UAC elevation prompt for standard users

Copper Contributor

MSFT Windows 10 21H2 - Computer have the following setting recommendation

  Policy: User Account Control: Behavior of the elevation prompt for standard users

  Setting: Automatically deny elevation requests


How do I provide support if I need to install software that requires Run as Administrator permissions? Will I need to switch user to the Administrator, and install the software?



12 Replies
Running elevated processes on a non-admin desktop is risky - there are too many ways for non-admin code to hijack those elevated permissions. Much better isolation to perform the installation from an admin's desktop or through a service (e.g., Microsoft's SCCM or Tanium's "Deploy" capability.)
What is your delivery method for the policy? If it is a GPO, then you can create a custom policy over the baseline with higher precedence to prompt for credentials. I blogged about this using Intune, but the admx policy setting is the same.
Intune is an option as well.
Our management solution, SCCM/Intune, fixes >90% of the installations, uninstalls, upgrades ++. But some error situations requires Administrators permissions. I guess I'll need to invest more time in SCCM/Intune or helpdesk will need to "Switch user, and log in as Administrator" to fix the problem?

I'm just trying to figure out what the "cost" will be to following the standard and what other companies are doing.
Sorry, was that directed to me? I already mentioned about using Intune as a delivery tool for the policy.
The problem isn't making exceptions in GPO or Intune for this setting, but how I manage the clients if this setting is set to Automatically deny elevation requests
Ok, in that case the available options that comes to my mind are switching user to admin account or elevating permissions on demand for a standard user using a 3rd party script or an app. Make me an admin is an example.
If you absolutely need to log in to an interactive desktop on the target system to perform the administrative actions, then switch-user and log in with that admin account. UAC different-user elevation is MUCH less secure. Keep that option disabled.
Apologies, I thought I was replying to Aaron's earlier comment. :)
Not a problem. :)

If I have understood it correctly, to conclude;


This is a important setting to follow in regards to security, because it is possible to hijack a elevated process.


A management solution is required to manage the clients. The management solutions must be able to install, configure, update/upgrade and uninstall operating system, drivers/firmware and software. It should also be able to evaluate configuration and correct error automatically.


If a one time fix is required and a program/process needs to be run with Administrators permissions, the user/helpdesk should switch user to the Administrator account with a LAPS password (or equivalent) and run the program/process in that session.


The following setting will make it impossible to run a program/process with Administrators permissions interactive remotely / through a remote support session. These changes MUST now be done through the management solution.


Thanks @AaronMargosis_Tanium and @rahuljindal-MVP for input.


Good summary. That sounds like the best case scenario IMO.