Lock Down Elevation on Intune Devices with These Must-Have UAC Settings

Controlling how and when elevation prompts appear to users is a critical part of hardening Windows endpoints. User Account Control (UAC) helps mitigate the risk of malware and of unintentional system changes by standard users. In this article, I'll show you how to enforce a secure and practical UAC configuration across your Intune-managed Windows devices, especially when users do not have local admin rights.


1 - Goal

Configure UAC to:

  • Prompt standard users and administrators for admin credentials when elevation is required.

  • Enforce secure desktop during elevation prompts.

  • Prevent silent elevation or auto-approval of apps.


2 - Security Benefits

  • Reduced risk of privilege escalation: standard users cannot elevate without an administrator explicitly entering their credentials.

  • Stronger malware defense: applications cannot silently elevate or bypass the elevation prompt.

  • Improved user awareness: prompts on the secure desktop are isolated from other processes, which makes elevation requests more visible and far harder to spoof or click through programmatically.


3 - Step by Step Configuration

  1. Open the Microsoft Intune admin center.

  2. In the left-hand menu, navigate to Devices.

  3. Under Devices, go to Configuration.

  4. Click + Create and select New Policy from the dropdown.

  5. In the right pane, set the Platform to Windows 10 and later.

  6. Set the Profile type to Settings catalog.

  7. Click Create to proceed with profile creation.

  • Give your policy a Name and a Description.

  • Click Next.

  8. Click + Add settings to start adding configuration settings.

  9. Type "Local Policies Security Options" in the search bar.

  10. Click Search to find the relevant settings.

  11. Choose "Local Policies Security Options" from the category list.

  12. Check the boxes next to the following User Account Control (UAC) settings:

User Account Control Use Admin Approval Mode

  • Status: Enabled

  • Purpose: Applies Admin Approval Mode to the built-in Administrator account, which is otherwise exempt from UAC. With this enabled, even that account runs with a filtered token and must approve elevation like any other administrator.

User Account Control Switch To The Secure Desktop When Prompting For Elevation

  • Status: Enabled

  • Purpose: Ensures that UAC prompts appear on a separate secure desktop, isolating the prompt from malicious software running in the user's session that might try to interfere with it, spoof it, or send synthetic clicks to it.

User Account Control Run All Administrators In Admin Approval Mode

  • Status: Enabled

  • Purpose: Runs every member of the local Administrators group with a filtered standard-user token, so any action that needs elevated rights must be approved through a UAC prompt. This is the master switch: if it is Disabled, UAC is turned off entirely and the other settings in this list have no effect.

User Account Control Detect Application Installations And Prompt For Elevation

  • Status: Enabled

  • Purpose: Triggers a UAC prompt when Windows detects an application installer (for example a setup.exe or install.exe), so installations cannot run silently under the user's token.

User Account Control Behavior Of The Elevation Prompt For Standard Users

  • Value: Prompt for credentials

  • Purpose: Standard users must enter an administrator's username and password to perform elevated tasks; because the secure desktop is enforced above, this prompt appears on the secure desktop. If you do not want anyone to enter admin credentials in a user's session at all, the stricter option is Automatically deny elevation requests, which blocks elevation outright and shows the user an access-denied message instead.

User Account Control Behavior Of The Elevation Prompt For Administrators

  • Value: Prompt for credentials

  • Purpose: Administrators must re-enter their password instead of simply clicking Yes on a consent prompt. This prevents one-click approval of a malicious elevation request and adds a strong security barrier.

User Account Control Allow UIAccess Applications To Prompt For Elevation Without Using The Secure Desktop

  • Value: Disabled

  • Purpose: Prevents UIAccess applications (such as accessibility tools) from showing elevation prompts on the interactive desktop, where other programs could interact with or spoof them. Leave this Disabled unless a specific assistive technology requires it.

Click Next to continue creating the profile.

  • Under Assignments, select the user groups, device groups, or both, as your organization requires.

  • Click Next.

  • Click Create.


4 - Test Result

  • Here is the Admin Approval window as it appears in a local admin session and in a standard user session.
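Beyond looking at the prompt, you will want to confirm on a device that the profile actually applied. The following PowerShell script is an added example and is not part of the original article: it reads the registry key where Windows stores the effective UAC policy (the same values Group Policy uses) and compares each value with what the profile above should produce. The value names are the standard UAC registry values; the mapping from each article setting to its value and expected number is my own assumption and is listed in the table inside the script so you can adjust it.

```powershell
# Added example (not from the original article): verify that the effective UAC policy
# on a device matches the Intune settings catalog profile described above.
# Assumption: Intune writes these Local Policies Security Options into the same key
# that Group Policy uses for UAC, and the mapping below is correct for this profile.

$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Article setting -> registry value name -> expected value
$Expected = @(
    @{ Setting = 'Use Admin Approval Mode (built-in Administrator)';           Name = 'FilterAdministratorToken';  Value = 1 }
    @{ Setting = 'Switch To The Secure Desktop When Prompting For Elevation';  Name = 'PromptOnSecureDesktop';     Value = 1 }
    @{ Setting = 'Run All Administrators In Admin Approval Mode';              Name = 'EnableLUA';                 Value = 1 }
    @{ Setting = 'Detect Application Installations And Prompt For Elevation'; Name = 'EnableInstallerDetection';  Value = 1 }
    @{ Setting = 'Elevation Prompt For Standard Users = Prompt for credentials'; Name = 'ConsentPromptBehaviorUser';  Value = 3 }
    @{ Setting = 'Elevation Prompt For Administrators = Prompt for credentials'; Name = 'ConsentPromptBehaviorAdmin'; Value = 3 }
    @{ Setting = 'Allow UIAccess Apps Without Secure Desktop = Disabled';      Name = 'EnableUIADesktopToggle';    Value = 0 }
)

# Reading this key does not require elevation, so the script also works as a
# user-context check; it is normally run from the system context by Intune.
$Props = Get-ItemProperty -Path $Key

$Results = foreach ($e in $Expected) {
    $actual = $Props.($e.Name)          # $null when the value has never been written
    [pscustomobject]@{
        Setting  = $e.Setting
        Value    = $e.Name
        Expected = $e.Value
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Status   = if ($actual -eq $e.Value) { 'OK' } else { 'MISMATCH' }
    }
}

$Results | Format-Table -AutoSize

# EnableLUA = 0 turns UAC off regardless of every other value, so call it out explicitly.
if ($Props.EnableLUA -ne 1) {
    Write-Warning 'EnableLUA is not 1: UAC is effectively disabled on this device.'
}

# Exit code 1 on any mismatch so the script can be used as an Intune detection script
# (Proactive remediations / Remediations), which treats a non-zero exit as non-compliant.
if ($Results.Status -contains 'MISMATCH') { exit 1 } else { exit 0 }
```

If a value shows as not set, the profile has not reached the device yet (check the device's policy sync in the admin center) or the setting was not ticked in the profile. Note that "Prompt for credentials on the secure desktop" writes 1 rather than 3 to the two ConsentPromptBehavior values; since the Switch To The Secure Desktop setting is already Enabled, both choices produce a secure-desktop prompt, so adjust the expected number to match whichever option you selected.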


5 - Summary

These settings are designed to increase system protection by making elevation (privilege escalation) more visible, controlled, and secure. They help prevent malware or unauthorized users from silently making changes that require administrative privileges.


Thanks

Aymen EL JAZIRI

System Administrator

Ricardo Barbosa

Microsoft MVP | MCT | Modern Workplace & Azure Architect | Microsoft 365 & Intune Expert | Endpoint Security | Enterprise Admin Specialist

2mo

Helpful insight, Aymen

Julien Lacam

Team leader IT modern workplace at Cargolux

2mo

Are those settings compatible with the EPM solution from the Intune Suite?

Bhasker Chittanoori

Sr. Cloud Security Solutions Engineer | Cybersecurity & Compliance | Threat Hunting | Azure Certified | Passionate about Protecting Digital Data & Privacy 🛡️

2mo

By limiting the admin rights and ensuring UAC always prompts for elevation, you significantly reduce the risk of malware installation, unauthorized software changes, and accidental system misconfigurations. This simple yet effective measure helps create a more resilient and secure endpoint environment. Great post.

Mohamed Esmail

Endpoint Management Support Engineer | German&English Speaker

2mo

I find this article really useful and smooth, thanks Ayman for sharing 🙏
