Managing User Account Control settings via Windows 10 MDM

This blog post uses the LocalPoliciesSecurityOptions area of the Policy configuration service provider (CSP), to manage User Account Control (UAC) settings on Windows 10 devices. This area was added in Windows 10, version 1709, which is currently available as Insider Preview build.

This week a blog post about managing User Account Control (UAC) settings via Windows 10 MDM. The ability to manage UAC-settings is new in Windows 10 MDM. Windows 10, version 1709, introduces the LocalPoliciesSecurityOptions area in the Policy CSP, which also contains settings to manage UAC. This is the same area, in the Policy CSP, as my last post, but this time a different group of settings. The frequent readers of my blog might recognize some bits and pieces, but that’s simply because I liked the subjects used in my previous post. That also enables me to provide more details in this post. In this post I’ll look at the available UAC-settings, in the Policy CSP, and I’ll provide information about how those settings relate to actual local group policy settings. I’ll also provide some configuration guidelines for Microsoft Intune hybrid and Microsoft Intune standalone and I’ll end this post with 4 different locations that show the actual device configuration.

Available settings

Let’s start by looking at the available UAC-settings. Windows 10, version 1709, introduces the LocalPoliciesSecurityOptions area in the Policy CSP. That area contains 20+ settings. Those settings are related to accounts, interactive logon, network security, recovery console, shutdown and UAC. In this post I’m specifically looking at the settings related to UAC. The table below show the available UAC-settings, the available values and a short description. For even more information about the UAC-settings, please refer to the articles in the More information section of this post.

Setting Value Description
UserAccountControl_ AllowUIAccessApplicationsToPromptForElevation 0 – Disabled

1 – Enabled

This setting allows the administrator to control whether User Interface Accessibility (UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
UserAccountControl_ BehaviorOfTheElevationPromptForAdministrators 0 – Elevate without prompting
1 – Prompt for credentials on the secure desktop
2 – Prompt for consent on the secure desktop
3 – Prompt for credentials
4 – Prompt for consent
5 – Prompt for consent for non-Windows binaries
This setting allows the administrator to control the behavior of the elevation prompt for administrators.
UserAccountControl_ BehaviorOfTheElevationPromptForStandardUsers 0 – Automatically deny elevation requests
1 – Prompt for credentials on the secure desktop
3 – Prompt for credentials
This setting allows the administrator to control the behavior of the elevation prompt for standard users.
UserAccountControl_ DetectApplicationInstallationsAndPrompt ForElevation 0 – Disabled

1 – Enabled

This setting allows the administrator to control the behavior of application installation detection for the computer.
UserAccountControl_ OnlyElevateExecutableFilesThatAreSigned AndValidated 0 – Disabled

1 – Enabled

This setting allows the administrator to enforce public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege.
UserAccountControl_ OnlyElevateUIAccessApplicationsThatAreInstalled InSecureLocations 0 – Disabled

1 – Enabled

This setting allows the administrator to control whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system
UserAccountControl_ RunAllAdministratorsInAdminApprovalMode 0 – Disabled

1 – Enabled

This setting allows the administrator to control the behavior of all User Account Control (UAC) policy settings for the computer.
UserAccountControl_ SwitchToTheSecureDesktopWhenPrompting ForElevation 0 – Disabled

1 – Enabled

This setting allows the administrator to control whether the elevation request prompt is displayed on the interactive user’s desktop or the secure desktop.
UserAccountControl_UseAdminApprovalMode 0 – Disabled

1 – Enabled

This setting allows the administrator to control the behavior of Admin Approval Mode for the built-in Administrator account..
UserAccountControl_ VirtualizeFileAndRegistryWriteFailuresToPer UserLocations 0 – Disabled

1 – Enabled

This setting allows the administrator to control whether application write failures are redirected to defined registry and file system locations.

Note: Keep in mind that every mentioned settings starts with ./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions and that any spaces used within the setting, show in the table above, should be removed.

Local group policy settings

The nice thing is that the mentioned UAC-settings, in the LocalPoliciesSecurityOptions area of the Policy CSP (./Vendor/MSFT/Policy/Config), are all related to actual local group policy settings. Those local group policy settings can be found at Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. The name of the area, in the Policy CSP, simply translates to the location in the local group policies. Nice and easy. The table below shows how the available UAC-settings, actually translate to local group policy settings.

Policy CSP Local group policy setting
UserAccountControl_ AllowUIAccessApplicationsToPromptForElevation User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
UserAccountControl_ BehaviorOfTheElevationPromptForAdministrators User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
UserAccountControl_ BehaviorOfTheElevationPromptForStandardUsers User Account Control: Behavior of the elevation prompt for standard users
UserAccountControl_ DetectApplicationInstallationsAndPrompt ForElevation User Account Control: Detect application installations and prompt for elevation
UserAccountControl_ OnlyElevateExecutableFilesThatAreSigned AndValidated User Account Control: Only elevate executables that are signed and validated
UserAccountControl_ OnlyElevateUIAccessApplicationsThatAreInstalled InSecureLocations User Account Control: Only elevate UIAccess applications that are installed in secure locations
UserAccountControl_ RunAllAdministratorsInAdminApprovalMode User Account Control: Run all administrators in Admin Approval Mode
UserAccountControl_ SwitchToTheSecureDesktopWhenPrompting ForElevation User Account Control: Switch to the secure desktop when prompting for elevation
UserAccountControl_UseAdminApprovalMode User Account Control: Admin Approval Mode for the built-in Administrator account
UserAccountControl_ VirtualizeFileAndRegistryWriteFailuresToPer UserLocations User Account Control: Virtualize file and registry write failures to per-user locations

Configure settings

After getting to know the available settings, let’s have a closer look at the configuration of the settings. The settings can be used in Microsoft Intune hybrid and Microsoft Intune standalone, by using the configuration guidelines shown below. Within the configuration guidelines, I’m using the UAC-setting to enable the behavior of Admin Approval Mode for the built-in Administrator account as an example. That requires the following OMA-URI setting and value:

OMA-URI setting: ./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
OMA-URI value: 1

Environment Configuration guidelines
Microsoft Intune hybrid IntuneH_UACSettingThe configuration in Microsoft Intune hybrid can be performed by starting the Create Configuration Item Wizard in the Configuration Manager administration console. Make sure to select Windows 8.1 and Windows 10 (below Settings for devices managed without the Configuration Manager client) on the General page and to select Windows 10 on the Supported Platforms page. Now select Configure additional settings that are not in the default setting groups on the Device Settings page and the configuration can begin by using the earlier mentioned OMA-URI setting and value.

Once the configurations are finished, the created configuration items can be added to a configuration baseline and can be deployed to Windows 10 devices/ users.

Microsoft Intune standalone (Azure portal) IntuneS_UACSettingThe configuration in Microsoft Intune standalone, in the Azure portal, can be performed by creating a Device configuration. Create a new profile and within the new profile, make sure to select Windows 10 and later as Platform and Custom as Profile type. In the Custom OMA-URI Settings blade, add the custom settings by using the earlier mentioned OMA-URI setting and value.

Once the configurations are finished, the profile can be saved and can be deployed to Windows 10 devices/ users.

Note: This post is based on the custom OMA-URI settings configuration. At some point in time this configuration can become available via the UI of Microsoft Intune standalone and/or hybrid.

Device configuration

Like last week I’ll end this post by simply looking at the device configuration. However, this week I’ll take it one step further. This time I’ll also add some WMI and registry information. Now let’s start with, below on the left, an export of the MDM Diagnostics Information, which clearly shows the default configuration and the new configurations via MDM. Below on the right is an overview of the Local Group Policy Editor, which clearly shows the actual configuration of the new configurations via MDM. In both cases the example UAC-setting, to control the behavior of Admin Approval Mode for the built-in Administrator account, is shown in the small red circle.

UAC_MDMDiagReport_Settings UAC_LGPO_Settings

Now let’s also have a look at the information in WMI and the registry. Below on the left is an overview of the policy result node in WMI Explorer, which clearly shows the results of the configurations via MDM. Below on the right is an overview of the local group policy settings in the Registry Editor, which clearly shows the local group policy settings configured via MDM. Also, like before, in both cases the example UAC-setting, to control the behavior of Admin Approval Mode for the built-in Administrator account, is shown in the small red circle.

UAC_WMI_Settings UAC_Registry_Settings

More information

For more information about the LocalPoliciesSecurityOptions area of the Policy CSP, and about the available UAC-settings,please refer to the following articles:

Leave a Comment