How to configure UAC (User Account Control) with Microsoft Intune

  • Post
    Weekend Wiki
    General manager
    To configure User Account Control (UAC) settings via Microsoft Intune, you can manage these settings using Windows Security Baselines or by creating a Configuration Profile to apply custom settings for UAC. Here are the two main methods:

    Method 1: Use Windows Security Baselines (Recommended)

    Windows Security Baselines provide pre-configured security settings that include UAC settings.

    1. Sign in to Microsoft Intune:
    2. Navigate to Security Baselines:
      • In the left menu, go to Endpoint security > Security baselines.
    3. Select the Baseline:
      • Choose a baseline that contains UAC settings. For example, the Microsoft Defender for Endpoint Baseline or Windows 10 Security Baseline.
      • If no baseline is available for your specific needs, you may need to create a custom configuration profile (explained in Method 2).
    4. Configure the Baseline:
      • After selecting the appropriate baseline, click on Create profile to configure and deploy.
      • Select UAC settings (like Notify me only when programs try to make changes to my computer) from the available settings and configure as needed.
    5. Assign the Baseline:
      • Assign the baseline to the desired user or device groups.
      • Save and monitor the deployment.

    Method 2: Create a Custom Configuration Profile for UAC

    If you need more control over UAC settings, you can use a custom configuration profile.

    1. Sign in to Microsoft Intune:
    2. Create a Custom Profile:
      • Navigate to Devices > Configuration profiles > Create profile.
      • Choose Platform as Windows 10 and later and Profile type as Custom.
    3. Add Configuration Settings:
      • In the Settings section, click Add to configure UAC settings.
      • To apply UAC settings, you’ll need to use an OMA-URI or an ADMX-backed policy. You can use the following common UAC-related policies:

      UAC Policy for Admin Approval Mode (recommended for enhanced security):

      • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUserRights/EnableAdminApprovalMode
      • Value: True or False

      UAC Policy for Behavior of the Elevation Prompt for Standard Users:

      • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUserRights/EnableSecureUAC
      • Value: True or False

      UAC Policy for Behavior of the Elevation Prompt for Administrators in Admin Approval Mode:

      • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUserRights/EnableUAC
      • Value: True or False

      Example OMA-URI entries for common UAC settings:

      • Disable UAC prompt for administrators: ./Device/Vendor/MSFT/Policy/Config/LocalUserRights/DisableUAC with value True.
    4. Assign the Profile:
      • Once the configuration settings are applied, assign the profile to the appropriate user or device groups.
    5. Monitor Deployment:
      • After deployment, you can monitor the status of the UAC settings through the Devices > Configuration profiles section.

    UAC Settings You Can Configure

    • Admin Approval Mode: Allows or prevents administrative approval before making changes.
    • Behavior for Elevation Prompt: Defines the UAC behavior for both standard and administrator users.
    • Notify or Automatically Deny Elevation Requests: Adjusts how elevation prompts are handled.

    Method 3: Use Group Policy Settings (If Needed)

    If you want to use specific Group Policy settings, you can apply them using an ADMX-backed configuration profile.

    1. Download the ADMX templates for Windows.
    2. Add the ADMX-backed profile in Intune to configure detailed UAC settings.
    3. Assign and monitor.

    Conclusion

    • Security Baselines are the simplest way to configure UAC settings in Intune, offering predefined settings for common security needs.
    • Custom Configuration Profiles allow for advanced customization using OMA-URI or ADMX settings for greater flexibility and control.

    By following these methods, you can efficiently manage UAC settings across your devices using Microsoft Intune.
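
To confirm on an endpoint that a deployed profile actually took effect, the following PowerShell check reads the registry values where Windows stores its UAC policy and compares them to expected values. It is an added example, not part of the original post; the function name `Test-UacSetting` and the expected values are assumptions to adjust to the settings you deployed.

```powershell
# Added example: audit the effective UAC settings on a Windows endpoint.
# The expected values are assumptions (one hardened configuration);
# change them to match the baseline or profile you assigned.
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$Expected = [ordered]@{
    EnableLUA                  = 1  # Run all administrators in Admin Approval Mode
    FilterAdministratorToken   = 1  # Admin Approval Mode for the built-in Administrator
    ConsentPromptBehaviorAdmin = 2  # Admins: prompt for consent on the secure desktop
    ConsentPromptBehaviorUser  = 0  # Standard users: automatically deny elevation
    PromptOnSecureDesktop      = 1  # Switch to the secure desktop when prompting
    EnableInstallerDetection   = 1  # Detect application installs and prompt
}

function Test-UacSetting {
    param(
        [Parameter(Mandatory)] [string] $RegistryPath,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $ExpectedValues
    )
    $actual = Get-ItemProperty -Path $RegistryPath -ErrorAction Stop
    foreach ($name in $ExpectedValues.Keys) {
        $prop  = $actual.PSObject.Properties[$name]
        $value = $null
        # A missing value means no policy was written and Windows uses its
        # default, so report it separately from a wrong value.
        if ($null -eq $prop) {
            $status = 'Missing'
        } elseif ([int]$prop.Value -eq $ExpectedValues[$name]) {
            $status = 'OK'; $value = $prop.Value
        } else {
            $status = 'Mismatch'; $value = $prop.Value
        }
        [pscustomobject]@{
            Setting  = $name
            Expected = $ExpectedValues[$name]
            Actual   = $value
            Status   = $status
        }
    }
}

$results = @(Test-UacSetting -RegistryPath $Path -ExpectedValues $Expected)
$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduler or management agent flag the device.
if (@($results | Where-Object { $_.Status -ne 'OK' }).Count -gt 0) { exit 1 }
```

Run it in an elevated or standard PowerShell session on the device after the profile has synced; reading these values does not require administrator rights.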