2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'

Information

This policy setting controls the behavior of the elevation prompt for standard users.

The recommended state for this setting is: Automatically deny elevation requests.

Rationale:

One of the risks that User Account Control (introduced with Windows Vista) is designed to mitigate is malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting makes the user aware that a program requires elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run.

Impact:

When an operation requires elevation of privilege, a configurable "access denied" error message is displayed. An enterprise that runs its desktops as standard users may choose this setting to reduce help desk calls.

Note: With this setting configured as recommended, the default error message displayed when a user attempts to perform an operation or run a program requiring privilege elevation (without Administrator rights) is 'This program will not run. This program is blocked by group policy. For more information, contact your system administrator.' Some users who are not used to seeing this message may believe that the operation or program they attempted to run is specifically blocked by group policy, as that is what the message seems to imply. This message may therefore result in user questions as to why that specific operation/program is blocked, when in fact, the problem is that they need to perform the operation or run the program with an Administrative account (or 'Run as Administrator' if it is already an Administrator account), and they are not doing that.

Solution

To establish the recommended configuration, set the following Device Configuration Policy to Automatically deny elevation requests:

To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Endpoint protection)

Click Create

Enter a Name

Click Next

Configure the following Setting

Path: Endpoint protection/Local device security options/User account control
Setting Name: Elevation prompt for standard users
Configuration: Automatically deny elevation requests

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Note: More than one configuration setting from each of the Configuration profiles (e.g. Administrative Templates, Custom, etc.) can be added to each Device Configuration Policy.

Note #2: This setting can also be created via a Custom Configuration Profile using the following OMA-URI:

Name: <Enter name>
Description: <Enter Description>
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
Data type: Integer
Value: 0

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)
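An added audit check, not part of the benchmark text or of Intune: a PowerShell snippet that reads the local registry value this UAC policy is applied to on the device and reports whether it matches the recommended value 0 from the OMA-URI configuration above. The registry path and the 0/1/3 meanings are the standard Windows UAC values; the function and variable names are assumptions of this example.

```powershell
# Added example (not from the CIS/Tenable page): audit the effective
# "Elevation prompt for standard users" value on a Windows 10+ device.
# Assumption: the Intune/OMA-URI policy lands in the standard UAC value
#   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser
#   0 = Automatically deny elevation requests (recommended)
#   1 = Prompt for credentials on the secure desktop
#   3 = Prompt for credentials (the default named on this page)

$regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$regName  = 'ConsentPromptBehaviorUser'
$expected = 0   # matches "Value: 0" in the OMA-URI configuration above

$meaning = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Test-UacStandardUserPrompt {
    [CmdletBinding()]
    param()

    $item = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: Windows falls back to its built-in default (Prompt for credentials).
        $actual = 3
        $source = 'not set (OS default assumed)'
    } else {
        $actual = [int]$item.$regName
        $source = 'registry'
    }

    [pscustomobject]@{
        Control   = '2.3.17.3'
        Setting   = 'Elevation prompt for standard users'
        Actual    = $actual
        Meaning   = if ($meaning.ContainsKey($actual)) { $meaning[$actual] } else { "Unknown ($actual)" }
        Source    = $source
        Compliant = ($actual -eq $expected)
    }
}

$result = Test-UacStandardUserPrompt
$result | Format-List
# Non-zero exit code lets a compliance pipeline or Intune remediation script flag drift.
if (-not $result.Compliant) { exit 1 }
```

Run it in an elevated or standard session after the profile has synced; a `Compliant: False` result with `Source: registry` means the value was applied but set to something other than 0, while `not set` means the policy has not reached the device.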

Default Value:

Prompt for credentials. (When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.)

See Also

https://workbench.cisecurity.org/benchmarks/14355

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|IA-5

Plugin: Windows

Control ID: a8f0e18cc433add67416e13f5646ab3b217b384230dc40927abd76cfcb03c5a2