Information
This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system.
Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders.
Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure.
The recommended state for this setting is: Disabled.
Rationale:
Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities.
Impact:
None - this is the default behavior.
Solution
To establish the recommended configuration, set the following Device Configuration Policy to Disabled:
To access the Device Configuration Policy from the Intune Home page:
Click Devices
Click Configuration profiles
Click Create profile
Select the platform (Windows 10 and later)
Select the profile (Custom)
Click Create
Enter a Name
Click Next
Configure the following Setting
Name: <Enter name>
Description: <Enter Description>
OMA-URI: ./User/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
Data type: Integer
Value: 0
Select OK
Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)
Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.
Default Value:
Disabled. (Windows Installer will apply the current user's permissions when it installs programs that a system administrator does not distribute or offer. This will prevent standard users from installing applications that affect system-wide configuration items.)