Detections
Analytics
2.3.17.5 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
Information
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:...\Program Files\, including subfolders
...\Windows\System32\
...\Program Files (x86)\, including subfolders (for 64-bit versions of Windows)
Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
The recommended state for this setting is: Enabled.
Rationale:
UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities:
To set the foreground window.
To drive any application window using SendInput function.
To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput.
To set journal hooks.
To uses AttachThreadInput to attach a thread to a higher integrity input queue.
Impact:
None - this is the default behavior.
Solution
To establish the recommended configuration, set the following Device Configuration Policy to Enabled:To access the Device Configuration Policy from the Intune Home page:
Click Devices
Click Configuration profiles
Click Create profile
Select the platform (Windows 10 and later)
Select the profile (Custom)
Enter a Name
Click Add
Enter the Details below
Name: <Enter name>
Description: <Enter Description>
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplications
ThatAreInstalledInSecureLocations
Data type: Integer
Value: 1
Select Save
Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)
Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.
Note #2 This recommendation can also be set using the Endpoint protection profile using Local device security options/User account control settings.
Default Value:
Enabled. (If an application resides in a secure location in the file system, it runs only with UIAccess integrity.)
See Also
Item Details
Audit Name: CIS Microsoft Intune for Windows 11 v2.0.0 L1
Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|IA-5
Plugin: Windows
Control ID: 1a662ec236c05a1323ebe90040ff6a13e06aa889dc9ef815287e8820f98f9b90