This article walks you through implementing the Run all Administrators in Admin Approval Mode Policy with Intune. We’ll use Intune’s Settings Catalog to enforce this policy, taking a practical, hands-on approach so that you can see the policy in action.
The Run all Administrators in Admin Approval Mode Policy setting governs the behaviour of all User Account Control (UAC) policy settings on the computer. A system restart is required after modifying this policy setting.
User Account Control: Admin Approval Mode for the built-in Administrator account can be managed through this policy setting. Two options are available for this policy: Enabled or Disabled. The recommended option is Enabled.
When the policy is enabled, the built-in Administrator account operates in Admin Approval Mode. In this mode, any action requiring an elevation of privilege prompts the user for approval by default.
When the policy is disabled, the built-in Administrator account runs all applications with complete administrative privileges, without requiring explicit user approval for elevated operations.
Run All Administrators in the Admin Approval Mode Policy
To create a Run all Administrators in Admin Approval Mode Policy, follow the steps stated below:
- Sign in to the Intune Admin Center portal https://intune.microsoft.com/.
- Select Devices > Windows > Configuration profiles > Create a profile.
- In Create Profile, I select Windows 10 and later as the Platform and Settings catalog as the Profile Type. Click on the Create button.
- On the Basics tab pane, I provide a name for the policy: “Run all Administrators in Admin Approval Mode Policy.”
- Optionally, enter a policy description, then proceed by selecting “Next”.
- In Configuration Settings, click Add Settings to browse or search the catalog for the settings you want to configure.
- In the Settings Picker window, I searched for the keyword User Account Control, found the category Local Policies Security Options, and selected it.
- I see the sub-category User Account Control Run All Administrators In Admin Approval Mode. After selecting it, click the cross mark at the right-hand corner.
- In Local Policies Security Options, I have Enabled the User Account Control Run All Administrators In Admin Approval Mode setting.
- Using Scope tags, you can assign a tag to filter the profile to specific IT groups. Add scope tags if required. More details are available in the Intune Scope Tags Implementation Guide.
- Click Next to continue.
- In Assignments, under Included Groups, click Add Groups and choose Select Groups to include one or more groups. Click Next to continue.
- In the Review + Create tab, I review the settings. After clicking Create, the changes are saved and the profile is assigned.
After successfully creating the “Run all Administrators in Admin Approval Mode Policy,” a notification will appear in the top right-hand corner confirming the action. You can also verify the policy’s existence by navigating to the Configuration Profiles list, where it will be prominently displayed.
Your groups will receive your profile settings when the devices check in with the Intune service. The Policy applies to the device.
Intune Report for Run all Administrators in Admin Approval Mode Policy
From the Intune Portal, you can view the Intune settings catalog profile report, which provides an overview of device configuration policies and deployment status.
To track the assignment of the policy, you need to select the relevant policy from the Configuration Profiles list, which is the Run all Administrators in Admin Approval Mode Policy. Then, you can review the device and user check-in status to determine whether the policy has been successfully applied.
- If you require more detailed information, you can click on “View Report” to access additional insights.
Windows CSP Details UserAccountControl_RunAllAdministratorsInAdminApprovalMode
The Windows CSP details for this policy setting, UserAccountControl_RunAllAdministratorsInAdminApprovalMode, are given below. Note that any change made to this policy setting takes effect only after a system restart. The restart ensures that the modified UAC policies are applied consistently throughout the operating system.
CSP URI – ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
Registry Key Verification – Run all Administrators in Admin Approval Mode Policy
Now we will verify whether the policy was deployed successfully by checking the registry settings that hold the group policy configurations on a specific computer. To do this, run “REGEDIT.exe” on the target computer and navigate to the registry path below, where these settings are stored.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers\5B88AEF1-09E8-43BB-B144-7254ACBBDF3E\default\Device\LocalPoliciesSecurityOptions
When you navigate the above path in the Registry Editor, you will find the registry key named
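
The registry check described above can also be scripted. The PowerShell below is an added example, not part of the original article or of Intune itself. It assumes that the registry value name matches the CSP setting name from the CSP URI, and it enumerates every provider GUID under PolicyManager rather than relying on the single GUID shown above, on the assumption that the GUID can differ between devices. It also reads EnableLUA, the local UAC value this policy controls, and the last boot time, since the setting needs a restart to take effect.

```powershell
# Added example, not from the original article. Read-only; run on the target device.
$providersRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers'
$subPath       = 'default\Device\LocalPoliciesSecurityOptions'
# Assumption: the value name equals the CSP setting name from the CSP URI.
$settingName   = 'UserAccountControl_RunAllAdministratorsInAdminApprovalMode'
# EnableLUA is the local UAC value that this policy controls.
$uacPath       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Return $null when either the key or the value is missing.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-AdminApprovalModeState {
    param($Delivered, $EnableLua)
    if ($null -eq $Delivered)  { return 'NotDelivered' }
    if ([int]$Delivered -ne 1) { return 'DeliveredAsDisabled' }
    if ([int]$EnableLua -ne 1) { return 'DeliveredButEnableLuaNotSet' }
    return 'Enabled'
}

$enableLua = Get-RegValueOrNull -Path $uacPath -Name 'EnableLUA'
$lastBoot  = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

# Check every MDM provider instead of hard-coding one GUID.
$providers = @(Get-ChildItem -LiteralPath $providersRoot -ErrorAction SilentlyContinue)
if ($providers.Count -eq 0) {
    Write-Warning "No MDM policy providers found under $providersRoot"
}
foreach ($p in $providers) {
    $path      = Join-Path -Path $p.PSPath -ChildPath $subPath
    $delivered = Get-RegValueOrNull -Path $path -Name $settingName
    [pscustomobject]@{
        Provider  = $p.PSChildName
        Delivered = $delivered
        EnableLUA = $enableLua
        State     = Get-AdminApprovalModeState -Delivered $delivered -EnableLua $enableLua
        LastBoot  = $lastBoot   # compare with the policy deployment time
    }
}
```

A State of Enabled with a LastBoot earlier than the policy deployment means the value is written but the device has not yet restarted.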