How to Configure UAC (User Account Control) with Microsoft Intune

Configure User Account Control settings to enhance security using Microsoft Intune

← Back to Home
📅 January 22, 2026 | ⏱️ 5 min read | ✍️ By Allester Padovani | 🏷️ Device Configuration

User Account Control (UAC) in Windows prompts users when an app or action needs administrator rights, helping block unauthorized changes. You can enforce UAC behavior across managed devices with a Microsoft Intune Settings catalog profile that configures the Local Policies Security Options for UAC.

This guide walks through creating a Settings catalog profile, adding the UAC settings under Local Policies Security Options, configuring recommended values (e.g. prompt for consent on secure desktop for admins, automatically deny elevation for standard users), assigning the profile, and verifying behavior on a test device.

What Is UAC?

User Account Control (UAC) is a Windows security feature that asks for confirmation when a task or application needs elevated (administrator) privileges—for example installing software, changing system settings, or modifying protected folders. By default, users run as standard users; when elevation is needed, UAC shows a prompt. That reduces the chance that malware or an unauthorized user can make system changes without the user’s knowledge. You can tune UAC so that administrators are prompted for consent on the secure desktop and standard users are denied elevation by default, then manage these settings centrally with Intune.

What You’ll Configure

  • A Settings catalog configuration profile for Windows 10 and later.
  • Under Local Policies Security Options: the User Account Control settings (elevation prompts, admin approval mode, secure desktop, app install detection, etc.).

Step 1: Create a Settings Catalog Profile

In the Microsoft Intune admin center, go to Devices → Windows → Configuration profiles. Click Create → New policy. Choose Windows 10 and later as the platform and Settings catalog as the profile type. Click Create.

Creating a new configuration profile with Settings catalog

Step 2: Basics

On Basics, give the profile a name (e.g. WIN-UAC Security Options) and click Next.

Configuration profile Basics tab with profile name

Step 3: Add UAC Settings

On Configuration settings, click Add settings. Search for User Account Control. Expand Local Policies Security Options. You’ll see all UAC-related settings. Configure the ones that match your security baseline. Example recommendations:

  • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: e.g. Prompt for consent on the secure desktop (admins must confirm on the secure desktop).
  • User Account Control: Behavior of the elevation prompt for standard users: e.g. Automatically deny elevation requests (standard users cannot elevate without an admin).
  • User Account Control: Detect application installations and prompt for elevation: Enable (prompts when an app install is detected).
  • User Account Control: Only elevate UIAccess applications that are installed in secure locations: Enabled (UIAccess apps must be in a secure path).
  • User Account Control: Run all administrators in Admin Approval Mode: Enabled.
  • User Account Control: Switch to the secure desktop when prompting for elevation: Enabled (prompts appear on the secure desktop).
  • User Account Control: Use Admin Approval Mode for the built-in Administrator account: Enable (if you use the built-in Administrator).

Adjust values to match your policy. For full descriptions, see Microsoft documentation on UAC settings. Click Next when done.

User Account Control settings in Intune Detailed UAC settings configuration

Step 4: Assign and Create

Add Scope tags if needed, then click Next. On Assignments, add the groups that should receive this profile (e.g. All Devices or a pilot group). Click Next, review the summary, and click Create.

Assigning the configuration profile to groups Review and create the configuration profile

Step 5: Verify on a Test Device

After the profile syncs to a device, sign in as a standard user and try an action that requires elevation (e.g. opening a Control Panel item that needs admin rights). With “Automatically deny elevation requests” for standard users, the user should see a blocked or access-denied message instead of a consent prompt. The exact message depends on the setting and the app. Admins should see the consent prompt on the secure desktop when they trigger an elevated action.

UAC blocking notification when standard user attempts administrative task

Wrap-up

You’ve configured UAC with Intune by creating a Settings catalog profile and adding the User Account Control settings under Local Policies Security Options. Set elevation behavior for administrators and standard users, enable admin approval mode and secure desktop, then assign the profile to the right users or devices. Test on a pilot device to confirm prompts and denials match your policy. For more options and descriptions, see Microsoft’s UAC group policy and registry key documentation.