How to Configure UAC with Microsoft Intune Settings Catalog

Configure Windows User Account Control settings across enterprise devices using Microsoft Intune's Settings Catalog for centralized security management and compliance.

Emanuel DE ALMEIDA
March 19, 2026 | 15 min
hard | intune | 9 steps | 15 min

Why Configure UAC Through Microsoft Intune?

User Account Control (UAC) serves as Windows' primary defense against unauthorized system changes, but managing UAC settings across hundreds or thousands of enterprise devices manually is impractical and error-prone. Microsoft Intune's Settings Catalog provides centralized, cloud-based management of UAC configurations, ensuring consistent security posture across your entire Windows fleet.

Traditional methods like Group Policy require on-premises infrastructure and complex domain relationships. Intune eliminates these dependencies while providing superior reporting, compliance monitoring, and integration with modern identity systems like Entra ID. The Settings Catalog, enhanced significantly in 2025-2026, offers granular control over all UAC registry settings through an intuitive interface.

What Security Benefits Does Centralized UAC Management Provide?

Proper UAC configuration prevents privilege escalation attacks, reduces malware infection vectors, and maintains audit trails for administrative actions. Through Intune, you can enforce consistent UAC behaviors that balance security with user productivity. The Settings Catalog approach ensures your UAC policies deploy reliably without conflicts from legacy Group Policy Objects or local registry modifications.

This tutorial demonstrates the current best practices for UAC configuration using Microsoft Intune's Settings Catalog, including enterprise-grade security settings, deployment strategies, and troubleshooting common issues. You'll learn to create policies that protect against both external threats and insider risks while maintaining user experience standards expected in modern workplaces.

Implementation Guide

Full Procedure

01

Access Microsoft Intune Admin Center and Create New Policy

Navigate to the Microsoft Intune admin center and initiate the policy creation process. The Settings Catalog is the current recommended method for UAC configuration as of 2026.

Open your browser and navigate to https://intune.microsoft.com. Sign in with your Global Administrator or Intune Administrator credentials.

Once logged in, follow this navigation path:

  1. Click Devices in the left navigation pane
  2. Select Configuration
  3. Click the Create button
  4. Choose New policy

In the policy creation wizard:

  1. Platform: Select Windows 10 and later
  2. Profile type: Choose Settings Catalog
  3. Click Create

Pro tip: Settings Catalog replaced Administrative Templates for UAC configuration in 2025. Always use Settings Catalog for the most granular control over UAC settings.

Verification: You should now see the Settings Catalog policy creation wizard with the Basics tab active.

02

Configure Policy Basics and Naming

Set up the foundational information for your UAC policy. Proper naming and description help with policy management and troubleshooting.

On the Basics tab, configure the following:

  • Name: Corporate UAC Policy 2026
  • Description: Standardized UAC settings via Local Policies Security Options for enterprise security compliance
  • Platform: Windows 10 and later (already selected)
  • Profile type: Settings catalog (already selected)

Click Next to proceed to the Configuration settings tab.

Warning: Avoid generic names like "UAC Policy" as they become difficult to manage when you have multiple policies. Include the year and purpose for clarity.

Verification: The policy name should appear in the breadcrumb navigation at the top of the page, and you should now be on the "Configuration settings" tab.

03

Add Local Policies Security Options Settings

Access the UAC settings through the Local Policies Security Options category. This is where Microsoft consolidated all UAC configuration options in 2025-2026.

On the Configuration settings tab:

  1. Click the + Add settings button
  2. In the search box, type: Local Policies Security Options
  3. Select the Local Policies Security Options category from the results
  4. Click Close to return to the settings list

You'll now see the Local Policies Security Options category added to your policy. Expand it to view all available UAC settings.

Pro tip: You can also search for specific UAC settings by typing "User Account Control" in the search box, but using the category ensures you see all available options.

Verification: You should see "Local Policies Security Options" listed under your configuration settings with an expandable arrow next to it.

04

Configure Core UAC Security Settings

Configure the essential UAC settings that form the foundation of your enterprise security posture. These settings control how UAC behaves for both administrators and standard users.

Expand the Local Policies Security Options section and configure these critical settings:

1. Enable UAC Admin Approval Mode

Find and configure: User Account Control: Run all administrators in Admin Approval Mode

  • Set to: Enabled
  • Registry impact: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 1

2. Administrator Elevation Behavior

Configure: User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

  • Set to: Prompt for consent for non-Windows binaries (value 5)
  • Registry impact: ConsentPromptBehaviorAdmin = 5

3. Standard User Elevation Behavior

Configure: User Account Control: Behavior of the elevation prompt for standard users

  • Set to: Prompt for credentials (value 3)
  • Registry impact: ConsentPromptBehaviorUser = 3

Warning: Setting administrator behavior to "Elevate without prompting" (value 0) completely disables UAC prompts for administrators and significantly reduces security. Only use in isolated lab environments.

Verification: Each setting should show your selected value next to the setting name in the configuration list.

05

Configure Advanced UAC Protection Settings

Set up additional UAC settings that enhance security by controlling secure desktop behavior and application installation detection.

4. Secure Desktop Protection

Configure: User Account Control: Switch to the secure desktop when prompting for elevation

  • Set to: Enabled
  • Registry impact: PromptOnSecureDesktop = 1
  • Purpose: Prevents malware from interfering with UAC prompts

5. Application Installation Detection

Configure: User Account Control: Detect application installations and prompt for elevation

  • Set to: Enabled
  • Registry impact: EnableInstallerDetection = 1
  • Purpose: Automatically detects installer packages and prompts for elevation

6. Virtualization Settings (Optional)

Configure: User Account Control: Virtualize file and registry write failures to per-user locations

  • Set to: Enabled (recommended for legacy application compatibility)
  • Registry impact: EnableVirtualization = 1

Pro tip: The secure desktop setting is crucial for preventing privilege escalation attacks. Always keep this enabled unless you have specific accessibility requirements that conflict with it.

Verification: Your policy should now have 5-6 UAC settings configured. Review each setting to ensure the values match your security requirements.

06

Assign Policy to Target Groups

Deploy your UAC policy to specific device or user groups. Proper assignment ensures the policy reaches the intended devices while avoiding conflicts.

Click Next to reach the Assignments tab. Here you'll specify which devices or users receive this policy.

Assignment Options:

  1. Click + Add groups under "Included groups"
  2. Search for and select your target Entra ID security groups
  3. Choose between:
    • Device groups: Apply to specific devices regardless of user
    • User groups: Apply to devices when specific users sign in

Recommended Assignment Strategy:

Include groups:
- "Corporate Devices - Windows"
- "IT Department - Devices"

Exclude groups:
- "Kiosk Devices"
- "Test Lab Devices"

Warning: Avoid assigning UAC policies to "All devices" initially. Start with pilot groups to test the impact before broad deployment.

Click Next to proceed to the review stage.

Verification: The Assignments tab should show your selected groups under "Included groups" with the correct member count displayed.

07

Review and Deploy the UAC Policy

Complete the policy creation process and deploy it to your selected devices. This final step activates the UAC configuration across your enterprise.

On the Review + create tab, carefully review all your configurations:

  • Verify the policy name and description
  • Check that all UAC settings show the correct values
  • Confirm the assigned groups are correct
  • Review any scope tags if applicable

Once satisfied with the configuration, click Create to deploy the policy.

Post-Deployment Monitoring:

After creation, monitor the policy deployment:

  1. Navigate to Devices > Configuration
  2. Find your "Corporate UAC Policy 2026" in the list
  3. Click on the policy name to view deployment status
  4. Check the Device and user check-in status section

Pro tip: Policy application can take up to 8 hours for the next device check-in cycle. For immediate testing, force a sync on target devices through the Company Portal app or Settings > Accounts > Access work or school > Sync.

Verification: The policy should appear in your configuration profiles list with a status of "Succeeded" or "In progress" for assigned devices.

08

Verify UAC Settings on Target Devices

Confirm that the UAC policy has been successfully applied to your target devices by checking registry values and UAC behavior.

PowerShell Verification Script:

Run this PowerShell command as an administrator on a target device:

# Read the UAC values under the Policies\System key and list them one per line
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" |
    Select-Object ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser,
                  EnableLUA, PromptOnSecureDesktop, EnableInstallerDetection |
    Format-List

Expected Output for Enterprise Configuration:

ConsentPromptBehaviorAdmin : 5
ConsentPromptBehaviorUser  : 3
EnableLUA                  : 1
PromptOnSecureDesktop      : 1
EnableInstallerDetection   : 1

Alternative Verification Methods:

  1. Control Panel Check: Navigate to Control Panel > User Accounts > Change User Account Control settings. The slider should reflect your configured behavior.
  2. Test UAC Prompt: Try running an application as administrator to verify the prompt behavior matches your policy.
  3. Event Logs: Check Windows Logs > Security for Event ID 4648 (successful logon with explicit credentials).

Warning: If registry values don't match your policy, check for conflicting Group Policy Objects. Use gpresult /r to identify any GPO conflicts that might override Intune settings.

Verification: Registry values should match your Intune policy configuration, and UAC prompts should behave according to your settings when testing elevation scenarios.
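
A baseline comparison built on the verification step above, as an added example that is not part of the original article. Test-UacBaseline and its output columns are hypothetical names; the expected values are the ones set in steps 04 and 05, and EnableVirtualization is the optional setting, so remove it from the baseline if you skipped it.

```powershell
# Added example: compare the device's UAC registry values with this guide's baseline.
# Test-UacBaseline is an illustrative helper name, not an Intune or Windows cmdlet.
function Test-UacBaseline {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
        # Expected values taken from steps 04 and 05 of this guide
        [hashtable]$Baseline = @{
            EnableLUA                  = 1
            ConsentPromptBehaviorAdmin = 5
            ConsentPromptBehaviorUser  = 3
            PromptOnSecureDesktop      = 1
            EnableInstallerDetection   = 1
            EnableVirtualization       = 1   # optional setting in step 05
        }
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Registry key not found: $Path"
    }
    $key = Get-Item -LiteralPath $Path

    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        # GetValue returns $null when the value does not exist; report that
        # separately so an unapplied policy is not mistaken for a wrong value.
        $actual = $key.GetValue($name, $null)
        if ($null -eq $actual) { $status = 'Missing' }
        elseif ([int]$actual -eq $Baseline[$name]) { $status = 'OK' }
        else { $status = 'Drift' }

        [pscustomobject]@{
            Setting  = $name
            Expected = $Baseline[$name]
            Actual   = $actual
            Status   = $status
        }
    }
}

$results = @(Test-UacBaseline)
$results | Format-Table -AutoSize

# Summarize anything that is missing or differs from the baseline
$failed = @($results | Where-Object Status -ne 'OK')
if ($failed.Count -gt 0) {
    Write-Warning ("{0} UAC setting(s) differ from the baseline" -f $failed.Count)
}
```

A row with Status "Missing" means the value has not been written at all, which usually points at the policy not having applied yet rather than at a conflicting setting.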

09

Troubleshoot Common UAC Policy Issues

Address common problems that may prevent UAC policies from applying correctly. These troubleshooting steps resolve the most frequent deployment issues.

Issue 1: Policy Not Applying

Symptoms: Registry values don't match policy settings

Solution: Check for Group Policy conflicts

# Check for conflicting GPO settings
gpresult /r /scope:computer

# Remove conflicting registry entries if safe to do so (-Name "*" deletes every value under this key)
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Policies\System" -Name "*" -Force

Issue 2: Access Denied Errors

Symptoms: Devices show "Access Denied" in Intune reporting

Solution: Re-establish device trust relationship

# Run as administrator
dsregcmd /leave
# Restart device, then rejoin to Azure AD
dsregcmd /join

Issue 3: UAC Slider Stuck

Symptoms: Control Panel slider doesn't reflect policy changes

Solution: Clear cached user settings

# Clear user-specific UAC cache
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "*" -ErrorAction SilentlyContinue

# Force policy refresh
gpupdate /force

Issue 4: Delayed Policy Application

Solution: Force immediate device sync

# Force Intune sync
Get-ScheduledTask | Where-Object {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTask

# Alternative: Manual sync through Settings
# Settings > Accounts > Access work or school > Info > Sync

Pro tip: Always test UAC policy changes on a small pilot group first. Create a "UAC Testing" group with 5-10 devices to validate settings before broad deployment.

Verification: After applying troubleshooting steps, re-run the PowerShell verification script to confirm registry values match your policy configuration.

Frequently Asked Questions

What's the difference between Intune Settings Catalog and Administrative Templates for UAC configuration?

Settings Catalog is the modern, recommended approach that provides access to all UAC registry settings through the Local Policies Security Options category. Administrative Templates are legacy and offer limited UAC configuration options. Microsoft enhanced Settings Catalog in 2025-2026 to include all UAC settings previously only available through Group Policy, making it the superior choice for comprehensive UAC management.

Can Intune UAC policies conflict with existing Group Policy Objects?

Yes, Group Policy Objects (GPOs) take precedence over Intune policies when both configure the same registry keys. If you have existing UAC GPOs, they will override Intune settings. To resolve conflicts, either remove the conflicting GPO settings or ensure devices are not receiving conflicting policies. Use 'gpresult /r' to identify active GPOs that might interfere with your Intune UAC configuration.

How long does it take for UAC policy changes to apply to devices?

UAC policy changes typically apply within 8 hours during the next device check-in cycle with Intune. However, you can force immediate application by triggering a manual sync through Settings > Accounts > Access work or school > Sync, or by running the PushLaunch scheduled task. Critical UAC changes should be tested on pilot devices first before broad deployment to ensure proper application timing.

What UAC settings provide the best security for enterprise environments?

For enterprise security, configure ConsentPromptBehaviorAdmin to 5 (prompt for consent for non-Windows binaries), ConsentPromptBehaviorUser to 3 (prompt for credentials), EnableLUA to 1 (enable Admin Approval Mode), PromptOnSecureDesktop to 1 (use secure desktop), and EnableInstallerDetection to 1 (detect installers). This configuration balances security with usability while preventing most privilege escalation attacks and malware installations.

How can I verify that UAC policies are working correctly on managed devices?

Verify UAC policy application using PowerShell: 'Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"' to check registry values. Test UAC behavior by attempting to run applications as administrator and observing prompt behavior. Monitor Intune device compliance reports for policy application status, and check Windows Security event logs (Event ID 4648) for UAC-related authentication events to confirm proper operation.

Written by Emanuel DE ALMEIDA

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
