Ever thought about whether your end users really think before clicking?

How often do your end users (who have local administrator rights in some way) just install stuff without thinking?

To start with, your end users should not be local administrators on their machines, but many still are. And where they are not administrators all the time, lots of companies have solutions that let end users elevate themselves for a certain time frame.

So let's make them think one extra time before installing stuff that requires administrator privileges on their machine, by forcing them to type their username and password instead of just clicking “Yes/No”.

One way to do this is to use the Registry to force UAC to prompt for username and password.

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 1

For several of my customers I deploy this registry setting to the end users using Endpoint Manager (Intune), and this is really easy!

Head into Endpoint Manager (Intune)

  1. https://endpoint.microsoft.com
  2. Dive into “Device”, choose “Scripts” and hit “+ Add”.
  3. Give it a “Name” and “Description”, then hit next.
  4. Upload the script (see the code block above and save it as .ps1).
  5. Leave all settings at “No”.
  6. Assign it to “All Devices”, hit next and add!

Now all your devices will get this deployed, and after the next reboot your users will need to provide both username and password to be able to install something that requires administrative rights.
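A more defensive version of the one-line script above, as an added example that is not part of the original post: it writes the value only when it differs, reads it back, and exits non-zero on failure so the deployment can report it. Opening the 64-bit registry view explicitly and the `EnableLUA` check are additions assumed here, not steps from the post.

```powershell
# Added example: idempotent, self-verifying variant of the one-line script.
$subKey   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name     = 'ConsentPromptBehaviorAdmin'
$desired  = 1      # 1 = prompt for credentials on the secure desktop
$exitCode = 0
$hklm = $null
$key  = $null

try {
    # Open the 64-bit view explicitly so the result does not depend on
    # whether the script is started in a 32-bit or 64-bit PowerShell host.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)

    # Opens the key writable (and creates it if it is missing).
    $key = $hklm.CreateSubKey($subKey)

    $current = $key.GetValue($name, $null)
    if ($current -ne $desired) {
        $key.SetValue($name, $desired, [Microsoft.Win32.RegistryValueKind]::DWord)
        Write-Output "$name changed from '$current' to $desired"
    } else {
        Write-Output "$name already set to $desired"
    }

    # Read the value back instead of trusting the write.
    $check = $key.GetValue($name, $null)
    if ($check -ne $desired) { throw "verification failed, value is '$check'" }

    # If UAC itself is switched off, the prompt behaviour has no effect.
    $lua = $key.GetValue('EnableLUA', $null)
    if ($lua -ne 1) { Write-Output "Warning: EnableLUA is '$lua', UAC prompts may not appear" }
}
catch {
    Write-Output "Could not enforce ${name}: $($_.Exception.Message)"
    $exitCode = 1
}
finally {
    if ($key)  { $key.Dispose() }
    if ($hklm) { $hklm.Dispose() }
}

exit $exitCode
```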