UAC Prompt Does Not Have Use the "Use a different account" Option
Posted by therealconjon@reddit | sysadmin | View on Reddit | 4 comments
I am fairly new at this company, and before I joined a few months ago they have implemented Intune. They set up a security baseline and some configuration profiles and pushed them to every machine. The "Use a different account" in a UAC prompt is gone. On a non-virtual machine with Windows Hello you can use the biometrics option to authenticate as a local admin but if you are on a virtual azure machine or Windows 365 or want to use a different user account it is impossible to enter those credentials manually. You have to use the local admin LAPs account which is really annoying especially for helpdesk.
I was hoping someone could give me some ideas on what configuration setting or security baseline setting is causing this. I know they should not have pushed these out before testing but I joined too late to stop that.
I also know for sure it's a configuration profile or security baseline because if I add a machine to Intune without applying our device configuration group, that "Use a different account" option is there.
If I'm missing any details, please ask questions to clear anything up.
PTCruiserGT@reddit
Sounds like someone enabled passwordless experience. Just had to fix this for a client.
therealconjon@reddit (OP)
What's the fix? Disable Passwordless Experience? Is there an easy way to disable it if it's already enabled? You mentioned fixing this for a client so I'm just hoping you could let me know what steps you took to fix it. :)
PTCruiserGT@reddit
Per Microsoft recommendations we had to configure LAPS and have them start using local administrator accounts.
https://learn.microsoft.com/en-us/windows/security/identity-protection/passwordless-experience/#recommendations
trueg50@reddit
Here you go:
How User Account Control works | Microsoft Learn
I believe what you are seeing is also the default behavior if you are using the MS Hardening baseline. Why this is I am not sure.