UAC prompt for standard user does not ask for username on Win11 (but does on Win10) #14
Comments
What Windows version are you on on the W10 machine? April Cumulative?
W10 is on the May 14th update, version is 10.0.19045.4412, and LAPS is working fine on both 10 and 11.
The baseline implements LAPS using the built-in Administrator account, but again, I'm not able to replicate the behaviour on any VM I've tested and always get blank username/password boxes with the ability to use a different account.
No other policies (outside of OIB) being applied. I've found that if I disable the built-in administrator account, the UAC prompt only has a 'no' button - nothing else is configurable. Conversely, if I create a new local account and add it to the local admins group - the UAC prompt then allows me to select from the 2 administrator accounts. So essentially, it is only enumerating the members of the local administrators group. This is reproducible in 2 tenants - including on a freshly Autopilot-deployed machine.
I just found this - suspect it is relevant, as I have enabled passwordless.
I am having the same issue. Only the built-in administrator account is displayed.
I have the same behaviour, UAC appears but only option was to click no until I enabled LAPS on the tenant, now Administrator is selected and I can use the LAPS password. I believe this is expected behaviour with passwordless.
Yes, reading that article it looks like this is intended behavior. Luckily my helpdesk guys do not need to elevate as admin on user devices very often since I have all of our apps packaged to install if needed.
I've got this on multiple devices in multiple tenants, even with LAPS enabled, the sign-in breaks and we're now unable to use the Entra Role for administration.
@SFMextrico I've been doing some testing with some of the Insider CSP settings available for LAPS and if you utilise a different account other than the built-in, you do get the "More choices" dialogue, but still only local accounts are selectable: There is no circumventing this, outside of removing the Passwordless config.
It should be the local administrator, but for some reason when trying to use the LAPS password it throws a password error and the user account gets changed to Azuread\administrator. I didn't know this was caused by the Passwordless experience, I'll try to remove the policy, thanks for the reply. It seems a bit weird that this is the intended use while also having an Entra role for local administrator, imo
I just wanted to share my finding regarding this: while on a device with the passwordless experience configured, you're able to sign in with your Entra admin or any other admin account by simply using "Sign in as another user".
Believe to be related to settings in Win - OIB - Device Security - D - Local Security Policies - v3.0
On Windows 10, UAC prompts for username and password
On Windows 11, UAC prompts for Administrator password
UAC Win10.pdf
UAC Win11.pdf