Purpose
You want to use a Local Administrator account or LAPS account as your Scan and / or Deploy User.
This change affects remote management only. It does not change the User Account Control settings on the targets, which are located at Control Panel > Security and Maintenance > Change User Account Control Settings.
Resolution
Remote UAC can be disabled in the Registry of the target computers. This can be performed locally on the target computer(s) or via GPO.
This resolution assumes the following:
- All Windows Firewall policies are properly applied: Firewall Ports and External Exceptions
- Recommended Antivirus Policies are properly applied: Recommended Antivirus/Antimalware Exclusions for PDQ Products
- The Local Administrator Account or LAPS User credentials have been set and tested locally, and configured in PDQ Deploy and / or PDQ Inventory via Options > Credentials.
- PDQ Deploy does not support LAPS natively. To use a LAPS User account in PDQ Deploy, the option "Use PDQ Inventory Scan User credentials first, when available" will need to be selected when using Deploy Once or when creating a new Schedule.
Disabling Remote UAC on Individual Computers:
- On the target computer(s), open Regedit.exe and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Create/update a DWORD value called LocalAccountTokenFilterPolicy and assign it a value of 1.
- A reboot is recommended but not required; however, restarting the Server service is necessary.
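The steps above as a PowerShell script, run from an elevated prompt on the target computer. This is an added example, not PDQ's own code; it assumes the Server service is addressed by its service name LanmanServer, and the variable and function names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: applies and verifies the registry change described above
# on the local computer, then restarts the Server service.

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'
$Desired   = 1   # 1 = remote connections from local administrator accounts
                 #     receive the full (unfiltered) administrator token

function Get-RemoteUacValue {
    # Returns the current DWORD, or $null when the value does not exist.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

$before = Get-RemoteUacValue

if ($before -ne $Desired) {
    # -Force creates the value or overwrites an existing one, and
    # -PropertyType guarantees it is stored as REG_DWORD.
    New-ItemProperty -Path $KeyPath -Name $ValueName `
        -PropertyType DWord -Value $Desired -Force | Out-Null

    # The article requires restarting the Server service after the change.
    # -Force is needed because other services depend on LanmanServer.
    Restart-Service -Name LanmanServer -Force
}

$after = Get-RemoteUacValue

# Report what changed so the result can be logged or collected centrally.
[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    ValueBefore   = if ($null -eq $before) { '(not set)' } else { $before }
    ValueAfter    = $after
    ServerService = (Get-Service -Name LanmanServer).Status
}

if ($after -ne $Desired) {
    throw "$ValueName is '$after' after the update; expected $Desired."
}
```

Running the script a second time makes no change and skips the service restart, so the report can also be used to audit which computers already have the value set.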
Disabling Remote UAC via Group Policy:
- Open the Group Policy Management Console.
- Under Group Policy Objects, create a new policy and name it accordingly.
- Open the new GPO and navigate to:
Computer Configuration > Preferences > Windows Settings > Right Click Registry > New > Registry Item.
- Configure the following options in the New Registry Properties Window:
  - Action: Update
  - Hive: HKEY_LOCAL_MACHINE
  - Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  - Value Name: LocalAccountTokenFilterPolicy
  - Value Type: REG_DWORD
  - Value Data: 1
- Link the new GPO to any computer OUs that you wish to apply the new settings to.
See Also:
Article - Firewall Ports and External Exceptions
Article - Recommended Antivirus/Antimalware Exclusions for PDQ Products
Article - How It Works: PDQ Deploy
Article - How It Works: PDQ Inventory