Disable Remote UAC for Local Admin/LAPS Accounts

Purpose

You want to use a Local Administrator account or LAPS account as your Scan and / or Deploy User. 

Note: This applies to remote management only and does not change the User Account Control settings on the targets, which are located at Control Panel > Security and Maintenance > Change User Account Control Settings.

Resolution

Remote UAC can be disabled in the Registry of the target computers. This can be performed locally on the target computer(s) or via GPO.

This resolution assumes the following:

  • All Windows Firewall policies are properly applied: Firewall Ports and External Exceptions
  • Recommended Antivirus Policies are properly applied: Recommended Antivirus/Antimalware Exclusions for PDQ Products
  • The Local Administrator Account or LAPS User credentials have been set and tested locally, and configured in PDQ Deploy and / or PDQ Inventory via Options > Credentials
    • PDQ Deploy does not support LAPS natively. To use a LAPS User account in PDQ Deploy, the option "Use PDQ Inventory Scan User credentials first, when available" will need to be selected when using Deploy Once or when creating a new Schedule.

Disabling Remote UAC on Individual Computers:

  • On the target computer(s), open Regedit.exe and navigate to: 
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
      • Create a DWORD value called LocalAccountTokenFilterPolicy and assign it a value of 1.
  • A reboot is recommended but not required; however, restarting the Server service is necessary.
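
The local steps above as a PowerShell script, for an elevated session on the target. This is an added example, not PDQ's own code: the function names are hypothetical, and LanmanServer is the service name behind the "Server" service. It records the value before and after the change so the result can be audited or reverted.

```powershell
#Requires -RunAsAdministrator
# Added example (not from PDQ). Registry path and value name are the ones given on this page.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacState {
    # Returns the current DWORD, or $null when the value is absent
    # (absent or 0 = remote logons by local accounts receive a filtered token).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-RemoteUacDisabled {
    # Hypothetical helper: sets the value to 1 only if needed, optionally restarts
    # the Server service, and returns a before/after record.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$RestartServerService)

    $before = Get-RemoteUacState
    if ($before -ne 1) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD to 1')) {
            # 1 = every local account in the Administrators group gets a full token remotely.
            New-ItemProperty -Path $KeyPath -Name $ValueName `
                -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
    if ($RestartServerService -and
        $PSCmdlet.ShouldProcess('LanmanServer', 'Restart service')) {
        # -Force also restarts services that depend on Server.
        Restart-Service -Name LanmanServer -Force
    }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Before       = if ($null -eq $before) { 'not set' } else { $before }
        After        = Get-RemoteUacState
        ServerStatus = (Get-Service -Name LanmanServer).Status
    }
}

# Preview the change first, then apply it.
Set-RemoteUacDisabled -RestartServerService -WhatIf
Set-RemoteUacDisabled -RestartServerService
```

Keeping the `Before` value from each machine gives a record of which targets had the setting changed for PDQ and what to restore if the Scan or Deploy User is later switched to a domain account.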

Disabling Remote UAC via Group Policy:

  • Open the Group Policy Management Console.
  • Under Group Policy Objects, create a new policy and name it accordingly.
  • Open the new GPO and navigate to:
    • Computer Configuration > Preferences > Windows Settings > Right Click Registry > New > Registry Item
      • Configure the following options in the New Registry Properties Window:
        • Action: Create
        • Hive: HKEY_LOCAL_MACHINE
        • Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
        • Value Name: LocalAccountTokenFilterPolicy
        • Value Type: REG_DWORD
        • Value Data: 1
  • Link the new GPO to any computer OUs that you wish to apply the new settings to.

See Also: 

Article - Firewall Ports and External Exceptions

Article - Recommended Antivirus/Antimalware Exclusions for PDQ Products

Article - How It Works: PDQ Deploy

Article - How It Works: PDQ Inventory

 
