In this article, you will learn how to customize the default Intune Security Baseline Policy in order to resolve a compatibility issue with Heimdal's Privileged Access Management product/service.
Privileged Access Management relies on the user's membership in the local Administrators group on an endpoint to grant that user temporary permission to act as an Administrator (or to run a file as an Administrator). An Administrator can only run elevated processes or operations if the User Account Control settings allow the elevation prompt; if the prompt behavior is set to deny elevation, those processes will not run.
With the Intune Security Baseline Policy, User Account Control is configured to Automatically deny elevation requests. This conflicts with the Privileged Access Management functionality, because it defeats the purpose of temporarily elevating a standard user to Administrator permissions. Usually, this behavior is seen on an endpoint where the user tries to run a process as Administrator and is shown the following message:
This app has been blocked by your system administrator. Contact your system administrator for more info.
To work around this, you need to edit the Intune Security Baseline Policy that applies to your endpoint(s) so that it allows the Standard user elevation prompt behavior. This can be done by logging in to the Microsoft 365 Admin Center and changing the following settings in the Endpoint Manager:
1. Go to Endpoint security -> Security Baselines -> Security Baseline for Windows 10 and later.
2. The default security baseline policy (profile) is the one named Cloud-Managed PC MDM Security Baseline XX.X.XXXX. Usually, the default profile CANNOT be edited.
3. To work around this, create a new profile (security baseline policy), accepting the default settings provided in each step.
4. The newly created profile (security baseline policy) can be edited, so you can proceed to modify the option in question.
5. To edit the profile, click on it, click Properties, and then click the Edit button next to Configuration settings.
6. In the Local Policies Security Options category, look for Standard user elevation prompt and change that to Prompt for credentials.
7. Hit Review + save and then Save to apply the modified settings.
8. Make sure this new profile (security baseline policy) is applied to your endpoint(s) (or to the group your endpoint is a member of) and wait for the new settings to sync (this takes between 4 and 120 minutes).
The Standard user elevation prompt behavior option will change the User Account Control: Behavior of the elevation prompt for standard user to Prompt for credentials in the Local Group Policy Editor on the endpoint(s).
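To confirm that the modified profile has actually synced to an endpoint after step 8, the following PowerShell script (added here as an example; it is not part of the article or of Heimdal's product) reads the effective UAC policy from the standard Windows policy registry location and reports whether standard-user elevation is still being denied. The registry path and value names are the documented Windows UAC policy storage that both Intune and Group Policy write to; the function name Get-UacElevationState is an assumption.

```powershell
# Added verification script, not part of the original article or of Heimdal's product.
# Reads the effective UAC elevation-prompt policy on an endpoint so you can confirm the
# modified baseline has synced. Assumes the standard Windows UAC policy registry
# location, which both Intune and Group Policy write to (function name is hypothetical).
function Get-UacElevationState {
    $path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $path -ErrorAction Stop

    # Documented values of ConsentPromptBehaviorUser:
    #   0 = Automatically deny elevation requests (what the Intune baseline sets)
    #   1 = Prompt for credentials on the secure desktop
    #   3 = Prompt for credentials (the Windows default when the value is absent)
    $raw = $props.ConsentPromptBehaviorUser
    $userBehavior = if ($null -eq $raw) { 3 } else { [int]$raw }
    $userBehaviorName = switch ($userBehavior) {
        0       { 'Automatically deny elevation requests' }
        1       { 'Prompt for credentials on the secure desktop' }
        3       { 'Prompt for credentials' }
        default { "Unknown ($userBehavior)" }
    }

    # Direct membership of the local Administrators group (well-known SID S-1-5-32-544),
    # compared by SID so localized group and account names do not matter. Nested domain
    # group membership is not expanded by Get-LocalGroupMember.
    $currentSid   = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $isLocalAdmin = $false
    try {
        $members      = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
        $isLocalAdmin = $null -ne ($members | Where-Object { $_.SID.Value -eq $currentSid })
    } catch {
        Write-Verbose "Could not enumerate local Administrators: $_"
    }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        UacEnabled              = ([int]$props.EnableLUA -eq 1)
        StandardUserPromptValue = $userBehavior
        StandardUserPromptName  = $userBehaviorName
        ElevationPossible       = ($userBehavior -ne 0)
        CurrentUserIsLocalAdmin = $isLocalAdmin
    }
}

$state = Get-UacElevationState
$state | Format-List
if (-not $state.ElevationPossible) {
    Write-Warning 'Standard-user elevation is still "Automatically deny": the modified baseline has not synced yet, or the profile is not assigned to this device.'
}
```

Run it in an elevated or a standard session on the endpoint; a StandardUserPromptValue of 3 after the sync window confirms the setting described above has taken effect.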