Some of our customers have asked whether Windows administrators can receive an MFA prompt for every administrative action (for example, when deleting an Active Directory user) even when they are logged in as an administrator. While Rublon MFA for Windows secures local logons and Remote Desktop sessions with multi-factor authentication (MFA), prompting for MFA on each individual admin action is not supported out of the box.
Is True MFA on Every Admin Action Possible?
Although you can adjust Windows system policies to require a UAC prompt for every administrative task, this approach only adds a password re-entry step at the moment a process requests elevation (which can trigger a Rublon MFA challenge, because the credential prompt invokes the Windows credential providers). It does not provide true per-action MFA: once a process is elevated, everything it does runs without further prompts. Rublon MFA for Windows is designed to secure initial logon and RDP sessions, not to enforce MFA for each individual administrative operation once logged in.
What Can You Do?
Windows includes User Account Control (UAC) as a built-in mechanism to protect administrative tasks. By default, standard users are prompted for administrator credentials when an elevated action is attempted, whereas administrators running in Admin Approval Mode only see a consent prompt (Yes/No) and never re-enter a password. You can change system policies so that administrators are instead shown a credential prompt (which requires re-entering an administrator password) for every elevation request.
How to Enforce a UAC Prompt for Administrators
If you have the Rublon MFA for Windows Logon & RDP connector installed, enforcing a credential prompt for admin actions can fulfill the requirement of administrators being prompted for MFA on each UAC elevation.
Standalone or locally managed systems: Use gpedit.msc.
Local Active Directory: Use GPMC to deploy the settings through a domain GPO.
Entra ID/Azure AD with Intune: Use configuration profiles in the Microsoft Intune admin center (formerly Microsoft Endpoint Manager admin center).
For detailed instructions on enforcing a UAC Prompt for administrators, refer to the step-by-step instructions below. For more information, refer to the official Microsoft documentation: User Account Control settings and configuration | Microsoft Learn.
For Standalone or Locally Managed Systems
Follow these steps to adjust UAC settings via the Local Group Policy Editor:
1. Open the Local Group Policy Editor:
Press Windows+R, type gpedit.msc, and press Enter.
2. Navigate to the Security Options:
In the Local Group Policy Editor, go to: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
3. Modify the Elevation Prompt Behavior:
Double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode and change its value to Prompt for credentials on the secure desktop. This forces administrators to enter their password whenever a process requests elevation. Unlike the Windows default (Prompt for consent for non-Windows binaries), this setting also prompts for signed Windows binaries that would otherwise auto-elevate. Behind the scenes the policy sets ConsentPromptBehaviorAdmin to 1 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
4. Verify Additional UAC Settings (Optional):
Ensure User Account Control: Run all administrators in Admin Approval Mode is set to Enabled. If it is disabled, UAC is effectively off and no elevation prompts are shown at all.
Keep User Account Control: Switch to the secure desktop when prompting for elevation set to Enabled (the default) so that the prompt is shown on the secure desktop regardless of the prompt behavior selected.
If the built-in Administrator account (RID 500) is used for administration, also enable User Account Control: Admin Approval Mode for the Built-in Administrator account. By default that account is excluded from Admin Approval Mode and therefore never receives an elevation prompt.
5. Apply and Restart:
Click Apply and then OK to save your changes, then close the Local Group Policy Editor. Restart the computer for the changes to take effect; in particular, a change to Run all administrators in Admin Approval Mode only applies after a reboot.
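The steps above can also be applied and, more usefully, audited from PowerShell. The following script is an added example (it is not from the Rublon article or the Rublon connector): it reads the registry values that back the four Security Options listed above, applies the hardened values, and reports whether the machine matches the desired state. The registry key and value names are the documented backing store for these policies; which values to enforce, and the inclusion of the built-in Administrator setting, are this example's assumptions. Run it from an elevated PowerShell session on the standalone machine.

```powershell
# Added example (not Rublon's code): apply and audit the UAC policy values
# described in the article on a standalone / locally managed machine.
#Requires -RunAsAdministrator

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin maps to "Behavior of the elevation prompt for
# administrators in Admin Approval Mode":
#   0 = Elevate without prompting               3 = Prompt for credentials
#   1 = Prompt for credentials on the secure desktop (the article's target)
#   2 = Prompt for consent on the secure desktop   4 = Prompt for consent
#   5 = Prompt for consent for non-Windows binaries (Windows default)
# Assumption of this example: all four values below are enforced together.
$Desired = [ordered]@{
    ConsentPromptBehaviorAdmin = 1   # password entry -> credential providers (Rublon) are invoked
    EnableLUA                  = 1   # Run all administrators in Admin Approval Mode
    PromptOnSecureDesktop      = 1   # Switch to the secure desktop when prompting for elevation
    FilterAdministratorToken   = 1   # Admin Approval Mode for the built-in Administrator account
}

function Get-UacState {
    # Current values; a missing value is reported as $null (meaning "Windows default").
    $result = [ordered]@{}
    foreach ($name in $Desired.Keys) {
        $item = Get-ItemProperty -Path $UacKey -Name $name -ErrorAction SilentlyContinue
        $result[$name] = if ($null -ne $item) { $item.$name } else { $null }
    }
    return [pscustomobject]$result
}

function Test-UacHardened {
    # $true only when every value equals the desired state.
    $state = Get-UacState
    foreach ($name in $Desired.Keys) {
        if ($state.$name -ne $Desired[$name]) { return $false }
    }
    return $true
}

function Set-UacHardened {
    $before = Get-UacState
    foreach ($name in $Desired.Keys) {
        # New-ItemProperty -Force creates the value if it is missing and overwrites it otherwise.
        New-ItemProperty -Path $UacKey -Name $name -PropertyType DWord -Value $Desired[$name] -Force | Out-Null
    }
    # EnableLUA is only read at boot; the prompt-behavior value is read at each elevation.
    if ($before.EnableLUA -ne 1) { Write-Warning 'EnableLUA was changed: a restart is required.' }
}

'Before:'; Get-UacState | Format-List
Set-UacHardened
'After:';  Get-UacState | Format-List
"Hardened: $(Test-UacHardened)"
```

Test-UacHardened on its own is a convenient check to run after a reboot, or to schedule periodically, because anyone with local admin rights can silently set ConsentPromptBehaviorAdmin back to 0 and remove the prompt.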
For Domain Environments Using Active Directory
Follow these steps to adjust UAC settings via the GPMC:
1. Open Group Policy Management Console (GPMC):
On a domain controller, or on a management workstation with the Group Policy Management RSAT feature installed, open the GPMC (gpmc.msc).
2. Create a New Group Policy Object (GPO):
Right-click on your domain or the desired Organizational Unit (OU) and choose Create a GPO in this domain, and Link it here…
Name it (e.g., “Enforce UAC Prompt for Admin Actions”).
3. Edit the GPO:
Right-click the new GPO and select Edit.
Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options
4. Configure the UAC Setting:
Set User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode to Prompt for credentials on the secure desktop. This forces administrators to enter their password whenever an elevated action is initiated.
5. Link and Deploy the GPO:
Link the GPO to the appropriate OU containing your target computers.
On the target computers, force a Group Policy update with gpupdate /force or wait for the next policy refresh. Verify the result with gpresult /r (the GPO should be listed under Applied Group Policy Objects) or by checking that ConsentPromptBehaviorAdmin is 1 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
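The same GPO can be created, populated and linked with the GroupPolicy PowerShell module instead of clicking through GPMC. The script below is an added example, not part of the Rublon article or product; it assumes the GroupPolicy module is available (domain controller or RSAT) and that the OU distinguished name is replaced with your own. Note a design difference from the GPMC steps: Set-GPRegistryValue stores the values in the GPO's registry.pol (applied by the Registry client-side extension and shown in GPMC reports under Extra Registry Settings) rather than in the Security Options template, but the values land in the same HKLM key that UAC reads, so the effect on the client is the same.

```powershell
# Added example (not Rublon's code): deploy the UAC values through a domain GPO
# with the GroupPolicy module. Run as a user who can create and link GPOs.
#Requires -Modules GroupPolicy
Import-Module GroupPolicy

$GpoName  = 'Enforce UAC Prompt for Admin Actions'        # name used in the article
$TargetOu = 'OU=Admin Workstations,DC=corp,DC=example'    # assumption: replace with your OU
$UacKey   = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Same values as the Security Options in the article (assumption: all four enforced).
$Values = [ordered]@{
    ConsentPromptBehaviorAdmin = 1   # Prompt for credentials on the secure desktop
    EnableLUA                  = 1   # Run all administrators in Admin Approval Mode
    PromptOnSecureDesktop      = 1   # Switch to the secure desktop when prompting for elevation
    FilterAdministratorToken   = 1   # Admin Approval Mode for the built-in Administrator account
}

# Create the GPO only if it does not already exist (idempotent re-runs).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'UAC: prompt for credentials on the secure desktop for admins'
}

# Write each value into the GPO's machine registry policy (registry.pol).
foreach ($name in $Values.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $UacKey -ValueName $name `
        -Type DWord -Value $Values[$name] | Out-Null
}

# Link the GPO to the OU holding the target computers, unless already linked.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Read back what the GPO now contains and flag any value that is not as intended.
$configured = Get-GPRegistryValue -Name $GpoName -Key $UacKey
foreach ($name in $Values.Keys) {
    $entry = $configured | Where-Object { $_.ValueName -eq $name }
    $ok = ($null -ne $entry) -and ($entry.Value -eq $Values[$name])
    '{0,-28} {1}' -f $name, $(if ($ok) { 'OK' } else { 'MISSING OR WRONG' })
}
```

After the script completes, run gpupdate /force on a computer in the OU and confirm with Get-ItemProperty that the four values are present under the Policies\System key; they are then enforced by Group Policy and reapplied at every refresh even if a local administrator changes them.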
For Organizations Using Entra ID (Azure AD) with Microsoft Intune
1. Sign in to the Microsoft Intune Admin Center:
Go to the Microsoft Intune admin center (formerly the Microsoft Endpoint Manager admin center).
2. Create a New Configuration Policy:
Navigate to Devices → Windows → Configuration.
Create a new configuration profile for Windows 10 and later using the Settings catalog profile type. The UAC policies are Security Options delivered through the LocalPoliciesSecurityOptions CSP; they are not part of the Administrative Templates (ADMX) profile type.
3. Configure the UAC Setting:
In the Settings catalog, add the setting User Account Control Behavior Of The Elevation Prompt For Administrators from the Local Policies Security Options category and set it to Prompt for credentials on the secure desktop. This forces administrators to enter their password whenever a process requests elevation. The remaining UAC settings mentioned in the standalone procedure (Run all administrators in Admin Approval Mode, Switch to the secure desktop, Admin Approval Mode for the built-in Administrator account) are in the same category. Equivalently, a custom profile can set the OMA-URI ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators to the integer value 1.
4. Assign the Policy:
Assign the policy to the appropriate groups/devices and ensure the devices sync so that the new settings are applied.
Known Limitations
Not True Per-Action MFA: Enforcing credential prompts requires re-entering the admin password (and completing a Rublon MFA challenge) when a process requests elevation. The prompt appears when opening the admin tool or window, not during each administrative action; once a console or elevated PowerShell window is open, everything done in it runs without further prompts until it is closed.
Timing of the Prompt: The additional authentication occurs at the moment an elevated process is started (for example, opening the management console), not at the moment of executing each specific operation (such as deleting a user in Active Directory).
Local Elevation Only: UAC governs elevation on the local computer. Tools that act on another system with the user's existing domain token do not need local elevation, so they trigger no prompt: the Active Directory Users and Computers snap-in or Remove-ADUser run from an unelevated session on a management workstation can still delete an AD user over LDAP, and network logons (WinRM, SMB, RPC) to the target server are not interactive or RDP logons and are therefore not covered by Rublon MFA for Windows Logon & RDP.
Built-in Administrator: The built-in Administrator account is excluded from Admin Approval Mode unless User Account Control: Admin Approval Mode for the Built-in Administrator account is enabled, so it receives no prompts at all under the default settings.
Helpful Links
When are users challenged for Rublon MFA in Windows Logon & RDP?
User Account Control settings and configuration | Microsoft Learn