Remco van Diermen is Senior Engineer at Prodicom. Remco is regularly presented with unusual technical questions. This time: RunAs a different user on a passwordless Windows 10 / 11 device.
A number of companies are currently investigating passwordless authentication. But the moment you go completely passwordless, you run into some obstacles. For instance, if you disable the password credential provider in Windows, the option to fill in credentials in a UAC prompt is disabled as well.
In this article I will show how you can still run an application (e.g. Windows Terminal) as another account, elevated as an Administrator.
The things I had already done before encountering this obstacle were:
- Enrolled a Windows 10 device into Intune
- Created a Configuration Profile to enable Windows Hello for Business and assigned it to the Windows 10 device
- Only enabled the PIN and Trusted Signal options, for testing purposes
- Logged on to the Windows 10 device and enrolled my user into Windows Hello for Business
- Created a Custom Profile to disable the Password Credential Provider and assigned it to the Windows 10 device
The prerequisites for this setup:
- Windows 10 / 11 Enterprise
- Intune license
So my Windows 10 VM now only has a PIN option to log on to the device. The password option is removed.
I log in with my PIN and start cmd.exe as a different user via SHIFT + right-click ("Run as different user").
The first thing you notice is that there is no longer an option to fill in credentials.
So how do I elevate to another account for troubleshooting purposes? In my case it is an Azure AD joined device. The logged-on user is a standard user and I want to change something in cmd as the Cloud Device Administrator.
First, run cmd or PowerShell as the standard user. Within that session, on an Azure AD joined device, you run:
Runas /profile /user:AzureAD\firstname.lastname@example.org cmd.exe
On an AD joined device you run:
Runas /profile /user:YourDomain\youradminaccount cmd.exe
Enter the password and you have started a new cmd.exe session as a different user (runas prompts for the password on the console, so it is not affected by the disabled credential provider). But that session is still not elevated ("Run as Administrator"). Therefore, within that new session, run the following command:
Powershell.exe -command "Start-Process cmd \"/k cd /d %cd%\" -Verb RunAs"
Now a UAC prompt appears and, because the account is already an administrator, it only asks for consent: you can simply click Yes.
You are now able to startup anything from the elevated CMD prompt as a different user on a passwordless device.
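As an added example (not code from the original article), the following PowerShell script wraps the two steps above into one function and adds a check to confirm that the resulting session is really elevated. The account names and the $Program value are placeholders; the only other assumption is that runas.exe and Start-Process behave as they do on a stock Windows 10 / 11 Enterprise installation. It goes slightly beyond the article by starting the elevated shell in a single runas call instead of two manual steps, and by verifying the outcome.

```powershell
# Added example: combine "runas as another user" and "elevate via UAC consent"
# on a device where the password credential provider is disabled.
# Placeholders: $User and $Program; replace with your own values.

function Start-ShellAsOtherUser {
    [CmdletBinding()]
    param(
        # Azure AD joined: 'AzureAD\firstname.lastname@example.org'
        # AD joined:       'YourDomain\youradminaccount'
        [Parameter(Mandatory)]
        [string]$User,

        # Program to start in the other user's session; cmd.exe by default.
        [string]$Program = 'cmd.exe',

        # Also request elevation (UAC consent) right away.
        [switch]$Elevate
    )

    if ($Elevate) {
        # The inner PowerShell runs as $User (not yet elevated) and asks UAC for
        # consent. Because $User is already an administrator, UAC only needs a
        # "Yes" click, so no credential entry is required on the passwordless device.
        # The elevated shell starts in the current directory, like the article's %cd%.
        $inner = "Start-Process -FilePath '$Program' -ArgumentList '/k cd /d `"$PWD`"' -Verb RunAs"

        # -EncodedCommand sidesteps the nested-quoting problem of passing a
        # PowerShell command line through runas.exe. Note that many EDR/SIEM
        # rules alert on -EncodedCommand; for a permanent admin tool, put the
        # inner command in a .ps1 file and use -File instead.
        $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
        $cmdLine = "powershell.exe -NoProfile -EncodedCommand $encoded"
    }
    else {
        $cmdLine = $Program
    }

    # runas.exe prompts for the password on the console. This path does not use
    # the (disabled) password credential provider, so it still works.
    & runas.exe /profile "/user:$User" $cmdLine
}

function Test-IsElevated {
    # Returns $true when the current token holds the Administrators role,
    # i.e. the session really went through UAC and is not merely "another user".
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Usage, from the standard user's (non-elevated) shell:
#   . .\Start-ShellAsOtherUser.ps1
#   Start-ShellAsOtherUser -User 'AzureAD\firstname.lastname@example.org' -Elevate
# In the window that opens after clicking Yes in the UAC prompt, verify:
#   whoami                                   # should show the administrator account
#   powershell -NoProfile -Command ". .\Start-ShellAsOtherUser.ps1; Test-IsElevated"   # True
```

Without -Elevate the function behaves exactly like the article's first step and gives you a non-elevated shell as the other user, which is often enough for read-only troubleshooting; only reach for -Elevate when the task actually needs administrator rights.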
This article first appeared on Remcovandiermen.nl