RunAs a different user on a passwordless Windows 10 / 11 Device

Remco van Diermen is a Senior Engineer at Prodicom. Remco regularly gets unusual technical questions put to him. This time: RunAs a different user on a passwordless Windows 10 / 11 device.

Some companies are currently investigating passwordless authentication. But the moment you go completely passwordless, you run into the same obstacles. For instance, if you disable the password credential provider in Windows, the option to enter credentials in a UAC prompt is disabled as well.

In this article I will show how you can still run an application (e.g. Windows Terminal) with another account as an Administrator.

The things I already did before encountering this obstacle were:

  • Enrolled a Windows 10 device into Intune
  • Created a Configuration Profile to Enable Windows Hello for Business and assigned it to the Windows 10 device
  • Only enabled the PIN and Trusted Signal options for testing purposes
  • Logged on to the Windows 10 device and enrolled my user into Windows Hello for Business.
  • Created a Custom Profile to disable the Password Credential Provider and assigned it to the Windows 10 device

Prerequisites

  • Windows 10 / 11 Enterprise
  • Intune License

So my Windows 10 VM now only has a PIN option to log on to the device. The password option is removed.

Figure 1: Windows 10 logon screen with the password provider disabled

I log in with my PIN and start CMD.exe as a different user using SHIFT + right-click.

Figure 2: Run an app as a different user

The first thing you notice is that there's no longer an option to enter credentials.

Figure 3: Credential fields are gone

So how do I elevate to another account for troubleshooting purposes? In my case it is an Azure AD joined device. I am logged on as a standard user and I want to change something in cmd as the Cloud Device Administrator.

First, run cmd or PowerShell as the standard user. Within that session, on an Azure AD joined device, run:

Runas /profile /user:AzureAD\youradminaccount@contoso.com cmd.exe

On an AD joined device, run:

Runas /profile /user:YourDomain\youradminaccount cmd.exe

Enter the password and you have started a new cmd.exe session as a different user. But it is still not elevated (Run as Administrator). Therefore, within that new session, run the following command:

Powershell.exe -command "Start-Process cmd \"/k cd /d %cd%\" -Verb RunAs"

Now a UAC prompt will appear and you will be able to click Yes.

Figure 4: UAC Prompt

You are now able to start anything from the elevated CMD prompt as a different user on a passwordless device.

Figure 5: CMD as Administrator on a Passwordless Azure AD Joined Device
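The two steps above can be combined so that the password is typed only once on the runas console prompt and the UAC consent prompt follows immediately. The PowerShell below is an added example written for this article, not the author's own script: it nests the article's Start-Process -Verb RunAs step inside the runas command, and adds a check that the prompt you end up in really carries the administrator account's elevated token. The Domain and Account values are placeholders, and the example assumes the target account is an administrator on the device.

```powershell
# Added example (not from the original article). Wraps the article's two steps
# (runas as another account, then self-elevate through UAC) in one helper and
# adds a verification function. Placeholders: -Domain / -Account are not real
# accounts; the target account is assumed to be an administrator on the device.

function Start-ElevatedCmdAsUser {
    [CmdletBinding()]
    param(
        # Placeholder: UPN on an Azure AD joined device, sAMAccountName on an AD joined one
        [Parameter(Mandatory)]
        [string] $Account,

        # 'AzureAD' for Azure AD joined devices, otherwise the NetBIOS domain name
        [string] $Domain = 'AzureAD',

        # Directory the elevated prompt opens in (the article's "cd /d %cd%")
        [string] $WorkingDirectory = $PWD.Path
    )

    # Quote characters would break the nested command line; refuse them up front.
    if ($WorkingDirectory -match "['`"]") {
        throw "Working directory must not contain quote characters: $WorkingDirectory"
    }

    # The article's step 2 (Start-Process ... -Verb RunAs) becomes the program that
    # step 1 (runas) launches. The password is entered once on the runas console
    # prompt, which still works with the password credential provider disabled,
    # and UAC then shows a Yes/No consent prompt because the new session already
    # belongs to an administrator. cmd's "cd /d" accepts paths containing spaces
    # without quotes, so no nested double quotes are needed anywhere.
    $inner   = "Start-Process -FilePath cmd.exe -ArgumentList '/k cd /d $WorkingDirectory' -Verb RunAs"
    # -NoExit keeps the intermediate window open so a declined UAC prompt
    # ("The operation was canceled by the user") stays visible instead of vanishing.
    $program = "powershell.exe -NoProfile -NoExit -Command $inner"

    Write-Verbose "runas /profile /user:$Domain\$Account `"$program`""
    & runas.exe /profile "/user:$Domain\$Account" $program

    # A non-zero exit code means runas could not start the process
    # (wrong password, account disabled, or account unknown on this device).
    if ($LASTEXITCODE -ne 0) {
        throw "runas failed with exit code $LASTEXITCODE"
    }
}

function Test-ElevatedContext {
    # Run this inside the window that was opened: it reports which account the
    # token belongs to, whether it is an elevated administrator token, and the
    # integrity label (an elevated prompt shows "High Mandatory Level").
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    [pscustomobject]@{
        User           = $identity.Name
        Elevated       = $principal.IsInRole($adminRole)
        IntegrityLabel = (whoami /groups | Select-String 'Mandatory Level' |
                          Select-Object -First 1).Line.Trim()
    }
}

# Usage (placeholder account):
#   Start-ElevatedCmdAsUser -Account 'youradminaccount@contoso.com' -Verbose
# then, from the elevated cmd window, start powershell, dot-source this file
# and run Test-ElevatedContext; Elevated should be True and the label "High".
```

Because every run goes through the Secondary Logon service, each use of this helper leaves a Security log event 4648 (logon attempted using explicit credentials) on the device, which is the record an administrator should expect to see when reviewing who used runas on a passwordless machine. Running Test-ElevatedContext before making changes avoids the easy mistake of typing administrative commands into the standard user's non-elevated window.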

This article first appeared on Remcovandiermen.nl