I recently implemented a group policy in our Windows Domain to enforce Smartcard logins. Specifically, I navigated to: Computer Config - Policies - Windows Settings - Security Settings - Local Policies - Security Options - and set Interactive logon to require either Hello or a Smartcard. While this change is working well for logging in, I've hit a snag. Now, when I try to right-click an application to choose 'Run as Administrator', I get stuck at a Smartcard authentication prompt. I enter my PIN, but I'm met with an 'Elevated Permissions required' error. Has anyone dealt with this issue?
2 Answers
Actually, this is working as designed. Since you've enforced smartcard authentication for all logins, the User Account Control (UAC) looks for that method to elevate privileges, not a username and password. If UAC is asking for a Smartcard login but failing to accept it, there might be a misconfiguration somewhere in your policy. Make sure everything is set correctly for UAC with Smartcards!
It sounds like you're trying to log in with the standard user account associated with your Smartcard certificate. When you just enter your PIN, you're not necessarily using an account with elevated permissions. To fix this, you'll need to set up certificate mapping first and potentially username hints. Check out Microsoft's documentation for specifics on configuring these settings!
I understand, but I can enter my Smartcard details during the UAC prompt and still get denied. It feels like there's a missing link somewhere.