Information
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to:
%ProgramFiles%
%windir%
%windir%\System32
HKEY_LOCAL_MACHINE\SOFTWARE
The recommended state for this setting is: Enabled.
Rationale:
This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations.
Impact:
None - this is the default behavior.
Solution
To establish the recommended configuration, set the following Device Configuration Policy to Enabled:
To access the Device Configuration Policy from the Intune Home page:
Click Devices
Click Configuration profiles
Click Create profile
Select the platform (Windows 10 and later)
Select the profile (Endpoint protection)
Click Create
Enter a Name
Click Next
Configure the following Setting
Path: Endpoint protection/Local device security options/User account control
Setting Name: Virtulize file and registry write failures to per-user locations
Configuration: Enabled
Select OK
Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)
Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.
Note #2: This setting can also be created via a Custom Configuration Profile using the following OMA-URI:
Name: <Enter name>
Description: <Enter Description>
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
Data type: Integer
Value: 1
Select OK
Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)
Default Value:
Enabled. (Application write failures are redirected at run time to defined user locations for both the file system and registry.)