Autopilot Windows 11 (Host Process for Windows Services) constantly notification

Frequent Contributor

Started having this issue on newly enrolled Windows 11 devices in Autopilot.

No changes have been made and never had this issue before.

 

Devices enrolled before does not have this issue, wiping a device or running fresh start same issue

 

UAC shows up constantly.

2022-08-10 12_17_00-Windows 11 Autopilot on DESKTOP-VCQ6Q31 - Virtual Machine Connection.png2022-08-10 12_17_16-Windows 11 Autopilot on DESKTOP-VCQ6Q31 - Virtual Machine Connection.png

11 Replies
No one?

I seem to get this issue when I run a Autopilot Reset
Seems that the Security Baseline setting Local Policies Security Options > Administrator elevation prompt behavior might have been the issue, my last setting was "Prompt for credentials on secure desktop"

Setting it to Prompt for consent on non-Windows binaries seems to have solve it, at least on my current tests
I assume you are deploying some drivers to the device when its enrolled into Autopilot? care to show us how you are doing this? as normally that uac prompt shouldn't be shown (depends of course on the config... but... )
Thank you for answering but I'm not deploying any drivers.
I never had this issue before, just started showing on my test device, did no changes to my configs. Windows 11.

But never had the issue before did multiple re-deploys of test machine no issues then it just started to happen, not sure if it's an update in Windows 11 that is causing it or why really. Still testing now multiple scenarios after I changed my security baseline to see if I can replicate it, currently it seems to have gone away.
Was deviceguard enabled in the baseline? As the screenshot mentions the driver purpose…. Also no wufb with drivers enabled? (Just checking)

@Rudy_Ooms_MVP 

 

The issue just showed up again.

I have had over 25 devices no issues, now it just started happening on new devices, no changes have been done.

 

JimmyWork_0-1661277193412.png

JimmyWork_1-1661277228431.png

 

On my test device I did run a Wipe. Everything went fine no prompt during OOBE.

Then when I tested to make the logged in user an admin using PIM the issue showed up twice again.

 

Is there any logs I can check why its prompting me, like event viewer or something?

 

New information.
Most likely some kind of police that creates this issue.

New test device, user is Admin.
Co-Managed, when move into Intune and applied the Intune policies the user got.

UAC prompt: Host Process for Windows Services.
Any input on how I can track down whats triggering the UAC, what logs to check etc?
We are installing the Quick Assist tool, but I need to confirm that this is the reason why they are getting the prompt. So any details on how I can check the logs, locally or using Advanced Hunting would be much appreciated.

https://call4cloud.nl/2022/05/the-100-year-old-quick-assist-tool-who-climbed-out-the-window-and-disa...
Maybe you can use "ProcessTokenElevation" in the "DeviceProcessEvents" table to find processes with elevation, but I doubt that'll give you an answer. Isn't it easier to just exclude the device/user from the app and test if the UAC-prompt disappears?
That would indeed be an easy test :).. just exclude the app from 1 test user and enroll a device :)
Will try this on next batch of users and report it back. Right now they only need to click it once so I mean it is OK but not good.