UAC admin prompt for credentials in OOBE

There is a special scenario where you could encounter an UAC prompt during the Out-Of-Box-Experience (OOBE) experience. In my case it included:

• Autopilot reset
• Local policies security options (User Account Control: Behavior of the elevation prompt for standard users)
• Non-English OS language (German, but it might affect other languages too)

UAC prompt asking for credentials of a privileged account

It is interesting that this is related to the language — there is a more or less solved thread in the Microsoft Q&A. (resolution approach with DISM) According to it, the issue should be resolved with Windows 10 2004. The root cause was a Cortana component and any missing language features on demand (FOD) for other languages. I was able to reproduce this with Windows 11 22H2.

User account control settings

The guilty setting is found under the settings catalog “Local Policies Security Options” — setting name: “User Account Control: Behavior of the elevation prompt for standard users” configured to “Prompt for credentials on the secure desktop”.

UAC settings

In Windows advanced boot, you can start a cmd and expore the registry or anything you want. The registry key ConsentPromptBehaviorAdmin is found at this location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\

4 — Prompt for consent
3 — Prompt for credentials
2 — Prompt for consent on the secure desktop
1 — Prompt for credentials on the secure desktop

-> The setting was still configured after an Autopilot reset.

Autopilot reset vs. factory reset

Unfortunately Autopilot reset is not a “real” reset as you might expect. (see official docs) Some artefacts from the previous installation persist, such as registry values and other settings, sometimes even apps. A Windows.old folder is created to store the previous files.

In my opinion Autopilot reset might not be the best way to reset a device. My definition of a reset is, that everything from the user, all system settings and preconfigured configurations get removed, so I can start from blank.

My recommendation is to use the Windows integrated reset option (from advanced startup), or wipe and load the system. If you want to be sure, you should consider another “real” reset tool. You could trigger a wipe from Intune, use an image on a USB drive, or leverage OEM tools to reset the software to factory default.