M365 Secure Score


How to Disable Administrator Account Enumeration on Elevation

Last updated: May 2026

When a Windows device prompts for elevated privileges, it can expose administrator account names — giving attackers a free list of high-value targets. This guide walks you through disabling administrator account enumeration on elevation, a quick win that improves your Microsoft 365 Secure Score and reduces attacker reconnaissance opportunities.

Estimated time: 15 minutes. Requires Global Administrator or Security Administrator access.

What You'll Achieve

Reduce Account Enumeration Risk
Prevent attackers or malware on a compromised endpoint from harvesting administrator account names via UAC elevation prompts.

Improve Your Secure Score
This control is tracked by Microsoft Secure Score. Completing it gives your organisation measurable, auditable security progress.

Enforce Least Privilege
Hiding admin account names on elevation reinforces least-privilege discipline and makes lateral movement harder for attackers.

Why This Matters

By default, when a user triggers a UAC elevation prompt on Windows, the system displays administrator account names in the credentials dialog. This behaviour allows anyone with physical or remote access to a machine — including malware — to enumerate privileged account names without any authentication. In a targeted attack or ransomware scenario, this reconnaissance step can significantly accelerate lateral movement.

Disabling this enumeration removes a low-effort data source for attackers and is a recommended control under Microsoft's own security baseline. It is one of the faster Secure Score wins available — no licensing upgrade required, and it can be deployed fleet-wide via Intune or Group Policy.

Microsoft flags this as a Secure Score improvement action for all tenants where the control is not yet enforced.

Before You Start

You will need: Global Administrator or Security Administrator role in Microsoft 365; access to Microsoft Intune (preferred) or on-premises Group Policy management; and a change window if deploying to production endpoints.

Step-by-Step Instructions

Follow these steps to disable administrator account enumeration on elevation across your Microsoft 365 tenant.

1. Sign in to the Microsoft Entra admin centre

Go to entra.microsoft.com and sign in with a Global Administrator or Security Administrator account. Confirm you are in the correct tenant before proceeding.

2. Navigate to Microsoft Intune — Endpoint Security

In the Intune admin centre (intune.microsoft.com), go to Endpoint Security > Account Protection. This is the recommended deployment method for cloud-managed devices. For hybrid or on-premises environments, use Group Policy instead (see Step 4).

3. Create or edit an Account Protection policy

Click Create Policy, select Windows 10 and later as the platform, and choose Account Protection as the profile. Give the policy a clear name such as 'Disable Admin Enumeration on Elevation' and proceed to the configuration settings.

4. Set 'Enumerate administrator accounts on elevation' to Disabled

Locate the setting 'Enumerate administrator accounts on elevation' and set it to Disabled. For Group Policy environments, find this under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Assign the policy to your device groups and save.

5. Verify the Secure Score improvement in Microsoft Defender

Go to security.microsoft.com > Secure Score > Improvement Actions and search for the account enumeration control. Once the policy has propagated to devices, Microsoft will automatically detect the control as completed and update your score.

How to Confirm It Worked

  • On a managed Windows device, trigger a UAC elevation prompt — administrator account names should no longer appear in the credentials dialog.
  • In Microsoft Defender (security.microsoft.com > Secure Score > Improvement Actions), the control should show as Completed once policy has propagated.
  • In Intune, check the policy assignment report to confirm the profile has applied successfully to your target device group.
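The manual checks above confirm one device at a time. The following PowerShell script is an added example (not part of this guide and not Technowand's or Microsoft's code) that audits the setting across a list of devices by reading the registry value the 'Enumerate administrator accounts on elevation' policy writes. It assumes the policy is stored as the DWORD value EnumerateAdministrators under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI (0 = names hidden, 1 = names shown), that the script runs with local administrator rights, and that PowerShell Remoting is enabled on any remote hosts it queries. A value that is absent is reported as not configured, because no Intune or Group Policy deployment has written it yet.

```powershell
# Added example: audit whether 'Enumerate administrator accounts on elevation'
# is enforced (disabled) on one or more Windows devices.
# Assumption: the policy writes the DWORD value
#   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators
#   where 0 = disabled (admin names hidden) and 1 = enabled (admin names shown).
# Run as an administrator; remote hosts require PowerShell Remoting.

param(
    # Hostnames to audit; defaults to the local machine only.
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
$valueName = 'EnumerateAdministrators'

# Script block executed on each target; returns one object describing the state.
$check = {
    param($Path, $Name)
    # SilentlyContinue: a missing key or value yields $null rather than an error.
    $value = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name

    if ($null -eq $value)  { $state = 'Not configured (no policy has written the value)' }
    elseif ($value -eq 0)  { $state = 'Enforced (admin names hidden on elevation)' }
    elseif ($value -eq 1)  { $state = 'Enabled (admin names shown on elevation)' }
    else                   { $state = "Unexpected value: $value" }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Value        = $value
        State        = $state
        Compliant    = ($value -eq 0)   # only an explicit 0 counts as enforced
    }
}

$results = foreach ($name in $ComputerName) {
    try {
        if ($name -ieq $env:COMPUTERNAME) {
            & $check $keyPath $valueName
        } else {
            Invoke-Command -ComputerName $name -ScriptBlock $check `
                -ArgumentList $keyPath, $valueName -ErrorAction Stop
        }
    } catch {
        # Unreachable or access denied: report it rather than silently skipping the host.
        [pscustomobject]@{
            ComputerName = $name
            Value        = $null
            State        = "Unreachable: $($_.Exception.Message)"
            Compliant    = $false
        }
    }
}

$results | Sort-Object Compliant, ComputerName | Format-Table -AutoSize

# Non-zero exit code when any device is non-compliant, so the same script can serve
# as an Intune detection script or as a scheduled fleet audit that fails loudly.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run it with no arguments on a managed device to check that device, or pass `-ComputerName` with several hostnames to sweep a group after the Intune or GPO change window. Because only an explicit value of 0 is treated as compliant, a device that simply has not received the policy yet shows up as not configured, which is the state you want to catch before expecting Secure Score to report the control as completed.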

Frequently Asked Questions

What is administrator account enumeration on elevation?

When Windows displays a UAC (User Account Control) elevation prompt, it can show a list of administrator account names for the user to choose from. This behaviour is called administrator account enumeration on elevation. While convenient, it allows anyone — including malware — to harvest privileged account names without authenticating.

Will disabling this setting break anything for end users?

No. End users who need to approve elevation prompts will still see the UAC dialog — they just won't be presented with a list of administrator accounts to choose from. They will need to type the administrator username manually. This is standard behaviour on well-configured enterprise systems.

Can I deploy this without Intune?

Yes. For on-premises or hybrid environments, you can enforce this control via Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > 'Enumerate administrator accounts on elevation' — set this to Disabled and link the GPO to the relevant OUs.

How long does it take for the Secure Score to update after applying the policy?

Microsoft Secure Score typically refreshes within 24–48 hours of the policy being detected on enrolled devices. Intune policy propagation itself usually completes within a few hours depending on device check-in intervals.

Does this control apply to Azure AD joined devices as well as on-premises machines?

Yes. When deployed via Microsoft Intune, the Account Protection policy applies to Azure AD joined and hybrid joined Windows devices. For purely on-premises AD-joined devices not enrolled in Intune, Group Policy remains the deployment method.

Want Us to Handle Your Secure Score Improvements?

Technowand's Microsoft 365 security specialists can assess your current Secure Score, prioritise the highest-impact controls, and deploy them across your tenant — so your team can focus on the business.