MicrosoftHotCakeX and MikkelLundKnudsen : I'm repeating myself, but the "Apply UAC restrictions..." setting in the SCT baselines for Windows is "Enabled" (explicitly enforcing Windows' secure default) and has been that way in every SCT Windows baseline since Rick and I added it to the Win8.1/WS2012R2 baselines ten years ago. If you don't believe me, please have a look at the GPO backups yourselves.
The SCT's local-install script provides an install-time option to support remote administration of non-domain systems using local accounts. That option makes three changes from the standard baseline: it changes the "Apply UAC restrictions..." setting to "Disabled," and removes the network and remote-desktop logon restrictions against NT AUTHORITY\LocalAccount. As far as I know, the Intune baselines don't offer a similar option, nor should they need to, since Intune can administer non-domain-joined systems.
