Question
Tuesday, May 23, 2017 3:35 PM
Hi all,
We are managing UAC for Windows 10 (1607) machines via GPO. Here is a screenshot:
The UAC settings above are applied to the following types of client machine.
Client machine type 1: The user is a member of the local admin group.
Issue: There is no problem for this kind of client with the UAC settings above. The one difference from Windows 7 is that if the user runs 'regedit.exe', the UAC message "Do you want to allow this app to make changes to your device?" appears first. But this is fine. It gets more interesting when we check client machine type 2.
Client machine type 2: The user is NOT a member of the local admin group.
If I want to open the Task Manager on this type of client machine, then it first asks me to enter the Windows password. After that the Task Manager opens.
But exactly that is very strange. I don't want this prompt for a Windows password beforehand.
So I did some research on how to solve that problem. I was able to find the following limited workaround:
Changing the UAC setting "User Account Control: Run all administrators in Admin Approval Mode" from "Enabled" to "Disabled" solves just a part of this issue. What does that mean? It means that a user who is not in the local admin group was able to open the Task Manager without first entering the user password, BUT the worse problem is that both client machine types (1 & 2) were no longer able to run Windows Store apps (Edge, for example). There was always the message "This app can't open".
So in the end the change of this UAC setting was useless.
How can I make sure that, on the one hand, a user without local admin permission is able to open the Task Manager without first entering the password and, on the other hand, the user is still able (at the same time) to work with Windows Store apps?
Please let me know if more information is needed. Thank you in advance.
All replies (9)
Wednesday, May 24, 2017 2:59 AM
Hi ea001,
I am using the following configuration. The standard user could open task manager without inputting admin password and the metro apps could be opened well.
Best regards
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Wednesday, May 24, 2017 6:50 PM
Hi MeipoXu
Thank you for the quick reply. I will try this setting and give you feedback.
Friday, June 2, 2017 7:30 AM
Hi MeipoXu
Sorry for the delay - I was not able to test the configuration until today.
So I have applied this configuration to our environment. Unfortunately the message for entering the credentials is still here. So it doesn't solve this problem.
At the moment I have no idea why this happens.
Monday, June 5, 2017 9:12 AM
Hi ea001,
How did you open the task manager (Ctrl+Alt+Delete)?
Please restart the machine for the GPO to take effect after you have configured it. Run "gpresult /h C:\gpresult.html" to confirm the GP result.
To analyze the issue deeply, we could try to use Process Monitor to capture the whole process. Upload the package to OneDrive and paste the link here.
Best regards
Wednesday, June 7, 2017 11:41 AM
Hi MeipoXu
Thanks for the reply.
So what I did first of all was move my test machine into an OU without any settings regarding UAC. There I was able to open Task Manager, the registry, device management etc. without being asked for credentials.
The next step was to apply these settings over GPO, run a gpupdate on the client machine and restart it. After that it was not possible to open these apps directly. So I have to enter the credentials first.
- Task manager with shortcut on the desktop --> Not OK, I have to enter credentials first
- Start > Run > regedit.exe --> Not OK, I have to enter credentials first
- Computer management --> Not OK, I have to enter credentials first
- CTRL + ALT + ESC -> Not OK, I have to enter credentials first
So what I found as workaround is to set a system variable called "__COMPAT_LAYER=RunAsInvoker".
After a reboot I get the following situation:
- Task manager with shortcut on the desktop --> OK, no credentials are asked for beforehand
- Start > Run > regedit.exe --> OK, no credentials are asked for beforehand
- Computer management --> OK, no credentials are asked for beforehand
- CTRL + ALT + ESC -> Not OK, I have to enter credentials first
It's nice to see that something changes when setting this variable. But I have to manage over 200 clients, so I don't think that this is the right solution for my problem.
Regarding the points that you mentioned:
- "gpresult /h C:\gpresult.html" -> Shows me just the GPOs which are applied to the user (not the computer) - so I don't see the GPO which has the task of applying the UAC settings
- Process Monitor: never used that, I will check if I can handle it and find more information.
Friday, June 9, 2017 8:48 AM
Hi ea001,
Is the UAC configured as the default level?
Try to configure the GPO:
User Account Control: Behavior of the elevation prompt for standard users (automatically deny elevation requests).
Since setting a system variable called "__COMPAT_LAYER=RunAsInvoker" works, we could try to deploy a startup script GPO or a scheduled task for all the machines. Save the following command as a .bat file.
cmd /min /C "set __COMPAT_LAYER=RUNASINVOKER && start "" %1"
Best regards
Thursday, June 15, 2017 1:35 PM
Hi MeipoXu
Yes, the UAC was on the default level - so it means that at first no UAC was applied over GPO (it works); after that I applied your recommended configuration, and then the result was not fine.
So what I tried was to set:
User Account Control: Behavior of the elevation prompt for standard users (automatically deny elevation requests)
But unfortunately there is then an error message which says "this program was blocked by the administrator. please contact your administrator for further information".
Regarding "__COMPAT_LAYER=RUNASINVOKER", as I wrote - this does not solve my whole problem:
- Task manager with shortcut on the desktop --> OK, no credentials are asked for beforehand
- Start > Run > regedit.exe --> OK, no credentials are asked for beforehand
- Computer management --> OK, no credentials are asked for beforehand
- CTRL + SHIFT + ESC -> Not OK, I have to enter credentials first
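One way to confirm on a client which of the UAC settings discussed in this thread actually took effect, and whether the machine-wide `__COMPAT_LAYER` variable is present; this is an added example, not part of any post in the thread. The registry value names are the standard ones that back these policies; the function name `Get-UacPolicyReport` is made up for this example.

```powershell
# Added example (not from the thread): report the effective UAC policy on a client.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value -> the GPO setting it backs and the meaning of each number.
$uacSettings = [ordered]@{
    EnableLUA = @{
        Policy = 'Run all administrators in Admin Approval Mode'
        Values = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
    ConsentPromptBehaviorUser = @{
        Policy = 'Behavior of the elevation prompt for standard users'
        Values = @{ 0 = 'Automatically deny elevation requests'
                    1 = 'Prompt for credentials on the secure desktop'
                    3 = 'Prompt for credentials' } }
    ConsentPromptBehaviorAdmin = @{
        Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
        Values = @{ 0 = 'Elevate without prompting'
                    1 = 'Prompt for credentials on the secure desktop'
                    2 = 'Prompt for consent on the secure desktop'
                    3 = 'Prompt for credentials'
                    4 = 'Prompt for consent'
                    5 = 'Prompt for consent for non-Windows binaries' } }
    PromptOnSecureDesktop = @{
        Policy = 'Switch to the secure desktop when prompting for elevation'
        Values = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
}

function Get-UacPolicyReport {
    $props = Get-ItemProperty -Path $policyKey -ErrorAction Stop
    foreach ($name in $uacSettings.Keys) {
        $raw = $props.$name
        $map = $uacSettings[$name].Values
        $meaning = 'Not set (OS default applies)'
        if ($null -ne $raw) {
            $meaning = if ($map.ContainsKey([int]$raw)) { $map[[int]$raw] } else { 'Unrecognized value' }
        }
        [pscustomobject]@{ Policy = $uacSettings[$name].Policy; Value = $name; Raw = $raw; Meaning = $meaning }
    }
}

$report = Get-UacPolicyReport
$report | Format-Table -AutoSize

# Flag the two states the thread ran into.
if (($report | Where-Object Value -eq 'EnableLUA').Raw -eq 0) {
    Write-Warning 'Admin Approval Mode is disabled; the thread reports Store apps then fail with "This app can''t open".'
}
$compat = [Environment]::GetEnvironmentVariable('__COMPAT_LAYER', 'Machine')
if ($compat) {
    Write-Warning "Machine-wide __COMPAT_LAYER=$compat is set; every process that inherits it is affected."
}
```

For the GPO report itself, `gpresult /scope computer /h C:\gpresult.html` run from an elevated prompt includes the Computer Configuration settings, which is where the UAC policies live.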
Tuesday, June 20, 2017 3:11 AM
Hi ea001,
How about the issue? Have you tried to use Process monitor to capture the process?
Since the shortcut would work, we could use the shortcut as workaround.
Best regards