Desktop flows fail and flows can't be started due to security policy

This article provides a resolution for an issue where you can't start flows because of a security policy during UI flows execution.

Applies to:   Microsoft Dynamics CRM
Original KB number:   4564550

Symptoms

  1. When running a Flow that contains a desktop flow, it fails with the following error even though the target device has desktop flows installed.

    Could not connect to desktop flows running on your machine. Please make sure that Power Automate Desktop is installed and running.

  2. On restart (for example, device reboot), the Windows service uiflowservice fails to restart with the following error in the event viewer in Windows Logs\System with event ID 7041:

    This service account does not have the required user right "Log on as a service."

  3. When trying to start the uiflowservice manually, the start fails with the message:

    Windows could not start the UIFlowService service on Local Computer. Error 1069: The service did not start due to a logon failure.

Cause

The UI flow service (uiflowservice) isn't running on the target machine because the account used by the service hasn't been granted the Log on as a service user right, either by a manual configuration or by a domain group policy.

Resolution

Target device

  1. Make sure the UI flow service is running in the local services on the target machine.

  2. Ensure that either the UI flow service account NT SERVICE\UIFlowService or the general service account NT SERVICE\ALL SERVICES is present in the Log on as a service policy of the Local Security Policy settings.

    More details: If neither of them is present and they can't be added in the local "Log on as a service" policy, one of them will need to be added in the domain group policies (go to Domain joined server). Being unable to edit the local policy indicates that the policy is set as a group policy on the domain controller.

  3. Ensure that the service account NT SERVICE\UIFlowService and the general service account NT SERVICE\ALL SERVICES aren't present in the Deny log on as a service policy of the Local Security Policy settings.

    More details: If they can't be removed from the local "Deny log on as a service" policy, they'll need to be removed from the domain group policies (go to Domain joined server). Being unable to edit the local policy indicates that the policy is set as a group policy on the domain controller.
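
The three target-device checks above can also be scripted. The following PowerShell is an added example, not part of the original article: it assumes an elevated prompt and reads the two policies from a `secedit` user-rights export, where they appear as `SeServiceLogonRight` and `SeDenyServiceLogonRight`.

```powershell
# Added example: run from an elevated PowerShell prompt on the target device.
$serviceName = 'UIFlowService'
$accounts = "NT SERVICE\$serviceName", 'NT SERVICE\ALL SERVICES'

# secedit may list an account by name or as *SID, so resolve both forms.
$sids = @{}
foreach ($a in $accounts) {
    try {
        $sids[$a] = ([System.Security.Principal.NTAccount]$a).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Cannot resolve $a on this machine"
    }
}

# Export the user-rights assignments to a temporary file.
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Get-RightHolders([string]$Right) {
    # A right that is not defined has no line in the export.
    $line = Get-Content $cfg | Where-Object { $_ -match "^\s*$Right\s*=" } |
        Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Test-Listed($List, [string]$Account) {
    ($List -contains $Account) -or
        ($sids.ContainsKey($Account) -and ($List -contains $sids[$Account]))
}

$allow = Get-RightHolders 'SeServiceLogonRight'       # Log on as a service
$deny  = Get-RightHolders 'SeDenyServiceLogonRight'   # Deny log on as a service
Remove-Item $cfg -ErrorAction SilentlyContinue

$allowed = @($accounts | Where-Object { Test-Listed $allow $_ })
$denied  = @($accounts | Where-Object { Test-Listed $deny $_ })
$verdict = if ($denied.Count -gt 0) {
    'Remove from Deny log on as a service'
} elseif ($allowed.Count -eq 0) {
    'Add to Log on as a service'
} else { 'User rights OK' }
[pscustomobject]@{
    LogOnAsService     = $allowed -join '; '
    DenyLogOnAsService = $denied -join '; '
    Verdict            = $verdict
    ServiceStatus      = (Get-Service $serviceName -ErrorAction SilentlyContinue).Status
}
```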

Domain joined server

If your server is domain joined and either Log on as a service or Deny log on as a service policy is managed by the domain, look at the following steps on the domain controller. You might need to contact your domain administrator for the following steps:

  1. Ensure that either the UI flow service account NT SERVICE\UIFlowService or the general service account NT SERVICE\ALL SERVICES is present in the Log on as a service policy of the Group Security Policy settings.

    More details: The virtual account used by the UI flow service, "NT SERVICE\UIFlowService", is created during the installation of Power Automate Desktop (when the UI flow service is installed). If it's not present in the domain, follow this procedure for creating it on the domain controller:
    1. Install Power Automate Desktop on the domain controller.
    2. The installation doesn't need to succeed; the virtual account will be created in the domain even if you get to an error condition.
    If there's an error, check that the account "NT SERVICE\UIFlowService" has all the access required on domain controller and target server policies before canceling or aborting the installation.
    3. Now that the "NT SERVICE\UIFlowService" account is available in the domain, it can be added to the group policy settings and will be visible in the domain joined servers.
    Add "NT SERVICE\UIFlowService" to the domain group "Log on as a service" policy.
    After making sure the "NT SERVICE\UIFlowService" account is present in the appropriate group policies, you may uninstall Power Automate Desktop from the domain controller. The service is only needed on the target machine.

  2. Ensure that neither the UI flow service account NT SERVICE\UIFlowService nor the general service account NT SERVICE\ALL SERVICES is present in the Deny log on as a service policy of Group Security Policy settings.

    More details: If the account "NT SERVICE\UIFlowService" or the account "NT SERVICE\ALL SERVICES" is in the "Deny log on as a service" policy, then the domain group policy needs to be edited.