Windows 10 UAC & Store Apps like Edge

    Question

  • Is it possible to have the UAC fully off and yet use Windows Store apps like Edge?

    If I use the Windows GUI, meaning useraccountcontrolsettings.exe to turn off the UAC it doesn't really turn off.  The EnableLUA reg value at HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\system\ remains 1.  I still get prompted for file modifications to Program Files, Windows, or the Public Desktop folders.  Application install scripts that try to place files in protected locations like that will fail.

    I can use Group Policy to fully turn off the UAC but that breaks Edge and the Windows Store which is unacceptable.

    If I can't fully turn off the UAC then I have 100 or so application install scripts which will need to be re-worked to request elevation.  What's more, they will have drive mapping and working folder issues, since an elevated session does not retain network drives and changes the current directory to c:\windows\system32.

    Above and beyond the install script issue we will have problems with people running older applications that might be trying to modify protected locations.  We were able to turn off the UAC for Win 7 via GPO without incident (we skipped Win 8) so we don't have a handle on how large a problem that will be.

    I'm not seeing any good options here.  Has anyone else run across this problem?

    Friday, February 24, 2017 12:29 AM

Answers

  • For anyone else out there here's how we're working around the issue for our install scripts.  We're setting GPO to

    Elevate without prompting for admin approval mode,
    run all admins in admin approval mode: enabled, 
    only elevate from secure locations: disable

    At the beginning of the install cmd add:

    REM THIS SECTION IS FOR HANDLING WIN10 UAC ISSUES START
    set randfile="%programfiles%\UACCheck-%random%.txt"
    echo yo > %randfile%
    if exist %randfile% goto :elevated
    goto :notelevated
    :notelevated
    nircmd elevate \\DOMAIN\NETLOGON\skipUAC.cmd %~f0
    goto :eof
    :elevated
    del %randfile%
    cls
    REM THIS SECTION IS FOR HANDLING WIN10 UAC ISSUES END

    the skipUAC.cmd file consists of:

    net use r: \\fileserver\share
    FOR %%A IN (%1) DO set cmddrive=%%~dA 
    FOR %%A IN (%1) DO set cmdpath=%%~pA 
    %cmddrive% 
    cd %cmdpath%
    %1
    

    Basically what the above does is when the install cmd starts it checks to see if it is in an elevated session; if not, it calls a second script in an elevated session.  That script maps any necessary drive letters, changes the working directory to the parent folder of the original script, and re-runs the original script.  The original install cmd then is in an elevated session and proceeds with the install.

    It's convoluted but is working for us so far.

    • Marked as answer by shelt Tuesday, February 28, 2017 6:48 PM
    Tuesday, February 28, 2017 6:48 PM
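
To see what the GPO settings in the answer above leave in effect on a machine, the registry values behind them can be read back. This is an added example, not part of the original post or any Microsoft tool: it is read-only, it assumes "only elevate from secure locations" refers to the EnableSecureUIAPaths value, and EnableLinkedConnections (the value that governs whether an elevated session sees the user's mapped drives) is not mentioned in the thread.

```powershell
# Added example (not from the thread): read-only report of the UAC policy
# values behind the GPO settings discussed above. It changes nothing.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name -> meaning of each DWORD setting.
$checks = [ordered]@{
    EnableLUA = @{
        0 = 'Admin Approval Mode disabled (UAC off; Store apps and Edge will not open)'
        1 = 'Admin Approval Mode enabled'
    }
    ConsentPromptBehaviorAdmin = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    # Assumption: the value behind "only elevate from secure locations".
    EnableSecureUIAPaths = @{
        0 = 'UIAccess applications may elevate from any location'
        1 = 'UIAccess applications must be installed in secure locations'
    }
    # Not mentioned in the thread: mapped drives and the elevated token.
    EnableLinkedConnections = @{
        0 = 'Elevated session does not see the user''s mapped drives'
        1 = 'Mapped drives are shared with the elevated session'
    }
}

$props  = Get-ItemProperty -Path $key
$values = @{}
foreach ($name in $checks.Keys) {
    $p = $props.PSObject.Properties[$name]
    $values[$name] = if ($p) { [int]$p.Value } else { $null }
    $meaning = if ($null -eq $values[$name]) {
        'not set (Windows default applies)'
    } elseif ($checks[$name].ContainsKey($values[$name])) {
        $checks[$name][$values[$name]]
    } else {
        'unrecognized value'
    }
    [pscustomobject]@{ Value = $name; Data = $values[$name]; Meaning = $meaning }
}

# The combination used in the workaround: UAC stays on, but nothing asks for consent.
if ($values.EnableLUA -eq 1 -and $values.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'EnableLUA=1 with ConsentPromptBehaviorAdmin=0: elevation requests from administrator accounts succeed with no prompt.'
}
```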

All replies

  • Hi,

    >>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
    The related Group Policy setting is shown below.
    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > User Account Control: Run all administrators in Admin Approval Mode
    Disabling this policy disables the "administrator in Admin Approval Mode" user type.
    https://msdn.microsoft.com/en-us/library/cc232765.aspx?f=255&MSPPError=-2147217396
    If this policy is disabled, we will face the "This app can't open. App can't be opened using Built-in Administrator account. Sign in with a different account and try again" error message. It is by design.

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, February 27, 2017 8:17 AM
    Moderator
  • Sorry, I'm not really sure what you're asking or telling me to do.

    I know that if I enable the UAC prompt I will be able to run Store Apps such as Edge.  The question is can I fully disable the UAC prompt in all situations and still run Store applications?

    Monday, February 27, 2017 5:52 PM
  • Hi,

    >>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
    If you change this value to 0 or disable the "Run all administrators in Admin Approval Mode" policy, it will disable the "administrator in Admin Approval Mode" user type.
    https://msdn.microsoft.com/en-us/library/cc232765.aspx?f=255&MSPPError=-2147217396

    If "administrator in Admin Approval Mode" is disabled, Windows 10 built-in apps such as Edge and Store will not run well when we turn off UAC. To make sure Edge and Store work well as expected, UAC must be turned on. It is by design. So, the answer is no, you cannot turn off UAC and still run built-in apps such as Edge and Store.

    Best regards



    Tuesday, February 28, 2017 7:57 AM
    Moderator
  • Well, that is quite disappointing.  

    We rely heavily on cmd scripts that users can trigger to self serve application installs and the UAC breaks them.  Our install files are located on a network share which isn't mapped when you elevate.  Everyone is an admin of their own machines on our campus and can install anything they like - and they do.  I know that's not a best practice but it's a political fact in our environment.  Even putting aside the install issues, there will be older programs that don't get along with the UAC.  

    I understand what Microsoft is trying to do with the UAC but it just doesn't fit with a higher education computing environment.
    Tuesday, February 28, 2017 6:45 PM