Find out what does change the settings for User Account Control all the time
The settings of the UAC get changed by some app/program/process. As a result I can't open Edge, calculator, Windows store or any other Metro style app. If I try to open it I get
xxx can't be opened with the Built-in Administrator account
One time I saw the notification that I have to restart my PC so that the changes of the UAC can take affect. So that was the point where some app/program/process made a change. I found the following (possible related) entries in the event log:
The computer 'Administrator (built-in)' preference item in the 'Administrator rename and guest account {C2FB86B3-A1FD-494C-CA29-X309579E9ZCE}' Group Policy object did not apply because it failed with error code '0x80070524 The specified account already exists'. This error was suppressed.
Another interesting log is this
The Group Policy settings for the user were processed successfully. New settings from 20 Group Policy objects were detected and applied.
At this time EnableLUA
is disabled, but I can open all Metro style apps (Edge, calculator, ...). After a restart this isn't the case anymore. Now the setting EnableLUA
is working as expected.
My workaround is to set the UAC to any level, click OK and restart. Then I can open my programs again. Now I want to find out the app/program/process which is responsible for changing the UAC settings.
Working settings:
FilterAdministratorToken
: 1EnableUIADesktopToggle
: 0ConsentPromptBehaviorAdmin
: 5ConsentPromptBehaviorUser
: 3EnableInstallerDetection
: 0ValidateAdminCodeSignatures
: 0EnableSecureUIAPaths
: 1EnableLUA
: 1PromptOnSecureDesktop
: 1EnableVirtualization
: 1
Non working settings:
FilterAdministratorToken
: 1EnableUIADesktopToggle
: 0ConsentPromptBehaviorAdmin
: 0ConsentPromptBehaviorUser
: 3EnableInstallerDetection
: 0ValidateAdminCodeSignatures
: 0EnableSecureUIAPaths
: 1EnableLUA
: 0PromptOnSecureDesktop
: 1EnableVirtualization
: 1
The error messages of your eventlog point to a GPO which gets applied and sets your UAC level.
Check your GPO in Computer Configuration\Security Settings\Local Policies\Security Options
check all the settings which are described in this link: https://technet.microsoft.com/en-us/library/dd835564%28v=ws.10%29.aspx
you can see the default option for each setting on the site, compare this to you GPO. I guess Behavior of the elevation prompt for standard users
alias ConsentPromptBehaviorUser
is set to "Automatically deny elevation requests" which would only make sense if you're not administrator on your machine.
or Run all administrators in Admin Approval Mode
alias EnableLUA
is disabled. this is most of the time the case when you can't open any windows app like calculator, because since windows 10, Microsoft wants you to have UAC enabled, to use these apps.
Edit: Since we found out that EnableLUA
is disabled, we can say that's where your error occurs. Most of the time, the administrator disables UAC because he/she sees it as unnecessary, doesn't want to deploy it to Win7 and Win8.1, or doesn't really know what UAC does (so better disable it, right ;-)?). it's a must have for windows 10. So I would create a GPO which targets only windows 10 PCs with the following WMI Filter: select * from Win32_OperatingSystem where Version like "10.%"
keep in mind that the whole GPO with this Filter only gets deployed to windows 10.