Latest posts by Michael Pietroforte (see all)
- Posting ops news and competition results March–May 2017 - Wed, Jun 21 2017
- Results of the February competitions - Fri, Mar 10 2017
- 4sysops IT news and winners of the first competition - Thu, Feb 2 2017
Once upon a time, an administrator was the unchallenged ruler on a Windows computer. An administrator account had no restrictions whatsoever. These times are over. Nowadays, an administrator is not even allowed to do what every standard user can do—that is, open common apps such as Microsoft Edge. This is how far the security paranoia of recent years has brought us. Okay, as usual, I am exaggerating. But error messages like the one below don’t really make sense to me.
If you try to run Edge with a domain administrator account, you will be greeted by Microsoft’s new browser in a Spartan way:
Error message: This app can’t open. Microsoft Edge can’t be opened using the Built-in Administrator account. Sign in with a different account and try again.
This error message is actually not telling the truth. Microsoft Edge can be opened using the built-in administrator account, and there is no need to sign in with a different account and “try again.” If you are willing to jump through a few hoops, Edge runs fine with the built-in administrator account.
Some how-to bloggers who covered this topic tell you this Windows feature is actually a good thing. Running a web browser as an administrator is a no-no. The unbearable Internet Explorer Enhanced Security on Windows Server comes to mind.
However, this is not what this “feature” is all about. If you feel like it, you can run Internet Explorer (which most likely is less secure than Edge) with the built-in administrator account on a Windows 10 machine without being troubled. No, this odd behavior is just a consequence of the poorly designed User Account Control (UAC).
The problem already existed on Windows 8. By default, the built-in administrator cannot execute modern apps. The reason that many admins are now stumbling across this error message is because Edge is the first modern app that will actually be used by a wide range of users simply because it is the default web browser on Windows 10.
Actually, if you completely disable UAC, no one will be able to run these colorful toy applications. Note that you can’t completely disable UAC through the Control Panel. With the setting Never notify, UAC is still active.
To turn off all UAC settings, you have to disable the security policy User Account Control: Run all administrators in Admin Approval Mode (Computer Configuration > Policies > Windows Settings > Security > Security Options).
Completely disabling UAC
If you are looking for a bulletproof method that ensures that no user can run modern apps, this is one way to do it.
Message indicating that app can’t open while User Account Control is turned off
If you completely disable UAC, a user in the administrators group will run all applications with an administrator access token (elevated). You can verify that by opening Notepad the common way (no need to run it as an administrator) and save a file in C:\Windows. With the default settings, administrators can’t do that because common applications will be executed with a standard user access token.
We are now getting closer to the real problem. The built-in administrator account essentially runs with all UAC settings disabled. That is, all applications are executed with full admin privileges without the UAC prompt, and this would also apply to all modern apps.
In a world without security paranoia, we would trust our administrator to be careful enough not to run insecure Windows apps from the Store that install the latest computer worm on the Windows computer through a security hole that a Microsoft engineer left behind. However, because many admins don’t really know what they are doing, a popup prompt has to save the careless geek.
Thus, if you enable the policy User Account Control: Admin Approval Mode for the Built-in Administrator account (Computer Configuration > Policies > Windows Settings > Security > Security Options), the built-in administrator account can run Edge and all other Windows apps because the UAC popup now ensures that everything is perfectly secure. (Make sure you reboot the computer after you change the UAC settings.) The consequence is that, from now on, Windows will present a UAC prompt whenever you run applications that require elevation (regedit.exe, for instance).
Enabling Admin Approval Mode for the built-in administrator account
However, many admins like to log on with the domain administrator account, just so UAC prompts won’t get on their nerves. The good news is that you can turn off these UAC prompts even if Admin Approval Mode is enabled, if you now set UAC in the Control Panel to Never notify.
Setting UAC to never notify
However, the difference in the default configuration is that not all applications will be executed with administrator rights automatically. For instance, if you want to edit a file in the Windows folder, you now have to launch Notepad as an administrator (right-click).