- Poll: How reliable are ChatGPT and Bing Chat? - Tue, May 23 2023
- Pip install Boto3 - Thu, Mar 24 2022
- Install Boto3 (AWS SDK for Python) in Visual Studio Code (VS Code) on Windows - Wed, Feb 23 2022
Once upon a time, an administrator was the unchallenged ruler on a Windows computer. An administrator account had no restrictions whatsoever. These times are over. Nowadays, an administrator is not even allowed to do what every standard user can do—that is, open common apps such as Microsoft Edge. This is how far the security paranoia of recent years has brought us. Okay, as usual, I am exaggerating. But error messages like the one below don’t really make sense to me.
If you try to run Edge with a domain administrator account, you will be greeted by Microsoft’s new browser in a Spartan way:
Error message: This app can’t open. Microsoft Edge can’t be opened using the Built-in Administrator account. Sign in with a different account and try again.
This error message is actually not telling the truth. Microsoft Edge can be opened using the built-in administrator account, and there is no need to sign in with a different account and “try again.” If you are willing to jump through a few hoops, Edge runs fine with the built-in administrator account.
Some how-to bloggers who covered this topic tell you this Windows feature is actually a good thing. Running a web browser as an administrator is a no-no. The unbearable Internet Explorer Enhanced Security on Windows Server comes to mind.
However, this is not what this “feature” is all about. If you feel like it, you can run Internet Explorer (which most likely is less secure than Edge) with the built-in administrator account on a Windows 10 machine without being troubled. No, this odd behavior is just a consequence of the poorly designed User Account Control (UAC).
The problem already existed on Windows 8. By default, the built-in administrator cannot execute modern apps. The reason that many admins are now stumbling across this error message is because Edge is the first modern app that will actually be used by a wide range of users simply because it is the default web browser on Windows 10.
Actually, if you completely disable UAC, no one will be able to run these colorful toy applications. Note that you can’t completely disable UAC through the Control Panel. With the setting Never notify, UAC is still active.
To turn off all UAC settings, you have to disable the security policy User Account Control: Run all administrators in Admin Approval Mode (Computer Configuration > Policies > Windows Settings > Security > Security Options).
Completely disabling UAC
If you are looking for a bulletproof method that ensures that no user can run modern apps, this is one way to do it.
Message indicating that app can’t open while User Account Control is turned off
If you completely disable UAC, a user in the administrators group will run all applications with an administrator access token (elevated). You can verify that by opening Notepad the common way (no need to run it as an administrator) and save a file in C:\Windows. With the default settings, administrators can’t do that because common applications will be executed with a standard user access token.
We are now getting closer to the real problem. The built-in administrator account essentially runs with all UAC settings disabled. That is, all applications are executed with full admin privileges without the UAC prompt, and this would also apply to all modern apps.
In a world without security paranoia, we would trust our administrator to be careful enough not to run insecure Windows apps from the Store that install the latest computer worm on the Windows computer through a security hole that a Microsoft engineer left behind. However, because many admins don’t really know what they are doing, a popup prompt has to save the careless geek.
Thus, if you enable the policy User Account Control: Admin Approval Mode for the Built-in Administrator account (Computer Configuration > Policies > Windows Settings > Security > Security Options), the built-in administrator account can run Edge and all other Windows apps because the UAC popup now ensures that everything is perfectly secure. (Make sure you reboot the computer after you change the UAC settings.) The consequence is that, from now on, Windows will present a UAC prompt whenever you run applications that require elevation (regedit.exe, for instance).
Enabling Admin Approval Mode for the built-in administrator account
However, many admins like to log on with the domain administrator account, just so UAC prompts won’t get on their nerves. The good news is that you can turn off these UAC prompts even if Admin Approval Mode is enabled, if you now set UAC in the Control Panel to Never notify.
Setting UAC to never notify
However, the difference in the default configuration is that not all applications will be executed with administrator rights automatically. For instance, if you want to edit a file in the Windows folder, you now have to launch Notepad as an administrator (right-click).
Read the latest IT news and community updates!
Join our IT community and read articles without ads!
Do you want to write for 4sysops? We are looking for new authors.
Hi Michael
As group policy is not available in Windows 10 Home.
I did some registry changes instead.
1) Different solution without disabling UAC:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System FilterAdministratorToken 0 Default 1 enabled Change to 1
Also this method, from the following website
http://www.askvg.com/tip-disable-microsoft-account-sign-in-requirement-in-windows-8-1-store-apps/
Use Method 2.
It’s about Windows 8, but I can confirm, that apps open up in the admin profile.
Regards
Hey Andre!
Your method worked for me in Windows 10. I couldn’t run any damn app on the Home license. Followed your steps. I had to create the DWORD (32-bit) value for ‘FilterAdministratorToken’ and put the value 1. Restarted and it worked! Thanks so much, brother.
Ankush — your extra details make Andre’s regedit work. — Thanks
Thanks to both Michael and Andre. Great info. I sort of get why they might want to restrict edge but doing so to ALL metro apps on the Administrator account is overkill, and it’s not just the “built in” account as the message states, it does this when I’m logged in using my domain Administrator account. The final straw was when I could not even look at Windows defender when logged in as Admin, the info in this article and it’s comments helped me fix that.
It is not only overkill, it also shows that the entire concept has not been thought through. If those modern apps are supposed to replace desktop applications in the long run, how will ever be able to run management apps? Or is Microsoft seriously considering to continue with this hodgepodge of apps?
Thanks. That worked for me, also.
Thaaaaaank you! So many people claimed to have a solution but never explained it in detail so my problem was never solved. Your explanation was comprehensive so, again thanx!
Best Answer
Andre, thanks! You right, you can’t use Group Policy editor on Windows 10 Home. But I think the article you linked is about another topic. It is about using Windows apps without Microsoft account.
Michael, Yes, but these tweaks, allow me to run Edge, in the built in admin account.
I’d post a screenshot, but no can do.
Hi Andre, what should I do if these tweaks still don’t work for me? I still get the same #$%@! error message about not being able to run MS Edge using Built-In Administrator account. Running latest version of Win 10 Pro, Build 10586.14. I noticed that lowering the access level to “User” does allow an account to run MS Edge. But Administrator or Power User doesn’t. Thanks.
Hi Andre, please ignore/delete my earlier message. For some unknown reason, after multiple reboots MS Edge is now running for user accounts set to Administrator.
Sorry, spoke too soon, still having the same trouble with MS Edge (after rebooting) as explained in my first message.
If your system doesn’t have the “Group Policy Management Console” aka gpmc.msc (my Win10 Pro doesn’t), you can use “Local Security Policy” aka secpol.msc and navigate to Security Settings – Local Policies – Security Options.
However what saddens me that there seems to be no way to run all apps as admin by default, including Metro apps (Edge, Settings) and without a prompt.
The msc for the Local Group Policy Editor, which is available in Win 10 Pro, is gpedit.msc
I need to leave uac disabled in order to run one of my software programs. How do i go about opening edge and other apps, Do I have to make another user account?
Joe
joe, did you try to run this application in compatibility mode with UAC turned on?
yes, Does not work.
thanks
Same as Joe. It doesn’t work even for me. Caught in a loop. If I disable UAC, my application works but builtin apps fail. If I enable UAC, builtin apps work but my application doesn’t. 🙁
@Joe, Arun
I guess the application requires administrator rights? One thing you should seriously consider is to replace this application with a new one that supports UAC.
I couldn’t get anything to work.. fingerprint scanner… apps, Edge… then realized that I was logged in with my mobile Microsoft account!!! I logged out of that.. and into my Home account.. BAM!!!! EVERYTHING works!!!!.. apps, fingerprint scanner, Edge… so before you go and try all these registry edits and policy changes… make sure you are logged in to your computer with your HOME account…
Okay, I read everything….made sense. Tried to go to the Editor, but I can’t as an administrator. Tried to create another account, but I can’t do that either. So, now a relatively easy and logical fix becomes another frustration. Any ideas?
If you can’t create a new user account, you are probably not logged on with an administrator account.
I only have an administrator account on this laptop. When I try to create a new user account, I also get the message that I cannot open this app as an administrator and to create a new user account. Locked in the loop.
You have to use the desktop app to create a new user account. Right-click Start and then run Computer Management.
Under Comp Management, there is nothing like ‘Local Users and Groups’ as an option to create a new user. Am I missing something simple here? I have searched for all the files and so far no success. I do appreciate your patience.
Right-click the Users folder. You should then see “New User” in the context menu.
This is quote from another user with my problem: “Just converted from 8.1 to 10 and cannot enable guest or other users. Tried all suggestions I found from searching internet and none work. Seem like I need to get at local users and groups in computer management but they don’t show up as a menu item. Some info I’ve seen says I need to run gpedit.msc, but that is not in Win 10 home version…. Got to be a way to get them back. Control panel/users only shows my account.”
There is absolutely nothing with the word User or anything close to right click on….it simply does not exist. There is no category for either User or Groups….nothing.
Menu for Comp Management: System Tools >Task Scheduler, Event Viewer, Shared Folders, Performance, Device Manager. Storage >Disk Management. Services and Applications >Services, WMI Control, Message Queuing.
Yes, the Home edition doesn’t have the user management feature in the Computer Management app. In that case you have to add a new user on the command prompt: Right-click Start and select Command Prompt (Admin). Then you can add a new user with this command:
net user username password /add
To add this user to the Administrators group, you need this command:
net localgroup administrators username /add
Thank you. It seems the Home Edition is not very user friendly compared to the Pro version, which is ‘buggy’ in it’s own right. I hope MS decides to construct a fix for these problems. I now have a local user account, but it feels like a ‘bandaid’ and not a true ‘fix.’
Thank you andre
I was looking for a solution without disabling UAC.
Your solution “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System FilterAdministratorToken 0 Default 1 enabled Change to 1″ solved my problem. Thank you I’ll write it down to use in every machine.
Hey Folks, So here is my situation:
Computer is on domain
I have a test user account (not set admin anywhere), lets call it Test
I have a Local Admin on the domain account, Lets call it Ladmin
I have Windows 10 installed on this machine
I have User Account Control: Admin Approval Mode for the Built-in Administrator account Set to Enabled
With Ladmin, I cannot run Edge. I cannot run Calc.exe.
With Test, I can run Edge, I can run Calc.exe.
If I set Test to admin using Users and Groups on the local machine, it can no longer run edge nor calc.exe.
Help?
Also a Note: I did the regedit change mentioned above
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System FilterAdministratorToken 0 Default 1 enabled Change to 1
Ok, for some reason (separate issue i guess) UAC keeps turning off automatically. I thought I had resolved that already.
One I turned UAC back on, it now works.
First, thanks so much for the explanation and fix! Before these changes, I couldn’t open edge, the OneNote Windows app or anything, now everything opens fine.
But… I was just wondering what would happen if I disabled “User Account Control: Admin approval Mode…” So I disabled it and restarted. Guess what, everything still opens and works fine. While i’m okay with this, I am wondering why it’s possible?
Something I did notice, when I went to enable UAC:Admin… the first time, it WASN’T disabled by default. In fact, neither of the circles were selected. Now that I have selected one of the options, there’s no way to go back an select neither. Just wondering if anyone else has encountered this behavior.
Woot. between the main article and the first few comments, I was able to get this issue resolved.
Thanks folks!
I hate to be a party-pooper but if someone could round up all the trials that did not works and the ones that did and distill it down to a single sure fire method to fix Windows 10 Pro I would appreciate it. I got lost after the 3rd or 4th effort to do something that also did not work?
UAC is on never notify but that is the only thing I went through after reading to the 8th post I figured better wait for the final judgement call. 🙂
thanks. my problem was solved.