- Pip install Boto3 - Thu, Mar 24 2022
- Install Boto3 (AWS SDK for Python) in Visual Studio Code (VS Code) on Windows - Wed, Feb 23 2022
- Automatically mount an NVMe EBS volume in an EC2 Linux instance using fstab - Mon, Feb 21 2022
Once upon a time, an administrator was the unchallenged ruler on a Windows computer. An administrator account had no restrictions whatsoever. These times are over. Nowadays, an administrator is not even allowed to do what every standard user can do—that is, open common apps such as Microsoft Edge. This is how far the security paranoia of recent years has brought us. Okay, as usual, I am exaggerating. But error messages like the one below don’t really make sense to me.
If you try to run Edge with a domain administrator account, you will be greeted by Microsoft’s new browser in a Spartan way:
Error message: This app can’t open. Microsoft Edge can’t be opened using the Built-in Administrator account. Sign in with a different account and try again.
This error message is actually not telling the truth. Microsoft Edge can be opened using the built-in administrator account, and there is no need to sign in with a different account and “try again.” If you are willing to jump through a few hoops, Edge runs fine with the built-in administrator account.
Some how-to bloggers who covered this topic tell you this Windows feature is actually a good thing. Running a web browser as an administrator is a no-no. The unbearable Internet Explorer Enhanced Security on Windows Server comes to mind.
However, this is not what this “feature” is all about. If you feel like it, you can run Internet Explorer (which most likely is less secure than Edge) with the built-in administrator account on a Windows 10 machine without being troubled. No, this odd behavior is just a consequence of the poorly designed User Account Control (UAC).
The problem already existed on Windows 8. By default, the built-in administrator cannot execute modern apps. The reason that many admins are now stumbling across this error message is because Edge is the first modern app that will actually be used by a wide range of users simply because it is the default web browser on Windows 10.
Actually, if you completely disable UAC, no one will be able to run these colorful toy applications. Note that you can’t completely disable UAC through the Control Panel. With the setting Never notify, UAC is still active.
To turn off all UAC settings, you have to disable the security policy User Account Control: Run all administrators in Admin Approval Mode (Computer Configuration > Policies > Windows Settings > Security > Security Options).
Completely disabling UAC
If you are looking for a bulletproof method that ensures that no user can run modern apps, this is one way to do it.
Message indicating that app can’t open while User Account Control is turned off
If you completely disable UAC, a user in the administrators group will run all applications with an administrator access token (elevated). You can verify that by opening Notepad the common way (no need to run it as an administrator) and save a file in C:\Windows. With the default settings, administrators can’t do that because common applications will be executed with a standard user access token.
We are now getting closer to the real problem. The built-in administrator account essentially runs with all UAC settings disabled. That is, all applications are executed with full admin privileges without the UAC prompt, and this would also apply to all modern apps.
In a world without security paranoia, we would trust our administrator to be careful enough not to run insecure Windows apps from the Store that install the latest computer worm on the Windows computer through a security hole that a Microsoft engineer left behind. However, because many admins don’t really know what they are doing, a popup prompt has to save the careless geek.
Thus, if you enable the policy User Account Control: Admin Approval Mode for the Built-in Administrator account (Computer Configuration > Policies > Windows Settings > Security > Security Options), the built-in administrator account can run Edge and all other Windows apps because the UAC popup now ensures that everything is perfectly secure. (Make sure you reboot the computer after you change the UAC settings.) The consequence is that, from now on, Windows will present a UAC prompt whenever you run applications that require elevation (regedit.exe, for instance).
Enabling Admin Approval Mode for the built-in administrator account
However, many admins like to log on with the domain administrator account, just so UAC prompts won’t get on their nerves. The good news is that you can turn off these UAC prompts even if Admin Approval Mode is enabled, if you now set UAC in the Control Panel to Never notify.
Setting UAC to never notify
However, the difference in the default configuration is that not all applications will be executed with administrator rights automatically. For instance, if you want to edit a file in the Windows folder, you now have to launch Notepad as an administrator (right-click).
Want to write for 4sysops? We are looking for new authors.
Hi, I cannot make this work in Win 10 Pro. I have Never Notify set in UAC, then the appropriate disable/enable policies through gpedit.msc. I have placed a photo on my company’s website so you can view what settings are present in gpedit.msc:
Would appreciate your review and suggestions.
Chris, did you reboot the computer after you changed the UAC settings? I forgot to mention this in the blog post. I just added this now.
I did, without success. Another symptom, which I don’t know would help isolate the issue, is that I got a similar message when I tried to install a new “app” (this is a desktop, geez Microsoft) to handle LaTeX (.tex) files. Thanks again!
Do you have this problem with the built-in administrator account or with a normal account with admin rights?
It is the builtin account. Actually, I have found the problem, because your mention of the Registry in the blog reminded me: I have disabled UAC through the Registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA=0).
This caused no side effects in Win7, but does cause the symptoms I’m describing, plus it even disables the GAMES that come with Win10!
When I set the value to 1, everything works as you describe. However, I find I have to leave it off (and why I turned it off in the first place), because anything that has administrative privileges in the Startup folder WILL NOT LOAD. I have an administrative cmd prompt, the goscreen virtual display manager, the Hot Keyboard macro utility, and others. These programs all seem to need administrative mode to run properly, and Win10 seems to think it’s helping me out by not loading them for me.
Unless/until the programs I use are updated to be 100% compatible with Win10, I guess I have to leave it off. Or I could decide to create my own user account with admin privileges, but I’m takin’ a stand – it’s my machine and I want to run it like a boss with the builtin account, dammit 😉
PS #1: Sorry this is not a “reply” to your post, the browser glitched and erased my first attempt at the last reply, and so I started typing into the text box without realizing it had reset the text box as well.
PS #2: When I went to get a LaTeX “app” in the “app store”, there was no free app suggested by Microsoft to handle .tex files 🙁
Maybe you just have to run these applications in compatibility mode or automatically run them as administrator: Right-click the application > select properties > go to the Compatibility tab.
I have the same problem; except I need EnableLUA=0 to allow drag-and-drop from file explorer into programs running as administrator.
Agreed, forgot about that! At least in Vista you could copy as path and paste it into the prompt, but I don’t believe that works anymore either. For those of us that use the cmd prompt to speed up their daily operations, it’s definitely a step backwards.
In case this was solely an issue with the “built-in Administrator”, I created a new user with admin privileges. With EnableLUA=0, I still got complaints about apps not available to the built-in administrator account – hello, it’s not the built-in account anymore!
So unless someone has magic workarounds (please publish them if you do!), withOUT EnableLUA=0, you can’t
– Drop executables into an elevated command prompt to start them
– Start programs with “run as Administator” from the Startup folder
However, WITH EnableLUA=0, you can’t
– Find “apps” from the Microsoft “Store” online
– Play Win10 games (are they that vulnerable?)
– Run Edge or any other modern app, as stated in the Michael’s original blog post.
Personally, I view all this as a weakness in Win10. To have important features that allow me to be as productive as I can, I have to disable protections that could be important behind the scenes!
Standard user can’t install anything. Administrator can’t open some files. Brilliant. What a POS.
Here’s my problem. I have win10 home, and the problem is when I try to run an app from the windows store from any account, not the builtin administrator account, it says app can’t open. I tried disabling UAC and reinabling it again, even setting the slider to always notify in control panel in the user accounts area. Still no luck. Tried making another account to run apps as a standard account. It worked fine. Then I changed it to anministrator account and had problems. Any help would be appreciated. Thanks!
You mean whenever you add a standard account to the administrators group, this user can’t open Windows apps? It is very likely that it is a UAC issue. What happens when you open a desktop app that requires admin privileges (like regedit). Do you see a UAC prompt?
Yes, there is a UAC prompt. But I have the slider set to 0 and completely disabled UAC and still get this problem. I’m not sure what it is, is there something else I need to do in the home adision to get this fixed? I’m not all the good with registry and could really use more computer help as I’m not really all that good with them anyways
Problem, no UAC, great can create documents on “C”, however can’t use W10 apps…, yes UAC, can use W10 apps, however can’t creat on “C”… funny situation.. any suggetion?
I have a windows 10 home 10586.494, bought it in april, edge worked fine until now, cant open using the built in administrator account error message, is there a way to fix this, if so can you explain it to me please, julie
Julie, as explained in the article, you have to modify the UAC settings. However, I recommend using a standard user account for browsing the web.
Thanks dude. I see many articles on that theme, but you only one who explain why is this happening.
I had modified the policy as you mentioned here, and all was fine… until the Win10 Anniversary update. The update has reverted my Domain Admin back to lowly user. Now, following these instructions [again] I cannot give my Admin account the elevated rights he needs. What did “they” change this time, and now how do I go about changing the policy to elevate the Admin again?
I just tried it now on Windows 10 1607 (Anniversary Update) and it worked. Are you sure that you configured the policy for the built-in administrator? I first made the mistake to configure Admin Approval Mode for all administrators and this doesn’t work. To verify that UAC is configured correctly, you can launch Regedit with the local built-in administrator or with the built-in domain administrator account. If you see a UAC prompt, UAC is configured correctly and you can also open Edge. If you don’t see a UAC prompt, Admin Approval Mode is not enabled for the built-in administrator and you can’t launch Edge.
but my error is stable on win 10 !:(
Carefully check your UAC settings as described in the article. Best way to test if your settings are correct, is to open regedit with the built-in administrator account. If you don’t see a UAC prompt, you didn’t configure UAC correctly.
Once I move the slider down it will automatically move back to the top. If I go into the registry and change the value from 0 to 1 I will not have the drop n drag feature anymore.
As mentioned in the article, moving the slider is not the solution to the problem. You have to enable the Admin Approval Mode for the Built-in Administrator account. What kind of drag and drop does not work anymore?
here’s my problem; I got my computer not too long ago and about after a week of getting it, it began to tell me that certain apps could not be opened with the built in admin account. I went to a place and they did a reset of the computer and it started working again however after a day of working properly it stopped working. I’ve been reading the comments , trying to do what everyone is saying however none of the solutions seem to be able to help me. for example for the solution with the HOTKEY , I connot find a Filter Adminisrator Token. for the one with the Command line IU, none of the commands work for me including the one that was recommended to me by the system. Whenever I go into my settings to create a new accound for it to be switched to, it does not open anything for me to do so. I would really like to find a way to fix this problem, PLEASE HELP ME!!!
You need to create the HOTKEY. Navigate to where it’s suppose to be and then right click, select new–>DWORD (32bit) and name it FilterAdminisratorToken with a value of 1. Reboot, then you should be fine.
For some reason, the instructions didn’t work for me. My domain users were still getting the built-in administrator error. Even though we are running Windows 10 Pro, the registry hack for the Home addition worked! I used group policy to push it to my machines and now my clients can be admins of their machines and not have issues running programs, install/uninstall programs etc.
Domain users, shouldn’t see this error message even if they are in the domain admin group. You probably disabled UAC altogether. In that case, nobody can use Windows apps as described in the article.
I just updated to the Windows 10 anniversary update (cumulative 1607) and set UAC to default. Now my account works normally, and I can open Edge.
Before that, I did have some adware somehow (fresh upgrade from 8 to 10), but removed them with AdwCleaner and Malwarebytes Anti-Malware. I assume the adware set my UAC to disabled, since it is not the default setting.
I don’t think that the Anniversary Update brought any changes with regard to this issue. You either didn’t log on with the built-in administrator account or you still have admin approvable mode enabled for the built-in admin.
We have found that we need to enable “User Account Control: Run all administrators in Admin Approval Mode” (EnableLUA in the registry) as well as “User Account Control: Use Admin Approval Mode for the built-in Administrator account” (FilterAdministratorToken in the registry) to use these applications in Windows 10. We did this by running a script to modify both registries like Andre mentioned. “EnableLUA” and “FilterAdministratorToken” should be set to 1 (Enabled). They are in the same directory in the registry. After a reboot, it should work for you.
Adding the FilterAdministratorToken and changing the value to 1 allows me to open Edge as the built-in administrator on Win10 Home but it doesn’t allow me Internet access. My Internet access is via a server on the ethernet port. When I switch back to User, I immediately get Internet. When I switch to Administrator I get ‘No Internet connection’.
It will have to be a registry entry/edit as you can’t open group policies or security policies on Win10 Home.
Sounds odd. When you log on as Administrator can you ping external sites? Try this:
If not, then it is not a a browser problem. If you receive replies, then it could be a proxy setting. Maybe there is a HTTP proxy configured for the user account, but not for the Administrator?
Hi Michael. Yes, it was a proxy issue. All running smoothly now. Thank you so much for your article and your response to my comment.
I am glad it helped. 🙂
Hello, just a small question to this and thanks for the info by the way. I currently have UAC completely off (as displayed in the OP). And thus, I cannot use the calculator for example. Is there any way to be able to run all these Apps AND have UAC completely off (registry)? Perhaps tricking Windows it’s still there or something. That or do you know any nice 3rd party calculator I can use in place of the default one? 😀 Windows 10 64-bit here btw.
As far as I know, UAC has to be enabled if you want to work with modern apps. There are many free desktop calculators. Just google it.
I see, thanks a lot for the quick reply!
I say: why bother? use Chrome or Firefox. it’s the first thing I load with other utilities using Ninite. I’m so sick of MS telling me what I can and can’t do “for my own good”. Every new version of Windows brings some new level of idiocy that’s unexplainable. Ever try saving a page in Edge… can’t be done. Ever try opening banking or medical websites in Edge.. total fail. and, no, I don’t want to “give it a try” so don’t make me answer another stupid question when I change my default browser!
MS should stick with doing a solid OS and leave the rest to others.
It’s almost like Microsoft doesn’t want people to enjoy using Windows. Like when they replaced the ‘Start’ menu, with the ‘Stop’ menu in Windows 8 (as in ‘we’re going to change everything, and then hide a bunch stuff in a way that if you actually find it it’s still all different, and then we’ll give you no option to go back to what you’re familiar with, so that you will Stop using Windows, because we hate having to deal with customers as they just don’t know how to use our computers they bought for us to run our masterpiece of stupidity‘)
Like here, wouldn’t it have been much easier and simpler to associate a lower privileged ‘normaluser’ account to the admin account, and automatically do like ‘runas /user:normaluser’ when you launch things like Edge? We’d then never need the spaghetti of settings, as every setting is a security whole waiting to be exploited. uhg.
Removing the Start menu was a good thing. The Start screen was just poorly designed. I love the “Start screen” on OS X (Launchpad). The fact that Microsoft brought back the Start menu in Windows 10 shows that Redmond is actually doing the opposite to what you are claiming. They “listen to customers” and give them whatever the customers believe makes them happy. And this is Microsoft’s main problem. In the days where Microsoft was growing rapidly they didn’t listen to anyone except to the instincts of their leaders.
The problems with Edge and the Modern apps in general come from the same source. Ballmer was very much afraid of Steve Job’s post PC blah blah. So he wanted to bring Windows on tablets as fast as possible. He forced his engineers to reinvent Windows in a very short time. The poorly designed Modern apps are the result. If Ballmer would have been a good leader and didn’t always just listen to what customers want, Microsoft wouldn’t have got into in this trouble in the first place.
Apple could become a serious competitor because their leader didn’t listen to customers and just told them what they really want. You could say that the Edge problem exists because Jobs succeeded with his deliberate scare-mongering post PC talk which forced Ballmer into making so many big mistakes.
“Running a web browser as an administrator is a no-no” This cannot be the reason. The first user you create wil be a local admin, and wil run a web browser. They where just to lazy to protect the browser interaction with Windows itself (where they should’ve protected the user instead), and put some nonesense quick and dirty fix in there instead. Users with local admin rights will not be protected by this at all
Yes, it is not the reason as I mentioned in the article. The reason is that Modern apps are designed like mobile apps. When you run an app on your Android phone you don’t run it as root. The problem is that Windows machines also run in corporate environments and need to be managed by administrators. Mobile devices were not designed for this. When Microsoft tried to force the mobile paradigm onto desktop computers all these problems came up.
The UAC problem is not the only problem. Modern apps are hard to manage for admins. Microsoft now tries to fix all these issues. It remains to be seen if these two very different systems really fit together.
Wow, this article took off, since it I started it.
I was following it, but stopped getting notifications, any ideas as to why, Michael?
You are still subscribed to notifications. Maybe the emails are in your spam folder?
i received this one.
strange, but it’s working again.
I wanted to add what worked for me on Windows 10 Pro. Enabling “Admin Approval Mode for Built-In…” did not let me use MS Edge, but enabling “run all administrators in Admin Approval Mode” did.
I’m running Win pro 10 in domain environment and all I did was change UAC bar up one level from never notify and now apps work fine as domain admin or built in admin. No regedit needed. FYI.
You mean your UAC setting is “Notify me only when apps try to make changes to my Computer…”? This doesn’t work. I just tried it now on a Windows 10 Pro domain with the domain admin account. Perhaps someone else enabled admin approval mode for the built-in admin?