Q: Enabling User Account Control

• Domain joined computers running Windows 8.1 and Windows 10 may receive the error “This app can’t open for Built-in Administrator account” when trying to run Universal “Modern” Apps such as Edge Browser, Calculator, Microsoft Store, Weather App, etc.:
  

Context

• This issue is occurring because these apps require User Account Control (UAC) to be enabled due to Application Sandboxing.  By default UAC is disabled at the root level of the WIN domain due to current compatibility issues with MIT Kerberos for Windows.
• This fix is applied via a group policy object and must be performed by an IT technician with the appropriate permissions to the GPO.
• Important! If you are using SAP you will need to apply an environmental variable change first. Once this change is in place the UAC can be enabled in the case where MIT’s Kerberos for Windows was only used for access to SAP.

Answer

1. Access the related Organization Unit GPO through Group Policy Management Console.  This is done through Citrix under the WIN Container Admin Tools.  https://mv-ezproxy-com.ezproxyberklee.flo.org/Citrix/XenApp/auth/login.aspx

1. Once you locate your related GPO right click and select edit
2. Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options/
3. Set the parameter User Account Control: Run all administrators in Admin Approval Mode to Enabled.
   
   
4. Please Note:  This change will enable UAC for all computers in the OU including Windows 7 computers.  Users will experience additional approval prompts with UAC enabled.
5. A reboot will be required after the policy is applied (either with a gpupdate /force or wait 120 minutes).

See Also

• WIN.MIT.EDU Landing Page