What issues might we run into enabling UAC when we start our migration to Windows 10?
We're starting to prepare for Windows 10. One of the things we've
done in Windows 7 is to disable UAC through AD policy. This seems to be
problematic in Windows 10 because of the Windows Store apps - users
can't access silly things like their calculator with UAC disabled. I
don't have my hands in AD, so I don't know if there is a better way to
resolve this, but if we re-enable UAC, what do I need to know/watch out
for with my KACE appliances? I've found some individual articles with
little references to UAC, (example here) but nothing compiled... any help?
1 Comment
[ + ] Show comment
Answers (5)
Please log in to answer
Posted by:
Pressanykey
8 years ago
Hi,
another possibility is looking into the various options of automated Win 10 readiness checks. This *is not* a silver bullet, but will however give you a very good heads-up on possible issues that various applications that you run might have. We offer such a solution which you can have a look at here...
Phil
another possibility is looking into the various options of automated Win 10 readiness checks. This *is not* a silver bullet, but will however give you a very good heads-up on possible issues that various applications that you run might have. We offer such a solution which you can have a look at here...
Phil
Posted by:
Pressanykey
8 years ago
Hi Sarah,
I can't comment on your answer, so I'll have to open a new answer...
You can "wrap" appx-apps in MSI's for machine deployment (our tool does this) AFAIK SCCM does this as well to allow deployment per machine as well. You can also go down the "hard way" and wrap them in power-shell. Did you see my comment about sending you a pdf document?
Phil
I can't comment on your answer, so I'll have to open a new answer...
You can "wrap" appx-apps in MSI's for machine deployment (our tool does this) AFAIK SCCM does this as well to allow deployment per machine as well. You can also go down the "hard way" and wrap them in power-shell. Did you see my comment about sending you a pdf document?
Phil
Comments:
-
I attended a RayPack session at DWUF 2015 - looked like a neat product (I'm on one of the mailing lists). Complete tangent for a moment, though: one of the things we're running into with KACE in general, as much as I have loved our appliances and the things we can do with them, is how many other little things we need to have at our disposal in order to make automation work (lots of free downloadable tools, but I need a separate database just to track the little tools).
Part of my frustration with UAC (more specifically, that we're just now having to figure out dealing with it) is that we've had how many years of Windows 7 to work all this out and it isn't until our hands are tied that we're going to reinvestigate the issues involved (since we can't find a workaround anymore). I'm not a fan of playing catch-up... - sarahmurray 8 years ago-
Then let me know how to send the document that I have, it will be a start.. - Pressanykey 8 years ago
Posted by:
apptopack
8 years ago
If you want your applications to work with UAC enabled, then Microsoft Application compatibility toolkit (ACT) is good to suppress it through Shims.
Posted by:
sarahmurray
8 years ago
Let me clarify this question a little, since I started it off poorly: I'm more concerned with the move to enabling UAC than the migration to Windows 10. How will this impact Distribution and Scripting? Does the KACE agent inventory normally with UAC enabled? What else am I failing to anticipate?
Posted by:
Pressanykey
8 years ago
Hi Sarah,
UAC is not just about restricting access to certain things, or pseudo "hardening" of the OS, but also affects things like how an application works in regards to the file and registry system due to the pseudo virtualisation. You'd have to ensure that your current Win7 apps work with UAC enabled on your current OS before migrating and that's just the tip of the iceberg. Could you be a bit more precise on what specific aspects you are looking at? Just the deplyoment of the OS, standard settings, windows store (appx) apps etc.
Cheers
Phil
UAC is not just about restricting access to certain things, or pseudo "hardening" of the OS, but also affects things like how an application works in regards to the file and registry system due to the pseudo virtualisation. You'd have to ensure that your current Win7 apps work with UAC enabled on your current OS before migrating and that's just the tip of the iceberg. Could you be a bit more precise on what specific aspects you are looking at? Just the deplyoment of the OS, standard settings, windows store (appx) apps etc.
Cheers
Phil
Comments:
-
Even just a list of things to watch out for, like making sure Windows 7 apps work with it enabled. Back when we did have it enabled, all I remember is users finding it annoying, but that was also pre-KACE - we didn't deploy much or push out patches or anything. I was just hoping to get some feedback on what to expect from people that are working with (or around) UAC already.
My inquiry has less to do with the OS than it does the function of the KACE appliances. Scripting? Managed installs? Am I worrying for nothing? Our domain admin said we disabled UAC years ago for KACE (before I got involved with our K1000), but he doesn't remember why, specifically... I'm expecting to find out fairly quickly, but I was hoping another ninja could spare me the headache. - sarahmurray 8 years ago-
Hi Sarah,
a few years ago I prepared training / white papers for migrating to Vista / Win 7. If you can give me a email address (your_mail dot wherever dot org) I'll send you it. - Pressanykey 8 years ago
-
UAC disabled? Migrating to enabled - one moment, lmfao, your going to hate your life when that starts.
PressAnyKey is correct, you should get your apps working in Windows 7 with UAC on before attempting to migrate to Window 10. It will be easier to troubleshoot in a known environment without the complications of an unknown o/s.
The other approach is to install each app on Windows 10 and test for UAC issue.
On a side note, I *highly* recommend you use UAC, otherwise you're basically converting Windows 10 back to the stone-age of Windows XP security with NTFS. - rileyz 8 years ago-
I do not disagree with any of your above points: I am going to hate my life (I appreciate your words of encouragement, though); it would be much easier to troubleshoot in a known environment (I'm bracing myself to propose the change sooner than later); and yes, we should be using UAC (inheriting, here). - sarahmurray 8 years ago
-
Could just create a new AD OU and move one computer object there to test with UAC Enabled. Turn on the Windows 7 box and see what explodes?
Most of your issues with UAC will be caused by legacy apps which were pre or written around when Windows 7 was released.
Most modern (not referring to Windows Store apps) are written to handle UAC now. - rileyz 8 years ago
-
Hi Rileyz,
Is UAC *really* an improvement? IMHO not really, it causes more problems than it solves. If you've got good locked-down environment, you provide the require relaxations that an app requires to operate in the package (these of course defined) then UAC is not required. In my opinion, UAC for for the end users that just always used the "admin" account, and for them nothing has changed, they just have to do a few more clicks... - Pressanykey 8 years ago-
I don't think Microsoft is going to give us a choice with Windows 10... RE: apps...? - sarahmurray 8 years ago
FYI, I've removed / hidden your double posting of this - Pressanykey 8 years ago