UAC blocking Microsoft Management Console [mmc.exe]

%3CLINGO-SUB%20id%3D%22lingo-sub-1280778%22%20slang%3D%22en-US%22%3EUAC%20blocking%20Microsoft%20Management%20Console%20%5Bmmc.exe%5D%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1280778%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%20first%20of%20all%20to%20start%20with%20the%20preface%3A%20Windows%2010%20Pro%20Version%202004%20(OS%20Build%2019041.172)%20-%20using%20an%20account%20that%20belongs%20to%20the%20administrator%20group....%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20I%20try%20to%20open%20the%20(running%20as%20an%20administrator)%20mmc.exe%20or%20any%20derivative%2C%20i.e.%20local%20security%20policy%20manager%2C%20device%20manager.%20UAC%20blocks%20the%20app%20from%20running%20with%20the%20error%20%22An%20administrator%20has%20blocked%20you%20from%20running%20this%20app.%20For%20more%20information%2C%20contact%20the%20administrator.%22%20The%20only%20way%20to%20open%20the%20apps%20is%20to%20run%20them%20using%20an%20administrative%20command%20prompt.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20anyone%20has%20any%20help%20that%20they%20can%20offer%2C%20or%20any%20questions%20would%20be%20greatly%20appreciated%3C%2FP%3E%3CP%3EThank%20you%2C%20Teylor%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1285578%22%20slang%3D%22en-US%22%3ERe%3A%20UAC%20blocking%20Microsoft%20Management%20Console%20%5Bmmc.exe%5D%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1285578%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F373855%22%20target%3D%22_blank%22%3E%40Teylor%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20by%20design.%26nbsp%3B%20Being%20in%20the%20%22Administrators%22%20group%20is%20not%20the%20same%20as%20being%20THE%20Administrator.%26nbsp%3B%20When%20you%20%22run%20as%20Administrator%22%20you%20are%20elevating%20to%20Ring%200%2C%20which%20has%20access%20to%20privileged%20areas%20of%20the%20OS.%26nbsp%3B%20This%20is%20a%20security%20measure%20to%20prevent%20accidental%20access.%26nbsp%3B%20Here's%20an%20%5Bold%20but%20correct%5D%20article%20that%20should%20help.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fmrsnrub%2F2010%2F08%2F06%2Fuser-account-control-but-im-an-admin%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Fmrsnrub%2F2010%2F08%2F06%2Fuser-account-control-but-im-an-admin%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-Eddie%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1288249%22%20slang%3D%22en-US%22%3ERe%3A%20UAC%20blocking%20Microsoft%20Management%20Console%20%5Bmmc.exe%5D%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1288249%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F88264%22%20target%3D%22_blank%22%3E%40Eddie%20Leonard%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20what%20you%20are%20saying%20is%20that%20I%20shouldn't%20be%20able%20to%20access%20device%20manager%2C%20disk%20management%2C%20local%20security%20policy%2C%20etc.%20Just%20to%20clarify%2C%20I%20can%20access%20these%20through%20command%20prompt%20and%20it%20has%20only%20started%20blocking%20me%20recently%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1288459%22%20slang%3D%22en-US%22%3ERe%3A%20UAC%20blocking%20Microsoft%20Management%20Console%20%5Bmmc.exe%5D%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1288459%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F373855%22%20target%3D%22_blank%22%3E%40Teylor%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFirst%2C%20what%20build%20is%20this%20on%3F%20Just%20want%20to%20verify%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3ESecond%2C%20is%20this%20device%20managed%20by%20an%20IT%20department%2C%20or%20is%20it%20just%20a%20personal%20device%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20want%20to%20make%20sure%20I%20clearly%20understand%20your%20scenario.%3C%2FP%3E%3CP%3E1.%20You%20are%20logged%20in%20with%20a%20user%20that%20is%20a%20member%20of%20the%20local%20administrators%20group.%3C%2FP%3E%3CP%3E2.%20You%20are%20attempting%20to%20run%20various%20admin%20tools%20(mmc%2C%20Device%20Manager%2C%20etc.)%20from%20the%20Start%20Menu.%3C%2FP%3E%3CP%3E3.%20In%20doing%20so%20you%20are%20blocked%20by%20UAC.%3C%2FP%3E%3CP%3E4.%20You%20open%20an%20elevated%20command%20prompt%20(%22run%20as%20administrator%22)%3C%2FP%3E%3CP%3E5.%20You%20can%20now%20open%20the%20admin%20tools%20from%20the%20elevated%20command%20prompt.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20this%20is%20your%20scenario%2C%20then%20that%20is%20correct%20and%20by%20design.%26nbsp%3B%20You%20mentioned%20this%20changed.%26nbsp%3B%20This%20is%20why%20I'm%20asking%20if%20your%20device%20is%20managed%20or%20not.%26nbsp%3B%20If%20it%20is%2C%20then%20someone%20may%20have%20previously%20disabled%20UAC%20and%20it%20has%20either%20been%20reset%2C%20or%20intentionally%20turned%20on.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20this%20is%20an%20Insider%20build%20and%20is%20not%20managed%20AND%20you%20had%20previously%20disabled%20UAC%20and%20it%20was%20reverted%20to%20default%2C%20please%20file%20feedback%20and%20share%20the%20link%20so%20we%20can%20look%20into%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-Eddie%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hello, first of all to start with the preface: Windows 10 Pro Version 2004 (OS Build 19041.172) - using an account that belongs to the administrator group....

 

When I try to open the (running as an administrator) mmc.exe or any derivative, i.e. local security policy manager, device manager. UAC blocks the app from running with the error "An administrator has blocked you from running this app. For more information, contact the administrator." The only way to open the apps is to run them using an administrative command prompt.

 

 

If anyone has any help that they can offer, or any questions would be greatly appreciated

Thank you, Teylor

3 Replies
Highlighted

@Teylor 

 

This is by design.  Being in the "Administrators" group is not the same as being THE Administrator.  When you "run as Administrator" you are elevating to Ring 0, which has access to privileged areas of the OS.  This is a security measure to prevent accidental access.  Here's an [old but correct] article that should help. https://blogs.technet.microsoft.com/mrsnrub/2010/08/06/user-account-control-but-im-an-admin/

 

-Eddie

Highlighted

@Eddie Leonard 

 

So what you are saying is that I shouldn't be able to access device manager, disk management, local security policy, etc. Just to clarify, I can access these through command prompt and it has only started blocking me recently

Highlighted

@Teylor 

 

First, what build is this on? Just want to verify :)

Second, is this device managed by an IT department, or is it just a personal device?

 

I want to make sure I clearly understand your scenario.

1. You are logged in with a user that is a member of the local administrators group.

2. You are attempting to run various admin tools (mmc, Device Manager, etc.) from the Start Menu.

3. In doing so you are blocked by UAC.

4. You open an elevated command prompt ("run as administrator")

5. You can now open the admin tools from the elevated command prompt.

 

If this is your scenario, then that is correct and by design.  You mentioned this changed.  This is why I'm asking if your device is managed or not.  If it is, then someone may have previously disabled UAC and it has either been reset, or intentionally turned on.  

 

If this is an Insider build and is not managed AND you had previously disabled UAC and it was reverted to default, please file feedback and share the link so we can look into it.

 

-Eddie