I need a GPO to set UAC on Windows 10 in V18.104.22.168 for Starting 800xA Operator Workplace
The User Account Control: Run all administrators Admin Approval Mode policy setting controls the behavior of all UAC policy settings for the computer.
The options are: Use Disable Option
- Enabled. (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
- Disabled. Admin Approval Mode and all related UAC policy settings are disabled.
Note If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
Starting with Windows 8/Server 2012, System 800xA’s LogOver feature (making use of the ”Impersonate a client after authentication” security privilege) now requires elevation.
Elevation need UAC approval/procedure in Microsoft Windows.
It was not feasible to implement elevation at time of logover, instead elevation takes place at workplace launch.
As a side effect, workplace autostart was changed from a Startup Job into a Scheduled Task as the Scheduler can start an elevated job. The Startup Job method will present a UAC dialog.
a) turn off UAC (a less secure option)
b) configure scheduled task locally on each computer using Workplace App
c) configure scheduled task remotely
I have tested option c) from CLI using the SCHTASKS.EXE command. Side note: task name must be unique per user and computer.
There could be other viable methods, but after testing GPO methods for some hours without sufficient results I gave up and returned to use CLI.
First, Stephan, thank you for answer and your work, you do all the time for this Forum!
I tried this over a GPO, but there is one Problem if you have different Users ond different Machines.
If I start a WP with another user, i have to logon twice. Otherwise the workplace is not starting. After this, it works on every logon. But if I use another Account, same issue again.
I tried a lot of settings. "create, update, replace," but same issue every time.
So i decidet to use this only for Workplaces with single user.
I'm a littlebit surprised that there is no official Workaround from ABB, this will be a Problem on a lot of Plants.
Thx, Arno Hürlimann