MDT Enables UAC for Built-In Administrator Account

After setting up MDT for our organization, a coworker pointed out some issues with starting a new litetouch deployment from within an existing Windows 10 installation. When I saw it, it was obvious the issues were related to UAC. The problems were:

  • The user was being asked for network credentials immediately at the beginning of the wizard.
  • After answering all of the questions and completing the wizard, the computer would reboot into PE and proceed to start the whole wizard over again, forgetting all of the previously provided answers.

I checked and found, sure enough, the local policy “Enable app approval mode for built-in Administrator account” was set to enabled. I couldn’t figure out where or how this was getting set, so I ran some test deployments and found MDT itself was turning this on at the very end of a litetouch deployment!

Turns out, this is set this way by a few lines near the beginning of the LTICleanup.wsf file. Microsoft did this for versions of Windows 8 and above so that the built-in Administrator account could open Windows modern apps, such as Edge. I’d never encountered this issue before because I’d only ever used MDT with Windows 7 in the past.

I disagree with this decision not only on the grounds of it being mostly useless and worse, encourages people to use the Administrator account for daily use, but also because it causes the before mentioned issues on future MDT deployments.

To fix this issue, simply comment out lines 144-150 in LTICleanup.wsf that reads:

If oEnvironment.Item("OSCurrentVersion") <> "" then
  If ((oUtility.VersionMajor = 6 and oUtility.VersionMinor >= 2) or oUtility.VersionMajor >= 10 ) then
    oLogging.CreateEntry "Re-enabling UAC for built-in Administrator account", LogTypeInfo
    oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken", 1, "REG_DWORD"
  End if
End if 

You can comment each line by simply adding an apostrophe to beginning.

You can find LTICleanup.wsf in the Scripts folder of your deployment share.


Leave a Reply

Your email address will not be published. Required fields are marked *