I can't understand why regular domain users are being blocked from running anything as administrator. Something as simple as Command Prompt (Admin) gets you the blue error saying "this app has been blocked by your system administrator." Applocker isn't running. UAC is enabled. I don't have any group policy that would be blocking this. My only assumption is that I don't have something turned on through group policy or it is something with UEM. Maybe something disabled through OS Optimization? Has anyone ran into this issue?
I figured it out. It was the VMWare OS Optimization Tool. The tool changes ConsentPromptBehaviorUser to 0. This should be 1 for UAC prompts.
You have application blocking enabled in UEM.
Try disabling it and see if the error goes away. (See screenshot) After you disable it, you need to restart the VM or run "C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -UemRefreshApplicationBlocking
I assumed it was something Applocker/UEM Application Blocking enabled, but I don't have any of those on.
If both of those are disabled, have you check out if you have an Software Restriction Policies set?
rsop.msc and check your group policies coming down.
SRP is under:
GPO -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies
Also, check out application log on the desktop.
Yah, nothing seems out of the ordinary. I'll work with Microsoft on this one. Thanks for trying.
I booted up my golden image and it's the same result, so it isn't anything with UEM or group policy as far as I can tell. Perhaps it's the VMWare OS Optimization tool. Going to have to build a regular VM and test. Will report back.
I figured it out. It was the VMWare OS Optimization Tool. The tool changes ConsentPromptBehaviorUser to 0. This should be 1 for UAC prompts.