jkimzlg

Win 10 pro - Group Policy - Microsoft Edge - This app can't open

We have a Win2k8r2 server in a domain environment and mostly Win 7 PCs. We recently got 5 Win 10 Pro PCs and clumped them all into one OU. On the Win 10 Pro PCs we are getting the message 'Microsoft Edge - can't be opened using the Built-in administrator account'. The strange thing is after a reboot I can launch the Edge browser no problem. The problem returns after some time.

Do I need to make a separate OU and in group policy specify the following:

Security Settings > Local Policies > Security Options > User Account Control: Admin Approval Mode for the Built-in Administrator account > "ENABLED"

Will this resolve my issue or is there something else needed?
John

are getting the message 'Microsoft Edge - can't be opened using the Built-in administrator account'

That is no surprise. The built-in Administrator's account is supposed to be disabled and remain disabled.

Disable the admin account and use a different account (even if a member of the administrator's group).
jkimzlg

ASKER

Thanks John, I don't really want to disable the admin account. I am using an entirely different account and I've made them an administrator so they can install whatever they need. I'm not really concerned about the security aspect. I just want to know how to enable this in group policy so that this message will not come up again for my Win 10 Pro users. They should always be able to use the Edge browser.
ASKER CERTIFIED SOLUTION
McKnife
This solution is only available to members.
It is completely wrong to use the built in administrators account as it is a high security risk. That has been like that since Windows 7 and I have never run across a situation needing the account in all my clients.

You may be able to resolve with the policy, I just would not ever do that.

John, do you know what we are talking about, the policy and what effect it has? It does not seem so.
That policy treats the built-in administrator just as any other administrator when activated.
SOLUTION
This solution is only available to members.
This is no argument. See, why does Microsoft let us use Edge and other apps when this policy is enabled? Just for the very reason that there is no difference anymore. Sure, the built-in admin is disabled by default. But for what reason? Because UAC treats him differently. We enable the policy, UAC does not treat him differently anymore - same risk as with other admins.
jkimzlg

ASKER

It worked, about to distribute points, before I do:

Are you guys saying that in Win 10 if I enable the built-in local admin account named 'Administrator' (which is disabled by default), then it will make every local administrator I add in a built-in administrator?

No... you misunderstood. What that policy does: it turns on UAC for the built-in administrator. Now the built-in administrator is treated just as any other administrator.
jkimzlg

ASKER

For example, this Edge error message came up for the user 'Patrick'.  All I did was add him into the 'Administrators' group.  Is Patrick a built-in administrator here?

Ok, we need to be clear on some things :-)
Normally, you suppose that people follow recommendations like "leave UAC on". So when you described that problem, we assume that UAC was on. If that message comes up for a self-created admin, then that implies that you have turned off UAC.

More: all that Windows is trying to do is to protect you from mischief that you are probably causing. Windows by default won't let anyone run the modern apps when UAC is off. So that policy will only make a difference if UAC is on and then, only for the built-in administrator.

Summed up: UAC off: message appears for any administrator. No administrator will be able to run modern apps.
UAC on: message appears only for the built-in administrator. Using that policy will let him use the apps (because the policy turns UAC on for him as well).

OK?
jkimzlg

ASKER

thank you
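
The "UAC off / UAC on" summary given in the thread can be checked on a machine by reading the two registry values behind the UAC policies. This is an added example, not part of the original thread; the helper names `Get-UacValue` and `Test-ModernAppBlocked` and the sample cases are constructed for illustration, and the logic covers only accounts in the Administrators group, as the thread does.

```powershell
# Added example (not from the thread). Registry values behind the two UAC policies:
#   EnableLUA                = "User Account Control: Run all administrators in Admin Approval Mode"
#   FilterAdministratorToken = "User Account Control: Admin Approval Mode for the
#                               Built-in Administrator account" (the policy asked about)
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Hypothetical helper: read one value, falling back to the Windows default if it is absent.
function Get-UacValue {
    param([string]$Name, [int]$Default)
    $prop = Get-ItemProperty -Path $UacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $Default }
    return [int]$prop.$Name
}

# Hypothetical helper: apply the thread's summary to an account in the Administrators group.
function Test-ModernAppBlocked {
    param([int]$EnableLUA, [int]$FilterAdministratorToken, [bool]$IsBuiltInAdmin)
    if ($EnableLUA -eq 0) { return $true }   # UAC off: message appears for any administrator
    # UAC on: only the built-in Administrator is blocked, and only while its policy is off
    return ($IsBuiltInAdmin -and $FilterAdministratorToken -eq 0)
}

# Constructed cases mirroring the situations discussed in the thread
$cases = @(
    [pscustomobject]@{ Case = 'UAC off, self-created admin';          LUA = 0; Filter = 0; BuiltIn = $false }
    [pscustomobject]@{ Case = 'UAC off, policy enabled';              LUA = 0; Filter = 1; BuiltIn = $true  }
    [pscustomobject]@{ Case = 'UAC on, self-created admin';           LUA = 1; Filter = 0; BuiltIn = $false }
    [pscustomobject]@{ Case = 'UAC on, built-in admin, policy off';   LUA = 1; Filter = 0; BuiltIn = $true  }
    [pscustomobject]@{ Case = 'UAC on, built-in admin, policy on';    LUA = 1; Filter = 1; BuiltIn = $true  }
)
foreach ($c in $cases) {
    '{0,-38} blocked = {1}' -f $c.Case, (Test-ModernAppBlocked $c.LUA $c.Filter $c.BuiltIn)
}

# Live check for the account running this script
$sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$builtIn = $sid -match '-500$'   # the built-in Administrator always has RID 500
$lua     = Get-UacValue -Name 'EnableLUA' -Default 1
$filter  = Get-UacValue -Name 'FilterAdministratorToken' -Default 0

[pscustomobject]@{
    EnableLUA                = $lua
    FilterAdministratorToken = $filter
    IsBuiltInAdministrator   = $builtIn
    BlockedIfAdministrator   = Test-ModernAppBlocked $lua $filter $builtIn
}
```

If `EnableLUA` reports 0 on the affected PCs, the block applies to every administrator there, and the built-in Administrator policy alone does not change that.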