New KB: Elevation and Run-As Considerations in Microsoft App-V Environments

  • Article

KBJust a quick FYI on a new KB we published this morning:

=====

Symptoms

Applications whose manifests specify automatic elevation (for example mmc.exe) may require additional steps to work correctly using run-as in App-V environments. This is a common scenario for environments that require using separate credentials from the account used to log on to the desktop. For instance, a normal user account may be used to log on to a Windows 7 Professional desktop, and then a second account with administrative rights may be used to launch the System Center Configuration Manager (ConfigMgr) Administration Console by shift-right-clicking on the shortcut and choosing Run as different user.

Errors will vary depending on the application. For the Configuration Manager console, the MMC may fail to load with the error: Error initializing console.

Cause

This behavior is by design. When an shortcut to a an App-V virtualized application is launched that invokes sftlp.exe (for example, MMCs and other non-executable images), ShellExecute() does not request elevation. If you log on to the desktop using the same administrative account that is used to launch the shortcut, the process will elevate successfully.

Resolution
Workaround #1 - use the Elevation PowerToy
  1. Download and install the Vista Elevation PowerToy
  2. Modify the shortcut to use elevate.cmd. For example, this command line:

"C:\Program Files (x86)\Microsoft Application Virtualization Client\sfttray.exe" /launch "ConfigMgr 1.0"

becomes

C:\Elevation\elevate.cmd "C:\Program Files (x86)\Microsoft Application Virtualization Client\sfttray.exe" /launch "ConfigMgr 1.0"

Workaround #2 - configure sfttray to always launch with elevation

Right-click on C:\Program Files (x86)\Microsoft Application Virtualization Client\sfttray.exe and choose properties. Click on the Compatibility tab. Click Run this program as an administrator and then click Apply and OK to exit. This will cause all App-V packages to run with administrative privileges, and should only be used for testing.

=====

For the most current information please see the following KB article:

KB2559075 - Elevation and Run-As Considerations in Microsoft App-V Environments

J.C. Hornbeck | System Center Knowledge Engineer

The App-V Team blog: https://blogs.technet.com/appv/
The WSUS Support Team blog: https://blogs.technet.com/sus/
The SCMDM Support Team blog: https://blogs.technet.com/mdm/
The ConfigMgr Support Team blog: https://blogs.technet.com/configurationmgr/
The SCOM 2007 Support Team blog: https://blogs.technet.com/operationsmgr/
The SCVMM Team blog: https://blogs.technet.com/scvmm/
The MED-V Team blog: https://blogs.technet.com/medv/
The DPM Team blog: https://blogs.technet.com/dpm/
The OOB Support Team blog: https://blogs.technet.com/oob/
The Opalis Team blog: https://blogs.technet.com/opalis
The Service Manager Team blog: http: https://blogs.technet.com/b/servicemanager
The AVIcode Team blog: http: https://blogs.technet.com/b/avicode
The System Center Essentials Team blog: http: https://blogs.technet.com/b/systemcenteressentials
The Server App-V Team blog: http: https://blogs.technet.com/b/serverappv

clip_image001 clip_image002