New KB: Elevation and Run-As Considerations in Microsoft App-V Environments

Just a quick FYI on a new KB we published this morning:

=====

Symptoms

Applications whose manifests specify automatic elevation (for example mmc.exe) may require additional steps to work correctly using run-as in App-V environments. This is a common scenario for environments that require using separate credentials from the account used to log on to the desktop. For instance, a normal user account may be used to log on to a Windows 7 Professional desktop, and then a second account with administrative rights may be used to launch the System Center Configuration Manager (ConfigMgr) Administration Console by shift-right-clicking on the shortcut and choosing Run as different user.

Errors will vary depending on the application. For the Configuration Manager console, the MMC may fail to load with the error: Error initializing console.

Cause

This behavior is by design. When a shortcut to an App-V virtualized application that invokes sftlp.exe is launched (for example, MMCs and other non-executable images), ShellExecute() does not request elevation. If you log on to the desktop using the same administrative account that is used to launch the shortcut, the process will elevate successfully.

Resolution
Workaround #1 - use the Elevation PowerToy
  1. Download and install the Vista Elevation PowerToy
  2. Modify the shortcut to use elevate.cmd. For example, this command line:

"C:\Program Files (x86)\Microsoft Application Virtualization Client\sfttray.exe" /launch "ConfigMgr 1.0"

becomes

C:\Elevation\elevate.cmd "C:\Program Files (x86)\Microsoft Application Virtualization Client\sfttray.exe" /launch "ConfigMgr 1.0"

Workaround #2 - configure sfttray to always launch with elevation

Right-click on C:\Program Files (x86)\Microsoft Application Virtualization Client\sfttray.exe and choose Properties. Click on the Compatibility tab. Click Run this program as an administrator and then click Apply and OK to exit. This will cause all App-V packages to run with administrative privileges, and should only be used for testing.
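
Because Workaround #2 is meant for testing only, it is worth checking afterwards that the flag has not been left in place. The following audit script is an added example, not part of the KB. It assumes the Compatibility tab setting is stored as a RUNASADMIN value under the AppCompatFlags\Layers registry key and uses the sfttray.exe path shown above; the function name Get-RunAsAdminFlag is made up for this example.

```powershell
# Added example: report whether sfttray.exe is flagged to always run elevated.
# Path taken from the KB text; adjust it if the App-V client is installed elsewhere.
$exe    = 'C:\Program Files (x86)\Microsoft Application Virtualization Client\sfttray.exe'
$layers = 'Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

function Get-RunAsAdminFlag {
    param(
        [Parameter(Mandatory = $true)] [string] $ExePath,
        [Parameter(Mandatory = $true)] [string] $LayersSubKey
    )
    # HKLM holds the all-users setting; HKEY_USERS holds each *loaded* user hive.
    # Profiles that are not currently loaded are not covered by this check.
    $roots = @('Registry::HKEY_LOCAL_MACHINE')
    $roots += Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::$($_.Name)" }

    foreach ($root in $roots) {
        $keyPath = "$root\$LayersSubKey"
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        # Value names are full executable paths; compare case-insensitively.
        foreach ($name in $key.GetValueNames()) {
            if ($name -ieq $ExePath) {
                $data = [string]$key.GetValue($name)
                New-Object PSObject -Property @{
                    Hive       = $root
                    Executable = $name
                    Layers     = $data
                    # The data is a space-separated list of compatibility layers.
                    RunAsAdmin = (($data -split '\s+') -contains 'RUNASADMIN')
                }
            }
        }
    }
}

$findings = @(Get-RunAsAdminFlag -ExePath $exe -LayersSubKey $layers)
if ($findings.Count -eq 0) {
    Write-Output "No compatibility layer is set for $exe."
} else {
    $findings | Format-Table Hive, Layers, RunAsAdmin -AutoSize
}
```

Any row with RunAsAdmin set to True means every App-V package launched through sfttray.exe on that machine or profile runs with administrative privileges.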

=====

For the most current information please see the following KB article:

KB2559075 - Elevation and Run-As Considerations in Microsoft App-V Environments

J.C. Hornbeck | System Center Knowledge Engineer

The App-V Team blog: https://blogs.technet.com/appv/
The WSUS Support Team blog: https://blogs.technet.com/sus/
The SCMDM Support Team blog: https://blogs.technet.com/mdm/
The ConfigMgr Support Team blog: https://blogs.technet.com/configurationmgr/
The SCOM 2007 Support Team blog: https://blogs.technet.com/operationsmgr/
The SCVMM Team blog: https://blogs.technet.com/scvmm/
The MED-V Team blog: https://blogs.technet.com/medv/
The DPM Team blog: https://blogs.technet.com/dpm/
The OOB Support Team blog: https://blogs.technet.com/oob/
The Opalis Team blog: https://blogs.technet.com/opalis
The Service Manager Team blog: https://blogs.technet.com/b/servicemanager
The AVIcode Team blog: https://blogs.technet.com/b/avicode
The System Center Essentials Team blog: https://blogs.technet.com/b/systemcenteressentials
The Server App-V Team blog: https://blogs.technet.com/b/serverappv


Comments

  • Anonymous
    June 30, 2011
    By design? Are we supposed to buy that it working completely incorrectly was intentional? Ok, then what was the reason for that? I would love for you guys to explain what we gain from this NOT working like everything else on the OS as opposed to what I think you REALLY mean which is "uh, it doesn't handle it right". If this is by design then maybe you can explain why: <ENVIRONMENT VARIABLE="__COMPAT_LAYER">RunAsInvoker</ENVIRONMENT> works but: <ENVIRONMENT VARIABLE="__COMPAT_LAYER">RunAsAdmin</ENVIRONMENT> does nothing. I don't mind you guys saying "yeah we know, this should behave like everything else in the OS, we just haven't done it or haven't managed to figure it out yet". But telling us it is SUPPOSED to work like this, and then posting a KB because enough people go "ummmmm" and saying we should use a Vista PowerToy... ...really?

  • Anonymous
    June 30, 2011
    And by the way...what the heck is the point of elevation if one of your solutions is "run everything elevated"...so because I have the SCCM console on my machine firefox should be given elevation too? Good grief.

  • Anonymous
    June 30, 2011
    @alcaron - By design means that we acknowledge that it is a limitation of the product.  All commercial software is a trade-off between "perfect" and "shipped in time to be relevant".  The point of this article was to show you how to make this work, not to debate the fine points of software design. Your second comment - I think "This will cause all App-V packages to run with administrative privileges, and should only be used for testing." covers your concern. A quick Bing search answers your RunAsAdmin question - blogs.technet.com/.../making-applications-compatible-with-windows-7-in-a-virtualized-environment.aspx Appreciate the passion of your response and hope this helps. ---Mark