“Run as Admin” required for binary update installation when User Access Controls enabled
“Run as Admin” required for binary update installation
when User Access Controls enabled
The release of a new SmartUpdate client (aka SmartUpdater) forced an old issue to resurface for the AMP console. When a workstation has User Access Controls enabled the “Run as Admin” feature must be used in order to enable SmartUpdate to install new binaries. Even if the logged in user is an administrator on the desktop, the run as admin feature must be used.
Run as Admin is required for applying SmartUpdate binary updates on windows vista, 7, and server 2008 workstations with user access controls enabled. This is true even if the logged in user is an administrator on the desktop.
What the problem looks like (AMP console):
1) Launch AMP Console normally
2) Log in to AMP with account
3) User is prompted with message stating updates are available (figure 1)
Figure 1 (See attachment figures 1-3.png)
4) User clicks "Yes" and is presented with the SmartUpdate dialog. In the dialog a new SmartUpdater is recommended for install (Figure 2). In the upper right the dialog states that an Administrator account is required for download. The download button and the check box are grayed out, preventing installation. The user is a desktop admin, but User Account Controls are enabled so even the admin is not actually running as admin.
Figure 2 (See attachment figures 1-3.png)
5) The user has no choice. They must cancel the SmartUpdate.
6) If the user attempts to edit a policy or template at this point, they will be informed that they cannot. This is because there is an undelivered binary update to the console.
Figure 3 (See attachment figures 1-3.png)
Running with “Run as Administrator” (AMP console):
1) Select the program to launch, right click and select Run As Administrator (figure 4)
Figure 4 (See attachment figures 4-6.png)
2) User is prompted by windows user access control. User selects YES to open program. (Figure 5)
Figure 5 (See attachment figures 4-6.png)
3) User logs into AMP, is prompted for updates in the same way as presented in Figure 1.
4) User has ability to download and install the new SmartUpdater. The check box is enabled and once a check has been placed, the download button is enabled. (figure 6)
Figure 6 (See attachment figures 4-6.png)
5) User updates SmartUpdater, secure base is updated. Policy & template access is enabled