A few days ago, I noticed someone facing an incredibly frustrating problem on their Windows device. They kept encountering the User Account Control error message that mentioned, “This App has been blocked by your system administrator.”
Every time they tried to run an application as an administrator, the error seemed to come out of nowhere, and no matter what they tried, the message would appear. To make matters worse, even attempting to right-click and “Run as administrator” to run the app with administrator privileges would lead to the same block.
6 Hidden Policies That Could Be Blocking Your Apps in Windows
If you’ve ever encountered the dreaded “This App Has Been Blocked by Your System Administrator” message, you’re not alone. It’s frustrating, and tracking down the cause can feel like chasing ghosts. After a deep dive into one such case, here’s what we uncovered: six potential hidden culprits, but none of them were causing the issue of obtaining administrator privileges.
1. AppLocker:
AppLocker is often the first suspect in blocking apps. However, in this instance, no AppLocker policies were set, so we moved on to other possibilities.
2. Windows Defender Application Control (WDAC): Clean Slate
- WDAC / Appcontrol for Business can impose strict rules on app execution, but a thorough check revealed no active WDAC policies contributing to this block.
3. Security Baselines: Checked and Cleared
We carefully reviewed all security baselines for any restrictive policies. After double-checking, there was no sign of any that could cause the block.
4. Microsoft Defender for Endpoint: Only Monitoring
While Microsoft Defender for Endpoint was onboarded, it was set to monitor-only mode. No policies were being enforced that could block applications from running.
5. Conditional Access & SmartScreen: Not the Issue
Neither Conditional Access policies nor SmartScreen settings were configured in a way that would lead to the issue. Both were ruled out as potential blockers.
6. Shared Device Mode via Intune: The Hidden Player
The real culprit turned out to be Shared Device Mode, which was quietly set through Intune. This mode is designed for shared environments (like kiosks) and restricts user permissions. In this case, it was automatically denying any attempt to run apps with admin privileges.
Everything was checked and double-checked—yet the error persisted. No matter what was attempted, any app that required admin privileges seemed completely blocked and showed them the same error message. At this point, it was starting to look like a ghost policy or an invisible setting was at work.
That’s when I started digging deeper into lesser-known configurations, and I realized there was one potential culprit still lurking in the shadows—Shared Device Mode configured through Intune.
This mode, often used for environments like kiosks or multi-user machines, can contain settings that are easily overlooked but can significantly impact user permissions and app functionality. Let me show you why!
The Missing Piece: Shared Device Policy
After exhausting the other 5 options I focused on a setting that often flies under the radar—Shared Device Mode, configured via Intune. Shared Device Mode, designed for multi-user scenarios (think: shared PCs in libraries or kiosks), contains some very restrictive default configurations that can catch you off guard if not properly understood.
One particular setting stood out: the “ConsentPromptBehaviorUser” policy within this Shared Device Mode. We can spot this policy and its corresponding User Account Control settings when opening the registry editor and looking at the Windows Registry.
This policy, often deployed via EnableSharedPCMode, modifies the behavior of UAC (User Account Control) security settings and prompts. Specifically, it automatically denies elevation requests for standard users, essentially stripping them of the ability to right-click and “Run as administrator.”
In environments where Admin Approval Mode is enabled, elevation requests for administrators must be explicitly approved by an admin. However, in Shared Device Mode, Admin Approval Mode is bypassed for standard users, preventing any elevation attempts from succeeding, even if someone with administrator credentials attempts to approve the action. This leads to scenarios where users are completely blocked from running certain apps unless the Shared PC Mode is disabled or adjusted.
Shared PC Mode
The setting “ConsentPromptBehaviorUser” is enforced as part of the Shared PC policy and is configured to automatically deny elevation requests for standard users.
So, even if all other policies look clean, this one can still block users from running apps as an admin:
EnableSharedPCMode: Automatically applies a GPO that denies elevation requests for standard users.
ConsentPromptBehaviorUser: Ensures that no user can bypass admin controls by launching applications with elevated privileges.
Once Shared PC Mode is enabled, this setting kicks in regardless of whether you’ve set up other policies to manage UAC behavior. In effect, the right-click “Run as administrator” function is completely broken, as the elevation request is automatically denied without user interaction. With the elevation request automatically denied, we will get the famous error message that this app has been blocked by your system administrator.
Key Takeaways
This is one of those cases where, despite no visible AppLocker, WDAC (Appcontrol for Business), or Smartscreen, Intune’s Shared Device Mode is quietly running the show in the background. This is why we got the message “This app has been blocked by your system administrator UAC message.” If you’re dealing with devices set up for multi-user scenarios, it’s crucial to consider this mode and its impact on user privileges.
In this case, the system administrator would need to revisit the Shared Device configuration within Intune and either disable the Shared PC mode or modify the policies to allow for more flexibility with administrative permissions.
Remember, policies that limit administrative elevation, even if applied for standard users, can lead to widespread issues if not fully understood or properly documented.