Microsoft’s new Local Administrator Protection feature promises enhanced security for local admin accounts. However, on non-en-US devices, it can trigger the “Failed to Find MUI File” error, locking you out completely. In this blog, we’ll explore the issue, its cause, and how to fix it.
Introduction
With Local Administrator Protection just being released to the Insider Preview Windows Builds, it’s clear that Microsoft is stepping up its game in securing local admin accounts. The Local Administrator Protection feature promises to lock down admin tokens and prevent abuse, making it a powerful addition to the Windows security toolkit. But, as with any new feature, it could have some funny issues. We discovered a critical issue during testing when enabling Local Administrator Protection on devices configured with non-en-US languages like en-GB. Instead of improving security, it ended up completely locking us out of local administrator accounts! Let’s dive into what caused the Failed to Find MUI File error, how we fixed it, and why you need to tread carefully before enabling this feature in your environment.
The MUI Errors: What Happened After Enabling It?
Let’s take a look at what happened before diving in! After enabling Local Administrator Protection and rebooting, the device refused to let us log in with a local administrator account. Instead, we were greeted with weird cryptic errors like:
- The resource loader cache doesn’t have loaded MUI entry.
- The resource loader failed to find MUI file.
These errors aren’t just annoying; they completely block access to local admin accounts, leaving you in a funny situation (well, it depends on what you think is funny). But what’s behind these errors? That’s where ProcMon came in handy.
The Root Cause: Missing MUI Files
To troubleshoot, we ran ProcMon through an RMM tool in the system context (as we couldn’t log in to the device anymore, right?) and found the culprit: the missing MUI (Multilingual User Interface) files. As shown below, the moment we tried to elevate something from the non-admin account, consent.exe showed that it couldn’t find the MUI file.
Local Administrator Protection seems to rely on these files to handle certain system resources, but if they’re missing from your device’s language configuration, the feature seems to break.
Here’s what we uncovered:
- File Not Found: The system repeatedly tried to access files like consent.exe.mui and samsrv.dll.mui in the System32/en-GB folder.
- MUI Exists for en-US Only: These files DO exist in the en-US directory but were missing for en-GB and likely other non-en-US Windows Builds.
This mismatch seems to indicate that devices configured with non-en-US languages couldn’t handle certain operations required by Local Administrator Protection, resulting in the MUI error and the corresponding login failures.
The Simple Fix: Adding en-US Language
To resolve the issue, here’s what worked for us:
- Install the en-US Language Pack:
  Add English (United States) as a display language via Settings > Time & Language > Language & Region. Be sure to set it as your Windows display language.
- Update Administrative Language Settings:
  In the Control Panel, navigate to Region > Administrative and set the System Locale to English (United States) for non-Unicode programs.
- Ensure that you copy the language settings to new users, the welcome screen, and system accounts.
- Reboot and Re-enable the Feature:
  After making these changes, reboot the device and re-enable Local Administrator Protection.
After enabling Local Administrator Protection and rebooting the device, we were able to log in!
Lessons Learned: Test Before You Deploy
Here’s what this experience taught us:
- Test Non-en-US Configurations: Devices configured with non-en-US languages (like en-GB, de-DE, etc.) are likely to run into this issue. Always test thoroughly before enabling Local Administrator Protection across your environment.
- Check for MUI Files: Missing MUI files for your device’s language configuration can break the feature. Adding en-US as a fallback is the easiest solution for now.
- Plan for Localization Issues: Remember, Local Administrator Protection is still in preview. Localization bugs like this will get fixed in future updates, but for now, be ready with workarounds.
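A pre-flight check for the "Check for MUI Files" lesson above, as an added example (not code from the original post or from Microsoft): it reports whether the two MUI files named in this post exist for the device's languages. The function name `Test-ElevationMuiFile`, the output shape and the exit codes are assumptions, and the file list covers only the files named here.

```powershell
# Added example, not from the original post. The file names and the
# System32\<language> layout come from the post; the function name, output
# shape and exit codes are assumptions made for illustration.
function Test-ElevationMuiFile {
    param(
        # Languages to check. Under SYSTEM (e.g. via an RMM tool) Get-UICulture
        # reflects the SYSTEM account, so pass -Language explicitly if needed.
        [string[]]$Language = @((Get-UICulture).Name, (Get-WinSystemLocale).Name, 'en-US'),
        # Only the files named in the post; the feature may need others.
        [string[]]$MuiFile = @('consent.exe.mui', 'samsrv.dll.mui')
    )

    # A 32-bit host on 64-bit Windows is redirected from System32 to SysWOW64;
    # the Sysnative alias reaches the real System32 in that case.
    $dir = 'System32'
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        $dir = 'Sysnative'
    }
    $root = Join-Path $env:SystemRoot $dir

    foreach ($lang in ($Language | Select-Object -Unique)) {
        foreach ($file in $MuiFile) {
            $path = Join-Path (Join-Path $root $lang) $file
            [pscustomobject]@{
                Language = $lang
                File     = $file
                Present  = Test-Path -LiteralPath $path -PathType Leaf
            }
        }
    }
}

$results = @(Test-ElevationMuiFile)
$results | Format-Table -AutoSize | Out-String | Write-Host

$missing = @($results | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    $langs = ($missing | ForEach-Object { $_.Language } | Select-Object -Unique) -join ', '
    Write-Warning "MUI files missing for: $langs. Fix the language setup before enabling the feature."
    exit 1
}
exit 0
```

Run it before turning the feature on; the non-zero exit code lets an RMM or deployment tool skip devices that would hit the MUI error.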
Wrapping It Up
Local Administrator Protection is a great step forward for securing local admin accounts, but it’s clear that it still has some rough edges, especially for devices running non-en-US configurations. If you plan to enable this feature, ensure you enable it on en-US Windows Builds and always test in a lab before deploying.