...
Impact: This issue is due to child processes of these apps running with Integrity level low instead of Integrity level medium.
Originating KB URL: https://support.microsoft.com/en-us/topic/5043131
Originating KB Release Date: 2024-09-24T14:00:00-07:00
Originating Build: 19045.4957
Resolved KB URL: https://support.microsoft.com/en-us/topic/5046613
Date Resolved: 2024-11-12T10:00:00-08:00

All Updates:
------------------------------------------------------
November 12, 2024 18:04 PM

After installing the September 2024 preview update (KB5043131 (https://support.microsoft.com/help/5043131)), released September 24, 2024 or later, you might observe that apps such as Quick Assist, Microsoft Teams, Windows Narrator, etc., fail to start if you are a non-admin user. You might experience this issue on any app that sets UIAccess=true (https://learn.microsoft.com/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) while trying to run the app as a non-admin user. The uiAccess=true attribute in an application's manifest file is used to request that the application be granted higher privileges.

Apps using this attribute launch from a secure path, such as:
- %ProgramFiles% (including subdirectories)
- %ProgramFiles(x86)% (including subdirectories for 64-bit versions of Windows)
- %systemroot%\system32
- %systemroot%\syswow64 (for 64-bit versions of Windows)

If you have the Procmon (https://learn.microsoft.com/sysinternals/downloads/procmon) monitoring tool installed on your device, you will observe that the application runs with the wrong integrity level (https://learn.microsoft.com//windows/win32/secauthz/mandatory-integrity-control), Integrity:Low instead of the expected Integrity:Medium. You are less likely to encounter this issue if you are running the application as an administrator.
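As an added example (not part of Microsoft's notice): a Python triage of a Procmon CSV export that lists processes seen at Integrity Low while running from the secure locations described above. It assumes the optional Image Path and Integrity columns were enabled before export; the sample rows, the C:\ paths and the Contoso helper are constructed.

```python
import csv
import io
from pathlib import PureWindowsPath

# Secure locations listed in the notice. The C: drive and folder names are assumed
# defaults; on a real host expand %ProgramFiles% and %systemroot% instead.
SUBTREE_DIRS = [r"C:\Program Files", r"C:\Program Files (x86)"]  # subdirectories count
EXACT_DIRS = [r"C:\Windows\System32", r"C:\Windows\SysWOW64"]    # listed without subdirectories

# Constructed sample of a Procmon CSV export (Image Path and Integrity columns enabled).
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Image Path","Integrity"
"10:01:02.1","Narrator.exe","4312","Process Start","C:\Windows\System32\Narrator.exe","Low"
"10:01:02.3","Narrator.exe","4312","Load Image","C:\Windows\System32\Narrator.exe","Low"
"10:01:05.0","helper.exe","5120","Process Start","c:\program files\Contoso\Helper\helper.exe","Low"
"10:01:06.4","notepad.exe","2200","Process Start","C:\Windows\System32\notepad.exe","Medium"
"10:01:07.9","tool.exe","6100","Process Start","C:\Users\alice\AppData\Local\Temp\tool.exe","Low"
'''


def in_secure_location(image_path):
    """True if the image sits in one of the secure locations (case-insensitive)."""
    path = PureWindowsPath(image_path)
    if any(path.parent == PureWindowsPath(d) for d in EXACT_DIRS):
        return True
    return any(PureWindowsPath(d) in path.parents for d in SUBTREE_DIRS)


def find_low_integrity(procmon_csv, watch=None):
    """Return sorted (process, pid, image path) tuples seen at Low integrity from a
    secure location. Pass `watch` (image names) to limit the check to the apps under
    investigation, since sandboxed child processes can be Low by design."""
    watch = {n.lower() for n in watch} if watch else None
    hits = set()  # a set collapses the many events Procmon logs per process
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        name = row["Process Name"]
        if watch is not None and name.lower() not in watch:
            continue
        if row["Integrity"].strip().lower() == "low" and in_secure_location(row["Image Path"]):
            hits.add((name, int(row["PID"]), row["Image Path"]))
    return sorted(hits)


if __name__ == "__main__":
    for name, pid, image in find_low_integrity(SAMPLE):
        print(f"{name} (PID {pid}) at Integrity:Low from {image}")
```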

Resolution: This issue was resolved by Windows updates released November 12, 2024 (KB5046613 (https://support.microsoft.com/help/5046613)), and later. We recommend you install the latest security update for your device as it contains important improvements and issue resolutions, including this one.

If you have an enterprise-managed device and have installed the update released November 12, 2024 (KB5046613 (https://support.microsoft.com/help/5046613)), or later, you do not need to use a Known Issue Rollback (KIR) (https://techcommunity.microsoft.com/t5/windows-it-pro-blog/known-issue-rollback-helping-you-keep-windows-devices-protected/ba-p/2176831) or a special Group Policy to resolve this issue. If you are using an update released before November 12, 2024, and have this issue, your IT administrator can resolve it by installing and configuring the special Group Policy listed below. The special Group Policy can be found in Computer Configuration > Administrative Templates > <Group Policy name listed below>.

For information on deploying and configuring this special Group Policy, please see How to use Group Policy to deploy a Known Issue Rollback (https://learn.microsoft.com/troubleshoot/windows-client/group-policy/use-group-policy-to-deploy-known-issue-rollback).

Group Policy downloads with Group Policy name:
- Download for Windows 10, version 22H2 (https://download.microsoft.com/download/50aed8a9-d766-4adc-8324-e1b0b7defe2a/Windows%2010%2020H2,%2021H1,%2021H2%20and%2022H2%20KB5041582%20241027_11353%20Known%20Issue%20Rollback.msi) – Windows 10 20H2, 21H1, 21H2 and 22H2 KB5041582 241027_11353 Known Issue Rollback

Important: You will need to install and configure the Group Policy for your version of Windows to resolve this issue. You will also need to restart your device(s) to apply the group policy setting.

Note: The below steps apply to enterprise devices that are domain joined.
1. Wait for the KIR group policy changes to replicate in Active Directory and the SYSVOL
2. Follow one of the steps below before applying the KIR:
   a. Wait for group policy to refresh in the background (https://learn.microsoft.com/previous-versions/windows/desktop/Policy/background-refresh-of-group-policy) then restart your device (or)
   b. Run 'gpupdate /force' (https://learn.microsoft.com/windows-server/administration/windows-commands/gpupdate) from a command prompt then restart your device

Affected platforms:
- Client: Windows 10, version 22H2
- Server: None

------------------------------------------------------
October 30, 2024 20:16 PM

After installing the September 2024 preview update (KB5043131 (https://support.microsoft.com/help/5043131)), released September 24, 2024 or later, you might observe that apps such as Quick Assist, Microsoft Teams, Windows Narrator, etc., fail to start if you are a non-admin user. You might experience this issue on any app that sets UIAccess=true (https://learn.microsoft.com/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) while trying to run the app as a non-admin user. The uiAccess=true attribute in an application's manifest file is used to request that the application be granted higher privileges.

Apps using this attribute launch from a secure path, such as:
- %ProgramFiles% (including subdirectories)
- %ProgramFiles(x86)% (including subdirectories for 64-bit versions of Windows)
- %systemroot%\system32
- %systemroot%\syswow64 (for 64-bit versions of Windows)

If you have the Procmon (https://learn.microsoft.com/sysinternals/downloads/procmon) monitoring tool installed on your device, you will observe that the application runs with the wrong integrity level (https://learn.microsoft.com//windows/win32/secauthz/mandatory-integrity-control), Integrity:Low instead of the expected Integrity:Medium. You are less likely to encounter this issue if you are running the application as an administrator.

Resolution: This issue is mitigated using Known Issue Rollback (KIR) (https://techcommunity.microsoft.com/t5/windows-it-pro-blog/known-issue-rollback-helping-you-keep-windows-devices-protected/ba-p/2176831). Please note that it might take up to 24 hours for the resolution to propagate automatically to consumer devices, non-managed business devices and business devices that are not managed by IT departments. Restarting your Windows device might help the resolution apply to your device faster.

For enterprise-managed devices managed by IT departments that have installed the affected update and encountered this issue, IT administrators can resolve it by installing and configuring the Group Policy listed below. The special Group Policy can be found in Computer Configuration > Administrative Templates > <Group Policy name listed below>.

For information on deploying and configuring this special Group Policy, please see How to use Group Policy to deploy a Known Issue Rollback (https://learn.microsoft.com/troubleshoot/windows-client/group-policy/use-group-policy-to-deploy-known-issue-rollback).

Group Policy downloads with Group Policy name:
- Download for Windows 10, version 22H2 (https://download.microsoft.com/download/50aed8a9-d766-4adc-8324-e1b0b7defe2a/Windows%2010%2020H2,%2021H1,%2021H2%20and%2022H2%20KB5041582%20241027_11353%20Known%20Issue%20Rollback.msi) – Windows 10 20H2, 21H1, 21H2 and 22H2 KB5041582 241027_11353 Known Issue Rollback

Important: You will need to install and configure the Group Policy for your version of Windows to resolve this issue. You will also need to restart your device(s) to apply the group policy setting.

Note: The below steps apply to enterprise devices that are domain joined.
1. Wait for the KIR group policy changes to replicate in Active Directory and the SYSVOL
2. Follow one of the steps below before applying the KIR:
   a. Wait for group policy to refresh in the background (https://learn.microsoft.com/previous-versions/windows/desktop/Policy/background-refresh-of-group-policy) then restart your device (or)
   b. Run 'gpupdate /force' (https://learn.microsoft.com/windows-server/administration/windows-commands/gpupdate) from a command prompt then restart your device

Next Steps: We are working on a resolution and will provide more information when it is available.

Affected platforms:
- Client: Windows 10, version 22H2
- Server: None