Recently I ran into a problem helping a client with their Office 365 Hybrid Configuration. We couldn’t get the Office 365 Hybrid Configuration Wizard (HCW) to launch. We tried running it in Internet Explorer and Google Chrome without success.
It seems the Office 365 team changed the HCW from a standalone Windows executable to a Click-To-Run (C2R) executable. The biggest benefit of using C2R is that whenever it is clicked, the latest version of the program is downloaded and launched.
The problem was that something broke the Default Programs association for “.application” extensions. If you open the Default Programs control panel and look at the “.application” filetype, this is what you’ll see:
Change the “.application” file type to be opened with Internet Explorer. Go back to the HCW link and click it.
I was reviewing a client’s Microsoft Windows Server 2016 after a security auditing tool discovered it was listening on some suspicious TCP ports, when I opened Settings -> Update & Security and selected Windows Defender.
When I did, I was concerned when I saw this:
C:\Program Files\Windows Defender\msascui.exe Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access them.
My first reaction was complete panic! Many times after a server or workstation becomes infected with nasty malware or a virus, any anti-virus software installed is either disabled or crippled to the point where it won’t function.
I immediately fired up a fresh install of Windows Server 2016 in my lab, disconnected from the Internet, joined our test lab’s domain and recreated the error!
“What the heck!”, I thought. How can a brand-new Windows Server 2016 machine be doing this? I did some brief research with Google, finding post after post screaming about infected servers and corrupted NTFS permissions, which I could confidently rule out.
So I started doing some testing and eliminating causes by trial and error. Once I had confirmed it wasn’t a file permission issue it occurred to me – User Account Control (UAC)!
I modified the Local Security Policy to enable the following setting and rebooted my test server:
User Account Control: Admin Approval Mode for the Built-in Administrator account
Lo and behold, I could now open Windows Defender!
I’m not sure why it still takes me so long to investigate UAC. I’ve run into enough issues with it in the past I should know better. I hope this article helps anyone who is struggling with this issue.
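As an added example (not part of the original post): the policy named above is stored as the FilterAdministratorToken registry value under the UAC policy key, so its state can be checked from PowerShell before suspecting malware or NTFS permissions. The script is read-only. The post does not say which account was logged on, so the script reports whether the current account has RID 500 (the built-in Administrator) and treats that as an assumption about the scenario.

```powershell
# Added example: report the UAC settings relevant to the msascui.exe error.
# Read-only; run on the affected server in the session that shows the error.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue {
    param([string]$Name)
    # Returns $null when the value is absent (policy not configured).
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# EnableLUA = 1 means UAC is on.
# FilterAdministratorToken = 1 means "Admin Approval Mode for the
# Built-in Administrator account" is enabled.
$enableLua   = Get-UacValue 'EnableLUA'
$filterToken = Get-UacValue 'FilterAdministratorToken'

# Identify the logged-on account; RID 500 marks the built-in Administrator.
$identity       = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isBuiltinAdmin = $identity.User.Value -match '-500$'
$principal      = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isElevated     = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

$report = [pscustomobject]@{
    Account                  = $identity.Name
    IsBuiltinAdministrator   = $isBuiltinAdmin
    TokenElevated            = $isElevated
    EnableLUA                = $enableLua
    FilterAdministratorToken = $filterToken
}
$report | Format-List

if ($isBuiltinAdmin -and $filterToken -ne 1) {
    'Admin Approval Mode is off for the built-in Administrator.'
    'This is the state the post corrected by enabling the policy and rebooting.'
} else {
    'Admin Approval Mode state does not match the case described; check other causes.'
}
```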