Microsoft Windows Updates Trigger Unexpected UAC Prompts and App Install Issues

Key Takeaways:

  • Recent Windows updates are causing unexpected UAC prompts and application installation problems.
  • The issue stems from a security patch for CVE-2025-50173 in the August 2025 updates.
  • Workarounds include running applications as administrator or using Known Issue Rollback (KIR) for managed environments.

Microsoft has acknowledged that recent Windows updates are causing unexpected User Account Control (UAC) prompts and application installation problems for non-administrative users across all supported versions of Windows. The issue stems from security updates released in August 2025.

Root Cause: Security Patch for CVE-2025-50173

The underlying cause is a security patch designed to address the CVE-2025-50173 vulnerability, a Windows Installer privilege escalation flaw. This vulnerability could allow authenticated attackers to gain SYSTEM privileges. The patch introduces stricter UAC prompts to prevent unauthorized privilege escalation.

The security improvement was included in the August 2025 Windows security update (KB5063878) and later updates to enforce the requirement that User Account Control (UAC) prompt for administrator credentials when performing Windows Installer (MSI) repair and related operations.

Impact of the Change

The updated security measures trigger UAC prompts in several scenarios:

  • Running MSI repair commands (e.g., msiexec /fu).
  • Installing applications that configure themselves for individual users.
  • Executing Windows Installer during Active Setup.

This change impacts standard users attempting to deploy packages through Configuration Manager (ConfigMgr) that rely on user-specific “advertising” configurations. It also affects the ability to enable Secure Desktop and can cause issues when launching Autodesk applications, including certain versions of AutoCAD, Civil 3D, and Inventor CAM.

If a standard user runs an app that initiates an MSI repair operation without displaying UI, it will fail with an error message. For example, installing and running Office Professional Plus 2010 as a standard user will fail with Error 1730 during the configuration process.
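One way to check an endpoint for the silent failure described above, as an added example that is not from Microsoft or the original article. It assumes KB5063878 is the relevant update (other Windows versions carry the change under different KB numbers, passed via the hypothetical `-KbIds` parameter), an arbitrary 30-day look-back, and English-language event text containing "Error 1730".

```powershell
# Added example: per-machine triage for the MSI repair / UAC side effect.
# Assumptions: KB5063878 is the only KB the article names; the 30-day window
# is arbitrary; failures are found by matching "Error 1730" in the message
# text of MsiInstaller events (English-language systems).
[CmdletBinding()]
param(
    [string[]]$KbIds = @('KB5063878'),
    [int]$Days = 30
)

# 1. Is one of the listed updates installed on this machine?
$hotfix = @(Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $KbIds -contains $_.HotFixID })

# 2. Windows Installer events in the Application log that mention Error 1730.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    StartTime    = (Get-Date).AddDays(-$Days)
}
# Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
$hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Error 1730\b' })

# 3. One summary object per machine; Events holds the detail rows.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    UpdateInstalled  = ($hotfix.Count -gt 0)
    InstalledKbs     = ($hotfix.HotFixID -join ',')
    Error1730Events  = $hits.Count
    # SIDs of the accounts whose sessions logged the failure.
    AffectedUserSids = (($hits | ForEach-Object { "$($_.UserId)" } |
        Where-Object { $_ } | Sort-Object -Unique) -join ',')
    LastSeen         = ($hits | Sort-Object TimeCreated |
        Select-Object -Last 1).TimeCreated
    Events           = $hits | Select-Object TimeCreated, Id, UserId,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}
```

A machine that reports `UpdateInstalled` as true with a non-zero `Error1730Events` count is a candidate for the workarounds listed later in the article.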

Affected Platforms

The issue affects a wide range of Windows platforms, including both client and server versions:

Client:

  • Windows 11, version 24H2
  • Windows 11, version 23H2
  • Windows 11, version 22H2
  • Windows 10, version 22H2
  • Windows 10, version 21H2
  • Windows 10, version 1809
  • Windows 10 Enterprise LTSC 2019
  • Windows 10 Enterprise LTSC 2016
  • Windows 10, version 1607
  • Windows 10 Enterprise 2015 LTSB

Server:

  • Windows Server 2025
  • Windows Server 2022
  • Windows Server, version 1809
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012

Workarounds

Microsoft is developing a fix to allow IT administrators to authorize specific applications to perform MSI repair operations without triggering UAC prompts. This fix will be included in a future Windows update.

In the interim, Microsoft recommends the following workarounds:

  1. Run Applications as Administrator: Users can right-click the application in the Start menu or search results and select “Run as administrator.” This provides the necessary privileges to bypass the UAC prompt.
  2. Known Issue Rollback (KIR): For managed environments, IT administrators can use Known Issue Rollback (KIR) to revert the problematic changes. This involves installing and configuring a Group Policy. KIR is available for the following Windows versions:
    • Windows 11, versions 22H2, 23H2, 24H2
    • Windows Server 2025
    • Windows Server 2022
    • Windows 10, versions 21H2, 22H2

    Administrators need to reach out to Microsoft’s business support team to enable KIR.

Impact on Cyber Threat Intelligence and Security Operations

This situation underscores the importance of proactive capabilities in a cyber threat intelligence platform. Understanding the potential impact of software updates, including unexpected side effects, is crucial for maintaining a secure environment. Attackers could exploit the UAC prompt issue if users become conditioned to accept prompts blindly, potentially leading to privilege escalation.

Security teams need to closely monitor systems for unexpected behavior following updates. This includes using tools for PurpleOps Solutions and implementing robust PurpleOps Solutions to identify any malicious alterations to the update process. Organizations need to ensure that their incident response plans are up to date to address potential exploitation of this UAC-related issue.

Furthermore, the incident highlights the need for reliable real-time ransomware intelligence. While this particular issue is not directly related to ransomware, unexpected system behavior can create vulnerabilities that ransomware actors can exploit.

Practical Takeaways

For Technical Readers (IT Administrators and Security Engineers):

  • Implement the provided workarounds (Run as Administrator or KIR) based on the environment and user needs.
  • Monitor systems for unusual UAC prompts and application installation failures.
  • Review Group Policy settings to ensure they align with the updated UAC behavior.
  • Stay informed about the release of the official fix from Microsoft and deploy it promptly.
  • Update training for users on identifying legitimate and suspicious UAC prompts.
  • Leverage threat intelligence platforms to understand how threat actors might exploit this vulnerability.

For Non-Technical Readers (Business Leaders and Managers):

  • Understand that recent Windows updates might cause temporary disruptions to application installations.
  • Communicate the issue to end-users and provide clear instructions on the recommended workarounds.
  • Ensure that IT staff are aware of the problem and are taking steps to mitigate the impact.
  • Recognize the importance of proactive cybersecurity measures, including regular software updates and user education.
  • Consider investing in security awareness training to teach employees how to recognize and respond to suspicious activity, including unexpected UAC prompts.

PurpleOps and System Vulnerabilities

PurpleOps provides services that can help organizations to manage risks associated with software vulnerabilities. Our capabilities in PurpleOps Solutions and PurpleOps Solutions can provide early warnings of threat actors discussing exploits related to this UAC issue. This enables organizations to preemptively patch and harden their systems before attacks occur.

Our expertise in PurpleOps Solutions also gives us unique insights into emerging threats and vulnerabilities. We can monitor hacker forums and other underground channels to identify discussions about exploiting the UAC bypass or other related attack vectors.

Our PurpleOps Solutions services can also help you detect unauthorized use of your brand in phishing campaigns that may attempt to trick users into approving malicious UAC prompts. This allows you to take rapid action to protect your users and brand reputation.

We offer a comprehensive suite of services to enhance your organization’s security posture:

  • Cyber Threat Intelligence: Leverage our platform for real-time, actionable intelligence to stay ahead of emerging threats.
  • Dark Web Monitoring: Protect your data and brand by monitoring dark web activity and identifying potential threats.
  • Breach Detection: Implement proactive measures to detect and respond to security breaches before they cause significant damage.
  • Supply Chain Information Security: Assess and mitigate risks associated with your supply chain vendors.
  • PurpleOps Solutions and PurpleOps Solutions: Simulate real-world attacks to identify vulnerabilities and weaknesses in your defenses.

For more information about how PurpleOps can help you protect your organization from cyber threats and vulnerabilities, explore our PurpleOps Solutions or contact us today.

FAQ

Q: What is causing the unexpected UAC prompts after the latest Windows updates?

A: A security patch for CVE-2025-50173, included in the August 2025 updates, introduces stricter UAC prompts to prevent unauthorized privilege escalation during MSI repair operations.

Q: Which Windows versions are affected by this issue?

A: The issue affects a wide range of Windows client and server versions, including Windows 11, Windows 10, Windows Server 2025, Windows Server 2022, and earlier.

Q: What are the recommended workarounds for this issue?

A: The recommended workarounds are to run applications as administrator or use Known Issue Rollback (KIR) for managed environments.

Q: When will a permanent fix be available?

A: Microsoft is developing a fix that will be included in a future Windows update.

Q: How can PurpleOps help with this issue?

A: PurpleOps can provide early warnings of threat actors discussing exploits related to this UAC issue through our dark web and Telegram threat monitoring services. We also offer brand leak alerting to detect phishing campaigns that may attempt to trick users into approving malicious UAC prompts.