Non-admin users are still getting a UAC prompt for updates despite Maintenance Service being installed
Running 60.6.1esr (64-bit) on Windows Server 2012 R2, non-admin users are unable to install updates and are getting blocked by the UAC prompt. The Mozilla Maintenance Service is installed and is supposed to handle these updates (app.update.service.enabled=true).
From what I can tell, the update (and logs) are supposed to be in C:\ProgramData\Mozilla (which I can see on my personal non-ESR install), but that folder is not getting created on the problem machine, and the update is downloading to the local user's profile in AppData.
Are there any other options I can look for that would affect the functionality of the Maintenance Service?
Chosen solution
One last follow-up for internet posterity. I discovered that the updater was able to successfully use the Maintenance Service on some accounts, but not the original account I was testing on. I believe that my predecessors had done some strange modifications of the ACLs for all services and the SCM in regards to the problem account, which I assume is what is throwing off the updater. Since the user accounts that will actually be running the updater in the wild aren't affected and work as expected, I'm going to count this as good enough for me.
EDIT: Further update in case it helps anyone later... The Mozilla Maintenance Service is getting created with a non-default ACL. Deleting the registry key with this ACL (HKLM\SYSTEM\CurrentControlSet\Services\MozillaMaintenance\Security) and rebooting will reset it back to the default, which allowed my problem users to update without getting the UAC prompt.
Read this answer in context 👍 0All Replies (4)
Did you try to reinstall the Mozilla Maintenance Service as a normal user?
- maintenanceservice_installer.exe
Also check the update settings in Options/Preferences.
I'm not sure what you mean. Normal users can't install software because they don't have admin privileges.
I have app.update.service.enabled=true in about:config, and "Use a background service to install updates" is checked in about:preferences.
For completeness, I am seeing the same result on both 60.6.1esr and 66.0.3 (.exe and .msi).
I also tried running ProcMon when starting Firefox to see exactly what calls are being made, and at no point is maintenanceservice.exe ever read or executed before the UAC prompt is shown, so it's obvious that Firefox isn't even trying to use it.
Chosen Solution
One last follow-up for internet posterity. I discovered that the updater was able to successfully use the Maintenance Service on some accounts, but not the original account I was testing on. I believe that my predecessors had done some strange modifications of the ACLs for all services and the SCM in regards to the problem account, which I assume is what is throwing off the updater. Since the user accounts that will actually be running the updater in the wild aren't affected and work as expected, I'm going to count this as good enough for me.
EDIT: Further update in case it helps anyone later... The Mozilla Maintenance Service is getting created with a non-default ACL. Deleting the registry key with this ACL (HKLM\SYSTEM\CurrentControlSet\Services\MozillaMaintenance\Security) and rebooting will reset it back to the default, which allowed my problem users to update without getting the UAC prompt.
Modified