Why is a random msi running for standard users the first time they open AutoCAD?

Why is a random msi running for standard users the first time they open AutoCAD?

thielen.adam
Enthusiast Enthusiast
10,805 Views
38 Replies
Message 1 of 39

Why is a random msi running for standard users the first time they open AutoCAD?

thielen.adam
Enthusiast
Enthusiast

AutoCAD 23 and 25. Just running setup as admin through SCCM deployment. Nothing fancy. Serial key licensing.

 

UAC prompts for admin credentials, but if UAC is disabled, which it can't be any longer, it works fine.

 

Can't run this as any other user or it just doesn't work, and just tries to run it again with the standard user. 

 

How do I stop this behavior?

Accepted solutions (2)
10,806 Views
38 Replies
Replies (38)
Message 21 of 39

oaktonsoftreg
Explorer
Explorer

 

Got this from Autodesk Education Support.  This is working for us on 24H2 (26100.4946), only tested on a couple workstations not planning on disabling UAC on our systems.

 

The permanent solution for the AutoCAD Admin credentials issue is to use GPO or ConfigManager or batch/script to set the registry as

 

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer

DisableLUAInRepair to dword:00000001

Best,
Autodesk Education Support

 

 

Message 22 of 39

gmthorn
Community Visitor
Community Visitor

What are we supposed to do if we can't roll back the update?

0 Likes
Message 23 of 39

justin_venard
Community Visitor
Community Visitor

Disabling security controls is not a fix...Autodesk needs to actually provide a solution to this issue.

Message 24 of 39

awmolloy
Participant
Participant

That fix worked for me too. But disabling it sounds like a risk. I hope a different solution is coming.

From Copilot:

The DisableLUAInRepair registry setting is a Windows policy that controls whether User Account Control (UAC) prompts appear when using the Repair option for installed programs. Here's a breakdown of what it does and the associated risks:


🔧What DisableLUAInRepair Does

  • Registry Path:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer

  • Value:
    DisableLUAInRepair set to 1 disables UAC prompts during MSI-based repair operations.

  • Effect:
    When set, users can initiate repair operations without being prompted for admin credentials—even if the repair modifies system-level files or settings. This is particularly useful in environments where users are not admins but need to repair applications without IT intervention.


⚠️Security Risks of Disabling It

Disabling UAC during repair operations can introduce security vulnerabilities, especially in multi-user or enterprise environments:

  • Privilege Escalation Risk:
    MSI repair operations can run under SYSTEM privileges. If a low-privileged user initiates a repair and the installer is insecurely designed, it may be exploited to gain elevated access. This has been demonstrated in vulnerabilities like CVE-2024-38014, where attackers could hijack the repair process to execute commands as SYSTEM.

     

  • Microsoft’s Response:
    In response to CVE-2024-38014, Microsoft changed the default behavior in updates like KB5043055, requiring elevation for all repair operations. This was done to mitigate the risk of unauthorized privilege escalation.

     

  • Reverting the Change:
    Setting DisableLUAInRepair to 1 reverts this security fix, allowing repairs without elevation. While this may restore convenience, it reopens the attack vector that Microsoft aimed to close.


When It's Safe to Use

  • Low-risk environments:
    If you're in a controlled, single-user environment (e.g., personal PC or tightly managed kiosk), and you trust all installed software, the risk is minimal.

  • High-risk environments:
    In enterprise or shared systems, especially where users lack admin rights, it's not recommended to disable UAC for repairs.

Message 25 of 39

thielen.adam
Enthusiast
Enthusiast

As much as I'd like to put this on AutoDesk, this fix should be fine because that's how windows was operating before the update.

Message 26 of 39

deepti_bhardwaj
Autodesk
Autodesk
Accepted solution

Hello @thielen.adam 

 

Thank you for bringing this issue to our attention. We are aware of an issue affecting AutoCAD 2022–2026 products after the recent Windows 11 August 2025 update (KB5063878 / OS Build 26100.4946).

When attempting to launch, repair, or uninstall AutoCAD, you may see the following message:

Error 1730: You must be an Administrator to remove this application or AutoCAD products (AutoCAD, verticals, and LT on versions 2022 to 2026) request admin credentials and won't open.


Why this happens

This error is caused by a change introduced in the Windows update that incorrectly forces AutoCAD to request elevated administrator permissions. Autodesk is working to release a permanent fix.


Workarounds

Until a patch is available, please use one of the following options:

  1. Run as Administrator

    • Right-click the AutoCAD shortcut (or installer/uninstaller) and select “Run as administrator.”

  2. Uninstall Windows Update KB5063878

    • Go to Settings > Windows Update > Update history > Uninstall updates.

    • Select KB5063878 and uninstall it.

    • Restart your computer.

    • You may also pause updates temporarily to prevent reinstallation.


Next Steps

  • Autodesk is monitoring this issue closely with Microsoft.

  • Once a permanent resolution is available, we will notify you.

For reference: After installation of Security Update for Microsoft Windows AutoCAD products request admin credentia...

We sincerely apologize for any inconvenience this may have caused and greatly appreciate your patience. If the information provided resolves your query, please click “Accept Solution.”

Message 27 of 39

emmonsk
Explorer
Explorer

Is there any update to this. We start classes at our University on Tuesday, and this will greatly impact classes on the first day. Thank you for any additional information you might have.

0 Likes
Message 28 of 39

npruess
Participant
Participant

We implemented the registry change as a temporary fix. Also had to uninstall/reinstall AutoCAD (and verticals) as it seemed the installation was hosed if the user had launched the programs and failed to run through the install window prior to the fix being implemented. 

0 Likes
Message 29 of 39

matt_anderson9B9SJ
Explorer
Explorer

That's a workaround.  We need a fix.

0 Likes
Message 30 of 39

dbellFE72J
Explorer
Explorer

FYI if you run into users that have closed the UAC prompts (like Npruess did), you can reset Autocad (or various Autocad derivatives) by clicking on "Reset Settings to Default" in the Programs list.
We had to make use of this when we did our testing otherwise, we would have had to delete user profiles.

0 Likes
Message 31 of 39

deepti_bhardwaj
Autodesk
Autodesk
Accepted solution

 

I’d like to share the latest update from Microsoft regarding the installation and repair issue:

Background on the Issue
The issue originates from changes introduced by Microsoft’s September 2024 Security Updates (KB5042880 and KB5043055). These updates modified how Windows Installer handles application repairs, now requiring elevation via UAC prompts even for per-user MSI repairs.

To restore previous behavior, Microsoft recommends setting the following registry key:

 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableLUAInRepair = 1


This workaround disables the new UAC enforcement during repair operations, allowing impacted machines to function as expected.

Background & Next Steps
Microsoft’s R&D team is actively investigating the root cause and working on a permanent fix. Here’s what you can expect:

  • Patch Release: A permanent fix will be published through Microsoft’s official update channels.

  • Customer Notification: All licensed users will receive an email notification detailing the resolution and deployment instructions.

  • Public Documentation: Microsoft will publish full details on its support and community platforms.

  • Preventive Guidance: Recommendations will be shared to help avoid similar issues in future releases.

Current Workarounds
While Microsoft finalizes the fix, there are three available workarounds:

  1. Disable UAC for MSI repair operations – by setting the registry key above. This only impacts the MSI repair process and does not reduce the overall Windows system security level.

  2. Uninstall the September security updates – although please note that automatic updates may reinstall them.

  3. Grant administrator credentials when prompted – some users have confirmed that once credentials are entered, the issue does not reoccur.

We will continue to monitor Microsoft’s progress and keep you updated as soon as the permanent fix is released.

Message 32 of 39

caenarena1
Observer
Observer

Alternative Workaround (No UAC Downgrade Required)

A more structured workaround involves manually preparing the user profile in advance, using an admin account on a reference machine. Here's how:

Step-by-Step Process

  1. Log in with an admin account on a reference PC Launch AutoCAD once to allow full profile initialization.

  2. Save the following folders to a network location:

    • %appdata%\Autodesk\AutoCAD 20xx

    • %localappdata%\Autodesk\AutoCAD 20xx (replace xx with installed version)

  3. Export the registry key:

    Code (replace x with installed version: Autocad 2025 => R25.0)
    Computer\HKEY_CURRENT_USER\Software\Autodesk\AutoCAD\R2x.0
  4. On the target PC (new user profile):

    • Copy the two folders into the corresponding paths for the new user.

    • Edit the .reg file: Replace all instances of C:\Users\{USERNAME} with the actual destination username using Find & Replace.

    • Run the .reg file to import the registry settings.

With these three resources (AppData folders + registry key), AutoCAD will launch without triggering MSI repair or requesting admin rights. This avoids compromising UAC settings or uninstalling critical Windows updates.

Optional Automation You can create a PowerShell or BAT script to automate:

  • Folder copy operations

  • Registry import (after dynamic username substitution)

This makes it easier for IT staff or end users to apply the fix with minimal effort.

Important Note: This is a temporary workaround until Autodesk and Microsoft release an official fix. Always test thoroughly before deploying in production environments.

Message 33 of 39

emmonsk
Explorer
Explorer

I did hear back on my support ticket with Microsoft. Here is the response I got from them.

I want to let you know that we have an action plan in place, and you will need to roll back due to the known issue with the UAC prompt until further notice. as per your windows version Windows 11 22H2. 

Let me know if you have any questions or concerns

Message 34 of 39

singh_h
Observer
Observer

Can you please share script/batch file you have made?

0 Likes
Message 35 of 39

thielen.adam
Enthusiast
Enthusiast

Guys, it seems a lot easier to just add the reg key that lets it work like it does before the update. Create a reg file and put the following:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"DisableLUAInRepair"=dword:00000001

Then save that as a .reg, and use something like the following command or batch, through sccm, group policy, etc:

cmd /c reg.exe import disableLUArepair.reg /reg:64

 

cmd /c and /reg:64 are additions that SCCM plays nicer with when deploying from a package.

Message 36 of 39

ej25wrx
Observer
Observer

I think this approach makes sysadmins uncomfortable since this can potentially expose machines to CVE-2024-38014.

0 Likes
Message 37 of 39

thielen.adam
Enthusiast
Enthusiast

As far as I can tell, you would be just as exposed with the prompt, assuming you provide credentials to get the install finished.  This is based on a quick reading of the CVE.  It doesn't matter how it executed, the attack comes from another malware, I assume just waiting for a repair operation to occur. The more extensive method of pre-adding folders, and files, and user-specific regkeys, if that works and you are a wiz with that, then it is probably the better way to go. But I imagine a lot of environments will struggle there, especially in labs where students frequently move to different computers, but their computer account already exists.

 

There's always ways to make it work, but the vulnerability seems really really unlikely to work (there is a tool that Autodesk can use to make sure their installers aren't susceptible) in any environment with moderate controls and malware detections. System admins should go with whatever doesn't keep them awake at night. In a normal classroom lab environment with somewhat inconsequential windows boxes with limited access to any other sensitive resources, it's not particularly troubling. 

0 Likes
Message 38 of 39

lhall5YJRE
Explorer
Explorer

Why is Autodesk running a repair every time a user opens up autoCAD/Arch? This behavior makes no sense.

 

While we wait for Autodesk to get their stuff together, doing this workaround is probably the best bet so you don't have to revert the cumulative update. Here is what I added into Intune Detection/Remediation in case anyone needs to just copy and paste to get it working again. Make sure to test it out before running in production.

 

Detection Script:

$Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer"
$Name = "DisableLUAInRepair"
$Type = "DWORD"
$Value = "1"

Try {
    $Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop | Select-Object -ExpandProperty $Name
    If ($Registry -eq $Value){
        Write-Output "Compliant"
       	exit 0
    }
     
    else {
    Write-Warning "Not Compliant"
    exit 1
   }
} 
Catch {
    Write-Warning "Not Compliant"
    exit 1
}

 

Remediation Script:

# Remediation Script to Set DisableLUAInRepair = 1
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer"
$dwordName = "DisableLUAInRepair"
$dwordValue = 1

# Create the registry key if it doesn't exist
if (-not (Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
}

# Set the DWORD value
New-ItemProperty -Path $registryPath -Name $dwordName -Value $dwordValue -PropertyType DWord -Force | Out-Null

 

Message 39 of 39

bwilkerson
Observer
Observer

Thank you for that remediation script.   Disabling any part of UAC is not something I want to do but my environment is not set to easily remove Microsoft Updates as they will just get reinstalled.  At least with this I can limit the script to the lab that needs this to work.   

0 Likes