I looked into this a few years ago, also with a simple Windows-shipped program.
IIRC Windows 10 just won’t do that. If you get same results, try asking Microsoft.
I forget if it worked any better if I turned off the UAC prompt, but that’s a bad idea.
I do this to a desktop shortcut all the time. It works fine, but needs a manual start:
A manual one-time plan is to install Duplicati as a Windows service as SYSTEM.
If you also want tray icon, use the --no-hosted-server option to use service’s.
This is a common feature request, but has not been prioritized.
I do not think you want the UAC, because it would create a popup each time the backup runs.
Failing to click it would cause the backups to run.
You can run Duplicati as a service. It is not super easy, but there is Duplicati.WindowsService.exe in the install folder, and you can simply run (as Admin):
Duplicati.WindowsService.exe install
Others are using NSSM to run Duplicati.Server.exe.
The problem with both approaches are that you are running an HTTP enabled service with administrative privileges. Any flaws in Duplicati can potentially grant full control of the machine.
A related problem is that the service is not running in the same context as the user, which means that the tray-icon cannot run.
The workaround for this, as @ts678 mentioned, is to run the trayicon as the local user and then having the trayicon (in the user context) connect to the service (running as admin).
Essentially, the problem here is that Windows does not support making VSS snapshots for non-admin users. Most likely because a VSS snapshot can access any file on the system, making it possible to avoid many other security checks.
Longer term, I hope to add a small(-ish) service component that can run as admin and give the user the possibility of backing up with VSS support, such that only a small piece of code has admin privileges and runs out of the users context.
I think this is what OP was trying to make work, and I posted an image of my clunky desktop shortcut setup.
One weirdness is that even though it’s in my system tray, I’m a standard user, so Duplicati switches at UAC time to an administrators group account. Windows initial setup seems to give such an account (maybe they consider it safe enough, given it’s not very special until UAC elevation). Commercial deployments likely vary.
A requester typically needs to run under a user that is a member of either the Administrators group or the Backup Operators group, or run as the Local System account.
I think Backup Operators leads to SeBackupPrivilege which I think enables things the SYSTEM user lacks. Privileges might be possible to enable and disable on the fly, which I’m thinking is not possible with elevation.
Backup software is an awkward position of needing a lot of file access, yet potential for abuse needs limiting.
