1. Origin of the bypass
As often with UAC, the flaw comes from an auto-elevated process. These processes have the particularity to run with high integrity level without prompting the local admin with the usual UAC window. If the user running with medium privileges can make these process load a dll or execute a command, UAC bypass is performed.
In our case, the executable is sdclt.exe. Sdclt is used in the context of Windows backup and restore mechanisms. You can check it auto-elevates using Sysinternals Sigcheck: