remote assistance not allowing UAC prompt interaction with the box checked to allow

Solution 1

You need to turn on a Group Policy setting and/or download a hotfix:

http://blogs.msdn.com/b/asklar/archive/2012/03/14/remote-assistance-and-uac-prompts.aspx

However, in order for this to work properly in scenarios that prompt for elevation (i.e. UAC prompt), you have to enable a certain group policy:

User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop

What this will do is it will enable Remote Assistance to show the UAC prompt on the user’s desktop, as opposed to the secure desktop. If you don’t enable this, the user being helped (call him novice) will get the prompt on his local machine – so the expert cannot interact with it since RA will only remote out the user’s desktop. At that point, the novice may not know what to do with it, and/or he may not have the administrator password. So it is important that you enable this group policy in order to have the UAC prompt show up in the user’s desktop and have RA remote out this dialog to the expert’s machine.

Solution 2

I recently created this PowerShell solution which can be used when you need to open a Remote Assistance session and type in the elevated UAC credential that cannot be shared with the end-user being assisted.

Technically you can run just the Invoke-Command and point it to the remote computer, and then ensure the Set-ItemProperty has the appropriate 1 or 0 value for "PromptOnSecureDesktop" to enable or disable.

I wanted to ensure that when I need to run msra in an elevated session, I can just execute the script and be assured the UAC secure desktop security is re-enabled automatically after the msra session has ended.

Essentially this will...

  • prompt you for the computer name

  • disable the "UAC secure desktop" via the remote registry change and commands

  • start an msra session that works the same way it always works from here

  • enable the "UAC secure desktop" via the remote registry change and commands once the correlated msra instance ends

To use you only need to...

  1. Save the PowerShell script as a text document with a .ps1 file name extension
  2. Open a PowerShell command prompt and type (or paste) in the full script path and filename, and press Enter
  3. Enter in the computer name of the computer you are connecting to with remote assistance and press Enter.
  4. When done with the remote assistance session, close the msra process if it's still running

Tip: Use the non-elevated "other/standard" method of msra most of the time, and only use this as-needed.

PowerShell Script

$pc = Read-Host "Enter the remote computer name to disable secure desktop";

# Disable the UAC secure desktop on the remote computer (0 = prompt on the user's desktop)
Invoke-Command -ComputerName $pc -Scriptblock {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 0 -Force;
    };

try {
    # Offer Remote Assistance and block until the msra process exits
    $remoteAssist = "$Env:windir\system32\msra.exe";
    Start-Process $remoteAssist "/offerra" -Wait;
    Write-Host "Your Remote assist session has ended" -ForegroundColor Red;
}
finally {
    # Re-enable the UAC secure desktop (1), even if msra failed to start or the script was interrupted
    Invoke-Command -ComputerName $pc -Scriptblock {
        Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop"  -Value 1 -Force;
        };
}

Execute Example

Note: Just paste in the full path script name and press enter.

PS C:\Users\User> \\myserver.domain.com\sharename\folder\script\Elevate-RemoteAssist.ps1

Supporting Resources

  • User Account Control: Switch to the secure desktop when prompting for elevation

    The secure desktop presents the logon UI and restricts functionality and access to the system until the logon requirements are satisfied.

    The secure desktop’s primary difference from the user desktop is that only trusted processes running as SYSTEM are allowed to run here (that is, nothing is running at the user’s privilege level). The path to get to the secure desktop from the user desktop must also be trusted through the entire chain.

    Possible values

    • Enabled

      • All elevation requests by default go to the secure desktop.
    • Disabled

      • All elevation requests go to the interactive user desktop.

    source

  • Invoke-Command

  • Set-ItemProperty
  • Start-Process
     -Wait
       Wait for the specified process to complete before accepting more input.
       This parameter suppresses the command  prompt or retains the window
       until the process completes
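
An added audit check, not part of the original answers: it flags machines where either setting discussed above leaves elevation prompts on the user desktop, for instance because a toggle was never reverted. `EnableUIADesktopToggle` is the registry value behind the Solution 1 policy; the function names, host names and sample states are constructed for illustration.

```powershell
# Added example: audit the two UAC values this page discusses.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacDesktopState {
    # Reads the values locally, or on remote machines via PowerShell remoting.
    param([string[]]$ComputerName)
    $read = {
        param($key)
        $p = Get-ItemProperty -Path $key -ErrorAction Stop
        [pscustomobject]@{
            Computer               = $env:COMPUTERNAME
            PromptOnSecureDesktop  = $p.PromptOnSecureDesktop
            EnableUIADesktopToggle = $p.EnableUIADesktopToggle
        }
    }
    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $read -ArgumentList $UacKey
    } else {
        & $read $UacKey
    }
}

function Test-UacDesktopState {
    # Flags a machine whose elevation prompts can appear on the interactive user desktop.
    param([Parameter(ValueFromPipeline)]$State)
    process {
        $findings = @()
        # Only an explicit 0 is flagged; a missing value is not treated as a finding here.
        if ($State.PromptOnSecureDesktop -eq 0) { $findings += 'secure desktop disabled for all elevation prompts' }
        if ($State.EnableUIADesktopToggle -eq 1) { $findings += 'UIAccess applications may prompt without the secure desktop' }
        [pscustomobject]@{
            Computer = $State.Computer
            Weakened = ($findings.Count -gt 0)
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample states (hypothetical host names) so the check can be run offline.
$sample = @(
    [pscustomobject]@{ Computer = 'PC-A'; PromptOnSecureDesktop = 1; EnableUIADesktopToggle = 0 }
    [pscustomobject]@{ Computer = 'PC-B'; PromptOnSecureDesktop = 0; EnableUIADesktopToggle = 0 }
    [pscustomobject]@{ Computer = 'PC-C'; PromptOnSecureDesktop = 1; EnableUIADesktopToggle = 1 }
)
$sample | Test-UacDesktopState | Format-Table -AutoSize

# Live use (hosts.txt is a hypothetical list of computer names):
# Get-UacDesktopState -ComputerName (Get-Content .\hosts.txt) | Test-UacDesktopState
```

With the sample data, PC-B and PC-C are reported as weakened and PC-A is not.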
    
Author by

rerat

Updated on September 18, 2022

Comments

  • rerat
    rerat almost 2 years

    I need to be able to connect up to customers' computers and would like to use Remote Assistance, but I am unable to click on any UAC prompts, even though the user puts a check mark to allow me to click on the UAC prompts.

    Here are the details:

    • They send me an invite file.
    • I start the session and they accept.
    • I can see their desktop.
    • I request control and they get a prompt to share control.
    • They put a check in "Allow xxxxx to respond to User Account Control Prompts" and click Yes.
    • Everything is fine until I get a UAC prompt.

    I am unable to click on anything until the user clicks "yes". Isn't the point of that last box to prevent this? Does anyone know what I might be doing wrong or is this a bug?

  • Vomit IT - Chunky Mess Style
    Vomit IT - Chunky Mess Style over 4 years
    @rerat - With this answer, you have control when to turn the feature off or on. With the GPO way, it's one or the other whereas with this solution I provided, you allow as-needed only and disallow when done per each allowed session or instance of RA. Don't need to elevate, then use the other/standard where no elevation if needed in the remote support session.
  • Graham Perrin
    Graham Perrin about 3 years
    stackoverflow.com/q/66920815/38108 I'm struggling (PowerShell is quite new to me) …