remote assistance not allowing UAC prompt interaction with the box checked to allow
Solution 1
You need to turn on a Group Policy setting and/or download a hotfix:
http://blogs.msdn.com/b/asklar/archive/2012/03/14/remote-assistance-and-uac-prompts.aspx
However, in order for this to work properly in scenarios that prompt for elevation (i.e. UAC prompt), you have to enable a certain group policy:
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
What this will do is it will enable Remote Assistance to show the UAC prompt on the user’s desktop, as opposed to the secure desktop. If you don’t enable this, the user being helped (call him novice) will get the prompt on his local machine – so the expert cannot interact with it since RA will only remote out the user’s desktop. At that point, the novice may not know what to do with it, and/or he may not have the administrator password. So it is important that you enable this group policy in order to have the UAC prompt show up in the user’s desktop and have RA remote out this dialog to the expert’s machine.
Solution 2
I recently created this PowerShell solution which can be used when you need to open a Remote Assistance session and type in the elevated UAC credential that cannot be shared with the end-user being assisted.
Technically you can run just the Invoke-Command and point it to the remote computer, and then ensure the Set-ItemProperty has the appropriate 1 or 0 value for "PromptOnSecureDesktop" to enable or disable.
I wanted to ensure that when I need to run msra in an elevated session, I can just execute the script and be assured the UAC secure desktop security is re-enabled automatically after the msra session has ended.
Essentially this will...
- prompt you for the computer name
- disable the "UAC secure desktop" via the remote registry change and commands
- start an msra session that works the same way it always works from here
- enable the "UAC secure desktop" via the remote registry change and commands once the correlated msra instance ends
To use you only need to...
- Save the PowerShell script as a text document with a .ps1 file name extension
- Open a PowerShell command prompt and type (or paste) in the full script path and filename, and press Enter
- Enter in the computer name of the computer you are connecting to with remote assistance and press Enter.
- When done with the remote assistance session, close the msra process if it's still running
Tip: Use the non-elevated "other/standard" method of msra most of the time, and only use this as-needed.
PowerShell Script
$pc = Read-Host "Enter the remote computer name to disable secure desktop";
# Show UAC prompts on the interactive desktop so Remote Assistance can relay them
Invoke-Command -ComputerName $pc -Scriptblock {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 0 -Force;
};
try {
    # -Wait blocks here until the msra window is closed
    $remoteAssist = "$Env:windir\system32\msra.exe";
    Start-Process $remoteAssist "/offerra" -Wait;
    Write-Host "Your Remote assist session has ended" -ForegroundColor Red;
}
finally {
    # Re-enable the secure desktop even if msra fails to start or the script is interrupted
    Invoke-Command -ComputerName $pc -Scriptblock {
        Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 1 -Force;
    };
}
Execute Example
Note: Just paste in the full path script name and press enter.
PS C:\Users\User> \\myserver.domain.com\sharename\folder\script\Elevate-RemoteAssist.ps1
Supporting Resources
User Account Control: Switch to the secure desktop when prompting for elevation
The secure desktop presents the logon UI and restricts functionality and access to the system until the logon requirements are satisfied.
The secure desktop’s primary difference from the user desktop is that only trusted processes running as SYSTEM are allowed to run here (that is, nothing is running at the user’s privilege level). The path to get to the secure desktop from the user desktop must also be trusted through the entire chain.
Possible values
- Enabled - All elevation requests by default go to the secure desktop.
- Disabled - All elevation requests go to the interactive user desktop.
- Set-ItemProperty
- Start-Process
-Wait: Wait for the specified process to complete before accepting more input. This parameter suppresses the command prompt or retains the window until the process completes
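An added example, not part of either answer or of the quoted Microsoft text: a read-only audit that reports whether the secure desktop was left disabled (Solution 2's PromptOnSecureDesktop) or bypassed for UIAccess applications (EnableUIADesktopToggle, the registry value behind the Solution 1 policy). The function names and PC01 are hypothetical, and the remote check assumes PowerShell remoting is enabled, as the script above also requires.

```powershell
# Added example (not from the answers). Function names are hypothetical.
function Get-UacPromptFinding {
    # Classify the two registry values; $null means the value is absent from the key.
    param($PromptOnSecureDesktop, $EnableUIADesktopToggle)
    if ($PromptOnSecureDesktop -eq 0)  { return 'SecureDesktopDisabled' }   # Solution 2 state left at 0
    if ($EnableUIADesktopToggle -eq 1) { return 'UIAccessBypassEnabled' }   # Solution 1 policy is on
    if ($null -eq $PromptOnSecureDesktop) { return 'NotSet' }
    return 'SecureDesktopEnforced'
}

function Get-UacSecureDesktopState {
    # Read both values over PowerShell remoting and attach a finding per computer.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($c in $ComputerName) {
        try {
            $v = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
                $p = Get-ItemProperty -Path $using:key
                [pscustomobject]@{
                    Secure = $p.PromptOnSecureDesktop
                    Toggle = $p.EnableUIADesktopToggle
                }
            }
            $finding = Get-UacPromptFinding $v.Secure $v.Toggle
        }
        catch {
            $v = $null
            $finding = "Unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            ComputerName           = $c
            PromptOnSecureDesktop  = $v.Secure
            EnableUIADesktopToggle = $v.Toggle
            Finding                = $finding
        }
    }
}

# Constructed sample values (not from a real host) so the classifier runs offline.
$samples = @(
    @{ Name = 'default';       Secure = 1; Toggle = 0 },
    @{ Name = 'left-disabled'; Secure = 0; Toggle = 0 },
    @{ Name = 'gpo-enabled';   Secure = 1; Toggle = 1 }
)
foreach ($s in $samples) {
    '{0,-14} {1}' -f $s.Name, (Get-UacPromptFinding $s.Secure $s.Toggle)
}
# Against real machines (PC01 is a placeholder name):
# Get-UacSecureDesktopState -ComputerName PC01 | Where-Object Finding -ne 'SecureDesktopEnforced'
```

Running the remote check after support sessions shows any machine where the re-enable step never ran.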
rerat
Updated on September 18, 2022
Comments
-
rerat almost 2 years
I need to be able to connect up to customers' computers and would like to use Remote Assistance, but I am unable to click on any UAC prompts, even though the user puts a check mark to allow me to click on the UAC prompts.
Here are the details:
- They send me an invite file.
- I start the session and they accept.
- I can see their desktop.
- I request control and they get a prompt to share control.
- They put a check in "Allow xxxxx to respond to User Account Control Prompts" and click Yes.
- Everything is fine until I get a UAC prompt.
I am unable to click on anything until the user clicks "yes". Isn't the point of that last box to prevent this? Does anyone know what I might be doing wrong or is this a bug?
-
Vomit IT - Chunky Mess Style over 4 years
@rerat - With this answer, you have control when to turn the feature off or on. With the GPO way, it's one or the other whereas with this solution I provided, you allow as-needed only and disallow when done per each allowed session or instance of RA. Don't need to elevate, then use the other/standard where no elevation if needed in the remote support session.
-
Graham Perrin about 3 years
stackoverflow.com/q/66920815/38108 I'm struggling (PowerShell is quite new to me) …