Share via

UAC prompt is blocked when I use Quick Assist

Federico Coppola 1,181 Reputation points
2021-01-20T16:34:21.88+00:00

Hi all,
I have the following trouble when I use Quick Assist tool of Windows 10:
all users inside company are "Standard User" and they can not run any software as Administrator.

Sometimes these users ask me remote support, so we use Quick Assist App.

My issue is that very often I need to insert Administrator account to execute operation,
but I can not see screen that permit me to type administrator account and password.

How can I solve it?
I must avoid this problem otherwhise I can not support users remotelly!

It is fine for me that I can see UAC prompt and I can type admin user and password to assist employees.

All PC has got Windows 10 2004 or Windows 10 20H2 inside company.

Thanks so much
Federico

Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
Windows for business | Windows Client for IT Pros | User experience | Other
Accepted answer
  1. Carl Fan 6,881 Reputation points
    2021-01-21T07:24:54.663+00:00

    Hi Federico,
    As far as I understand it, at the moment if you use Quick Assist , when you connect to a remote users laptop/PC and try to do anything that requires an administrator elevation, the screen is just blanked out.
    In the GPO editor, go to Security Settings > Local Policies > Security Options > User Account Control: Switch to the secure desktop when prompting for elevation to Disabled
    Hope this helps and please help to accept as Answer if the response is useful.
    Best Regards,
    Carl

    2 people found this answer helpful.

4 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Peter Dornauer 40 Reputation points
    2024-05-21T11:33:06.3566667+00:00

    As there are several answers, but none is in my case fully functional -> I write now my procedure:

    1.) Connect via QuickAssist as usual.
    2.1)"GroupPolicy Answer" will work, but I don't like the idea to disable that security feature totally.
    2.2)"runas Administrator"-Answer will work, but only if Administrator user isn't disabled. With any other user from Admin group, you will not get an elevated cmd window and therefore continue with 3
    3.) open Task Manager on the Target as an admin -> search the "Taskmgr.exe" in System32 and open with "Run as different user" and start with any user in Admin Group other than "Administrator". For Administrator u use Answer 2.2.
    4.) In Processes Window, click on "Run new Task" and enter "cmd" in the new window
    4.1) tick "Create this task with administrative privileges" and press OK
    5.) In the new opened CMD-Window you can then enter the Registry Commands to disable and enable the "Prompt on SecureDesktop" feature:

    to install apps -> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 0x0 /f

    reenable security -> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 0x1 /f

    5.1) So, enter the first command and you can instantly install SW without Black Screen Out
    When you are ready, I suggest to re-enable the setting with the second command

    I hope this helps all out, which als had Administrator disabled and another admin user ;-)

    Peter

    1 person found this answer helpful.
  2. Anonymous
    2022-04-30T05:31:42.303+00:00

    Dear all,

    1) Has anyone any security concerns re long term disabling of the UAC setting mentioned above?
    2) My manager has found this:

    https://superuser.com/questions/227860/how-to-toggling-uac-on-off-quickly-eg-using-command-line-in-windows-7

    • We are on Windows 10 so will give it a try to see if that Windows 7 solution works on Windows 10
    • I am interested to know how anyone else gets on trying that

    Regards,
    Steve

  3. Brandon 0 Reputation points
    2023-02-14T17:10:54.52+00:00

    Hello All,

    Here are the answers if anyone has security questions regarding disable and enable of "User Account Control: Switch to the secure desktop when prompting for elevation":

    Security considerations

    This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

    Vulnerability

    Elevation prompt dialog boxes can be spoofed, causing users to disclose their passwords to malicious software. Mouse cursors can be spoofed by hiding the real cursor and replacing it with an offset so the cursor is actually pointing to the Allow button.

    Countermeasure

    Enable the User Account Control: Switch to the secure desktop when prompting for elevation setting. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system processes.

    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation

    Hope this helps.

    Brandon

    0 comments
  4. Lindauer, Greg 0 Reputation points
    2023-11-30T13:31:22.8466667+00:00

    The quick explanation of how to "unblock" UAC prompts on the remote, from the assisting PC, is, from the assisting PC:

    1)      Open cmd.exe (non-elevated) on the remote computer.

    2)      Execute   runas /user:Administrator cmd

    3)      In the resulting elevated prompt, execute (all one line)

    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 0x0 /f

     

    You can copy these commands to the remote using quick-assist's built-in chat, or an online chat like https://other-chat.com, email, etc.

    If you don't have an enabled Administrator account on the remote, you can runas /user:accountInAdminGroup cmd, where the user is any account in the admin group-- but unlike running as an administrator, the resulting cmd window WILL NOT BE ELEVATED even though it has admin privileges. To elevate, run something like powershell -Command "Start-Process cmd -Verb RunAs". However, unlike signing directly in as Administrator, this method requires the remote user to click "Yes" on their side, to OK this elevation. (runas /user:__adminUser "powershell "start cmd -v runas"" does both the runas and powershell in one command.) Be aware that, if adminUser is not local to the remote machine but is rather a domain account, you must prefix the domain (DOMAIN_NAME\domainUserWithAdminPrivilege) for the runas command.

    Once you have the elevated admn command window, you can use reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 0x0 /f

    to have UAC's prompt on the normal window, instead of the secure desktop.

    Before you end the session, be sure to change PromptOnSecureDesktop back to 0x1! The secure desktop prevents programming functions (presumably in malware) from being able to read the password you enter.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.