UAC prompt is blocked when I use Quick Assist

Question

question

FedericoCoppola-2569 asked Jan 20, '21 MikkelKnudsen-3362 commented Jul 5, '22

UAC prompt is blocked when I use Quick Assist

Hi all,
I have the following trouble when I use Quick Assist tool of Windows 10:
all users inside company are "Standard User" and they can not run any software as Administrator.

Sometimes these users ask me remote support, so we use Quick Assist App.

My issue is that very often I need to insert Administrator account to execute operation,
but I can not see screen that permit me to type administrator account and password.

How can I solve it?
I must avoid this problem otherwhise I can not support users remotelly!

It is fine for me that I can see UAC prompt and I can type admin user and password to assist employees.

All PC has got Windows 10 2004 or Windows 10 20H2 inside company.

Thanks so much
Federico

windows-10-general windows-10-security

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Reza-Ameri · Jan 20, 2021 at 04:48 PM

Make sure update Windows and Quick Assist app.
Does it ask for password after user entered the code?
This app should be run in standard users too unless you want to perform a task which required administrator access.

0 ·

Answer 1 · 2021-01-21T07:24:54.663Z

CarlFan-MSFT answered Jan 21, '21

Hi Federico,
As far as I understand it, at the moment if you use Quick Assist , when you connect to a remote users laptop/PC and try to do anything that requires an administrator elevation, the screen is just blanked out.
In the GPO editor, go to Security Settings > Local Policies > Security Options > User Account Control: Switch to the secure desktop when prompting for elevation to Disabled
Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 2 · 2021-01-21T05:43:47.977Z

FedericoCoppola-2569 answered Jan 21, '21

Hi @Reza-Ameri ,
Laptop has got lastest Windows 10 updates.

Quick Assist app works fine.

My issue is that:
1) Remote user is a standard domain user (no administrator privileges)
2) When UAC message appears I can't see anything about it and I can't type administrator password.

I hope to be clear
Federico

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 3 · 2021-01-23T07:53:47.297Z

FedericoCoppola-2569 answered Jan 23, '21

Dear @CarlFan-MSFT
Thanks!
You are right! I created a domain policy (with your settings) and I applied it to Clients OU.

Is It a vulnerability?

Thanks
Federico

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 4 · 2021-09-15T06:39:30.717Z

yannara answered Sep 15, '21

Was this solved by GPO? I have the same problem, but I am in Intune.

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 5 · 2021-09-15T07:11:52.887Z

yannara answered Sep 15, '21 MikkelKnudsen-3362 commented Jul 5, '22

I enabled this setting in Intune using the Settings Catalog, I ensured the policy has been applied, but still UAC is blacked out...

I also saw then in mmc local sec policies, that the setting is applied...

image.png (14.2 KiB)

image.png (6.4 KiB)

· 7

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

chrisxfire · Dec 20, 2021 at 05:50 PM

@yannara have you had any luck? We're exploring this as well.

0 ·

yannara chrisxfire · Dec 22, 2021 at 06:33 PM

@chrisxfire yes I managed to do it quite fast, in Settings Catalog you find all "old" UAC settings and you can configure them not to use Secure desktop.

0 ·

Nate-0602 yannara · Apr 18 at 09:10 AM

To my understanding, how do I type admin account and password if UAC prompt was disabled?

0 ·

Nate-0602 · Apr 18 at 08:48 AM

Hi Yannara
Where does that setting located in Intune. Unable to find it :(
Thanks.

0 ·

yannara Nate-0602 · Apr 21 at 10:35 AM

@Nate-0602 you should see this in Settings Catalog

0 ·

Nate-0602 yannara · Apr 21 at 11:44 AM

I found it in Intune Devices | Configuration profiles->Create profile. Is there a security risk or any vulnerability after I disable it?

0 ·

MikkelKnudsen-3362 · Jul 05 at 08:17 AM

We are doing the same right now - seems to be working ok. But its enabled in Security Baseline pr. default - so I dont think its a really good solution to be honest.

0 ·

Answer 6 · 2022-04-30T05:31:42.303Z

SteveCRF-0508 answered Apr 30, '22 chrisxfire commented May 6, '22

Dear all,

1) Has anyone any security concerns re long term disabling of the UAC setting mentioned above?
2) My manager has found this:

https://superuser.com/questions/227860/how-to-toggling-uac-on-off-quickly-eg-using-command-line-in-windows-7

We are on Windows 10 so will give it a try to see if that Windows 7 solution works on Windows 10
I am interested to know how anyone else gets on trying that

Regards,
Steve

· 3

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

chrisxfire · May 02 at 01:50 AM

I can't, in good conscience, attempt an 11-year-old solution for a deprecated operating system on a current one.

0 ·

SteveCRF-0508 chrisxfire · May 06 at 09:49 AM

Hi Chris,

I hope you are well :-)

What do you propose as a way forward?

Regards,
Steve

0 ·

chrisxfire SteveCRF-0508 · May 06 at 02:37 PM

The GPO solution mentioned above worked for us.

0 ·

question