Remote assistance in an Intune environment

With the introduction of Windows 10 came a nifty little tool called ‘Quick Assist’. This tool is basically the Microsoft equivalent of TeamViewer. You give a remote assist code to the client in need and voilà: you’re connected to the remote desktop. There are shortcuts to the task manager and restart button, an annotate function and, most interestingly, the option to remote control the client’s PC.

There is one problem, however: once you trigger UAC, the screen freezes and doesn’t show a login window. You might think that this is a bug, but it’s actually by design. UAC prevents remote access to admin-privileged tasks. This behavior applies to all remote support tools, including TeamViewer.

Luckily there is a way to safely get past this security measure and, best of all, it’s built right into Intune! Go to the Microsoft Azure control panel -> Intune -> Device configuration -> Profiles and choose ‘Create profile’.

Now choose the platform ‘Windows 10 and later’ and choose the profile ‘Endpoint protection’. Give the profile a meaningful name and a description. I always put a prefix in front of the name so I can quickly see what platform the restriction will apply to.

Now go to ‘Local device security options’ -> ‘User account control’ and find the column called ‘UIA elevation prompt behavior’. We are going to change two default settings. First we set ‘Route elevation prompt to user’s interactive desktop’ to ‘enabled’. After changing this setting the issue should already be resolved. However, I highly recommend also changing ‘Elevation prompt for admins’ to ‘Prompt for credentials’. This setting makes sure that credentials are needed on every elevation request made by admins.

You will now notice that for every UAC elevation request you will need to provide credentials. This time, however, you can actually enter those credentials remotely. I know it’s not a perfect solution and there is a security trade-off. Use it wisely, and at your own risk.
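
To confirm on a client that the profile has landed, and to keep a record of which machines no longer use the secure desktop for elevation prompts, you can read the local UAC policy values. This is an added example, not part of the original post: the function name is hypothetical, and it assumes the two Intune settings above map to the standard UAC registry values `PromptOnSecureDesktop` and `ConsentPromptBehaviorAdmin`.

```powershell
# Added example: report the local UAC values that the two Intune settings control.
# Assumption: the profile writes the standard UAC policy values under the key below.
function Get-UacRemoteAssistState {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    # Meaning of ConsentPromptBehaviorAdmin ('Elevation prompt for admins')
    $adminPrompt = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }

    $policy = Get-ItemProperty -Path $Path -ErrorAction Stop

    # Return the value as an int, or $null when it is not present on this machine
    $read = {
        param($name)
        $prop = $policy.PSObject.Properties[$name]
        if ($prop) { [int]$prop.Value } else { $null }
    }
    $secure = & $read 'PromptOnSecureDesktop'
    $admin  = & $read 'ConsentPromptBehaviorAdmin'

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        PromptOnSecureDesktop      = $secure
        # 0 means prompts go to the user's interactive desktop (visible remotely)
        RoutedToInteractiveDesktop = ($secure -eq 0)
        AdminPromptValue           = $admin
        AdminPromptMeaning         = if ($null -ne $admin -and $adminPrompt.ContainsKey($admin)) {
                                         $adminPrompt[$admin]
                                     } else { 'Not set or unknown' }
        # True only when both settings from the post are in effect
        MatchesProfile             = ($secure -eq 0 -and $admin -eq 3)
    }
}

Get-UacRemoteAssistState | Format-List
```

If `RoutedToInteractiveDesktop` is true while `AdminPromptValue` is still 5 or 4, only the first of the two settings has applied and admins are elevating with a consent click rather than credentials.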