Happy FriYAY! When using Quick Assist to remote control a device where the end-user is in user mode, the rescuer is presented with a black screen when a UAC dialogue box appears on the end-user device, and the administrator cannot enter a password or dismiss the prompt. This is a quick post on how to resolve this via Microsoft Intune.
Before we begin, be mindful of the security considerations when disabling the below policy. Information can be found here on what the policy is and what it protects from a security perspective. Only disable the below policy if it's been cleared by your security team.
When the end-user being rescued over Quick Assist isn't a local administrator and the rescuer performs an action that produces a UAC dialogue, the rescuer's screen goes black and the end-user is left with a username and password dialogue box, essentially rendering the rescue session useless. Here's a short video of the experience:
To ensure that the UAC prompt is shown to the rescuer, we need to disable switching to the secure desktop, which is enabled by default. We can use Microsoft Intune to disable this: go to the MEMAC portal, Windows, Configuration Profiles and Create profile:
Select the following Platform and Profile type:
Enter an appropriate Name and Description for the profile:
From the settings picker, under Local Policies Security Options, select the User Account Control Switch To The Secure Desktop When Prompting For Elevation setting:
Toggle the switch to Disabled:
Deploy to your test users / devices before rolling out to production.
Trust but Verify
After rolling out the above setting to my test device, the following behaviour is observed when in user mode. As you can see, the UAC prompt is sent via the Quick Assist session.
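To check the result on the device itself, the following script reads the UAC values from the registry and reports whether prompts will still use the secure desktop, including the case where a prompt-behaviour setting keeps them there even though the switch above is disabled. It is an added example, not part of the original post; the helper names are hypothetical and the fallback values are assumed Windows defaults.

```powershell
# Added example (not from the original post): report whether UAC prompts on this
# device will actually leave the secure desktop after the Intune profile applies.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumption: Windows defaults, used when a value is absent from the key.
$Defaults = @{
    EnableLUA                  = 1  # UAC enabled
    PromptOnSecureDesktop      = 1  # the setting this post disables (0 = disabled)
    ConsentPromptBehaviorUser  = 3  # standard users: prompt for credentials
    ConsentPromptBehaviorAdmin = 5  # admins: consent for non-Windows binaries
}

function Get-UacValue {            # hypothetical helper name
    param([string]$Name)
    $item = Get-ItemProperty -Path $UacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.$Name } else { [int]$Defaults[$Name] }
}

function Get-SecureDesktopState {  # hypothetical helper name
    param([int]$EnableLUA, [int]$PromptOnSecureDesktop, [int]$UserBehavior, [int]$AdminBehavior)
    $uacOn = $EnableLUA -eq 1
    # The "on the secure desktop" behaviours (user 1; admin 1 or 2) keep using the
    # secure desktop even when PromptOnSecureDesktop is 0.
    $userSecure  = $uacOn -and ($UserBehavior -ne 0) -and
                   (($PromptOnSecureDesktop -eq 1) -or ($UserBehavior -eq 1))
    $adminSecure = $uacOn -and ($AdminBehavior -ne 0) -and
                   (($PromptOnSecureDesktop -eq 1) -or ($AdminBehavior -in 1, 2))
    [pscustomobject]@{
        UacEnabled                  = $uacOn
        PromptOnSecureDesktop       = $PromptOnSecureDesktop
        StandardUserAutoDenied      = $uacOn -and ($UserBehavior -eq 0)
        StandardUserOnSecureDesktop = $userSecure
        AdminOnSecureDesktop        = $adminSecure
    }
}

# Live state of the local device.
Get-SecureDesktopState -EnableLUA (Get-UacValue 'EnableLUA') `
    -PromptOnSecureDesktop (Get-UacValue 'PromptOnSecureDesktop') `
    -UserBehavior (Get-UacValue 'ConsentPromptBehaviorUser') `
    -AdminBehavior (Get-UacValue 'ConsentPromptBehaviorAdmin')

# Constructed input: policy disabled, but the standard-user behaviour is "prompt
# for credentials on the secure desktop", so the prompt stays on the secure desktop.
Get-SecureDesktopState -EnableLUA 1 -PromptOnSecureDesktop 0 -UserBehavior 1 -AdminBehavior 5
```

Run it on a test device after the profile has synced. The same output on production devices shows the security team which machines have left the secure desktop.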