Forum Discussion
JillArmour
Community Manager
Jun 29, 2023
Repost: Make quick assist run as admin
Question:
We need to be able to use Quick Assist in Windows 10 to do some administrative tasks, but if the end user initiates the Quick Assist session then the remote admin is limited to only what...
glindauer
Nov 30, 2023
Copper Contributor
JillArmour What a great post!
With a further step, you can alter settings so you can fill in credentials when elevation is required. To do this, you need to set the PromptOnSecureDesktop value in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System registry key to 0x0.
You need an elevated administrator command prompt to do this; if you use runas /user:.\Administrator cmd you will get this elevated prompt.
If you don't have an enabled .\Administrator account, from a cmd window that has admin privileges (but isn't elevated) you can use
powershell -Command "Start-Process cmd -Verb RunAs" and use any account in the computer's administrator group. However, unlike signing directly in as Administrator, this method requires the remote user to click "Yes" on their side, to OK this elevation.
If you can use chat, email, or something like (external links removed by moderator) you can send
powershell -Command "Start-Process cmd -Verb RunAs"
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 0x0 /f
to the remote. Then using the final, elevated Admin, cmd window, execute the reg (or regedit.exe if you prefer) to clear PromptOnSecureDesktop. From that point UAC prompts will appear where you can see and respond to them.
The point of all that was to disable PromptOnSecureDesktop without having Windows 10 or 11 prompt you for credentials on the secure desktop. Once the secure desktop is disabled, you won't be "paused out" of the remote whenever the computer asks for elevated credentials.
Before you end the session, be sure to change PromptOnSecureDesktop back to 0x1! The secure desktop prevents programming functions (presumably in malware) from being able to read the password you enter.
NZDanny
Jan 17, 2024
Copper Contributor
If you are regularly running this kind of support process in an internal domain environment or for customers, you can implement a net logon or domain policy. One of my customers built it in as part of the startup that the registry would revert to secure desktop prompts again to maintain endpoint security when they reboot, just in case the support agent got disconnected before the agent could revert the setting for "PromptOnSecureDesktop".
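
One way to script the startup revert described in the post above, as an added example that is not part of the original thread or the customer's actual policy. It assumes Windows PowerShell 5.1 running elevated (for example as a computer startup script); the event source name and event ID are hypothetical.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 running
# elevated (e.g. as a computer startup script under SYSTEM).
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'PromptOnSecureDesktop'
$Source    = 'SecureDesktopRevert'   # hypothetical event source name
$EventId   = 4100                    # hypothetical event ID

function Restore-SecureDesktopPrompt {
    # Read the current value; $null means the value is not present.
    $item    = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $current = if ($item) { $item.$ValueName } else { $null }

    if ($current -eq 1) { return $false }   # already on the secure desktop

    # Write 1 explicitly, whether the value was 0 or missing.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

    # Read back and fail loudly if the write did not take.
    $after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    if ($after -ne 1) { throw "$ValueName is still $after after revert" }

    # Leave a record so a session that ended without the revert is visible.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    $was = if ($null -eq $current) { 'not set' } else { "0x{0:X}" -f $current }
    Write-EventLog -LogName Application -Source $Source -EventId $EventId `
        -EntryType Warning -Message "$ValueName was $was at startup; reset to 0x1."
    return $true
}

if (Restore-SecureDesktopPrompt) { Write-Output "$ValueName restored to 0x1" }
```

The Warning entry in the Application log gives a count of sessions that ended without the manual revert.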