Remove From My Forums

Remote Assistance & UAC

Question
0

Sign in to vote
Hi All,

I would like to use remote assistance to help my staff - after all that's what it's designed for

The problem I am having is that general users are not machine / domain admins.

When they send a remote assistance request to me, for me to do anything more than open notepad or the like the user is prompted to enter admin account creditials - which they don't have - so I have to go find them and type it in directly, hence making remote assistance nothing more than a convoluted support request email system

Is there a way a user can send a request, and the remote helper (that's me) enter the UAC admin credentials instead of the local user? Group policy or something...???

Thanks guys!

Russell.
- Moved by Carey FrischMVP, Moderator Thursday, September 8, 2011 3:51 PM Moved to more appropriate forum category (From:Windows Vista Setup)
Sunday, June 3, 2007 3:17 PM

Answers

11

Sign in to vote
Hi ppl,

Note: This is based around the Expert being on a 2003 Server and the Novice being Vista and the vista client generating a RA (remote assistance) request file.

I simplified the RA request file creation by creating a small HTA that generates the request file and saves it on the 2003 management server in a hidden share.

Workaround for the UAC problem is to set the following policy either locally or via a Domain GPO.

Computer Configuration > Windows Settings > Local Policies > Security Options > User Account Control : Switch to the secure desktop when prompting for elevation. Check Define this policy setting and select Disabled.

Now when you check the elevated access check box the UAC prompt will appear on the experts session and you will not get the irritating Pause sign

As always do your own testing first!

Cheers,

Barry
- Proposed as answer by Russ-ASID Friday, April 22, 2011 6:49 PM
- Marked as answer by Carey FrischMVP, Moderator Tuesday, September 20, 2011 12:31 PM
Tuesday, February 5, 2008 6:05 PM

All replies

0

Sign in to vote
UAC is designed to highly secure your Windows and your data! It's a hard closed system that prompts for operations with tasks would require administrator privilages and tasks which would affect system or files directly (delete, move or execution of data). It's useful to prevent trojans and worms to execute behind being watched by you "as administrator". Remote assistance must be of those applications with Run as Admin or high elevation privilages. You may disable the UAC if your work concentrated specially on Remote Assistance Application.

Good luck
- Proposed as answer by CProfile Wednesday, January 28, 2015 5:40 PM
Sunday, June 3, 2007 7:53 PM
1

Sign in to vote

I understand why UAC is there, I do not want my users running as admins, nor disable UAC, hence the problem.

How I can provide remote assistance (which fundamently requires admin access to be of any significant use) to a user without giving them an admin login - to enable me to be a remote admin?

It seems that I have the key to the lock, but I must give to the user in order to use it, and hence remove the reason for the remote assistance?

Or have I missed the point here...

I want to be a remote admin, helping my users, but in order to do so, I must give them admin access?

Thanks

Sunday, June 3, 2007 11:06 PM
0

Sign in to vote

Did you find a solution? I have the same problem.

I want to help my users but I don't want them to have local admin passwords.

Andrew

Friday, November 9, 2007 3:50 PM
0

Sign in to vote

Hi Andrew,

No, I never did find a solution

Sorry!

Friday, November 9, 2007 8:47 PM
0

Sign in to vote

I am also having this issue. I will look around a bit more before opening a ticket with Microsoft utilizing my Partner support for business critical down situations. I will come back and post the resolution if there is one.

Thursday, January 10, 2008 11:14 PM
1

Sign in to vote

I've found the answer. If UAC is enabled, the user MUST respond to a UAC prompt when allowing remote assistance. This is a design "feature" that essentially makes it impossible for a company to help their users unless the users are granted local admin rights on the PC, unless a third party product is used or UAC is disabled. Thanks Microsoft for making our jobs that much more difficult and costly.

Below is an excerpt from the Vista Resource Kit book (from http://www.windowsnetworking.com/articles_tutorials/Windows-Vista-Resource-Kit-Chapter-23-Supporting-Users-Using-Remote-Assistance-Part1.html)

Pay attention to the last paragraph... basically, the user must allow the helper to have admin access by providing their own admin credentials in order to prevent them from stealing local admin priviledges from the helper, which is moot because they already must have local admin priviledges! At least MS should have provided a Group Policy setting that turns off UAC for RA in a Domain or something similar.

--------------------

When a User consents to having a Helper share control of her computer during a Remote Assistance session, the User has the option of allowing the Helper to respond to UAC prompts (Figure 23-1). Typically, User Account Control (UAC) prompts appear on the Secure Desktop (which is not remoted) and consequently the Helper cannot see or respond to Secure Desktop prompts. The Secure Desktop mode is the same mode that a user sees when she logs on to her computer or presses the Secure Attention Sequence (SAS) keystroke (Ctrl+Alt+Delete). UAC elevation prompts are displayed on the Secure Desktop instead of the user’s normal desktop to protect the user from unknowingly allowing malware to run with elevated privileges on her computer. The user must provide consent to a UAC prompt to return to her normal desktop and continue working. This consent requires either clicking Continue (if the user is a local admin on her computer) or by entering local admin credentials (if she is a standard user on her computer).

It is important to understand that the Secure Desktop on the User’s computer is not remoted to the Helper’s computer. In other words, the Helper can only respond to UAC prompts on the User’s computer using the User’s own credentials. This means that if the User is a standard user on her computer while the Helper is a local administrator on the User’s computer, the Helper can only have administrative privileges on the User’s computer if the User can first supply those credentials.

Enforcing this limitation is essential to ensure the security of Vista desktops. The reason behind this design decision is that if RA was architected to allow the Helper to remotely elevate the User’s privileges, the User would be able to terminate the RA session and thus steal local admin credentials from the Helper.

Friday, January 25, 2008 7:04 PM
11

Sign in to vote
Hi ppl,

Note: This is based around the Expert being on a 2003 Server and the Novice being Vista and the vista client generating a RA (remote assistance) request file.

I simplified the RA request file creation by creating a small HTA that generates the request file and saves it on the 2003 management server in a hidden share.

Workaround for the UAC problem is to set the following policy either locally or via a Domain GPO.

Computer Configuration > Windows Settings > Local Policies > Security Options > User Account Control : Switch to the secure desktop when prompting for elevation. Check Define this policy setting and select Disabled.

Now when you check the elevated access check box the UAC prompt will appear on the experts session and you will not get the irritating Pause sign

As always do your own testing first!

Cheers,

Barry
- Proposed as answer by Russ-ASID Friday, April 22, 2011 6:49 PM
- Marked as answer by Carey FrischMVP, Moderator Tuesday, September 20, 2011 12:31 PM
Tuesday, February 5, 2008 6:05 PM
0

Sign in to vote

This is seriously doing my head in. I set up a computer for an overseas colleague, without giving him administrative access. I figured that if he needed to install something, I could provide remote assistance and enter the administrator password for him. Obviously this isn't possible due to this "feature"

Unfortunately I did not discover this problem until after the computer was sent. While there are a few ways round this, (like turning off UAC, using Barry's security policy change) they all require the admin access that I can not provide so I am stuck in a real catch-22 situation. I really don't want to give him the password as foolishly I used a password in use in other places and it would be a hassle to change it in multiple locations

Can anyone think of any way of modifying the registry or local policy that does not invoke UAC?

Tuesday, April 15, 2008 3:23 PM
2

Sign in to vote

Disabling UAC or the Secure Desktop is a terrible solution. Microsoft, GET IT TOGETHER.

Vista Remote Assistance is totally useless in the enterprise. Their I no reason the USER needs administrative privileges to receive Remote Assistance. This isn't even a technical question, it's just plain stupid. Their is no technical reason that Remote Assistance can't be given my network credentials to initiate UAC access. I have to authenticate to initiate Remote Assistance anyway, just like Remote Desktop.

Also, showing the checkbox to allow UAC prompts to non admins is just plain stupid. Every user in my company has tried to check that box, and then get stuck because they don't have permission and don't know what to do.

This is one more feature from Windows XP that has been ruined in Vista.

Tuesday, April 15, 2008 5:42 PM
2

Sign in to vote

MS has fixed this problem in Vista SP1. Find this local security policy: User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop - and set it to Enabled. Problem solved.

Friday, September 12, 2008 7:19 AM

Pirks wrote:

MS has fixed this problem in Vista SP1. Find this local security policy: User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop - and set it to Enabled. Problem solved.

That is incorrect. User's will still get a UAC prompt for admin creds, even with the policy enabled, and the Helper(Admin) on the other end will still get the black screen. it's only after that initial promp that the rest of the RA session will have secure desktop disabled.

bump this thread for a better solution from the MSFT, pros.

currently, it seems the workaround is to disable secure desktop.

Wednesday, December 3, 2008 10:54 PM

Anyone can comment if this problem is fixed in Windows7?

Remote assistance (RA) is really needed in the enterprise and 95% is the following scenario - Help Desk employee with admin rights must help local person who does not have admin rigts and in 90% of cases Help Desk employee need to open computer management tools or other things that require admin credentials (for example, to install additional program, etc.)

Current problems:
1. Help desk initiated RA requires to open dangerous ports common with other windows features in firewall. Instead, it should work over separate port only for RA.
2. UAC prompt on local user side makes this feature totally useless. And this does not improve the security at all - third party programs are installed that share desktop including all the UAC prompts. Every second counts for expensive Help Desk employee, nobody has the time to talk to non-advanced local user that he must press one or another button.
3. No questions must be asked on the user side (exept first Yes/No to allow connection) for connection of authorized Help desk technicians (if such domain policy is in place).

"Enterprise" version must not behave like version designed for the home user. Company owns a PC and if the decision is that Help Desk employee or company administrator can connect to any PC to fix the problem, must be group policy enabling that.

Proposed as answer by harrymrh Friday, March 6, 2009 5:21 PM

Sunday, February 15, 2009 5:13 PM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.

DWORD Value - EnableUIADesktopToggle

To Enable - 1
To Disable - 0

It worked for me on home premium sp1, and basic sp1.

Note registry edit because the basic and home systems don't have the local security policy editor. The tick box on the take control screen in remote assistance vanishes, remote user can see the uac prompts remotely. It only effects remote control. Secure desktop is still active locally.

Harry

Proposed as answer by harrymrh Friday, March 6, 2009 5:28 PM

Friday, March 6, 2009 5:28 PM

Hi Guys, I am sorry, I am not seeing the problem here.

1 - If you are concerned that these ports are being exploited, limit the Scope to the IT department subnet or better still select the "Allow the connection if it is secure" and require Computer and User authentication. No need for a seperate port. Search for IPSec in technet.

2 - Removing the requirement for the Secure Desktop is not "Disabling the UAC" as described by James. The secure desktop is meant to avoid spoofing of the UAC, which in the enterprise is unlikely to be a problem. (Users know they don't have credentials anyway, and when they see it they always called you anyway.)

3 - There are only two questions the user needs to answer - Allow the Helper to connect, and Allow the helper to control the desktop. You then have control.

Even people working for a company have some rights to privacy. I would personally consider it of extreme rudeness for me as a Support Person to try and take control of or try to view a users desktop without first asking them. I have accordingly edited the Group Policy to change the message so that it identifies the department as the connecting to the desktop. As I am on the phone and have spoken to them, the message make perfect sense and does not take them by surprise.

If you worry that the person will steal your credentials, you only need to use a local admin password. You can then easily reset this using group policy and change after use or every day/week/month/whatever. There are also many scripts that can do this for you. In one of my previous jobs we used a password setting tool that gave you an admin password for a PC, set this on the PC for use, then scrambled it afterward. So much for that concern.

Under these conditions RA works fine under Vista and works fine under Windows 7 in an enterprise environment.

Anthony Sheehy - .net

Wednesday, October 21, 2009 3:33 PM

For those who do need a workaround, the following will work. I don't think there's a way to request elevation from the command prompt, but if there is, it would make this easier.

If the issue you face is that UAC requesting your admin credentials brings up the secure desktop on the remote machine and shows you a big pause button. do this instead:

When you are given shared control by the user you're assisting, open a command prompt, and start another command prompt with RUNAS. In other words type runas /USER:domain\adminusername cmd. You will be prompted for credentials in the command line box, and a new command prompt will open that is running under your admin credential. So far so good.

Now however you need to run a program that requests elevation. We have a custom admin tool that sits on every machine that does this, but for example you can create a .NET program that does nothing but launch an elevated command prompt. When this program runs, the secure desktop will still come up and you'll still get a pause on your end, but the difference is that you don't have to enter any credentials because you've already done that. The user will just be prompted to Cancel or Allow the elevation. Tell them to click Allow, and you have your elevated admin prompt on the remote machine.

The following articles discuss ways of elevating via scripting and/or PowerToys. Again, the main point is entering credentials on the remote machine without getting the UAC at that point. With a bit of work you can support your enterprise users remotely even under a fully secure scenario. Hope that helps!

http://blogs.msdn.com/b/aaron_margosis/archive/2007/07/01/scripting-elevation-on-vista.aspx

http://technet.microsoft.com/en-us/magazine/2008.06.elevation.aspx

Thursday, July 29, 2010 8:17 PM

Hi Guys, I am sorry, I am not seeing the problem here.
2 - Removing the requirement for the Secure Desktop is not "Disabling the UAC" as described by James. The secure desktop is meant to avoid spoofing of the UAC, which in the enterprise is unlikely to be a problem. (Users know they don't have credentials anyway, and when they see it they always called you anyway.)

3 - There are only two questions the user needs to answer - Allow the Helper to connect, and Allow the helper to control the desktop. You then have control.

Even people working for a company have some rights to privacy. I would personally consider it of extreme rudeness for me as a Support Person to try and take control of or try to view a users desktop without first asking them. I have accordingly edited the Group Policy to change the message so that it identifies the department as the connecting to the desktop. As I am on the phone and have spoken to them, the message make perfect sense and does not take them by surprise.

If you worry that the person will steal your credentials, you only need to use a local admin password. You can then easily reset this using group policy and change after use or every day/week/month/whatever. There are also many scripts that can do this for you. In one of my previous jobs we used a password setting tool that gave you an admin password for a PC, set this on the PC for use, then scrambled it afterward. So much for that concern.

Under these conditions RA works fine under Vista and works fine under Windows 7 in an enterprise environment.

Anthony Sheehy - .net

Well Anthony if you aren't seeing the problem here, you may need to get back into the trenches more often. This attitude is unfortunately why we arent getting a fix. I lead a team of Level 1 and Level 2 guys and I must say that the decision to force prompt is extremely short-sighted given today's ENTERPRISE needs from MS products.

a) Rights to privacy. Anthony how about logging into a newly imaged machine in a remote branch office with no IT staff? We have a global vendor who ships hardware to us, plugs it in for us (or we talk someone through it if that service is not provided in the respective country) then we build new machines for people in offices all around the world using PXE boot deployment silently and unattended right to the point that someone has to press CTRL-ALT-DEL (sometimes imaging script stops because of bad logic in a new software package etc and we need to restart). However since Windows 7, we have to annoy someone to read prompts on a screen where we never had before. Terrible.

What about the situation where the user has allowed you to remote control via email chain (so there's your authorisation paper trail) and you are playing phone tag with them? I don't like hearing from my guys "i was delayed in solving because I needed the user at the computer". Terrible!

b) So what was previously a 60second helpdesk task turns into 3-4 minutes as my guys have to wait for someone to sit down (always get written confirmation that we are allowed to remote control) then once done we have to reset passwords. Even if we had your wonderful password reset tool, or used local password change via GPP, it is still time consuming. We have on average 200 jobs/calls a day. 90% of them are remote control. That's 200 password changes x at least 2-3 mins. You do the math and see if that is ENTERPRISE FRIENDLY.

Also, I would probably fire one of my guys if they handed out the local admin password and the user had access to that for anything more than 5 minutes. I completely disagree with your assertion that the user knows local admin credentials for a day/week/month.

Seriously, get with the times and hear what the greater community are saying MS. We want no prompt.

Sunday, January 23, 2011 10:52 PM

Remote Assistance was a very great tool in Windows XP, and now it is completely useless!!!

Does Microsoft really think that end-users should have Admin rights on their PCs to be able to ask for help??? Come-on, they are calling the person asking for help a novice in the documentation, do they really imagine that I will give the admin password to a novice!!!!!

We are a 4000+ employ Airline, and this "feature" will delay our migration to windows 7 until we find, pay for and get a 3rd party Remote Assistance tool that works. That an extra time and money wasted, because somebody is not thinking logically in Redmond.

Again, really??? They expect us to give the Admin password to the end-user!!!!

I can not believe what I am reading... somebody wake me up please !!!

Maybe all users in Redmond are Admins on their PCs, and the average novice in Microsoft is at least an MCSE... but out of our 4000+ users only about 100 are Admins on their PCs, and I am sure it is the same in all normal enterprises.

Sunday, March 6, 2011 8:00 AM

I think Remote Assistance is designed for home/small business. It's just not useful in an enterprise environment, as you can see. If it were for enterprise, the user wouldn't even need to initiate a session, because there would be an admin tool to simply logon to any desktop to share the user session. And that isn't going to happen, because Microsoft wants to sell terminal server licenses.

You'll just have to go with 3rd party solutions, like GoToAssist, which does not have all these limitations.

Thursday, March 17, 2011 7:15 PM

MS has fixed this problem in Vista SP1. Find this local security policy: User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop - and set it to Enabled. Problem solved.

Pirks' solution is correct.

Here is a specific reference to the setting:

http://technet.microsoft.com/en-us/library/dd851479.aspx

This one has the Group Policy location for that setting, as well as some other UAC setting details:

http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx

It works as advertised, which greatly improves the usefulness of Remote Assistance. The user does not need initiate the session as long as you know the name of their system.

Thursday, March 17, 2011 11:03 PM

I'm not sure if this is a Windows 7 or SBS 2011 feature or both, but Windows Remote Assistance now has a checkbox to allow the remote user to respond to UAC prompts.

No policy changes needed, as long as someone's there at the PC.

Saturday, April 2, 2011 7:32 PM

Yes there is a checkbox there in Windows 7 to respond to UAC prompts however when using the Secure Desktop for UAC the screen will go blank and it is not possible to elevate.

Lowering our UAC settings is not an option!

Lee Bowman MCITP MCTS

Tuesday, April 12, 2011 10:40 AM

Computer Configuration > Windows Settings > Local Policies > Security Options > User Account Control : Switch to the secure desktop when prompting for elevation. Check Define this policy setting and select Disabled.

Now when you check the elevated access check box the UAC prompt will appear on the experts session and you will not get the irritating Pause sign

As always do your own testing first!

Cheers,

Barry

Yes, Barry is right. It worked for me. HOWEVER... there is a second Policy that MAY need to be set as well.

Set both of these:

User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop (Set to Enabled)
User Account Control: Switch to the secure desktop when prompting for elevation (Set to Disabled)

All the UAC settings are here:

Security Settings\Local Policies\Security Options

All the UAC setting descriptions are in the GPMC or here:

http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx

Friday, April 22, 2011 6:48 PM

We had same problem with Windows 7.

Additional to both Policies (see answer of 'Russ-A SID') we did have to set

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Prompt for credentials" and
"User Account Control: Behavior of the elevation prompt for standard users" to "Prompt for credentials".

Now there is no pause by RA when UAC is on!

HLM\Software\Microsoft\Windows\CurrentVersion\Policies\System looks like this:
ConsentPrompBehaviorAdmin: 3
ConsentPromptBehaviorUser: 3
EnableUIADDesktopToggle: 1

Thanks for this question and answers!

Soheil

Proposed as answer by Theo v Z Tuesday, July 26, 2011 2:13 PM

Wednesday, July 6, 2011 2:00 PM

Saw this feature in windows7 and thought it was great. Tried to fix an issue for a user (install some software) when I did the run as admin I got the pause screen. Then I noticed the check box for let the helper see UAC. I thought oh right, got the user to tick that box ... pause screen again. Now I think the feature is a waste of space. I would be much happier if I could configure users who can take control and use UAC in group policy.

I'm just going to deploy VNC again. Phone call to user

Me: "Hi, is it ok for me to connect to your PC to help with the issue you've been having"

User: "Ok"

I VNC their machine and can work, how easy was that.

Thursday, September 8, 2011 3:35 PM

One other issue :

In Active Directory add the user member of "admin of domains" during the remote assistance, they uses their credentials.

But it's not a good solution ...

Tuesday, September 20, 2011 12:05 PM

One other issue :

In Active Directory add the user member of "admin of domains" during the remote assistance, they uses their credentials.

But it's not a good solution ...

Making a user a domain admin? That's a terrible idea! But it highlights the point that Microsoft has purposely made it impossible to share screen sessions with remote desktop. Obviously, they want people to buy Windows Server with terminal server. If a desktop client allowed multiple simultaneous user logins, Microsoft fears it would cut into the terminal server licenses (which are very expensive).

Tuesday, September 20, 2011 3:01 PM

Making a user a domain admin? That's a terrible idea! But it highlights the point that Microsoft has purposely made it impossible to share screen sessions with remote desktop. Obviously, they want people to buy Windows Server with terminal server. If a desktop client allowed multiple simultaneous user logins, Microsoft fears it would cut into the terminal server licenses (which are very expensive).

Exactly, my position was to emphasize this point. You are right it is a story to protect the business of licensing TSE.

Wednesday, October 12, 2011 12:57 PM

So after doing the steps above (as we have done already), we are unable to type into the credential fields. Are you saying you can enter your admin credentials here?

Thursday, March 22, 2012 5:01 PM

After doing this, are you able to enter your admin credentials? All our users are standard users.

Thursday, March 22, 2012 5:05 PM

This continues to be a problem for us on ALL Windows 7 computers we deploy even though we have...

disabled the following local security policy: User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop

...and enabled the following; User Account Control: Detect application installations and prompt for elevation

...secure desktop and enabled the prompt in local security policy. We have thousands of users, many of which are remote with user accounts that are not part of any group other than standard user. We use various remote support tools and we have the same issue across the board; because UIAccess is disabled we can at least see the prompt remotely but that is useless because we cannot enter admin credentials and even when a the user enters the local admin credentials provided to them the remote admin is unable to interact with or click through application installers. MS needs to fix this fast, I am sure an additional policy to allow remote access to the UAC and installers.

What is the need of security if it gets in the way? Now we are having to issue remote users local admin credentials just so we can support them, something that we should not have to do. Why isn't there a policy that also lets remote admins able to enter credentials and click through application installers?

Monday, May 28, 2012 12:56 PM

I tested this on Windows 8 Release Preview and it worked flawlessly. All I needed to do was enable the the UIAccess and siable secure desktop in local policies as everyone has done in Windows 7 without success. This goes to show that the implementation in Windows 7 is broken and needs to be fixed.

Saturday, June 2, 2012 7:13 PM

Does ANYONE have this working on WIN 7 Enterprise?

I want to use Remote Assistance with UAC on. Do the Group Policy mentioned above work?

Thanks

Dave

Proposed as answer by Antiskeptic Friday, June 15, 2012 6:47 AM
Unproposed as answer by Antiskeptic Friday, June 15, 2012 6:47 AM

Friday, June 8, 2012 6:05 AM

Hi Dave,

Our Enterprise environment has it working. We may now remote into Win 7/Win XP boxes using group policy and a couple firewall exceptions.

Firewall ports: 3389 & 135

Windows 7

GPO: Remote_Assistance_Win7_Vista (Or your on GPName)
Computer Configuration\Administrative Templates\System\Remote Assistance:
Offer Remote Assistance: Enabled
Allow helpers to remotely control the computer
Helpers: (Domain Admin Accounts/Group)

Security Settings\Local Policies\Security Options:
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desk

Firewall:

When using the Windows 7 default domain profile, the default firewall configuration is already set correctly and the remote maintenance option active.

Windows XP

GPO: Remote_Assistance_XP
Computer Configuration\Administrative Templates\System\Remote Assistance:
Offer Remote Assistance: Enabled
Allow helpers to remotely control the computer
Helpers: (Domain Admins/Group)

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile:

Windows Firewall: Define program exceptions: Enabled
Exceptions:

%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice

Windows Firewall: Define port exceptions: Enabled
Exception: 135:TCP:*:Enabled:Offer Remote Assistance

Computer Configuration\Administrative Templates\Windows Components\Terminal Services:
Allow users to connect remotely using Terminal Services: Enabled

Once these GPs are applied, you can use the following command line to open a Remote Assistance prompt that allows you to input IP Address or DNS Name:

msra.exe /offerRA

Here's some links we used to get this up and running:

http://www.cloudtec.ch/blog/tech/remote-assistance-windows-7-free-built-in-remote-control.html

http://support.microsoft.com/kb/301527

http://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx

http://technet.microsoft.com/en-us/magazine/ff356868.aspx

GOOD LUCK!

Proposed as answer by BlurryEyed Friday, June 8, 2012 6:27 PM
Edited by BlurryEyed Friday, June 8, 2012 6:30 PM

Friday, June 8, 2012 6:26 PM

For information, this solution also works on Windows 8 (the home edition)

We have a number of employees who have Windows 8 (not Pro) and this solution worked perfectly for me.

Thanks!

Tuesday, May 21, 2013 9:51 AM

This solution works fine like a charm!!!

Thank You! :-)

Cheers,

Helton.

Friday, January 31, 2014 5:09 PM

Thank mate, it works for me,

Thursday, June 12, 2014 5:03 AM

Thanks mate it works for me but just need to add few more setting.

Thursday, June 12, 2014 5:04 AM

I found a solution & want to share with you. Please follow the below steps to configure UAC by using group policy so that it can apply to all machine.

Steps 1:Create an OU (Organizational Unit) on your AD (active directory) & move the machine which you want to apply the GP (Group Policy) for UAC access on remote assistance.

Steps 2:Open Group Policy Management Console on your AD machine and create a GP & link it to OU which you have created. Give a name to that GP & select edit.

Steps3: Now go to this location

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

And make the changes as mentioned below

Group Policy setting	Registry key	Default	Changes Required
User Account Control: Admin Approval Mode for the built-in Administrator account	FilterAdministratorToken	Disabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop	EnableUIADesktopToggle	Disabled	Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode	ConsentPromptBehaviorAdmin	Prompt for consent for non-Windows binaries	Prompt for credentials
User Account Control: Behavior of the elevation prompt for standard users	ConsentPromptBehaviorUser	Prompt for credentials on the secure desktop	Prompt for credentials
User Account Control: Detect application installations and prompt for elevation	EnableInstallerDetection	Disabled (default for enterprise)
User Account Control: Only elevate executables that are signed and validated	ValidateAdminCodeSignatures	Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations	EnableSecureUIAPaths	Enabled
User Account Control: Run all administrators in Admin Approval Mode	EnableLUA	Enabled
User Account Control: Switch to the secure desktop when prompting for elevation	PromptOnSecureDesktop	Enabled	Disabled
User Account Control: Virtualize file and registry write failures to per-user locations	EnableVirtualization	Enabled

Now run ‘’gpupdate’’ on server & client side to verify. Enjoy J

Thursday, June 12, 2014 12:24 PM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.

DWORD Value - EnableUIADesktopToggle

To Enable - 1
To Disable - 0

It worked for me on home premium sp1, and basic sp1.

Note registry edit because the basic and home systems don't have the local security policy editor. The tick box on the take control screen in remote assistance vanishes, remote user can see the uac prompts remotely. It only effects remote control. Secure desktop is still active locally.

Harry

You're still helping people 6 years into the future ;)

Best Regards Wojciech Wróblewski Visit my blog (in polish): http://wojciechwroblewski.wordpress.com/

Friday, April 3, 2015 10:11 PM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

Remote Assistance & UAC

Question

Answers

All replies

Windows 7

Windows XP