In these days most people are working from home and offering remote assistance to the end-users might be challenging under certain circumstances, even on Windows 10 devices.
Having a quick view on the users desktop can be easily done with tools like Microsoft Teams, TeamViewer or the build-in Windows 10 tool Quick Assist. But as soon as we need to provide a fix which requires administrator rights, things get more complicated as a lot of end-users are standard users without admin rights on their local device. The User Account Control (UAC) prompt isn`t shown to the (remote assistant) IT helpdesk user by default, but to the end-user. This doesn`t allow the remote assistant to provide his administrator credentials.
There is a workaround for this via a Microsoft Intune Configuration Profile setting: Route elevation prompts to user`s interactive desktop.
By enabling this setting on the Windows 10 devices, during a remote assistance session, the UAC prompt is shown to the remote assistant, which allows the remote assistant to enter his credentials.
Let`s have a look where we find this setting in Intune and how the remote support is provided using Quick Assist on Windows 10.
Configure the Endpoint Protection profile
The setting which we need to enable is found in the Endpoint Protection profile.
- Sign-in to the Endpoint Manager admin center
- Browse to Devices – Windows
- On the Configurations profiles tab click + Create profile
- Choose Windows 10 and later as Platform
- Choose Endpoint protection as Profile type
- Click Create
- Give the configuration profile a Name
- Enter a Description (optional)
- Click the Settings tab
- Click the Local device security options tab
- Set Route elevation prompts to user`s interactive desktop to Enabled
- Click OK (three times)
- Click Create
Assign the profile to a security group and your ready for testing.
End-user experience
Let`s have a look how we can provide remote assistance to our end-users by using Quick Assist.
Start Quick Assist (by searching for it via the search box or by hitting the Windows key + CTRL + Q) on both the Windows 10 desktops, from the end-user and the remote assistant.
On the desktop of the assistant choose Assist another person.
A Security code will be provided. Provide the security code to the end-user.
The end-user needs to enter the received security code and click Share screen.
The assistant checks Take full control and clicks Continue.
The end-user reviews the information, about who is connecting and click Allow.
The remote assistance session is setup!
This is the view from the assistant.
But when we, for example, try to start PowerShell as Administrator, by default the assistant screen is paused/ turns black for the assistant.
But when the setting is applied to route the elevation prompt, the User Account Control pop-up is shown to both users. This allows the assistant to provide his (administrator) credentials and run PowerShell as admin.
And we are able to run PowerShell with Administrator rights.
That`s it for this post. Thank you for reading and I hope you`re now able to assistant your home working colleagues.
3 Comments
For what we need to assign the profile user/device/admin
I would assign it to a device group.
what a great solution, we are going to test it here!