This is a note for myself, as I always have to look up which Group Policy setting I need.
When using the Remote Assistance tool to help someone running Windows 7 (or Vista!), you can't respond to a UAC elevation prompt as the “helper” out of the box. The end user is supposed to respond to the UAC prompt. It’s intended as a security feature to prevent remote helpers making admin changes, but what if you’re the network admin and the end user doesn’t have local admin rights?
As the helper you just end up with a black screen, while the user is prompted for credentials they don’t have and that you probably don’t want to give them.
The solution is to allow remote assistance users to interact with the UAC prompt.
It’s a simple change in Group Policy (or via Local Security Policy if you really want to do it by hand!).
Local Settings\Security Settings\Local Policies\Security Options
This setting needs to be ENABLED
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
If you are a little worried about security, there are still some restrictions in place that prevent just any old application from getting around UAC.
UIA programs (User Interface Accessibility) are designed to interact with Windows and application programs on behalf of a user. This policy setting allows UIA programs to bypass the secure desktop to increase usability in certain cases; however, allowing elevation requests to appear on the interactive desktop instead of the secure desktop can increase your security risk.
UIA programs must be digitally signed because they must be able to respond to prompts regarding security issues, such as the UAC elevation prompt. By default, UIA programs are run only from the following protected paths:
- …\Program Files, including subfolders
- …\Program Files (x86), including subfolders for 64-bit versions of Windows
If you really wanted to lower your security, you can disable this requirement too, but it’s probably not worth thinking about!
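To confirm what a machine actually ended up with after the policy applies, here is a read-only check (an added example, not part of the original note). It assumes the registry value names Microsoft documents for these two UAC policies, EnableUIADesktopToggle and EnableSecureUIAPaths; the function name Get-UacUiaPolicyState is made up for this example.

```powershell
# Read-only audit of the two UAC policy values discussed above.
# Registry location and value names are as documented by Microsoft for these policies.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name -> policy name, Windows default, and the value that relaxes UAC.
$Checks = @(
    @{ Name = 'EnableUIADesktopToggle'; Default = 0; Relaxed = 1
       Policy = 'Allow UIAccess applications to prompt for elevation without using the secure desktop' },
    @{ Name = 'EnableSecureUIAPaths'; Default = 1; Relaxed = 0
       Policy = 'Only elevate UIAccess applications that are installed in secure locations' }
)

function Get-UacUiaPolicyState {   # hypothetical helper name
    param([string]$Path = $UacKey)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($c in $Checks) {
        # A missing value means the Windows default applies.
        $raw = if ($props) { $props.($c.Name) } else { $null }
        $configured = ($null -ne $raw)
        $effective = if ($configured) { [int]$raw } else { $c.Default }
        New-Object PSObject -Property @{
            ValueName  = $c.Name
            Policy     = $c.Policy
            Configured = $configured
            Effective  = $effective
            Relaxed    = ($effective -eq $c.Relaxed)
        }
    }
}

$state = @(Get-UacUiaPolicyState)
$state | Select-Object ValueName, Configured, Effective, Relaxed, Policy |
    Format-Table -AutoSize -Wrap

$toggle = $state | Where-Object { $_.ValueName -eq 'EnableUIADesktopToggle' }
$paths  = $state | Where-Object { $_.ValueName -eq 'EnableSecureUIAPaths' }

if ($toggle.Relaxed -and $paths.Relaxed) {
    Write-Warning 'UIAccess prompts skip the secure desktop AND the protected-path restriction is off.'
} elseif ($toggle.Relaxed) {
    Write-Output 'Helper can answer UAC prompts; UIAccess programs are still limited to protected paths.'
} else {
    Write-Output 'Default behaviour: elevation prompts stay on the secure desktop.'
}
```

Run it on the machine being helped after a gpupdate; the warning branch is the combination the last paragraph advises against.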