remote assistance not allowing UAC prompt interaction with the box checked to allow


I need to be able to connect up to customers' computers and would like to use Remote Assistance, but I am unable to click on any UAC prompts, even though the user puts a check mark to allow me to click on the UAC prompts.

Here are the details:

  • They send me an invite file.
  • I start the session and they accept.
  • I can see their desktop.
  • I request control and they get a prompt to share control.
  • They put a check in “Allow xxxxx to respond to User Account Control Prompts” and click Yes.
  • Everything is fine until I get a UAC prompt.

I am unable to click on anything until the user clicks “yes”. Isn’t the point of that last box to prevent this? Does anyone know what I might be doing wrong or is this a bug?


You need to turn on a Group Policy setting and/or download a hotfix:

However, in order for this to work properly in scenarios that prompt
for elevation (i.e. UAC prompt), you have to enable a certain group

User Account Control: Allow UIAccess applications to prompt for
elevation without using the secure desktop

What this will do is it will enable Remote Assistance to show the UAC
prompt on the user’s desktop, as opposed to the secure desktop. If you
don’t enable this, the user being helped (call him novice) will get
the prompt on his local machine – so the expert cannot interact with
it since RA will only remote out the user’s desktop. At that point,
the novice may not know what to do with it, and/or he may not have the
administrator password. So it is important that you enable this group
policy in order to have the UAC prompt show up in the user’s desktop
and have RA remote out this dialog to the expert’s machine.

I recently created this PowerShell solution, which can be used when you need to open a Remote Assistance session and type in the elevated UAC credential that cannot be shared with the end-user being assisted.

Technically you can run just the Invoke-Command and point it to the remote computer, and then ensure the Set-ItemProperty has the appropriate 1 or 0 value for “PromptOnSecureDesktop” to enable or disable.

I wanted to ensure that when I need to run msra in an elevated session, I can just execute the script and be assured the UAC secure desktop security is re-enabled automatically after the msra session has ended.

Essentially this will…

  • prompt you for the computer name

  • disable the “UAC secure desktop” via the remote registry change and commands

  • start an msra session that works the same way it always works from here

  • enable the “UAC secure desktop” via the remote registry change and commands once the correlated msra instance ends

To use you only need to…

  1. Save the PowerShell script as a text document with a .ps1 file name extension
  2. Open a PowerShell command prompt and type (or paste) in the full script path and filename, and press Enter
  3. Enter in the computer name of the computer you are connecting to with remote assistance and press Enter.
  4. When done with the remote assistance session, close the msra process if it’s still running

Tip: Use the non-elevated “other/standard” method of msra most of the time, and only use this as-needed.

PowerShell Script

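# Prompt for the name of the computer being assisted
$pc = Read-Host "Enter the remote computer name to disable secure desktop";

# Disable the UAC secure desktop on the remote computer (0 = prompt on the user's desktop)
Invoke-Command -ComputerName $pc -Scriptblock {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 0 -Force;
};

# Start Remote Assistance and wait until the msra process exits
$remoteAssist = "$Env:windir\system32\msra.exe";
Start-Process $remoteAssist "/offerra" -Wait;
Write-Host "Your Remote assist session has ended" -ForegroundColor Red;

# Re-enable the UAC secure desktop on the remote computer (1 = prompt on the secure desktop)
Invoke-Command -ComputerName $pc -Scriptblock {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 1 -Force;
};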

Execute Example

Note: Just paste in the full path script name and press enter.

PS C:\Users\User> \\myserver.domain.com\sharename\folder\script\Elevate-RemoteAssist.ps1

Supporting Resources

  • User Account Control: Switch to the secure desktop when prompting for elevation

    The secure desktop presents the logon UI and restricts functionality
    and access to the system until the logon requirements are satisfied.

    The secure desktop’s primary difference from the user desktop is that
    only trusted processes running as SYSTEM are allowed to run here
    (that is, nothing is running at the user’s privilege level). The path
    to get to the secure desktop from the user desktop must also be
    trusted through the entire chain.

    Possible values

    • Enabled

      • All elevation requests by default go to the secure desktop.
    • Disabled

      • All elevation requests go to the interactive user desktop.


  • Invoke-Command

  • Set-ItemProperty
  • Start-Process
       Wait for the specified process to complete before accepting more input.
       This parameter suppresses the command prompt or retains the window
       until the process completes.
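
A variant of the script above that saves the machine's existing PromptOnSecureDesktop value and restores it in a finally block, so the secure desktop is not left disabled if the script is stopped or msra fails. This is an added example, not the answer author's code; it assumes PowerShell remoting to the target works as in the original script, and the variable names are illustrative.

```powershell
# Added example: same flow as the script above, with a guaranteed restore.
$pc   = Read-Host "Enter the remote computer name"
$key  = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$name = "PromptOnSecureDesktop"

# One remoting session is reused for the read, the change, and the restore.
$session  = New-PSSession -ComputerName $pc -ErrorAction Stop
$original = $null
try {
    # Record the value the machine had before it is changed.
    # A missing value is treated as 1 (secure desktop enabled, the default).
    $original = Invoke-Command -Session $session -ArgumentList $key, $name -ScriptBlock {
        param($key, $name)
        $p = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $p) { $p.$name } else { 1 }
    }

    # Show elevation prompts on the user's desktop for the length of the session.
    Invoke-Command -Session $session -ArgumentList $key, $name -ScriptBlock {
        param($key, $name)
        Set-ItemProperty -Path $key -Name $name -Value 0 -Force
    }

    Start-Process "$Env:windir\system32\msra.exe" "/offerra" -Wait
}
finally {
    # finally runs on normal exit, on a terminating error, and on Ctrl+C.
    if ($null -ne $original) {
        $now = Invoke-Command -Session $session -ArgumentList $key, $name, $original -ScriptBlock {
            param($key, $name, $value)
            Set-ItemProperty -Path $key -Name $name -Value $value -Force
            # Read the value back so the restore is verified, not assumed.
            (Get-ItemProperty -Path $key -Name $name).$name
        }
        if ($now -ne $original) {
            Write-Warning "$name on $pc is $now, expected $original. Check it manually."
        } else {
            Write-Host "$name on $pc restored to $original."
        }
    }
    Remove-PSSession $session
}
```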
