I recently created this PowerShell solution, which can be used when you need to open a Remote Assistance session and type in the elevated UAC credential that cannot be shared with the end-user being assisted.
Technically you can run just the Invoke-Command and point it to the remote computer, and then ensure the Set-ItemProperty has the appropriate 1 or 0 value for "PromptOnSecureDesktop" to enable or disable it.
I wanted to ensure that when I need to run msra in an elevated session, I can just execute the script and be assured the UAC secure desktop security is re-enabled automatically after the msra session has ended.
Essentially this will...
- prompt you for the computer name
- disable the "UAC secure desktop" via the remote registry change and commands
- start an msra session that works the same way it always works from here
- enable the "UAC secure desktop" via the remote registry change and commands once the correlated msra instance ends
To use it you only need to...
- Save the PowerShell script as a text document with a .ps1 file name extension
- Open a PowerShell command prompt and type (or paste) in the full script path and filename, and press Enter
- Enter in the computer name of the computer you are connecting to with Remote Assistance and press Enter.
- When done with the Remote Assistance session, close the msra process if it's still running
Tip: Use the non-elevated "other/standard" method of msra most of the time, and only use this as-needed.
PowerShell Script
$pc = Read-Host "Enter the remote computer name to disable secure desktop";
# Disable the UAC secure desktop on the remote computer (elevation prompts go to the interactive desktop)
Invoke-Command -ComputerName $pc -Scriptblock {
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 0 -Force;
};
# Start Offer Remote Assistance and block here until the msra process exits
$remoteAssist = "$Env:windir\system32\msra.exe";
Start-Process $remoteAssist "/offerra" -Wait;
Write-Host "Your Remote Assistance session has ended" -ForegroundColor Red;
# Re-enable the UAC secure desktop on the remote computer now that the session is over
Invoke-Command -ComputerName $pc -Scriptblock {
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "PromptOnSecureDesktop" -Value 1 -Force;
};
Execute Example
Note: Just paste in the full script path and name and press Enter.
PS C:\Users\User> \\myserver.domain.com\sharename\folder\script\Elevate-RemoteAssist.ps1
Supporting Resources
The secure desktop presents the logon UI and restricts functionality and access to the system until the logon requirements are satisfied. The secure desktop's primary difference from the user desktop is that only trusted processes running as SYSTEM are allowed to run here (that is, nothing is running at the user's privilege level). The path to get to the secure desktop from the user desktop must also be trusted through the entire chain.
Possible values
Enabled - All elevation requests by default go to the secure desktop.
Disabled - All elevation requests go to the interactive user desktop.
source
- Invoke-Command
- Set-ItemProperty
- Start-Process
-Wait: Wait for the specified process to complete before accepting more input. This parameter suppresses the command prompt or retains the window until the process completes.
@rerat - With this answer, you have control over when to turn the feature off or on. With the GPO way, it's one or the other, whereas with this solution I provided, you allow it as-needed only and disallow it when done, per each allowed session or instance of RA. If you don't need to elevate, then use the other/standard method where no elevation is needed in the remote support session. – Pimp Juice IT – 2020-02-12T22:51:06.743
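The following is an added example, not the answer's own script: the same disable/msra/re-enable workflow, but the existing PromptOnSecureDesktop value is captured first and restored in a finally block, so the secure desktop comes back even if msra.exe fails to start or the script errors out part-way. Variable names ($pc, $regPath, $valName) are assumptions for this example.

```powershell
# Added example: hardened variant of the workflow in the answer above.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valName = 'PromptOnSecureDesktop'
$pc = Read-Host 'Enter the remote computer name'

# Capture the value currently on the remote machine so we restore what was
# actually there rather than a hard-coded 1 (a missing value means the default, on).
$original = Invoke-Command -ComputerName $pc -ScriptBlock {
    param($p, $n)
    (Get-ItemProperty -Path $p -Name $n -ErrorAction SilentlyContinue).$n
} -ArgumentList $regPath, $valName
if ($null -eq $original) { $original = 1 }

try {
    # Turn the secure desktop off only for the duration of this session.
    Invoke-Command -ComputerName $pc -ScriptBlock {
        param($p, $n)
        Set-ItemProperty -Path $p -Name $n -Value 0 -Type DWord -Force
    } -ArgumentList $regPath, $valName

    # Block until the Offer Remote Assistance process exits.
    Start-Process "$Env:windir\system32\msra.exe" -ArgumentList '/offerra' -Wait
}
finally {
    # Runs whether msra exited normally or something above threw, so the
    # machine is never left with the secure desktop disabled.
    $restored = Invoke-Command -ComputerName $pc -ScriptBlock {
        param($p, $n, $v)
        Set-ItemProperty -Path $p -Name $n -Value $v -Type DWord -Force
        # Read it back so the operator sees the verified end state.
        (Get-ItemProperty -Path $p -Name $n).$n
    } -ArgumentList $regPath, $valName, $original
    Write-Host "$valName on $pc restored to $restored" -ForegroundColor Red
}
```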