In this post I explain an ‘issue’ most of you will be asked to ‘fix’ once in a while. Your support team is using a remote control tool (for example the Windows built-in Quick Assist app). Every now and again their session just shows a blank screen and will not react to any input.
Turns out this happens when the remote device is showing a UAC-prompt. They have to enter administrative credentials to elevate the session. On a black screen. Without any input control whatsoever.
Whodunit
By default, UAC-prompts are shown on something called the Secure Desktop. You’ve seen it: the one where everything else dims and all other windows disappear.
This separate desktop session is special. It only allows processes running under the SYSTEM-account and is completely cut off from user-space. The idea behind it is that this protects critical UI-elements (like this credentials screen) from abuse by attackers.
Thing is, anything on this Secure Desktop only appears on the device’s own screen. Its protected status does not allow it to be influenced by (and therefore seen in) an unprivileged remote session.
For more detailed information on how UAC (and the Secure Desktop) work, these Microsoft docs are an excellent read.
Keep the lights on
The Secure Desktop feature for UAC-prompts can be turned on or off through Local Security (or Group) Policy. This results in the following registry change:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"PromptOnSecureDesktop"=dword:00000000
Please keep in mind that the Secure Desktop exists for a reason. Input (like mouse cursors and keyboard strokes) and output (like a credentials prompt) can be spoofed on a normal desktop, tricking the user into entering credentials or clicking somewhere they didn’t mean to.
In MEM, we can achieve the same result with the Local Policies Security Options CSP (which, as you know, can be used in a Settings Catalog configuration profile):
- Settings Catalog > Local Policies Security Options
- User Account Control Switch To The Secure Desktop When Prompting For Elevation
- Enabled: shows UAC-prompts on the secure desktop, which is what we’re trying to avoid.
- Disabled: shows UAC-prompts on the interactive desktop.
Alternatively, you can use the following setting, which allows for a more fine-grained approach:
- Settings Catalog > Local Policies Security Options
- User Account Control Behavior Of The Elevation Prompt For Standard Users
- Automatically deny elevation requests: just shows an “Access denied” prompt and cancels the operation.
- Prompt for credentials on the secure desktop: shows UAC-prompts on the secure desktop, which is what we’re trying to avoid.
- Prompt for credentials: shows UAC-prompts on the interactive desktop.
If you’re applying the security baseline for Windows 10 or later, note that this configures the second approach as “Automatically deny elevation requests”. As often in security baselines, the GUI shows a different name for the same setting. The one you’re looking for there is “Standard user elevation prompt behavior”.
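As an added example (not code from the original post), the read-only PowerShell audit below reads the two registry values these policies write and reports where a standard user's elevation prompt will land on the device; the function names are my own, and the value-to-option mapping follows the policy names listed above.

```powershell
# Added example: read-only audit of the UAC prompt location on this device.
# Assumes the Local Security Policy / MEM settings above write to this key.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPromptState {
    param([string]$Path = $PolicyKey)

    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    # PromptOnSecureDesktop: 1 = secure desktop (Windows default), 0 = interactive desktop.
    $secure = $p.PromptOnSecureDesktop
    # ConsentPromptBehaviorUser: 0 = automatically deny, 1 = credentials on the
    # secure desktop, 3 = credentials on the interactive desktop.
    $userBehavior = $p.ConsentPromptBehaviorUser

    if     ($null -eq $userBehavior) { $behaviorText = 'Not configured (Windows default applies)' }
    elseif ($userBehavior -eq 0)     { $behaviorText = 'Automatically deny elevation requests' }
    elseif ($userBehavior -eq 1)     { $behaviorText = 'Prompt for credentials on the secure desktop' }
    elseif ($userBehavior -eq 3)     { $behaviorText = 'Prompt for credentials' }
    else                             { $behaviorText = "Unknown value $userBehavior" }

    # Enabled (1, or not set) sends every prompt to the secure desktop regardless of
    # the per-user behavior; only when it is 0 does the standard-user setting decide.
    if     ($secure -ne 0)        { $effective = 'Secure Desktop (not visible in a remote session)' }
    elseif ($userBehavior -eq 1)  { $effective = 'Secure Desktop (forced by standard-user behavior)' }
    elseif ($userBehavior -eq 0)  { $effective = 'No prompt: elevation is denied' }
    else                          { $effective = 'Interactive desktop (visible in a remote session)' }

    [pscustomobject]@{
        PromptOnSecureDesktop     = $secure
        ConsentPromptBehaviorUser = $userBehavior
        StandardUserBehavior      = $behaviorText
        EffectivePromptLocation   = $effective
    }
}

# Returns $true when prompts have left the secure desktop. Useful as a compliance
# check after the MEM profile applies, or to find devices that drifted from the baseline.
function Test-UacPromptOnInteractiveDesktop {
    (Get-UacPromptState).EffectivePromptLocation -like 'Interactive*'
}

Get-UacPromptState | Format-List
```

Run it before and after assigning the profile to confirm the change actually took effect on the device, rather than trusting the portal's reported state.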