Tag: UAC

A problem since Windows Vista was launched is that when you remote control another user and try to elevate to Administrator, using for instance Quick Assist which is built into Windows 10 or TeamViewer, the screen on the admin side will freeze. This is due to UAC Secure Desktop feature kicking in.

The solution is to turn this secure desktop feature off, lowering security a little but at hardly no risk.

Configuration via Intune (MDM)

Create a Configuration Policy > Endpoint Protection and go to Local device security options > User account control. Set the setting Route elevation prompts to user’s interactive desktop to Enabled.

Configuration via Group Policy (GPO)

In the GPO editor, go to Security Settings > Local Policies > Security Options > User Account Control: Switch to the secure desktop when prompting for elevation to Disabled

One very common problem that I encounter every now and then with customers and when doing Windows training is the fact that remote controlling computers causes a freeze in the remote session when UAC kicks in. By default, UAC prompts for elevation on something called the secure desktop, and that effectively blocks any remote input.

This problem can be fixed by changing the necessary UAC settings. Just as a note; Never ever turn off UAC!

Configure UAC to allow for remote support by setting the following GPO settings under Computer Configuration / Policies / Administrative Templates / Windows settings / Security settings / Local policies / Security Options node:

User Account Control: Switch to the secure desktop when prompting for elevation policy = Disabled
User Account Control: Allow UIAccess application to prompt for elevation without using the secure desktop policy = Enabled

The new framework and infrastructure around apps in Windows 8 brings some new challenges to deal with. To start with you cannot turn off User Account Control if you want to use the modern apps in Windows 8, but there are more going on behind the scenes that are essential to the working of Windows Store Apps.

When a problem do occur Microsoft provide a nifty little troubleshooter tool for Windows Store Apps, download and run the tool from:
http://go.microsoft.com/fwlink/?LinkId=271185

I get many questions about the confusing problem with mapped network connections not being available when running for instance cmd.exe as an administrator even though the account is the same one being used when the cmd.exe is run with standard rights and everything works splendid.

The cause of this is UAC and the fact that you have multiple security tokens and that the mapped network drives are linked to the standard user token and not the administrator token. The solution is to enable “Linked Connections”, see the KB article 937624 for more information on how to set this value.

Also read the case of some other mysterious problems or behaviors when UAC is en effect.

Just wanted to post a quick reminder that if you turn off UAC (User Account Control) in Windows Vista or Windows 7 you also turn off “Protected mode” in Internet Explorer. Turning off UAC is not recommended but if you do, make sure that you run with a standard user account.