Forum Discussion

JillArmour's avatar
JillArmour
Icon for Community Manager rankCommunity Manager
Jun 29, 2023

Repost: Make quick assist run as admin

Question:

We need to be able to use Quick Assist in Windows 10 to do some administrative tasks, but if the end user initiates the Quick Assist session then the remote admin is limited to only what the end user has access to.  Is there any way we can start Quick Assist as an administrator or elevate it to admin level during the Quick Assist session?

 

Response:

Quick Assist is my preferred application to resolve all technical issues remotely.

It also allow me to Run as Administrator to install and configure hardware/software but there are few steps required as mentioned below:

  1. Run CMD at end-user's computer
  2. Type the below command:
    runas /user:domain\administrator cmd
    *domain will be any domain of your organization
    *administrator can be  any administrator login.
    If domain is not available type the below command in cmd.
    runas /user:local_user cmd
  3. Put the admin password.

Now you have successfully launched cmd in administrator mode, you can run the below tasks.

  • x:\MicrosoftEdgeSetup.exe (for software installation, where x is any drive letter from your computer).
  • appwiz.cpl for installing or uninstalling program.
  • services.msc (Run or Stop a service)
  • devmgmt.msc (Device Manager, to install/uninstall or upgrade the device driver)
  • diskmgmt.msc (Disk Management
  • compmgmt.msc (Computer Management)
  • regedit (Registry Editor)

Above mentioned are just example, you can use the number of commands as per your requirement. 

tech question or issue
  • Mohammad_AlShaabi's avatar
    Mohammad_AlShaabi
    Copper Contributor
    Mar 21, 2024
    If I can reach the end-user's computer physically and do the mentioned steps then why would I need quick assist?
    I need to run it in administrator mode remotely without doing these steps physically on each end user's computer.
    • glindauer's avatar
      glindauer
      Copper Contributor
      Mar 21, 2024

      Mohammad_AlShaabi 
      You can do everything in the Nov 30 2023 05:18 AM post using Quick Assist. You do not need physical access to the machine to do any of those steps.

      Note the runas /user:.\Administrator cmd, which you run inside quick assist. That gives you an elevated prompt without physical access to the machine or needing to have the user click anything, and you can proceed to make the registry changes in quickassist as well, by following the other steps.

      • Tremaine_nul's avatar
        Tremaine_nul
        Copper Contributor
        Nov 15, 2024

        Hi Glindauer, just wanting to be totally clear here -- in Quick Assist, the user receiving help still has to do the first step: "Allow Screen Sharing" to the incoming connection.  No?

        I prefer users I'm helping know that I am taking control of their machine, up front, so this seems to fill the bill for me.

        I also like the idea of putting the 0x1 part of the command into a Startup batch file to reset back to secure.  Haven't tried it yet,

  • glindauer's avatar
    glindauer
    Copper Contributor
    Nov 30, 2023

    JillArmour  What a great post!

    With a further step, you can alter settings so you can fill in credentials when elevation is required. To do this, you need to set the PromptOnSecureDesktop value in the     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System registry key to 0x0.

    You need an elevated administrator command prompt to do this; if you use runas /user:.\Administrator cmd for you will get this elevated prompt.

    If you don't have an enabled .\Administrator account, from a cmd window that has admin privileges (but isn't elevated) you can use 
    powershell -Command "Start-Process cmd -Verb RunAs" and use any account in the computer's administrator group. However, unlike signing directly in as Administrator, this method requires the remote user to click "Yes" on their side, to OK this elevation.

    If you can use chat, email, or something like (external links removed by moderator)     you can send
    powershell -Command "Start-Process cmd -Verb RunAs"
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 0x0 /f
    to the remote. Then using the final, elevated Admin, cmd window, execute the reg (or regedit.exe if you prefer) to clear PromptOnSecureDesktop. From that point UAC prompts will appear where you can see and respond to them.
     
    The point of all that was to disable PromptOnSecureDesktop without having Windows 10 or 11 prompt you for credentials on the secure desktop. One the secure desktop is disabled, you won't be "paused out" of the remote whenever the computer asks for elevated credentials.

    Before you end the session, be sure to change PromptOnSecureDesktop back to 0x1! The secure desktop prevents programming functions (presumably in malware) from being able to read the password you enter.
    • NZDanny's avatar
      NZDanny
      Copper Contributor
      Jan 17, 2024
      If you are regularly running this kind of support process in a internal domain environment or for customers, you can implement a net logon or domain policy. One of my customers built it in as part of the startup that the registry would revert to secure desktop prompts again to maintain endpoint security when they reboot, just in case the support agent got disconnected before the agent could revert the setting for "PromptOnSecureDesktop".

Resources