This article will describe how to fix the black screen in Quick Assist or Teamviewer with Intune.
Situation:
- Hybrid Joined Intune MDM managed devices
- Coming from Dame Ware to give remote support
Target:
- Delivering remote support with Quick Assist or TeamViewer
Quick Assist is a Windows 10 application that enables two people to share a device over a remote connection. By allowing a trusted friend, family member, or Microsoft support person to access your computer, you can troubleshoot, diagnose technological issues, and receive instruction on your computer. You can find more info here.
While working on a project at a customer, we noticed that when using Quick Assist or TeamViewer, as we run an application or command as admin in a remote session, the UAC prompt would turn up on the computer, but the remote session gives a black screen. This is due to UAC Secure Desktop feature kicking in. Be aware that this solution for Quick Assist is to turn this secure desktop feature off, lowering security a little.
1. Create a configuration profile in Intune to deploy a UAC fix for Quick Assist
Navigate to the Microsoft Endpoint Manager console. Click on ‘Devices’. Click on ‘Configuration profiles’. Click on ‘Create profile’.
In the new profile wizard, choose a name. As Platform choose ‘Windows 10 and later’. The profile type is ‘Endpoint protection’. In settings, choose ‘Local device security options’.
In the next blade, choose ‘User account control’, and enable the ‘Route elevation prompts to user’s interactive desktop’. Click three times on ‘OK’ and then on ‘Create’ to create the new profile.
2. Assign the new profile
In your new profile, click on ‘Assignments’. Click on ‘Select groups to include’ and choose the right group on whom you want to assign this profile. (Use a testgroup first!). Click on ‘Select’ and then on ‘Save’.
Follow up if it deployed well:
3. Do a remote session with Quick Assist and test!
Now take over a device with Quick Assist, run something with admin privileges and you’ll see the UAC prompt gets redirected fine to your remote session.
Too bad that in TeamViewer this still gives us issues and isn’t working correctly.
4. TeamViewer solution
To avoid UAC issues during connections to a Service Case (session code), please connect to the service case using Windows Authentication instead of the password.
4.1 UAC for connections to the TeamViewer Host or full version
To avoid UAC issues during connections via a TeamViewer ID when connecting to the TeamViewer Host or full version (when the remote computer is logged in with a non-admin account) please do one of the following:
- If not already done beforehand: Install the TeamViewer full version or Host on the remote computer.
- Run the TeamViewer software on the remote device with administrative rights (for TeamViewer run-only full version, Portable, or QuickSupport module).
- Connect to the remote device using TeamViewer ID and Windows Authentication instead of the password. This requires the Windows account credentials of an admin account on the remote device.
- Connect to a Windows device with the Windows login credentials.
4.2 UAC for connections to a TeamViewer Service Case
To avoid UAC issues during connections to a Service Case (session code), please connect to the service case using Windows Authentication instead of the password.
This requires the Windows account credentials of an admin account on the device that created the service case.
4.3 UAC for connections to the QuickSupport module
If you are connecting to a customer running a QuickSupport module, there are a few additional steps needed in order to interact with remote UAC prompts.
Please see below for the steps required in order to interact with the UAC prompt on a remote machine when connected to a TeamViewer QuickSupport:
-
- Start TeamViewer on your computer
- Ask your partner to start TeamViewer QuickSupport on their device
- Ask your partner for their TeamViewer ID shown in TeamViewer QuickSupport
- Select the option Remote support and enter your partner’s TeamViewer ID in the field Partner ID
- Click on Connect to Partner
Hint: If you are using QuickSupport with Session codes (Service Cases), after your partner starts TeamViewer QuickSupport on their device, select Remote Control using Windows authentication to the right of the service case in your Computers & Contacts window. See chapter above.
The TeamViewer dialogue will open, but as you are connecting to a QuickSupport module, a new message also appears.
Select Click here for more information to proceed. A new dialog box appears:
Select Switch to Windows authentification and enter the remote computer’s local admin credentials and Click Log On.
Hint: When you click Log On please be advised you will not be automatically connected. You will see a new message appear at the bottom of the TeamViewer application window:
The remote computer will be prompted with a UAC prompt from TeamViewer. Instruct the remote user to select YES to allow TeamViewer to make the requested changes.
Once the user accepts the UAC prompt, their TeamViewer QuickSupport will restart. Reconnect to the ID, and you will be prompted with the Windows credentials login screen again. Re-enter the local admin credentials, and you will be connected to the device.
You are now connected to your partner’s computer and can control the UAC as you wish.
Happy testing!
More articles on Intune:
- O365 suite not installing on Intune managed devices (0X3AFC)
- Windows updates not installing on Intune devices
- Silently remove SCCM client and enroll device in Intune
- Serverless LAPS with Intune, Function App and Key Vault
- Windows Updates for Business with deadline settings in Intune
- Windows Hello for Business multi-factor unlock with Intune
- Block unsanctioned apps: MCAS + MDATP + Intune configuration
- Create a security task in Intune from MDATP to take action on exploits
- Windows Insider update ring in Intune
- Intune – Change primary user of a device
