PowerShell script to disable the prompt on secure desktop


Introduction - 

This is part 2 of a four part series on 'How to remotely assist Azure AD Joined devices'.
Remotely assisting Intune managed devices poses challenges for MSPs as MSP technicians don't normally have Global Admin rights to the tenant and usually perform admin tasks via the Microsoft Partner Portal. 

MSP technicians face several challenges including - 
- The MSP technician account is not a local admin of the Azure AD Joined / Intune Managed device
- The end user is a standard user and has no local admin rights
- Windows 10 blacks out the screen during UAC prompts when clients are being assisted via TeamViewer or Microsoft QuickAssist.
- The Intune Security Baseline denies user elevation prompts with the message - This app has been blocked by your system administrator.

To solve these issues I have designed a three stage solution which includes the following
- Add users or groups as local admins to all Azure AD Joined devices
- Deploy a PowerShell script to disable the prompt on the secure desktop
- Update the Endpoint Security Baseline

======================================================================

This is Part 2 of a 4 part series

Remote Administration and Assistance - Four part tutorial
1. Add users or groups as local admins to all Azure AD Joined devices - Link 
2. PowerShell script to disable the prompt on secure desktop - This article
3. Updating the Endpoint Security Baseline - Link
4. How to remotely connect and assist - Link


=======================================================================

2. PowerShell script to disable the prompt on secure desktop

As discussed in the Introduction, one of the challenges facing MSP technicians is that Windows 10 blacks out the screen during UAC prompts when clients are being assisted via TeamViewer or Microsoft QuickAssist. 

Fortunately, Oliver Kieselbach, a Microsoft MVP in Enterprise Mobility, has created and shared a script on GitHub which disables the Windows 10 black screen during UAC prompts when clients are being assisted remotely.

This step by step tutorial will take you through deploying this PowerShell script.

=====================================================================

Currently, when an MSP technician is remotely assisting and runs PowerShell as an Admin or performs an action that triggers a UAC prompt, the technician's screen will go black.
This of course blocks the technician's ability to enter any credentials, whether they are Global Admin credentials or those of a user with the Local Administrator of Azure AD Joined devices right.

This happens with both Microsoft Quick Assist as well as TeamViewer.


To resolve this issue, we will be deploying a script to all devices that will disable this action.

==================================================================

Download the PowerShell script from GitHub - Link 
Rename the script - DisableSecureDesktopPrompt.ps1


Deploy the PowerShell script

Devices - Scripts


Add - Windows 10


Name - Remote Assistance - Disable prompt on secure desktop
Description - This script updates registry and disables the prompt on secure desktop to allow remote administration
Next


Script Settings -

Script location - Browse and select the PowerShell script - DisableSecureDesktopPrompt.ps1
Other settings as below
Next


Assignments
Select - Add groups


Search for, find and select the appropriate groups
Next


Review and add
Add
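
To confirm on a device that the deployed script took effect, the UAC policy values can be read back from the registry. This is an added example, not Oliver Kieselbach's script and not part of the original post; it assumes the script works by setting the standard PromptOnSecureDesktop policy value, and the function name Get-UacRemoteAssistState is hypothetical.

```powershell
# Added example: read-only check of the UAC policy values relevant to this series.
# The function name and output shape are assumptions made for illustration.
function Get-UacRemoteAssistState {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    # Meanings of ConsentPromptBehaviorUser (elevation behaviour for standard users)
    $userBehavior = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }

    $values = @{}
    foreach ($name in 'EnableLUA', 'PromptOnSecureDesktop', 'ConsentPromptBehaviorUser') {
        # A missing value means the policy was never written; record $null instead of guessing
        $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $values[$name] = if ($null -ne $item) { $item.$name } else { $null }
    }

    $user = $values['ConsentPromptBehaviorUser']
    $userText = if ($null -eq $user) { 'Not set' }
                elseif ($userBehavior.ContainsKey([int]$user)) { $userBehavior[[int]$user] }
                else { "Unknown value ($user)" }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        UacEnabled              = ($values['EnableLUA'] -eq 1)
        PromptOnSecureDesktop   = $values['PromptOnSecureDesktop']
        # 0 = prompt is drawn on the user's interactive desktop, so remote tools can see it.
        # 1 or not set = prompt is drawn on the isolated secure desktop (black screen remotely).
        RemoteToolsCanSeePrompt = ($values['PromptOnSecureDesktop'] -eq 0)
        # Auto-deny here blocks elevation for standard users regardless of the desktop setting.
        StandardUserElevation   = $userText
    }
}

Get-UacRemoteAssistState | Format-List
```

Intune reports script success per device, but reading the value back shows whether a later policy refresh has reverted it.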


=====================================================================


 
About the author -

Terry Munro is an IT specialist based in Brisbane, Australia.
He draws upon over 20 years experience designing and delivering technical solutions to a variety of enterprise clients in the private, Government and Education sectors, to revolutionise client businesses through collaboration and getting the most value from a variety of cloud solutions.
He is passionate about learning new technologies and is a firm believer in sharing knowledge to provide a better experience for all.

You can connect with Terry
LinkedIn - https://www.linkedin.com/in/terry-munro/
Facebook - @IntuneAdmin - https://www.facebook.com/IntuneAdmin/
Facebook Community Group - https://www.facebook.com/groups/intuneadmin/ 
GitHub Repository - https://github.com/TeamTerry
