Windows Remote Assistance

From Michael's Information Zone
Revision as of 12:53, 28 March 2017 by Michael.mast (talk | contribs) (→‎Deploy to workstations)

[1] [2] [3] Looking to spend as little money as possible, I have been using the Splashtop SSO support tool for remote access. However, this does not play well with UAC and prevents me from typing anything into password prompts. To help mitigate this on machines located on the LAN, I want to deploy Microsoft Remote Assistance. Sadly, Easy Connect doesn't play well with firewalls and secured locations. Here are my attempts to get this working as a viable option.

Deploy to workstations

  • Create a script to launch MSRA using an invite file.
msra /saveasfile \\network\share\to\save\to\%username%.%computername% password
  • Place the bat file on a network share that users have read access to.
  • Create a shortcut that points to the script, change the icon to something all systems have and place in a network location users have read access to.
  • Create a GPO to push out the shortcut to people's desktops.

Computer Configuration -> Preferences -> Windows Settings -> Files
Make sure to select the shortcut location as the source; the destination should be C:\Users\Public\Public Desktop\name of shortcut

To remove the UAC secure desktop issue, enable the following policy:

Computer -> Policies -> Windows Settings -> Security Settings -> Local Policies/Security Options -> User Account Control -> Allow UIAccess applications...

Keep in mind that this will only work when you're assisting standard users. If you assist administrators, you will still be prompted on the secure desktop, and the local user/admin will need to enter credentials.

General Structure

The idea is to have the user do as little as possible. For this I deployed the script mentioned above to their desktops. When they launch the script, an invitation file is created on a network share that I have access to. The shared secret is the same for all users, but since users will be expecting me to remote in, I don't see an issue. Maybe I will rotate it over time? Who knows!

When I am finished the file is deleted and we move on with our lives.
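
A variant of the launcher described above that generates a fresh password for every invitation instead of one secret shared by all users, written in PowerShell as an added example (it is not the script used on this page). The share path is the placeholder from the page, and the function name `New-InvitePassword` is hypothetical.

```powershell
# Added example: per-invitation password for "msra /saveasfile".
# $InviteShare is the placeholder path from the page; replace it with the real share.
$InviteShare = '\\network\share\to\save\to'

function New-InvitePassword {
    # Hypothetical helper: returns a random password from a cryptographic RNG.
    param([int]$Length = 10)

    # Alphabet omits easily confused characters such as 0/O and 1/l/I,
    # because the user reads the password to the technician.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789'
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1

    # Rejection sampling: skip byte values that would bias the modulo.
    $limit    = 256 - (256 % $alphabet.Length)
    $password = ''
    while ($password.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            $password += $alphabet[$buf[0] % $alphabet.Length]
        }
    }
    return $password
}

$password = New-InvitePassword

# Same file naming as the page: <username>.<computername> on the share.
$invite = Join-Path $InviteShare ('{0}.{1}' -f $env:USERNAME, $env:COMPUTERNAME)

# Quote the path so user names containing spaces stay a single argument.
Start-Process -FilePath 'msra.exe' `
    -ArgumentList '/saveasfile', ('"{0}"' -f $invite), $password

# The password exists only for this invitation and is shown to the user,
# so nothing reusable is stored in the script on the readable share.
Write-Host "Read this password to the technician: $password"
Read-Host 'Press Enter once the technician has connected' | Out-Null
```

With this variant the script on the share contains no secret, so read access to it or to an old invitation file does not reveal a password that works on another machine.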