Microsoft KB Archive/937803

= During a Remote Assistance session in Windows Vista, the administrator who is trying to provide remote assistance receives a black screen =

Article ID: 937803

Article Last Modified on 6/6/2007

-

APPLIES TO


 * Windows Vista Enterprise 64-bit Edition
 * Windows Vista Business
 * Windows Vista Business 64-bit Edition
 * Windows Vista Business N
 * Windows Vista Business N 64-bit Edition
 * Windows Vista Enterprise

-



Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.



SYMPTOMS
When an administrator tries to provide remote assistance to a standard (non-administrator) user in Windows Vista, the administrator unexpectedly receives a black screen in the Remote Assistance session.



CAUSE
This behavior occurs if the administrator tries to remotely run a program that requires elevated user rights. In this situation, the Secure Desktop feature in Windows Vista displays the User Account Control dialog box only on the local desktop. The remote user receives a black screen.



WORKAROUND
To work around this behavior, you (the administrator) can configure Windows Vista to disable the Secure Desktop feature when you are prompted for elevated user rights. To do this, you must deploy a Group Policy object (GPO) in the domain. This GPO will apply to computers that require remote assistance.

Important We do not recommend that you start a program as an administrator in a Remote Assistance session. In this situation, the user can disconnect the Remote Assistance session at any time. Then, the user can continue to use administrative rights to run the program. To perform administrative tasks on a client computer, you may want to instead use Remote Desktop Connection.

For more information about how to use Remote Desktop Connection, visit the following Microsoft Web site:

http://windowshelp.microsoft.com/Windows/en-US/Help/f55326fa-e629-423b-abba-b30f76cc61e61033.mspx

If you already have a GPO in the domain, and you created this GPO from a Windows Vista-based computer, you must disable the following policy in the GPO:

Computer Configuration\Windows Settings\Security Settings\Local Policies\ Security Options\ User Account Control: Switch to the secure desktop when prompting for elevation

For more information about how to deploy group policies in Windows Vista, visit the following Microsoft TechNet Web site:

http://technet2.microsoft.com/WindowsVista/en/library/5ae8da2a-878e-48db-a3c1-4be6ac7cf7631033.mspx?mfr=true

To deploy a new GPO that applies to Windows Vista-based computers that experience the behavior that is mentioned in the &quot;Symptoms&quot; section, follow these steps. Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.
 * 1) On the Windows Vista-based computer to which you (the administrator) are logged on, click Start.
 * 2) In the Start Search box, type gpmc.msc.
 * 3) In the search results list, right-click gpmc.msc, and then click Run as administrator.
 * 4) In the Group Policy Management console, expand Forest:  , expand Domains, and then expand  .
 * 5) Right-click Group Policy Objects, and then click New.
 * 6) In the Name box, type an appropriate name, and then click OK. For example, type Vista RA policy, and then click OK.
 * 7) In the details pane, right-click the newly created policy object, and then click Edit.
 * 8) Under Computer Configuration, expand Windows Settings, and then expand Security Settings.
 * 9) Expand Local Policies, and then click Security Options.
 * 10) Double-click User Account Control: Switch to the Secure Desktop when prompting for elevation.
 * 11) Click to select the Define this policy setting check box, click Disabled, and then click OK.
 * 12) Close the Group Policy Object Editor.
 * 13) Close the Group Policy Management Console.

After you have performed this procedure, ask the user to restart the Windows Vista-based computer that requires remote assistance. You can now provide remote assistance as required. When you perform an action that requires elevated user rights, you will now receive a User Account Control dialog box in which you can enter the required credentials.

Important After you provide remote assistance, we recommend that you re-enable the User Account Control: Switch to the secure desktop when prompting for elevation policy.



MORE INFORMATION
For more information about the Remote Assistance feature, visit the following Microsoft TechNet Web site:

http://technet2.microsoft.com/WindowsVista/f/?en/library/cdfa2f21-56e5-44da-aa5a-f22987be13511033.mspx

