drbank
Visitor

Can't restart as service on Intune/AAD managed Windows laptops

Recently purchased Rescue for remote support of my Intune managed laptops. Unfortunately, it won't accept my (valid) credentials when I try to restart the applet as a system service, leaving me unable to interact with UAC prompts and rendering it effectively useless. The only configuration policy I've applied is for Device Restrictions, none of which apply to UAC or authentication. What do I need to enable to allow credentials to pass through correctly?

 

Edit: When the remote user is an administrator, it allows me to prompt them to run as a service and then functions as expected. This behavior only occurs when I'm trying to elevate by passing through credentials for a non-administrative user.

3 REPLIES
dsrichmond
New Member

Re: Can't restart as service on Intune/AAD managed Windows laptops

Did you ever find a commonality, cause, or solution for this? Seeing the same behavior across multiple devices though only very sporadically. The user is sometimes prompted to enter UAC credentials, and I've speculated it could be related to the UAC policy in secpol.msc which specifies whether to ask for credentials or consent, but that hasn't been a commonality either.

JozsefSarosi
GoTo Contributor

Re: Can't restart as service on Intune/AAD managed Windows laptops

@drbank @dsrichmond 
In some cases it is really hard to find the correct user name, user email, and domain combination to log in.
I have compiled a list of which combinations are supported by the Technician Console and the Applet. Please note that the text "AzureAD" is a literal domain name; you should enter exactly that. A UPN tends to be an email address in connection with Azure AD.

Cloud Only AzureAD Account
  • UPN
  • AzureAD\UPN
  • AzureAD\USERNAME
  • AzureAD\FirstNameLastName
Hybrid Account (On-Prem AD synced to AzureAD)
  • UPN
  • AzureAD\UPN
  • AzureAD\USERNAME
  • AzureAD\FirstNameLastName
  • DOMAIN\Username
  • MACHINENAME\Username
where UPN tends to be an email address.
Earlier, TC parsed only these formats correctly:
  • domain\user
  • machinename\user
  • user@domain
If the machine is out of the domain, and the tech wants to indicate that he is entering the credentials as a local admin, he should use the name format:
machinename\username
At the same time, a local admin had to have remote access ENABLED. If the machine is a domain machine, then domain policies have to ensure that the domain admin is a domain admin for that machine, and also remotely!
The credentials should be in the format:
domainname\username
Would you please give it one more try to find the right credentials?
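As an added worked example (not the Technician Console's or the applet's own code), the following PowerShell classifies a user name typed into the "run as service" credential prompt into the formats listed above and checks it against the device's join state. The function names, the `AzureAdJoined`/`DomainJoined` lines it looks for in `dsregcmd /status` output, and the use of the local computer name as the MACHINENAME are assumptions of the example.

```powershell
# Added example (not the Technician Console's or the applet's own parser).
# Classifies a user name into the forms listed in the reply above and checks
# the form against this device's join state.
# Assumptions: dsregcmd /status prints "AzureAdJoined : YES/NO" and
# "DomainJoined : YES/NO" lines (Windows 10/11), and the local computer name
# is the MACHINENAME the reply refers to.

function Get-DeviceJoinState {
    $status = dsregcmd /status
    $aad = [bool]($status | Select-String -Quiet -Pattern '^\s*AzureAdJoined\s*:\s*YES')
    $dom = [bool]($status | Select-String -Quiet -Pattern '^\s*DomainJoined\s*:\s*YES')
    if ($aad -and $dom) { 'Hybrid' }
    elseif ($aad)       { 'CloudOnly' }
    elseif ($dom)       { 'DomainOnly' }
    else                { 'Workgroup' }
}

function Resolve-RescueUserName {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [ValidateSet('CloudOnly', 'Hybrid', 'DomainOnly', 'Workgroup')]
        [string]$JoinState = (Get-DeviceJoinState)
    )
    $hint = ''
    if ($UserName -match '^([^\\@]+)\\([^\\@]+)$') {
        $prefix, $user = $Matches[1], $Matches[2]
        if ($prefix -ieq 'AzureAD') {
            # "AzureAD" is the literal prefix; what follows may be a UPN, a user name or FirstNameLastName
            $form = if ($user -match '@') { 'AzureAD\UPN' } else { 'AzureAD\USERNAME or AzureAD\FirstNameLastName' }
            $supported = $JoinState -in 'CloudOnly', 'Hybrid'
            if (-not $supported) { $hint = 'AzureAD\... only applies to cloud-only or hybrid Azure AD accounts' }
        } elseif ($prefix -ieq $env:COMPUTERNAME) {
            $form = 'MACHINENAME\Username'   # local account on this machine
            $supported = $true
        } else {
            $form = 'DOMAIN\Username'
            $supported = $JoinState -in 'Hybrid', 'DomainOnly'
            if (-not $supported) { $hint = "device join state is $JoinState, so a domain account cannot be resolved here" }
        }
    } elseif ($UserName -match '^[^\\@]+@[^\\@]+$') {
        $form = 'UPN'
        $supported = $JoinState -ne 'Workgroup'
        if (-not $supported) { $hint = "device is not joined; use $env:COMPUTERNAME\<user> for a local admin" }
    } else {
        # A bare user name was never in the parsed set; qualify it with the machine name instead
        $form = 'bare user name'
        $supported = $false
        $hint = "use $env:COMPUTERNAME\$UserName for a local account, or a UPN / DOMAIN\user for a directory account"
    }
    [pscustomobject]@{
        Input     = $UserName
        Form      = $form
        JoinState = $JoinState
        Supported = $supported
        Hint      = $hint
    }
}

# Usage: check the name you are about to type before the prompt, e.g.
# Resolve-RescueUserName 'AzureAD\jane.doe@contoso.com'
# Resolve-RescueUserName 'jdoe' -JoinState Workgroup
```

Run it on the remote machine (or pass `-JoinState` explicitly when you already know the device type). A `Supported = False` result with a hint tells you which of the formats in the list to try instead of retyping the same credentials.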
JozsefSarosi
GoTo Contributor

Re: Can't restart as service on Intune/AAD managed Windows laptops

When an applet connects to a Technician Console, it tells whether the current user at the remote machine is a restricted user, a restricted admin or a full admin, and also whether UAC is ON. TC shows red notifications about UAC and about the credential prompts that would be needed for some actions, such as registering the applet as a Windows System Service, or as login after reboot.

During the service registration, due to UAC and the current group policies, different prompts may pop up.
The UAC prompt needs:

  • admin credentials for restricted users
  • consent, or admin credentials for restricted admins
  • no prompt for full admins.

Some strict group policies do not allow the consent prompt, but require entering admin credentials every time.
Rescue works best in an environment with elevation consent.
Please note that the current status of a restricted user or a restricted admin does not change after answering such UAC prompts; only the applet as a service, or the started process, will be elevated.
The Applet tries to keep the current user in the same state as before the applet was registered as WSS. The extra rights are needed to keep running during user sign-outs, user switching, and reboots.
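As an added diagnostic (not Rescue's own code), the following PowerShell reads the UAC policy values behind the three prompt cases described above, classifies the current token as restricted user, restricted admin or full admin, and reports which prompt the service registration will run into on that machine. The function names are assumptions of the example; the registry value meanings are the standard "Behavior of the elevation prompt" policy values. It uses whoami.exe rather than .NET's WindowsIdentity.Groups because the latter drops the deny-only Administrators SID that marks a UAC-filtered token.

```powershell
# Added diagnostic (not Rescue's own code). Reads the UAC policy values behind
# the three prompt cases in the reply, classifies the current token as
# restricted user / restricted admin / full admin, and says which prompt the
# service registration will hit. Run it unelevated in the remote user's
# session: an elevated shell always reports itself as a full admin.
# Assumptions: Windows 10/11 with whoami.exe available.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue([string]$Name, [int]$Default) {
    # A missing value means the Windows default applies
    $item = Get-ItemProperty -Path $UacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { $Default } else { [int]$item.$Name }
}

function Get-UacPolicy {
    [pscustomobject]@{
        EnableLUA                  = Get-UacValue 'EnableLUA' 1
        ConsentPromptBehaviorAdmin = Get-UacValue 'ConsentPromptBehaviorAdmin' 5
        ConsentPromptBehaviorUser  = Get-UacValue 'ConsentPromptBehaviorUser' 3
        PromptOnSecureDesktop      = Get-UacValue 'PromptOnSecureDesktop' 1
    }
}

# Meaning of the "Behavior of the elevation prompt" policy values
$AdminPrompt = @{
    0 = 'elevates without prompting'
    1 = 'prompts for credentials on the secure desktop'
    2 = 'prompts for consent on the secure desktop'
    3 = 'prompts for credentials'
    4 = 'prompts for consent'
    5 = 'prompts for consent for non-Windows binaries (default)'
}
$UserPrompt = @{
    0 = 'automatically denies elevation requests'
    1 = 'prompts for credentials on the secure desktop'
    3 = 'prompts for credentials (default)'
}

function Get-TokenState {
    $adminSid  = 'S-1-5-32-544'
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    # IsInRole is false on a UAC-filtered token even though the user is an Administrators member
    $elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    # whoami still lists the Administrators SID on a filtered token ("used for deny only")
    $listed = (whoami /groups /fo csv | ConvertFrom-Csv).SID -contains $adminSid
    if ($elevated)   { 'FullAdmin' }
    elseif ($listed) { 'RestrictedAdmin' }
    else             { 'RestrictedUser' }
}

function Get-RescueElevationOutlook {
    $policy = Get-UacPolicy
    $state  = Get-TokenState
    $verdict = if ($policy.EnableLUA -eq 0) {
        'UAC is off: no prompt, but only a member of Administrators can register the service'
    } elseif ($state -eq 'FullAdmin') {
        'no prompt: this token is already elevated'
    } elseif ($state -eq 'RestrictedAdmin') {
        $v = $policy.ConsentPromptBehaviorAdmin
        $text = if ($AdminPrompt.ContainsKey($v)) { $AdminPrompt[$v] } else { "unknown value $v" }
        if ($v -in 1, 3) { "UAC $text (policy forbids consent, so admin credentials are needed every time)" }
        else             { "UAC $text" }
    } else {
        $v = $policy.ConsentPromptBehaviorUser
        $text = if ($UserPrompt.ContainsKey($v)) { $UserPrompt[$v] } else { "unknown value $v" }
        if ($v -eq 0) { "UAC $text. Passing admin credentials through cannot work until this policy is relaxed" }
        else          { "UAC $text. Admin credentials must be entered" }
    }
    [pscustomobject]@{ TokenState = $state; Policy = $policy; Verdict = $verdict }
}

Get-RescueElevationOutlook | Format-List
```

The `Verdict` line is the part to compare against what the Technician Console shows: a restricted user on a device whose `ConsentPromptBehaviorUser` is 0 will never get a credential prompt at all, and a restricted admin with `ConsentPromptBehaviorAdmin` of 1 or 3 is the "credentials every time" case the reply mentions, which is worth checking before assuming the typed credentials were wrong.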