How to enable Credential Escalation for Quick Assist in CIS 3.0.0

Overview

This knowledge base article provides step-by-step instructions on how to enable credential escalation for Quick Assist in Windows 11 using CIS 3.0.0. It covers how to change the User Account Control (UAC) prompt behaviour for both the end user (sharer) and IT staff (helper).

The issue is that if IT staff (helper) try to launch a process that requires elevation, they can get stuck with a blank screen while the end user (sharer) is staring at a UAC prompt (even if the sharer is a local admin). If the sharer isn't a local admin, and the helper doesn't want to give them credentials to type in, what do you do?



The following will be covered in this article:

  • Changes for CIS 3.0.0 - Device Configuration
  • Changes for CIS 3.0.0 - Administrative Rights
  • End Result

Changes for CIS 3.0.0 - Device Configuration

1. Navigate to Windows Configuration Profiles, select Create, then select New Policy. Select Platform: Windows 10 and later and Profile type: Settings Catalog, then select Create.

 

2. Under the Basics tab, enter the following:

Name: Enable Credential Escalation for Quick Assist
Description: Enable Credential Escalation for Quick Assist
Then select Next



3. Under the Configuration Settings tab, select Add Setting. In the settings search box, enter: Power Management. Then set the following:

User Account Control Behavior Of The Elevation Prompt For Administrators set to Prompt for credentials

User Account Control Behavior Of The Elevation Prompt For Standard Users set to Prompt for credentials

User Account Control Switch To The Secure Desktop When Prompting For Elevation set to Disabled

The following three OMA-URI settings will need to be updated on CIS 3.0.0:

| Settings | Description |
|---|---|
| User Account Control Behavior Of The Elevation Prompt For Administrators | This policy setting controls the behaviour of the elevation prompt for administrators. Default setting is Prompt on Secured Desktop |
| User Account Control Behavior Of The Elevation Prompt For Standard Users | This policy setting controls the behaviour of the elevation prompt for standard users. Default setting is Prompt on Secured Desktop |
| User Account Control Switch To The Secure Desktop When Prompting For Elevation | This policy setting switches to the secure desktop when prompting for elevation. Default setting is Enabled |

 

 


Then select Next.

4. Under Scope tags, leave as default then select Next.
5. Under Assignments, select the required groups then select Next.
6. Under Applicability Rules, leave as default then select Next.
7. Under Review + create, review the following then select Create.

Changes for CIS 3.0.0 - Administrative Rights

1. Navigate to https://intune.microsoft.com/, select Endpoint Security, then select Account Protection, then select Create Policy.

2. Then select Platform: Windows and Profile: Local user group membership then select Next.

3. Under Basics, enter a name then select Next.

4. Under Configuration settings, select Add. Then select the following:

  • Local group: Administrators
  • Group and user action: Add (Update)
  • User selection type: Users/groups
  • Selected user(s): Select the users to add

Once this has been selected, select Next.

5. Under Scope tags, select Next.
6. Under Assignments, select the required groups then select Next.
7. Under Review + create, review the settings then select Save.


This will add the specified users to the 'Administrators' group on the devices you will be managing.

To verify that the specified users have been added to the 'Administrators' group, go to Start, then Computer Management, expand Local Users and Groups, select Groups, then select Administrators.


End Result

The interactive switch user account prompt will appear for both the end user (sharer) and IT staff (helper).
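
One way to confirm on a managed device that both policies above have applied, as an added example that is not part of the original article. It assumes the three Settings Catalog entries land in the standard UAC policy registry values (ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop); the function names are hypothetical.

```powershell
# Added example. Run in a PowerShell session on the managed device.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry values behind the three settings in the device configuration profile.
$expected = [ordered]@{
    ConsentPromptBehaviorAdmin = 3   # Administrators: Prompt for credentials
    ConsentPromptBehaviorUser  = 3   # Standard users: Prompt for credentials
    PromptOnSecureDesktop      = 0   # Switch to the secure desktop: Disabled
}

function Test-QuickAssistUacPolicy {   # hypothetical helper name
    $current = Get-ItemProperty -Path $uacKey -ErrorAction Stop
    foreach ($name in $expected.Keys) {
        # Absent value: the policy has not written it and Windows uses its default.
        $actual = $current.PSObject.Properties[$name].Value
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Match    = ($actual -eq $expected[$name])
        }
    }
}

function Get-LocalAdminMembers {       # hypothetical helper name
    # Look the group up by its well-known SID so localized group names still work.
    $group = Get-LocalGroup -SID 'S-1-5-32-544'
    try {
        Get-LocalGroupMember -Group $group -ErrorAction Stop |
            Select-Object Name, ObjectClass, PrincipalSource
    } catch {
        # Get-LocalGroupMember can fail when a member SID cannot be resolved;
        # fall back to net.exe, which still lists the membership.
        net.exe localgroup $group.Name
    }
}

$results = Test-QuickAssistUacPolicy
$results | Format-Table -AutoSize
Get-LocalAdminMembers

if ($results.Match -contains $false) {
    Write-Warning 'UAC settings differ from the profile; check that the device has synced.'
}
```

A row showing '<not set>' or a mismatch usually means the device configuration profile has not reached the device yet or another policy is setting the same value.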