Enabling Remote Help and Supporting Users with Intune

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .

Enabling Remote Help on Tenant

Remote help for Intune is a premium add-on that is licensed separately. So, first step in enabling Remote help is either purchasing its license for the end users or having a trial for Remote help feature. Once you have licenses available, it would be possible to enable Remote help for tenant.

 

Snippet from Tenant Administration - Remote Help ViewSnippet from Tenant Administration - Remote Help View

 

 

Enabling Remote help can be done on Intune console – Tenant Admin Node – Remote Help view. As you can see in the snippet, it is disabled by default. Configurable With a click on “Configure” button.

 

Configure Remote Help Dialog BoxConfigure Remote Help Dialog Box

 

 

Configuration is straightforward. First option is to Enable Remote help for the tenant. And second option is to allow remote help for the devices that are not enrolled on Intune. – Which would be usable for supporting personal devices of senior management.

 

Snippet from Tenant Administration - Remote Help ViewSnippet from Tenant Administration - Remote Help View

 

Once the configuration is done, you will be able to see the remote help service is enabled on tenant.

Assigning Licenses

Since Remote Help is a premium add-on, licenses should be assigned to those who will share their device and request for help, as well as to those who will be on helper role and connect for supporting users.

 

Snippet from License Assignment ViewSnippet from License Assignment View

 

 

As seen on the snippet, once we have the required licenses either paid or from a trial; they will be available as additional products and should be assigned either directly to users or through group-based licensing.

Deploying Remote Help Application

Remote help application is a Windows application that needs to be deployed on the endpoints. It can be downloaded from http://aka.ms/downloadremotehelp

It is possible to deploy Remote help application with any management solution. To deploy with intune it is important to convert application to .Intunewin format. Details on how to make the conversation can be found here.

After conversion it is a regular application deployment via Intune. Install and uninstall commands are important while deploying.

 

Install command: remotehelpinstaller.exe /quiet acceptTerms=1
Uninstall command: remotehelpinstaller.exe /uninstall /quiet acceptTerms=1

Snippet from Intune Application Properties for Remote Help ApplicationSnippet from Intune Application Properties for Remote Help Application

 

 

Also, it is important to have the correct detection rule while distributing the application. Below are the recommended rules while this post was written. It would be a good idea to check Remote help documentation beforehand for possible changes / updates.

 

For Rule type, select File
For Path, specify C:\Program Files\Remote Help
For File or folder, specify RemoteHelp.exe
For Detection method, select String (version)
For Operator, select Greater than or equal to
For Value, specify the version of Remote Help you are deploying. For example, 10.0.22467.1000
Leave Associated with a 32-bit app on 64-bit clients set to No

Assigning Role Based Access Controls

Next step in the process is assigning RBAC to those who will be in the helper role. Permissions in Remote Help app category defines the capabilities that can be done in Remote help application.

  • Take full control
  • Elevation
  • View Screen

Those permissions are given to Helpdesk operator group by default, but it is possible to create a custom RBAC role and assign only the options that would satisfy your organizational requirements such as Can View Screen but Can Not Take Full Control etc.

Intune RBAC is available on Intune, Tenant Administration, Roles Node. As you can see there are different Built-in roles that you can assign groups to and ran a wizard to create a custom role based on your own requirements.

 

Snippet from Built-In Roles in Intune Tenant AdminisrationSnippet from Built-In Roles in Intune Tenant Adminisration

 

 

In this section we will continue with existing Help Desk Operator role.

 

Snippet from Help Desk Operator PropertiesSnippet from Help Desk Operator Properties

 

 

When you look at the permissions of Help Desk Operator role, you can see that permissions for Remote Help app are granted. Once we have the role to assign operators to; we can start assigning users to the role.

 

Snippet from Role Assignment Page for Help Desk Operator Role,Snippet from Role Assignment Page for Help Desk Operator Role,

 

 

Assignment wizard can be started by clicking on “Assign” button on the role page. There can be one or more assignments for a given role. As with any wizard, first step is to give assignment a name.

 

Snippet from Add Role Assignment Wizard for Help Desk Operator Role, Naming AssignmentSnippet from Add Role Assignment Wizard for Help Desk Operator Role, Naming Assignment

 

 

Role assignments can be done only to groups, so next step is to pick a group that is hosting the members of help desk operators.

 

Snippet from Add Role Assignment Wizard for Help Desk Operator Role, Group SelectionSnippet from Add Role Assignment Wizard for Help Desk Operator Role, Group Selection

 

 

It is possible to limit the scope of the assignment with scope tags, so that a specific help desk operator group will be able to work on a specific set of devices like VIP support, San Diego devices etc.

 

Snippet from Add Role Assignment Wizard for Help Desk Operator Role, Scope DefinitionSnippet from Add Role Assignment Wizard for Help Desk Operator Role, Scope Definition

 

 

In my example I’m using all devices as it is just for Lab / Demo purposes.

 

Snippet from Add Role Assignment Wizard for Help Desk Operator Role, Assignment Review and CreationSnippet from Add Role Assignment Wizard for Help Desk Operator Role, Assignment Review and Creation

 

 

Clicking create button will finish the wizard and the role assignment will be active.

 

Snippet from Role Assignments Wizard for Help Desk Operator RoleSnippet from Role Assignments Wizard for Help Desk Operator Role

 

 

Now that we have enabled Remote help add-on for our tenant, we deployed Remote help application to the endpoints and assigned role-based access control permissions to those who will be supporting our end users; it is time to look at the experience from both ends.

Initiating Help Session

In the Remote help application, there are two roles. One can either be a helper, or a sharer. In our example atil@mwpdemo.xyz user will be a helper; and yaz@mwpdemo.xyz user will be a sharer. Initiating a help session starts with helper getting a security code.

 

Snippet from Remote Help Application, Give Help FlowSnippet from Remote Help Application, Give Help Flow

 

 

This code is then shared with the user who will be in sharer role. Note that there is a 10-minutes window for sharer to enter the code to Remote help application on their end.

 

Snippet from Remote Help Application, Share Security CodeSnippet from Remote Help Application, Share Security Code

 

 

Once the sharer enters the code on their remote help application, connection initiation will start.

 

Snippet from Remote Help Application, Sharer FlowSnippet from Remote Help Application, Sharer Flow

 

 

As you can see from the screenshot below, user on the left side with a blue background is in helper role, while user in right side with green background is in sharer role. I utilized two different Windows 365 cloud pc’s that are joined to same Azure AD domain to be able to demonstrate the remote help session.

 

Screenshot during Remote Help Connection Initiation PhaseScreenshot during Remote Help Connection Initiation Phase

 

 

During initiation, helper role will get a notification that sharer is ready to accept their help. There are two main options as taking full control or viewing screen. Also, if there are compliance issues on the device helper is trying to connect such as an AV that is not up to date; helper would see the compliance error here to keep their device safe.

 

Snippet from Remote Help Application, Connection InitiationSnippet from Remote Help Application, Connection Initiation

 

 

Once the helper selects on the option to Take full control or View screen, their selection is shared with the sharer role. Sharer then can Allow or Decline based on Helpers selection.

Snippet from Remote Help Application, Connection InitiationSnippet from Remote Help Application, Connection Initiation

 

 

Session Experience

Now that we have our session set up between our helper and sharer roles, let’s take a look at what Remote Help application brings into the life of support teams. Note that these features mentioned here would be updated from time to time, adding new features or improving existing experiences. It is a good idea to check the updated documentation regarding Remote help application features.

Elevation

An important feature of Remote help application is the ability to elevate privilege for helper role, and the ability to block elevation on sharer role.

 

Screenshot from Remote Help Application, Elevation of a ShortcutScreenshot from Remote Help Application, Elevation of a Shortcut

 

 

As you can see from the snippet below; once helper triggers an executable to run as an administrator; their sharing is paused for a moment. During this pause, sharer is presented with a UAC control box, asking if they allow the elevation or not.

 

Screenshot from Remote Help Application, ElevationScreenshot from Remote Help Application, Elevation

 

Laser Pointer

It is possible for a helper to utilize laser pointer feature and highlight an item on screen. As you can see from the snippet below, helper (left side) is using a red-dot to highlight My Documents link on Bing search results and it is seen real time by the sharer (right side).

 

Screenshot from a Remote Help Session, Laser Pointer UsageScreenshot from a Remote Help Session, Laser Pointer Usage 

Pen

It is also possible for a helper to use a pen to note certain things down on screen for a sharer. As you can see from the snippet below, helper (left side) is using a green pen to highlight My Documents link on Bing search results, and it is seen real time by the sharer (right side).

Screenshot from Remote Help Session, Pen UsageScreenshot from Remote Help Session, Pen Usage

 

Instruction Channel

It is possible for a helper to open a messaging channel to send specific instructions. When helper triggers the instruction channel, messages they send pops up on sharer’s screen. Note that it is possible to have a two-way communication over Instruction channel and there is a copy button available to copy possible commands that are sent to sharer over instruction channel.

 

Screenshot from a Remote Help Session, Instruction ChannelScreenshot from a Remote Help Session, Instruction Channel

 

Task Manager

It is possible for a helper to open task manager via Remote Help application. Once task manager is opened, helper can do actions such as ending running processes, creating dump files etc.

Snippet from a Remote Help Session, Task Manager UsageSnippet from a Remote Help Session, Task Manager Usage

 

Monitoring Remote Help Sessions

It is possible to monitor remote help sessions. This is available on Tenant Administration – Remote Help node, Remote help sessions view. Provider ID and Recipient ID and Device Name that takes the remote help as well as Session start and Session end time information are available in this monitor view.

Snippet from Tenant Admin, Remote Help Node, Remote Help Sessions ViewSnippet from Tenant Admin, Remote Help Node, Remote Help Sessions View

 

 

Wrap-Up

Microsoft Intune has a premium feature called Remote Help, which can be used to connect to Azure AD Joined devices. Remote help application is used for connecting devices and has different features such as elevation of privilege, interaction with task manager, pen and laser pointer usage.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.