This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs.
Enabling Remote Help on Tenant
Remote Help for Intune is a premium add-on that is licensed separately. So, the first step in enabling Remote Help is either purchasing licenses for the end users or starting a trial of the Remote Help feature. Once you have licenses available, you can enable Remote Help for the tenant.
Remote Help is enabled in the Intune console – Tenant Admin node – Remote Help view. As you can see in the snippet, it is disabled by default and can be configured by clicking the “Configure” button.
Configuration is straightforward. The first option enables Remote Help for the tenant. The second option allows Remote Help for devices that are not enrolled in Intune, which would be usable for supporting personal devices of senior management.
Once the configuration is done, you will be able to see that the Remote Help service is enabled on the tenant.
Since Remote Help is a premium add-on, licenses should be assigned to those who will share their device and request help, as well as to those who will be in the helper role and connect to support users.
As seen in the snippet, once we have the required licenses, either paid or from a trial, they will be available as additional products and should be assigned either directly to users or through group-based licensing.
Deploying Remote Help Application
The Remote Help application is a Windows application that needs to be deployed to the endpoints. It can be downloaded from http://aka.ms/downloadremotehelp
It is possible to deploy the Remote Help application with any management solution. To deploy it with Intune, it is important to convert the application to the .intunewin format. Details on how to make the conversion can be found here.
After conversion, it is a regular application deployment via Intune. The install and uninstall commands are important while deploying.
Install command: remotehelpinstaller.exe /quiet acceptTerms=1
Uninstall command: remotehelpinstaller.exe /uninstall /quiet acceptTerms=1
It is also important to have the correct detection rule when distributing the application. Below are the rules recommended at the time this post was written. It is a good idea to check the Remote Help documentation beforehand for possible changes or updates.
For Rule type, select File
For Path, specify C:\Program Files\Remote Help
For File or folder, specify RemoteHelp.exe
For Detection method, select String (version)
For Operator, select Greater than or equal to
For Value, specify the version of Remote Help you are deploying. For example, 10.0.22467.1000
Leave Associated with a 32-bit app on 64-bit clients set to No
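The file rule above, expressed as an Intune Win32 custom detection script. This is an added example, not part of the original post; it uses the path and example version given here, and the helper name Test-RemoteHelpInstalled is hypothetical.

```powershell
# Added example: custom detection script equivalent to the file rule above.
# Intune treats the app as detected when the script exits 0 AND writes to STDOUT.
$Path           = 'C:\Program Files\Remote Help\RemoteHelp.exe'   # path from this post
$MinimumVersion = [version]'10.0.22467.1000'                       # example value from this post

function Test-RemoteHelpInstalled {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]  $FilePath,
        [Parameter(Mandatory)] [version] $Minimum
    )
    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
        return $false
    }
    $info = (Get-Item -LiteralPath $FilePath).VersionInfo
    # Build a [version] from the numeric fields of the file version resource.
    # Comparing as [version] is numeric per part: 10.0.9000.0 is lower than
    # 10.0.22467.1000, while a plain string comparison would rank it higher.
    $installed = New-Object System.Version -ArgumentList @(
        $info.FileMajorPart, $info.FileMinorPart,
        $info.FileBuildPart, $info.FilePrivatePart
    )
    return ($installed -ge $Minimum)
}

if (Test-RemoteHelpInstalled -FilePath $Path -Minimum $MinimumVersion) {
    Write-Output 'Remote Help detected'
    exit 0
}
# Non-zero exit with no STDOUT output: Intune reports the app as not installed.
exit 1
```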
Assigning Role Based Access Controls
The next step in the process is assigning RBAC to those who will be in the helper role. Permissions in the Remote Help app category define the capabilities that are available in the Remote Help application.
- Take full control
- View Screen
Those permissions are given to the Helpdesk operator group by default, but it is possible to create a custom RBAC role and assign only the options that satisfy your organizational requirements, such as Can View Screen but Cannot Take Full Control.
Intune RBAC is available in Intune under Tenant Administration, Roles node. As you can see, there are different built-in roles that you can assign groups to, and you can run a wizard to create a custom role based on your own requirements.
In this section we will continue with the existing Help Desk Operator role.
When you look at the permissions of the Help Desk Operator role, you can see that permissions for the Remote Help app are granted. Once we have the role to assign operators to, we can start assigning users to the role.
The assignment wizard can be started by clicking the “Assign” button on the role page. There can be one or more assignments for a given role. As with any wizard, the first step is to give the assignment a name.
Role assignments can be made only to groups, so the next step is to pick a group that contains the help desk operators.
It is possible to limit the scope of the assignment with scope tags, so that a specific help desk operator group will be able to work on a specific set of devices like VIP support, San Diego devices etc.
In my example I’m using all devices as it is just for Lab / Demo purposes.
Clicking the Create button will finish the wizard and the role assignment will be active.
Now that we have enabled the Remote Help add-on for our tenant, deployed the Remote Help application to the endpoints and assigned role-based access control permissions to those who will be supporting our end users, it is time to look at the experience from both ends.
Initiating Help Session
In the Remote Help application, there are two roles. One can be either a helper or a sharer. In our example, the firstname.lastname@example.org user will be a helper and the email@example.com user will be a sharer. Initiating a help session starts with the helper getting a security code.
This code is then shared with the user who will be in the sharer role. Note that there is a 10-minute window for the sharer to enter the code into the Remote Help application on their end.
Once the sharer enters the code on their remote help application, connection initiation will start.
As you can see from the screenshot below, the user on the left side with a blue background is in the helper role, while the user on the right side with a green background is in the sharer role. I utilized two different Windows 365 Cloud PCs that are joined to the same Azure AD domain to be able to demonstrate the remote help session.
During initiation, the helper will get a notification that the sharer is ready to accept their help. There are two main options: taking full control or viewing the screen. Also, if there are compliance issues on the device the helper is trying to connect to, such as an AV that is not up to date, the helper would see the compliance error here to keep their device safe.
Once the helper selects the option to Take full control or View screen, their selection is shared with the sharer. The sharer can then Allow or Decline based on the helper's selection.
Now that we have our session set up between our helper and sharer roles, let’s take a look at what the Remote Help application brings into the life of support teams. Note that the features mentioned here may be updated from time to time, with new features added or existing experiences improved. It is a good idea to check the updated documentation regarding Remote Help application features.
An important feature of the Remote Help application is the ability to elevate privilege for the helper role, and the ability to block elevation on the sharer role.
As you can see from the snippet below, once the helper triggers an executable to run as an administrator, their sharing is paused for a moment. During this pause, the sharer is presented with a UAC control box, asking whether they allow the elevation or not.
It is possible for a helper to utilize the laser pointer feature and highlight an item on screen. As you can see from the snippet below, the helper (left side) is using a red dot to highlight the My Documents link on Bing search results, and it is seen in real time by the sharer (right side).
It is also possible for a helper to use a pen to note certain things down on screen for a sharer. As you can see from the snippet below, the helper (left side) is using a green pen to highlight the My Documents link on Bing search results, and it is seen in real time by the sharer (right side).
It is possible for a helper to open a messaging channel to send specific instructions. When the helper triggers the instruction channel, the messages they send pop up on the sharer’s screen. Note that two-way communication is possible over the instruction channel, and there is a copy button available to copy possible commands that are sent to the sharer over the instruction channel.
It is possible for a helper to open Task Manager via the Remote Help application. Once Task Manager is opened, the helper can perform actions such as ending running processes, creating dump files, etc.
Monitoring Remote Help Sessions
It is possible to monitor Remote Help sessions. This is available on the Tenant Administration – Remote Help node, Remote help sessions view. The Provider ID, the Recipient ID, the Device Name that receives the remote help, and the Session start and Session end times are available in this monitor view.
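One way to review those session records for helpers outside the assigned group or unusually long sessions; this is an added example, not part of the original post. It assumes the session list is available as CSV with the column names of the monitor view and that Provider ID holds the helper's sign-in name; the sample rows, allow-list, threshold and function name are constructed for illustration.

```powershell
# Constructed sample data; column names follow the monitor view described above.
$csv = @'
Provider ID,Recipient ID,Device Name,Session start,Session end
helper1@contoso.example,user1@contoso.example,CPC-USER1,2023-03-01T09:05:00Z,2023-03-01T09:25:00Z
helper2@contoso.example,user2@contoso.example,CPC-USER2,2023-03-01T10:00:00Z,2023-03-01T13:30:00Z
intern7@contoso.example,vip1@contoso.example,CPC-VIP1,2023-03-02T23:40:00Z,2023-03-02T23:55:00Z
'@

# Hypothetical allow-list: members of the group assigned to the helper role.
$ApprovedHelpers = @('helper1@contoso.example', 'helper2@contoso.example')
$MaxDuration     = New-TimeSpan -Hours 2   # constructed review threshold

function Get-RemoteHelpSessionFinding {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Session,
        [string[]] $Approved,
        [timespan] $MaxLength
    )
    $inv = [cultureinfo]::InvariantCulture
    foreach ($s in $Session) {
        # Skip sessions that have no end time yet.
        if (-not $s.'Session end') { continue }
        $start    = [datetimeoffset]::Parse($s.'Session start', $inv)
        $end      = [datetimeoffset]::Parse($s.'Session end', $inv)
        $duration = $end - $start
        $reasons  = @()
        if ($Approved -notcontains $s.'Provider ID') { $reasons += 'helper not in approved group' }
        if ($duration -gt $MaxLength)                { $reasons += 'session longer than limit' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Helper   = $s.'Provider ID'
                Device   = $s.'Device Name'
                StartUtc = $start.UtcDateTime
                Duration = $duration
                Reasons  = $reasons -join '; '
            }
        }
    }
}

Get-RemoteHelpSessionFinding -Session ($csv | ConvertFrom-Csv) -Approved $ApprovedHelpers -MaxLength $MaxDuration |
    Format-Table -AutoSize
```

With the constructed rows, the second session is reported for its length and the third for a helper that is not on the allow-list.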
Microsoft Intune has a premium feature called Remote Help, which can be used to connect to Azure AD Joined devices. The Remote Help application is used for connecting to devices and has different features such as elevation of privilege, interaction with Task Manager, and pen and laser pointer usage.