Intune Remote help for Windows

Today's blog post is about Remote help, a feature announced around Microsoft Ignite. Remote help is a new remote assistance tool created by Microsoft and integrated with Intune. The application itself is based on the Windows app Quick Assist, but the features in this version are expanded, as Microsoft describes in the announcement:

We have developed new advanced endpoint management capabilities to meet the need for secure, connected experiences for IT administrators, helpdesk associates and Windows users on enrolled and unenrolled devices. Specifically, we will introduce four new capabilities for remote help:

Role-based access control (RBAC) and permissions: to define who is authorized to support which user or groups of users.

Elevation: to help Administrators determine if helpdesk associates can use local administrative privileges to troubleshoot an employees’ device, or if elevation of the task permissions is required.

Compliance warnings: to help protect the organization from security risks, alerts are displayed to the helpdesk associate if a device is out of compliance and may introduce a security risk to the organization.

Reporting: to identify recurring issues and potentially suspicious activity.

As the new tool has just been released in Public Preview, we might expect further development of the tool and maybe even a version for other platforms.

Microsoft describes this tool as free to use during the Public Preview period. When it hits general availability, Microsoft will offer the tool as an add-on to the Intune license.

Official documentation can be found in the Microsoft docs.

In this post, let’s have a look at how we get everything set up to use this new remote assistance tool.

Enable Remote help

The easiest part of this setup is to turn the new feature on in the Endpoint Manager admin center. The option to turn on the feature is found under Connectors and tokens.

  • Sign in to the Microsoft Endpoint Manager admin center
  • Browse to Tenant administration, Connectors and tokens
  • Open the Settings tab
  • Set Enable remote help to Enabled
  • Make your choice for Allow remote help to unenrolled devices
  • Click Save

Role-based access control

We are able to define which users are allowed to use the Remote help tool. Besides that, we’re able to define with which permissions the helper is able to set up a remote session. For example, first-line support is allowed to view the session and second-line support is allowed to take full control and use elevation.

I’m going to create two custom roles. One which allows viewing a session and the second one to allow Full control and elevation. Using these two roles and different assignments, we are flexible in who is allowed to offer remote help to which user (or device) and with which permissions.

This is all configured, like other permissions in Intune, with Endpoint Manager roles.

  • Browse to Tenant administration, Roles
  • Click +Create
  • Give the role a Name
  • Enter a Description (optional)
  • Click Next
  • Scroll down to the Remote help app section
  • Select the permissions you want to set for the new role
  • Select Next
  • Finish creation of the new role
  • Open the Assignments tab
  • Click Assign
  • Give the assignment a Name
  • Enter a Description (Optional)
  • Click Next

Here we add the group which holds the helpers to which we want to assign the role.

And here we assign the group to which the role is targeted. I’ll keep it simple, this group of helpers is allowed to start a remote help session to all devices.

Now the Remote help feature is enabled and permissions are in place. The only thing left is to deploy the (preview) Remote help application to our Windows devices.

Deploy the Remote help app

The Remote help tool which is used for this solution can be downloaded from the Microsoft website.

It depends on your environment how you can deploy the app to your Windows devices.
If you’re using Microsoft Intune, you need to wrap the installer file with the wrapper tool which is found here.

When this is done, we can deploy it as Win32 app with Intune.

For my lab I used these install and uninstall commands.
Install command: Remotehelp.exe /install /quiet acceptTerms=yes

Don’t forget to add /install to the command, without that it fails to install. And the acceptTerms is case sensitive.

And this is the detection rule which does the job in my lab.

We have deployed the app to our Windows devices, so let’s have a look at how the Remote help tool is used by our users and helpers.

Using Remote help

As this new Remote help tool is based on the Quick Assist app, this tool works pretty much the same.

To start the tool we can just open it from the Start menu.

But as a helper (with access to the Intune portal) we can also start the tool directly from the Intune portal.
From the action menu, click the dots on the right and click on New remote assistance session.

Click Launch remote help.

And if it’s the first time, set a checkmark and click Open Remote help.

A big difference is the requirement that we (the helper and user) sign in to the app with our organizational account.

We need to accept these terms as user, as the app shares information with the remote helper.

Both the user and the helper are shown the screen below.
The user enters the security code in the text box.
The helper clicks Get security code to generate the code.

The security code expires after 10 minutes.

These instructions are helpful for a helper who has never used the tool.

To make sure the helper is connecting to a known user’s device, information about the user is presented to the helper, like the Name, Company name and job title.

The end-user is shown information about the helper, to make sure the person who is connecting is a trusted user.

The tool itself looks a lot like Quick Assist. We have options to select the monitor, switch between the screen sizes, start Task manager and we have a text box.

In the top left corner, it shows if the end-user is running in administrator mode or not.

And an option that we can’t use in some environments when using Quick Assist or Teams, for example, is to redirect the elevation prompt to the helper’s desktop.

Remote help insights

When we switch back to the Endpoint Manager admin center, we have some insights available for Remote help.

We have a visual of the Average session time and Total sessions.

And we have a session list. The list shows provider ID (helper), Recipient ID (end-user), device name, session duration, and it shows if it was a view-only or full control session.
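
One way to review that session list against the two-role split set up earlier (view-only versus full control), as an added example that is not part of the original post or a Microsoft tool. It assumes the list has been copied out to CSV; the column names, the sample rows and the FULL_CONTROL_HELPERS set are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample of a session-list export. Column names are assumptions
# modelled on the fields named above; adjust them to match a real export.
SAMPLE_EXPORT = """provider_id,recipient_id,device_name,duration_minutes,session_type
helper1@contoso.example,user1@contoso.example,PC-001,12,View only
helper1@contoso.example,user2@contoso.example,PC-002,8,Full control
helper2@contoso.example,user3@contoso.example,PC-003,25,Full control
helper2@contoso.example,user1@contoso.example,PC-001,5,Full control
helper1@contoso.example,user1@contoso.example,PC-001,7,View only
"""

# Hypothetical (lowercase) membership of the group assigned the full-control role.
FULL_CONTROL_HELPERS = {"helper2@contoso.example"}


def load_sessions(text):
    """Parse the export into a list of dicts with a numeric duration."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["duration_minutes"] = int(row["duration_minutes"])
    return rows


def unauthorized_full_control(sessions, allowed):
    """Full-control sessions started by helpers outside the allowed set.

    A hit means the role assignment is broader than intended and should be
    reviewed in Tenant administration, Roles.
    """
    return [s for s in sessions
            if s["session_type"].strip().lower() == "full control"
            and s["provider_id"].strip().lower() not in allowed]


def recurring_devices(sessions, threshold=3):
    """Devices helped at least `threshold` times: candidates for a root-cause fix."""
    counts = Counter(s["device_name"] for s in sessions)
    return {dev: n for dev, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    sessions = load_sessions(SAMPLE_EXPORT)
    for s in unauthorized_full_control(sessions, FULL_CONTROL_HELPERS):
        print("REVIEW:", s["provider_id"], "->", s["device_name"])
    print("Recurring:", recurring_devices(sessions))
```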

Overall, for the first public version, I’m pretty happy with the tool. As it is a preview, I expect the options we have with the tool might get expanded in the future.
Now let’s hope the license for this new Remote help tool is at least part of the M365 E3 suite.

16 Comments

  1. Hello

    I have just tested and I do not arrive at the result.
    The “new remote assistant” remains grayed out

    an idea?

  2. Cannot wait until we have access to this. For us, this has been the largest missing piece of Endpoint Manager.

  3. Great post. Although the feature is in public preview, I found a possible issue. The PC requesting assistance will logout when the “helper” ends the Remote Help session. This occurs only when the “helper” connects using Full Control. W10 Enterprise OS on both systems and both systems are AAD joined.

    Anyone else having this issue?

  4. Hello,

    Has anyone solved the problem of the greyed-out option “new remote session” in Endpoint Manager?

    Thanks

  5. Updated 12.14.2021: We updated the name of the installer on December 8, 2021 from remotehelp.exe to remotehelpinstaller.exe to resolve silent deployment issues and msi installation issues. While application functionality hasn’t changed, we recommend visiting aka.ms/DownloadRemoteHelp to download the updated version.

  6. If you were having issues with elevation not being accessible to TeamViewer / QuickAssist, there is a Configuration Policy worth checking:
    “Route elevation prompts to user’s interactive desktop”

    Also, in the security baselines under Local Policies Security Options:
    Administrator elevation prompt behavior
    Standard user elevation prompt behavior

    Trying to understand the benefit of this new remote support app and if it’s worth the licence if users still have to launch it to type a code in? Or perhaps it could just prompt a user to accept support so you don’t have to explain to users: “click on start, then start typing Q..” “but there’s no place to type”

    • The settings which you mention regarding the routing of elevation prompts are not allowed to be set in a lot of environments due to security measures. For MSRA, for example, these settings don’t need to be changed. It’s sort of a marked safe application, and now Remote help is also such an application, for which we don’t need to set these settings.

  7. Works like a charm, thanks!

    Only thing is, when we end a session on a Windows 11 machine, the user gets signed out.
    Any suggestion?
    Windows 10 users haven’t got this problem
