For many years now, natively managed Intune devices (i.e. not co-managed with Config Manager) have had one problematic issue – Remote support.
In several places I’ve worked, remote viewing and control via Microsoft Teams has been an option, however for many support people, being able to perform tasks with elevated access has not been possible. The only supported methods have been the Config Manager remote control tool (meaning co-management) or Team Viewer. Quick assist has also been considered, but like Microsoft Teams, the inability to elevate access to perform tasks is also an issue.
At the recent 2021 Microsoft Ignite conference, it was announced the long-awaited solution Remote Help would be going into Public Preview
Microsoft have some good documentation on Remote help, and it should be reviewed as there are a number of requirements (Network Considerations, Prerequisites etc.)
I was able to do a basic set this up in my lab tenant within an hour, so I thought I would share what I did.
Set up the Remote Help Connector
In the Connectors and tokens section of the Tenant admin, you will find the new Remote help (preview) connector.
The first thing to do is to enable this connector. There is also an option to Allow remote help to unenrolled devices. In an enterprise environment, I would be hesitant to enable this option until I know more about it.
Remote Help Intune RBAC Permissions
With Remote help, there are three roles available – View Screen, Take Full Control and Elevation
The Intune Administrator Azure role and the Help Desk Operator Intune RBAC role has all three of these permissions set to yes by default.
If you want to implement just in time administration or have other requirements e.g. trainer staff having view screen permission only (useful in the remote working world), you can configure this by creating custom Intune RBAC roles
Deploying the Remote Help Client
The next step is to deploy the Remote Help client to all devices that will either be requesting help or providing help.
Download the latest version of remote help direct from Microsoft here.
To deploy this, I will use the Microsoft Win32 Content Prep Tool to prepare the Remotehelp.exe file.
I created the following Win32 App in Intune:
| Name | Microsoft Remote Help |
| Publisher | Microsoft |
| App Version | 10.0.10011.16384 |
| Category | Computer Management |
I used the following Install and Uninstall Commands
Install Command:
Remotehelp.exe /install /quiet acceptTerms=YesUninstall Command
Remotehelp.exe /uninstall /quiet
I set the requirements specific to my environment
For my detection rule, I used the following:
| Rule Type | File |
| Path | %ProgramFiles%\Remote help |
| File or Folder | RemoteHelp.exe |
| Detection method | String (version) |
| Operator | Equals |
| Value* | 10.0.10011.16384 |
*This will change when newer versions of RemoteHelp.exe come out
In my lab environment, I deployed the Remote Help app to all managed Windows devices
Using Remote Help
On the device requesting help, open the Remote Help app.
Click Sign In
You will then see some information about privacy.
Click Accept
The remote help app is now ready for the provider to help
On the Provider device, in Microsoft Endpoint Manager, select the requestors device and Select New Remote Assistance Session. This will open the Remote Help app on the providers device.
NOTE: There have been issues with this on some tenants with the option being greyed out. If this happens, you can still use Remote Help, the provider just has to open the Remote Help app and continue
On the provider device, click Get a security code
A six digit security code is generated and is valid for 10 minutes
On the requestor device, enter the six digit code and press Submit
Depending on the access the Provider has been granted, they will have two options. In this case Take full control is selected
The Requestor can choose to decline or allow this, in this case, the
The provider can now help the requestor
Requestor view:
Provider view:
Elevation
The above is great, but this is the equivalent of using Microsoft Teams or Quick Assist for remote control. Where Remote Help has a major difference is the ability for the provider to perform elevated tasks on the requestors device.
As an example, the provider will use elevation to restart a service
Opening the Services console shows that the user does not have access to restart a service
If the Provider opens the Services console as an Administrator
They are then prompted for elevated credentials (this is not possible when using Quick Assist or Microsoft Teams)
The Service console opens and admin tasks are able to be performed
I have confirmed when ending a Remote Help session where elevation is used, the Requestors device is signed off. It is important that the requestor has saved their work prior to the session ending to avoid losing any work. This is noted in the Microsoft Documentation
Reporting
In Remote help (preview) connector page, there is a monitor tab. Here you will be able to see some useful information on the usage of Remote Help
The Remote help sessions tab also provides some more detail on the remote sessions
I’m really looking forward to seeing how the public preview evolves and for this to go GA in 2022.
There are indications from Microsoft that this will be a premium service meaning it most likely there will be an additional cost to use this feature.
P.
thenewnumber2.com 