Remote Help – The new remote support app from Microsoft

For many years now, natively managed Intune devices (i.e. not co-managed with Config Manager) have had one problematic issue – Remote support.

In several places I’ve worked, remote viewing and control via Microsoft Teams has been an option, however for many support people, being able to perform tasks with elevated access has not been possible. The only supported methods have been the Config Manager remote control tool (meaning co-management) or TeamViewer. Quick Assist has also been considered, but like Microsoft Teams, the inability to elevate access to perform tasks is also an issue.

At the recent 2021 Microsoft Ignite conference, it was announced that the long-awaited solution, Remote Help, would be going into Public Preview.

Microsoft have some good documentation on Remote help, and it should be reviewed as there are a number of requirements (Network Considerations, Prerequisites etc.)

I was able to do a basic setup of this in my lab tenant within an hour, so I thought I would share what I did.

Set up the Remote Help Connector

In the Connectors and tokens section of the Tenant admin, you will find the new Remote help (preview) connector.

The first thing to do is to enable this connector.  There is also an option to Allow remote help to unenrolled devices.  In an enterprise environment, I would be hesitant to enable this option until I know more about it.

Remote Help Intune RBAC Permissions

With Remote help, there are three roles available – View Screen, Take Full Control and Elevation

The Intune Administrator Azure role and the Help Desk Operator Intune RBAC role have all three of these permissions set to yes by default.

If you want to implement just in time administration or have other requirements e.g. trainer staff having view screen permission only (useful in the remote working world), you can configure this by creating custom Intune RBAC roles

Deploying the Remote Help Client

The next step is to deploy the Remote Help client to all devices that will either be requesting help or providing help.

Download the latest version of remote help direct from Microsoft here.

To deploy this, I will use the Microsoft Win32 Content Prep Tool to prepare the Remotehelp.exe file.

I created the following Win32 App in Intune:

Name: Microsoft Remote Help
Publisher: Microsoft
App Version: 10.0.10011.16384
Category: Computer Management

I used the following Install and Uninstall Commands

Install Command:

Remotehelp.exe /install /quiet acceptTerms=Yes

Uninstall Command

Remotehelp.exe /uninstall /quiet

I set the requirements specific to my environment

For my detection rule, I used the following:

Rule Type: File
Path: %ProgramFiles%\Remote help
File or Folder: RemoteHelp.exe
Detection method: String (version)
Operator: Equals
Value: 10.0.10011.16384*

*This will change when newer versions of RemoteHelp.exe come out
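An exact-match version rule has to be edited for every new release. One alternative is a custom detection script that accepts the baseline version or anything newer and also checks the binary's signature. The script below is an added example, not from the original post or from Microsoft; it generalises the rule above from "equals" to "at least", and the expected signer subject is an assumption.

```powershell
# Added example: custom detection script for the Remote Help Win32 app in Intune.
# Intune treats the app as detected when the script exits 0 AND writes to STDOUT.

# Baseline version taken from the post; raise it when a newer build becomes the minimum.
$minVersion = New-Object System.Version '10.0.10011.16384'

# A 32-bit PowerShell host maps %ProgramFiles% to "Program Files (x86)";
# ProgramW6432 points at the 64-bit folder on 64-bit Windows.
$programFiles = if ($env:ProgramW6432) { $env:ProgramW6432 } else { $env:ProgramFiles }
$exe = Join-Path $programFiles 'Remote help\RemoteHelp.exe'

if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
    exit 1   # not installed: no output, non-zero exit
}

# Build the version from its numeric parts; the FileVersion string can carry extra text.
$info = (Get-Item -LiteralPath $exe).VersionInfo
$installed = New-Object System.Version -ArgumentList @(
    $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)

if ($installed -lt $minVersion) {
    exit 1   # older than the baseline: report as not detected
}

# Assumption: the binary is Authenticode-signed by a Microsoft Corporation certificate.
$sig = Get-AuthenticodeSignature -LiteralPath $exe
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
    exit 1   # unsigned, tampered or unexpected signer
}

Write-Output "Remote Help $installed detected"
exit 0
```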

In my lab environment, I deployed the Remote Help app to all managed Windows devices

Using Remote Help

On the device requesting help, open the Remote Help app.

Click Sign In

You will then see some information about privacy.

Click Accept

The remote help app is now ready for the provider to help

On the Provider device, in Microsoft Endpoint Manager, select the requestor's device and select New Remote Assistance Session. This will open the Remote Help app on the provider's device.

NOTE: There have been issues with this on some tenants with the option being greyed out.  If this happens, you can still use Remote Help, the provider just has to open the Remote Help app and continue

On the provider device, click Get a security code

A six-digit security code is generated and is valid for 10 minutes.

On the requestor device, enter the six-digit code and press Submit.

Depending on the access the Provider has been granted, they will have two options.  In this case Take full control is selected

The Requestor can choose to decline or allow this, in this case, the

The provider can now help the requestor

Requestor view:

Provider view:

Elevation

The above is great, but this is the equivalent of using Microsoft Teams or Quick Assist for remote control. Where Remote Help has a major difference is the ability for the provider to perform elevated tasks on the requestor's device.

As an example, the provider will use elevation to restart a service

Opening the Services console shows that the user does not have access to restart a service

If the Provider opens the Services console as an Administrator

They are then prompted for elevated credentials (this is not possible when using Quick Assist or Microsoft Teams)

The Service console opens and admin tasks are able to be performed

I have confirmed that when ending a Remote Help session where elevation is used, the Requestor's device is signed off. It is important that the requestor has saved their work prior to the session ending to avoid losing any work. This is noted in the Microsoft documentation.

Reporting

On the Remote help (preview) connector page, there is a Monitor tab. Here you will be able to see some useful information on the usage of Remote Help.

The Remote help sessions tab also provides some more detail on the remote sessions

I’m really looking forward to seeing how the public preview evolves and for this to go GA in 2022.

There are indications from Microsoft that this will be a premium service, meaning there will most likely be an additional cost to use this feature.

P.
