This is a comprehensive guide to Intune Remote Help. Hope you find this useful.
- Remote Help Benefits
- Remote Help License Requirements
- Network Considerations
- Configure Remote Help App in Intune
- Remote Help Win32 App Deployment
- Firewall Rules Considerations
- RBAC – Assign Users to role
- Create a new RBAC Permission Role
- Create The Conditional Access Policy for the Remote Help App
- How to Use
- Initiating Chat in the App
- Restarting the Device Remotely
- If and When
- Monitoring Remote Help Sessions
- Monitor Conditional Access Sign-in Logs
- Wrapping Up
Remote Help Benefits
- You don’t need to rely on other 3rd party remote support tools, which can sometimes be dangerous to use as they can bring unwanted issues to your environment
- This is controlled via Intune and can be used to manage both enrolled and unenrolled devices
- Because providing help is governed by RBAC, if you have a set of computers that 1st level admins should not log in to, you can set up a new RBAC role and assign the permissions as required
- Microsoft Intune can provide admins with support session logs/ reports
Remote Help License Requirements
Option 1 – Microsoft Intune Suite
Purchase a Microsoft Intune Suite subscription and assign it to the users

Option 2 – Remote help add-on
This is a per-user add-on. Check here for more info
This is what you will see when you go to the Intune portal > Tenant Administration > Premium Add-ons > click on view details on Remote help

Remote Help Add-on details in the Admin Center Billing Page

Helper – The IT admin who is supporting the user
Sharer – User who requires help
Network Considerations
Remote Help works over port 443 and connects to https://remoteassistance.support.services.microsoft.com by using RDP and the traffic is encrypted via TLS 1.2
Both Helper and Sharer should be able to reach the below endpoints via port 443
Domain/Name | Description |
---|---|
*.aria.microsoft.com | Used for accessibility features within the app |
*.events.data.microsoft.com | Microsoft Telemetry Service |
*.monitor.azure.com | Required for telemetry and remote service initialization |
*.support.services.microsoft.com | Primary endpoint used for the Remote Help application |
*.trouter.skype.com | Used for Azure Communication Service for chat and connection between parties |
*.aadcdn.msauth.net | Required for logging in to the application Microsoft Azure Active Directory (Azure AD) |
*.aadcdn.msftauth.net | Required for logging in to the application Azure AD |
*.edge.skype.com | Used for Azure Communication Service for chat and connection between parties |
*.graph.microsoft.com | Used for connecting to the Microsoft Graph service |
*.login.microsoftonline.com | Required for Microsoft sign-in service. Might not be available in the preview in all markets or for all localizations |
*.remoteassistanceprodacs.communication.azure.com | Used for Azure Communication Service for chat and connection between parties |
Allowlist for Microsoft Edge endpoints | The app uses Microsoft Edge WebView2 browser control. This article identifies the domain URLs that you need to add to the allowlist to ensure communications through firewalls and other security mechanisms |
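
An added connectivity check, not part of the original guide, that can be run on a Helper or Sharer machine: it opens a direct TCP connection on port 443, forces a TLS 1.2 handshake, and reports the certificate issuer so that TLS inspection on the path becomes visible. The host list is an assumption (concrete names matching wildcard rows in the table above); extend it for your environment.

```powershell
# Added example. Hosts are concrete names that fall under the wildcard rows
# in the table above; only the first one is named explicitly in this guide.
$endpoints = @(
    'remoteassistance.support.services.microsoft.com',
    'login.microsoftonline.com',
    'graph.microsoft.com'
)

function Test-RemoteHelpEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    $result = [ordered]@{
        Host   = $HostName
        Tcp    = $false   # TCP connect on 443 succeeded
        Tls12  = $false   # handshake completed with TLS 1.2
        Issuer = $null    # issuer of the certificate the client actually received
        Error  = $null
    }

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # Direct connection: an explicit proxy configured in the OS is not used here.
        $client.Connect($HostName, $Port)
        $result.Tcp = $true

        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        # Offer TLS 1.2 only. Default certificate validation applies, so an
        # untrusted interception certificate surfaces as an error below.
        $ssl.AuthenticateAsClient(
            $HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)

        $result.Tls12  = ($ssl.SslProtocol -eq [System.Security.Authentication.SslProtocols]::Tls12)
        $result.Issuer = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose()
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    finally {
        $client.Dispose()
    }

    [pscustomobject]$result
}

$endpoints |
    ForEach-Object { Test-RemoteHelpEndpoint -HostName $_ } |
    Format-Table -AutoSize -Wrap
```

An issuer that names your own organisation's CA instead of a public CA means the traffic is being decrypted by a proxy on the path.
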
Configure Remote Help App in Intune
This feature is disabled by default and the Intune Administrator needs to go in and change the settings
Go to https://intune.microsoft.com > Tenant Administration > Remote Help

Enable the below options and hit Save

Set Enable remote help to Enabled
Set Allow remote help to unenrolled devices to Enabled
Unenrolled devices will not be able to get the Remote Help app pushed by Intune. For these devices, the app needs to be installed manually.
Remote Help Win32 App Deployment
- Download the Remote Help app 🔗Check here
- Use the intunewin app util to prepare the remote help app 🔗Check here
- Run IntuneWinAppUtil.exe as Administrator



- Upload the app to Intune
- Go to Apps > Windows in the Intune portal
- Add > App type: Windows app (Win32) > Select
- Select the intunewin package created previously and upload it

- Set the Name/ Description/ Publisher
- Set the Install command remotehelpinstaller.exe /quiet acceptTerms=1
- Set the Uninstall command remotehelpinstaller.exe /uninstall /quiet acceptTerms=1
- Install behavior System

- Press Next
- Under Requirements, OS architecture – Select x86, x64 or both
- Minimum OS – Select the OS level

- Press Next
- Under Detection rules, Rule format – Manually configure detection rules
- Detection rules – Select File and key in C:\Program Files\Remote help
- File or folder – RemoteHelp.exe
- Detection method – File or folder exists

- Press OK > Press Next and skip Dependencies and Supersedence
- Under Assignments, Assign it to the required Device Group
- Review and Create
This will now get installed in the specified device group.


Firewall Rules Considerations
Create the below exceptions in Defender Firewall if needed. The below locations need to be whitelisted.
- C:\Program Files\Remote help\RemoteHelp.exe
- C:\Program Files\Remote help\RHService.exe
- C:\Program Files\Remote help\RemoteHelpRDP.exe
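
One way to create these exceptions with the built-in NetSecurity cmdlets, as an added example that is not from the original guide. Scoping each rule to outbound TCP 443 is an assumption based on the Network Considerations section, and the rule names are made up for illustration; each binary is only allowed if it exists and carries a valid Authenticode signature.

```powershell
#Requires -RunAsAdministrator
# Added example. Paths are the three locations listed above.
# Outbound allow rules only matter where the firewall profile blocks
# outbound traffic by default.
$programs = @(
    'C:\Program Files\Remote help\RemoteHelp.exe',
    'C:\Program Files\Remote help\RHService.exe',
    'C:\Program Files\Remote help\RemoteHelpRDP.exe'
)

foreach ($path in $programs) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping $path : file not found"
        continue
    }

    # Do not punch a hole for a binary that is unsigned or has been tampered with.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Skipping $path : signature status is $($sig.Status)"
        continue
    }
    Write-Host "Signer for $path : $($sig.SignerCertificate.Subject)"

    # Hypothetical naming scheme so the rules are easy to find and audit later.
    $name = "Remote Help - $(Split-Path -Leaf $path) (outbound 443)"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $name"
        continue
    }

    New-NetFirewallRule -DisplayName $name `
        -Direction Outbound `
        -Program $path `
        -Protocol TCP `
        -RemotePort 443 `
        -Action Allow `
        -Profile Any | Out-Null
    Write-Host "Created rule: $name"
}
```
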
RBAC – Assign Users to role
By default, the Intune Admin can use this to support users. However, since the Intune Admin has the power to perform any change in the Endpoint Manager tenant, it is advisable to create RBAC within the App.
Intune RBAC permission role Help Desk Operator has all the below options set to Yes.
* View screen
* Elevation
* Take full control
Create a new RBAC Permission Role
- Go to Endpoint Manager > Tenant Administration > Roles > Create > Give a meaningful name > Next

- As shown below, set the options to Yes

- Press Next and add or skip Scope Tags (optional) > Create
- Go to the created role again > Assignments > Give a meaningful name > Press Next

- Assign it to the required Admins group > Next

- Set the Scope Groups – These are users/ devices that the relevant RBAC admin can access > Press Next

- Review and Create
Create The Conditional Access Policy for the Remote Help App
This is a newly introduced option where admins can now specifically add Remote Help as an app in Conditional Access Policies to explicitly require completion of the MFA challenge. This is an added layer as bad actors use remote support tools widely to get into computers.
- Install the Azure AD Preview PowerShell module by running PowerShell as Administrator
Install-Module AzureADPreview
- Run Connect-AzureAD and log in with the Global Admin or appropriate account
- Run New-AzureADServicePrincipal -AppId 1dee7b72-b80d-4e56-933d-8b6b04f9a3e2


- Create the Conditional Access Policy as below. Select RemoteAssistanceService from the apps that need to be included

- Make sure you set the Grant option to Require MFA or set up another required strong authentication option
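
The steps above as a single script, added here as an example and not taken from the original guide. It uses the same AzureADPreview module; the group object ID and the policy name are placeholders/assumptions, and the policy is created in the Disabled state so it can be reviewed in the portal before it is switched on.

```powershell
# Added example. Requires the AzureADPreview module installed in the first step.
Import-Module AzureADPreview
Connect-AzureAD   # sign in with the Global Admin or appropriate account

$appId   = '1dee7b72-b80d-4e56-933d-8b6b04f9a3e2'   # AppId from the step above
$groupId = '<object-id-of-remote-help-users-group>' # placeholder: helpers and sharers
$name    = 'Require MFA for Remote Help'            # hypothetical policy name

# Create the service principal only if it is not already in the tenant,
# so the script can be re-run safely.
$sp = Get-AzureADServicePrincipal -Filter "AppId eq '$appId'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $appId
}
Write-Host "Service principal: $($sp.DisplayName) ($($sp.ObjectId))"

# Conditions: target only the Remote Help app and only the chosen group.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = $appId
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeGroups = $groupId

# Grant control: require MFA.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = 'mfa'

# Avoid creating a duplicate policy on re-run.
$existing = Get-AzureADMSConditionalAccessPolicy | Where-Object DisplayName -eq $name
if ($existing) {
    Write-Host "Policy already exists: $name (state: $($existing.State))"
}
else {
    # Created as Disabled; change the state to Enabled after reviewing
    # the policy and confirming who is in the target group.
    New-AzureADMSConditionalAccessPolicy -DisplayName $name `
        -State 'Disabled' `
        -Conditions $conditions `
        -GrantControls $controls
}
```
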
How to Use
Now that we have completed the groundwork, let’s see how this is working in the Intune environment.
Person who is providing help
IT admin to go to the Intune portal > Devices > Windows > Select the device to support > click on the 3 dots . . . and select New remote assistance session

This will open up a side pane. Click on Launch Remote Help

Admin to sign-in to the remote app and complete the MFA challenge

Click on Get a Security Code button

Person Who is Asking for Help
And now the Admin will be presented with a code that has a lifetime of 10 minutes

Now Sharer to open the Remote Help app, complete MFA and accept the legal notes for the 1st time use
Sharer to complete the MFA challenge as well


Key in the 6 digits that Admin instructs to enter and proceed
Sharer will see below

While the IT admin can see below. At this stage, Admin can Take full control or just View screen

Now back to the Sharer: they can see the below screen and need to press Allow

And voilà! The screen sharing will begin

Initiating Chat in the App
Click the icon shown below to initiate a chat with the other side. They will get the chat window popped up on the screen


Restarting the Device Remotely
Use the below-shown icon to restart the sharer’s device.

They will get the below message on their computer and once the device is restarted, it will be automatically joined to the previously connected Remote Help session

If and When
- When the Sharer Device is not compliant with the Intune Compliance Policies

- If someone is not an admin or hasn’t been granted RBAC permissions, they will get the below screen.
Helper Screen

Sharer Screen

Monitoring Remote Help Sessions
Intune Portal > Tenant Administration > Remote Help
Use the below tabs to monitor the Remote Help sessions.


Monitor Conditional Access Sign-in Logs
Look for the Application == RemoteAssistanceService and its sign-ins if you need to monitor the MFA behavior for the Remote Help app

Wrapping Up
Intune is going to be a one-stop shop for all device management tasks sooner or later and Remote Help is one helpful tool from the tool box. Hope this guide was helpful for you to plan your remote tool deployment as well