It finally happened. Microsoft released their own remote assistance tool called Remote Help at Ignite during the fall 2021. It was to be honest one of the things I got most excited about.
Licenses are still a bit unclear around this, Microsoft says it’s free to use during the preview but will come at an additional fee once GA hits. What this license model will look like, no one seems to really know at this point. So please be aware of that the licensing will change and that this is still public preview before putting this into production.
But the fact that it´s in public preview means that you can start assessing it and see if it will fulfil your needs!
The setup
To get going, you basically sign in to Microsoft Endpoint Manager, navigate to Tenant Administration > Connectors and Tokens > Remote Help and select Enable under the Settings tab.
And now it’s enabled!
You will also need to assign the correct rights to your support personal. If you are using the built in roles in Intune for this, this role is enabled by default for:
- School administrator
- Help Desk operator
- Intune admin
If you want to add this role to a role, or create a specific custom role for Remote Help, you can do so by creating a new role and adding the Remote Help app” rights to that user.
You can create custom roles by going to Tenant administration > Roles and then select “+ Create“.
You will then have to assign your new role to an Azure AD group containing the users you want to add this role to by selecting Assignments on your newly created role and then “+ Assign”.
Give the assignment a name:
Add the group of users you want to assign this role to:
On the next blade you can select the scope for your support personal. You could for example only allow this group to remotely support a specific group of devices. But in this setup, I’m using “All devices” as the scope group.
If you are not using scope tags, just press next and then create your assignment.
Remote help app
The other part of this solution is the Remote Help app which you will need to distribute to your users.
To get the app, you simply download it from Microsoft at aka.ms/downloadremotehelp and you will get the application file.
Next step is to get this out to your computers through Intune, which means that you would need to package this as an Win32 app in Intune. Best way to do so is by using the IntuneWinAppUtil tool.
And create a detection rule based on that a file exist.
Once you have packaged it, uploaded it and distributed it to your clients, you are ready to go!
The experience
To connect, the admin or support personal needs to have the Remote Help app installed on their device (which should be deployed from Intune).
To launch a remote session with a user, there are two ways you can go at it. You as an admin can navigate to the device in the Microsoft Endpoint Management portal and go to Devices > Windows > Windows devices and find the device you want to support. On the device ribbon (where you see “Retire, Wipe, Delete”) find the three dots and select “New remote assistance session” and then click “Launch remote help”. This will open the Remote Help app.
Update: This being preview and all, it seems like the experience has changed a bit since when I originally started setting this up in my lab. The proper way to initiate a remote session is to go through the app, not Microsoft Intune. Check out the updated Docs for more information.
To initiate a remote session, launch the Remote Help app from your computer.
The first time you launch Remote Help, you will be asked to sign in and accept the user agreement.
Once signed in, you get a similar experience as the Quick Assist app where you can either choose to get or give help.
To give help, you simply select “Get a security code” which will generate a code that you can provide to the user you are helping.
When you have generated the code, share it the user you are helping. When the user enters the code in the “Get help” section, the admin will get a prompt showing which user they are trying to connect to, and they can select if they want to take full control or just view the screen.
Based on the support persons selection, the user will get a prompt showing who is going to help them and to allow or cancel their request to connect.
As you can see below, Remote Help will prompt if the device you are connecting to is not compliant and you can choose to either accept or leave the session since this could mean an increased risk. This status is also shown in the Microsoft Endpoint Manager portal on the device.
And now we can see the user’s desktop and perform our remote support tasks!
One little nice feature I found was that there is some options to do annotations on the users screen if you want to guide them to do something, and there is also a message feature you can send a receive messages in.
Why use Remote Help
What sets Remote Help apart from e.g. Quick Assist in Windows is that it’s built for enterprises, not consumer. This means that you have more control and possibilities, such as using corporate credentials and being able to accept UAC prompts with your admin credentials.
One other major thing here is that logging. You can see who helped whom and when.
You can also easily monitor how much the remote help is being utilized.
You can find all these things from Tenant Administration > Connectors and tokens > Remote Help (Preview).
Additional thoughts
I’m a huge fan of this new product and I’m really excited to see what this will become once general available.
One thing that could be a good idea is to remove the Quick Assist app if you have that installed on your device, to reduce confusion but also to improve security a little bit since with the Quick Assist anyone can remote your users’ computers if they are not cautious. This can easily be done by deploying a PowerShell script to the devices.
Remove-WindowsCapability -online -name App.Support.QuickAssist~~~~0.0.1.0
Quick Assist isn’t built for enterprise use but is a great tool to support family and loved ones to be honest (I use it often to support family members).
Leave a Reply