Remote Help in Microsoft Endpoint Manager Intune

Remote help in Microsoft Endpoint Manager Intune is a new way to provide remote support inside the organization. It is very easy to use and it's also easy to distribute. It allows you to view UAC messages, which is not possible in Teams, so it is a lightweight solution that is easy to set up in a company with internal support.

This blog post describes how to activate remote help in Intune and how to install it on the clients.

Prerequisites:

The following 3 prerequisites must be met to use remote help:

  • Intune subscription is available and remote help is activated.
  • The sender and receiver must have Windows 11 or Windows 10 installed.
  • Remote help app should be installed.

Further information: https://docs.microsoft.com/en-us/mem/intune/fundamentals/licenses

Network

Remote help communicates via port 443 with the Remote Desktop Protocol (RDP). The encryption is TLS 1.2.

Both parties of the remote session must be able to reach the required Microsoft endpoints via port 443. A list of these sites can be found on the Microsoft website.
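The following PowerShell check is an added example, not part of the original post or of Microsoft's tooling. It tests each endpoint for TCP 443 reachability and a TLS 1.2 handshake; the function name `Test-Tls12Endpoint` and the host names are placeholders chosen here and must be replaced with the entries from Microsoft's published list.

```powershell
# Added example: verify TCP 443 reachability and a TLS 1.2 handshake per endpoint.
# Host names are placeholders (assumption); use Microsoft's published Remote help list.
$Endpoints = @(
    'remotehelp-endpoint-1.example.com',   # placeholder
    'remotehelp-endpoint-2.example.com'    # placeholder
)

function Test-Tls12Endpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{ Host = $HostName; TcpOpen = $false; Tls12 = $false; Issuer = $null; Error = $null }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # Connect with a timeout so silently dropped packets do not hang the check.
        $connect = $client.ConnectAsync($HostName, $Port)
        if (-not $connect.Wait($TimeoutMs)) { throw "TCP connect timed out after $TimeoutMs ms" }
        $result.TcpOpen = $true

        # Offer TLS 1.2 only; the handshake fails if the path cannot negotiate it.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $result.Tls12  = ($ssl.SslProtocol -eq [System.Security.Authentication.SslProtocols]::Tls12)
        # The issuer shows which CA signed the certificate presented on this path.
        $result.Issuer = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose()
    }
    catch {
        # Covers refused connections, timeouts and failed handshakes or validation.
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

$Endpoints | ForEach-Object { Test-Tls12Endpoint -HostName $_ } | Format-Table -AutoSize
```

Run it on both the helper's and the receiver's device, since both sides need the same access.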

Setup and Usage

The user you log in with must be in one of your Azure ADs, and connections are only possible between users from the same organization.

Enable remote help in your tenant

Remote help is not automatically activated. To use it, you must first activate it in Intune.

Log in to Endpoint Manager Admin Center and navigate to “Tenant administration –> Connectors and tokens –> Remote help (preview)”

In settings, you must set “Enable remote help” to “Enabled” and “Allow remote help to unenrolled devices” to “Allowed”.

Optionally, you can also allow remote help to be used by logging into the app, as in the following screenshot.

You can set the permissions for the Remote help app as follows:

  • Take full control – Yes/No (allows full access to the device)
  • Elevation – Yes/No (Detailed option to enter administrative credentials for enabled permissions)
  • View screen – Yes/No (Only allows you to see the screen)

By default, these rights are all set to yes.

With role-based access control (RBAC), these settings can also be specified for individual users, which makes it possible to distinguish between administrators and other departments, for example. With RBAC, you can create custom roles for different support tiers to get more granular control over these permissions and to control which departments can receive help from which support role.

Install remote help

The remote help application must be installed on the sender and the receiver’s device to use remote help.

Intune administrators can install and deploy the app just as usual.
For more information see https://docs.microsoft.com/en-us/mem/intune/apps/apps-windows-10-app-deploy#install-apps-on-windows-10-devices

The deployment can be performed with the desired deployment method, for example as a Win32 app. After installation, users don't have to take any further steps to use the solution.

Administrators who want to test the application in their environment can use the following link to install the package manually: https://aka.ms/downloadremotehelp

Usage

Get Access

You have to generate a code to get access, which you send to the other person. Then, if the other person doesn’t know how to use the app, you can generate a manual that describes how to proceed.

While connecting, the helping person will receive a compliance warning message if there is one. This will not stop the connection but will inform the supporter that the device is not compliant. Unenrolled devices are always reported as non-compliant.

Give Access

As someone who wants to grant access to your device, you only have to enter the code you received from the person accessing the device in the app and confirm it.

Monitor and Log files

Admin site

In the Microsoft Endpoint Manager admin center, you can navigate to “Tenant admin –> Connectors and tokens –> Remote help (preview)”. On the first page, you will see the monitor. There you can see the average session time and the total sessions in your organization.

Client side

Locally, remote help sessions are logged in the Event Viewer under “Application and Services –> Microsoft –> Windows –> RemoteHelp”.
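To review these local logs without clicking through the Event Viewer, the following PowerShell function (an added example, not from the original post) discovers the Remote help event channel by wildcard and summarizes recent events per event ID. The function name `Get-RemoteHelpEventSummary` is chosen here, and the assumption is that the channel name contains "RemoteHelp", as the Event Viewer path suggests.

```powershell
# Added example: locate the Remote help event channel(s) and summarize recent events.
# The wildcard avoids hard-coding a channel name, which the article does not give.
function Get-RemoteHelpEventSummary {
    param([int]$Days = 7)

    $logs = Get-WinEvent -ListLog '*RemoteHelp*' -ErrorAction SilentlyContinue
    if (-not $logs) {
        Write-Warning 'No RemoteHelp event channel found; is the Remote help app installed?'
        return
    }

    $since = (Get-Date).AddDays(-$Days)
    foreach ($log in $logs) {
        if (-not $log.IsEnabled) {
            # A disabled channel records nothing, so sessions would leave no local trace.
            Write-Warning "$($log.LogName) is disabled"
            continue
        }
        # Get-WinEvent raises an error when no event matches; treat that as "nothing to report".
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; StartTime = $since } `
                               -ErrorAction SilentlyContinue
        if (-not $events) { continue }

        # One row per event ID and level, with first and last occurrence in the window.
        $events | Group-Object Id, LevelDisplayName | Sort-Object Count -Descending |
            Select-Object @{ n = 'Log';   e = { $log.LogName } },
                          Count,
                          @{ n = 'IdAndLevel'; e = { $_.Name } },
                          @{ n = 'First'; e = { ($_.Group | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated } },
                          @{ n = 'Last';  e = { ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated } }
    }
}

Get-RemoteHelpEventSummary -Days 7 | Format-Table -AutoSize
```

Comparing the First and Last timestamps against known support tickets is a quick way to spot sessions that nobody requested.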

Conclusion

The tool can be helpful because it can be deployed via Intune and is easy to use internally. The instructions that can be sent automatically make it unnecessary to provide additional explanations on how to set up the connection, and it is also very user-friendly in general. With RBAC, you can precisely control who is allowed to have which rights.

In contrast to Teams, it offers a better connection, simpler handling, and an unrestricted view including UAC messages, which makes support cases easier. Furthermore, no additional license costs will be generated, because the required Intune license is already present.

If you are looking for further information, see “Remotely assist users that are authenticated by your organization” on Microsoft Docs.