A feature that has been absent from Microsoft Endpoint Manager (Intune) for a long time is the ability to remote control and assist the endpoints that are being managed. The new Remote Help solution built into Endpoint Manager allows for rapid troubleshooting and remediation of issues on clients, by allowing administrators and support personnel to view or remote control devices without the need for third-party software. The feature is being rolled out over the coming weeks and will enter general availability in early 2022.
Remote Help builds on Quick Assist, a remote assist solution built into Windows that most administrators are familiar with. So what’s the catch? Well, Microsoft is considering making this a premium feature, meaning that it will be available to everyone during the private preview and might require additional licensing once the product is released (general availability).
- Enable Remote Help in Endpoint Manager
- Deploying the Remote Help App
- Starting a Remote Help Session
- Required Connectivity
- Final Thoughts
Enable Remote Help in Endpoint Manager
Remote Help can be enabled or disabled for the tenant by navigating to the Tenant Administration page, then selecting Connectors and Tokens. Specify if Remote Help should be enabled and if administrators can assist on non-enrolled devices. Note that the helper and the receiver must be within the same organization (tenant), and it will not be possible to assist users outside your own organization.
Deploying the Remote Help App
After we have configured our settings in the Endpoint Manager Admin Center, we can package the Remote Help App and deploy it to our clients. Since the Remote Help App is an exe file, we need to wrap it using the Microsoft Win32 Content Prep Tool. When using this tool, I prefer to create the following structure on my machine, which can be reused for packaging applications in the future. The PowerShell script below will automatically create this structure and wrap the Remote Help App into a format that can be used with Endpoint Manager (Intune). The resulting RemoteHelp.intunewin will be located in the C:\Temp\Intune\Output folder.
│ └───Remote Help
│ └───Another App
│ └───Another App
```powershell
# Create the reusable packaging folder structure (existing folders are left alone)
New-Item -ItemType Directory -Path 'C:\Temp' -ErrorAction SilentlyContinue | Out-Null
New-Item -ItemType Directory -Path 'C:\Temp\Intune' -ErrorAction SilentlyContinue | Out-Null
New-Item -ItemType Directory -Path 'C:\Temp\Intune\Build' -ErrorAction SilentlyContinue | Out-Null
New-Item -ItemType Directory -Path 'C:\Temp\Intune\Build\Remote Help' -ErrorAction SilentlyContinue | Out-Null
New-Item -ItemType Directory -Path 'C:\Temp\Intune\Output' -ErrorAction SilentlyContinue | Out-Null

# Download the Win32 Content Prep Tool and the Remote Help installer
(New-Object System.Net.WebClient).DownloadFile("https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool/raw/master/IntuneWinAppUtil.exe", "C:\Temp\Intune\IntuneWinAppUtil.exe")
(New-Object System.Net.WebClient).DownloadFile("https://aka.ms/downloadremotehelp", "C:\Temp\Intune\Build\Remote Help\RemoteHelp.exe")

# Wrap the installer: -c source folder, -s setup file, -o output folder
Set-Location C:\Temp\Intune
& 'C:\Temp\Intune\IntuneWinAppUtil.exe' -c 'C:\Temp\Intune\Build\Remote Help' -s 'C:\Temp\Intune\Build\Remote Help\RemoteHelp.exe' -o 'C:\Temp\Intune\Output'
```
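The script downloads two executables, one of which ends up on every assigned client, so it is worth checking them after the downloads and before IntuneWinAppUtil.exe is run. The check below is an added example, not part of the original script; it assumes both files carry an Authenticode signature from Microsoft Corporation, and the function name Test-DownloadedBinary is hypothetical.

```powershell
# Assumption: the publisher string expected in the signing certificate subject.
$expectedSigner = 'O=Microsoft Corporation'

# Paths used by the packaging script on this page.
$files = @(
    'C:\Temp\Intune\IntuneWinAppUtil.exe'
    'C:\Temp\Intune\Build\Remote Help\RemoteHelp.exe'
)

function Test-DownloadedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSigner
    )
    # Validates the embedded signature and the certificate chain.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $subject
        # Hash is recorded so the packaged version can be identified later.
        SHA256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Trusted = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSigner*")
    }
}

$results = foreach ($file in $files) {
    Test-DownloadedBinary -Path $file -ExpectedSigner $expectedSigner
}
$results | Format-List

# Stop before packaging if anything is unsigned, tampered with or signed by someone else.
$untrusted = @($results | Where-Object { -not $_.Trusted })
if ($untrusted.Count -gt 0) {
    throw "Signature check failed for: $($untrusted.Path -join ', ')"
}
```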
Now that we have our packaged file, we can deploy it using Endpoint Manager (Intune). In the Microsoft Endpoint Manager Admin Center portal, select Apps then add a new Windows app (Win32).
- On the App Information tab, select the RemoteHelp.intunewin file that we created using the script above.
- Add the Application details such as a Name, Description, Version, Publisher and optionally a Logo.
- On the Program tab, specify the Install and Uninstall command and change the Device Restart Behavior if you prefer.
Install Command: Remotehelp.exe /quiet acceptTerms=Yes /norestart
Uninstall Command: Remotehelp.exe /quiet acceptTerms=Yes /uninstall /norestart
- For the Requirements tab specify 64-bit and a Windows 10 version. For my testing Windows 10 21H1 and Windows 11 were used.
- Finally on the Detection Rules tab, specify to Manually Configure detection rules. Specify the detection method as indicated below:
- We don’t need to configure any Dependencies, so press Next until the Assignments tab is reached. Specify a group of your choice to deploy the application to. A Required deployment will probably be the most likely choice for most organizations.
- Complete the wizard and wait for the RemoteHelp.intunewin file to be uploaded to Endpoint Manager. This process should only take a few seconds if you have a decent internet connection.
Starting a Remote Help Session
A Remote Help session can be started by opening the Remote Help App, or by selecting New Remote Assistance Session in the Endpoint Manager Admin Center on the overview page of a specific Windows device. The shortcut in the Endpoint Manager Admin Center simply starts the app, and if the Remote Help App is not installed, nothing happens.
The first time the Remote Help App is run, the Privacy Page is displayed to the user. Once accepted, the user is taken to the main page where the user can choose to give or get help. Just like Quick Assist, the person who is providing help (the technician) clicks Get a security code at the bottom and provides this code to the end-user receiving assistance.
Once the security code has been entered and a connection is made, Remote Help displays information about who the technician is connecting to and vice versa for the end-user. The technician can then request to view or control the end-user’s screen, and if the end-user accepts, a remote session is established.
The technician will receive a warning that the device they are connecting to is non-compliant if the end-user device does not meet the assigned compliance policy. The warning will not block the connection, but is there to inform the technician about the risk of using sensitive credentials/data on a non-compliant device. If the non-compliance issue is something simple like BitLocker not being activated, the technician could easily resolve the issue.
Remote Help also supports elevation allowing technicians to install or remediate issues that require local administrator permissions.
From the Microsoft Endpoint Admin Center we can get insights into how many sessions have been completed and the average session time. Under the Remote Help Sessions tab we can get the following information from each completed session. Note that unenrolled devices will contain limited information.
- Provider ID – UPN of the person providing help
- Recipient ID – UPN of the person receiving help
- Recipient First Name
- Recipient Last Name
- Device Name
- Operating System
- Session Start
- Session End
Required Connectivity
Remote Help uses the Remote Desktop Protocol on port 443 and connections are encrypted using TLS 1.2. In order for Remote Help to function correctly, both the technician and the end-user must be able to reach the following endpoints.
| Endpoint | Purpose |
|---|---|
| *.support.services.microsoft.com | Primary endpoint used for the remote help application |
| *.resources.lync.com | Required for the Skype framework used by remote help |
| *.infra.lync.com | Required for the Skype framework used by remote help |
| *.latest-swx.cdn.skype.com | Required for the Skype framework used by remote help |
| *.login.microsoftonline.com | Required for logging in to the application (AAD). Might not be available in preview in all markets or for all localizations. |
| *.channelwebsdks.azureedge.net | Used for chat services within remote help |
| *.aria.microsoft.com | Used for accessibility features within the app |
| *.api.support.microsoft.com | API access for remote help |
| *.vortex.data.microsoft.com | Used for diagnostic data |
| *.channelservices.microsoft.com | Required for chat services within remote help |
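When a session fails to connect, the proxy or firewall deny log is the quickest place to see which of these endpoints is being blocked. The following added example (not from the original post) matches denied hostnames against the wildcard list above; the log format, the sample lines and the function name Get-BlockedRemoteHelpEndpoint are constructed for illustration.

```powershell
# Required Remote Help endpoints, copied from the table above.
$requiredEndpoints = @(
    '*.support.services.microsoft.com'
    '*.resources.lync.com'
    '*.infra.lync.com'
    '*.latest-swx.cdn.skype.com'
    '*.login.microsoftonline.com'
    '*.channelwebsdks.azureedge.net'
    '*.aria.microsoft.com'
    '*.api.support.microsoft.com'
    '*.vortex.data.microsoft.com'
    '*.channelservices.microsoft.com'
)

# Constructed sample lines in a hypothetical "<time> <action> <host>:<port>" format.
$proxyLog = @(
    '2022-01-10T09:14:02Z DENY edge01.support.services.microsoft.com:443'
    '2022-01-10T09:14:03Z ALLOW a.b.infra.lync.com:443'
    '2022-01-10T09:14:05Z DENY chat.channelservices.microsoft.com:443'
    '2022-01-10T09:14:07Z DENY login.microsoftonline.com.example.net:443'  # look-alike, must not match
    '2022-01-10T09:14:09Z DENY edge02.support.services.microsoft.com:443'
)

function Get-BlockedRemoteHelpEndpoint {
    param([string[]] $LogLine, [string[]] $Pattern)

    $hits = foreach ($line in $LogLine) {
        # Only denied connections on port 443 are relevant here.
        if ($line -match '^\S+\s+DENY\s+(?<host>[^:\s]+):443$') {
            $hostName = $Matches['host']
            # -like anchors the pattern at the end of the name, so a required domain
            # embedded in the middle of another hostname is not counted.
            $endpoint = $Pattern | Where-Object { $hostName -like $_ } | Select-Object -First 1
            if ($endpoint) {
                [pscustomobject]@{ Endpoint = $endpoint; HostName = $hostName }
            }
        }
    }

    # One row per blocked required endpoint, with the hostnames that hit it.
    $hits | Group-Object Endpoint | Select-Object Name, Count,
        @{ n = 'Hosts'; e = { ($_.Group.HostName | Sort-Object -Unique) -join ', ' } }
}

Get-BlockedRemoteHelpEndpoint -LogLine $proxyLog -Pattern $requiredEndpoints
```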
Final Thoughts
Remote Help could be the tool that IT Professionals have been asking Microsoft about for years, especially if more enterprise functionality is added. Additional support for other platforms, especially mobile platforms like Android and iOS, is also a requirement for many organizations. Support for this would probably also make it easier for organizations to see past any additional licensing fees. It will be interesting to see if more functionality is added to Remote Help when it reaches general availability in early 2022.
I do understand why Microsoft is considering charging extra for this, as most other screen sharing tools also come at a price. However, will it be worth the money if the functionality remains the same as in the public preview? Quick Assist is built into Windows and provides much of the same functionality for free. During my testing, Remote Help, and Quick Assist for that matter, sometimes had issues when the end-user was using a high resolution (4K in my case).
Another frustration was the fact that Remote Help signs the end-user out after the Remote Help session has been terminated, requiring users to re-open all their applications once their issue is solved. According to Microsoft’s documentation, this is only the case if the technician that connects has the elevation privilege set to yes and a full control session is used. However, being able to elevate and do full control sessions is something that is really normal in support scenarios.