
Enabling Remote Help on Tenant

 

 

Remote help for Intune is a premium add-on that is licensed separately. So, the first step in enabling Remote help is either purchasing licenses for the end users or starting a trial of the Remote help feature. Once you have licenses available, you can enable Remote help for the tenant.

[Image: Snippet from Tenant Administration - Remote Help View]

 

 

 

 

 

Remote help is enabled in the Intune console, under the Tenant Admin node, in the Remote Help view. As you can see in the snippet, it is disabled by default and can be configured by clicking the “Configure” button.

[Image: Configure Remote Help Dialog Box]

 

 

 

 

 

Configuration is straightforward. The first option enables Remote help for the tenant. The second option allows Remote help for devices that are not enrolled in Intune, which is useful for supporting the personal devices of senior management.

[Image: Snippet from Tenant Administration - Remote Help View]

 

 

 

Once the configuration is done, you will see that the Remote help service is enabled on the tenant.

 

Assigning Licenses

 

 

Since Remote Help is a premium add-on, licenses should be assigned both to those who will share their device and request help and to those who will act in the helper role and connect to support users.

[Image: Snippet from License Assignment View]

 

 

 

 

 

As seen in the snippet, once we have the required licenses, either paid or from a trial, they are available as additional products and should be assigned either directly to users or through group-based licensing.

 

Deploying Remote Help Application

 

 

The Remote help application is a Windows application that needs to be deployed on the endpoints. It can be downloaded from http://aka.ms/downloadremotehelp

It is possible to deploy the Remote help application with any management solution. To deploy with Intune, the application must be converted to the .intunewin format. Details on how to make the conversion can be found here.

After conversion it is a regular application deployment via Intune. The install and uninstall commands are important when deploying.

 

 

 

Install command: remotehelpinstaller.exe /quiet acceptTerms=1

Uninstall command: remotehelpinstaller.exe /uninstall /quiet acceptTerms=1

 

[Image: Snippet from Intune Application Properties for Remote Help Application]

 

 

 

 

 

It is also important to use the correct detection rule when distributing the application. Below are the rules recommended at the time this post was written. It is a good idea to check the Remote help documentation beforehand for possible changes or updates.

 

 

 

For Rule type, select File

For Path, specify C:\Program Files\Remote Help

For File or folder, specify RemoteHelp.exe

For Detection method, select String (version)

For Operator, select Greater than or equal to

For Value, specify the version of Remote Help you are deploying. For example, 10.0.22467.1000

Leave Associated with a 32-bit app on 64-bit clients set to No
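
The File rule above can also be written as a custom detection script, which makes the version comparison explicit and can be run by hand on a test device. This is an added example, not part of the original post; it uses the path, file name and example version from the rule, and relies on Intune treating exit code 0 together with output on STDOUT as "detected".

```powershell
# Added example: the File detection rule from this page expressed as a script.
# Path, file name and minimum version are the values given in the rule above.
$Path       = 'C:\Program Files\Remote Help'
$FileName   = 'RemoteHelp.exe'
$MinVersion = [version]'10.0.22467.1000'

function Test-RemoteHelpDetected {
    param(
        [string]$Folder,
        [string]$File,
        [version]$Minimum
    )
    $target = Join-Path -Path $Folder -ChildPath $File
    if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
        return $false   # file missing: application is not installed
    }
    $info = (Get-Item -LiteralPath $target).VersionInfo
    # Build the version from its numeric parts. The FileVersion string can
    # carry extra text, and a plain string comparison would rank "10.0.9"
    # above "10.0.22467".
    $found = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                            $info.FileBuildPart, $info.FilePrivatePart)
    return ($found -ge $Minimum)
}

if (Test-RemoteHelpDetected -Folder $Path -File $FileName -Minimum $MinVersion) {
    # Exit code 0 plus a line on STDOUT reports the app as detected.
    Write-Output "Remote Help detected at or above $MinVersion"
    exit 0
}
# Non-zero exit code and no output: not detected.
exit 1
```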

Assigning Role Based Access Controls

 

 

The next step in the process is assigning RBAC permissions to those who will be in the helper role. Permissions in the Remote Help app category define what can be done in the Remote help application.

 

  • Take full control
  • Elevation
  • View Screen

 

These permissions are given to the Helpdesk operator group by default, but it is possible to create a custom RBAC role and assign only the options that satisfy your organizational requirements, such as Can View Screen but Cannot Take Full Control.

Intune RBAC is available in Intune under Tenant Administration, in the Roles node. As you can see, there are different built-in roles that you can assign groups to, and you can run a wizard to create a custom role based on your own requirements.

[Image: Snippet from Built-In Roles in Intune Tenant Administration]

 

 

 

 

 

In this section we will continue with the existing Help Desk Operator role.

[Image: Snippet from Help Desk Operator Properties]

 

 

 

 

 

When you look at the permissions of the Help Desk Operator role, you can see that permissions for the Remote Help app are granted. Now that we have a role to assign operators to, we can start assigning users to it.

[Image: Snippet from Role Assignment Page for Help Desk Operator Role]

 

 

 

 

 

The assignment wizard can be started by clicking the “Assign” button on the role page. There can be one or more assignments for a given role. As with any wizard, the first step is to give the assignment a name.

[Image: Snippet from Add Role Assignment Wizard for Help Desk Operator Role, Naming Assignment]

 

 

 

 

 

Role assignments can be made only to groups, so the next step is to pick the group that contains the help desk operators.

[Image: Snippet from Add Role Assignment Wizard for Help Desk Operator Role, Group Selection]

 

 

 

 

 

It is possible to limit the scope of the assignment with scope tags, so that a specific help desk operator group can work only on a specific set of devices, such as VIP support or San Diego devices.

[Image: Snippet from Add Role Assignment Wizard for Help Desk Operator Role, Scope Definition]

 

 

 

 

 

In my example I’m using all devices as it is just for Lab / Demo purposes.

 

 

 

[Image: Snippet from Add Role Assignment Wizard for Help Desk Operator Role, Assignment Review and Creation]

 

 

 

 

 

Clicking the Create button finishes the wizard, and the role assignment becomes active.

[Image: Snippet from Role Assignments Wizard for Help Desk Operator Role]

 

 

 

 

 

Now that we have enabled the Remote help add-on for our tenant, deployed the Remote help application to the endpoints, and assigned role-based access control permissions to those who will be supporting our end users, it is time to look at the experience from both ends.

 

Initiating Help Session

 

 

In the Remote help application, there are two roles: one can be either a helper or a sharer. In our example, the user atil@mwpdemo.xyz will be the helper and the user yaz@mwpdemo.xyz will be the sharer. Initiating a help session starts with the helper getting a security code.

[Image: Snippet from Remote Help Application, Give Help Flow]

 

 

 

 

 

This code is then shared with the user who will be in the sharer role. Note that there is a 10-minute window for the sharer to enter the code into the Remote help application on their end.

[Image: Snippet from Remote Help Application, Share Security Code]

 

 

 

 

 

Once the sharer enters the code in their Remote help application, connection initiation starts.

[Image: Snippet from Remote Help Application, Sharer Flow]

 

 

 

 

 

As you can see from the screenshot below, the user on the left side with a blue background is in the helper role, while the user on the right side with a green background is in the sharer role. I utilized two different Windows 365 Cloud PCs that are joined to the same Azure AD domain to demonstrate the remote help session.

[Image: Screenshot during Remote Help Connection Initiation Phase]

 

 

 

 

 

During initiation, the helper gets a notification that the sharer is ready to accept their help. There are two main options: taking full control or viewing the screen. Also, if there are compliance issues on the device the helper is trying to connect to, such as an AV that is not up to date, the helper sees the compliance error here to keep their device safe.

[Image: Snippet from Remote Help Application, Connection Initiation]

 

 

 

 

 

Once the helper selects the option to Take full control or View screen, their selection is shared with the sharer. The sharer can then Allow or Decline based on the helper's selection.

[Image: Snippet from Remote Help Application, Connection Initiation]

 

 

 

 

 

Session Experience

 

 

Now that we have our session set up between our helper and sharer roles, let’s take a look at what the Remote Help application brings to support teams. Note that the features mentioned here will be updated from time to time, with new features added or existing experiences improved. It is a good idea to check the current documentation on Remote help application features.

 

Elevation

 

 

An important feature of the Remote help application is the ability to elevate privilege for the helper role, and the ability to block elevation on the sharer role.

[Image: Screenshot from Remote Help Application, Elevation of a Shortcut]

 

 

 

 

 

As you can see from the snippet below, once the helper triggers an executable to run as an administrator, their sharing is paused for a moment. During this pause, the sharer is presented with a UAC prompt asking whether they allow the elevation.

[Image: Screenshot from Remote Help Application, Elevation]

 

 

 

Laser Pointer

 

 

It is possible for a helper to use the laser pointer feature to highlight an item on screen. As you can see from the snippet below, the helper (left side) is using a red dot to highlight the My Documents link in Bing search results, and it is seen in real time by the sharer (right side).

[Image: Screenshot from a Remote Help Session, Laser Pointer Usage]

 

Pen

 

 

It is also possible for a helper to use a pen to note things down on screen for a sharer. As you can see from the snippet below, the helper (left side) is using a green pen to highlight the My Documents link in Bing search results, and it is seen in real time by the sharer (right side).

[Image: Screenshot from Remote Help Session, Pen Usage]

 

 

 

Instruction Channel

 

 

It is possible for a helper to open a messaging channel to send specific instructions. When the helper triggers the instruction channel, the messages they send pop up on the sharer’s screen. Note that two-way communication is possible over the instruction channel, and there is a copy button for copying commands that are sent to the sharer over the instruction channel.

[Image: Screenshot from a Remote Help Session, Instruction Channel]

 

 

 

Task Manager

 

 

It is possible for a helper to open Task Manager via the Remote Help application. Once Task Manager is open, the helper can perform actions such as ending running processes or creating dump files.

[Image: Snippet from a Remote Help Session, Task Manager Usage]

 

 

 

Monitoring Remote Help Sessions

 

 

It is possible to monitor remote help sessions. This is available in the Tenant Administration, Remote Help node, under the Remote help sessions view. The Provider ID, the Recipient ID and the Device Name of the device receiving remote help, as well as the Session start and Session end times, are available in this monitor view.

[Image: Snippet from Tenant Admin, Remote Help Node, Remote Help Sessions View]
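
The fields in this view are enough for a periodic review of who helped whom and for how long. The script below is an added example, not part of the original post: it assumes the rows have been saved as CSV with column names derived from the fields above, and the sample rows, the approved-helper list and the 60-minute threshold are all constructed for illustration.

```powershell
# Constructed sample rows; column names are assumed from the fields the view shows.
$csv = @'
ProviderId,RecipientId,DeviceName,SessionStart,SessionEnd
atil@mwpdemo.xyz,yaz@mwpdemo.xyz,CPC-YAZ-01,2022-05-10T09:02:00Z,2022-05-10T09:21:00Z
contractor@mwpdemo.xyz,yaz@mwpdemo.xyz,CPC-YAZ-01,2022-05-11T23:40:00Z,2022-05-12T02:05:00Z
atil@mwpdemo.xyz,yaz@mwpdemo.xyz,CPC-YAZ-01,2022-05-12T14:00:00Z,
'@

function Get-RemoteHelpSessionFinding {
    param(
        [Parameter(Mandatory)] [object[]]$Session,
        [string[]]$ApprovedHelper,                       # members of the helper group
        [timespan]$MaxDuration = [timespan]::FromMinutes(60)
    )
    $inv = [cultureinfo]::InvariantCulture
    foreach ($s in $Session) {
        $reasons = @()
        if ($s.ProviderId -notin $ApprovedHelper) {
            $reasons += 'helper not on approved list'
        }
        if ([string]::IsNullOrWhiteSpace($s.SessionEnd)) {
            $reasons += 'no session end recorded'
        } else {
            $start = [datetimeoffset]::Parse($s.SessionStart, $inv)
            $end   = [datetimeoffset]::Parse($s.SessionEnd, $inv)
            if (($end - $start) -gt $MaxDuration) {
                $reasons += "session longer than $($MaxDuration.TotalMinutes) min"
            }
        }
        if ($reasons.Count -gt 0) {
            # Emit one finding per session that needs a second look.
            [pscustomobject]@{
                Helper  = $s.ProviderId
                Sharer  = $s.RecipientId
                Device  = $s.DeviceName
                Start   = $s.SessionStart
                Reasons = $reasons -join '; '
            }
        }
    }
}

Get-RemoteHelpSessionFinding -Session ($csv | ConvertFrom-Csv) `
    -ApprovedHelper 'atil@mwpdemo.xyz' | Format-Table -AutoSize
```

With the constructed rows, the first session passes and the other two are reported: one for an unapproved helper and an overlong session, one for a missing end time.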

 

 

 

 

 

 

Wrap-Up

 

 

Microsoft Intune has a premium feature called Remote Help, which can be used to connect to Azure AD joined devices. The Remote help application is used for connecting to devices and has features such as elevation of privilege, interaction with Task Manager, and pen and laser pointer usage.

 
