The brand new Remote Help feature appeared in my lab MEM Intune tenant and this blog post is all about my first-hand experience with the same.
First thing first, the new Remote Help feature from Microsoft is a MEM native remote assistance solution aimed to help IT admins to provide remote assistance to the users of Windows 10 or Windows 11 in this hybrid work-model world that we are in.
You can read more about this new feature from this official announcement post. Further, official documentation about this new feature can be found in the Microsoft docs.
The new Remote help tool is actually a reworked version of the Quick Assist tool. It uses the Remote Desktop Protocol (RDP) for the session connections over HTTPS and the traffic is encrypted with TLS 1.2. As expected, it uses the Remote Assistance Service at https://remoteassistance.support.services.microsoft.com
It needs to be ensured that both the Requestor (End-User) and Helper (IT member) can reach the required endpoints over port 443, as already documented here.
It’s important to note that there is already the TeamViewer (3rd party) integration for Remote Assistance that has been available all this time with MEM Intune, which I have already covered in detail in this blog post of mine.
However, with the new Remote Help feature being MEM native, you don’t need to go through any complex setup steps. So let’s start with today’s post.
Table of Contents
Enable Remote Help in MEM Intune
Setting up Remote Help for the tenant is as easy as a few clicks. In the MEM portal,
- Navigate to Tenant administration > Connectors and tokens and you will find the new feature added in here.
- Click on the Settings tab.
- Configure the two options as per the requirement. Note that this is a tenant-wide config.
Click on Save and you have enabled the new Remote Help feature for your tenant. That is all.
Setup Role-based Access control for Remote Help in MEM Intune
Microsoft empowers organizational IT with granular RBAC permissions out of the box for the new Remote Help feature, with 3 levels of permission.
As such, you will have options to create custom RBAC roles to be assigned to the different support tiers with varying levels of permission in the sense as below
| Level 1 IT Support | View screen only [Screen sharing with no full control and elevation] |
| Level 2 IT Support | View screen with Full control |
| Level 3 IT Support | View screen with Full control and Elevation rights |
This should suffice the security requirements for any environment. Let us quickly walk through creating one custom RBAC role for the purpose of this blog.
- In the MEM portal, navigate to Tenant administration > Roles
- Click on Create and then select Intune role.
- Give the role a Name and provide a Description (optional). Once done, click on Next.
- Scroll down to the Remote help app section and select the permissions you want to set for the new role. When done, click on Next.
- Add Scope tags as per requirement and click on Next.
- Finally, finish creating the new custom role.
With the custom role created, it’s ready for assignment.
- Open the newly created role and go to the Assignments section. Click on Assign.
- Give the assignment a Name and provide a Description (Optional). Once done, click Next.
- Add the Group which holds the IT members to which you want to assign the role.
- Here you get to decide upto what level the IT members to whom the role is assigned is allowed to initiate a Remote Help session.
For the purpose of this blog, let's keep it to All devices meaning the group of IT members to whom the custom role is assigned is allowed to initiate Remote Help sessions on All devices of the tenant.
- Add Scope tags as per requirement.
- Finally, finish on creating the Role assignment.
With the Remote help feature is enabled and RBAC permissions in place, the only thing left is to deploy the Remote help application ((preview) to the managed Windows devices.
For unmanaged devices (if allowed by policy), the tool can be downloaded by the user from the link as provided below.
Deploy the new Remote help app to managed devices
Download the new Remote help application from the Microsoft website. This is an .EXE and as such can be easily deployed as a Win32 app from Intune. You can read more about this here.
Once you have the Win32 app package ready, all you need is to create the application in the MEM portal.
The install and uninstall commands are already specified in Microsoft’s documentation.
Follow the detection rules as specified in Microsoft’s documentation.
Create the app and deploy it to the devices. As usual, you can monitor the deployment state from the MEM portal.
With the Remote help feature enabled, RBAC permissions in place, and the Remote help tool deployed to the devices, the only thing left is to check how IT can use the new feature and the end-user experience for the same.
Using the new Remote Help feature in MEM Intune
IT Admins can initiate Remote help from the MEM portal. For that, you can navigate to the device from the MEM portal and click on the New remote assistance session remote action.
Once you click on the New remote assistance session, you will have the option to Launch remote help.
As a note, the above did worked for me in the lab while testing. But then somehow things stopped working and I can no longer see this option. Maybe some changes is going on in the backend and it will resurface back, as we all know the feature is in preview. But for now, as I am experiencing in my lab tenant, if you do not have TeamViewer integration enbaled, the New remote assistance session remote action remains greyed out, even with the Remote Help feature enabled for the tenant.
The other way around is to launch the remote help session manually where the Requestor (end-user) needs to reach out to the Helper (IT member) via any approved communication means to request help.
Both the Requestor and the Helper need to have the Remote Help tool installed on their devices. [Device can be unmanaged provided the configuration is set for the same!]
It is to be noted that both parties involved (Requestor and Helper) need to sign in to the Remote Help tool with their work or school account and accept the Privacy.
In the above snap, consider the Hyper-V VM as the device of a remote user (Requestor) asking for help and the base system as the device of the IT member who is ready to provide assistance. Both the Requestor and Helper need to open the Remote Help tool on their devices and sign in with their work credentials.
Once signed in, the Helper (IT Member) can proceed to click on the Get security code under the Give help section.
This generates a Security code that is valid for 10 minutes. This code needs to be provided to the Requestor.
The Requestor needs to put the security code as provided by the Helper in the field available under the Get Help section and click on Submit as shown above.
The remote session will get established post this and as you can see, the Helper gets to choose between two options – View screen or Take full control (depends on the RBAC role assigned to the Helper).
Just like information about the Requestor is shown to the Helper, similarly, the information of Helper is also displayed to the Requestor, which I missed capturing as a snap.
This is how the tool looks when a remote session is underway. [The snap shows the Helper device taking control of the Requestor device]
Remote help Monitoring from the MEM portal
The MEM portal gives you insights regarding how the Remote help is being used within the environment. We get a visual of the Average Session Time and Total Sessions that has concluded (or is active currently.)
Further, you can click on the Remote help sessions tab where you will see the list view of all the Remote help sessions performed. From here you get to see Provider ID (helper), Recipient ID (end-user), Device name, Session duration, and if it was a view-only or full control session.
Though Microsoft logs a small amount of session data to monitor the health of the remote help system, it can’t access a session or view any actions or keystrokes that occur in the session.
Ending
The Remote help is still in preview and it might happen that the feature and functionality being offered gets expanded in the future when it goes GA. Microsoft has already announced that this will be available at an additional cost to the licensing options that include Microsoft Endpoint Manager or Intune.
When it goes GA, I can only hope that Microsoft will come up with competitive pricing over the 3rd-party solution that is currently available, which will make this MEM-native remote assistance solution a great feature addition for the cost.
However, if you would ask me, I wish Microsoft bundles this within the M365 E5 licensing without any additional cost, if not the others. But whether that will happen or not is something that we need to wait for.
Joymalya Basu Roy is an Indian IT professional with around 6.5 years of work experience in IT Software Support and Services. Having completed his B.Tech in Computer Science and Engineering back in 2015, he is 30 years old as of 2022, ethnolinguistically a Bengali, and hails from the Indian city of Kolkata, West Bengal. Presently associated with Atos as a Senior Consultant – Architect, he works in Digital Workplace T&T projects leading the build & deployment, adoption, and support of Microsoft Intune across greenfield/brownfield environments for Android/iOS/Windows. He is also honored to be recognized as a Microsoft MVP for Enterprise Mobility – 2021 and 2022-23.