What is Remote Help?
Microsoft’s new Remote Support Solution helps IT admins take the remote control of the Windows 10 or Windows 11 devices that Intune manages. By leveraging this solution, admins don’t need to go through the complex integration process with the new remote help solution from the MEM admin center.
The Remote Help App is available as a download from Microsoft, and must be installed on each device before that device can be used to participate in a remote help session.
How does it work?
- This solution supports only User Attended Support with the current release. The user must accept and receive assistance. Remote Help requests can be screen sharing (view-only mode) or complete control.
- Remote Help communicates over port 443 (HTTPS) and connects to the Remote Assistance Service at https://remoteassistance.support.services.microsoft.com by using the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2.
- Both the helper and sharer must reach these endpoints over port 443: Remote Help communicates over port 443 (HTTPS).
- Intune subscription
- Remote help add-on license for all IT support workers (helpers) and users
- Windows 10/11
- Devices must install the remote help app. Device users can download the app directly from Microsoft. Click on the link to know more: https://aka.ms/downloadremotehelp
The Remote Help App supports the following capabilities:
- Enable Remote Help for your tenant
By default, Intune tenants aren’t enabled for remote Help. If you choose to turn on Remote Help, its use is allowed tenant-wide. Remote Help must be enabled before users can be authenticated through your tenant when using remote Help.
- Use Remote Help with unenrolled devices
Disabled by default, you can allow Help to devices that aren’t enrolled with Intune.
- Requires Organization login
To use Remote Help, both the helper and the sharer must sign in with your organization’s Azure Active Directory (Azure AD) account. You can’t use remote Help to assist users who aren’t members of your organization.
- Compliance Warnings
Before connecting to a user’s device, a helper will see a non-compliance warning about that device if it’s not compliant with its assigned policies. This warning doesn’t block access but provides transparency about the risk of using sensitive data like administrative credentials during the session.
Unenrolled devices are always reported as non-compliant. This is because until a device enrolls with Intune, it can’t receive policies from Intune and cannot establish its compliance status.
- Role-based access control
Admins can set RBAC rules that determine the scope of a helper’s access such as:
- The users who can help others and the range of actions they can do while providing Help, like running elevated privileges while assisting.
- The users can only view a device and request complete control of the session while assisting others.
- Elevation of privilege
When needed, a helper with the correct RBAC permissions can interact with the UAC prompt on the sharer’s machine to enter credentials. For example, your Help Desk employees might enter their administrative credentials to complete an action on the sharer’s device that requires administrative permissions.
- Monitor active remote help sessions and view details about past sessions
In the Microsoft Endpoint Manager admin center, you can view reports about who helped who, on what device, and how long. You’ll also find details about active sessions.
Auditing and reporting about remote help sessions are limited to unenrolled devices.
Want to hear more?
If you would like to get more detailed information about this innovative solution, or connect with our specialist to learn how to implement it, feel free to reach out to our team here.