I think it’s too soon to compare Remote Help with a tool like TeamViewer because Remote Help feature with Microsoft Endpoint Manager just went on GA this week. I was looking at this option for quite a while and finally got time to test and write about it.
- Remote Help app and Quick Assist app
- Remote Help Benefits
- Remote Help Add-On License
- Network Considerations
- Configure Remote Help in MEM
- Create the Win32 app and upload it to MEM
- RBAC – Assign Users to role
- Create a new RBAC Permission Role
- How to Use
- Final Words
Remote Help app and Quick Assist app
You may have seen the Quick Assist app that is coming with the Windows 10 and Windows 11 devices. This is not the same as Remote Help app where it connects to the Microsoft Endpoint Manager tenant. With Quick Assist, you can connect to any Windows machine that is either connected to the MEM tenant or not. In other words, it is a free to use app.
Remote Help Benefits
- You don’t need to rely on other 3rd party remote support tools which sometimes can be dangerous to use as they can bring unwanted issues to your environment
- This is controlled via MEM and can be used to manage both enrolled and unenrolled devices
- Because RBAC can be done over providing help, if you have a set of computers that 1st level admins should not login, you can set up a new RBAC role and assign the permissions as required
- Microsoft Endpoint Manager can provide admins with support session logs/ reports
Remote Help Add-On License
Remote help subscription premium add-on to be assigned. This is a per-user add-on and check here for more info
This is what you will see when you go to the MEM portal > Tenant Administration > Premium Add-ons > click on view details on Remote help
Remote Help Add-on details on in the Admin Center Billing Page
Remote Help works over port 443 and connects to https://remoteassistance.support.services.microsoft.com by using RDP and the traffic is encrypted via TLS 1.2
Both Helper and Sharer should be able to reach the below endpoints via port 443
Configure Remote Help in MEM
This feature is disabled by default and the Intune Administrator needs to go in and change the settings
Go to https://endpoint.microsoft.com > Tenant Administration > Remote Help
Set the Enable remote help to Enabled
And Allow remote help to unenrolled devices to Enabled
Unenrolled devices will not be able to get grab the Remote Help app pushed by Intune. For these devices, the app needs to be installed manually.
Create the Win32 app and upload it to MEM
- Download the Remote Help app >> Check here
- Use the intunewin app util to prepare the remote help app >> Check here
- Upload the app to MEM
- Go to Apps > Windows in the MEM portal
- Add > App type: Windows app (Win32) > Select
- Select the intunewin package created previously and upload it
- Set the Name/ Description/ Publisher
- Set the Install command remotehelpinstaller.exe /quiet acceptTerms=1
- Set the Uninstall command remotehelpinstaller.exe /uninstall /quiet acceptTerms=1
- Install behaviour System
- Press Next
- Under Requirements, OS architecture – Select x86, x64 or both
- Minimum OS – Select the OS level
- Press Next
- Under Detection rules, Rule format – Manually configure detection rules
- Detection rules – Select File and key in C:\Program Files\Remote help
- File or folder – RemoteHelp.exe
- Detection method – File or folder exists
- Press OK > Press Next and skip Dependencies and Supersedence
- Under Assignments, Assign it to the required Device Group
- Review and Create
This will now get installed in the specified device group.
RBAC – Assign Users to role
By default the Intune Admin can use this to support users. However since Intune Admin has the power to perform any change in the Endpoint manager tenant, it is advisable to create RBAC within the App.
Intune RBAC permission role Help Desk Operator have the all the below options set to Yes.
* View screen
* Take full control
Create a new RBAC Permission Role
- Go to Endpoint Manager > Tenant Administration > Roles > Create > Give a meaningful name > Next
- As shown below, set the options to Yes
- Press Next and add or skip Scope Tags (optional) > Create
- Go to the created role again > Assignments > Give a meaningful name > Press Next
- Assign it to the required Admins group > Next
- Set the Scope Groups – These are users/ devices that the relevant RBAC admin can access > Press Next
- Review and Create
How to Use
Now that we have completed the ground work, lets see how this is working in the MEM environment.
Helper – The IT admin who is supporting the user
Sharer – User who requires help
- IT admin to go to the MEM portal > Devices > Windows > Select the device to support > click on the 3 dots . . . and select New remote assistance session
This will open up a side pane. Click on Launch Remote Help
Admin will get his/ her remote app opened and make sure you are signed in.
Click on Get a Security code button
And now the Admin will be presented with a code that has a life time of 10 minutes
- Now Sharer to open the Remote Help app and accept the legal notes for the 1st time use
2. Key in the 6 digits that Admin instructs to enter and proceed
Sharer will see below
While the IT admin can see below. At this stage, Admin can Take full control or just View screen
Now back to the Sharer, They can see the below screen and need to press Allow
And Viola! The screen sharing will begin
If someone who is not an admin or hasn’t granted with RBAC permissions, they will get the below screen.
I played with the tool for couple of hours. I can see the app is stable, connects back to the same session after the user machine reboots and re-opens the app, elevation works with no issue at all etc. This just came out of GA, means it will go though many new updates and will become a competitor with a lot more features that can beat other 3rd party remote support tools.