This article will walk you through the steps to configure and use Intune Remote Help.
What is Remote Help:
I like this explanation: it is a “cloud-based solution” for secure help desk connections with role-based access controls. With the connection, support staff can remotely connect to the user’s device. Trust for Remote Help sessions is established through your Azure Active Directory (Azure AD), and Intune role-based access controls (RBAC) set the desired level of access.
Remote Help is not supported on GCC, GCC High or DoD tenants. Click here for the latest support status.
Remote Help and Security
Security is baked into Remote Help.
- Remote Help communicates over port 443 (HTTPS) and connects to the Remote Assistance Service at https://remoteassistance.support.services.microsoft.com by using the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2.
- Trust is established via Azure Active Directory. Both the helper and the sharer must sign in with an Azure Active Directory (Azure AD) account from your organization.
- Administrators can use Conditional Access when setting up policies and conditions for Remote Help, for example requiring multi-factor authentication, installing security updates, and locking access to Remote Help for a specific region or IP addresses.
- Admins can set RBAC rules that determine the scope of a helper’s access.
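To confirm from a client that the endpoint above is reachable on 443 and to see which TLS version and certificate the client actually receives, the following check can be run. It is an added example, not part of the original article or Microsoft's tooling; the function name `Test-RemoteHelpTls` and the 5-second timeout are assumptions.

```powershell
# Added example: check reachability and TLS details for the Remote Help service.
$HostName = 'remoteassistance.support.services.microsoft.com'  # endpoint named in the article
$Port     = 443

function Test-RemoteHelpTls {
    param([string]$HostName, [int]$Port = 443)

    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        # Fail fast if a firewall silently drops the connection (5 s is an arbitrary choice).
        if (-not $tcp.ConnectAsync($HostName, $Port).Wait(5000)) {
            throw "TCP connect to ${HostName}:${Port} timed out"
        }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        try {
            # Offer TLS 1.2 only, with certificate revocation checking enabled.
            # Default validation applies: an untrusted chain throws here.
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $true)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                $ssl.RemoteCertificate)
            [pscustomobject]@{
                Host     = $HostName
                Protocol = $ssl.SslProtocol   # protocol actually negotiated
                Subject  = $cert.Subject
                Issuer   = $cert.Issuer       # who issued the certificate the client saw
                NotAfter = $cert.NotAfter
            }
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }
}

Test-RemoteHelpTls -HostName $HostName -Port $Port | Format-List
```

An issuer that belongs to an internal proxy CA rather than a public CA means TLS inspection sits in the path between the client and the service.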
Remote Help Prerequisites
In order to establish a remote connection via Remote Help, the following must exist.
- Intune subscription
- License: Remote Help add-on license or an Intune Suite license. Helpdesk admins and users need a license.
- Supported devices: Windows 10/11, Windows 365, and Android Enterprise Dedicated devices are supported.
- Remote Help App: Installation of the Remote Help app on the user (sharer) and Helpdesk admin (helper) computer.
- Enrolled device: The Helpdesk admin must be signed in on an Intune enrolled device.
- Permission: RBAC permissions are used to limit or grant additional access to the Helpdesk admin.
Install Remote Help
You can install Remote Help manually or deploy via Intune. If you decide to deploy via Intune, you must repackage remotehelpinstaller.exe as a .intunewin file, which is a Win32 app.
To install manually, just run RemoteHelpInstaller.exe after download.
Download link: https://aka.ms/downloadremotehelp
Repackage Remote Help as a Win32 app
Run IntuneWinAppUtil and enter the following when prompted:
- The folder path of remotehelpinstaller.exe (source folder)
- The setup file which is remotehelpinstaller.exe
- The output folder
- You can enter N for catalog folder. See the example below.
IntuneWinAppUtil will create the Win32 app. Check the output folder; remotehelpinstaller.intunewin should exist. Now we can deploy Remote Help via Intune.
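The same repackaging can be scripted without prompts, with a signature check on the downloaded installer before it is wrapped for deployment. This is an added example, not from the original article; every path below is an assumption, and the `-c`, `-s`, `-o` and `-q` switches are IntuneWinAppUtil's command-line equivalents of the prompts listed above.

```powershell
# Added example; all paths are assumptions, adjust to your environment.
$SourceDir = 'C:\Packaging\RemoteHelp\Source'      # should contain only remotehelpinstaller.exe
$SetupFile = 'remotehelpinstaller.exe'
$OutputDir = 'C:\Packaging\RemoteHelp\Output'
$PrepTool  = 'C:\Packaging\Tools\IntuneWinAppUtil.exe'

$installer = Join-Path $SourceDir $SetupFile

# Refuse to package a binary whose Authenticode signature is missing, broken or not Microsoft's.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${installer}: $($sig.Status)"
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# Record the hash so the packaged source can be traced later.
$hash = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
Write-Host "SHA256 $hash  $SetupFile"

New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

# -c source folder, -s setup file, -o output folder, -q quiet (no prompts).
& $PrepTool -c $SourceDir -s $SetupFile -o $OutputDir -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil exited with code $LASTEXITCODE" }

# The tool names the package after the setup file.
$package = Join-Path $OutputDir 'remotehelpinstaller.intunewin'
if (-not (Test-Path $package)) { throw "Expected package not found: $package" }
Get-Item $package | Select-Object FullName, Length, LastWriteTime
```

Keep the source folder limited to the installer, because everything in that folder is included in the .intunewin package.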
Deploy Remote Help via Intune
Log into Microsoft Intune admin center and navigate to Apps > Windows
Under Windows apps, click Add
Under Select app type > click on Windows app (Win32)
On the bottom of this page, click Select
Click on Select app package file > then browse to the location of the file > add the file and click OK. See example below
Fill in the app information then click Next – see the example below.
Enter the program information as shown below.
- Install command should be: remotehelpinstaller.exe /quiet acceptTerms=1
- Uninstall command: remotehelpinstaller.exe /uninstall /quiet acceptTerms=1
Enter the operating system architecture in your organization and the minimum operating system version
On the detection page, under Rules format, select Manually configure detection rules, then click on Add
Click on the drop-down next to Rule type and select File. Via the image below, enter the following detection rule.
To get the file version value, navigate to the install path (c:\program files\remote help), right-click RemoteHelp.exe > Properties > Details, and read the file version (in my case it is 10.2.10012.1000). Once all the values are entered, click OK.
On this page click Next. Skip dependencies and supersedence and head over to the assignment page.
On the assignment page, click on Add group under Required or Available for enrolled devices, depending on use case. I decided on Required and install as soon as possible. Click Next.
Review the settings and click Create on the Review + create page if all is well.
On one of the target computers, navigate to Settings > Apps > Apps & features (or Installed apps, depending on your version of Windows 11). Remote Help should be listed if the install was successful.
You can check the install status via the remotehelpinstaller.exe policy as well.
Enable Remote Help
Navigate to Tenant administration > Remote Help
On this page click on Settings > Configure > Select Enabled under Enable Remote Help
Under Allow Remote Help to unenrolled devices, pick your choice. I selected Not allowed.
If you want to allow chat, select No under Disable Chat
Configure RBAC Permissions
RBAC permissions determine the scope of the Helpdesk admin’s access on the user’s computer. By default, the built-in Help Desk Operator role sets all the required permissions to Yes. See example below
You can assign the Help Desk Operator role, or duplicate it to create a custom role for specific access rights.
Assign the Role with the desired RBAC permissions
The next step is to assign the role to the group that houses the helpdesk admins (helpers). Navigate to Tenant administration > Roles
Double-left-click on the Help Desk Operator role. I created a custom role in my lab, so I will double-left-click on Remote Help Admin (the custom role) to open the assignment page.
Click on Assignments > Assign
Enter the name for the role assignment and a description.
In the Admin Groups section, add the group that houses your helpdesk admins (helpers).
Add a device group under Scope Group (members are the target computers) per the example below.
If a user’s (sharer’s) device is not a member of the scope group, the helpdesk admin cannot connect via Remote Help.
Review and create.
How to use Remote Help
The helpdesk admin must log in to an Intune enrolled device. The Remote Help application is already installed via the install step above. Log into the Remote Help app with a user account from your tenant that is a member of the helpdesk admin (helper) group. See the image below.
Helpdesk Admin computer:
Click on Get a security code. Share the code with the user. The user gets 10 minutes to enter the code. If a few minutes pass, the connection sometimes is not made, so the user should enter the code as soon as possible.
The user’s computer needs to be a member of the scope group. Open Remote Help and log in with a tenant account (or single sign-on will kick in). Accept the privacy notice as well and enter the security code. Examples below.
Helpdesk Admin’s Computer after the user enters the security code. The rest of the prompts are self-explanatory. The admin clicks on Take full control if required to provide support.
The user’s computer after the admin is connected. The only difference is the Remote Help bar. The user can click on Cancel control at any time to end the session.
The admin’s computer after connecting to the user. The admin is able to see the user’s desktop.
The admin can do the following from the black bar at the top of the Remote Help window:
- Select which user monitor to view
- Select the laser pointer, and change the color for better visibility.
- Select the pen to write or draw on the screen.
- Resize the screen, and lastly start a chat.
- Click Leave to stop the screen share. Click on the reconnect icon to share again if needed. The user is prompted to allow access.
Monitor Remote Help
To monitor sessions, navigate to Tenant administration > Remote Help > Monitor
Click on Remote Help sessions to view the alias of the admin (provider ID) and the user (recipient ID), along with the name of the user’s device, the OS, and the session start and end date.