- Article
- 18 minutes to read
Now generally available,remote helpis a premium companion app that works with Intune and allows your intelligence and field workers to get remote assistance when needed. With this connection, your support team can remotely connect to the user's device. During the session, they can view the device's screen and, if the device user allows it, take full control. Full control allows an assistant to make adjustments or perform actions directly on the device.
This function applies to:
- windows 10/11
In this article, we refer to users who provide support asassistantand users who receive help such asParticipantwhile sharing your session with the helper. Both helpers and sharers join your organization to use the app. Azure Active Directory (Azure AD) establishes the correct trust relationships for remote help sessions.
Remote Help uses Intune role-based access control (RBAC) to define the level of access granted to a helper. Through RBAC, you determine which users can provide support and how much support they can provide.
The Remote Help app is available from Microsoft for installation on Intune enrolled and non-Intune enrolled devices. The app can also be deployed to your managed devices through Intune.
Remote support capabilities and requirements
The Remote Help app supports the following features:
Enable remote help for your tenant- By default, Intune tenants are not enabled for remote assistance. If you choose to enable remote assistance, its use will be enabled tenant-wide. Remote Help must be enabled before users can authenticate through their tenant when using Remote Help.
Use remote help with unregistered devices- Disabled by default, you can allow support for devices not enrolled in Intune.
Organization login required- To use Remote Help, both the helper and the sharer must sign in with an Azure Active Directory (Azure AD) account in your organization. You cannot use remote help to help users who are not members of your organization.
Compliance Notices- Before connecting to a user's device, an assistant will see a violation notice on that device if it does not comply with assigned policies. This warning does not block access, but it does provide transparency about the risk of using sensitive data, such as administrative credentials, during the session.
Helpers who have access to device views in Intune will see a link to the device properties page in Microsoft Endpoint Manager in the notification. This allows an assistant to learn more about why the device is not supported.
Unenrolled devices are always reported as unsupported. This is because until a device is enrolled in Intune, it can't receive policies from Intune and therefore can't determine its compliance status.
Role-based access control- Administrators can define RBAC rules that determine the scope of a helper's access, such as: eg:
- The users who can help others and the set of actions they can take while helping, such as: B. who can perform elevated privileges while helping.
- Users who can only see one device and request full control of the session while helping others.
privilege collection- If necessary, a helper with the correct RBAC permissions can interact with the UAC prompt on the shared machine to enter the credentials. For example, your help desk staff can enter their administrative credentials to perform an action on the user's device that requires administrative privileges.
Monitor active remote help sessions and view details of past sessions- In the Microsoft Endpoint Manager admin center, you can view reports detailing who helped whom, on which device, and for how long. You can also find details about active sessions.
Unregistered devices have limited monitoring and reporting for remote help sessions.
requirements
- Intune-Subscription
- Additional remote help license for all IT support staff (helpers) and users (sharers) (https://aka.ms/PremiumAddOnsDocs)
- windows 10/11
- The remote help application for Windows. WatchInstall and update remote help
supervision
The following limitations apply to remote help:
- GCC, GCC High, or DoD tenants do not support Remote Help.
- You cannot establish a remote assistance session from one tenant to another tenant.
- May not be available in all markets or locations.
network considerations
Remote Help communicates over port 443 (https) and connects to the Remote Help Service athttps://remoteassistance.support.services.microsoft.comwith Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2.
Both the helper and the sharer should be able to reach these endpoints on port 443:
| domain name | description |
|---|---|
| *.aria.microsoft.com | Used for accessibility features in the app |
| *.events.data.microsoft.com | Microsoft-Telemetriedienst |
| *.monitor.azure.com | Required to start telemetry and remote services |
| *.support.services.microsoft.com | Primary endpoint used for the remote help application |
| *.trouter.skype.com | It is used for the Azure communication service for chats and connections between parties. |
| *.aadcdn.msauth.net | Required to sign in to the application (AAD) |
| *.aadcdn.msftauth.net | Required to sign in to the application (AAD) |
| *.edge.skype.com | It is used for the Azure communication service for chats and connections between parties. |
| *.graph.microsoft.com | Used to connect to the Microsoft Graph service |
| *.login.microsoftonline.com | Required for the Microsoft login service. May not be available in all markets or preview locations |
| *.remoteassistanceprodacs.communication.azure.com | It is used for the Azure communication service for chats and connections between parties. |
| Microsoft Edge endpoint whitelist | The application uses the Edge WebView2 browser control. This article identifies domain URLs that you should whitelist to allow communication through firewalls and other security mechanisms. |
data and privacy
Microsoft logs a small amount of session data to monitor the status of the remote help system. These data include the following information:
- beginning and end of the session. This information is stored on Microsoft servers for 30 days.
- Who helped whom on which device? This information is stored on Microsoft servers for 30 days.
- Errors that originate from Remote Help itself, such as B. unexpected disconnections. This information is stored on the user's device in the Event Viewer.
- Functions used in the application, e.g. B. View and elevation only. This information is stored on Microsoft servers for 30 days.
Remote Help logs session details to the Windows event logs on both auxiliary and shared devices. Microsoft cannot access a session or see actions or keystrokes that occur within the session.
The helper and the sharer see the following information about the other person, taken from their organization profiles:
- The organization's profile photo (if any)
- company name
- verified domain
- Name and surname
- job title
Microsoft does not store data about the sharer or helper for more than 30 days.
Install and update remote help
Remote Help can be downloaded from Microsoft and must be installed on each device before the device can be used to participate in a Remote Help session. By default, users receive automatic updates, and Remote Help is automatically updated when an update is available.
Users who have opted out of automatic updates will be prompted to install this version of Remote Help when they open the app if a Remote Help update is required. You can use the same process to download and install Remote Help to install an updated version. It is not necessary to uninstall the previous version before installing the updated version.
- Intune administrators can download the app and deploy it to enrolled devices. For more information on app deployments, seeInstall apps on Windows devices.
- Individual users who can install applications on their devices can also download and install Remote Help.
supervision
- In May 2022, existing Remote Help users will see a recommended upgrade screen when opening the Remote Help app. Users can continue to use Remote Help without an update.
- On May 23, 2022, existing Remote Help users will see a mandatory upgrade screen when they open the Remote Help app. You cannot continue until you update to the latest version of Remote Help.
- Remote Assistance now requires Microsoft Edge WebView2 Runtime. If the Microsoft Edge WebView2 Runtime is not installed on the device during the Remote Help installation process, the Remote Help installation will install it. Uninstalling Remote Help does not uninstall the Microsoft Edge WebView2 Runtime.
Download remote help
Download the latest version of Remote Help directly from Microsoft ataka.ms/downloadremotehelp.
The latest version of Remote Help is4.0.1.13
Implement remote help as a Win32 application
To provide Remote Help with Intune, you can add the app as a Win32 Windows app and set a detection rule to identify devices that don't have the latest version of Remote Help installed. Before you can add Remote Help as a Win32 application, you must repackage itremotehelpinstaller.exeAs a.intunewinfile, which is a Win32 application file that you can deploy with Intune. For information on how to repackage a file as a Wind32 application, seePrepare Win32 application content to load.
After repackaging Remote Help as.intunewinfile, use the procedures inAdd a Win32 applicationwith the following details on how to load and implement remote help. The repackaged file is then called remotehelpinstaller.exeremote help.intunewin.
Select on the application information pageSelect the app package file, and place theremote help.intunewinFile you prepared earlier, and then selectOK.
add aEditorand then selectNext. The other information on the Application Information page is optional.
On the Schedule page, set the following options:
- ForInstall command line, we specifyremotehelpinstaller.exe /quiet acceptTerms=1
- Foruninstall command line, we specifyremotehelpinstaller.exe /uninstall /quiet acceptTerms=1
To disable automatic updates, specify enableAutoUpdates=0 as part of the install commandremotehelpinstaller.exe /quiet acceptTerms=1 enableAutoUpdates=0
Important
command line optionsaccept the termsmienable Automatic UpdatesAlways distinguish between upper and lower case.
You can leave the rest of the options at their default values and select themNextKeep going.
On the Requirements page, configure and select the following options based on your environmentNext:
- OS architecture
- minimal operating system
On the Detection Rules page, p. egrule format, selectConfiguring detection rules manuallyand then selectAddto open thedetection ruleBoard. Set the following options:
- Forrule type, selectarchive
- ForOutside, we specifyC:\Program\Remote Help
- Forfile or folder, we specifyRemoteHelp.exe
- Forverification procedure, selectstring (version)
- ForOperator, selectbetter than or equal
- Forcourage, specifies thatremote help versionyour bet. For example,10.0.22467.1000
- leavingLinked to a 32-bit application on 64-bit clientsdefined asNo
Go to the Assignments page and select one or more device groups that will install the Remote Help app.
Complete the Windows app creation for Intune to deploy and install Remote Assistance on eligible devices.
Set up remote help for your tenant
To set up your tenant to support Remote Help, review and complete the following tasks.
Task 1: Enable remote help
get intoMicrosoft Endpoint Manager Admin Centerand goes totenant management>remote help.
nothe configurationab:
- Defineenable remote helpProAbleto enable the use of remote help. By default, this settingdisabled people.
- DefineAllow remote help for unenrolled devicesProAbleif you want to enable this option. By default, this settingdisabled people.
- DefineDisable chatProSimto remove the chat feature in the Remote Help app. By default, chat is enabled and this preference is set toNo.
Selectointment .
supervision
When you buy licenses or start a trial, it can take a while to activate (between 30 minutes and 8 hours). When trying to create a remote assistance session, you may still see messages that remote assistance is not enabled for the tenant, even if you enabled remote assistance on the tenant after you enabled it.
Task 2: Configure remote help permissions
The following Intune RBAC permissions manage the use of the Remote Help app. activate eachSimgive permission:
- Category:remote help app
- Permissions:
- take full control- Otherwise
- Elevation- Otherwise
- preview screen- Otherwise
By default, the built-inhelp desk operatorthe role configures all these permissionsSim. You can use the built-in role or create custom roles to grant only the remote tasks and remote helper app permissions that you want different groups of users to have. For more information about using Intune RBAC, seeRole-based access control.
Important
If, during a remote assistance session, an assistant dies, theElevationPermission, the helper can't automatically see the sharing user's UAC prompt. Instead, a non-administrator user will see a button on the assistant's remote help toolbar that allows them to request access to the UAC prompt on the user's device. Upon request and acceptance, the helper can perform elevated actions on the user's device. When the user ends the Remote Help session, a dialog box appears warning that they will be disconnected if they continue. When the helper ends the session, the sharer does not disconnect.
Task 3: Assign roles to the user
After you create custom roles that you'll use to grant Remote Help permissions to different users, assign users to those roles.
get intoMicrosoft Endpoint Manager Admin Centerand goes totenant management>functions> and select a role that grants permissions to the Remote Help app.
Selectassignments>AssignOpen mindAdd role assignment.
nothe essentialpage, write aname of the homeworkand optionaltask descriptionand then chooseNext.
noThe administrators groupOn the page, select the group that contains the user you want to give permissions to. ChooseNext.
noScope (groups)Page, select a group that contains the users/devices that the previous member can manage. You can also select All Users or All Devices. ChooseNextKeep going.
Important
If a sharer's device is not within range of an assistant, that assistant cannot provide assistance.
noReview + Createpage, when finished, selectMourn. The new assignment appears in the assignment list.
How to use remote help
The use of remote help depends on whether you are requesting or providing help.
Ask for help
To request help, you need to contact their support team. You can get in touch by call, chat, email, etc. and you are the one who shares during the session. Be prepared to enter a security code given to you by the person serving you. Enter the code in your Remote Help instance to connect to the helper Remote Help instance.
As a participant, when you request help and you and the helper are ready to start:
Launch the Remote Help app on the device and sign in to authenticate with your organization. It might not be necessary to enroll the device in Intune if your administrator allows you to get help for unenrolled devices.
Once you've logged into the app, get the security code from the person who will help you and enter it belowget helpand then selectOf you.
After you submit the helper's security code, the helper will see information about you, including your full name, job title, company, profile photo, and verified domain. As a splitter, your app will display similar information about the helper.
At this point, the helper can request a session with full control of their device or choose to just share the screen. If they request full control, you can select the optionallow full controlOh dearreject the request. Full control must be established before the support session begins. If full control is required after the sessions have started, both users must log out and restart the remote assistance session.
After configuring the session type (Full Control or Screen Sharing), the session is set up and the helper can help troubleshoot the device.
During the service, helpers have theElevationPermission You can enter local administrator permissions on your shared device.Elevationallows the wizard to run executable programs or perform similar actions if you do not have sufficient permissions.
Once the issues are resolved, or at any time during the session, the participant or attendee can end the session. To end the session, selectleavingin the upper right corner of the Remote Help app. At the end of a session, for security reasons, the sharer is automatically disconnected from their device to ensure that all connections between devices are closed.
help
As a helper, after receiving a request from a user who needs help using the Remote Help app:
Launch the Remote Help app on your device. You can launch the app from the Microsoft Endpoint Manager admin center:
get intoMicrosoft Endpoint Manager Admin Centerand goes toDevices>all devicesand select the device you need help with.
Select on the remote action bar at the top of the device viewNew remote help session. This action opens the Remote Help application.
Alternatively, or for devices that aren't enrolled in Intune, locate the Remote Help app on your device and launch it manually. Once Remote Help opens, you'll need to sign in to authenticate with your organization.
When Remote Help opens, you must sign in to authenticate your organization. After you have logged in to the app,helpSelectReceive a security code. Remote Help generates a security code that you give to the person who requested help. Enter this code in your Remote Help instance to connect to your Remote Help instance.
As a helper, after the user enters the security code, you will see information about the user, including full name, title, company, profile picture, and verified domain. The user sees similar information about you.
At this point, you can request a full control session of the device you are sharing from, or choose to share only the screen. If you ask for full control, the sharer can do itallow full controlthe stopreject the request. Full control must be established before the support session begins. If full control is required after the sessions have started, both users must log out and restart the remote assistance session.
After determining that the session is using Shared View or Full Control, Remote Help displays a *compliance noticeif the user's device does not comply with the terms of their assigned compliance policies.
During the service, helpers have theElevationPermission You can enter local administrator permissions on your shared device.Elevationallows the wizard to run executable programs or perform similar actions if you do not have sufficient permissions.
Once the issues are resolved, or at any time during the session, the participant or attendee can end the session. To end the session, selectleavingin the upper right corner of the Remote Help app. At the end of a session, for security reasons, the sharer is automatically disconnected from their device to ensure that all connections between devices are closed.
Monitoring and Reporting
You can monitor the use of Remote Help in Microsoft Endpoint Manager.
between notMicrosoft Endpoint Manager Admin Centerand goes totenant admin>remote help.
On the Monitor tab you can view a number of active sessions and historical data about previous sessions.
On the Remote Help Sessions tab, you can view recordings of past sessions, including:
- The helper (provider ID) and sharer (recipient ID) of each session.
- The device that received support.
- The start and end time of the Remote Assistance session.
log files
Remote Help logs data during installation and during Remote Help sessions, which can be useful when investigating problems with the application.
install remote help- When Remote Help is installed or uninstalled, the following two records are created in the device users temporary folder, e.g. b.C:\Benutzer\<Benutzername>\AppData\Local\Temp. The * in the log file name represents a timestamp of when the log was created.
- Remote_Assist_*_QuickAssist_Win10_x64.msi.log
- remote_help_*.log
operational records- When using Remote Help, operational details are logged in the Windows Event Viewer:
- Event Viewer > Apps and Services > Microsoft > Windows > RemoteHelp
facilities details
The automatic creation of firewall rules has been removed from the Remote Help installer. However, system administrators can create firewall rules if necessary.
Depending on the environment in which Remote Assistance is used, it may be necessary to create firewall rules to allow Remote Assistance through Windows Defender Firewall. In situations where it is necessary, these are the Remote Help executables that should be allowed through the firewall:
- C:\Program Files\Remote Help\RemoteHelp.exe
- C:\Program Files\Remote Help\RHService.exe
- C:\Program Files\Remote Help\RemoteHelpRDP.exe
Supported languages
Remote help is supported in the following languages:
- Czech
- Danish
- Dutch
- English
- Finnish
- French
- German
- Greek
- Hungarian
- Italian
- Japanese
- Korean
- Norwegian
- pulido
- Portuguese Portugal)
- Romanian
- russian
- español
- Swedish
- turquoise
supervision
The remote help messaging feature only supports single-byte characters.
known issues
- When configuring a Conditional Access policy for appsoffice 365miOffice 365 SharePoint onlinewith the sub defined forRequires device to be marked as compatible, if a user's device is not registered or not supported, the Remote Help session will not be established. If a Conditional Access policy is configured as described above and the devices participating in the Remote Assistance session are not enrolled or not compliant, the tenant will not be able to use Remote Assistance.
What's new in Remote Help
Remote Help updates are released regularly. When we update Remote Help, you can read about the changes here.
6. September 2022
Version: 4.0.1.13 - Changes in this version:
Fixes were introduced with Remote Help 4.0.1.13 to address an issue that prevented multiple sessions from being opened at the same time. The fixes also fixed an issue where the app would launch without focus, preventing keyboard navigation and screen readers from working on startup.
Access for more informationUse remote help with Intune and Microsoft Endpoint Manager
July 26, 2022
Version: 4.0.1.12 - Changes in this version:
Introduced several fixes to resolve the "Try again later" message that appears when you are not authenticated. The fixes also include an improved auto update feature.
11. mayo 2022
Version 4.0.1.7 - Web view version 2
April 5, 2022
Version 4.0.0.0 - GA version
Next steps
Get help in the Microsoft Endpoint Manager admin center