Intune Remote Help

Remote Help is a new feature of Intune which allows you to remotely help a user. It is based on the Quick Assist tool found in Windows 10 and 11, but with several improvements - both parties need to be logged in with an Azure AD account in your tenant, and the helper can run elevated commands. There is also a RBAC role for controlling what level of access helpers have - e.g. view only or full control, whether they can interact with elevated windows.

During the pandemic I struggled with remote support on devices especially where we needed to run something elevated, which is not supported by Quick Assist, and Configuration Manager's remote control wouldn't work from outside the network, so Remote Help does look like a good step forward. Unfortunately it is not included in any of the usual licences (E3/E5) and is a paid-for extra. Unusually for this kind of tool, they are charging per user, rather than per technician, at time of writing the published price is $3.50 per user per month - for any reasonable sized company that will mean a huge cost, much more than TeamViewer which has been integrated into Intune for a while now. The licensing requirements for this are:

• Intune licence
• Windows 10 or 11
  

Configuring Remote Help

Before we can use Remote Help, we need to enable it. Go to MEM Admin Centre > Tenant admin > Remote help, click on Configure, then enable remote help.

Assigning Permissions

There are three new RBAC permissions used by Remote Help:

• View Screen gives permission to view the sharer's screen
• Elevation allows the helper to view elevated windows such as UAC prompts
• Take full control allows the helper to take control of the session
  

The built-in Help Desk Operator role sets these three permissions to Yes by default, if you wish you can create a custom role, for example a view-only role which cannot interact with anything or view elevated windows.

Assign the users or groups to the roles as suits your needs. For help with role based access control (RBAC) in Intune, see the Microsoft docs.

Installing Remote Help

Remote Help needs to be installed on all devices where your technical staff will be helping from, and on all end user devices where you want users to receive support. It can be downloaded from aka.ms/downloadremotehelp and deployed as a Win32 app in Intune. Unfortunately there is not a pre-packaged intunewin file for Remote Help and you have to make your own - see my previous post for instructions on creating a Win32 app. You will need the following settings when adding the app to Intune:

• Install command line remotehelpinstaller.exe /install /quiet acceptTerms=Yes
• Uninstall command line remotehelpinstaller.exe /uninstall /quiet acceptTerms=Yes
• Detection Rule
  • Rule type File
  • Path %PROGRAMFILES%\Remote help
  • File or folder RemoteHelp.exe
  • Detection method File or folder exists
  • Associated with a 32-bit app No
    

Helping a User

Initially you will need to make contact with the user, e.g. through your service desk or other support channels, and direct them to open the Remote Help application on their device, where they will be prompted to sign in with an organisational account. You then need to browse to their device within the MEM admin centre, and from the device's Overview screen click on the expand menu button, then New remote assistance session.

You should now see a screen with a link to launch remote help, so click on the link. This will open the Remote Help app on your device, and require you to sign in with your Azure AD account. Alternatively you could just open the Remote Help application on your device as going through the admin centre doesn't appear to do anything specific to the device you wish to access.

• As with Quick Assist, you'll then need to click Get a security code, and then share the security code with the user you wish to assist. They will then need to enter the security code to begin the session.
• The helper is asked if they want a view-only or full control session. If you connect in view-only you can't subsequently change to full control without quitting and starting a new session. The interface shows you the user's profile photo, name, the tenant name and the tenant's primary domain name.
  

  

• The end user is then shown a similar screen, with the helper's profile details, the session type (view or control) and asked whether they want to allow or decline the screen share.
• Once accepted, the remote window will appear. A useful tool in view-only mode is Annotate, as pictured in the screenshot.
  

  

• The user can pause the session at any time through their toolbar, and still has control of keyboard/mouse when you are in full control mode.
• In full control mode you also get a Task Manager button, which opens task manager on the end-user device.
• Either party can end the session by closing the window.
  

The Microsoft Docs states that where a user has connected in full control mode and elevated a window/application, that the user is signed out when the remote help session ends to make sure elevated permissions are cleared from the device. This didn't happen whenever I tested it but it may be part of a future update so something to be aware of.

Logging and Troubleshooting

Some usage data is logged for each session. If you go to MEM Admin Centre > Tenant admin > Remote help you should see some graphs on the Monitor page, showing current session count, average session length and a chart of total sessions per day. Clicking onto the Remote help sessions screen you'll get a list of each session, who was providing the help, and who received the help, along with their device name, OS, and session start/end date and time.

If you have difficulty establishing a session, make sure that all the required endpoints are accessible. The full list is available on the docs page.

Further Reading

• Use Remote Help with Intune and Microsoft Endpoint Manager
• Role Based Access Control (RBAC) with Intune