- Remote help for Intune and Microsoft Endpoint Manager - Tue, Jan 25 2022
The ability to control a device remotely, especially for ServiceDesk, is a crucial function when it comes to supporting end users and helping them out. Being able to do this wherever a device is connected is a must-have in the modern workplace era. Today, Intune integrates with TeamViewer, which makes it easier for ServiceDesk to launch a remote session with a client.
But now we have remote help in preview in the MEM portal. Remote help builds on Quick Assist and looks and feels a lot like it. However, it has features that we are missing in Quick Assist, such as logging and control over which tenant the accounts remotely controlling a device come from. Extremely important features!
With the release of Configuration Manager 2112 Technical Preview, we also learned that the feature in MEMCM to remotely control computers through the Cloud Management Gateway, which has been in Technical Preview for a couple of years, will never be released and will be removed from Technical Preview, which is sad.
Remote help overview
At the time of this writing, remote help is in preview. We know there will be an additional cost for it, but we don't know yet whether it will be an add-on license or how it will be licensed. However, there will be a cost for it when it becomes generally available. Compared to Quick Assist, remote help requires you to use an organizational account, which is extremely important!
What happens when you try to log on using an AAD account from another tenant? You will receive a message that you signed in with the wrong account.
When launching it for the first time, the end user gets information about privacy and what information will be shared with the controlling person.
It works great over all connections, just like Quick Assist; it uses TLS 1.2 over 443 and connects to Microsoft endpoints. More information on ports can be found here.
Remote help works well and has all the important features, as I see it:
- UAC—elevation support
- Remote control
- Multimonitor support
It also performs well. Be sure to test it out!
What are we missing, then? One thing we are missing is unattended remote control, where we have the need to control a kiosk device remotely, for example. But hopefully, these features will come later; time will tell.
Remote help is enabled under Tenant admin > Connectors and tokens. It is also here that we configure whether remote help to unenrolled devices is allowed. This setting enables remote control for users on unenrolled devices who are having issues enrolling their device.
We also have all the necessary auditing and reporting in the Endpoint Manager portal, which is a huge requirement for a product like this.
When we control a client remotely, it is very much the same as when we use Quick Assist. The remote controller needs to get a security key, and the end user needs to enter it to start the session.
Just like with Quick Assist, the end user being controlled remotely enters the code. The screenshot below shows the tools we have available when controlling a device remotely.
Install the remote help client
The remote help client needs to be deployed to all clients; it is a separate download that is downloaded and installed from here: https://aka.ms/downloadremotehelp.
To install it, run this command:
remotehelpinstaller.exe /install /quiet acceptTerms=Yes
Note that the remote help client does not auto-update; we need to manually deploy an updated version when one is released. I found myself looking for the Autoupdate feature, as many apps have that today.
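Because the client does not update itself, the deployment has to work as both a first install and an upgrade. The wrapper below is an added example, not Microsoft's or the author's script: it skips devices that already run the required version, checks the installer's Authenticode signature before running it, and confirms the result afterwards. The install path and the `$RequiredVersion` placeholder are assumptions to confirm on a test device.

```powershell
# Added example: install/upgrade wrapper for the remote help client.
param(
    # Placeholder: set this to the version of the release you are deploying.
    # With the default 0.0.0.0, any existing install counts as current.
    [version]$RequiredVersion = '0.0.0.0',
    [string]$Installer    = (Join-Path $PSScriptRoot 'remotehelpinstaller.exe'),
    # Assumed install location; confirm it on a test device.
    [string]$InstalledExe = 'C:\Program Files\Remote help\RemoteHelp.exe'
)

function Get-InstalledVersion {
    # Returns the installed client's file version, or $null if it is absent.
    if (Test-Path -LiteralPath $InstalledExe) {
        return (Get-Item -LiteralPath $InstalledExe).VersionInfo.FileVersionRaw
    }
    return $null
}

$current = Get-InstalledVersion
if ($current -and $current -ge $RequiredVersion) {
    Write-Output "Remote help $current is already current."
    exit 0
}

if (-not (Test-Path -LiteralPath $Installer)) {
    Write-Error "Installer not found: $Installer"
    exit 1
}

# Only run a package whose signature is intact, chains to a trusted root,
# and names Microsoft as the signer.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    Write-Error "Refusing to run installer, signature status: $($sig.Status)"
    exit 1
}

# Same arguments as the install command shown above.
$proc = Start-Process -FilePath $Installer -Wait -PassThru `
    -ArgumentList '/install', '/quiet', 'acceptTerms=Yes'
if ($proc.ExitCode -notin 0, 3010) { exit $proc.ExitCode }  # 3010 = reboot required

$after = Get-InstalledVersion
if (-not $after -or $after -lt $RequiredVersion) {
    Write-Error "Install finished but version is '$after', expected $RequiredVersion or later."
    exit 1
}
Write-Output "Remote help $after installed."
exit 0
```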
Role-based access control (RBAC)
Of course, it is very important to be able to delegate who can remotely control a client. We have three different roles to delegate in Intune.
We will focus on elevation. That permission is important, as it will affect the end user; the other two permissions are rather self-explanatory.
If the user who remotely controls the device has the "elevation" permission, the end user being remotely controlled will immediately be signed out when the remote help session ends. From a security perspective, this makes sense, but it would make more sense if the end user were logged off if elevation was used and the remote session was suddenly ended by a network issue, for example.
This behavior also depends on the option the person who remotely controls the device chooses when connecting. If only View Screen is used, then the end user is not logged off; they are only logged off if the "Take Full Control" option is used.
If you elevate a command prompt and then are suddenly disconnected, that would be a security issue, as the end user has an admin prompt open; this makes total sense.
To summarize, remote help works well. Be sure to test it out! Beware of the logoff for the end user if the elevation permission is used.