Microsoft Remote Help Add-On for MEM/InTune

Given that a remote assistance tool is built into the Microsoft Endpoint Configuration Manager solution (formerly SCCM), many customers have asked me whether similar functionality exists in InTune. Up until this point, third-party TeamViewer integration was the only option. While having the ability to integrate with TeamViewer is nice, not all customers have the required enterprise TeamViewer license already, and personally I wasn’t super impressed with the experience in the demos I witnessed, so it was exciting news for me when Microsoft committed to developing an integrated solution.

Deployment & Configuration

To get started, you must purchase the “Remote Help Add On” SKU from Microsoft 365. This license is not included with any of the existing SKU bundles, so you’ll need to purchase it as an add-on license through the same means you use to acquire your Microsoft 365 licenses today. The MSRP is $42.00/year or $3.50/month and these are user-based licenses. You will need a license for every user you intend to perform remote help assistance with as well as any technicians/admins.

Once you’ve purchased and assigned your licenses, the tenant-wide configuration settings will become available in the MEM management console.

Two tenant-wide settings exist at present:

  • Enable Remote Help – Enable remote help for managed devices to be initiated from Microsoft Endpoint Manager
  • Allow remote help to unenrolled devices – Enabling this option will allow help to devices that aren’t enrolled with Intune.

Remote Help uses RBAC in InTune to set permissions for helpers. You can either ensure all your helpers have at least the “Help Desk Operator” role assigned, or create custom roles in InTune to assign specific permissions. In the latter model, it would be possible to scope users’ remote help privileges to only certain endpoints via InTune scope tags. If you choose the Help Desk Operator role route, the following sub-permissions are set to Yes by default:

  • Take full control
  • Elevation
  • View Screen

Once you’ve configured your tenant settings and helper permissions, you can proceed by pushing out the Win32 app to both the “helper” and “sharer” devices. This part honestly took some of the wind out of my sails… I was expecting to see a tightly integrated, click to enable, browser-based assistance solution but it appears that isn’t the case – at least for now. The latest version of the app can be downloaded from aka.ms/downloadremotehelp. You then use the same process to deploy the app to Windows devices as with any other Win32 app in InTune: Microsoft Win32 Content Prep Tool. The Remote Help app, by default, will self-update via automatic updates. It is possible to opt out of automatic updates when installing the app by using the install command: remotehelpinstaller.exe /quiet acceptTerms=1 enableAutoUpdates=0
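An install wrapper that could be packaged alongside the installer, added here as an example (it is not from Microsoft or from the original post): it checks the Authenticode signature before running the install command quoted above. The script parameters, the exit codes 2 to 4 and the expected signer string "O=Microsoft Corporation" are assumptions to adjust for your environment.

```powershell
# Added example: install wrapper for a Win32 app package.
# Assumptions: the installer sits next to this script, and the expected
# signer organization is "Microsoft Corporation" (verify against your copy).
[CmdletBinding()]
param(
    [string]$InstallerPath = (Join-Path $PSScriptRoot 'remotehelpinstaller.exe'),
    [string]$ExpectedSigner = 'O=Microsoft Corporation',
    [switch]$DisableAutoUpdates
)

if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
    Write-Error "Installer not found: $InstallerPath"
    exit 2
}

# Refuse to run a binary whose Authenticode signature is missing, broken,
# or issued to someone other than the expected publisher.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    Write-Error "Signature status is '$($sig.Status)'; not installing."
    exit 3
}
if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
    Write-Error "Unexpected signer: $($sig.SignerCertificate.Subject)"
    exit 4
}

# Record the hash so the deployed binary can be matched to the packaged one.
$hash = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
Write-Output "Installing $InstallerPath (SHA256 $hash)"

# Install arguments are the ones given in the post; automatic updates stay
# on (the default) unless -DisableAutoUpdates is passed.
$installArgs = @('/quiet', 'acceptTerms=1')
if ($DisableAutoUpdates) { $installArgs += 'enableAutoUpdates=0' }

# Wait for the installer and hand its exit code back to the caller.
$proc = Start-Process -FilePath $InstallerPath -ArgumentList $installArgs -Wait -PassThru
exit $proc.ExitCode
```

If you pass -DisableAutoUpdates, the app no longer updates itself, so new versions have to be repackaged and redeployed through InTune.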

Remote Help In Action

OK – we are now ready to give this remote assistance experience a go! As a helper, you can simply initiate a session to a device by browsing to the device in the MEM Administrative Console and clicking on the New remote help assistance device action. Doing so pops up a new menu where you will click a link to Launch Remote Help.

If you successfully deployed the Remote Help app on your helper machine, the Win32 Remote Help app should open automatically (after perhaps a security prompt the first time ensuring you want to allow this action). Once signed into the app, you’ll see two different options: Get Help and Give Help.

In an ideal world for the InTune technician, simply clicking to initiate a session with a sharer would start a prompt to exchange a security code and then the session would initiate, but alas – it seems for now there will be a bit more to this for the end-user. Under the option to Give help, click Get a security code. You’ll be shown a one-time security code that must be entered by the sharer within 10 minutes.

The sharer must now be instructed to find and open the Remote Help app on their Windows device and enter the security code. This means the helper and the sharer will need to be conversing either via a call or chat. It’s not ideal and it leaves room for error from the end user in finding the app and correctly entering the security code, but that functionality seems to mirror other solutions on the market such as TeamViewer. For now, it seems I will just have to keep reminiscing about how easy it was to help users in the “olden days” with SCCM Remote Assist functionality.

Upon successful connection, the helper will be given the option to either View Screen or Take Full Control.

The sharer needs to, once again, Allow the screen share/control session from their end in order for the session to start. In view screen only, the helper can annotate on the sharer’s screen but that’s it. Full control allows for helper control of the sharer’s device. Another somewhat disappointing aspect is that if full control is required after the session starts, both users must disconnect and restart the remote help session.

Curious if the solution is being used or need to pull audit logs to monitor remote help sessions? We can do that from directly within the MEM Administrative Console. You’ll need to search for it under Tenant Administration > Remote Help > Remote Help Sessions as it’s not with the rest of the built-in reports like I would have assumed.

Things to Keep in Mind

If you inspect or filter outbound traffic from your devices or networks, it’s important to make sure you review the necessary network endpoints and communications protocols listed in Remote Help Network Considerations. While most network rules do allow for outbound TCP 443, the requirement for allowing outbound RDP (TCP 3389) might not be something that’s allowed by default. I could see this requirement potentially causing issues for users on some public wireless networks where traffic is generally limited to web-browsing only.

One other caveat of Remote Help is that it requires both the helper and the sharer to authenticate to the same Azure Active Directory tenant. In other words, you cannot help individuals from another organization or Microsoft 365 environment as each user has their own instance of Azure Active Directory they authenticate against. This one tripped me up a bit during testing as my work device is joined to my organization’s Azure AD while my demo lab has a separate Microsoft 365 subscription/Azure AD and I couldn’t find a way to run the Remote Help app as another user. When clicking the sign in button, you don’t get any options to provide other credentials; it just SSOs automatically using the logged-in user.

Remote help is currently not available for GCC, GCC High or DoD tenants. At present, only Windows 10/11 endpoints are supported for remote help and your organization must have a subscription to InTune to take advantage of the solution.

Conclusion

While there are several shortcomings in this first release, I remain hopeful that this solution will continue to be further developed and perhaps make it feel less like a third-party solution that is bolted on after the fact. I’d also really like to see this end up as multi-platform someday, which I can only imagine is in the works. I’ll just keep my eyes on the release notes for the time being.

Updated: 2022-05-14 — 7:20 pm