Source: https://www.prajwaldesai.com/intune-remote-help-in-endpoint-manager/
The Remote Help is a new feature in Intune to remotely assist mobile devices managed by Microsoft Endpoint Manager. Let’s explore the Intune Remote Help solution in detail.
In this guide, you will learn what is remote help solution, prerequisites for using remote help feature, how to enable and configure the remote help for your Intune tenant.
The goal of this article is to make it easy and simple for you to understand about the remote help solution offered by Microsoft and how to use it.
Microsoft constantly adds new features to Intune (MEM) and most of them are a part of Public Preview. The new features that are being actively developed, and may not be complete are made available on a “Preview” basis.
You can find the Preview features with a (preview) tag in MEM portal and Intune Remote Help is one example of new preview feature that was added by Microsoft. After thorough testing, the Remote Help feature will move from Public Preview to GA.
To make it easier, similar to what Microsoft does, let’s use these two terms while we learn about the new remote help feature in Intune.
- Helper – The helper is the IT Support Personnel (also known as support staff). The helper is responsible for providing support to a remote user.
- Sharer – The remote user who requires IT assistance and is willing to share the session with Helper via Remote help app.
In the past, Microsoft announced TeamViewer as remote assistance solution in Intune. The TeamViewer service allows Intune managed PC users to get remote assistance help from their IT admins.
But when you try the Remote help app in Intune, you are definitely going to prefer it over the Team Viewer Solution.
Microsoft will add more updates to Intune remote help app in coming months. So, let’s wait and see what new features can we get to see in the remote help app.
Table of Contents
- What is Remote Help in Microsoft Endpoint Manager (Intune)?
- Prerequisites for using Remote Help in Intune
- Firewall Requirements for Intune Remote Help
- Enable Remote Help for your Intune Tenant
- Configure RBAC Permissions for Remote Help Solution
- Create Custom Roles for Intune Remote Help
- Download and Install Microsoft Remote Help App
- How to use Remote Help App
- Monitor Remote Help Sessions in Intune
- Intune Remote Help App Log files for Troubleshooting
What is Remote Help in Microsoft Endpoint Manager (Intune)?
According to Microsoft, Remote Help is an application that works with Intune and enables your front-line workers to get assistance when needed over a remote connection.
Your support staff can remotely connect to the user’s device using the Intune remote help app. Upon successful connection, a secure session is established between the connected devices.
It’s through your Azure Active Directory (Azure AD) that the proper trusts are established for the remote help sessions.
During the remote help session, the IT personnel can view device’s display and can also take full control (if permitted by device user).
Your support staff can either view the display and suggest the changes or take full control to directly make configurations or take actions on the device.
Remote help uses Intune role-based access controls (RBAC) to set the level of access a helper is allowed. Through RBAC, you determine which users can provide help and the level of help they can provide.
The remote help app is available from Microsoft to install on both devices enrolled with Intune and devices that aren’t enrolled. The app can also be deployed through Intune to your managed devices.
Prerequisites for using Remote Help in Intune
To use the Intune Remote help solution, the following prerequisites are required.
- Intune Subscription – Since the remote help is a feature of Intune, a valid Intune subscription is required.
- Windows 10/11 – Only Windows 10 and Windows 11 devices are supported for remote help.
- Remote help application – Remote help is available as download from Microsoft and must be installed on each device before that device can be used to participate in a remote help session.
- Permissions to use Remote Help – This is discussed under the topic “Configure RBAC Permissions for Remote Help Solution”.
Firewall Requirements for Intune Remote Help
The table below lists all the firewall requirements for Intune Remote app to work.
| Domain/Name | Description |
| *.support.services.microsoft.com | Primary endpoint used for the remote help application |
| *.resources.lync.com | Required for the Skype framework used by remote help |
| *.infra.lync.com | Required for the Skype framework used by remote help |
| *.latest-swx.cdn.skype.com | Required for the Skype framework used by remote help |
| *.login.microsoftonline.com | Required for logging in to the application (AAD). Might not be available in preview in all markets or for all localizations. |
| *.channelwebsdks.azureedge.net | Used for chat services within remote help |
| *.aria.microsoft.com | Used for accessibility features within the app |
| *.api.support.microsoft.com | API access for remote help |
| *.vortex.data.microsoft.com | Used for diagnostic data |
| *.channelservices.microsoft.com | Required for chat services within remote help |
Firewall Requirements for Intune Remote Help
Note – Remote help communicates over port 443 (HTTPS) and connects to the Remote Assistance Service at https://remoteassistance.support.services.microsoft.com by using the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2.
Enable Remote Help for your Intune Tenant
Enabling remote help will allow users on enrolled devices to get assistance via the remote help app.
The steps to enable the remote help feature for your Intune tenant are as follows:
- Sign in to Microsoft Endpoint Manager admin center.
- Go to Tenant administration > Connectors and tokens > Remote help (preview).
- On the Settings tab: Set Enable remote help to Enabled to allow use of Intune remote help.
- Select Save to apply the settings.
There is another option called “Allow remote help to unenrolled devices“. Enabling this option will allow users to receive help on devices that are not enrolled in MEM.
Configure RBAC Permissions for Remote Help Solution
In order to be able to use Remote help solution, you will need to be assigned the proper permissions.
You can use the built-in role or create custom Intune roles to grant only the remote tasks and remote help app permissions that you want different groups of users to have.
The following Intune RBAC permissions manage use of the remote help app:
- Take Full Control – Yes or No. This is the highest level of permissions that a remote help user can have. Full control enables a helper to directly make configurations or take actions on the device.
- Elevation – Yes or No. Allows helper to interact with the UAC prompt on end-user’s device.
- View Screen – Yes or No. A remote help app user who has view screen permissions is allowed to only view the screen.
If you want to create custom roles to grant only the remote tasks and remote help app permissions for users or groups, here are my suggestions.
You can create 3 roles for remote help app and assign the permissions accordingly.
- Remote Help – Full Control
- Remote Help – Elevation
- Remote Help – View Screen
If you are still testing the remote help feature, you can use the built-in “Help Desk Operator” role in Intune. The Help Desk Operator role sets all of these permissions to Yes.
From the below screenshot, you can see that the Help Desk Operator role has all the permissions – Elevation, View Screen and Take full control.
Create Custom Roles for Intune Remote Help
You can create a custom Intune role for remote help users with following steps:
- Sign in to Microsoft Endpoint Manager admin center.
- Go to Tenant administration > Roles.
- To create a new custom role, select Create.
As an example, I will create a new custom role that allows users to have full control while using remote help app.
On the Add Custom Role > Basics tab, specify the name of the role as Remote Help – Full Control. Add a nice description and click Next.
On the Permissions tab, from the list of permissions, select Remote help app. Configure the following permissions.
- Elevation – Yes
- View Screen – Yes
- Take Full control – Yes
Click Next.
On the Scope tags section, select the scope tags. You can use scope tags to make sure that the right admins have the right access and visibility to the right Intune objects.
The default scope tag is automatically added to all untagged objects that support scope tags.
Click Next.
On the Review+Create tab, review the permissions and select Create. This completes the steps to create custom roles for Intune remote help app.
Using the same procedure described above, you can create 2 new roles, Remote Help – Elevation and Remote Help – View Screen by assigning proper permissions.
I’ve chosen to create 3 unique roles for each of those permissions. See below screenshot.
Download and Install Microsoft Remote Help App
Remote help must be installed on each device before that device can be used to participate in a remote help session.
You can download the latest version of remote help directly from Microsoft at aka.ms/downloadremotehelp. Save the RemoteHelp.exe installer, and we will now install it.
To install remote help app, double-click the RemoteHelp.exe file. On the Remote help welcome screen, select I accept the Microsoft License Terms and click Install.
The remote help app installation is in progress.
The Intune Remote help app is now installed.
How to use Remote Help App
The usage of the Remote help app is split into two scenarios:
- Give Help – You provide the help via the remote app
- Get Help – You require assistance from the IT
To launch the remote help app, click Start > Type “Remote Help” in search box, select Remote Help app.
On the login screen, sign in with your Microsoft organizational account.
Before you start to use the remote help app, you will have to accept the following terms.
To use this app, we’ll need to share some information about you with the person you’re helping or receiving help from. This information is used to verify your identity.
We may share the following information:
- First and last name
- First name and first initial of last name
- Email address
- Profile picture
- Company name (if applicable)
- Company domain (if applicable)
- Job title
We recommend closing any unnecessary apps and files you don’t want the other person to see.
If you have read the terms, click Accept.
After you successfully sign in to remote help app with your organizational account, you have 2 options.
- Get Help – The Get Help allows someone you trust to take control of your device and provide assistance.
- Give help – You help someone who is remote to solve a problem.
Let’s select Give Help. Click Get a security code.
Remote help generates a security code that you’ll share with the person who has requested assistance.
The sharer has to enter this code in their instance of remote help to establish a connection to your remote help instance.
By default, the security code expires in 10 minutes after you generate it. In case the security code is expired, you can generate a new code.
Once you share the security code to the sharer, the user must launch the Remote Help app and enter the same code and hit Submit button.
The remote help app now verifies the security code and initiates the connection.
The following information is displayed to the helper who is ready to help the remote user.
The remote user is ready for your help. We recommend requesting screen sharing if you don’t need to control the device.
There are two options to choose from:
- Take full control
- View screen
Depending upon the requirement, select one option. For example, let’s test the full control option.
The user at the other end (Sharer) receives the following message.
Remote user is asking for full control of your device. Remember to close anything you don’t want to see them.
The remote user can now Allow or Decline the full control. Assume that user clicks Allow button.
The below screenshot shows the remote help in action. The support staff has full control over the remote computer and provide further assistance.
After the issues are resolved, or at any time during the session, both the sharer or helper can end the session.
To end the session, select Leave in the upper-right corner of the remote help app. Upon the end of a session, the sharer is automatically signed out of their device as a security precaution to ensure all connections between the devices close.
Monitor Remote Help Sessions in Intune
You can monitor the use of remote help from within Microsoft Endpoint Manager (Intune).
- Sign in to the Microsoft Endpoint Manager admin center.
- Go to Tenant administration > Connectors and tokens > Remote help (preview).
- On the Monitor tab, you’ll see a count of active sessions and historical data about past sessions.
On the Remote help sessions tab, you’ll see the records of past sessions, including:
- Provider ID – The helper ID of each session.
- Recipient ID – The recipient ID of each session.
- Recipient First Name – First name of the recipient.
- Recipient Last Name – Last name of the recipient.
- Device Name – The hostname of the device.
- OS – Operating System Details of the Device.
- Session Start – The Time when the Remote Help Session Started.
- Session End – The Time when the Remote Help Session Ended.
Intune Remote Help App Log files for Troubleshooting
When you use the remote help app, the remote help logs data during installation and during remote help sessions can be of use when investigating issues with the app.
When you install the remote help app or uninstall it, the following two logs are created in the device user’s Temp folder. Every user account has the temp folder created in the following location – C:\Users\username\AppData\Local\Temp
The * in the log file name represents a date and time stamp of when the log was created.
The below two log files can be used for troubleshooting issues with Intune remote help app.
- Remote_help_QuickAssist_Win10_x64.msi.log
- Remote_help.log
Operational logs – During the use of Intune remote help app, operational details are logged in the Windows Event Viewer.
The path of operational logs for Intune remote help app is Event Viewer > Application and Services > Microsoft > Windows > RemoteHelp.