1. Remote Help
Reference: Remotely assist users that are authenticated by your organization. | Microsoft Learn
Remote Help is a cloud-based solution for secure help desk connections with role-based access controls. With the connection, your support staff can remote connect to the user’s device. During the session, they can view the device’s display and if permitted by the device user, take full control. Full control enables a helper to directly make configurations or take actions on the device.
This feature applies to:
- Windows 10/11
In this article, we’ll refer to the users who provide help as helpers, and users that receive help as sharers as they share their session with the helper. Both helpers and sharers sign in to your organization to use the app. It’s through your Azure Active Directory (Azure AD) that the proper trusts are established for the Remote Help sessions.
- Remote Help uses Intune role-based access controls (RBAC) to set the level of access a helper is allowed. Through RBAC, you determine which users can provide help and the level of help they can provide.
- The Remote Help app is available from Microsoft to install on both devices enrolled with Intune and devices that aren’t enrolled. The app can also be deployed through Intune to your managed devices.
Remote Help capabilities and requirements:
- Enable Remote Help for your tenant – By default, Intune tenants aren’t enabled for Remote Help. If you choose to turn on Remote Help, its use is enabled tenant-wide. Remote Help must be enabled before users can be authenticated through your tenant when using Remote Help.
- Use Remote Help with unenrolled devices – Disabled by default, you can choose to allow help to devices that aren’t enrolled with Intune.
- Requires Organization login – To use Remote Help, both the helper and the sharer must sign in with an Azure Active Directory (Azure AD) account from your organization. You can’t use Remote Help to assist users who aren’t members of your organization.
- Compliance Warnings – Before connecting to a user’s device, a helper will see a non-compliance warning about that device if it’s not compliant with its assigned policies. This warning doesn’t block access but provides transparency about the risk of using sensitive data like administrative credentials during the session.
- Helpers who have access to device views in Intune will see a link in the warning to the device properties page in the Microsoft Intune admin center. This allows a helper to learn more about why the device is not compliant.
- Unenrolled devices are always reported as non-compliant. This is because until a device enrolls with Intune it can’t receive policies from Intune and as such is unable to establish its compliance status.
- Role-based access control – Admins can set RBAC rules that determine the scope of a helper’s access, like:
- The users who can help others and the range of actions they can do while providing help, like who can run elevated privileges while helping.
- The users that can only view a device, and which can request full control of the session while assisting others.
- Elevation of privilege – When needed, a helper with the correct RBAC permissions can interact with the UAC prompt on the sharer’s machine to enter credentials. For example, your Help Desk employees might enter their administrative credentials to complete an action on the sharer’s device that requires administrative permissions.
- Monitor active Remote Help sessions, and view details about past sessions – In the Microsoft Intune admin center you can view reports that include details about who helped who, on what device, and for how long. You’ll also find details about active sessions.
For unenrolled devices, auditing and reporting about the Remote Help sessions is limited.
Prerequisites
Referenced: Remotely assist users that are authenticated by your organization. | Microsoft Learn
- Intune subscription
- Remote Help add on license or an Intune Suite license for all IT support workers (helpers) and users (sharers)
- Windows 10/11
- The Remote Help app for Windows. See Install and update Remote Help
Network considerations
Referenced: Remotely assist users that are authenticated by your organization. | Microsoft Learn
- Remote Help communicates over port 443 (https) and connects to the Remote Assistance Service at https://remoteassistance.support.services.microsoft.com by using the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2.
Both the helper and sharer must be able to reach these endpoints over port 443:
Domain/Name | Description |
*.aria.microsoft.com | Used for accessibility features within the app |
*.events.data.microsoft.com | Microsoft Telemetry Service |
*.monitor.azure.com | Required for telemetry and remote service initialization |
*.support.services.microsoft.com | Primary endpoint used for the Remote Help application |
*.trouter.skype.com | Used for Azure Communication Service for chat and connection between parties |
*.aadcdn.msauth.net | Required for logging in to the application (AAD) |
*.aadcdn.msftauth.net | Required for logging in to the application (AAD) |
*.edge.skype.com | Used for Azure Communication Service for chat and connection between parties |
*.graph.microsoft.com | Used for connecting to the Microsoft Graph service |
*.login.microsoftonline.com | Required for Microsoft login service. Might not be available in preview in all markets or for all localizations |
*.remoteassistanceprodacs.communication.azure.com | Used for Azure Communication Service for chat and connection between parties |
Allow list for Microsoft Edge endpoints | The app uses Edge WebView2 browser control. This article identifies the domain URLs that you need to add to the allow list to ensure communications through firewalls and other security mechanisms |
Data and privacy
Microsoft logs a small amount of session data to monitor the health of the Remote Help system. This data includes the following information:
- Start and end time of the session. This information is stored on Microsoft servers for 30 days.
- Who helped whom and on what device. This information is stored on Microsoft servers for 30 days.
- Errors arising from Remote Help itself, such as unexpected disconnections. This information is stored on the sharer’s device in the event viewer.
- Features used inside the app such as view only and elevation. This information is stored on Microsoft servers for 30 days.
Remote Help logs session details to the Windows Event Logs on the device of both the helper and sharer. Microsoft can’t access a session or view any actions or keystrokes that occur in the session.
The helper and sharer both see the following information about the other individual, taken from their organizational profiles:
- Their organization profile picture (if present)
- Company name
- Verified domain
- First and Last name
- Job title
- Microsoft does not store any data about either the sharer or the helper for longer than 30 days.
2. Install and update Remote Help
Referenced: Remotely assist users that are authenticated by your organization. | Microsoft Learn
Remote Help is available as download from Microsoft and must be installed on each device before that device can be used to participate in a Remote Help session.
Download Remote Help
- Download the latest version of Remote Help direct from Microsoft at aka.ms/downloadremotehelp.
- The most recent version of Remote Help is 4.2.1167.0
Updates
- By default, users will be opted into automatic updates and Remote Help will update itself when an update is available.
- For users that opted out of automatic updates, when an update to Remote Help is required, users are prompted to install that version of Remote Help when the app opens. You can use the same process to download and install Remote Help to install an updated version. There’s no need to uninstall the previous version before installing the updated version.
Deploy Remote Help as a Win32 app
To deploy Remote Help with Intune, you can add the app as a Windows win32 app, and define a detection rule to identify devices that don’t have the most current version of Remote Help installed. Before you can add Remote Help as a Win32 app, you must repackage remotehelpinstaller.exe as a .intunewin file, which is a Win32 app file you can deploy with Intune. For information on how to repackage a file as a Wind32 app, see Prepare the Win32 app content for upload.
After you repackage Remote Help as a .intunewin file, use the procedures in Add a Win32 app with the following details to upload and deploy Remote Help. In the following, the repackaged remotehelpinstaller.exe file is named remotehelp.intunewin.
- On the App information page, select Select app package file, and locate the remotehelp.intunewin file you’ve previously prepared, and then select OK.
- Add a Publisher and then select Next. The other details on the App Information page are optional.
- On the Program page, configure the following options:
- For Install command line, specify remotehelpinstaller.exe /quiet acceptTerms=1
- For Uninstall command line, specify remotehelpinstaller.exe /uninstall /quiet acceptTerms=1
- To opt out of automatic updates, specify enableAutoUpdates=0 as part of the install command remotehelpinstaller.exe /quiet acceptTerms=1 enableAutoUpdates=0
Note
The command line options acceptTerms and enableAutoUpdates are always case sensitive.
On the Detection rules page, for Rules format, select Manually configure detection rules, and then select Add to open the Detection rule pane. Configure the following options:
- For Rule type, select File
- For Path, specify C:\Program Files\Remote Help
- For File or folder, specify RemoteHelp.exe
- For Detection method, select String (version)
- For Operator, select Greater than or equal to
- For Value, specify the version of Remote Help you are deploying. For example, 10.0.22467.1000
- Leave Associated with a 32-bit app on 64-bit clients set to No
Proceed to the Assignments page, and then select an applicable device group or device groups that should install the Remote Help app. Remote Help is applicable when targeting group(s) of devices and not for User groups.
3. Configure Remote Help for your tenant
To configure your tenant to support Remote Help, review and complete the following tasks.
Tasks in this process:
- #6595 – Task 1 – Enable Remote Help
- #6596 – Task 2 – Configure permissions for Remote Help
- #6597 – Task 3 – Assign user to roles
Referenced: Remotely assist users that are authenticated by your organization. | Microsoft Learn
4. How To Use Remote Help
The use of Remote Help depends on whether you’re requesting help or providing help.
5. Monitoring and Reports
You can monitor the use of Remote Help from within the Microsoft Intune admin center.
- Sign into the Microsoft Intune admin center and go to Tenant admin > Remote Help.
- On the Monitor tab, you’ll see a count of active sessions and historical data about past sessions.
- On the Remote Help sessions tab, you’ll see the records of past sessions, including:
- The helper (Provider ID) and sharer (Recipient ID) of each session.
- The device that received assistance.
- The start and end time of the Remote Assistance session.
6. Log Files
Remote Help logs data during installation and during Remote Help sessions, which can be of use when investigating issues with the app.
Installation of Remote Help –
When Remote Help installs or uninstalls, the following two logs are created in the device users’ Temp folder, for example, C:\Users\<username>\AppData\Local\Temp. The * in the log file name represents a date and time stamp of when the log was created.
- Remote_help_*_QuickAssist_Win10_x64.msi.log
- Remote_help_*.log
Operational logs – During use of Remote Help, operational details are logged in the Windows Event Viewer:
- Event Viewer > Application and Services > Microsoft > Windows > RemoteHelp
7. Installation Details, Firewall
Automatic firewall rule creation from the Remote Help installer has been removed. However, if needed, System administrators can create firewall rules.
Depending on the environment that Remote Help is utilized in, it may be necessary to create firewall rules to allow Remote Help through the Windows Defender Firewall. In situations where this is necessary, these are the Remote Help executables that should be allowed through the firewall:
- C:\Program Files\Remote help\RemoteHelp.exe
- C:\Program Files\Remote help\RHService.exe
- C:\Program Files\Remote help\RemoteHelpRDP.exe
8. Languages Supported
Remote Help is supported in the following languages:
- Czech
- Danish
- Dutch
- English
- Finnish
- French
- German
- Greek
- Hungarian
- Italian
- Japanese
- Korean
- Norwegian
- Polish
- Portuguese (Portugal)
- Romanian
- Russian
- Spanish
- Swedish
- Turkish
Note:
The Message function in Remote Help only supports single byte characters.
9. Known Issues
When setting a conditional access policy for apps Office 365 and Office 365 SharePoint Online with the grant set to Require device to be marked as compliant, if a user’s device is either unenrolled or non-compliant, then the Remote Help session won’t be established. If a conditional access policy is configured as described above and if the devices participating in the remote assistance session are unenrolled or non-compliant, the tenant will not be able to use Remote Help.