Microsoft Technical Takeoff: Windows and Microsoft Intune
Oct 24 2022 07:00 AM - Oct 27 2022 12:00 PM (PDT)
Remote help: a new remote assistance tool from Microsoft
Published Nov 02 2021 08:00 AM 95.4K Views
Microsoft

Today we are announcing the plan to roll out the public preview of a new remote help capability in Microsoft Endpoint Manager.

March 2020 was the last time many people worked at their company's physical office buildings. The global pandemic began and the world of work changed overnight as organizations scrambled to try and keep their workforces productive and their businesses running. The pandemic reshaped the way we work as organizations struggled to support remote workers and had to quickly find solutions to help employees manage technical issues on their devices from afar rather than onsite.

To ensure helpdesks continue to improve their levels of support, we are pleased to announce the public preview of a new remote help capability in Microsoft Endpoint Manager. This new cloud-based remote assistance solution will empower helpdesks to more securely support users of Windows devices.

Eighteen months into the workforce changes brought by the pandemic, we continue to see increasing cybersecurity vulnerabilities, as the number of personal and company-owned devices continues to grow. We've also seen continued employee frustration when unresolved technical issues lower productivity and support is not simply onsite. Organizations need to ensure that their helpdesk associates can securely provide remote assistance to users, no matter where they are. Remote help allows helpdesk associates to view or control employees' Windows devices so they can quickly troubleshoot and resolve technical issues, wherever the employee is working from.

We have developed new advanced endpoint management capabilities to meet the need for secure, connected experiences for IT administrators, helpdesk associates and Windows users on enrolled and unenrolled devices. Specifically, we will introduce four new capabilities for remote help:

  • Role-based access control (RBAC) and permissions: to define who is authorized to support which user or groups of users.
  • Elevation: to help Administrators determine if helpdesk associates can use local administrative privileges to troubleshoot an employees' device, or if elevation of the task permissions is required.
  • Compliance warnings: to help protect the organization from security risks, alerts are displayed to the helpdesk associate if a device is out of compliance and may introduce a security risk to the organization.
  • Reporting: to identify recurring issues and potentially suspicious activity.

Enable remote help in the Microsoft Endpoint Manager console for enrolled and unenrolled devicesEnable remote help in the Microsoft Endpoint Manager console for enrolled and unenrolled devices

Just right, just-in-time permissions

When we release role-based access controls for remote help in Microsoft Endpoint Manager, administrators can set parameters and define the actions that may be taken during a remote help session based on the helpdesk associate's role. Permissions can be set by administrators in Microsoft Endpoint Manager to limit the sessions to view-only, allow the associate to take full control of a user's device, or have the right to enter administrative credentials to perform specific actions (known as elevation).

Configure remote help role permissionsConfigure remote help role permissions

The new remote help capabilities will also enable administrators to set up tiers of helpdesk associates, and then determine which tier of associates can help which group of users. For example, if an organization has three tiers of helpdesk support, with RBAC the administrator can assign view-only permissions to tier 1 support, tier 2 can have full control permissions, and tier 3 could have the permissions required to elevate using their alternate local administrator credentials on the end user's device. For larger organizations with more detailed requirements, the RBAC capabilities can be set based on additional group parameters such as department or user work groups. For example, IT administrators can limit the tier 1 helpdesk group to help all groups except the finance department.

Add a custom role from Endpoint ManagerAdd a custom role from Endpoint Manager

Another example of elevation is helping to install the right software or drivers remotely for an employees' enhanced work from home set-up. When employees moved to remote work, many added additional peripherals such as printers, wireless mice, or keyboards to help their productivity. However, many organizations have endpoint policies that require local administrator privileges to add software or drivers to corporate devices (to limit support costs, address app license liability or lower the risks of malware). When a user is blocked from adding software or peripherals to their work devices based on these policies, they need their helpdesk or IT assistance. With remote help, the helpdesk associate can be granted permission to elevate: enter their local administrator credentials during a connected session (even if the end user needing help doesn't have administrator rights) and install software or drivers remotely.

Admin sees User Access Control promptAdmin sees User Access Control prompt

Checkpoints and controls to establish trust

Microsoft Endpoint Manager also has features to establish trust between helpdesk associates and users. As a session is being established, there are multiple checkpoints to ensure that the helpdesk associate is connected to the correct user and vice versa. Users are able to verify that they are giving access to a trusted helpdesk associate by seeing more information about that associate, such as a picture, name, company, job title and domain. The checkpoint works in the opposite direction too, so helpdesk associates can see the profile of the user they are helping. This information helps the user verify that they are giving control to the intended helpdesk associate. At any point, the user or the helpdesk associate can end the session.

Initiating new remote help sessions is flexible and easy.

Sessions can be initiated from the new remote help Windows app. To establish a secure connection, the helpdesk associate generates a code from the app and shares the code with the user. The user is then prompted to grant permission to establish a secure connection with the helpdesk associate.

Verifying the identity of the help desk associate and Windows user establishes trustVerifying the identity of the help desk associate and Windows user establishes trust

A remote helpdesk session can also be initiated by a helpdesk associate or IT administrator with RBAC permissions in Endpoint Manager. This way, administrators can take immediate action to bring a device into compliance. For example, if the organization requires hard drives to be encrypted, they can establish a remote help session with the user and remotely enable BitLocker to encrypt the hard drive.

Start a remote assistance session from the device menu in the Microsoft Endpoint Manager consoleStart a remote assistance session from the device menu in the Microsoft Endpoint Manager console

Warnings and reports to discover key issues

To ensure caution when dealing with non-compliant devices, when a helpdesk associate initiates a connection to a device that is not compliant with the organizations' policies, the helpdesk associate will see a warning suggesting they proceed with caution. For the duration of the remote help session, there is also a banner that will remind the helpdesk associate to exercise caution.

To help with governance, administrators can run a report covering all the remote help sessions. Reports can be created and analyzed by which helpdesk worker helped which user, on which device, and when the session started and ended for a set time period, with all data retained for 30 days. For example, reports could show if there are multiple sessions on the same device, and thus a potential technical issue with the endpoint. Reports could also help track helpdesk usage or look for suspicious activity.

Public preview and beyond

Remote help in Microsoft Endpoint Manager offers helpdesks the controls and flexibility they need to provide secure and simple remote assistance for Windows users. In doing so, it helps keep employees productive and less frustrated as they continue to work from home, at least some of the time.

We will be rolling out the remote help functionality as a preview in Endpoint Manager in the coming weeks* so customers can try the feature and provide us with feedback. When we roll out this functionality for general availability early in 2022, we intend to offer remote help as an advanced endpoint management add-on at a price above the existing licensing options that include Microsoft Endpoint Manager or Microsoft Intune. More information will be forthcoming when we finalize our pricing plans.

Microsoft Endpoint Manager information banner about future licensing for remote helpMicrosoft Endpoint Manager information banner about future licensing for remote help

In the meantime, please join us to learn more about Endpoint Manager at Microsoft Ignite 2021. We're offering an on-demand technical session to help you learn more about remote help in Endpoint Manager.

You can also let us know about your Endpoint Manager and remote help for Windows experiences through comments on this blog post or reach out to @IntuneSuppTeam on Twitter. Tweet your feedback about Microsoft Endpoint using the hashtag #MEMpowered. If you're interested in ongoing developments on Endpoint Manager, we invite you to follow the Microsoft Endpoint Manager Blog and @MSIntune on Twitter.

*Remote help may not be available in all markets in the initial public preview.


We wanted to thank you all for your feedback during the early days of our initial preview. Based on your feedback, we will continue to work on improving experiences such as the elevation of privilege and will update this post and our documentation when material changes are introduced.

Update 11.29.2021: The rollout of the public preview* has started.  To learn more about how to try this experience, please see Remotely assist users that are authenticated by your organization.

Updated 12.14.2021: We updated the name of the installer on December 8, 2021 from remotehelp.exe to remotehelpinstaller.exe to resolve silent deployment issues and msi installation issues. While application functionality hasn't changed, we recommend visiting aka.ms/DownloadRemoteHelp to download the updated version.

 

 

84 Comments
Regular Visitor

"a premium above the existing price of licensing options" - Even for E5?
If so, that's a shame... maybe we'll be keeping MECM after all....

Occasional Contributor

Agree, this should not be a premium feature, it should have always been a part of Intune license!  Please tell me this is at least included in E5?

Occasional Contributor

dear Microsoft, you had only a simple task:

add QuickAssist to MEM.

 

and yet you manged to create another "premium" service...

🤦‍:male_sign:

Senior Member

Should be included in the regular Intune license. It's just a bit more advanced quick assist.

Senior Member

Thats crazy this is an additional license. This should just be included and just be baseline quick assist. 

 

Maybe if you put BOTH elevation and unattended access into it it could be a step up but even then its a hard pill to swallow when I can just use quick assist or even a Teams call to do basically the same thing.

Occasional Contributor

Bring it to existing MECM with CMG Infrastructures at NO ADDITIONAL COSTS. Thats the ONLY WAY you get the required ACCEPTANCE and CUSTOMER SATISFACTION!

 

Senior Member

I agree with the comments already.  Not sure why this would be charging unless you can do other things to the remote PC.  If this is just desktop sharing then both remote assistance (built into windows) and teams desktop sharing work just as well.

New Contributor

Another price tag? This should be included as part of Intune. 

Occasional Contributor

Many orgs I work with use Team Viewer today which is great. A built in version in Intune is good but think this needs to be included at a very low cost...Dont have an issue with it being extra price as many orgs will already be using and paying for something, but price needs to be very competitive to convince folk to move.

Occasional Visitor

We have remote control in MEMCM, it was in a technical preview for use with CMG and apparently it worked great according to some..

Remote control MEMCM-CMG Gone from all record stricken and gone, now this feature releases with a extra price tag.. nice :) 

well played M$ Well played

Senior Member

This should be included in the cost of Intune. At least for an E5 license, other than monitoring and reporting there is nothing special here.

Senior Member

I would recommend enabling Quick Assist (QA) in all your images and deployments.  Add the QA tile/link in a managed Start Menu for easy access.  Works great.

Occasional Contributor

This really needs to be included in the E/A3 and E/A5 license. We are a public school system and eating more licenses can't be done on the limited budget. We already pay hundreds of thousands. 

Occasional Contributor

Payola

Pay to play

 

 

Regular Visitor

I started using quick assist t3 CSS for SCCM way before it was the norm and every else was using logmein. Worked like a charm. Now it's permitted and used by everyone. What a joke.

Senior Member

What about remote help for mobile devices (Android/iOS)?

Occasional Visitor

I agree with RobQ_WIMVP, only small uplift to displace the user base from current remote user management tools. 

I guess customers without this type of solution in place, will be the first to move across.

Occasional Contributor

Should be included as part of the E5 license. Why move away from MECM remote takeover and pay the additional cost?

Occasional Contributor

*correction* Should be included as part of the E7 or perhaps E9 license. After all, this is so premium super magic enterprise feature.

New Contributor

Nice idea if it could work and help end-users using devices enrolled as Android Enterprise Dedicated, Fully-Managed and iOS (personal and corporate).

Most of our enrolled devices are mobile devices. 

Regular Contributor

This was exciting right up until the price aspect. We do use Teamviewer so maybe it could be worth.

Occasional Contributor

I would love it to be included, but I have a feeling existing providers would have a real problem with undercutting/monopoly if it was just given out. Still, I'll be watching this closely as deploying Teamviewer (non Enterprise) is a real pain, and having the solution already available would make it way easier to get out there.

Senior Member

Um... I would love to talk to the people who actually buy this.. There are many other third party products that do this WAY better that have way more features. Taking quick assist, integrating it into MEM and putting it behind CA isn't something that should be pay for, should simply exist within the product. Moving on..

Contributor

Microsoft must re-think about additional costs for this remote management, Quick assist can be incorporated with MEM.

MS may introduce the E7, E8 licenses for future releases with all these new features. :) Waiting for real-time price and combination of license logic from MS. 

New Contributor

We are very interested in testing this feature as soon as possible, our support engineers are currently using SCCM remote tools to connect the machines, but obviously not mobile devices, and only inside LAN/VPN: this missing features in actual platforms generates a "shadow" usage of other remote connection tecnologies that cover the grey area and we would like to eliminate in favor of a standard, secure and controlled platform.

Regular Visitor

What about taking remote control from/to a macOS?

Occasional Contributor

Yeah will it do macos as well? If not then I'll have to stick with what I'm already using because I need the cross platform. Also, lol that this comes with your hand out for more money at the same time you're already bumping the prices up 20% and some. Microsoft getting greeeeeedy.

Occasional Visitor

Another great feature that won't be used due to pricing. Microsoft love to price themselves out of their own products. It's baffling that it's not part of the E5 license.

Occasional Visitor

Would love to learn more about licensing. Does every user in the organization need a license, because they could potentially need help, or do you only license your helpdesk staff?

Regular Visitor

There are parts of Intune we find helpful, but many areas where Intune cannot compete or perform as well or with as many features as MECM, we would like this capability very much, but through the common interface of the Admin Console. 

New Contributor

So the plan is to charge extra for something that in reality should be standard within an enterprise. IMO, surely those on a certain licensing agreement level should have this as part of the standard offering. Otherwise it just seems like a cash grab and many organisations will simply go with other solutions. 

Senior Member

Hello, Once the remote help option is activated within Intune, how do you get the Remote Help application?
There are no explanations about it.
Thanks.

Occasional Visitor

We use Teamviewer for remote support in education, it would be nice if we could get this feature for free. Education being milked like crazy and any cost saving will be appreciated. but if that's not the case we will stick to Teamviewer.

Senior Member

Great feature but as others have said: The price tag makes undesirable for most companies.

 

Can you include it in the E3 at least? :stareyes:

New Contributor

"as an advanced endpoint management add-on at a price above the existing licensing options"

 

It's an important feature that should be included in Intune to begin with. If we are to cover your cost that is fine, but do not go greedy on this price. This is an expected feature of a MDM of the future, not a premium addon. It MUST compete with our current software used for this. Do not earn money on this specific feature but it's fine if some extra costs are to make up for the development - but we just had two Microsoft license cost increases.

 

I ask you to do an extra round with the billing team on this one

Occasional Visitor

Hello. We tried setting this up but after we try to start a session in Endpoint Manager and launched the remote help it goes to a blank page. What are we doing wrong? Also as asked before. Where can we find the app? It is not in the description. @Eugenie Burrage 

Occasional Contributor

REALLY want to use this option but without unattended access, this is not a complete solution.  Will wait until that is added before switching off of TeamViewer.

New Contributor

Unattended access is a must otherwise it is useless

New Contributor

When can we expect the Remote Help App and where do we get it from? @Eugenie Burrage 

Several comments about the app itself - it'll be downloadable from public docs, which will go live when it releases. We hope it'll be released soon, just a bit of final fit and finish underway right now. Look for docs shortly!

Occasional Contributor

@Intune_Support_Team @Eugenie Burrage I enabled it on my tenant, clicked the "Launch remote help " but only blank new tab is being opened (MS Edge latest version on Windows 11).

New Contributor

@giladkeidar @Srini Poluparthi 

 

   Documentation and remote help application can be downloaded from https://docs.microsoft.com/en-us/mem/intune/remote-actions/remote-help 

 

Well you were not able to provide link to the new remote assistance tool when published but even better the version available (3.8.0.6) can not be deployed silently either with Intune or SCCM; the /quiet or /passive parameters seems to have no action, the tool does not install whatsoever

Also you should provide the link to download the tool directly in the Intune portal either from the Remote Help blade from the Tenant admin or when opening the blade to start a remote session from the device details

Occasional Contributor

my first impression of that tool:

the layout is #%$&%#$&

(locale pl_PL)

RafaFitt_0-1637825315527.png

 

Regular Visitor

How do I install silent remotehelp.exe because there comes a screen that says "are you sure you want to stop the installation"

Occasional Contributor

Remote Help enabled MEM

RBAC configured to allow Remote tasks for test users

Downloaded and installed Remote Help app on my device and also target device.

Worked well, generated a code, entered code on target device, was then able to take full control after the user granted permission.

Only issue I have found is that when I disconnect the remote session, the target device signs the user out of Windows.

New Contributor

@nlmitchell this is normal behavior. please check -> https://docs.microsoft.com/en-us/mem/intune/remote-actions/remote-help#provide-help 

Plan to have the sharer save any active work before a remote help session ends to avoid an unexpected loss of work. This is because when a remote help session ends where a helper that has the Elevation permission set to Yes also uses Full control, the sharer is signed out of their device to ensure any elevated permissions are cleared from the device.

"

 

 

 

Occasional Contributor

@Erik_Schuiling thanks for confirming that. I feel that that particular behaviour coupled with the fact there are additional costs for this functionality would both be major blockers for our organisation using Remote Help rather than MECM Remote Takeover moving forward

Occasional Contributor

In one MVP blog I found

    remotehelp.exe /install /quiet /acceptTerms=yes

but even this doesn't work and interactively running the install always ask the question if I want to terminate the install in the middle of install ?!??
... as already mentioned before ...

The official docs still referring to 3.8.0.6 exe installer which brings RemoteHelp.exe 10.0.10011.16384 file version in program files directory

Doesn't look promising.
and of course missing Android and iOS apps

New Contributor

In addition to what the other members noticed above (issue with silent install and automatic log off after the elevated remote session), we noticed that when the sharer tries to close the Remote Help app during the remote session the warning message says "Close Quick Assist" rather than saying "Close Remote Help". Its no biggie..but you would want to let the user know that they are finishing a Remote Help session, not a Quick Assist session.

 

SriniPoluparthi_0-1637881149359.png

 

 

Co-Authors
Version history
Last update:
‎Dec 14 2021 04:50 PM
Updated by: