Enable and Configure Intune Remote Help Solution

In this article, we’ll walk you through the steps to enable and configure Intune Remote help feature in Endpoint Manager. The Remote Help is a new feature in Intune to remotely assist mobile devices managed by Microsoft Endpoint Manager.

The goal of this article is to make it easy for you to understand about the Intune remote help solution offered by Microsoft and how to use it. Let’s explore the Intune Remote Help solution in detail.

The Remote Help is a premium add-on application that works with Intune. You can buy the remote help licenses from Microsoft 365 admin center. When Microsoft introduced Remote Help solution in Intune, it was a Preview feature with a (preview) tag in MEM portal. The good news is Remote Help feature is now generally available in Intune.

In the past, Microsoft announced TeamViewer as remote assistance solution in Intune. The TeamViewer service allows Intune managed PC users to get remote assistance help from their IT admins. When you try the Remote help feature in Intune, you are definitely going to prefer it over the Team Viewer Solution.

To make it easier, similar to what Microsoft does, let’s use these two terms while we learn about the new remote help feature in Intune.

  • Helper: The helper is the IT Support Personnel (also known as support staff). The helper is responsible for providing support to a remote user.
  • Sharer: The remote user who requires IT assistance and is willing to share the session with Helper via Remote help app.

What is Remote Help in Intune?

According to Microsoft, Remote Help is an premium add-on that works with Intune and enables your front-line workers to get assistance when needed over a remote connection. Your support staff can remotely connect to the user’s device using the Intune remote help app. Once the connection is successful, a secure session is established between the connected devices.

It’s through your Azure Active Directory (Azure AD) that the proper trusts are established for the remote help sessions. During the remote help session, the IT personnel can view device’s display and can also take full control (if permitted by device user). Your support staff can either view the display and suggest the changes or take full control to directly make configurations or take actions on the device.

Remote help uses Intune role-based access controls (RBAC) to set the level of access a helper is allowed. Through RBAC, you determine which users can provide help and the level of help they can provide.

The remote help app is available on Microsoft to install on both devices enrolled with Intune and devices that aren’t enrolled. The app can also be deployed through Intune to your managed devices.

Prerequisites for using Remote Help in Intune

To use the Intune Remote help solution, the following prerequisites are required:

  • Intune Subscription: The remote help is a feature of Intune, a valid Intune subscription is required.
  • Intune Remote Help License: Remote help add-on license for all IT support workers (helpers) and users
  • Support for Windows 10/11 devices: Only Windows 10 and Windows 11 devices are supported for remote help.
  • Remote help application: Remote help is available as download from Microsoft and must be installed on each device before that device can be used to participate in a remote help session.
  • Permissions to use Remote Help: This is discussed under the topic “Configure RBAC Permissions for Remote Help Solution”.

Advantages of using Remote Help Solution

  1. Integration with Endpoint Manager: Remote help is integrated into Endpoint Manager for both cloud and co-managed endpoints that eases adoption, administration.
  2. Supports Multiple Devices: The remote help solution supports enrolled and unmanaged devices, Windows 365 Cloud PC and Azure Virtual Desktops.
  3. RBAC Permission: Permission based controls scoped for IT helpdesk roles, department, and geography
  4. Integration with Azure Active Directory: The Azure Active Directory (AAD) Integration that enables user trust based on their corporate identity.
  5. Device Compliance Checks: Device compliance checks prior to securing the connection mitigates risk and creates opportunities to proactively remediate vulnerabilities real-time, taking that burden away from employees.

Limitations of Remote Help Solution in Intune

The Remote help solution available in Intune has the following limitations:

  1. Remote help is not supported on GCC, GCC High or DoD Tenants.
  2. You cannot establish a remote help session from one tenant to a different tenant. The remote help will work only on the devices that are part of same tenant.
  3. The Intune Remote Help solution may not be available in all markets or localizations.

Firewall Requirements for Intune Remote Help

The table below lists all the firewall requirements for Intune Remote app to work.

Domain/NameDescription
*.support.services.microsoft.comPrimary endpoint used for the remote help application
*.resources.lync.comRequired for the Skype framework used by remote help
*.infra.lync.comRequired for the Skype framework used by remote help
*.latest-swx.cdn.skype.comRequired for the Skype framework used by remote help
*.login.microsoftonline.comRequired for logging in to the application (AAD). Might not be available in preview in all markets or for all localizations.
*.channelwebsdks.azureedge.netUsed for chat services within remote help
*.aria.microsoft.comUsed for accessibility features within the app
*.api.support.microsoft.comAPI access for remote help
*.vortex.data.microsoft.comUsed for diagnostic data
*.channelservices.microsoft.comRequired for chat services within remote help
Firewall Requirements for Intune Remote Help

Note: Remote help communicates over port 443 (HTTPS) and connects to the Remote Assistance Service at https://remoteassistance.support.services.microsoft.com by using the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2.

Intune Remote Help Cost and Pricing

The price for the remote help add-on from Microsoft is $3.50 per user per month. Licenses for Premium add-ons can be purchased from Microsoft 365 Admin Center, Microsoft Volume License Servicing Center (VLSC) or from Microsoft partners/resellers.

Microsoft allows for a free trial of Remote Help by giving you a 90-day period to use the Premium add-on capability without any charge. Trials can be up to 250 users per tenant. At the end of the trial period, there’s a 30-day grace period. After the trial period ends, you must purchase the licenses for Remote Help add-on.

Enable Remote Help for your Intune Tenant

Enabling remote help allows users on enrolled devices to get assistance via the remote help app. The steps to enable the remote help feature for your Intune tenant are as follows:

  • Sign in to Microsoft Endpoint Manager admin center.
  • Go to Tenant administration > Connectors and tokens > Remote help (preview).
  • On the Settings tab: Set Enable remote help to Enabled to allow use of Intune remote help.
  • Select Save to apply the settings.
Enable Remote Help for your Intune Tenant
Enable Remote Help for your Intune Tenant

There is another option called “Allow remote help to unenrolled devices”. Enabling this option allows users to receive help on devices that are not enrolled in MEM.

Configure Remote Help RBAC Permissions

To be able to use Remote help solution, you will need to be assigned the proper permissions. You can use the built-in role or create custom RBAC Intune roles to grant only the remote tasks and remote help app permissions that you want different groups of users to have.

The following Intune RBAC permissions manage use of the remote help app:

  1. Take Full Control – Yes or No. This is the highest level of permissions that a remote help user can have. Full control enables a helper to directly make configurations or take actions on the device.
  2. Elevation – Yes or No. Allows helper to interact with the UAC prompt on end-user’s device.
  3. View Screen – Yes or No. A remote help app user who has view screen permissions is allowed to only view the screen.

Create custom RBAC Remote Help Roles

If you want to create custom roles to grant only the remote tasks and remote help app permissions for users or groups, here are my suggestions. You can create 3 roles for remote help app and assign the permissions accordingly.

  1. Remote Help – Full Control
  2. Remote Help – Elevation
  3. Remote Help – View Screen

If you are still testing the remote help feature, you can use the built-in “Help Desk Operator” role in Intune. The Help Desk Operator role sets all of these permissions to Yes.

From the below screenshot, you can see that the Help Desk Operator role has all the permissions – Elevation, View Screen and Take full control.

Configure RBAC Permissions for Remote Help Solution
Configure RBAC Permissions for Remote Help Solution

Create Custom Roles for Remote Help in Intune

You can create a custom Intune role for remote help users with following steps:

  • Sign in to Microsoft Endpoint Manager admin center.
  • Go to Tenant administration > Roles.
  • To create a new custom role, select Create.
Create Custom Roles for Intune Remote Help
Create Custom Roles for Intune Remote Help

As an example, I will create a new custom role that allows users to have full control while using remote help app.

On the Add Custom Role > Basics tab, specify the name of the role as Remote Help – Full Control. Add a nice description and click Next.

Specify the Role Name and Description
Specify the Role Name and Description

On the Permissions tab, from the list of permissions, select Remote help app. Configure the following permissions.

  • Elevation: Yes
  • View Screen: Yes
  • Take Full control: Yes

Click Next.

Specify permissions for Intune Remote Help
Specify permissions for Intune Remote Help

On the Scope tags section, select the scope tags. You can use scope tags to make sure that the right admins have the right access and visibility to the right Intune objects. The default scope tag is automatically added to all untagged objects that support scope tags. Click Next.

Custom Role - Scope Tags
Custom Role – Scope Tags

On the Review+Create tab, review the permissions and select Create. This completes the steps to create custom roles for Intune remote help app.

Create Custom Roles for Intune Remote Help
Create Custom Roles for Intune Remote Help

Using the same procedure described above, you can create 2 new roles, Remote Help – Elevation and Remote Help – View Screen by assigning proper permissions.

I’ve chosen to create 3 unique roles for each of those permissions. See below screenshot.

Custom Roles for Intune Remote Help
Custom Roles for Intune Remote Help

Download and Install Microsoft Remote Help App

Remote help must be installed on each device before that device can be used to participate in a remote help session. You can download the latest version of remote help directly from Microsoft at aka.ms/downloadremotehelp. Save the RemoteHelpinstaller.exe, and we will now install it.

To install remote help app, double-click the RemoteHelpInstaller.exe file. On the Remote help welcome screen, select I accept the Microsoft License Terms and click Install.

Install Microsoft Remote Help App
Install Microsoft Remote Help App

The remote help app installation is in progress.

Install Remote Help App
Install Remote Help App

The Intune Remote help app is now installed.

Launch Remote Help App
Launch Remote Help App

How to use Remote Help App in Intune

The usage of the Remote help app is split into two scenarios:

  • Give Help – You provide the help via the remote app
  • Get Help – You require assistance from the IT

To launch the remote help app, click Start > Type “Remote Help” in search box, select Remote Help app.

On the login screen, sign in with your Microsoft organizational account.

Intune Remote Help Sign-in
Intune Remote Help Sign-in

Before you start to use the remote help app, you will have to accept the following terms.

To use this app, we’ll need to share some information about you with the person you’re helping or receiving help from. This information is used to verify your identity.

We may share the following information:

  • First and last name
  • First name and first initial of last name
  • Email address
  • Profile picture
  • Company name (if applicable)
  • Company domain (if applicable)
  • Job title

We recommend closing any unnecessary apps and files you don’t want the other person to see. If you have read the terms, click Accept.

Remote Help App - Privacy
Remote Help App – Privacy

After you successfully sign in to remote help app with your organizational account, you have 2 options.

  1. Get Help – The Get Help allows someone you trust to take control of your device and provide assistance.
  2. Give help – You help someone who is remote to solve a problem.

Let’s select Give Help. Click Get a security code.

How to use Remote Help App
How to use Remote Help App

Remote help generates a security code that you’ll share with the person who has requested assistance.

The sharer has to enter this code in their instance of remote help to establish a connection to your remote help instance.

By default, the security code expires in 10 minutes after you generate it. In case the security code is expired, you can generate a new code.

Provide Help with Intune Remote Help App
Provide Help with Intune Remote Help App

Once you share the security code to the sharer, the user must launch the Remote Help app and enter the same code and hit Submit button.

How to use Intune Remote Help App
How to use Intune Remote Help App

The remote help app now verifies the security code and initiates the connection. The following information is displayed to the helper who is ready to help the remote user.

The remote user is ready for your help. We recommend requesting screen sharing if you don’t need to control the device.

There are two options to choose from:

  • Take full control
  • View screen

Depending upon the requirement, select one option. For example, let’s test the full control option.

How to use Intune Remote Help App
How to use Intune Remote Help App

The user at the other end (Sharer) receives the following message.

Remote user is asking for full control of your device. Remember to close anything you don’t want to see them.

The remote user can now Allow or Decline the full control. Assume that user clicks Allow button.

How to use Intune Remote Help App
How to use Intune Remote Help App

The below screenshot shows the remote help in action. The support staff has full control over the remote computer and provide further assistance.

After the issues are resolved, or at any time during the session, both the sharer or helper can end the session.

To end the session, select Leave in the upper-right corner of the remote help app. Upon the end of a session, the sharer is automatically signed out of their device as a security precaution to ensure all connections between the devices close.

Remote App Assistance
Remote App Assistance

Monitor Remote Help Sessions in Intune

You can monitor the use of remote help from within Microsoft Endpoint Manager (Intune).

  • Sign in to the Microsoft Endpoint Manager admin center.
  • Go to Tenant administration > Connectors and tokens > Remote help (preview).
  • On the Monitor tab, you’ll see a count of active sessions and historical data about past sessions.
Monitor Remote Help Sessions in Intune
Monitor Remote Help Sessions in Intune

On the Remote help sessions tab, you’ll see the records of past sessions, including:

  • Provider ID – The helper ID of each session.
  • Recipient ID – The recipient ID of each session.
  • Recipient First Name – First name of the recipient.
  • Recipient Last Name – Last name of the recipient.
  • Device Name – The hostname of the device.
  • OS – Operating System Details of the Device.
  • Session Start – The Time when the Remote Help Session Started.
  • Session End – The Time when the Remote Help Session Ended.
Monitor Remote Help Sessions in Intune
Monitor Remote Help Sessions in Intune

Intune Remote Help App Log files for Troubleshooting

When you use the remote help app, the remote help logs data during installation and during remote help sessions can be of use when investigating issues with the app.

When you install the remote help app or uninstall it, the following two logs are created in the device user’s Temp folder. Every user account has the temp folder created in the following location – C:\Users\username\AppData\Local\Temp

The * in the log file name represents a date and time stamp of when the log was created.

The below two log files can be used for troubleshooting issues with Intune remote help app.

  • Remote_help_QuickAssist_Win10_x64.msi.log
  • Remote_help.log

Operational logs – During the use of Intune remote help app, operational details are logged in the Windows Event Viewer. The path of operational logs for Intune remote help app is Event Viewer > Application and Services > Microsoft > Windows > RemoteHelp.

3 thoughts on “Enable and Configure Intune Remote Help Solution”

  1. Hi,

    Is it possible to get below use cases with remote help.

    Can software provide connection to outside network?
    Can software can provide file transfer?
    Can software can record session
    Can software can reach out to Linux device

    Reply
  2. Great Article.
    I can see MS is leveraging Quick Assist for this.
    My question is why cant I just user Quick Assist which is already there and help users instead of the remote help?
    At this point in time, I am not concerned about RBAC perms.
    So basically the Remote Help app with Intune just allows to assign permissions where Quick Assist does not. Is that the only difference between the two?

    Reply

Leave a Comment