In this article, we’ll walk you through the steps to enable and configure Intune Remote help feature in Endpoint Manager. The Remote Help is a new feature in Intune to remotely assist mobile devices managed by Microsoft Endpoint Manager.
The goal of this article is to make it easy for you to understand about the Intune remote help solution offered by Microsoft and how to use it. Let’s explore the Intune Remote Help solution in detail.
The Remote Help is a premium add-on application that works with Intune. You can buy the remote help licenses from Microsoft 365 admin center. When Microsoft introduced Remote Help solution in Intune, it was a Preview feature with a (preview) tag in MEM portal. The good news is Remote Help feature is now generally available in Intune.
In the past, Microsoft announced TeamViewer as remote assistance solution in Intune. The TeamViewer service allows Intune managed PC users to get remote assistance help from their IT admins. When you try the Remote help feature in Intune, you are definitely going to prefer it over the Team Viewer Solution.
To make it easier, similar to what Microsoft does, let’s use these two terms while we learn about the new remote help feature in Intune.
- Helper: The helper is the IT Support Personnel (also known as support staff). The helper is responsible for providing support to a remote user.
- Sharer: The remote user who requires IT assistance and is willing to share the session with Helper via Remote help app.
Table of Contents
What is Remote Help in Intune?
According to Microsoft, Remote Help is an premium add-on that works with Intune and enables your front-line workers to get assistance when needed over a remote connection. Your support staff can remotely connect to the user’s device using the Intune remote help app. Once the connection is successful, a secure session is established between the connected devices.
It’s through your Azure Active Directory (Azure AD) that the proper trusts are established for the remote help sessions. During the remote help session, the IT personnel can view device’s display and can also take full control (if permitted by device user). Your support staff can either view the display and suggest the changes or take full control to directly make configurations or take actions on the device.
Remote help uses Intune role-based access controls (RBAC) to set the level of access a helper is allowed. Through RBAC, you determine which users can provide help and the level of help they can provide.
The remote help app is available on Microsoft to install on both devices enrolled with Intune and devices that aren’t enrolled. The app can also be deployed through Intune to your managed devices.
Prerequisites for using Remote Help in Intune
To use the Intune Remote help solution, the following prerequisites are required:
- Intune Subscription: The remote help is a feature of Intune, a valid Intune subscription is required.
- Intune Remote Help License: Remote help add-on license for all IT support workers (helpers) and users
- Support for Windows 10/11 devices: Only Windows 10 and Windows 11 devices are supported for remote help.
- Remote help application: Remote help is available as download from Microsoft and must be installed on each device before that device can be used to participate in a remote help session.
- Permissions to use Remote Help: This is discussed under the topic “Configure RBAC Permissions for Remote Help Solution”.
Advantages of using Remote Help Solution
- Integration with Endpoint Manager: Remote help is integrated into Endpoint Manager for both cloud and co-managed endpoints that eases adoption, administration.
- Supports Multiple Devices: The remote help solution supports enrolled and unmanaged devices, Windows 365 Cloud PC and Azure Virtual Desktops.
- RBAC Permission: Permission based controls scoped for IT helpdesk roles, department, and geography
- Integration with Azure Active Directory: The Azure Active Directory (AAD) Integration that enables user trust based on their corporate identity.
- Device Compliance Checks: Device compliance checks prior to securing the connection mitigates risk and creates opportunities to proactively remediate vulnerabilities real-time, taking that burden away from employees.
Limitations of Remote Help Solution in Intune
The Remote help solution available in Intune has the following limitations:
- Remote help is not supported on GCC, GCC High or DoD Tenants.
- You cannot establish a remote help session from one tenant to a different tenant. The remote help will work only on the devices that are part of same tenant.
- The Intune Remote Help solution may not be available in all markets or localizations.
Firewall Requirements for Intune Remote Help
The table below lists all the firewall requirements for Intune Remote app to work.
|*.support.services.microsoft.com||Primary endpoint used for the remote help application|
|*.resources.lync.com||Required for the Skype framework used by remote help|
|*.infra.lync.com||Required for the Skype framework used by remote help|
|*.latest-swx.cdn.skype.com||Required for the Skype framework used by remote help|
|*.login.microsoftonline.com||Required for logging in to the application (AAD). Might not be available in preview in all markets or for all localizations.|
|*.channelwebsdks.azureedge.net||Used for chat services within remote help|
|*.aria.microsoft.com||Used for accessibility features within the app|
|*.api.support.microsoft.com||API access for remote help|
|*.vortex.data.microsoft.com||Used for diagnostic data|
|*.channelservices.microsoft.com||Required for chat services within remote help|
Note: Remote help communicates over port 443 (HTTPS) and connects to the Remote Assistance Service at
https://remoteassistance.support.services.microsoft.com by using the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2.
Intune Remote Help Cost and Pricing
The price for the remote help add-on from Microsoft is $3.50 per user per month. Licenses for Premium add-ons can be purchased from Microsoft 365 Admin Center, Microsoft Volume License Servicing Center (VLSC) or from Microsoft partners/resellers.
Microsoft allows for a free trial of Remote Help by giving you a 90-day period to use the Premium add-on capability without any charge. Trials can be up to 250 users per tenant. At the end of the trial period, there’s a 30-day grace period. After the trial period ends, you must purchase the licenses for Remote Help add-on.
Enable Remote Help for your Intune Tenant
Enabling remote help allows users on enrolled devices to get assistance via the remote help app. The steps to enable the remote help feature for your Intune tenant are as follows:
- Sign in to Microsoft Endpoint Manager admin center.
- Go to Tenant administration > Connectors and tokens > Remote help (preview).
- On the Settings tab: Set Enable remote help to Enabled to allow use of Intune remote help.
- Select Save to apply the settings.
There is another option called “Allow remote help to unenrolled devices”. Enabling this option allows users to receive help on devices that are not enrolled in MEM.
Configure Remote Help RBAC Permissions
To be able to use Remote help solution, you will need to be assigned the proper permissions. You can use the built-in role or create custom RBAC Intune roles to grant only the remote tasks and remote help app permissions that you want different groups of users to have.
The following Intune RBAC permissions manage use of the remote help app:
- Take Full Control – Yes or No. This is the highest level of permissions that a remote help user can have. Full control enables a helper to directly make configurations or take actions on the device.
- Elevation – Yes or No. Allows helper to interact with the UAC prompt on end-user’s device.
- View Screen – Yes or No. A remote help app user who has view screen permissions is allowed to only view the screen.
Create custom RBAC Remote Help Roles
If you want to create custom roles to grant only the remote tasks and remote help app permissions for users or groups, here are my suggestions. You can create 3 roles for remote help app and assign the permissions accordingly.
- Remote Help – Full Control
- Remote Help – Elevation
- Remote Help – View Screen
If you are still testing the remote help feature, you can use the built-in “Help Desk Operator” role in Intune. The Help Desk Operator role sets all of these permissions to Yes.
From the below screenshot, you can see that the Help Desk Operator role has all the permissions – Elevation, View Screen and Take full control.
Create Custom Roles for Remote Help in Intune
You can create a custom Intune role for remote help users with following steps:
- Sign in to Microsoft Endpoint Manager admin center.
- Go to Tenant administration > Roles.
- To create a new custom role, select Create.
As an example, I will create a new custom role that allows users to have full control while using remote help app.
On the Add Custom Role > Basics tab, specify the name of the role as Remote Help – Full Control. Add a nice description and click Next.
On the Permissions tab, from the list of permissions, select Remote help app. Configure the following permissions.
- Elevation: Yes
- View Screen: Yes
- Take Full control: Yes
On the Scope tags section, select the scope tags. You can use scope tags to make sure that the right admins have the right access and visibility to the right Intune objects. The default scope tag is automatically added to all untagged objects that support scope tags. Click Next.
On the Review+Create tab, review the permissions and select Create. This completes the steps to create custom roles for Intune remote help app.
Using the same procedure described above, you can create 2 new roles, Remote Help – Elevation and Remote Help – View Screen by assigning proper permissions.
I’ve chosen to create 3 unique roles for each of those permissions. See below screenshot.
Download and Install Microsoft Remote Help App
Remote help must be installed on each device before that device can be used to participate in a remote help session. You can download the latest version of remote help directly from Microsoft at aka.ms/downloadremotehelp. Save the RemoteHelpinstaller.exe, and we will now install it.
To install remote help app, double-click the RemoteHelpInstaller.exe file. On the Remote help welcome screen, select I accept the Microsoft License Terms and click Install.
The remote help app installation is in progress.
The Intune Remote help app is now installed.
How to use Remote Help App in Intune
The usage of the Remote help app is split into two scenarios:
- Give Help – You provide the help via the remote app
- Get Help – You require assistance from the IT
To launch the remote help app, click Start > Type “Remote Help” in search box, select Remote Help app.
On the login screen, sign in with your Microsoft organizational account.
Before you start to use the remote help app, you will have to accept the following terms.
To use this app, we’ll need to share some information about you with the person you’re helping or receiving help from. This information is used to verify your identity.
We may share the following information:
- First and last name
- First name and first initial of last name
- Email address
- Profile picture
- Company name (if applicable)
- Company domain (if applicable)
- Job title
We recommend closing any unnecessary apps and files you don’t want the other person to see. If you have read the terms, click Accept.
After you successfully sign in to remote help app with your organizational account, you have 2 options.
- Get Help – The Get Help allows someone you trust to take control of your device and provide assistance.
- Give help – You help someone who is remote to solve a problem.
Let’s select Give Help. Click Get a security code.
Remote help generates a security code that you’ll share with the person who has requested assistance.
The sharer has to enter this code in their instance of remote help to establish a connection to your remote help instance.
By default, the security code expires in 10 minutes after you generate it. In case the security code is expired, you can generate a new code.
Once you share the security code to the sharer, the user must launch the Remote Help app and enter the same code and hit Submit button.
The remote help app now verifies the security code and initiates the connection. The following information is displayed to the helper who is ready to help the remote user.
The remote user is ready for your help. We recommend requesting screen sharing if you don’t need to control the device.
There are two options to choose from:
- Take full control
- View screen
Depending upon the requirement, select one option. For example, let’s test the full control option.
The user at the other end (Sharer) receives the following message.
Remote user is asking for full control of your device. Remember to close anything you don’t want to see them.
The remote user can now Allow or Decline the full control. Assume that user clicks Allow button.
The below screenshot shows the remote help in action. The support staff has full control over the remote computer and provide further assistance.
After the issues are resolved, or at any time during the session, both the sharer or helper can end the session.
To end the session, select Leave in the upper-right corner of the remote help app. Upon the end of a session, the sharer is automatically signed out of their device as a security precaution to ensure all connections between the devices close.
Monitor Remote Help Sessions in Intune
You can monitor the use of remote help from within Microsoft Endpoint Manager (Intune).
- Sign in to the Microsoft Endpoint Manager admin center.
- Go to Tenant administration > Connectors and tokens > Remote help (preview).
- On the Monitor tab, you’ll see a count of active sessions and historical data about past sessions.
On the Remote help sessions tab, you’ll see the records of past sessions, including:
- Provider ID – The helper ID of each session.
- Recipient ID – The recipient ID of each session.
- Recipient First Name – First name of the recipient.
- Recipient Last Name – Last name of the recipient.
- Device Name – The hostname of the device.
- OS – Operating System Details of the Device.
- Session Start – The Time when the Remote Help Session Started.
- Session End – The Time when the Remote Help Session Ended.
Intune Remote Help App Log files for Troubleshooting
When you use the remote help app, the remote help logs data during installation and during remote help sessions can be of use when investigating issues with the app.
When you install the remote help app or uninstall it, the following two logs are created in the device user’s Temp folder. Every user account has the temp folder created in the following location – C:\Users\username\AppData\Local\Temp
The * in the log file name represents a date and time stamp of when the log was created.
The below two log files can be used for troubleshooting issues with Intune remote help app.
Operational logs – During the use of Intune remote help app, operational details are logged in the Windows Event Viewer. The path of operational logs for Intune remote help app is Event Viewer > Application and Services > Microsoft > Windows > RemoteHelp.