How to Enable Remote Assistance Using Group Policy

In this post I will show you how to enable Remote Assistance using group policy. We also allow access through the Windows Defender Firewall with Advanced Security using Group Policy.

We will also look at the steps turn on remote assistance on a server manually as well. This is applicable when you want to turn on remote assistance on a single machine.

However the easiest way to enable remote assistance on your domain computers is by using the group policy. We will enable Configure Offer Remote Assistance setting. This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.

If you enable this policy setting, users on their computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.

Most of all Remote Assistance is a Windows feature. To initiate the remote assistance, the user has to accept the request of the administrator. A machine cannot be remote controlled when no one is logged on.

With the help of Remote Assistance feature you can invite someone to connect to your computer. After he or she is connected, that person can view your computer screen and chat with you about what you both see.

With your permission, your helper can even use his or her own mouse and keyboard to control your computer and show you how to fix a problem.

The Remote Assistance feature will not work in cases when the outbound traffic from port 3389 is blocked.

On a Windows Server, the remote assistance feature isn’t enabled by default. Hence you have enable the feature manually before using it.

Remote assistance can also be used with Configuration Manager. Read Remote Assistance feature in SCCM guide for more details.

Remote Assistance Firewall Requirements

If you enable Configure Offer Remote Assistance setting, you should also enable firewall exceptions to allow Remote Assistance communications.

The firewall exceptions required to Offer (Unsolicited) Remote Assistance on Windows 10 include.

Enable the Remote Assistance exception for the domain profile. The exception must contain:
Port 135:TCP
%WINDIR%\System32\msra.exe
%WINDIR%\System32\raserver.exe

Let’s look at the steps to enable Remote Assistance using group policy

How to Enable Remote Assistance using Group Policy

To enable remote assistance using group policy.

  • Login to a Domain controller or member server installed with Group Policy Management console.
  • Launch the Group Policy Management console.
  • You can either edit an existing Group Policy object or create a new one using the Group Policy Management Tool.
  • Expand the Computer Configuration/Policies/Administrative Templates/System/Remote Assistance node.
  • Enable Configure Offer Remote Assistance setting.

Alright let’s do this step by step. I would recommend creating a new group policy to configure remote assistance. Do not edit the default policy because it is not the recommended method.

Before you apply this policy, test the policy on a separate OU and then plan your GPO deployment accordingly. Since I am configuring the policy in my lab, I am applying it on a domain level.

In the Group Policy Management console, right click your domain and click Create a GPO in this domain and link it here.

Create a Group Policy to Enable Remote Assistance
Create a Group Policy to Enable Remote Assistance

Specify a name to the group policy such as Enable Remote Assistance. Click OK.

Create a Group Policy to Enable Remote Assistance
Create a Group Policy to Enable Remote Assistance

Go to Computer Configuration/Policies/Administrative Templates/System/Remote Assistance node. Right click Configure Offer Remote Assistance setting and click Edit.

Edit Configure Offer Remote Assistance Policy
Edit Configure Offer Remote Assistance Policy

On the Configure Offer Remote Assistance window, click Enabled. This enables the policy.

You must permit remote control of the computer. So from the drop-down, select Allow helpers to remotely control the computer.

Next to helpers, click Show button.

Edit Configure Offer Remote Assistance Policy
Edit Configure Offer Remote Assistance Policy

You can enter the names of the helpers. Add each user or group one by one. While adding helpers user or groups, use the following format.

  • <Domain Name>\<User Name>
  • <Domain Name>\<Group Name>

Click OK.

Allow Helpers to remotely control the computers
Allow Helpers to remotely control the computers

Close the GPMC editor.

Remote Assistance – Windows Defender Firewall Exception

In this step we will allow Remote Assistance access through the Windows Firewall using Group Policy. Again, you can create a new policy or edit the existing remote assistance policy.

I am editing the same policy that we just created in the above step. In the GPMC editor, go to Computer Configuration/Policies/Windows Settings. Expand Security Settings/Windows Defender Firewall with Advanced Security/Windows Defender Firewall with Advanced Security.

Right click Inbound Rules and click New Rule.

Add an Inbound Rule for Remote Assistance
Add an Inbound Rule for Remote Assistance

Under the Rule Type, select Port. Click Next.

Port Rule
Port Rule

On the Protocol and Ports window, select TCP and enter the port number 135. Click Next.

TCP 135
TCP 135

Select Allow the connection. Click Next.

Allow the Connection through Firewall
Allow the Connection through Firewall

Choose the profile to which the rule applies to. Click Next.

Windows Firewall Profile
Windows Firewall Profile

Finally specify a name to the firewall rule and click Finish.

Remote Assistance - Windows Defender Firewall Exception
Remote Assistance – Windows Defender Firewall Exception

Verify if Remote Assistance has been enabled or not

All you need to do now is wait for the policy to get applied on to your client computers. If the policy has been applied, you will notice the remote assistance feature is enabled.

Let’s check if the remote assistance has been enabled on our client computer. Login to the client computer and run the command systempropertiesremote.exe.

In the System Properties window, under Remote tab look for Remote Assistance. The Allow Remote Assistance connection to this computer box is enabled.

How to Enable Remote Assistance using Group Policy Snap12

In addition, let’s verify the firewall policy has been applied or not. On the client computer, run the command prompt as administrator. Run the command gpresult /r and notice the Remote Assistance policy under Computer Settings.

Group Policy Remote Assistance
Group Policy Remote Assistance

Enable Remote Assistance feature on Windows Server

As mentioned earlier, on a Windows Server does not have remote assistance feature enabled. Therefore you need to enable this feature.

Open the Server Manager, click on Manage, click Add Roles and Features. Select Role based or feature based installation. Click Next.

Add new role or feature to Windows Server
Add new role or feature to Windows Server

Click Next.

Windows Server Manager Roles
Windows Server Manager Roles

From the list of features, select Remote Assistance. Click Next.

Enable Remote Assistance on Windows Server
Enable Remote Assistance on Windows Server

On the Confirmation window, click Install.

Enable Remote Assistance on Windows Server
Enable Remote Assistance on Windows Server

The remote assistance feature installation is complete. Click Close.

Role Installation progress
Role Installation progress

Need Assistance?

Send us a message or post your question in forums.

2 thoughts on “How to Enable Remote Assistance Using Group Policy”

  1. Hi
    We are running Windows 10 Pro and have a few machines which are missing the local group “Offer Remote Assistance Helpers”. They got the GPO applied, but we can’t access it because of missing rights and it makes sense when the local group are missing, where the security group with the helper-members should be added to.

    Does anyone know why the local group “Offer Remote Assistance Helpers” are missing on the machines ?

    Reply
  2. Hi,

    Do you have a way to configure Offer Remote Assistance for devices which are Azure AD Joined & Intune managed?

    Thanks,
    Ronan

    Reply

Leave a Comment