In this post I will show you how to enable Remote Assistance using group policy. We also allow access through the Windows Defender Firewall with Advanced Security using Group Policy.
We will also look at the steps turn on remote assistance on a server manually as well. This is applicable when you want to turn on remote assistance on a single machine.
However the easiest way to enable remote assistance on your domain computers is by using the group policy. We will enable Configure Offer Remote Assistance setting. This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.
If you enable this policy setting, users on their computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
Most of all Remote Assistance is a Windows feature. To initiate the remote assistance, the user has to accept the request of the administrator. A machine cannot be remote controlled when no one is logged on.
With the help of Remote Assistance feature you can invite someone to connect to your computer. After he or she is connected, that person can view your computer screen and chat with you about what you both see.
With your permission, your helper can even use his or her own mouse and keyboard to control your computer and show you how to fix a problem.
The Remote Assistance feature will not work in cases when the outbound traffic from port 3389 is blocked.
On a Windows Server, the remote assistance feature isn’t enabled by default. Hence you have enable the feature manually before using it.
Remote assistance can also be used with Configuration Manager. Read Remote Assistance feature in SCCM guide for more details.
Remote Assistance Firewall Requirements
If you enable Configure Offer Remote Assistance setting, you should also enable firewall exceptions to allow Remote Assistance communications.
The firewall exceptions required to Offer (Unsolicited) Remote Assistance on Windows 10 include.
Let’s look at the steps to enable Remote Assistance using group policy
How to Enable Remote Assistance using Group Policy
To enable remote assistance using group policy.
- Login to a Domain controller or member server installed with Group Policy Management console.
- Launch the Group Policy Management console.
- You can either edit an existing Group Policy object or create a new one using the Group Policy Management Tool.
- Expand the Computer Configuration/Policies/Administrative Templates/System/Remote Assistance node.
- Enable Configure Offer Remote Assistance setting.
Alright let’s do this step by step. I would recommend creating a new group policy to configure remote assistance. Do not edit the default policy because it is not the recommended method.
Before you apply this policy, test the policy on a separate OU and then plan your GPO deployment accordingly. Since I am configuring the policy in my lab, I am applying it on a domain level.
In the Group Policy Management console, right click your domain and click Create a GPO in this domain and link it here.
Specify a name to the group policy such as Enable Remote Assistance. Click OK.
Go to Computer Configuration/Policies/Administrative Templates/System/Remote Assistance node. Right click Configure Offer Remote Assistance setting and click Edit.
On the Configure Offer Remote Assistance window, click Enabled. This enables the policy.
You must permit remote control of the computer. So from the drop-down, select Allow helpers to remotely control the computer.
Next to helpers, click Show button.
You can enter the names of the helpers. Add each user or group one by one. While adding helpers user or groups, use the following format.
- <Domain Name>\<User Name>
- <Domain Name>\<Group Name>
Close the GPMC editor.
Remote Assistance – Windows Defender Firewall Exception
In this step we will allow Remote Assistance access through the Windows Firewall using Group Policy. Again, you can create a new policy or edit the existing remote assistance policy.
I am editing the same policy that we just created in the above step. In the GPMC editor, go to Computer Configuration/Policies/Windows Settings. Expand Security Settings/Windows Defender Firewall with Advanced Security/Windows Defender Firewall with Advanced Security.
Right click Inbound Rules and click New Rule.
Under the Rule Type, select Port. Click Next.
On the Protocol and Ports window, select TCP and enter the port number 135. Click Next.
Select Allow the connection. Click Next.
Choose the profile to which the rule applies to. Click Next.
Finally specify a name to the firewall rule and click Finish.
Verify if Remote Assistance has been enabled or not
All you need to do now is wait for the policy to get applied on to your client computers. If the policy has been applied, you will notice the remote assistance feature is enabled.
Let’s check if the remote assistance has been enabled on our client computer. Login to the client computer and run the command systempropertiesremote.exe.
In the System Properties window, under Remote tab look for Remote Assistance. The Allow Remote Assistance connection to this computer box is enabled.
In addition, let’s verify the firewall policy has been applied or not. On the client computer, run the command prompt as administrator. Run the command gpresult /r and notice the Remote Assistance policy under Computer Settings.
Enable Remote Assistance feature on Windows Server
As mentioned earlier, on a Windows Server does not have remote assistance feature enabled. Therefore you need to enable this feature.
Open the Server Manager, click on Manage, click Add Roles and Features. Select Role based or feature based installation. Click Next.
From the list of features, select Remote Assistance. Click Next.
On the Confirmation window, click Install.
The remote assistance feature installation is complete. Click Close.