How to Configure Intune Remote Help: A Step-by-Step Guide 📖
This article is a step-by-step guide to enable and configure Intune remote help. Remote Help is a paid add-on that works with Intune and lets your information and front-line workers get help over a remote connection when they need it.
Once the remote help connection is initiated, your support staff can remotely connect to the user’s device. During the session, they can view the device’s display and, if permitted by the device user, take full control. Full control enables a helper to directly make configurations or take actions on the device.
Remote Help is a premium add-on application that works with Microsoft Intune. You can buy the remote help licenses from the Microsoft 365 admin center. When Microsoft introduced the Remote Help solution in Intune, it was a preview feature with a “preview” tag in the Intune portal. The good news is that the Remote Help feature is now generally available in Intune.
Table of Contents
What is Remote Help in Intune?
According to Microsoft, Remote Help is a premium add-on that works with Intune and enables your front-line workers to get assistance when needed over a remote connection. Your support staff can remotely connect to the user’s device using the Intune remote help app. Once the connection is successful, a secure session is established between the connected devices.
It’s through your Azure Active Directory (Azure AD) that the proper trusts are established for the remote help sessions. During the remote help session, the IT personnel can view device’s display and can also take full control (if permitted by device user). Your support staff can either view the display and suggest the changes or take full control to directly make configurations or take actions on the device.
Remote help uses Intune role-based access controls (RBAC) to set the level of access a helper is allowed. Through RBAC, you determine which users can provide help and the level of help they can provide.
The remote help app is available on Microsoft to install on both devices enrolled with Intune and devices that aren’t enrolled. The app can also be deployed through Intune to your managed devices.
Intune Remote Help vs TeamViewer in Intune
In the past, Microsoft announced TeamViewer as remote assistance solution in Intune. Through the TeamViewer service, Intune managed PC users can connect remotely to their IT administrators for assistance. When you try the Remote Help feature in Intune, you are definitely going to prefer it over the Team Viewer Solution.
Coming to the pricing, the TeamViewer solution cost slightly lesser than Remote help solution. Both the solutions are reliable and offer a good experience when providing remote assistance to devices.
Remote Help: Helper vs Sharer
To make it easier, similar to what Microsoft does, let’s use these two terms while we learn about the new remote help feature in Intune.
- Helper: The helper is the IT Support Personnel (also known as support staff). The helper is responsible for providing support to a remote user.
- Sharer: The remote user who requires IT assistance and is willing to share the session with Helper via Remote help app.
Prerequisites for using Remote Help in Intune
To use the Intune Remote help solution, the following prerequisites are required:
- Intune Subscription: The remote help solution is integrated with Intune, therefore a valid Intune subscription is required.
- Intune Remote Help License: Remote help add-on license for all IT support workers (helpers) and users. You have to assign the remote help license to support staff and users.
- Support for Windows 10/11 devices: Only Windows 10 and Windows 11 devices are supported for remote help.
- Remote help application: Remote help app is available as download from Microsoft and must be installed on each device before that device can be used to participate in a remote help session.
- Permissions to use Remote Help: This is discussed under the topic “Configure RBAC Permissions for Remote Help Solution“.
Remote Help App Capabilities
The Intune remote help app offers the following capabilities:
- Use Remote Help with unenrolled devices: You can choose to allow help to devices that aren’t enrolled with Intune. This setting is disabled by default and can be turned on from remote help settings.
- Requires Organization login: To use Intune Remote Help, both the helper and the sharer must sign in with an Azure Active Directory (Azure AD) account from your organization. You can’t use Remote Help to assist users who aren’t members of your organization.
- Compliance Warnings: Before connecting to a user’s device via Remote Help, a helper will see a non-compliance warning about that device if it’s not compliant with its assigned policies. This warning doesn’t block access but provides transparency about the risk of using sensitive data like administrative credentials during the session.
- Role-based access control: Intune Admins can set RBAC rules that determine the scope of a helper’s access, like:
- The users who can help others and the range of actions they can do while providing help, like who can run elevated privileges while helping.
- The users that can only view a device, and which can request full control of the session while assisting others.
- Elevation of privilege: When required, a helper with the correct RBAC permissions can interact with the UAC prompt on the sharer’s machine to enter credentials. For example, your Help Desk employees might enter their administrative credentials to complete an action on the sharer’s device that requires administrative permissions.
- Monitor active Remote Help sessions, and view details about past sessions: In the Intune admin center you can view reports that include details about who helped who, on what device, and for how long. You’ll also find details about active sessions.
Advantages of using Remote Help Solution
- Integration with Intune (Endpoint Manager): Remote help is integrated into Microsoft Intune for both cloud and co-managed endpoints that eases adoption, administration.
- Intune Remote Help App: You can deploy the remote help app with Intune prior to using this feature.
- Supports Multiple Devices: The Intune remote help solution supports enrolled and unmanaged devices, Windows 365 Cloud PC and Azure Virtual Desktops.
- RBAC Permission: Permission based controls scoped for IT helpdesk roles, department, and geography
- Integration with Azure Active Directory: The Azure Active Directory (AAD) Integration that enables user trust based on their corporate identity.
- Device Compliance Checks: Device compliance checks prior to securing the connection mitigates risk and creates opportunities to proactively remediate vulnerabilities real-time, taking that burden away from employees.
Limitations of Remote Help in Intune
The Remote Help solution in Intune has the following limitations:
- Remote help is not supported on GCC, GCC High or DoD Tenants.
- You cannot establish a remote help session from one tenant to a different tenant. The Intune remote help will work only on the devices that are part of same tenant.
- The Intune Remote Help solution may not be available in all markets or localizations.
Firewall Requirements for Intune Remote Help
All the firewall specifications needed for the Intune Remote Help app to function are listed in the table below.
|*.support.services.microsoft.com||Primary endpoint used for the remote help application|
|*.resources.lync.com||Required for the Skype framework used by remote help|
|*.infra.lync.com||Required for the Skype framework used by remote help|
|*.latest-swx.cdn.skype.com||Required for the Skype framework used by remote help|
|*.login.microsoftonline.com||Required for logging in to the application (AAD). Might not be available in preview in all markets or for all localizations.|
|*.channelwebsdks.azureedge.net||Used for chat services within remote help|
|*.aria.microsoft.com||Used for accessibility features within the app|
|*.api.support.microsoft.com||API access for remote help|
|*.vortex.data.microsoft.com||Used for diagnostic data|
|*.channelservices.microsoft.com||Required for chat services within remote help|
Note: Remote help communicates over port 443 (HTTPS) and connects to the Remote Assistance Service at
https://remoteassistance.support.services.microsoft.com by using the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2.
Intune Remote Help Cost and Pricing Details
The price for the remote help add-on from Microsoft is $3.50 per user per month. Licences for Premium add-ons can be purchased from Microsoft 365 Admin Center, Microsoft Volume License Servicing Center (VLSC) or from Microsoft partners/resellers.
Microsoft allows for a free trial of Remote Help by giving you a 90-day period to use the Premium add-on capability without any charge. Trials can be up to 250 users per tenant. At the end of the trial period, there’s a 30-day grace period. After the trial period ends, you must purchase the licences for Remote Help add-on.
Enable Remote Help for your Intune Tenant
Enabling remote help allows users on enrolled devices to get assistance via the remote help app. The steps to enable the remote help for your Intune tenant are as follows:
- Sign in to Microsoft Intune admin center.
- Go to Tenant administration > Connectors and tokens > Remote help.
- On the Settings tab: Set Enable remote help to Enabled to turn on the Intune remote help.
- Select Save to apply the settings.
There is another option called “Allow remote help to unenrolled devices”. Enabling this option allows users to receive help on devices that are not enrolled in Intune. We’ll discuss this option in the later section of this post.
Configure Intune Remote Help RBAC Permissions
To be able to use Remote help solution, you will need to be assigned the proper permissions. You can use the built-in role or create custom RBAC Intune roles to grant only the remote tasks and remote help app permissions that you want different groups of users to have.
The following Intune RBAC permissions manage use of the remote help app:
- Take Full Control – Yes or No. This is the highest level of permissions that a remote help user can have. Full control enables a helper to directly make configurations or take actions on the device.
- Elevation – Yes or No. Allows helper to interact with the UAC prompt on end-user’s device.
- View Screen – Yes or No. A remote help app user who has view screen permissions is allowed to only view the screen.
Create custom RBAC Remote Help Roles in Intune
If you want to create custom roles to grant only the remote tasks and remote help app permissions for users or groups, here are my suggestions. You can create 3 roles for remote help app and assign the permissions accordingly.
- Remote Help – Full Control
- Remote Help – Elevation
- Remote Help – View Screen
If you are still testing the remote help feature, you can use the built-in “Help Desk Operator” role in Intune. The Help Desk Operator role sets all of these permissions to Yes.
From the below screenshot, you can see that the Help Desk Operator role has all the permissions – Elevation, View Screen and Take full control.
Create Custom Roles for Remote Help in Intune
You can create a custom Intune role for remote help users with following steps:
- Sign in to Microsoft Endpoint Manager admin center.
- Go to Tenant administration > Roles.
- To create a new custom role, select Create.
As an example, I will create a new custom role that allows users to have full control while using remote help app. On the Add Custom Role > Basics tab, specify the name of the role as Remote Help – Full Control. Add a nice description and click Next.
On the Permissions tab, from the list of permissions, select Remote help app. Configure the following permissions.
- Elevation: Yes
- View Screen: Yes
- Take Full control: Yes
On the Scope tags section, select the scope tags. You can use scope tags to make sure that the right admins have the right access and visibility to the right Intune objects. The default scope tag is automatically added to all untagged objects that support scope tags. Click Next.
On the Review+Create tab, review the permissions and select Create. This completes the steps to create custom roles for Intune remote help app.
Using the same procedure described above, you can create 2 new roles, Remote Help – Elevation and Remote Help – View Screen by assigning proper permissions.
I’ve chosen to create 3 unique roles for each of those permissions. See below screenshot.
Language Support for Remote Help
Remote Help is supported in the following languages:
- Portuguese (Portugal)
Download and Install Remote Help App
Remote help app must be installed on each device before that device can be used to participate in a remote help session. You can download the latest version of remote help directly from Microsoft at aka.ms/downloadremotehelp. Save the RemoteHelpinstaller.exe, and we will now install it.
To install remote help app, double-click the RemoteHelpInstaller.exe file. On the Remote help welcome screen, select I accept the Microsoft License Terms and click Install.
The remote help app installation is in progress and takes few seconds to install on the computer.
The Intune Remote help app is now installed.
How to use Remote Help App in Intune
The usage of the Remote help app is split into two scenarios:
- Give Help – You provide the help via the remote app to a remote user.
- Get Help – You require assistance from the IT and you request it via the remote help app.
To launch the remote help app, click Start > Type “Remote Help” in search box, select Remote Help app. On the login screen, sign in with your Microsoft organizational account.
Before you start to use the remote help app, you will have to accept the following terms. To use this app, we’ll need to share some information about you with the person you’re helping or receiving help from. This information is used to verify your identity.
We may share the following information:
- First and last name
- First name and first initial of last name
- Email address
- Profile picture
- Company name (if applicable)
- Company domain (if applicable)
- Job title
We recommend closing any unnecessary apps and files you don’t want the other person to see. If you have read the terms, click Accept.
After you successfully sign in to remote help app with your organizational account, you have 2 options.
- Get Help – The Get Help allows someone you trust to take control of your device and provide assistance.
- Give help – You help someone who is remote to solve a problem.
Let’s select Give Help. Click Get a security code.
Remote help generates a security code that you’ll share with the person who has requested assistance. The sharer has to enter this code in their instance of remote help to establish a connection to your remote help instance. By default, the security code expires in 10 minutes after you generate it. In case the security code is expired, you can generate a new code.
Once you share the security code to the sharer, the user must launch the Remote Help app and enter the same code and hit Submit button.
The remote help app now verifies the security code and initiates the connection. The following information is displayed to the helper who is ready to help the remote user.
The remote user is ready for your help. We recommend requesting screen sharing if you don’t need to control the device.
There are two options to choose from:
- Take full control
- View screen
Depending upon the requirement, select one option. For example, let’s test the full control option.
The user at the other end (Sharer) receives the following message. Remote user is asking for full control of your device. Remember to close anything you don’t want to see them. The remote user can now Allow or Decline the full control. Assume that user clicks Allow button.
The below screenshot shows the remote help in action. The support staff has full control over the remote computer and provide further assistance.
After the issues are resolved, or at any time during the session, both the sharer or helper can end the session.
To end the remote help session, select Leave in the upper-right corner of the remote help app. Upon the end of a session, the sharer is automatically signed out of their device as a security precaution to ensure all connections between the devices close.
Monitor Remote Help Sessions in Intune
You can monitor the use of remote help from within Intune admin center using the following steps:
- Sign in to the Microsoft Intune admin center.
- Go to Tenant administration > Connectors and tokens > Remote help.
- On the Monitor tab, you’ll see a count of active sessions and historical data about past remote help sessions.
On the Remote help sessions tab, you’ll see the records of past sessions, including:
- Provider ID – The helper ID of each session.
- Recipient ID – The recipient ID of each session.
- Recipient First Name – First name of the recipient.
- Recipient Last Name – Last name of the recipient.
- Device Name – The hostname of the device.
- OS – Operating System Details of the Device.
- Session Start – The Time when the Remote Help Session Started.
- Session End – The Time when the Remote Help Session Ended.
Intune Remote Help Log files for Troubleshooting
When you use the remote help app, the remote help logs data during installation and remote help sessions which can be of use when investigating issues with the app.
When you install the remote help app or uninstall it, the following two logs are created in the device user’s Temp folder. Every user account has the temp folder created in the following location – C:\Users\username\AppData\Local\Temp
The * in the log file name represents a date and time stamp of when the log was created. The below two log files can be used for troubleshooting issues with Intune remote help app.
Operational logs – During the use of Intune remote help app, operational details are logged in the Windows Event Viewer. The path of operational logs for Intune remote help app is Event Viewer > Application and Services > Microsoft > Windows > RemoteHelp.
Deploy Remote Help App as Win32 App with Intune
To deploy Remote Help with Intune, you can add the app as a Windows win32 app, and define a detection rule to identify devices that don’t have the most current version of Remote Help installed. To make it easy for everyone, I have published a guide on deploying remote help app as Win32 app with Intune.
I was in Remote Help but when I set up an Application it need an Admin account, remote help hadn’t provied a popup to fill in the account instead is a pause screen and the user must fill it in for me.
How can I make full control event fill in the admin account when installing the application?
Is it possible to get below use cases with remote help.
Can software provide connection to outside network?
Can software can provide file transfer?
Can software can record session
Can software can reach out to Linux device
I can see MS is leveraging Quick Assist for this.
My question is why cant I just user Quick Assist which is already there and help users instead of the remote help?
At this point in time, I am not concerned about RBAC perms.
So basically the Remote Help app with Intune just allows to assign permissions where Quick Assist does not. Is that the only difference between the two?