Earlier this year Microsoft rolled out some additional licensing for Intune (formerly known, for a time, as Microsoft Endpoint Manager). These cover new features including:
- Microsoft Tunnel for Mobile Application Management
- Advanced endpoint analytics
- Remote Help
I’ve been having a look at Remote Help, which is available as an individual add-on license or as part of the Intune Suite, to see how it works.
Remote Help needs to be enabled in the tenant; this is found under Tenant administration and then Remote Help. The Settings tab provides the ability to enable/disable the functionality (which can take some hours to activate) as well as controlling whether to allow use of unenrolled devices and chat capabilities.
Both the end-user's device (the Sharer, as the Microsoft documentation calls it) and the device of the person providing the assistance (the Helper, as per Microsoft documentation) require the Remote Help application to be installed. Unfortunately, at the time of writing at least, this is not pre-packaged for deployment via Intune (unlike the M365 App suite) and therefore has to be manually packaged and added into the list of Apps within an Intune tenant as a Win32 app.
Intune RBAC permissions control the use of the Remote Help app. By default the Help Desk Operator has all three permissions enabled. These permissions are Take full control, Elevation and View Screen, and they can be used to create custom roles if required.
Remote Help requires a code, generated on the machine used by the person providing assistance, to be entered on the machine requiring help. The code could be shared via a call or chat; however, it only lasts for 10 minutes before a new one is generated.
The Remote Help app requires a user to log into it with Azure AD credentials and can only be used by users within the same tenant. It is not intended to provide support to people in other tenants or 3rd parties.
Whilst it is possible to find a machine in the Intune portal and launch a New remote assistance session, all this seems to do is launch the app.
You still need to press the button that says Get a security code.
After which the code can be seen and shared.
After the code has been entered by the user requiring support, you have the option to only view the screen or to view and have full control.
You will receive a warning before connecting if the device is not compliant.
To see UAC prompts, the remote session needs to be elevated by pressing the button (providing the account has the permission); otherwise only a black screen is displayed until the UAC prompt is closed.
A prompt is displayed to remind the user to close windows opened with administrative permissions.