Let’s learn how you can configure Intune RBAC to enable Remote Help and manage the permissions and actions of helpdesk associates during remote assistance sessions. Remote Help is a cloud-based remote assistance solution that will empower helpdesks to support users of Windows devices more securely.
With the introduction of role-based access controls for remote help in Microsoft Intune, admins gain the ability to configure parameters and define permissible actions during remote help sessions based on the role of the helpdesk associate.
In Microsoft Intune, administrators can establish permissions to restrict sessions to view-only mode, grant the associate full control over a user’s device, or authorize the associate to enter administrative credentials for executing specific actions, commonly referred to as elevation.
By leveraging these permissions, administrators can exercise precise control over remote assistance activities, ensuring security and aligning with organizational requirements. In case none of these roles align with your specific requirements, you have the option to create custom Intune roles tailored to your scenario.
Role-based access control (RBAC) enables Intune Administrators to manage and regulate the permissions granted to individuals for different Intune tasks within your organization. There is a set of twelve (12) predefined Intune roles available, known as RBAC roles.
Intune RBAC Configuration for Remote Help
The following steps help you configure RBAC for the Intune Remote Help application, which is based on Quick Assist. This application helps to remove security concerns with the Quick Assist app. You can follow the guide to Install Intune Remote Help Application with Intune.
- Sign in to the Microsoft Intune admin center https://intune.microsoft.com/.
- Navigate to Tenant administration > Roles.
Under All roles, you will find all the built-in roles and any custom roles created in the tenant. The Help Desk Operator built-in role performs remote tasks on users and devices and can assign applications or policies to users or devices.
By default, the built-in Help Desk Operator role sets all of these permissions to Yes. You can use the built-in role or create custom roles to grant only the remote tasks and Remote Help app permissions that you want different groups of users to have.
In Endpoint Manager, under All roles, click Create and select Intune role from the options that appear.
On the Basics page, enter a name and description for the custom role, then choose Next. The “Permissions” page is where you modify the permissions associated with a particular category. When creating a custom role, select the “Remote Help app” category and toggle the switch to “Yes” for each permission you want to grant.
The following Intune RBAC permissions manage the use of the Remote Help app. Set each to Yes to grant the permission:
| Permission | Setting | Description |
|---|---|---|
| Take full control | Yes/No | Take full control allows the helper to view and control the sharer’s device when remote help is enabled. |
| View screen | Yes/No | View screen allows the helper to view the sharer’s device when remote help is enabled. |
| Elevation | Yes/No | Elevation allows the helper to enter UAC credentials when prompted on the sharer’s device when remote help is enabled. Enabling elevation also allows the helper to view and control the sharer’s device when the sharer grants the helper access. |
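
The Elevation row has a consequence that is easy to miss when reviewing custom roles: a role with Take full control set to No but Elevation set to Yes still lets the helper control the device. The following Python check is an added example, not code from Microsoft or from this article; the role names, support tiers and sample data are constructed, and it works on the portal's Yes/No labels rather than on any Intune API.

```python
# Least-privilege review of Remote Help role permissions (added example).
# Permission labels come from the table above; everything else is constructed.
VIEW, CONTROL, ELEVATE = "View screen", "Take full control", "Elevation"

# Hypothetical support tiers and the most a helper in each tier should be able to do.
TIER_ALLOWS = {
    "view-only": {VIEW},
    "control": {VIEW, CONTROL},
    "elevate": {VIEW, CONTROL, ELEVATE},
}

def effective(permissions):
    """Capabilities a helper ends up with, given one role's Yes/No toggles."""
    granted = {p for p in (VIEW, CONTROL, ELEVATE) if permissions.get(p) == "Yes"}
    if ELEVATE in granted:
        granted |= {VIEW, CONTROL}  # Elevation also lets the helper view and control
    if CONTROL in granted:
        granted.add(VIEW)           # Take full control includes viewing the device
    return granted

def audit(roles):
    """Return (role name, excess capabilities) for roles that exceed their tier."""
    findings = []
    for role in roles:
        excess = effective(role["permissions"]) - TIER_ALLOWS[role["tier"]]
        if excess:
            findings.append((role["name"], sorted(excess)))
    return findings

ROLES = [  # constructed sample input, e.g. typed in from a review of the Roles page
    {"name": "Help Desk Operator (built-in, defaults)", "tier": "control",
     "permissions": {VIEW: "Yes", CONTROL: "Yes", ELEVATE: "Yes"}},
    {"name": "RH View Only", "tier": "view-only",
     "permissions": {VIEW: "Yes", CONTROL: "No", ELEVATE: "No"}},
    {"name": "RH Elevate Without Control", "tier": "view-only",
     "permissions": {VIEW: "Yes", CONTROL: "No", ELEVATE: "Yes"}},
]

if __name__ == "__main__":
    for name, excess in audit(ROLES):
        print(f"{name}: exceeds intended tier by {', '.join(excess)}")
```
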
You can duplicate built-in roles to create, edit, or assign Intune roles. Here’s how you can duplicate Intune RBAC Roles. To assign a built-in or custom role to an Intune user, choose the role you want to assign > Assignments > + Assign.
About Author – Jitesh, Microsoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.