New Intune Remote Help Solution is Available Now

Microsoft announced a New Intune Remote Help Solution available with Intune portal or admin center. Microsoft already has a third-party integrated solution (Teamviewer) for remote assistance or remote control from the MEM admin center portal. The Teamviewer solution comes with additional license charges.

The current remote assistance solution from Teamviewer needs additional integration and connectivity to Teamviewer servers. I did review the Teamviewer remote assistance solution (more details at the bottom of this post) integrated into Intune portal.

Microsoft already announced that this comes with an additional premium price (Intune Suite)over existing EMS or M365 E3/E5 licenses. It seems the Intune community got surprised by the other license requirement for the new Intune Remote Assistance solution integrated with the admin center. This feature will be Generally Available by early next year (2022).

Remote Help quickly troubleshoots and resolves technical issues and is currently only offered for Windows devices, and Microsoft is extending management to Android. More Details – Remote Help for Android In Intune For Enhancing Support And Troubleshooting Coming Soon.

Patch My PC

The New Intune Remote help application is based on Quick Assist. Quick Assist has some security concerns, but with this new solution, Microsoft is going to eliminate those security issues with the quick assist. The latest news is that OOBE Support is also available for Intune Remote help.

How to Install Intune Remote Help Application Using Intune HTMD Blog (anoopcnair.com)

New Intune Remote Help Solution Available with Intune MEM Admin Center from Microsoft
New Intune Remote Help Solution Available with Intune MEM Admin Center from Microsoft – Pic Credit to Microsoft

Intune Remote Support – Windows Autopilot OOBE Support

Intune Remote Support – Windows Autopilot OOBE Support. Intune Remote Help is available for the OOBE screen during Windows Autopilot Scenario. Remote Help for Android in Intune for Enhancing Support and Troubleshooting Coming Soon.

Intune Remote Support – Windows Autopilot OOBE Support

Remote Help Cost – Additional License

I think it’s fair play from Microsoft because the other solution providers like Teamviewer or Beyond Trust, or other third-party vendors are charging a lot of money for their integrated and non-integrated solutions. I have seen a couple of them, and I won’t say those are cloud-native architecture.

Adaptiva

Well, should I assume this remote help solution needs a backend infrastructure in Azure? Or is this a magic solution that doesn’t require any infra to support all the regulatory, and security requirements?

This is one of the points I mentioned that the additional licensing requirement is a fair play from Microsoft. We will wait and see more about the architecture of this solution sometime later. All the details are taken from the Microsoft Ignite announcements from Microsoft. More details are in the resources section of this post.

Overview of Intune Remote Help Solution

Remote help supports only User Attended Support with the current release- The user must be present to accept and receive assistance. Remote Help requests can be screen sharing (view-only mode) or full control.

Compliance warning – The admin is prompted with a warning at the start of the session if a device is non-compliant and is shown a non-compliance banner throughout the remote session. This will help the admin to take appropriate cautions while fixing the issues of the device remotely.

Establishing Trust between IT admin and end-user – Strong initial handshake to ensure trust between admin and user by displaying admin and end-user information such as name, profile picture, company, title, and verified domain. This is very much needed to avoid any hacking impersonation kind of situation.

Overview of Remote Help Solution
Overview of Remote Help Solution Pic Credit to Microsoft

Intune Remote Help Prerequisites

Let’s check out the Intune Remote Help prerequisites. Remote Help has the following limitations: This is not supported on GCC, GCC High, or DoD Tenants. You cannot establish a Remote Help session from one tenant to a different tenant. and this solution may not be available in all markets or localizations.

  • Intune subscription
  • Remote Help add-on license or an Intune Suite license for all IT support workers (helpers) and users (sharers)
  • Windows 10/11
  • The Remote Help app for Windows. See Install and update Remote Help

Proxy Firewall Network Requirement for Intune Remote Help Setup

Let’s see what are Proxy, Firewall, and Network Requirement for Intune Remote Help Setup. As expected, Remote help communicates over port 443 (HTTPS). The Remote Help service in place is Remote Assistance Service at https://remoteassistance.support.services.microsoft.com.

NOTE! The connection used is the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2.

Domain/NameDescription
*.support.services.microsoft.comPrimary endpoint used for the remote help application
*.resources.lync.comRequired for the Skype framework used by remote help
*.infra.lync.comRequired for the Skype framework used by remote help
*.latest-swx.cdn.skype.comRequired for the Skype framework used by remote help
*.login.microsoftonline.comRequired for logging in to the application (AAD). Might not be available in preview in all markets or for all localizations.
*.channelwebsdks.azureedge.netUsed for chat services within remote help
*.aria.microsoft.comUsed for accessibility features within the app
*.api.support.microsoft.comAPI access for remote help
*.vortex.data.microsoft.comUsed for diagnostic data
*.channelservices.microsoft.comRequired for chat services within remote help
Proxy Firewall Network Requirement for Intune Remote Help Setup

Integrate Intune Remote Support Solution Remote Help

The new Remote Support solution from Microsoft helps IT admins to take the remote control of the Windows 10 or Windows 11 devices that are managed by Intune. You don’t need to go through the complex integration process with the look of the new remote help solution from the MEM admin center.

You will need to integrate the Remote Help solution from the Microsoft Endpoint Manager Admin center portal – Tenant AttachConnectors and Tokens. Click on the Remote Help tab to start the integration process.

In the remote help tab, you will get two settings options:

  • Enable Remote Help – Enabled
  • Allow Remote Help to Unenrolled devices – Allowed
  • Click on Save button to continue.
Integrate Remote Support Solution Remote Help
Integrate Remote Support Solution Remote Help Pic Credit to Microsoft

RBAC Permissions for Microsoft Intune Remote Help Solution

You will be able to provide time permission to the remote helper operator. This is fully integrated with all your Azure AD authentication methods. You don’t have any built-in roles for Remote Helper Operator as per the screenshots that Microsoft shared.

I have shared the design that Microsoft shared to have three tiers of remoter helper operator permissions. The Intune or MEM admin can set permissions in the Microsoft Endpoint Manager admin center to limit the sessions to have:

  • View-only permission
  • Allow Take full control permission
  • Granular option to enter administrative credentials for elevated permissions.

The following is the table that Microsoft shared to give an overview of permissions for each MEM Remote Help offering functionality. The first set of permissions is for checking the status of the connector etc. I think this is not required for all remote help support staff.

RBAC Permissions for Microsoft Remote Help Solution
RBAC Permissions for Microsoft Remote Help Solution Pic Credit to Microsoft
  • Read – Allows read only access to the remote assistance app blades (for both Remote Help and TeamViewer).
  • Update – Allows access to the Monitor and Sessions tab of the remote help blade in MEM Admin center.
  • View Reports – Allows update access to the remote assistance app blades (for both Remote Help and TeamViewer).

The following list of permissions is mainly required for the admins who will take the remote control of end users’ devices. I think some of these are the minimum permissions required (like “Offer Remote Assistance permission” + one of the other permission) for helpdesk operators to perform remote help.

  • Take Full Control of User’s Device – Allows the helper (admin or hepdesk user) to control the end-user’s device.
  • Elevation – Allows helper to interact with the UAC prompt on end-user’s device. The helpdesk admin can enter the credentials as well.
  • View Screen – Allows the helpdesk admin to start a screen sharing session.
  • Offer Remote Assistance – Enabled the “new remote assistance session” option in the devices menu.

3 Tier Helpdesk Support RBAC options with Remote Help

I like the granularity of the RBAC controls that you will have in place with the new remote help tool in Intune MEM admin center portal. There are three tiers of permissions that Microsoft designed as out of the box. You will have options to create custom RBAC roles for remote help solutions.

  • Tier 1 Support will have View-only permissions.
  • Tier 2 support can have full control permissions.
  • Tier 3 could have the permissions required to elevate using their alternate local administrator credentials on the end user’s device.

The following Intune RBAC permissions manage the use of the Remote Help app. Set each to Yes to grant the permission:

  • Category: Remote Help app
  • Permissions:
    • Take full control – Yes/No
    • Elevation – Yes/No
    • View screen – Yes/No
3 Tier Helpdesk Support RBAC options with Remote Help
3 Tier Helpdesk Support RBAC options with Remote Help – Pic Credit to Microsoft

End User Experience of Remote Help Solution from Intune

There are two types of solutions provided by the Remote Help solution. The admin can initiate remote assistance from Intune MEM Admin center portal, and the end-user can initiate the request for remote assistance using the security code from the new remote help Windows app.

Download the Remote Help Client for Windows 11 or Windows 10 devices from https://aka.ms/downloadremotehelp

End User Experience of Remote Help Solution from MEM Intune
End User Experience of Remote Help Solution from MEM Intune – Pic Credit to Microsoft

The following is the admin experience of initiating the remote help or remote assistance from devices node similar to TeamViewer’s remote assistance options (I think). You will need to click on Launch Remote Help link, as you can see in the below screenshot.

End User Experience of Remote Help Solution from MEM Intune
End-User Experience of Remote Help Solution from MEM Intune – Pic Credit to Microsoft

Reports Available Remote Help Solution from Microsoft

There is some very useful reporting also available with the Remote Help solution from Microsoft. I don’t think any third-party solutions can provide a single pane of glass reporting functionality with the MEM admin center.

  • Providers ID – Admin ID
  • Recipients ID – End Users ID
  • Recipients First Name – End User’s first name
  • Recipient Last Name – End User’s last name
  • Device Name – Hostname of the Device
  • OS – Operating System Details of the Device
  • Session Start – The Time at which the Remote Help Session Started
  • Session End – The Time at which the Remote Help Session Ended
Reports Available Remote Help Solution from Microsoft
Reports Available Remote Help Solution from Microsoft – Pic Credit to Microsoft

Intune Remote Help for Managed Windows iOS and Android Devices

iOS, Windows, and Android Devices managed by Intune can be administered remotely using TeamViewer.  Bur remote help for non-Windows devices is coming soon as per the roadmap from Remya. More details – Insights Of Microsoft Intune Suite Roadmap From Microsoft Secure Event HTMD Blog (anoopcnair.com).

Intune Remote Help for Managed Windows iOS and Android Devices
Intune Remote Help for Managed Windows iOS and Android Devices

TeamViewer has options integrated with Intune. This TeamViewer integration gives an out of box experience from Intune console.

TeamViewer integration with Intune helps IT Pro to provide remote assistance for Windows, iOS, and Android devices. You will see more details about Intune remote assistance.

Microsoft announced a native remote assistance solution New Remote Help Solution Available With Intune MEM Admin Center From Microsoft. Microsoft already announced that this comes with an additional premium price over existing EMS or M365 E3/E5 licenses.

Intune Remote Assistance with TeamViewer Prerequisites

The Intune administrator within the Azure portal must have the following Intune roles. I would recommend reading Microsoft documentation about the prerequisites and Intune RBAC roles.

  • Update Remote Assistance: Allows administrators to modify the TeamViewer connector settings
  • Request Remote Assistance: Allows administrators to start a new remote assistance session for any user. Any Intune role within a scope does not limit users to this role. Also, users or device groups assigned an Intune role within a scope can also request remote assistance.
  • The Trial version of TeamViewer or TeamViewer license to integrate Intune. Also, these license requirements are the same for remote assistance of Windows, iOS, and Android.

Video Experience – TeamViewer Intune Remote Assistance

Intune Integration with TeamViewer

As I mentioned above, Intune integration with TeamViewer is out of the experience for Intune admins. Microsoft and TeamViewer worked together to integrate TeamViewer’s API with Intune and Azure AD. 

The Intune Integration with TeamViewer is available in the Azure portal. I would recommend taking a free trial version of TeamViewer for fourteen (14) days.

Intune remote assistance

You can follow the below steps to Intune Integration with TeamViewer from the Azure portal Intune devices blade. More details are available in the video tutorial. To provide Intune remote assistance to Windows 10 devices, configure the Intune TeamViewer connector using the following steps:

  1. In the MEM Admin center select All Services, and search for Microsoft Intune.
  2. In Microsoft Intune, select Devices, and then click on TeamViewer Connector.
  3. Select Connect (connection status will be Requires setup), and then accept the license agreement.
  4. Connection Status changes – Enabling connector…please wait
  5. Connection Status changes – Loading connector…please wait
  6. Connection Status changes – Connecting
  7. Select Log in to TeamViewer to authorize.
  8. A web page opens to the TeamViewer site. Enter your TeamViewer trial of full license credentials, and then Sign In. Close the web page.
  9. Click on Refresh to change the connection status to Active.
Intune remote assistance

Enable Intune Remote Assistance for All Devices

After the TeamViewer connector is configured, you’re ready to administer a device remotely. Use the following steps to enable all devices to take Intune remote assistance. More details are available in the video tutorial.

  1. In the Intune, select All Services, and search for Microsoft Intune.
  2. In Microsoft Intune, select Devices, and then select All devices.
  3. From the list, select the device that you want to administer remotely. In the device properties, select New Remote Assistance Session.
  4. Click on Yes on New Remote Assistance Session the popup. Use the “Start Remote Assistance” link in the essentials session to start remote assistance for this device.
  5. Now all your devices are ready for Intune remote assistance.
Intune remote assistance

How to Start Intune Remote Assistance

Once you complete the following two sections, 1. Intune Integration with TeamViewer and 2. Enable Intune Remote Assistance for All Devices; you will be able to take Intune Remote assistance of Windows devices (also, Android and iOS devices) with TeamViewer. More details are available in the video tutorial.

Actions – Intune Admin Experience

  1. In the MEM Admin Center, select All Services, and search for Microsoft Intune.
  2. In Microsoft Intune, select Devices and select the device you want to take remote assistance from Intune.
  3. Click on Remote Assistance button to start the remote assistance.
  4. A web page opens to the TeamViewer site. The TeamViewer application will get downloaded. Run the TeamViewer application.
  5. Wait for the remote device to get ready for remote assistance connection.

Actions – End User Experience

As  TeamViewer remote assistance policy is flowing from Intune, it may take around 1 minute to reach the device. Make sure this Intune Remote assistance policy reached the device from Intune Company Portal.

Intune remote assistance
  1. Launch the Intune Company Portal.
  2. Select the notification “Your IT administrator is requesting control of this device for a remote assistance session”.
  3. A web page opens to the TeamViewer site. The TeamViewer application will get downloaded. Run the TeamViewer application (TeamViewerQS-id*.exe).
  4. TeamViewer Remote control pop windows and select Allow button.

TeamViewer Intune Remote Assistance Experience for Windows Devices

You have many rich controls of TeamViewer Intune Remote Assistance when you have control of the remote Windows machine. You can transfer files, enable remote printing, etc… More details are available in the video tutorial.

Intune remote assistance

Resources

https://www.teamviewer.com/en/integrations/microsoft-intune/

Use TeamViewer to remotely administer Intune devices

  • Blog Post – https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/remote-help-a-new-remote-assistance-tool-from-microsoft/ba-p/2822622
  • Video – https://techcommunity.microsoft.com/t5/video-hub/enable-remote-help-scenarios-with-microsoft-endpoint-manager/ba-p/2911349
  • Remotely assist users that are authenticated by your organization – https://docs.microsoft.com/en-us/mem/intune/remote-actions/remote-help

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc……………

15 thoughts on “New Intune Remote Help Solution is Available Now”

  1. Hi Anoop, thanks very much for the walk-through. Are you able to detail where we can download the new “Remote Help” app seen here please?

    Reply
  2. Nah, this should be included with an E5 license, and as an add-on for E3. It’s being built on top of the Skype framework and remote assistance, so it’s not like they’re starting from scratch like TeamViewer did.

    Reply
    • Good to know. Thank you for the details on infra. I had no clue about that. But if they build something on the existing one then the future evolution of the product will be limited. Isn’t it? Fore example – if they want to add a recording option to track or forensic purpose etc…thinking loud

      Reply
  3. I’m struggling with this….I’ve enabled Remote Help in Connectors, successfully deployed the Remote Help app as a Win32 app in MEM, but cannot initiate a Remote Help session through the device actions as the Remote Assistance option remains greyed out. I even tried to do it directly through through the Remote Help app but after entering the code, it says “…the person trying to help doesn’t have the right permissions to assist you” even though the account I am using is a Global Admin. Is this a possibly a limitation with Hybrid Azure AD Joined devices? I ask because all my W10/11 devices at this point in time are HAADJ…

    Reply
  4. Hi Anoop,

    I installed RemoteHelp.exe on 2 machines including Windows 11 and Windows 10. RemoteHelp tool was launching then closed out.

    Have you seen this issue?

    Reply
  5. New RemotehelpInstaller.exe has been released that fixies install issues.

    Any word on pricing? Hard to move to a larger evaluation without knowing that much.

    Reply
  6. Hi Anoop,

    does this app signs the user out every time someone takes full control of the user’s machine?

    Can you switch from remote control to remote view within the app, or you need to close the remote help app everytime to switch between two?

    URLs that are required for this app, can we allow authentication and SSL inspection for them, or they need to be allowed explicitly?

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.