Microsoft announced a New Intune Remote Help Solution available with Intune portal or admin center. Microsoft already has a third-party integrated solution (Teamviewer) for remote assistance or remote control from the MEM admin center portal. The Teamviewer solution comes with additional license charges.
The current remote assistance solution from Teamviewer needs additional integration and connectivity to Teamviewer servers. I did review the Teamviewer remote assistance solution (more details at the bottom of this post) integrated into Intune portal.
Microsoft already announced that this comes with an additional premium price (Intune Suite)over existing EMS or M365 E3/E5 licenses. It seems the Intune community got surprised by the other license requirement for the new Intune Remote Assistance solution integrated with the admin center. This feature will be Generally Available by early next year (2022).
Remote Help quickly troubleshoots and resolves technical issues and is currently only offered for Windows devices, and Microsoft is extending management to Android. More Details – Remote Help for Android In Intune For Enhancing Support And Troubleshooting Coming Soon.
The New Intune Remote help application is based on Quick Assist. Quick Assist has some security concerns, but with this new solution, Microsoft is going to eliminate those security issues with the quick assist. The latest news is that OOBE Support is also available for Intune Remote help.
Intune Remote Support – Windows Autopilot OOBE Support
Intune Remote Support – Windows Autopilot OOBE Support. Intune Remote Help is available for the OOBE screen during Windows Autopilot Scenario. Remote Help for Android in Intune for Enhancing Support and Troubleshooting Coming Soon.
Remote Help Cost – Additional License
I think it’s fair play from Microsoft because the other solution providers like Teamviewer or Beyond Trust, or other third-party vendors are charging a lot of money for their integrated and non-integrated solutions. I have seen a couple of them, and I won’t say those are cloud-native architecture.
Well, should I assume this remote help solution needs a backend infrastructure in Azure? Or is this a magic solution that doesn’t require any infra to support all the regulatory, and security requirements?
This is one of the points I mentioned that the additional licensing requirement is a fair play from Microsoft. We will wait and see more about the architecture of this solution sometime later. All the details are taken from the Microsoft Ignite announcements from Microsoft. More details are in the resources section of this post.
Overview of Intune Remote Help Solution
Remote help supports only User Attended Support with the current release- The user must be present to accept and receive assistance. Remote Help requests can be screen sharing (view-only mode) or full control.
Compliance warning – The admin is prompted with a warning at the start of the session if a device is non-compliant and is shown a non-compliance banner throughout the remote session. This will help the admin to take appropriate cautions while fixing the issues of the device remotely.
Establishing Trust between IT admin and end-user – Strong initial handshake to ensure trust between admin and user by displaying admin and end-user information such as name, profile picture, company, title, and verified domain. This is very much needed to avoid any hacking impersonation kind of situation.
Intune Remote Help Prerequisites
Let’s check out the Intune Remote Help prerequisites. Remote Help has the following limitations: This is not supported on GCC, GCC High, or DoD Tenants. You cannot establish a Remote Help session from one tenant to a different tenant. and this solution may not be available in all markets or localizations.
- Intune subscription
- Remote Help add-on license or an Intune Suite license for all IT support workers (helpers) and users (sharers)
- Windows 10/11
- The Remote Help app for Windows. See Install and update Remote Help
Proxy Firewall Network Requirement for Intune Remote Help Setup
Let’s see what are Proxy, Firewall, and Network Requirement for Intune Remote Help Setup. As expected, Remote help communicates over port 443 (HTTPS). The Remote Help service in place is Remote Assistance Service at https://remoteassistance.support.services.microsoft.com.
NOTE! The connection used is the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2.
|*.support.services.microsoft.com||Primary endpoint used for the remote help application|
|*.resources.lync.com||Required for the Skype framework used by remote help|
|*.infra.lync.com||Required for the Skype framework used by remote help|
|*.latest-swx.cdn.skype.com||Required for the Skype framework used by remote help|
|*.login.microsoftonline.com||Required for logging in to the application (AAD). Might not be available in preview in all markets or for all localizations.|
|*.channelwebsdks.azureedge.net||Used for chat services within remote help|
|*.aria.microsoft.com||Used for accessibility features within the app|
|*.api.support.microsoft.com||API access for remote help|
|*.vortex.data.microsoft.com||Used for diagnostic data|
|*.channelservices.microsoft.com||Required for chat services within remote help|
Integrate Intune Remote Support Solution Remote Help
The new Remote Support solution from Microsoft helps IT admins to take the remote control of the Windows 10 or Windows 11 devices that are managed by Intune. You don’t need to go through the complex integration process with the look of the new remote help solution from the MEM admin center.
You will need to integrate the Remote Help solution from the Microsoft Endpoint Manager Admin center portal – Tenant Attach – Connectors and Tokens. Click on the Remote Help tab to start the integration process.
In the remote help tab, you will get two settings options:
- Enable Remote Help – Enabled
- Allow Remote Help to Unenrolled devices – Allowed
- Click on Save button to continue.
RBAC Permissions for Microsoft Intune Remote Help Solution
You will be able to provide time permission to the remote helper operator. This is fully integrated with all your Azure AD authentication methods. You don’t have any built-in roles for Remote Helper Operator as per the screenshots that Microsoft shared.
I have shared the design that Microsoft shared to have three tiers of remoter helper operator permissions. The Intune or MEM admin can set permissions in the Microsoft Endpoint Manager admin center to limit the sessions to have:
- View-only permission
- Allow Take full control permission
- Granular option to enter administrative credentials for elevated permissions.
The following is the table that Microsoft shared to give an overview of permissions for each MEM Remote Help offering functionality. The first set of permissions is for checking the status of the connector etc. I think this is not required for all remote help support staff.
- Read – Allows read only access to the remote assistance app blades (for both Remote Help and TeamViewer).
- Update – Allows access to the Monitor and Sessions tab of the remote help blade in MEM Admin center.
- View Reports – Allows update access to the remote assistance app blades (for both Remote Help and TeamViewer).
The following list of permissions is mainly required for the admins who will take the remote control of end users’ devices. I think some of these are the minimum permissions required (like “Offer Remote Assistance permission” + one of the other permission) for helpdesk operators to perform remote help.
- Take Full Control of User’s Device – Allows the helper (admin or hepdesk user) to control the end-user’s device.
- Elevation – Allows helper to interact with the UAC prompt on end-user’s device. The helpdesk admin can enter the credentials as well.
- View Screen – Allows the helpdesk admin to start a screen sharing session.
- Offer Remote Assistance – Enabled the “new remote assistance session” option in the devices menu.
3 Tier Helpdesk Support RBAC options with Remote Help
I like the granularity of the RBAC controls that you will have in place with the new remote help tool in Intune MEM admin center portal. There are three tiers of permissions that Microsoft designed as out of the box. You will have options to create custom RBAC roles for remote help solutions.
- Tier 1 Support will have View-only permissions.
- Tier 2 support can have full control permissions.
- Tier 3 could have the permissions required to elevate using their alternate local administrator credentials on the end user’s device.
The following Intune RBAC permissions manage the use of the Remote Help app. Set each to Yes to grant the permission:
- Category: Remote Help app
- Take full control – Yes/No
- Elevation – Yes/No
- View screen – Yes/No
End User Experience of Remote Help Solution from Intune
There are two types of solutions provided by the Remote Help solution. The admin can initiate remote assistance from Intune MEM Admin center portal, and the end-user can initiate the request for remote assistance using the security code from the new remote help Windows app.
Download the Remote Help Client for Windows 11 or Windows 10 devices from https://aka.ms/downloadremotehelp
The following is the admin experience of initiating the remote help or remote assistance from devices node similar to TeamViewer’s remote assistance options (I think). You will need to click on Launch Remote Help link, as you can see in the below screenshot.
Reports Available Remote Help Solution from Microsoft
There is some very useful reporting also available with the Remote Help solution from Microsoft. I don’t think any third-party solutions can provide a single pane of glass reporting functionality with the MEM admin center.
- Providers ID – Admin ID
- Recipients ID – End Users ID
- Recipients First Name – End User’s first name
- Recipient Last Name – End User’s last name
- Device Name – Hostname of the Device
- OS – Operating System Details of the Device
- Session Start – The Time at which the Remote Help Session Started
- Session End – The Time at which the Remote Help Session Ended
Intune Remote Help for Managed Windows iOS and Android Devices
iOS, Windows, and Android Devices managed by Intune can be administered remotely using TeamViewer. Bur remote help for non-Windows devices is coming soon as per the roadmap from Remya. More details – Insights Of Microsoft Intune Suite Roadmap From Microsoft Secure Event HTMD Blog (anoopcnair.com).
TeamViewer has options integrated with Intune. This TeamViewer integration gives an out of box experience from Intune console.
TeamViewer integration with Intune helps IT Pro to provide remote assistance for Windows, iOS, and Android devices. You will see more details about Intune remote assistance.
Microsoft announced a native remote assistance solution New Remote Help Solution Available With Intune MEM Admin Center From Microsoft. Microsoft already announced that this comes with an additional premium price over existing EMS or M365 E3/E5 licenses.
Intune Remote Assistance with TeamViewer Prerequisites
The Intune administrator within the Azure portal must have the following Intune roles. I would recommend reading Microsoft documentation about the prerequisites and Intune RBAC roles.
- Update Remote Assistance: Allows administrators to modify the TeamViewer connector settings
- Request Remote Assistance: Allows administrators to start a new remote assistance session for any user. Any Intune role within a scope does not limit users to this role. Also, users or device groups assigned an Intune role within a scope can also request remote assistance.
- The Trial version of TeamViewer or TeamViewer license to integrate Intune. Also, these license requirements are the same for remote assistance of Windows, iOS, and Android.
Video Experience – TeamViewer Intune Remote Assistance
Intune Integration with TeamViewer
As I mentioned above, Intune integration with TeamViewer is out of the experience for Intune admins. Microsoft and TeamViewer worked together to integrate TeamViewer’s API with Intune and Azure AD.
The Intune Integration with TeamViewer is available in the Azure portal. I would recommend taking a free trial version of TeamViewer for fourteen (14) days.
You can follow the below steps to Intune Integration with TeamViewer from the Azure portal Intune devices blade. More details are available in the video tutorial. To provide Intune remote assistance to Windows 10 devices, configure the Intune TeamViewer connector using the following steps:
- In the MEM Admin center select All Services, and search for Microsoft Intune.
- In Microsoft Intune, select Devices, and then click on TeamViewer Connector.
- Select Connect (connection status will be Requires setup), and then accept the license agreement.
- Connection Status changes – Enabling connector…please wait
- Connection Status changes – Loading connector…please wait
- Connection Status changes – Connecting
- Select Log in to TeamViewer to authorize.
- A web page opens to the TeamViewer site. Enter your TeamViewer trial of full license credentials, and then Sign In. Close the web page.
- Click on Refresh to change the connection status to Active.
Enable Intune Remote Assistance for All Devices
After the TeamViewer connector is configured, you’re ready to administer a device remotely. Use the following steps to enable all devices to take Intune remote assistance. More details are available in the video tutorial.
- In the Intune, select All Services, and search for Microsoft Intune.
- In Microsoft Intune, select Devices, and then select All devices.
- From the list, select the device that you want to administer remotely. In the device properties, select New Remote Assistance Session.
- Click on Yes on New Remote Assistance Session the popup. Use the “Start Remote Assistance” link in the essentials session to start remote assistance for this device.
- Now all your devices are ready for Intune remote assistance.
How to Start Intune Remote Assistance
Once you complete the following two sections, 1. Intune Integration with TeamViewer and 2. Enable Intune Remote Assistance for All Devices; you will be able to take Intune Remote assistance of Windows devices (also, Android and iOS devices) with TeamViewer. More details are available in the video tutorial.
Actions – Intune Admin Experience
- In the MEM Admin Center, select All Services, and search for Microsoft Intune.
- In Microsoft Intune, select Devices and select the device you want to take remote assistance from Intune.
- Click on Remote Assistance button to start the remote assistance.
- A web page opens to the TeamViewer site. The TeamViewer application will get downloaded. Run the TeamViewer application.
- Wait for the remote device to get ready for remote assistance connection.
Actions – End User Experience
As TeamViewer remote assistance policy is flowing from Intune, it may take around 1 minute to reach the device. Make sure this Intune Remote assistance policy reached the device from Intune Company Portal.
- Launch the Intune Company Portal.
- Select the notification “Your IT administrator is requesting control of this device for a remote assistance session”.
- A web page opens to the TeamViewer site. The TeamViewer application will get downloaded. Run the TeamViewer application (TeamViewerQS-id*.exe).
- TeamViewer Remote control pop windows and select Allow button.
TeamViewer Intune Remote Assistance Experience for Windows Devices
You have many rich controls of TeamViewer Intune Remote Assistance when you have control of the remote Windows machine. You can transfer files, enable remote printing, etc… More details are available in the video tutorial.
Use TeamViewer to remotely administer Intune devices
- Blog Post – https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/remote-help-a-new-remote-assistance-tool-from-microsoft/ba-p/2822622
- Video – https://techcommunity.microsoft.com/t5/video-hub/enable-remote-help-scenarios-with-microsoft-endpoint-manager/ba-p/2911349
- Remotely assist users that are authenticated by your organization – https://docs.microsoft.com/en-us/mem/intune/remote-actions/remote-help
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc……………