Intune Remote Help – From Zero to Hero

This is a comprehensive guide to Intune Remote Help. Hope you find this useful.

  1. Remote Help Benefits
  2. Remote Help License Requirements
  3. Network Considerations
  4. Configure Remote Help App in Intune
  5. Remote Help Win32 App Deployment
  6. Firewall Rules Considerations
  7. RBAC – Assign Users to role
  8. Create a new RBAC Permission Role
  9. Create The Conditional Access Policy for the Remote Help App
  10. How to Use
  11. Initiating Chat in the App
  12. Restarting the Device Remotely
  13. If and When
  14. Monitoring Remote Help Sessions
  15. Monitor Conditional Access Sign-in Logs
  16. Wrapping Up

Remote Help Benefits

  • You don’t need to rely on other 3rd party remote support tools which sometimes can be dangerous to use as they can bring unwanted issues to your environment
  • This is controlled via Intune and can be used to manage both enrolled and unenrolled devices
  • Because Remote Help permissions are controlled through Intune RBAC, if you have a set of computers that 1st-level admins should not log in to, you can create a new RBAC role and assign only the permissions required
  • Microsoft Intune can provide admins with support session logs/ reports

Remote Help License Requirements

Option 1 – Microsoft Intune Suite

Purchase a Microsoft Intune Suite subscription and assign it to the users

Option 2 – Remote help add-on

This is a per-user add-on; check here for more info

This is what you will see when you go to the Intune portal > Tenant Administration > Premium Add-ons > click on view details on Remote help

Remote Help Add-on details in the Admin Center Billing Page

Helper – The IT admin who is supporting the user
Sharer – User who requires help

Network Considerations

Remote Help works over port 443 and connects to https://remoteassistance.support.services.microsoft.com using RDP; the traffic is encrypted with TLS 1.2

Both Helper and Sharer should be able to reach the below endpoints via port 443

Domain/Name – Description
*.aria.microsoft.com – Used for accessibility features within the app
*.events.data.microsoft.com – Microsoft Telemetry Service
*.monitor.azure.com – Required for telemetry and remote service initialization
*.support.services.microsoft.com – Primary endpoint used for the Remote Help application
*.trouter.skype.com – Used for Azure Communication Service for chat and connection between parties
*.aadcdn.msauth.net – Required for logging in to the application (Microsoft Azure Active Directory, Azure AD)
*.aadcdn.msftauth.net – Required for logging in to the application (Azure AD)
*.edge.skype.com – Used for Azure Communication Service for chat and connection between parties
*.graph.microsoft.com – Used for connecting to the Microsoft Graph service
*.login.microsoftonline.com – Required for the Microsoft sign-in service. Might not be available in the preview in all markets or for all localizations
Allowlist for Microsoft Edge endpoints – The app uses the Microsoft Edge WebView2 browser control. That article identifies the domain URLs that you need to add to the allowlist to ensure communications through firewalls and other security mechanisms

Configure Remote Help App in Intune

This feature is disabled by default and the Intune Administrator needs to go in and change the settings

Go to https://intune.microsoft.com > Tenant Administration > Remote Help

Enable the below options and hit Save

Set the Enable remote help to Enabled
And Allow remote help to unenrolled devices to Enabled
Unenrolled devices will not be able to get the Remote Help app pushed by Intune. For these devices, the app needs to be installed manually.

Remote Help Win32 App Deployment

  • Use the intunewin app util to prepare the remote help app 🔗Check here
  • Run IntuneWinAppUtil.exe as Administrator
  • Upload the app to Intune
    • Go to Apps > Windows in the Intune portal
    • Add > App type: Windows app (Win32) > Select
    • Select the intunewin package created previously and upload it
  • Set the Name/ Description/ Publisher
  • Set the Install command remotehelpinstaller.exe /quiet acceptTerms=1
  • Set the Uninstall command remotehelpinstaller.exe /uninstall /quiet acceptTerms=1
  • Install behavior System
  • Press Next
  • Under Requirements, OS architecture – Select x86, x64 or both
  • Minimum OS – Select the OS level
  • Press Next
  • Under Detection rules, Rule format – Manually configure detection rules
  • Detection rules – Select File and key in C:\Program Files\Remote help
  • File or folder – RemoteHelp.exe
  • Detection method – File or folder exists
  • Press OK > Press Next and skip Dependencies and Supersedence
  • Under Assignments, Assign it to the required Device Group
  • Review and Create

This will now get installed in the specified device group.
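As an added example (not part of the original post), here is a custom detection script you could use in place of the "File or folder exists" rule above. It counts the app as installed only when RemoteHelp.exe is present at the path the post uses and carries a valid Microsoft Authenticode signature, so a stray or tampered file at that path is not reported as a successful install.

```powershell
# Added example, not from the original post: custom Intune detection script for
# the Remote Help Win32 app. Intune treats STDOUT output plus exit code 0 as
# "detected"; anything else (no output or a non-zero exit code) as "not detected".
$ExePath = 'C:\Program Files\Remote help\RemoteHelp.exe'

if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf)) {
    # File missing: report "not detected" so Intune (re)installs the app
    exit 1
}

# The binary must carry a valid Authenticode signature ...
$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status for $ExePath is $($sig.Status)"
    exit 1
}

# ... issued to Microsoft, not just any valid signer
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
    exit 1
}

$version = (Get-Item -LiteralPath $ExePath).VersionInfo.ProductVersion
Write-Output "Remote Help $version detected with a valid Microsoft signature"
exit 0
```

Use this under Detection rules with Rule format set to "Use a custom detection script" instead of the file rule, if you want the extra signature check.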

Firewall Rules Considerations

Create the below exceptions in Defender Firewall if needed. These are the locations to be whitelisted.

  • C:\Program Files\Remote help\RemoteHelp.exe
  • C:\Program Files\Remote help\RHService.exe
  • C:\Program Files\Remote help\RemoteHelpRDP.exe
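As an added example (not part of the original post), this script creates the outbound Defender Firewall exceptions for the three binaries listed above. The rules are scoped to TCP 443, the only port the post says Remote Help uses, rather than allowing all traffic for the programs; the rule names are my own choice.

```powershell
# Added example, not from the original post: outbound Defender Firewall rules
# for the Remote Help binaries, limited to TCP 443 and safe to re-run.
$RemoteHelpDir = 'C:\Program Files\Remote help'
$Binaries      = 'RemoteHelp.exe', 'RHService.exe', 'RemoteHelpRDP.exe'

foreach ($exe in $Binaries) {
    $program  = Join-Path $RemoteHelpDir $exe
    $ruleName = "Intune Remote Help - $exe (TCP 443 out)"   # assumed naming

    if (-not (Test-Path -LiteralPath $program -PathType Leaf)) {
        Write-Warning "Skipping $exe because it is not installed at $program"
        continue
    }

    # Idempotent: do not create a duplicate rule when the script runs again
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Output "Rule '$ruleName' already exists"
        continue
    }

    New-NetFirewallRule -DisplayName $ruleName `
        -Description 'Allows the Intune Remote Help client to reach Microsoft over HTTPS' `
        -Direction Outbound `
        -Program $program `
        -Protocol TCP `
        -RemotePort 443 `
        -Action Allow `
        -Profile Any `
        -Enabled True | Out-Null

    Write-Output "Created rule '$ruleName'"
}
```

Run it elevated on a device where the app is already installed, or push it as a platform script once the Win32 app from the previous section has deployed.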

RBAC – Assign Users to role

By default, the Intune Admin can use this to support users. However, since the Intune Admin has the power to perform any change in the Endpoint Manager tenant, it is advisable to create a dedicated RBAC role for Remote Help.

Intune RBAC permission role Help Desk Operator has all the below options set to Yes.
  • View screen
  • Elevation
  • Take full control

Create a new RBAC Permission Role

  • Go to Endpoint Manager > Tenant Administration > Roles > Create > Give a meaningful name > Next
  • As shown below, set the options to Yes
  • Press Next and add or skip Scope Tags (optional) > Create
  • Go to the created role again > Assignments > Give a meaningful name > Press Next
  • Assign it to the required Admins group > Next
  • Set the Scope Groups – These are users/ devices that the relevant RBAC admin can access > Press Next
  • Review and Create

Create The Conditional Access Policy for the Remote Help App

This is a newly introduced option: admins can now add Remote Help as an app in Conditional Access Policies and explicitly require the MFA challenge to be completed. This is an added layer of protection, as bad actors widely use remote support tools to get into computers.

  • Install the Azure AD Preview Powershell module by running Powershell as Administrator

Install-module AzureADPreview

  • Run Connect-AzureAD and log in with the Global Admin or another appropriate account
  • Run New-AzureADServicePrincipal -AppId 1dee7b72-b80d-4e56-933d-8b6b04f9a3e2 to create the Remote Help service principal
  • Create the Conditional Access Policy as below. Select RemoteAssistanceService from the apps that need to be included
  • Make sure you set the Grant option to Require MFA or set up another required strong authentication option
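The service principal and policy steps above, scripted as an added example (not from the original post). It registers the service principal only if it does not already exist, then creates the Conditional Access policy in report-only mode so you can confirm the impact in the sign-in logs before enforcing. The helper group name is an assumed placeholder; the AppId is the one the post gives.

```powershell
# Added example, not from the original post: register the Remote Help service
# principal idempotently and create a report-only CA policy requiring MFA.
Install-Module AzureADPreview -Scope CurrentUser
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$RemoteHelpAppId = '1dee7b72-b80d-4e56-933d-8b6b04f9a3e2'   # AppId from the post
$HelperGroupName = 'SG-RemoteHelp-Helpers'                  # assumed placeholder group

# Idempotent: a tenant must not end up with two service principals for the app
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$RemoteHelpAppId'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $RemoteHelpAppId
}
Write-Output "Service principal: $($sp.DisplayName) ($($sp.ObjectId))"

$group = Get-AzureADGroup -SearchString $HelperGroupName | Select-Object -First 1
if (-not $group) { throw "Group '$HelperGroupName' not found" }

# Conditions: only the Remote Help app, only the helper (admin) group
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = $RemoteHelpAppId
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeGroups = $group.ObjectId

# Grant control: require MFA, as the post recommends
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = 'mfa'

# Report-only first; switch -State to 'enabled' once the sign-in logs look right
New-AzureADMSConditionalAccessPolicy -DisplayName 'Remote Help - Require MFA' `
    -State 'enabledForReportingButNotEnforced' `
    -Conditions $conditions `
    -GrantControls $controls
```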

How to Use

Now that we have completed the groundwork, let’s see how this is working in the Intune environment.

Person who is providing help

The IT admin goes to the Intune portal > Devices > Windows > selects the device to support > clicks on the 3 dots . . . and selects New remote assistance session

This will open up a side pane. Click on Launch Remote Help

The Admin signs in to the Remote Help app and completes the MFA challenge

Click on Get a Security Code button

Person Who is Asking for Help

The Admin will now be presented with a code that has a lifetime of 10 minutes

The Sharer opens the Remote Help app, completes MFA and accepts the legal notes on first use

The Sharer needs to complete the MFA challenge as well

The Sharer keys in the 6-digit code the Admin provides and proceeds

Sharer will see below

The IT admin sees the screen below. At this stage, the Admin can Take full control or just View screen

Back on the Sharer side, they will see the screen below and need to press Allow

And voilà! The screen sharing will begin

Initiating Chat in the App

Click the icon shown below to initiate a chat with the other side. They will get the chat window popped up on the screen

Restarting the Device Remotely

Use the below-shown icon to restart the sharer’s device.

They will get the below message on their computer and once the device is restarted, it will be automatically joined to the previously connected Remote Help session

If and When

  • When the Sharer Device is not compliant with the Intune Compliance Policies
  • If someone is not an admin or hasn’t been granted RBAC permissions, they will get the below screen.

Helper Screen

Sharer Screen

Monitoring Remote Help Sessions

Intune Portal > Tenant Administration > Remote Help

Use the below tabs to monitor the Remote Help sessions.

Monitor Conditional Access Sign-in Logs

Filter the sign-in logs on Application == RemoteAssistanceService and review its sign-ins if you need to monitor the MFA behavior for the Remote Help app
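As an added example (not part of the original post), this pulls the last week of RemoteAssistanceService sign-ins with the Microsoft Graph PowerShell SDK (not the AzureAD module used earlier) and flags successful sign-ins that did not go through MFA or where no Conditional Access policy applied, which is exactly the gap the policy above is meant to close.

```powershell
# Added example, not from the original post: report Remote Help sign-ins that
# succeeded without an MFA-enforcing Conditional Access policy.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' | Out-Null

$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "appDisplayName eq 'RemoteAssistanceService' and createdDateTime ge $since"

$signIns = Get-MgAuditLogSignIn -Filter $filter -All

$report = foreach ($s in $signIns) {
    [pscustomobject]@{
        When       = $s.CreatedDateTime
        User       = $s.UserPrincipalName
        IP         = $s.IPAddress
        CAStatus   = $s.ConditionalAccessStatus     # success / failure / notApplied
        AuthReq    = $s.AuthenticationRequirement   # singleFactorAuthentication / multiFactorAuthentication
        ErrorCode  = $s.Status.ErrorCode            # 0 = successful sign-in
        # A successful session that never met an MFA-enforcing policy is the
        # case to investigate: either the policy is misconfigured or bypassed
        Suspicious = ($s.Status.ErrorCode -eq 0) -and
                     ($s.AuthenticationRequirement -ne 'multiFactorAuthentication' -or
                      $s.ConditionalAccessStatus -ne 'success')
    }
}

$report | Sort-Object When -Descending | Format-Table -AutoSize
$report | Where-Object Suspicious
```

While the policy is still in report-only mode, expect CAStatus to read notApplied; once enforced, any remaining Suspicious rows deserve a closer look.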

Wrapping Up

Intune is going to be a one-stop shop for all device management tasks sooner or later, and Remote Help is one helpful tool from the toolbox. Hope this guide was helpful for planning your remote support tool deployment as well.


2 thoughts on “Intune Remote Help – From Zero to Hero”

  1. Hi, when there is the possibility to connect to the device even without the presence of the user I will surely implement it instead of team viewer.
