Remote Help, part of the Intune Suite, is a cloud-based solution for secure help desk connections with role-based access controls. Through the connection, support staff can connect remotely to users' devices.

[[TOC]]

General Prerequisites

Before enabling and using Intune Remote Help, ensure the following prerequisites are met:

  • Intune Subscription: Your organization must have an active Intune subscription.
  • Remote Help Add-On License or Intune Suite License:
    To utilize Remote Help, both IT support workers (helpers) and users (sharers) need either the Remote Help add-on license or an Intune Suite license.

    • Helper: The helper is the IT Support Personnel (also known as support staff). The helper is responsible for providing support to a remote user.
    • Sharer: The remote user who requires IT assistance and is willing to share the session with the helper via the Remote Help app.
    • Education: Remote Help is included in the following Microsoft 365 Education plans:
      • Microsoft 365 A1 for devices
      • Microsoft 365 Education A3 Faculty and Student Use Benefit
      • Microsoft 365 Education A5 Faculty and Student Use Benefit

Supported Platforms

Remote Help is available on the following platforms:

Windows 10/11

  • Helpers and sharers can use Remote Help on Windows 10 and Windows 11 devices.
  • This includes both standard Windows 10/11 installations and Windows 365 Cloud PCs.
  • ARM64-based Windows devices are also supported.

Android Enterprise Dedicated Devices

  • Remote Help is compatible with Android Enterprise Dedicated Devices, limited to Samsung and Zebra devices running MX version 8.3 or higher.
    • Unattended control is only supported on MX version 9.3 and higher.

macOS

  • Remote Help is compatible with macOS versions 11, 12, 13, and 14 using a browser app. Note that this is a view-only solution.

Prerequisites for Windows

  • The remote help application must be installed on the sharer’s device.
  • The helper and sharer can be on an enrolled or unenrolled device.
  • The Intune management extension is required for the remote launch feature, which is supported on Windows 10 and 11. Specifically, for Windows 10 the OS build needs to be greater than or equal to version 19042 and have the KB5018410 patch installed. The OS version should be greater than or equal to 10.0.19042.2075 or 10.0.19043.2075 or 10.0.19044.2075.
    • Win 11: July 25, 2023—KB5028245 (OS Build 22000.2245)
    • Win 10: August 22, 2023—KB5029331 (OS Build 19045.3393)

Remote Help capabilities and requirements on Windows

The Remote Help app supports the following capabilities on Windows:

  • Conditional access: Administrators can now utilize conditional access capability when setting up policies and conditions for Remote Help. For example, multi-factor authentication, installing security updates, and locking access to Remote Help for a specific region or IP addresses.
  • Compliance Warnings: Before a helper can connect to a user’s device, the helper sees a non-compliance warning about that device if it’s not compliant with its assigned policies. This warning doesn’t block access but provides transparency about the risk of using sensitive data like administrative credentials during the session.
    • Helpers who have access to device views in Intune will see a link in the warning to the device properties page in the Microsoft Intune admin center. The link allows a helper to learn more about why the device isn’t compliant.
    • If the user’s device isn’t enrolled, the helper sees a prompt that the user’s device is unenrolled.
  • Elevation of privilege: When needed, a helper with the correct RBAC permissions can interact with the UAC prompt on the sharer’s machine to enter credentials. For example, your Help Desk employees might enter their administrative credentials to complete an action on the sharer’s device that requires administrative permissions.
  • Enhanced chat: Remote Help includes enhanced chat that maintains a continuous thread of all messages. This chat supports special characters and other languages including Chinese and Arabic.
  • Remotely start session: The helper can launch Remote Help seamlessly on both the helper’s and the user’s device from Intune by sending a notification to the user’s device. The notification allows the helpdesk and the sharer to be connected to a session quickly without exchanging session codes.

Prerequisites for Android Enterprise Dedicated Devices

  • Set up Managed Google Play for your tenant.
    Install the Intune app on devices with a version higher than 5.0.5541.0.
  • Devices must NOT have a device configuration policy set to block screen capture.
  • Zebra devices only: Set up Zebra OEMConfig for your tenant.
  • The helper must be licensed to use the Remote Help add-on.
  • The helper must have appropriate RBAC permissions to use Remote Help on Android:
    • Category: Remote Help app
    • Permissions:
      • Take full control: Yes (required for control)
      • View screen: Yes (required for screen share)
      • Unattended control: Yes (required for unattended control)
    • If the user doesn’t have the correct RBAC permissions for a particular mode, the corresponding options are disabled when attempting to start a Remote Help session.

Remote Help capabilities and requirements on Android

The Remote Help app supports the following capabilities on Android:

  • Screen sharing: View of the remote screen. To minimize impact on end user privacy, this option is recommended unless full control is necessary.
  • Full control: Full control of the remote device.
  • Unattended control: Full control of the device without the presence of an end user.
  • Compliance warnings: Before a helper connects to a user’s device, the helper sees a non-compliance warning about that device if it’s not compliant with its assigned policies. This warning doesn’t block access but provides transparency about the risk of using sensitive data like administrative credentials during the session.

Prerequisites for macOS devices

  • macOS versions: 11 Big Sur, 12 Monterey, 13 Ventura, and 14 Sonoma.
  • Browser versions of Safari (version 16.4.1+), Chrome (version 109+), and Microsoft Edge (version 109+).

Remote Help capabilities and requirements on macOS

  • Use Remote Help with unenrolled devices: This option is disabled by default. You can choose to allow help for devices that aren’t enrolled with Intune.
  • Conditional access: Administrators can now utilize conditional access capability when setting up policies and conditions for Remote Help. For more information on setting up conditional access, go to Set up Conditional Access for Remote Help.
  • Compliance Warnings: Before connecting to a user’s device, the helper sees a non-compliance warning about that device if it’s not compliant with its assigned policies. This warning doesn’t block access but provides transparency about the risk of using sensitive data like administrative credentials during the session.
    • If the user’s device that the helper is trying to connect to isn’t enrolled, the helper sees a prompt that the user’s device is unenrolled.
  • Chat functionality: Remote Help includes enhanced chat that maintains a continuous thread of all messages. This chat supports special characters and other languages including Chinese and Arabic. For more information on languages supported, see Languages Supported.

Firewall Requirements

| Domain/Name | Description |
|---|---|
| *.support.services.microsoft.com | Primary endpoint for the remote help application |
| *.resources.lync.com | Required for the Skype framework used by remote help |
| *.infra.lync.com | Required for the Skype framework used by remote help |
| *.latest-swx.cdn.skype.com | Required for the Skype framework used by remote help |
| *.login.microsoft.com | Required for logging in to the application (Microsoft Entra). Might not be available in preview in all markets or for all localisations. |
| *.channelwebsdks.azureedge.net | Used for chat services within remote help |
| *.aria.microsoft.com | Used for accessibility features within the app |
| *.api.support.microsoft.com | API access for remote help |
| *.vortex.data.microsoft.com | Used for diagnostic data |
| *.channelservices.microsoft.com | Required for chat services within remote help |

Note: Remote help communicates over port 443 (HTTPS) and connects to the Remote Assistance Service at https://remoteassistance.support.services.microsoft.com by using the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2.

Enablement Steps

1. Log into the Microsoft Endpoint Manager admin center:
   Navigate to Tenant administration > Remote help > Settings. Click Configure. Switch the “Enable Remote Help” setting to Enabled.

2. Use Remote Help with Unenrolled Devices (Optional):
   By default, Remote Help is disabled for unenrolled devices. You can choose to allow help for devices that aren’t enrolled with Intune by switching the “Allow Remote Help to unenrolled devices” setting to Allowed.

3. Deploy Remote Help in Intune:
   You can download the latest version of the Intune Remote help app directly from Microsoft at aka.ms/downloadremotehelp. Once downloaded, rename the file to remotehelpinstaller.exe, and launch the Win32 content prep tool and package the .exe ready for deployment.
   When uploading to Intune, ensure you complete the following steps:
     • For Install command line, specify remotehelpinstaller.exe /quiet acceptTerms=1
     • For Uninstall command line, specify remotehelpinstaller.exe /uninstall /quiet acceptTerms=1
     • To disable automatic updates, use the install command remotehelpinstaller.exe /quiet acceptTerms=1 enableAutoUpdates=0

4. Role-Based Access Control (RBAC):
   Remote Help uses Intune role-based access controls (RBAC) to set the level of access a helper is allowed. Through RBAC, you determine which users can provide help and the level of help they can provide. To protect the privacy of users who may be using the sharer device, helpers should use the minimum level of privilege required to remotely assist the device. Only request an Unattended session if you know that there’s no user at the sharer device to accept the remote help session.
   The following Intune RBAC permissions manage the use of the Remote Help app. Set each to Yes to grant the permission:
   Category: Remote Help app
     • Elevation: Yes/No
     • View screen: Yes/No
     • Take full control: Yes/No
     • Unattended Control: Yes/No
   Category: Remote Tasks
     • Offer remote assistance: Yes/No

By default, the built-in Help Desk Operator role sets all of these permissions to Yes. You can use the built-in role or create custom roles to grant only the remote tasks and Remote Help app permissions that you want different groups of users to have.

Enablement via PowerShell and Graph

Remote Help can also be enabled using PowerShell and Microsoft Graph. The example PowerShell script below enables Remote Help, allows unenrolled devices to receive assistance, and creates an Intune role containing all relevant Remote Help RBAC permissions.

```powershell
# Sign in to Microsoft Graph. This scope list is much broader than the two
# deviceManagement requests below use (it also asks for directory, domain and
# Conditional Access write access); trim it before running against production.
Connect-MgGraph -Scopes RoleAssignmentSchedule.ReadWrite.Directory, Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All, Policy.ReadWrite.ConditionalAccess, DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, openid, profile, email, offline_access, Policy.ReadWrite.PermissionGrant, RoleManagement.ReadWrite.Directory, Policy.ReadWrite.DeviceConfiguration, DeviceLocalCredential.Read.All, DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementServiceConfig.ReadWrite.All, Policy.Read.All, DeviceManagementRBAC.ReadWrite.All

# Name and description of the custom Intune role to create
$rolename = "Remote Help Admins"
$roledescription = "Access to Remote Help"

# Tenant-wide Remote Help settings endpoint
$enableuri = "https://graph.microsoft.com/beta/deviceManagement/remoteAssistanceSettings"

# Enable Remote Help, keep chat available, and allow sessions to unenrolled
# devices (the portal default for unenrolled devices is disabled)
$json = @"
{
    "allowSessionsToUnenrolledDevices": true,
    "blockChat": false,
    "remoteAssistanceState": "enabled"
}
"@

Invoke-MgGraphRequest -Method PATCH -Uri $enableuri -Body $json -ContentType "application/json"

# Intune role definitions endpoint
$roleurl = "https://graph.microsoft.com/beta/deviceManagement/roleDefinitions"

# Role body granting every Remote Help app permission listed above
$rolejson = @"
{
    "description": "$roledescription",
    "displayName": "$rolename",
    "id": "",
    "rolePermissions": [
        {
            "resourceActions": [
                {
                    "allowedResourceActions": [
                        "Microsoft.Intune_RemoteAssitanceApp_ViewScreen",
                        "Microsoft.Intune_RemoteAssitanceApp_Elevation",
                        "Microsoft.Intune_RemoteAssitanceApp_Unattended",
                        "Microsoft.Intune_RemoteAssitanceApp_TakeFullControl"
                    ]
                }
            ]
        }
    ],
    "roleScopeTagIds": [
        "0"
    ]
}
"@

# Create the role
Invoke-MgGraphRequest -Method POST -Uri $roleurl -Body $rolejson -ContentType "application/json"
```
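
The script above grants every Remote Help permission and opens sessions to unenrolled devices, while the RBAC guidance asks for the minimum privilege needed. The following added example (not part of the original page or of Microsoft's tooling) reviews a settings object and a list of role definitions and reports anything beyond view-only access. The function name `Get-RemoteHelpFinding`, the "Remote Help Viewers" role and the sample JSON are constructed for illustration; the property names and permission strings are the ones used in the script above.

```powershell
# Added example (not from the original page). Sample data below is constructed.
function Get-RemoteHelpFinding {
    param(
        [Parameter(Mandatory)] $Settings,          # remoteAssistanceSettings object
        [Parameter(Mandatory)] [object[]] $Roles   # Intune role definition objects
    )
    # Permissions that go beyond viewing the sharer's screen
    $highRisk = 'Elevation', 'Unattended', 'TakeFullControl' |
        ForEach-Object { "Microsoft.Intune_RemoteAssitanceApp_$_" }

    # Tenant setting: the page notes unenrolled devices are disallowed by default
    if ($Settings.remoteAssistanceState -eq 'enabled' -and
        $Settings.allowSessionsToUnenrolledDevices) {
        [pscustomobject]@{ Scope = 'Tenant'; Finding = 'Sessions to unenrolled devices allowed' }
    }
    foreach ($role in $Roles) {
        # Flatten every allowed action across the role's permission blocks
        $granted = @($role.rolePermissions.resourceActions.allowedResourceActions)
        $risky = @($granted | Where-Object { $_ -in $highRisk })
        if ($risky.Count -gt 0) {
            [pscustomobject]@{
                Scope   = "Role '$($role.displayName)'"
                Finding = 'Grants ' + (($risky -replace '^.*_', '') -join ', ')
            }
        }
    }
}

# Constructed sample input mirroring the request bodies used on this page
$settings = '{"allowSessionsToUnenrolledDevices": true, "remoteAssistanceState": "enabled"}' |
    ConvertFrom-Json
$roles = @'
[
  { "displayName": "Remote Help Admins",
    "rolePermissions": [ { "resourceActions": [ { "allowedResourceActions": [
      "Microsoft.Intune_RemoteAssitanceApp_ViewScreen",
      "Microsoft.Intune_RemoteAssitanceApp_Elevation",
      "Microsoft.Intune_RemoteAssitanceApp_Unattended",
      "Microsoft.Intune_RemoteAssitanceApp_TakeFullControl" ] } ] } ] },
  { "displayName": "Remote Help Viewers (constructed)",
    "rolePermissions": [ { "resourceActions": [ { "allowedResourceActions": [
      "Microsoft.Intune_RemoteAssitanceApp_ViewScreen" ] } ] } ] }
]
'@ | ConvertFrom-Json

Get-RemoteHelpFinding -Settings $settings -Roles $roles | Format-Table -AutoSize
```

To review a real tenant, pass in the objects returned by GET requests to the same two beta endpoints (for example with `Invoke-MgGraphRequest -OutputType PSObject`); that the role list response carries `rolePermissions` in this shape is an assumption of this example.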

Helper/Sharer Experience

1. First open
   When first opening the application, the helper/sharer may be prompted to sign in to the application. If Seamless SSO is enabled, this will not apply.

2. Privacy Notice
   The helper/sharer will be prompted to accept a privacy notice, allowing for the sharing of information to the helper/sharer they will be helping or receiving help from.
   The information shared is as follows:
     • First and Last name
     • First name and first initial of last name
     • Email Address
     • Profile Picture
     • Company Name (if applicable)
     • Company Domain (if applicable)
     • Job Title
   This is followed by a recommendation to close any unnecessary apps and files.

3. Get/Give help
   Once signed in and the privacy notice accepted, the helper/sharer will be able to get/give help. This screen will also provide the device name, in order for the admin to investigate the device in the Intune portal prior to connecting if necessary.

4. Connect Helper to Sharer
   Once both helper and sharer have Remote Help open, the helper should select “Get a security code” and share this with the sharer.

5. Take full control or View Screen
   Once the sharer has submitted the security code from the helper, the helper will receive information about the sharer. They will also be given the choice to “Take full control”, or “View screen”. Once a choice has been made, the choice will be presented to the sharer in order to accept the choice.

6. Device compliance warning
   Should the device the helper is connecting to not be compliant in Microsoft Intune, a warning will be displayed prior to showing the desktop.
   “The device you are connected to is not compliant with your organization’s security policies. Please be cautious when entering or accessing sensitive information as the device may be compromised.”
   There is also a link which will take you to the Microsoft Intune Center, where you can then review the device’s compliance state. You can also choose to leave the session, or continue.