Remote Help

👋 Introduction

Remote Help is a Microsoft cloud-based remote support tool designed for IT teams. It enables support staff (helpers) to securely connect to users’ devices (sharers) using organizational accounts via Microsoft Entra ID, ensuring secure and authenticated sessions.

With Remote Help, you can leverage Intune’s role-based access control (RBAC) to define exactly who can provide support and what level of access they have. This gives organizations granular control over remote assistance, helping maintain security and compliance throughout the support process.

Features

• Support for unenrolled devices: You can enable assistance for users on devices not enrolled in Intune.
• Organization sign-in: To prevent impersonations, both the helper and the person receiving support use Microsoft Entra accounts to verify their identity.
• Compliance warnings: If a device doesn’t meet your organization’s compliance policies, helpers will see a warning before connecting.
• Role-based access control (RBAC): Admins can fine-tune who can provide assistance, the permissions they have on the remote device, and whether users can simply view or take full control.
• Monitor sessions: View real-time and historical reports in the Intune admin center, including who helped whom, which device was involved, session duration, and audit logs.

Limitations

• If you’re helping users on unenrolled devices, the auditing and reporting features are more limited.
• You cannot establish a Remote Help session from one tenant to a user in a different tenant.

✅ Prerequisites

General prerequisites

License

• Remote Help add on license or Intune Suite license for all helpers and sharers

Supported platforms

• Windows 10/11
• Windows 10/11 on ARM64 devices
• Windows 365
• Android
• Android Enterprise dedicated devices (Samsung and Zebra devices)
• macOS 11 - 15
• iOS/iPadOS (works with supported browsers)
• Azure Virtual Desktop
• Linux (not officially supported but works with supported browsers)
• Browser
  • Safari
  • Chrome
  • Edge
  • Firefox

Platform prerequisites

Remote Help on Windows

• Supports enrolled and unenrolled devices.
• Sharer's device must be Intune-enrolled (to remotely start a session).
• Remote Help uses port 443 (HTTPS) to connect to https://remotehelp.microsoft.com via RDP, secured with TLS 1.2.
  (See Microsoft docs for the full list of required network endpoints.)

Remote Help on macOS

No special prerequisites are required.

Remote Help Web App

• Single-Sign-On

Remote Help on Android

• Samsung devices (Android Enterprise Dedicated)
• Zebra devices (Android Enterprise Dedicated)

📊 Data and 🔒 privacy

Microsoft logs minimal session data to monitor Remote Help health, this includes:

• Session times: When a session starts and ends (retained for 30 days).
• Session details: Includes the identities of the helper and sharer, and the device involved (retained for 30 days).
• Errors: Issues like disconnections are logged on the sharer's device in Event Viewer.
• Features used: Actions performed during the session, such as view-only mode or elevation requests (retained for 30 days).

Remote Help logs session details locally in Windows Event Logs for both helper and sharer.
Microsoft cannot access session content or see actions or keystrokes.

Both the helper and sharer see these details from each other's organizational profiles:

• Profile picture (if you have one)
• Company name
• Verified domain
• First and last name
• Job title

INFO

Microsoft stores nothing longer then 30 days.

🧑‍🔧 Configuration

Tenant Config

To configure Remote Help in your tenant (for any supported platform), follow these steps:

Turn on Remote Help

1. Sign in to the Microsoft Intune admin center and head to Tenant administration → Remote Help.
2. Select the Settings tab.
   1. Enable Remote Help
   2. Choose whether to allow users to receive help on unenrolled devices, then set this option to Allowed if desired.
   3. Choose whether to allow helpers and sharers to chat with each other during a session, then set this option to No if desired.

Set up permissions for Remote Help

Remote Help uses Intune’s role-based access controls (RBAC) to decide who can help and what they’re allowed to do.

The Help Desk Operator Role gives you all permissions for a remote help session.

Here are the main permissions you can configure for Remote Help sessions:

	Category: Remote Help app Elevation View screen Unattended control Take full control
	Category: Remote tasks Offer remote assistance

NOTE

Some permissions are dependent on others. When you enable a setting, related permissions are automatically granted:

• Enabling Take full control also enables View screen.
• Enabling Elevation also enables both Take full control and View screen.
• Enabling Unattended control automatically grants all other permissions.

The default Help Desk Operator role comes pre-configured with all necessary Remote Help permissions enabled. You can assign this role as-is, or create custom roles to tailor permissions for different support scenarios. For more details on configuring RBAC, see Role-based access control.

Assign users to roles

To grant helpers the necessary permissions, assign them to the appropriate role:

1. Sign in to the Microsoft Intune admin center and navigate to Tenant administration → Roles and select a role.
2. Now open Assignments, then click Assign to create a new role assignment.
3. On the Basics page, enter a name and description and click Next.
4. On the Admin Groups page, select your helper group and click Next.
5. Now enter a Scope tag if you want and then create the Assignment.

App deployment

You can either deploy the App through Intune or install it directly on the target machines.

To install it manuall you can download the latest version of Remote Help directly from Microsoft or your can install it with Winget.

Winget install Microsoft.RemoteHelp

To deploy the app through Intune, you have two main options:

• Download and package: Download the installer, package it as an INTUNEWIN file, and deploy it as a Win32 app via Intune.
• Universal App deployment (no packaging): Use my Universal App deployment method to install the app directly with Winget, without the need for packaging.

If you choose the INTUNEWIN method, use the following information for deployment:

# Install command
remotehelpinstaller.exe /quiet acceptTerms=1 enableAutoUpdates=1

# Uninstall command
remotehelpinstaller.exe /uninstall /quiet acceptTerms=1

detection Rule

• For Rule type, select File
• For Path, specify C:\Program Files\Remote Help
• For File or folder, specify RemoteHelp.exe
• For Detection method, select String (version)
• For Operator, select Greater than or equal to
• For Value, enter the Remote Help version to deploy (e.g., 10.0.22467.1000).
• Leave Associated with a 32-bit app on 64-bit clients set to No

WebApp

Sharer: https://aka.ms/rh	Remote Helper: https://aka.ms/rhh

Macos

If you have a MacOS Client you can download the latest version of Remote Help directly from Microsoft.

iOS

To use Remote Help on iOS, install the Intune App or access the Web App using a supported browser.

Android

To use Remote Help on Android Enterprise devices, install the Intune App or access the Web App using a supported browser.

Additionally, ensure that screen capture is allowed in your Android device policies.

For Zebra devices: Configure Zebra OEMConfig as described in the Microsoft documentation.

Conditional Access

To control Remote Help with conditional access you need to create a Service Principal using the Remote Assistance Service AppId.

New-MgServicePrincipal -AppId "1dee7b72-b80d-4e56-933d-8b6b04f9a3e2"

⌨️ Usage

To start a remote session you can either start the app yourself and exchange a security code with the enduser or you can start a session directly trough Intune. Then the security code is already taken care of by Intune.

If you want to start a remote session right from Intune, just open the Intune Admin portal, head to Devices, pick the device you want to help, and hit New remote assistance session.

A flyout will appear, and a notification is sent to the end user. When the user clicks the toast notification, Remote Help launches automatically and waits for you to initiate the session, no code exchange required. If the end user has already started Remote Help, the flyout updates to show a green checkmark next to Launch Remote Help. You can then proceed directly to step 4.

To start a remote session without Intune, use the following instructions.

1. The user first need to sign in to the Remote Help Client or has SSO active.

2. Next the helper clicks the Get security code button and then has 10 Minutes time to give this code to a sharer (Enuser that needs help).
3. The sharer takes the security code from the helper and puts it into the appropriate box in the Remote Help Client.

Helper view	Sharer view

4. Now the sharer sees a waiting screen while the Helper is choosing if he wants to Take full control or View screen.

Security Check

Before the helper can take control or view the screen, both parties will see each other's organizational details (name, company, domain, etc.) to confirm identities and prevent impersonation. This step ensures that only authorized helpers from your organization can provide assistance.

Helper view	Sharer view

5. Once the helper has selected their desired action, the sharer receives a pop-up window displaying the helper’s account details and the requested action (view screen or take control). The sharer can then choose to allow or decline the connection.

Information

If you do not have the required RBAC permissions in Intune to act as a helper, a notification window will appear informing you that you lack the necessary permissions to provide remote assistance.

6. The sharer now just sees a simple bar at the top where he can stop the session with X or start a Chat 💬.

7. The helper has a view tools in his bar to direct the session.
   • Request Control
   • Admin Session 🖥️
   • Laser pointer 📍
   • On-Screen Pen 🖊️
   • Fullscreen 🪟
   • Chat 💬
   • Restart machine ↩️ (only in admin mode)
   • Task manager 📟 (only in admin mode)
   • Leave

8. If the helper requests control, the sharer gets the request in his Remote Help bar, where he can Allow or Deny.

9. If you need to start an elevated window during a Remote Help session, the UAC prompt will appear on the secure desktop by default. This means your session view will go black and display a ⏸️ symbol, as you cannot see the secure desktop until an Admin Session is enabled.

Helper view	Sharer view

10. If the helper to enter credentials or have access to the UAC prompt, you can activate an Admin Session.

11. Once the Admin Session is enabled, if a UAC prompt appears, the helper will be able to view and interact with the elevated windows directly.

Helper view	Sharer view

IMPORTANT

While the Admin Session is enabled you will see a warning message reminding you of closing all elevated windows before leaving the session.

If the session is closed by the sharer while an admin session is still active, the user will be signed out immediately. This ensures that all elevated windows are closed, protecting admin credentials.

12. When the session gets ended by either side, all parties will see a coresponding message.

Helper view	Sharer view

🔍 Monitoring

You can keep an eye on how Remote Help is being used right from the Intune admin center.

1. Sign in to the Microsoft Intune admin center and go to Tenant admin → Remote Help.
2. On the Monitor tab, you’ll see active sessions and some history about past sessions.

3. On the Remote Help sessions tab, you’ll find details about past sessions.

Information

• For Android Enterprise Dedicated devices, you’ll see “--” for Recipient ID and Recipient name since these devices don’t have user affinity.
• Reporting is more limited for unenrolled devices.

💡 Conclusion

Remote Help makes it easy for IT teams to support users securely and efficiently, right from Microsoft Intune. 🚀 With Entra ID sign-in, RBAC, and session auditing, you can be confident that support sessions stay safe and compliant. Whether you’re helping users on Windows, Mac, Android or even unenrolled devices, Remote Help has you covered. 💻 📱

🔧 ✅ Microsoft continues to improve Remote Help, so you’ll see even more capabilities over time. Recent updates have included support for additional platforms, enhanced security features, and improved integration with Intune and Microsoft Entra ID. Stay tuned for new features such as expanded unattended access, deeper reporting, and broader device compatibility as Microsoft responds to customer feedback and evolving IT needs.

If your organisation uses Microsoft tools, Remote Help could be a practical choice for modern endpoint support. 🤝 It's still not quite on par with other remote control solutions, but it makes great strides and its integration into the Microsoft environment gives it a huge advantage.