There are scenarios where a user on a corporate managed device needs assistance. That case is covered in a previous blog post titled Enabling Remote Help and Supporting Users with Intune | Microsoft Community Hub. However, some of these users may also need assistance while working on their personal devices, which is also possible with Microsoft Intune and Remote Help.
This blog will focus on what is needed in Intune configuration to support unenrolled devices with Remote Help capability, and possible experiences on the helper side with different configurations in place.
Configuring Remote Help Feature
By default, the Remote Help feature is not allowed to work with unenrolled devices. However, from the Tenant Configuration – Remote Help – Configure task, it is possible to enable Remote Help for unenrolled devices.
Image 1: Remote Help Configuration
If the configuration in the tenant does not allow Remote Help for unenrolled devices, the sharer will see a message stating that the organization does not allow Remote Help to be used on unenrolled devices.
Image 2: Sharer View – Org. does not allow Remote Help on Unenrolled Devices
In this case, Remote Help must be allowed for unenrolled devices in the Intune service. The configuration is done from the Tenant Administration – Remote Help – Settings section, using the “Configure” task.
Image 3: Remote Help Configuration – Allow Remote Help to unenrolled devices
Once Remote Help is configured properly to work with unenrolled devices, the helper will be able to start supporting those users. However, the experience on the helper’s side may differ depending on whether the helper is a global admin or not. Now, let’s take a look at two different scenarios and experiences.
Helper Being a Global Administrator
During configuration of the Remote Help service, we need to scope the operator’s role. Usually the configuration is made to cover “All devices” of the organization. It is also possible to add groups and have different helpers cover different users / devices in the company.
Image 4: Helpdesk Operator Role Assignment – All Devices
Let’s assume a scenario where the helper also holds a global administrator role. In this case, the helper will start the helping process by sharing their Security Code as seen below.
Image 5: Global Admin starts remote help
The user will enter the security code into the Remote Help application on their personal device. Note that the device is a personal unmanaged device.
Image 6: User Enters Security Code
Following the approval process, remote help sharing starts. The only difference from helping a managed device is a warning shown to the helper, highlighting that the device is not enrolled in Microsoft Endpoint Manager and that the helper must be careful while entering sensitive data on the endpoint.
Image 7: Remote Help on Unenrolled Endpoint
This is quite a streamlined experience for a helper who is also a global admin. However, it is a bit different for a helper who is only a Helpdesk Operator. Let’s take a look at that scenario and what needs to be done in order to make it happen.
Helper being a non-Global Administrator
In a more likely scenario where the helper is not a Global Administrator, the helper will see an error message when they initiate a connection.
Image 8: Remote Help Permission Error
The reason behind this issue is that the role assignment is done at the device level, while the device the sharer is using cannot be found in the tenant, because it is an unenrolled device. In order to support this scenario, role assignments for helpdesk operators should be done at the user level. This is detailed in a note in the “Assign users to roles” section of the “Configure Remote Help for your tenant” documentation.
Image 9: Helpdesk Operators Assignment Properties
Once we edit the scope and add the user’s group to the assignment, the helper role will start evaluating users instead of devices, and the helper will be able to access the unenrolled device.
Image 10: Helpdesk Operator Assignment Properties
From the experience perspective, the helper (Atil) shares their security key with the sharer (Yaz Ece); the sharer enters the security key into their Remote Help application and, following the approval procedures, the helper is able to view or control the sharer’s screen.
Image 11: Sharer Experience – Security Code Entry
Since the device is unenrolled and not managed by Microsoft Endpoint Manager, helpers will see a warning message stating that the security of this device is not guaranteed and that caution is needed while entering or accessing sensitive information.
Image 12: Remote Help on Unenrolled Endpoint
Wrap Up
Microsoft Intune Remote Help can be used to support users’ personal devices as needed. To do that, Remote Help must be configured to allow access to unenrolled devices, and the role scope must be set to include users instead of devices, because the “All Devices” security principal does not include unenrolled devices by definition.
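The outcomes walked through above (tenant setting off, Global Administrator helper, device-scoped versus user-scoped Helpdesk Operator assignment) can be written down as a small decision model. This is an added example, not code from the original post or from Microsoft; it is a simplified model of the behaviour the post describes, not Intune's own evaluation logic, and the `Assignment` record, the `helper1` account and the group and assignment names are constructed for illustration.

```python
from dataclasses import dataclass, field

ALL_DEVICES = "All devices"  # the built-in device scope named in the post


@dataclass
class Assignment:
    """Constructed stand-in for a Helpdesk Operator role assignment."""
    name: str
    members: set                                     # helper accounts
    device_scopes: set = field(default_factory=set)  # ALL_DEVICES or device groups
    user_scopes: set = field(default_factory=set)    # user groups


def evaluate(helper, sharer_groups, device_groups, allow_unenrolled,
             assignments, global_admins=frozenset()):
    """Return (allowed, reason). device_groups=None means the sharer's device
    is unenrolled, i.e. it has no device object in the tenant."""
    unenrolled = device_groups is None
    if unenrolled and not allow_unenrolled:
        return False, "tenant setting blocks unenrolled devices"
    if helper in global_admins:
        return True, "helper is a Global Administrator"
    # An unenrolled device matches no device scope, not even "All devices".
    targets = set() if unenrolled else set(device_groups) | {ALL_DEVICES}
    for a in assignments:
        if helper not in a.members:
            continue
        if a.device_scopes & targets:
            return True, f"device scope of {a.name!r}"
        if a.user_scopes & set(sharer_groups):
            return True, f"user scope of {a.name!r}"
    return False, "no assignment scope matches: permission error"


def device_only(assignments):
    """Audit: assignments that can never reach an unenrolled device."""
    return [a.name for a in assignments if not a.user_scopes]


# Constructed sample data: the assignment before and after adding a user group.
BEFORE = [Assignment("Helpdesk - devices", {"helper1"}, {ALL_DEVICES})]
AFTER = [Assignment("Helpdesk - users", {"helper1"}, {ALL_DEVICES}, {"Sales users"})]

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, evaluate("helper1", {"Sales users"}, None, True, rules))
    print("device-only:", device_only(BEFORE + AFTER))
```

Running `device_only` over an exported list of assignments gives a quick list of helper roles that will hit the permission error on personal devices.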
Updated Feb 21, 2025
Version 1.0
AtilGurcan
Microsoft
Core Infrastructure and Security Blog