Remote help: a new remote assistance tool from Microsoft

Published Nov 02 2021 08:00 AM 48.4K Views
Microsoft

Today we are announcing the plan to roll out the public preview of a new remote help capability in Microsoft Endpoint Manager.

March 2020 was the last time many people worked at their company's physical office buildings. The global pandemic began and the world of work changed overnight as organizations scrambled to try and keep their workforces productive and their businesses running. The pandemic reshaped the way we work as organizations struggled to support remote workers and had to quickly find solutions to help employees manage technical issues on their devices from afar rather than onsite.

To ensure helpdesks continue to improve their levels of support, we are pleased to announce the public preview of a new remote help capability in Microsoft Endpoint Manager. This new cloud-based remote assistance solution will empower helpdesks to more securely support users of Windows devices.

Eighteen months into the workforce changes brought by the pandemic, we continue to see increasing cybersecurity vulnerabilities, as the number of personal and company-owned devices continues to grow. We've also seen continued employee frustration when unresolved technical issues lower productivity and support is not simply onsite. Organizations need to ensure that their helpdesk associates can securely provide remote assistance to users, no matter where they are. Remote help allows helpdesk associates to view or control employees' Windows devices so they can quickly troubleshoot and resolve technical issues, wherever the employee is working from.

We have developed new advanced endpoint management capabilities to meet the need for secure, connected experiences for IT administrators, helpdesk associates and Windows users on enrolled and unenrolled devices. Specifically, we will introduce four new capabilities for remote help:

  • Role-based access control (RBAC) and permissions: to define who is authorized to support which user or groups of users.
  • Elevation: to help Administrators determine if helpdesk associates can use local administrative privileges to troubleshoot an employees' device, or if elevation of the task permissions is required.
  • Compliance warnings: to help protect the organization from security risks, alerts are displayed to the helpdesk associate if a device is out of compliance and may introduce a security risk to the organization.
  • Reporting: to identify recurring issues and potentially suspicious activity.

Enable remote help in the Microsoft Endpoint Manager console for enrolled and unenrolled devicesEnable remote help in the Microsoft Endpoint Manager console for enrolled and unenrolled devices

Just right, just-in-time permissions

When we release role-based access controls for remote help in Microsoft Endpoint Manager, administrators can set parameters and define the actions that may be taken during a remote help session based on the helpdesk associate's role. Permissions can be set by administrators in Microsoft Endpoint Manager to limit the sessions to view-only, allow the associate to take full control of a user's device, or have the right to enter administrative credentials to perform specific actions (known as elevation).

Configure remote help role permissionsConfigure remote help role permissions

The new remote help capabilities will also enable administrators to set up tiers of helpdesk associates, and then determine which tier of associates can help which group of users. For example, if an organization has three tiers of helpdesk support, with RBAC the administrator can assign view-only permissions to tier 1 support, tier 2 can have full control permissions, and tier 3 could have the permissions required to elevate using their alternate local administrator credentials on the end user's device. For larger organizations with more detailed requirements, the RBAC capabilities can be set based on additional group parameters such as department or user work groups. For example, IT administrators can limit the tier 1 helpdesk group to help all groups except the finance department.

Add a custom role from Endpoint ManagerAdd a custom role from Endpoint Manager

Another example of elevation is helping to install the right software or drivers remotely for an employees' enhanced work from home set-up. When employees moved to remote work, many added additional peripherals such as printers, wireless mice, or keyboards to help their productivity. However, many organizations have endpoint policies that require local administrator privileges to add software or drivers to corporate devices (to limit support costs, address app license liability or lower the risks of malware). When a user is blocked from adding software or peripherals to their work devices based on these policies, they need their helpdesk or IT assistance. With remote help, the helpdesk associate can be granted permission to elevate: enter their local administrator credentials during a connected session (even if the end user needing help doesn't have administrator rights) and install software or drivers remotely.

Admin sees User Access Control promptAdmin sees User Access Control prompt

Checkpoints and controls to establish trust

Microsoft Endpoint Manager also has features to establish trust between helpdesk associates and users. As a session is being established, there are multiple checkpoints to ensure that the helpdesk associate is connected to the correct user and vice versa. Users are able to verify that they are giving access to a trusted helpdesk associate by seeing more information about that associate, such as a picture, name, company, job title and domain. The checkpoint works in the opposite direction too, so helpdesk associates can see the profile of the user they are helping. This information helps the user verify that they are giving control to the intended helpdesk associate. At any point, the user or the helpdesk associate can end the session.

Initiating new remote help sessions is flexible and easy.

Sessions can be initiated from the new remote help Windows app. To establish a secure connection, the helpdesk associate generates a code from the app and shares the code with the user. The user is then prompted to grant permission to establish a secure connection with the helpdesk associate.

Verifying the identity of the help desk associate and Windows user establishes trustVerifying the identity of the help desk associate and Windows user establishes trust

A remote helpdesk session can also be initiated by a helpdesk associate or IT administrator with RBAC permissions in Endpoint Manager. This way, administrators can take immediate action to bring a device into compliance. For example, if the organization requires hard drives to be encrypted, they can establish a remote help session with the user and remotely enable BitLocker to encrypt the hard drive.

Start a remote assistance session from the device menu in the Microsoft Endpoint Manager consoleStart a remote assistance session from the device menu in the Microsoft Endpoint Manager console

Warnings and reports to discover key issues

To ensure caution when dealing with non-compliant devices, when a helpdesk associate initiates a connection to a device that is not compliant with the organizations' policies, the helpdesk associate will see a warning suggesting they proceed with caution. For the duration of the remote help session, there is also a banner that will remind the helpdesk associate to exercise caution.

To help with governance, administrators can run a report covering all the remote help sessions. Reports can be created and analyzed by which helpdesk worker helped which user, on which device, and when the session started and ended for a set time period, with all data retained for 30 days. For example, reports could show if there are multiple sessions on the same device, and thus a potential technical issue with the endpoint. Reports could also help track helpdesk usage or look for suspicious activity.

Public preview and beyond

Remote help in Microsoft Endpoint Manager offers helpdesks the controls and flexibility they need to provide secure and simple remote assistance for Windows users. In doing so, it helps keep employees productive and less frustrated as they continue to work from home, at least some of the time.

We will be rolling out the remote help functionality as a preview in Endpoint Manager in the coming weeks* so customers can try the feature and provide us with feedback. When we roll out this functionality for general availability early in 2022, we intend to offer remote help as an advanced endpoint management add-on at a price above the existing licensing options that include Microsoft Endpoint Manager or Microsoft Intune. More information will be forthcoming when we finalize our pricing plans.

Microsoft Endpoint Manager information banner about future licensing for remote helpMicrosoft Endpoint Manager information banner about future licensing for remote help

In the meantime, please join us to learn more about Endpoint Manager at Microsoft Ignite 2021. We're offering an on-demand technical session to help you learn more about remote help in Endpoint Manager.

You can also let us know about your Endpoint Manager and remote help for Windows experiences through comments on this blog post or reach out to @IntuneSuppTeam on Twitter. Tweet your feedback about Microsoft Endpoint using the hashtag #MEMpowered. If you're interested in ongoing developments on Endpoint Manager, we invite you to follow the Microsoft Endpoint Manager Blog and @MSIntune on Twitter.

Update 29/11/21: The rollout of the public preview* has started.  To learn more about how to try this experience, please visit our documentation page: Remotely assist users that are authenticated by your organization. | Microsoft Docs .


*Remote help may not be available in all markets in the initial public preview.

 

61 Comments
Co-Authors
Version history
Last update:
‎Nov 29 2021 01:25 PM
Updated by: