Monday, 8 June 2026

You have Intune Remote Help already, you might as well use it

You may remember the surprise announcement late last year that Microsoft would unify the key capabilities of endpoint management by adding the components of the Intune Suite to the Microsoft 365 E3 and Microsoft 365 E5 SKUs. These advanced Intune capabilities include Remote Help, which will be included in Microsoft Enterprise Mobility and Security E3 (EMS E3) and therefore Microsoft 365 E3. We believe that this change will be rolled out starting in July 2026.

I have already implemented Remote Help for a number of enterprise and SMB customers and I’m confident that this licensing change will prompt many other customers to move from third-party solutions with a view to reducing costs.

What does Remote Help give to your organization?

  • Deliver simple, cloud-connected, and secure assistance to workers anywhere, anytime. 
  • Secure screen sharing and full control of Windows, macOS and Android (Zebra and Samsung) so that helpers (administrators) can support sharers (end users).
  • Role Based Access Control (RBAC); helpers do not need to have excessive permissions on Intune or the devices.
  • Ability to monitor Remote Help sessions; every session is logged with details like helper name, sharer name, device name and length of session.
  • Allows helpers to enter UAC credentials when prompted on the sharer's device for elevated permissions.
  • Enhanced chat in multiple languages.

What are the advantages of Remote Help over other third-party tools?

  • Remote sessions can be launched natively from the Intune admin center by selecting a device.
  • Intune can be integrated with ServiceNow to show a real time list of ServiceNow incidents for a user from the Troubleshooting pane. Remote sessions can be launched from there. 
  • Zero Trust enforcement; uses Microsoft Entra authentication and can be protected with Conditional Access. For example, you can require multifactor authentication (MFA) for helpers or restrict access to specific locations or compliant devices.
  • Compliance checks and warnings; helpers can see a noncompliance warning before connecting to a non-compliant device.
  • You can choose to limit remote sessions to Intune enrolled devices only (although you can allow unenrolled devices also).
  • Remote sessions are restricted to your tenant only. This is useful for privacy reasons, especially in Europe, where there are GDPR restrictions. 
  • The data from Remote Help sessions can be combined with Endpoint Analytics to identify common issues.

It won’t hurt to try it out in advance of the licensing changes.

From the Microsoft Intune admin center, navigate to Tenant administration > Intune add-ons. Click View details for Remote Help and this will connect you to the Microsoft 365 admin center where you can request a trial.

Click Start free trial for 250 Remote Help licenses to be added to your tenant for 90 days. You can then assign the licenses to users. Remember that both the helper and sharer need a Remote Help license.


Enable Remote Help

This operation is carried out at the tenant level. In the Microsoft Intune admin center, navigate to Tenant administration > Remote Help. On the Settings tab, click Configure.

  • Set Enable Remote Help to Enabled to allow the use of Remote Help. By default, this setting is disabled.
  • Set Allow Remote Help to unenrolled devices to Enabled if you want to allow this option. By default, this setting is disabled.
  • Set Disable chat to Yes to remove the chat functionality in the Remote Help app. By default, chat is enabled and this setting is set to No.


RBAC and permissions

It is recommended to enforce least privilege and grant the minimum Remote Help permissions for each support role. The Help Desk Operator role already contains the necessary permissions to use Remote Help. However, consider using a custom role to be more granular with the permissions. In the Microsoft Intune admin center, navigate to Tenant administration > Roles. Click Create and choose Intune role.

Select the permissions for the Remote Help app only.

  • View screen allows the helper to view the sharer’s device when Remote Help is enabled.
  • For Android devices, Unattended control will start Remote Help as soon as the helper selects a new session, without a sharer having to grant access. At the time of writing, Unattended control is not yet supported for Windows, where it would be useful for managing kiosks.
  • Take full control allows the helper to control the sharer’s device when Remote Help is enabled.
  • Elevation allows the helper to enter UAC credentials when prompted on the sharer’s Windows device.

The custom role can be assigned to Admin Groups (Entra groups containing the helpers) and targeted at Scope Groups (Entra groups containing the sharers; this can also be All Users or All devices).


Remote Help app

Windows

Download the Remote Help app for Windows. At under 8MB, it’s very lightweight. It must be installed on the helper’s device and any device where support is to be offered. There are a few ways to deploy this app.

  • Install manually; requires local administrator permissions and is not sustainable.
  • Add Remote Help to Intune as an Enterprise App Catalog app and assign to your users or devices. There is a cost associated with this method.
  • Deploy Remote Help as a Win32 app. The following parameters can be used.
    • Install command line, specify remotehelpinstaller.exe /quiet acceptTerms=1
    • Uninstall command line, specify remotehelpinstaller.exe /uninstall /quiet acceptTerms=1
    • Detection Path, specify C:\Program Files\Remote Help
    • Detection File or folder, specify RemoteHelp.exe

macOS

Download the Remote Help app for macOS. It can be automatically deployed to your estate of Intune enrolled macOS devices.

Web App

In situations where the sharer needs assistance but is unable to install the full client application for Windows or macOS, the sharer can use the Web App to share their screen to a helper. This web app provides view only capabilities to the helper.

Android

Remote Help app for Android is available on the Google Play store for installation on Zebra and Samsung devices.


The Remote Help experience on Windows

I have two users in my lab. Fred is the helper and Joe is the sharer. Both have Windows 11 devices with the Remote Help app installed.


Fred’s device is on the left in the screenshot. He navigates to Joe’s device in the Intune admin center and chooses New remote assistance session.

The New remote assistance session blade opens, and Fred selects Remote Help > Continue.

Joe receives a Remote Help notification that Fred is available to help him. He is invited to Open Remote Help.

Fred is also invited to Open Remote Help.

The Remote Help app launches on Fred’s device, and he can see that Joe is ready for support. Fred can choose to Take full control or View screen. For now, he chooses View Screen.

Joe gets a notification to Allow the remote help session.

The remote help session is established and Fred can see Joe’s screen.


 
Fred and Joe can chat during the session.

Fred can Request control. Joe gets a notification to Allow.

Now Fred can control Joe’s device. Joe can Cancel control at any time.

Fred can elevate his permissions on Joe’s device by entering administrator credentials at the UAC prompt.

Note that I had to create and deploy an Intune configuration policy so that Fred could see the UAC prompt on Joe’s device.

Settings catalog > Local Policies Security Options > User Account Control Allow UI Access Applications To Prompt For Elevation > enabled (allow UIAccess applications to prompt for elevation without using the secure desktop).
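To confirm that this policy has landed on a sharer's device, the UAC values can be read back from the registry. The script below is an added example, not part of the original post; it assumes the Settings catalog item is backed by the `EnableUIADesktopToggle` value under the standard UAC policy key, and the function name `Get-UacRemoteHelpState` is illustrative.

```powershell
# Added example (not from the original post): report the UAC values that decide
# whether a Remote Help helper can see and answer an elevation prompt.
# Assumption: the Settings catalog item above is backed by EnableUIADesktopToggle.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacRemoteHelpState {
    param([string]$Path = $UacKey)

    # Windows defaults that apply when a value is absent from the key.
    $defaults = [ordered]@{
        PromptOnSecureDesktop  = 1   # elevation prompts are shown on the secure desktop
        EnableUIADesktopToggle = 0   # UIAccess apps may not move the prompt off it
    }

    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $state = [ordered]@{}
    foreach ($name in $defaults.Keys) {
        $state[$name] = if ($props -and $null -ne $props.$name) { [int]$props.$name } else { $defaults[$name] }
    }

    # The helper sees the prompt when UIAccess apps may leave the secure desktop,
    # or when the secure desktop is off for every prompt (broader than Remote Help needs).
    $state['HelperCanSeePrompt']     = ($state.EnableUIADesktopToggle -eq 1) -or ($state.PromptOnSecureDesktop -eq 0)
    $state['SecureDesktopOffForAll'] = ($state.PromptOnSecureDesktop -eq 0)
    [pscustomobject]$state
}

$result = Get-UacRemoteHelpState
$result | Format-List

# Exit codes follow the Intune Remediations detection convention:
# 0 = as intended, 1 = needs attention.
if (-not $result.HelperCanSeePrompt -or $result.SecureDesktopOffForAll) { exit 1 }
exit 0
```

Run as a Remediations detection script, this flags devices where the policy has not applied and devices where the secure desktop has been switched off for all prompts rather than only for UIAccess applications.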


The Remote Help experience on macOS

Fred is still the helper and Joe is the sharer. Fred is using his Windows 11 device and Joe wants to share his MacBook with Fred for assistance, although the MacBook is not enrolled in Intune. This time we will use the web app, which supports screen sharing but not full control. If full control is needed, then you have to use the full macOS client application.


 
Fred browses to https://aka.ms/rhh and signs in. Note that rhh = Remote Help helper. 

The long format is https://remotehelp.microsoft.com/helper

A Security code is generated which Fred shares with Joe. 

On the MacBook, Joe browses to https://aka.ms/rh and signs in. Note that this time rh = Remote Help.

The long format is https://remotehelp.microsoft.com/sharer

Joe must accept the privacy terms by clicking OK.

Joe enters the security code and selects Share screen.


 
Fred is notified that Joe is ready and clicks Screen sharing to start the session.

Joe sees Fred’s session request and clicks Allow to continue.

Fred gets a compliance warning to say that the MacBook is not enrolled in Intune. He can Leave or choose to continue by clicking OK.


Finally, Joe can choose which screen to share. He clicks Share screen.


Joe has shared his MacBook screen with Fred for assistance. 

I hope that this blog post has been useful to explore the functionality and configuration of Intune Remote Help.

Until next time……

Saturday, 3 January 2026

My first look at Intune Agents (part3)

This is the third in a series of blog posts about Intune Agents. Intune Agents (also known as Security Copilot agents) are AI-powered assistants, available in the Intune Admin Center, that enhance enterprise security. They automate tasks for endpoint protection, identity management, threat intelligence, and device configuration, and they help IT teams quickly address vulnerabilities, policy gaps, and emerging threats.

The first post in the series introduced Security Copilot and SCUs, and then took a closer look at the Change Review Agent. The second post concentrated on the Device Offboarding Agent. In this post I'll be looking at the Policy Configuration Agent, arguably the most useful of the Intune Agents. It helps IT admins to translate complex requirements and industry standard documents into actionable Intune settings. You give the agent an input that has your policy requirements. It can be a document you upload or direct text input. In this way, admins can quickly generate Intune settings catalog policies.

Set up the agent as follows.

In the Intune admin center, select Agents > Policy Configuration Agent > View details

In Overview, select Set up agent.


The Set up Policy Configuration Agent pane lists the required permissions to set up the agent, and provides more information about the setup requirements. Select Set up agent.


When it completes, the agent is ready to use.


I want to add a document to give some context to the agent. I do this by selecting Create New > Knowledge source. My first thought would be that it would be really cool to be able to add a CIS benchmark baseline here.


I entered a Knowledge Source name and description. However this first attempt at adding a Knowledge Source failed. The CIS benchmark is a 7MB PDF. It was then that I noticed that only .txt files up to 100KB are supported. I believe that this is under review. 

Also there is an error in the UI which then refers to 2KB being the maximum. 


For demo purposes I copied the first few pages from the CIS benchmark into a .txt file and I could create a Knowledge Source with the following instructions.

Ensure 'Enforce password history' is set to '24 or more password(s)'
Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'
Ensure 'Minimum password age' is set to '1 or more day(s)'
Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'
Ensure 'Network access: Remotely accessible registry paths' is configured
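Rather than copying pages by hand, the recommendation titles can be pulled out of a text export of the benchmark and trimmed to the size limit. The script below is an added example, not part of the original post or of the product; the function name, the sample text, and reading 100KB as 100 × 1024 bytes of UTF-8 are assumptions.

```powershell
# Added example (not from the original post): build a Knowledge Source .txt from
# benchmark text by keeping only the "Ensure '...'" recommendation titles.
# Assumption: the 100KB limit means 100 * 1024 bytes of UTF-8 text.
function ConvertTo-KnowledgeSourceText {
    param(
        [Parameter(Mandatory)][string[]]$Line,
        [int]$MaxBytes = 100KB
    )
    $utf8    = [System.Text.Encoding]::UTF8
    $seen    = New-Object 'System.Collections.Generic.HashSet[string]'
    $kept    = New-Object 'System.Collections.Generic.List[string]'
    $size    = 0
    $skipped = 0

    foreach ($raw in $Line) {
        # Keep the title only; section numbers and profile tags before it are dropped.
        if ($raw -match "(Ensure '.+)$") {
            # Strip table-of-contents dot leaders and page numbers, then de-duplicate.
            $title = ($Matches[1] -replace '\s*\.{3,}\s*\d*\s*$', '').Trim()
            if (-not $seen.Add($title)) { continue }

            $cost = $utf8.GetByteCount($title) + 2   # +2 for the CRLF line ending
            if ($size + $cost -gt $MaxBytes) { $skipped++; continue }
            $kept.Add($title)
            $size += $cost
        }
    }
    [pscustomobject]@{ Lines = $kept.ToArray(); Bytes = $size; Skipped = $skipped }
}

# Constructed sample shaped like a text export; the titles are the ones used in this post.
$sample = @'
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' ..... 31
1.1.2 (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' ..... 34
Page 31
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'
Description text that is not a recommendation title.
1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'
'@ -split "`r?`n"

$ks = ConvertTo-KnowledgeSourceText -Line $sample
"{0} titles, {1} bytes, {2} skipped for size" -f $ks.Lines.Count, $ks.Bytes, $ks.Skipped

# Write without a byte-order mark so the file size matches the byte count above.
$path = Join-Path $PWD.Path 'cis-knowledge-source.txt'
$text = ($ks.Lines -join "`r`n") + "`r`n"
[System.IO.File]::WriteAllText($path, $text, (New-Object System.Text.UTF8Encoding $false))
```

A non-zero skipped count means the source holds more titles than fit in one file, so the remainder would need a second Knowledge Source.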

Select Review to continue.


The agent has provided suggested next steps. Click on the Suggestion.


We are provided with a Document Analysis Summary.


Scrolling down we can see the proposed settings. I've reviewed them and I'm happy that is what I want.


Next step is to create a Policy Draft.


Enter a name and refer to the CIS benchmark Knowledge source. Under Instructions, I've asked the agent to create a configuration policy with these settings.


The agent generates a suggested Policy Draft. Click on the draft.


The agent shows us the suggested policy settings. Click on Create configuration profile.


We can see the policy settings. Click Next.


The configuration profile has been created, based on the Settings catalog. Assign the configuration profile to a group as required.

I can also just use natural language to generate a configuration policy without the need for a knowledge source. 


In this case I just need a Policy Draft.


Enter a name and description but do not select a knowledge source. Under Instructions, I've asked the agent to generate a policy to set the local timezone on Windows devices to GMT. This is a standard request.


The agent has provided a suggested draft. Click on the draft.


We can see the policy summary.


Scroll down to see the specific settings. Click Create configuration policy.


Looks good. This is exactly the setting I would configure if I was doing this manually. Continue to create the policy and assign to a group.

I hope you are finding these posts helpful to see how useful the Intune agents can be. Currently there are three available (in Preview), but more will surely follow. My next post in this series will explore how we can find and use additional agents.

Until next time....






Wednesday, 17 December 2025

My first look at Intune Agents (part2)

This is a continuation of the blog post I published last week. In that post I had my first look at Intune Agents and looked more closely at the Change Review Agent. This time I'll be looking at the Device Offboarding Agent. This agent identifies stale devices across Intune and Entra ID, provides actionable insights, and offboards stale devices for you.

Some things to know:

  • To run an Agent, you will need sufficient Security Compute Units (SCUs) in the tenant, as per the previous blog post.
  • The agent supports Windows, iOS/iPadOS, macOS, Android, and Linux devices.
  • The agent supports both corporate-owned and BYOD scenarios.
  • At this time, the agent doesn't support:
    • Hybrid Entra-joined Windows devices
    • Windows Autopilot devices
    • Shared devices
    • Microsoft Teams Phones
  • Once the Agent has been configured, it can be run by a Read Only Operator (Intune) and Security Reader (Entra).
  • The agent identifies devices that were retired, wiped, or deleted from Intune within the last 30 days.
  • The agent limits results to the first 10,000 devices.

Ok, so let's get started. Navigate to Agents in the Intune Admin Center.


Click View details for the Device Offboarding Agent.


Click to Run the Agent.


You are told that re-running the agent clears previous suggestions and recommendations. Click Run to start the job.


The Agent finishes and I have a result. This is my test lab where I have created a stale device for demonstration purposes. I can see Suggested next steps and one device affected. Click on Remove Windows Corporate devices.


We are presented with a Summary and associated factors. The Summary tells us that "there is one corporate Windows device that is no longer in Intune but is in other portals. This device should be removed". It would be better if I had more devices in the report but that is still pretty cool.

We also get a recommended action plan of six actions. 

Action 1: Download affected device list.
Click Download CSV


The CSV file contains the Entra device ID(s) of the stale devices.


Action 2: Back up BitLocker recovery keys
We are presented with the recommended steps to back up BitLocker recovery keys (outside the scope of the agent).


Action 3: Back up Local Admin Password Solution
We are presented with the recommended steps to export LAPS passwords (outside the scope of the agent).


Action 4: Remove devices from the Defender portal
We are presented with the recommended steps to remove devices from the Defender portal (outside the scope of the agent).


Action 5: Remove devices from Autopilot
We are presented with the recommended steps to remove devices from Autopilot (outside the scope of the agent).


Action 6: Disable devices in Microsoft Entra
The last action allows us to disable the stale devices in Microsoft Entra. Click on Disable devices.


We have to confirm that we want to Disable the devices. This action removes all the stale devices from Entra ID.


We can now see this under the Suggestions tab. These are not retained when the Agent is run again.


Note that you have to manually change the Status tab to Completed.

I hope you find this useful. Until next time......

See my follow up post