The ‘traditional’ way of using remote assistance is initiated by a user requiring help, where they send an assistance request to a ‘helper’. In practice, I rarely see this method used – most probably due to the effort required on the user’s part to initiate the session. By enabling unsolicited remote assistance, we can initiate the session from the helper’s side – all the user has to do is accept our help offering – a much more seamless experience for them!
As with most Windows configuration, the easiest way to go about enabling it on your domain is via Group Policy. Create a new Group Policy object, named ‘Unsolicited Remote Assistance’. Right click the new Group Policy object and proceed to edit it. The settings we need to enable are located in Computer Configuration/Policies/Administrative Templates/System/Remote Assistance.
Enable Configure Solicited Remote Assistance and set Maximum ticket time (value) to 1hr.
Enable Configure Offer Remote Assistance. Be sure to specify that helpers can control the remote computer, then define which users are permitted to act as helpers. For simplicity, I just add DOMAIN\Domain Admins as helpers. Any user offering help will need to be a local administrator on the system being helped.
By default, Windows Firewall won’t allow these connections, so we’ll add some firewall rules to allow them. In the same GPO, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules.
We will then need to create a few rules:
- Allow program: %systemroot%\system32\sessmgr.exe
- Allow program: %systemroot%\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
- Allow program: %systemroot%\system32\Raserver.exe
- Allow port: TCP 135
The final part of the GPO is related to how UAC prompts are handled. By default, Windows shows them on an alternative desktop (the secure desktop); we need to disable this so that UAC prompts are visible in the remote assistance session. If we fail to do this, whenever a UAC prompt shows we will just see a black screen with a pause icon/symbol on it. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options, then enable the ‘User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop’ policy.
Now that we have completed our GPO for offering remote assistance, it will need linking somewhere appropriate, so that the systems you wish to offer help to receive our updated settings. In my test lab I have a single computers OU, so I’ve linked it there. Once the Group Policy has applied to your systems (reboot or gpupdate /force), you should be good to go ahead and offer assistance.
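To confirm that a client has actually picked up the GPO built above, the following added example (not part of the original post) checks the policy registry values, the helper list, the inbound firewall rules and the UAC setting on the local machine. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets; the registry value names are the ones written by the standard Administrative Templates and are not stated in the post.

```powershell
# Added example: audit what the 'Unsolicited Remote Assistance' GPO should have delivered.
# Run in an elevated PowerShell session on a machine in the linked OU.
$ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy has not applied
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Inbound allow rules actually in effect (local rules plus rules delivered by GPO)
$allowIds = @(Get-NetFirewallRule -PolicyStore ActiveStore |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object InstanceID)
$apps  = @(Get-NetFirewallApplicationFilter -PolicyStore ActiveStore |
    Where-Object { $_.InstanceID -in $allowIds } | ForEach-Object Program)
$ports = @(Get-NetFirewallPortFilter -PolicyStore ActiveStore |
    Where-Object { $_.InstanceID -in $allowIds -and $_.Protocol -eq 'TCP' } |
    ForEach-Object LocalPort)

$results = [ordered]@{
    'Offer Remote Assistance enabled'         = ((Get-RegValue $ts 'fAllowUnsolicited') -eq 1)
    'Helpers may control the computer'        = ((Get-RegValue $ts 'fAllowUnsolicitedFullControl') -eq 1)
    'Solicited Remote Assistance enabled'     = ((Get-RegValue $ts 'fAllowToGetHelp') -eq 1)
    'UIAccess prompts off the secure desktop' = ((Get-RegValue $uac 'EnableUIADesktopToggle') -eq 1)
    'Firewall: TCP 135 inbound'               = ($ports -contains '135')
}
# One check per program rule from the list above; match on the file name so both
# '%systemroot%\...' and expanded paths are recognised
foreach ($exe in 'sessmgr.exe', 'helpsvc.exe', 'raserver.exe') {
    $results["Firewall: $exe inbound"] = [bool]($apps -like "*\$exe")
}

# Accounts and groups the policy lists as permitted helpers
$helperKey = Get-Item -Path "$ts\RAUnsolicit" -ErrorAction SilentlyContinue
$helpers   = if ($helperKey) { $helperKey.GetValueNames() } else { @() }

$results.GetEnumerator() | ForEach-Object {
    '{0,-42} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
"Permitted helpers: $($helpers -join ', ')"
```

The same output is a quick way to find machines where the secure desktop has been bypassed for UIAccess prompts or where the helper list is broader than intended.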
The command to start offering remote assistance is ‘msra.exe /offerra’. You can optionally include a computer name or IP address at the end, so you can tie it into other management systems you may have. Alternatively, you could create shortcuts for those regular customers!