Offering Remote Help in Windows
One of our clients recently asked us to present all their options for Remote Support to their end-users. This organisation, like many others, is always keen to keep costs down and has opted not to use a third-party solution, but instead to leverage existing native tools.
To that end we put together a list of the ways that Remote Support can be achieved.
Skype for Business / Microsoft Teams
Screen sharing with Skype for Business or Teams is by far the easiest way to grab a quick screen share, including the ability to request remote control. However, you can’t interact with any elevated programs, nor provide an administrative logon to run an administrative program.
Both of these products, Skype for Business and Teams, are just not geared for allowing administrative-level access or elevation.
However, for a quick “Hey, can you have a look at this?” it’s certainly very useful; it suits ad-hoc collaboration rather than a genuine IT-professional-to-end-user support offering.
Even consumer Skype has the option to present screen sharing.
Solicited Remote Assistance
Any user can ask for remote assistance via Windows Help and Support, or by searching for Windows Remote Assistance in the Start menu (note: on Windows 10 the easiest way is to search for “help”).
Type “Remote Assistance”
Or type “Help”
Of course, your machine has to be authorised (enabled) to “Allow Remote Assistance connections to this computer”.
Invite someone you trust to help you
You also need your Firewall set to allow Remote Connections.
Choose your option to invite your trusted helper.
Tell your helper the connection password
The person helping would go to remote assistance and click the option to help someone else, after which they get
Once you are connected, you will be able to ask for control, after which you can see what they see and help as needed.
Unsolicited Remote Assistance
Again, use the Remote Assistance option. This feature would normally be locked down in a well-administered environment. Remote Support engineers should be a member of an appropriate AD Security Group such as “[CLIENT]_Workstation_All_Admin_Resource” or “[CLIENT]_Workstation_Standard_Admin_Resource”; members of these groups can offer to help people who haven’t asked for it via Remote Assistance. You will need to start Remote Assistance with your administrative account. To do this, run the file directly: C:\Windows\System32\msra.exe
Choose “Help someone who has invited you”.
Select “Advanced connection option for help desk”.
Enter the IP Address or hostname of the target computer
At the target computer the user sees.
Once accepted then you see
You can Request control, after which the target computer again shows a prompt.
Now you’re fully able to interact with the target computer, including with any administrative elevated tasks. Just remember that running a task on that machine and logging in as an administrator does leave a Kerberos ticket lying around for 10 hours or until that machine is rebooted. You could potentially clear this by running klist purge from a command line or by rebooting the machine when you’re done, or you can accept the risk on the basis that the user doesn’t have anything dodgy that allows them to elevate their permissions by hijacking that ticket.
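klist purge only clears the tickets of the logon session it runs in, so the script below selects the admin account's logon sessions from the output of klist sessions and purges each one by LogonId. It is an added example, not part of the original article; the account name CONTOSO\adm-support, the computer name and the sample output are constructed, and the -Live switch is this script's own parameter.

```powershell
# Added example: purge Kerberos tickets cached for a support admin account.
# Run from an elevated prompt on the target computer; klist.exe ships with Windows.
param(
    [string]$AdminAccount = 'CONTOSO\adm-support',  # hypothetical account name
    [switch]$Live                                    # act on real 'klist sessions' output
)

# Constructed sample of 'klist sessions' output, used unless -Live is given.
$sample = @'
Current LogonId is 0:0x5c1f2
[0] Session 1 0:0x5c1f2 CONTOSO\jsmith Kerberos:Interactive
[1] Session 1 0:0x9a3d10 CONTOSO\adm-support Kerberos:Interactive
[2] Session 0 0:0x3e4 CONTOSO\WKS042$ Negotiate:Service
'@ -split "`r?`n"

function Get-KlistSession {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Line format: [n] Session <id> <high>:<low> <DOMAIN\user> <package>:<logon type>
        if ($line -match '^\[\d+\]\s+Session\s+(\d+)\s+(\w+):(0x[0-9a-fA-F]+)\s+(.+?)\s+(\S+):(\S+)\s*$') {
            [pscustomobject]@{
                Session = [int]$Matches[1]
                High    = $Matches[2]      # high part of the LogonId
                Low     = $Matches[3]      # low part of the LogonId
                Account = $Matches[4]
                Package = $Matches[5]
                Type    = $Matches[6]
            }
        }
    }
}

$lines   = if ($Live) { & klist.exe sessions } else { $sample }
$targets = @(Get-KlistSession -Lines $lines | Where-Object { $_.Account -eq $AdminAccount })

foreach ($s in $targets) {
    Write-Host "Purging tickets for $($s.Account) in logon session $($s.High):$($s.Low)"
    if ($Live) {
        # -lh / -li select the logon session by the high and low parts of its LogonId
        & klist.exe -lh $s.High -li $s.Low purge
    }
}
if ($targets.Count -eq 0) { Write-Host "No logon session found for $AdminAccount" }
```

Without -Live the script only parses the embedded sample and prints which session it would purge, so the matching can be checked before it is run on a real workstation.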
Remote Desktop Connection
The admin’s favourite, “Remote Desktop Connection Manager”, C:\WINDOWS\system32\mstsc.exe. Usually run with the /admin switch.
Again, you should be a member of an Administrator Group that has rights to run Remote Desktop connections, and not be blocked by the policy “Deny interactive Logon”. If you don’t have an account that has local logon rights, but you are using LAPS (Local Administrator Password Solution), then you can use the target computer’s local administrator account and password.
The local admin account is individual to that computer, changed automatically periodically, and can’t be used to run scheduled tasks, services, etc. To get a computer’s local admin password you can look in Active Directory Users and Computers (advanced features enabled and attribute editor tab used) or just run LAPS UI from your Administration servers. You will need to be in the appropriate admin groups to be able to see this information of course.
You can then use the local admin account (machinename\administrator) and the above password to log onto the machine via RDP.
This does log the current user off, so this isn’t a “let’s watch what the user is doing” option; however, it allows resolution of domain-type issues that prevent any domain account from logging on.
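The LAPS lookup described above can also be done from PowerShell, and the password can be set to rotate once the support session is over so that the value you read does not stay valid. This is an added example, not part of the original article; it assumes legacy Microsoft LAPS with its AdmPwd.PS module installed on the administration server, and the function name, the computer name WKS042 and the two-hour window are hypothetical.

```powershell
#Requires -Modules AdmPwd.PS
# Added example: fetch a workstation's LAPS password for an RDP support session
# and schedule its rotation. Assumes legacy Microsoft LAPS (AdmPwd.PS module).

function Get-SupportLapsCredential {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$SessionHours = 2          # hypothetical length of the support window
    )

    $entry = Get-AdmPwdPassword -ComputerName $ComputerName

    # An empty password means LAPS is not applied to this computer, or your
    # account is not in a group allowed to read the password attribute.
    if (-not $entry -or [string]::IsNullOrEmpty($entry.Password)) {
        throw "No LAPS password readable for $ComputerName"
    }

    # A password past its expiry has not been rotated by the client yet.
    if ($entry.ExpirationTimestamp -lt (Get-Date)) {
        Write-Warning "LAPS password for $ComputerName expired $($entry.ExpirationTimestamp)"
    }

    # Move the expiry to the end of the support window; the client changes the
    # password at its next Group Policy refresh after that time.
    $rotateAt = (Get-Date).AddHours($SessionHours)
    Reset-AdmPwdPassword -ComputerName $ComputerName -WhenEffective $rotateAt | Out-Null

    # machinename\administrator is the logon name form used in the article.
    $secure = ConvertTo-SecureString $entry.Password -AsPlainText -Force
    [pscustomobject]@{
        Credential   = New-Object System.Management.Automation.PSCredential(
                           "$ComputerName\administrator", $secure)
        RotatesAfter = $rotateAt
    }
}

# Usage (constructed computer name):
# $c = Get-SupportLapsCredential -ComputerName 'WKS042'
# $c.Credential.GetNetworkCredential().Password   # type this into the RDP prompt
```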
Remote Desktop Connection Manager
Another tool we love is the Microsoft Remote Desktop Connection Manager (https://www.microsoft.com/en-gb/download/details.aspx?id=44989). This little utility gives you the ability to create multiple RDP sessions in one interface. You can group up your Servers and Workstations and have your credentials at the ready. Again, the great thing is that it is free!
I wasn’t going to mention third-party applications, but I call out TeamViewer simply because they have a feature for Remote connections to iOS devices. In today’s remote working world, a lot of users need help with Corporate applications on a mobile device. If you haven’t tried it, give it a shot. It is a wee bit fiddly to get up and running on the device, but if you can get the device broadcasting via its screen recording capability, then you’re in business.