Secure remote help can be powerful but may not be cheap
As companies went remote at the start of the COVID-19 pandemic, it quickly became obvious that enterprise VPNs aren’t effective for remote workers, with some organizations having to limit employees to connecting on alternate days to avoid overloading VPN capacity.
Shifting resources that were on the office network to the cloud makes remote access easier and more efficient. But, the traditional remote desktop solutions a lot of organizations rely on for end-user support usually require a VPN, leaving some of those users frustrated by technical issues they need help with.
The remote control built into Microsoft Endpoint Configuration Manager doesn’t work for devices that are themselves remotely connected, for example. It also requires devices to be managed, so it can’t be used to support someone working from home on their own laptop.
Even if staff are in the office, the IT team may not be. There are plenty of remote control tools on the market that are used for support, but they usually have a client-server model, in which the user is running a background service on their PC. This means an attacker might be able to trick them into accepting a connection and allowing a remote control session.
Deploying and managing remote control tools for users isn’t always straightforward, especially if it’s being done remotely as well. Even if there is an official solution, users may install their own remote connection options anyway. And since remote control tools that aren’t centrally managed effectively bypass the enterprise firewall, it can be hard to even know there’s been an intrusion or to track what access was gained.
Quick Assist gets an assist
The Quick Assist tool built into Windows 10 has been a popular option for remote support, with no firewall ports to open, no extra app to deploy and no need to talk users through installing it on their own PC, so there’s no risk of them installing a malicious look-alike app by mistake while setting up the solution themselves. It also includes simple connection security: IT teams give the user a short passcode, so the user knows the remote connection request is trustworthy.
When Microsoft recently replaced the Quick Assist app, it also moved it to the Microsoft Store, which it said would improve app performance and make generating passcodes faster. Although the new version will be pre-installed in the next Windows 11 update, Windows 10 users will still have to install it themselves. This will change in future, but they currently need to have an admin user account to get it, and it’s not yet available for the long-term support releases of Windows 10.
While it can be distributed as an offline app through the Microsoft Store for Business, that only works until the end of Q1 2023, when the business Store will be replaced by the Windows Package Manager, which uses winget and Intune.
Once installed, Quick Assist may be the simplest route for supporting a wide range of users, but larger organizations want more controls for permissions for remote control and more assurance that the right user is talking to legitimate IT support staff and vice versa. For that, Microsoft has a new, though somewhat pricey, service with a granular set of controls integrated into Endpoint Manager.
This uses a new app called Remote Help that’s based on the Quick Assist codebase but adds extra security and permissions management. It’s also more powerful, which means that these extra controls are critical.
Remote Help allows IT staff to assist users remotely
With Quick Assist, if the person helping needs to do something that requires elevated permissions, like opening RegEdit or even installing drivers, they have to wait for the person they’re helping to click the UAC prompt and allow this. And support can’t see what the UAC prompt says, which makes it harder to explain it to users.
The user also has to have a local admin account to be able to elevate, and if sensible security policies have been followed and users have not been given admin accounts, they won’t be able to get elevated privileges even to install the new version of Quick Assist.
With Remote Help, support sees the UAC prompt and can interact with it; that means they can click through themselves if the person they’re helping has local admin or log in with their own account to get elevated privileges for running troubleshooting tools. If a security policy requires having a local admin to install new software or drivers, someone who bought a new printer or keyboard to be more productive in their home office can’t install it themselves; with Remote Help, IT staff can do that for them.
Because they can elevate privileges remotely, you want to be sure the person connecting is who they say they are. Remote Help relies on Azure Active Directory for that, showing the profile photo, company details, job title, email address and other information from Azure AD, so users know they can trust the person helping them, and IT staff know more about who they’re helping, which may be useful for solving their problem.
That means Remote Help can’t be used to support people who aren’t in the organization’s tenant, although it doesn’t require PCs to be enrolled in Intune. Remote Help also supports both cloud and co-managed endpoints as well as Windows 365 Cloud PCs and Azure Virtual Desktop.
Remote Help is supported by Endpoint Manager
Remote Help uses Endpoint Manager’s role-based access controls, so admins can manage permissions to choose who can help which users and what they can do. Groups can be assigned to set tiers of help desk support and to specify which group of users gets different levels of support, scoping help desk roles by department, responsibility, geography or however else the groups are set up.
Use RBAC to set which helpers will only be able to see what’s on screen, who can take full control of the device and who can use their admin credentials to elevate. It’s also recommended to have extra controls in place to protect the devices of users in the finance team who handle sensitive data, for example.
Endpoint Manager integration also means IT staff can track who was involved in each support session, on what device and how long it took, although there are more details about Remote Help sessions on managed devices than on unenrolled PCs. Reporting helps to identify trends, like repeated problems with the same device, a specific PC model or a particular location, that might indicate underlying issues.
As well as having users ask for help through the app, IT staff can also start a Remote Help session straight from Endpoint Manager if they see that a device isn’t in compliance—an unmanaged PC that’s not encrypted or using personal OneDrive rather than OneDrive for Business, for example—or if they see that the user has poor battery life or bad network performance.
And when they connect to a device, there’s a warning if it’s out of compliance, perhaps because it’s behind on Windows Update or Defender is turned off, so they know not to elevate privileges or use troubleshooting tools that might expose sensitive information to an attacker if the PC has been compromised.
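To make the permission model in this section concrete, here is an added example (not Microsoft’s code or Endpoint Manager’s API) that models the three tiers the article describes, view only, full control and elevate, scoped by user group, and combines them with the device compliance state the helper is warned about. All role names, groups and devices are constructed for illustration; Endpoint Manager stores these assignments in its own RBAC and compliance policies, not in a table like this.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Remote Help permission tiers, ordered so higher values imply more access."""
    VIEW = 1          # helper can only see what's on screen
    FULL_CONTROL = 2  # helper can drive the device
    ELEVATE = 3       # helper may enter admin credentials at a UAC prompt


@dataclass(frozen=True)
class RoleAssignment:
    helper: str            # help desk account
    tier: Tier             # highest action this assignment permits
    scope: frozenset       # user groups this assignment applies to


@dataclass(frozen=True)
class Device:
    name: str
    user_group: str        # group of the signed-in user, e.g. "finance"
    compliant: bool        # compliance state reported to Endpoint Manager


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    warning: str = ""      # non-blocking notice shown to the helper


# Constructed sample assignments: alice can elevate for engineering but only
# view finance screens; bob has full control over both groups but never elevates.
ROLES = (
    RoleAssignment("alice", Tier.ELEVATE, frozenset({"engineering"})),
    RoleAssignment("alice", Tier.VIEW, frozenset({"finance"})),
    RoleAssignment("bob", Tier.FULL_CONTROL, frozenset({"engineering", "finance"})),
)

# Constructed sample devices; "eng-stale" is out of compliance.
DEVICES = {
    "eng-laptop": Device("eng-laptop", "engineering", compliant=True),
    "fin-laptop": Device("fin-laptop", "finance", compliant=True),
    "eng-stale": Device("eng-stale", "engineering", compliant=False),
}


def highest_tier(roles, helper: str, device: Device):
    """Return the highest tier any of the helper's assignments grants for this device's group."""
    tiers = [r.tier for r in roles if r.helper == helper and device.user_group in r.scope]
    return max(tiers) if tiers else None


def evaluate(roles, helper: str, device: Device, requested: Tier) -> Decision:
    """Decide whether a helper may perform `requested` on `device`.

    Elevation is refused outright on a non-compliant device; lower tiers are
    allowed but carry the warning the helper sees at connection time.
    """
    granted = highest_tier(roles, helper, device)
    if granted is None:
        return Decision(False, f"{helper} has no role scoped to group '{device.user_group}'")
    if requested > granted:
        return Decision(False, f"role allows {granted.name}, not {requested.name}")
    warning = "" if device.compliant else "device is out of compliance; do not expose admin credentials"
    if requested == Tier.ELEVATE and not device.compliant:
        return Decision(False, "elevation refused on a non-compliant device", warning)
    return Decision(True, "allowed", warning)


if __name__ == "__main__":
    for helper, dev, tier in [("alice", "eng-laptop", Tier.ELEVATE),
                              ("alice", "fin-laptop", Tier.FULL_CONTROL),
                              ("alice", "eng-stale", Tier.ELEVATE),
                              ("bob", "fin-laptop", Tier.ELEVATE),
                              ("carol", "eng-laptop", Tier.VIEW)]:
        d = evaluate(ROLES, helper, DEVICES[dev], tier)
        print(f"{helper:6} {dev:11} {tier.name:13} -> {d.allowed} ({d.reason}) {d.warning}")
```

The ordering of the checks matters: scope is tested before tier so that a helper with broad permissions elsewhere gets no information about devices outside their groups, and compliance is only consulted once the role itself would have permitted the action.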
Remote frustrations remain
There are some things about Remote Help that users may find confusing. For example, if a helper who has permission to elevate privileges has used full control to connect to a user’s PC, both the helper and the user will currently get logged off that PC when the session ends, to make sure any elevated permissions are removed, even if they didn’t actually encounter a UAC prompt or use their credentials for admin tasks. That can mean employees losing work they haven’t saved. Fortunately, this will be changing.
In a future update, helpers will have to confirm they need to interact with UAC prompts, and users will only be logged off after the session if the helper has clicked Yes. Also, when users click to close a Remote Help session in which the helper has elevated privileges, they’ll get a warning that this will log them off to clean up those privileges, and they can leave the session open if they need to save work or finish something they’re working on.
When the person helping is the one who closes the session, the user won’t be logged off, even if the session has been elevated, so help desk staff will have to remember to close any elevated processes they open—the same way they would if they had walked over to someone’s computer to help them.
Even though helpers don’t need users to click through UAC, they do need them to be in front of their PC and to accept the Remote Help session, so it doesn’t support unattended access. Help desk staff may find that frustrating, but it may reassure employees that their personal devices won’t be accessed or updated without them knowing about it just because they use them for work.
Although it’s integrated into Endpoint Manager, Remote Help needs an additional licence ($3.50 per user per month) for both users and help desk staff, as well as an Intune licence (stand-alone or as part of Enterprise Mobility + Security E3/5, Microsoft 365 E3/5, or F3/5). Also, for now, Remote Help only works with Windows 10 and 11, including Windows 365 Cloud PCs, but the app will be available for Android soon. It’s likely to come to other devices and platforms in the future, making Remote Help more competitive with solutions like TeamViewer, but the price will keep it out of range for organizations with a very tight IT budget.