To successfully perform active Remote Assistance via MSRA using an IP address, several specific conditions must be met. You've already made some good progress by enabling Remote Assistance via Group Policy and configuring the firewall, but you still need to check more below:
1. Enable “Offer Remote Assistance” in Group Policy (GPO)
Check at:
Computer Configuration > Administrative Templates > System > Remote Assistance
Enable the following:
- Offer Remote Assistance
- Set to “Enabled”
- Add the user/group account(s) who are allowed to offer assistance (e.g., Domain\Admins)
- Choose either:
- Allow helpers to only view the computer, or
- Allow helpers to remotely control the computer
2. Allow Remote Assistance in Windows Firewall
Even if MSRA is excluded, this part is critical.
On the client machine (the one receiving assistance): Make sure the following inbound rules are enabled:
- Remote Assistance (TCP-In) – on port 3389
- Remote Desktop – Remote Assistance Mode (TCP-In)
- Check via PowerShell (on the target machine):
Get-NetFirewallRule | Where-Object {$_.DisplayName -like "*Remote Assistance*"} | Format-Table DisplayName, Enabled
- If needed, enable them:
Enable-NetFirewallRule -DisplayName "Remote Assistance (TCP-In)"
Enable-NetFirewallRule -DisplayName "Remote Desktop - Remote Assistance Mode (TCP-In)"
3. Remote Registry Service Must Be Running
MSRA uses the Remote Registry service to connect via IP.
- On the target machine, run:
Set-Service -Name RemoteRegistry -StartupType Automatic
Start-Service -Name RemoteRegistry
4. Network Discovery and File & Printer Sharing Enabled
On the target/client PC, you must enable:
- Network Discovery
- File and Printer Sharing
You can do this via the Control Panel or via PowerShell:
Set-NetFirewallRule -DisplayGroup "Network Discovery" -Enabled True
Set-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Enabled True
5. Target Must Be Online and Resolvable
MSRA via IP does not work well unless:
- DNS name resolution works correctly, OR
- The IP address maps correctly to the machine name (NetBIOS or DNS)
Even though you're trying to use IP directly, MSRA internally still performs name resolution. You can work around it using the hosts file:
192.168.xxx.xxx targetmachine
- Then use:
msra /offerra targetmachine
Using only the IP like
msra /offerra 192.168.xxx.xxx
usually fails unless name resolution can map it correctly.
6. Remote Desktop Services (RDP) Must Be Enabled on Target
Even though you're not using full RDP, Remote Assistance piggybacks on RDP.
Enable RDP:
- Control Panel > System > Remote settings > “Allow Remote Connections to this Computer”
Or via GPO:
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Allow users to connect remotely
7. Helper Account Permissions
The account offering assistance must be:
- Added to the “Offer Remote Assistance” policy (already mentioned above)
- A member of the local administrators group on the target or an allowed helper via GPO
8. No Third-Party Security Blocking the Connection
Some antivirus or endpoint protection systems block MSRA sessions, especially unsolicited ones.
Temporarily disable any security software (like BitDefender, Symantec, etc.) to test.
9. UAC Settings
If the user receiving help is a standard user and UAC is on, the helper must be an administrator, or the session will have limited functionality.
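
The target-side settings from steps 1, 2, 3, 4 and 6 can be read back in one pass, so the state is on record before anything is enabled for a test and can be compared afterwards. This is an added example, not part of the original answer; `Get-MsraPrereqState` and `New-Check` are hypothetical names, and it assumes an elevated PowerShell session on an English-language Windows install (the firewall display names are localized).

```powershell
# Added example: read-only audit for the target machine (elevated PowerShell).
# Get-MsraPrereqState and New-Check are hypothetical names; nothing is modified.
function New-Check($Name, $State, $Ready) {
    [pscustomobject]@{ Check = $Name; State = $State; Ready = [bool]$Ready }
}

function Get-MsraPrereqState {
    # Step 1: value written by the "Offer Remote Assistance" GPO setting
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $pol = Get-ItemProperty -Path $polKey -Name fAllowUnsolicited -ErrorAction SilentlyContinue
    $polState = if ($pol) { "fAllowUnsolicited=$($pol.fAllowUnsolicited)" } else { 'not configured' }
    New-Check 'Offer Remote Assistance policy' $polState ($pol -and $pol.fAllowUnsolicited -eq 1)

    # Step 2: inbound Remote Assistance firewall rules (same name filter as the answer)
    $ra = @(Get-NetFirewallRule | Where-Object {
        $_.DisplayName -like '*Remote Assistance*' -and $_.Direction -eq 'Inbound' })
    $raOn = @($ra | Where-Object { $_.Enabled -eq 'True' })
    New-Check 'Remote Assistance inbound rules' "$($raOn.Count) of $($ra.Count) enabled" ($raOn.Count -gt 0)

    # Step 3: Remote Registry service status and startup type
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    $svcState = if ($svc) { "$($svc.Status), startup $($svc.StartType)" } else { 'service not found' }
    New-Check 'Remote Registry service' $svcState ($svc -and $svc.Status -eq 'Running')

    # Step 4: the two firewall rule groups the answer enables
    foreach ($group in 'Network Discovery', 'File and Printer Sharing') {
        $rules = @(Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue)
        $on = @($rules | Where-Object { $_.Enabled -eq 'True' })
        New-Check "$group rules" "$($on.Count) of $($rules.Count) enabled" ($on.Count -gt 0)
    }

    # Step 6: local RDP setting; connections are allowed when fDenyTSConnections is 0
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $tsState = if ($ts) { "fDenyTSConnections=$($ts.fDenyTSConnections)" } else { 'value not found' }
    New-Check 'Remote Desktop connections' $tsState ($ts -and $ts.fDenyTSConnections -eq 0)
}

Get-MsraPrereqState | Format-Table -AutoSize
```

Saving the output before and after the changes (for example with `Export-Csv`) shows exactly which rules and services were switched on for the test and need to be reviewed afterwards.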