Configure and deploy Remote Help with Microsoft Intune
Remote Help must be enabled, assigned, and deployed before support teams can use it for managed remote assistance. Configuration includes tenant settings, licensing, helper permissions, app deployment, and validation of device readiness.
Remote Help works within the organization's tenant. Helpers and sharers must sign in with organizational Microsoft Entra ID accounts, and cross-tenant Remote Help sessions aren't supported.
Review licensing and prerequisites
Remote Help requires licensing for everyone targeted to use the service, including both helpers and sharers. It also requires a supported platform or device, and Intune-enrolled devices must be registered with Microsoft Entra ID. Remote Help requires a subscription in addition to Microsoft Intune Plan 1 or Plan 2.
Remote Help supports multiple platforms, including Windows, Windows 365, Azure Virtual Desktop, macOS, supported Android Enterprise dedicated devices, and the web app. Platform capabilities differ, so deployment planning should consider whether users need view-only support, full control, elevation, or unattended Android support.
Before deployment, confirm that:
- Remote Help licenses are assigned to helpers and sharers.
- Helpers and sharers are in the same tenant.
- Devices use supported platforms.
- Enrolled devices are registered with Microsoft Entra ID.
- Required network endpoints are reachable.
- Support staff have the required Intune RBAC permissions.
Note
Remote Help can take time to become available after licenses are assigned. New or trial licenses can take from 30 minutes to several hours before sessions recognize that Remote Help is enabled for the tenant.
Enable Remote Help for the tenant
Remote Help is disabled by default. To enable it, open the Microsoft Intune admin center and go to Tenant administration > Remote Help. On the Settings tab, set Enable Remote Help to Enabled, then save the configuration.
The tenant settings also include:
- Allow Remote Help to unenrolled devices: Allows Remote Help sessions for supported unenrolled devices when enabled.
- Disable chat: Removes chat from the Remote Help app when set to Yes.
Allowing unenrolled devices can be useful for some support scenarios, but it gives administrators less device context and more limited auditing. For stronger management visibility, prefer enrolled devices when possible.
Assign Remote Help permissions with Intune RBAC
Remote Help uses Intune role-based access control to define who can provide help and what level of access they can use. The built-in Help Desk Operator role includes the required Remote Help permissions, but custom roles are often better when different support teams need different access levels.
A helper needs Remote Tasks - Offer remote assistance, Remote Assistance Connector - Read, and at least one Remote Help app permission, such as View screen, Take full control, Elevation, or Unattended.
| Permission | Description |
|---|---|
| Remote Help - View screen | Allows the helper to view the sharer's screen without taking control. |
| Remote Help - Take full control | Allows the helper to take full control of the sharer's device. |
| Remote Help - Elevation | Allows the helper to interact with User Account Control prompts on Windows. |
| Remote Help - Unattended | Allows the helper to connect to supported Android Enterprise dedicated devices without requiring the sharer to accept the connection each time. |
| Remote Tasks - Offer remote assistance | Allows the helper to offer remote assistance to users. |
| Remote Assistance Connector - Read | Allows Remote Help to read the tenant Remote Assistance Connector configuration. |
Use least privilege when designing support roles:
- Give first-level support view-only or full-control permissions only when required.
- Restrict elevation to trusted support staff.
- Use unattended access only for supported Android Enterprise dedicated device scenarios.
- Use scope groups so helpers can assist only the users or devices they are responsible for.
- Use custom roles when the built-in role grants more access than needed.
To assign users to the Help Desk Operator role, go to Microsoft Intune admin center > Tenant administration > Roles > select Help Desk Operator > Assignments and add an assignment.
Important
If the sharer or the sharer's device is outside the helper's RBAC scope, the helper can't provide assistance. For unenrolled devices, use user scope groups because the All Devices scope group doesn't include unenrolled devices.
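The permission and scope rules above can be checked against a role design before anyone is assigned to it. This is an added example, not Microsoft's code: it runs over constructed role objects and does not query Intune. The permission names come from the table, while the role names and the `Tier`, `SupportsUnenrolled`, and `UserScopeGroups` properties are hypothetical.

```powershell
# Permission display names come from the table above. Role names, Tier,
# SupportsUnenrolled and UserScopeGroups are hypothetical, constructed for this example.
$Required   = 'Remote Tasks - Offer remote assistance', 'Remote Assistance Connector - Read'
$AppPerms   = 'Remote Help - View screen', 'Remote Help - Take full control',
              'Remote Help - Elevation', 'Remote Help - Unattended'
$Restricted = 'Remote Help - Elevation', 'Remote Help - Unattended'

function Test-RemoteHelpRole {
    param([Parameter(Mandatory, ValueFromPipeline)] $Role)
    process {
        $findings = @()
        # A helper needs both base permissions...
        foreach ($p in $Required) {
            if ($p -notin $Role.Permissions) { $findings += "Missing required permission: $p" }
        }
        # ...and at least one Remote Help app permission.
        $granted = @($AppPerms | Where-Object { $_ -in $Role.Permissions })
        if ($granted.Count -eq 0) { $findings += 'No Remote Help app permission granted' }
        $canHelp = ($findings.Count -eq 0)

        # Least privilege: elevation and unattended access stay out of first-level roles.
        foreach ($p in $granted) {
            if ($Role.Tier -eq 1 -and $p -in $Restricted) {
                $findings += "First-level role grants restricted permission: $p"
            }
        }
        # All Devices does not include unenrolled devices, so a user scope group is needed.
        if ($Role.SupportsUnenrolled -and -not $Role.UserScopeGroups) {
            $findings += 'Supports unenrolled devices but has no user scope group'
        }
        [pscustomobject]@{ Role = $Role.Name; CanHelp = $canHelp; Findings = $findings -join '; ' }
    }
}

# Constructed sample roles
$roles = @(
    [pscustomobject]@{ Name = 'Tier1-ViewOnly'; Tier = 1; SupportsUnenrolled = $false
        UserScopeGroups = @('Sales-Users'); Permissions = $Required + 'Remote Help - View screen' }
    [pscustomobject]@{ Name = 'Tier1-Overbroad'; Tier = 1; SupportsUnenrolled = $true
        UserScopeGroups = @(); Permissions = $Required + $AppPerms }
    [pscustomobject]@{ Name = 'Tier2-Broken'; Tier = 2; SupportsUnenrolled = $false
        UserScopeGroups = @('IT-Users'); Permissions = @('Remote Help - Take full control') }
)
$roles | Test-RemoteHelpRole | Format-List
```

`CanHelp` reports whether a helper in the role could start a session at all; the remaining findings are least-privilege and scope problems in a role that otherwise works.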
Deploy the Remote Help app
The Remote Help app must be installed on devices that use the native Remote Help experience. Administrators can deploy it with Intune, or users can install it themselves if they have permission to install apps. Remote Help can update itself, and newer versions can also be deployed through Intune.
For Windows devices, Remote Help can be deployed as an Enterprise App Catalog app or packaged and deployed as a Win32 app. When using the Win32 app method, package the Remote Help installer as an .intunewin file, configure silent install and uninstall commands, and use a detection rule based on the installed Remote Help executable version.
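The version-based detection rule can also be written as a custom detection script, shown here as an added example that is not part of Microsoft's guidance. Intune treats a Win32 app as detected when the script exits with code 0 and writes to STDOUT. The executable path and minimum version are placeholders to replace with the values for the packaged installer.

```powershell
# PLACEHOLDERS (assumptions, not values from this page): set both to match
# the Remote Help installer that was packaged into the .intunewin file.
$ExePath        = 'C:\PLACEHOLDER\remote-help-executable.exe'
$MinimumVersion = [version]'0.0.0.0'

function Test-RemoteHelpInstalled {
    param(
        [Parameter(Mandatory)] [string]  $Path,
        [Parameter(Mandatory)] [version] $Minimum
    )
    # Not installed: the executable is missing.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }

    # Build the version from the numeric parts; the FileVersion string
    # can carry non-numeric suffixes that do not parse as [version].
    $info  = (Get-Item -LiteralPath $Path).VersionInfo
    $found = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                            $info.FileBuildPart, $info.FilePrivatePart)

    # Use "at least", not "equals": Remote Help can update itself, and an
    # exact match would report the app as missing after a self-update.
    return ($found -ge $Minimum)
}

if (Test-RemoteHelpInstalled -Path $ExePath -Minimum $MinimumVersion) {
    Write-Output 'Remote Help detected'   # STDOUT output plus exit 0 means detected
    exit 0
}
exit 1                                    # non-zero exit means not detected
```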
For macOS, the native Remote Help app can be deployed through Intune as a required app. The native app is needed when full control is required. If only screen sharing is needed, the web app can be used with reduced capabilities.
For Android Enterprise dedicated devices, deploy the Remote Help app from Managed Google Play and assign it as required to the devices that need support. Android deployments might also require app permissions or OEM-specific configuration, such as Samsung Knox or Zebra OEMConfig settings.
Configure platform-specific requirements
Some platforms need additional setup before Remote Help works smoothly.
On Windows, Remote Help requires Microsoft Edge WebView2 Runtime. If WebView2 isn't already installed, the Remote Help installer installs it. Remote launch from Intune also requires the Intune management extension on the sharer's device.
On macOS, users might need to allow privacy permissions for screen sharing and accessibility. Intune can help streamline some of these permissions through a Settings catalog profile.
On Android Enterprise dedicated devices, required permissions must be granted so the Remote Help app can start and display support sessions. Camera permission is required, but Remote Help doesn't store camera input.
For more information about platform-specific requirements and deployment steps, see: