Evaluate privacy, permission, and compliance considerations

Remote Help is a support capability, and it must be used without exposing users or devices to unnecessary risk. Privacy controls, role-based access, and compliance reviews help keep Remote Help sessions secure, transparent, and aligned with organizational policy.

Protect user privacy in every session

Remote Help is designed so the user remains aware of the support interaction. The helper and the sharer both sign in with organizational Microsoft Entra ID accounts, and Remote Help shows identity information such as name, company, verified domain, and job title before the session continues.

A session can be started from the Remote Help app or, for supported enrolled devices, from the Microsoft Intune admin center. In a code-based session, the helper provides the security code to the user. The user then reviews the helper's identity and chooses whether to allow screen sharing or full control, or decline the request.

Because the session is interactive, the user can end it at any time. This makes Remote Help different from broad administrative tools because access is visible to the user and tied to an approved support session.

Apply least-privileged permissions for support staff

Support agents should have only the Remote Help permissions they need. In Microsoft Intune, assign helpdesk roles or custom role-based access control (RBAC) permissions that let an agent connect to devices without giving broad administration rights.

Check these permission principles:

  • Limit the agent's scope to the device groups they support.
  • Allow screen sharing and full control only when they are required for the task.
  • Use separate roles for viewing sessions and performing elevated actions.

This approach reduces the chance that a helper can make changes outside the intended support scenario. It also makes audit trails easier to interpret because each session maps to a narrower set of permitted actions.

Control elevation and session behavior

Remote Help can support elevated actions on Windows when the helper has the required Remote Help elevation permission. Elevation allows the helper to interact with User Account Control prompts on the sharer's device and perform actions that require administrative privileges.

Elevation should be treated as a privileged support capability. It shouldn't be granted to every helper by default. Organizations should define when elevation is allowed, which support roles can use it, and when an issue should be escalated instead of handled during the same session.

Use these session controls to protect the environment:

  • Require explicit user consent for screen sharing and full control.
  • Grant elevation only to support roles that need it.
  • Disable unattended access for normal user support workflows.
  • Limit Remote Help use on devices with sensitive data or stricter security requirements.
  • Review support activity regularly to detect unusual access patterns.

Align Remote Help with compliance and audit requirements

Remote Help is part of your endpoint support process, so it should be covered by the same compliance checks as other device management activities. That means reviewing session logs, device compliance states, and access decisions regularly.

Key compliance checks include:

  • Verifying the helper and sharer identities in session reports.
  • Confirming that the assisted device was within the helper's support scope.
  • Reviewing whether the session used view-only or full control.
  • Checking whether denied or failed sessions indicate missing permissions, device issues, or policy restrictions.
  • Comparing Remote Help activity with device compliance and support ticket records.

Remote Help session details are useful when you need to show that support actions followed policy and that user privacy was respected.
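
The compliance checks listed above can be run as a repeatable review over exported session data. The following is an added example, not Microsoft's code or the Remote Help report schema: the CSV column names, accounts, devices, scope table, and ticket list are all constructed for illustration, and it assumes the organization keeps its own record of helper scope and ticketed sessions.

```python
import csv
import io

# Constructed sample export. Column names are hypothetical, not the real report schema.
SESSIONS_CSV = """session_id,helper,sharer,device,mode,elevated,status
S1,alice@contoso.example,bob@contoso.example,LAPTOP-01,view,no,completed
S2,alice@contoso.example,carol@contoso.example,FIN-07,full_control,no,completed
S3,dave@contoso.example,erin@contoso.example,LAPTOP-02,full_control,yes,completed
S4,dave@contoso.example,frank@contoso.example,LAPTOP-03,view,no,denied
S5,guest@other.example,bob@contoso.example,LAPTOP-01,view,no,completed
"""
# Constructed policy inputs that the organization would maintain itself.
ORG_DOMAIN = "contoso.example"
HELPER_SCOPE = {"alice@contoso.example": {"LAPTOP-01", "LAPTOP-02"},
                "dave@contoso.example": {"LAPTOP-02", "LAPTOP-03"}}
FULL_CONTROL_HELPERS = {"dave@contoso.example"}
ELEVATION_HELPERS = set()  # no helper is approved for elevation in this sample
TICKETED_SESSIONS = {"S1", "S2", "S4"}  # sessions with a matching support ticket


def review_sessions(csv_text):
    """Return {session_id: [findings]} for sessions that need follow-up."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        helper, device = row["helper"], row["device"]
        for who in (helper, row["sharer"]):
            if not who.endswith("@" + ORG_DOMAIN):
                issues.append(f"identity outside {ORG_DOMAIN}: {who}")
        if device not in HELPER_SCOPE.get(helper, set()):
            issues.append(f"device {device} outside helper scope")
        if row["mode"] == "full_control" and helper not in FULL_CONTROL_HELPERS:
            issues.append("full control by helper without that permission")
        if row["elevated"] == "yes" and helper not in ELEVATION_HELPERS:
            issues.append("elevation by helper without that permission")
        if row["status"] != "completed":
            issues.append(f"session {row['status']}: check permissions, device, policy")
        if row["session_id"] not in TICKETED_SESSIONS:
            issues.append("no matching support ticket")
        if issues:
            findings[row["session_id"]] = issues
    return findings


if __name__ == "__main__":
    for sid, issues in review_sessions(SESSIONS_CSV).items():
        print(sid, "->", "; ".join(issues))
```

Sessions with no findings are omitted from the result, so the output is the list a reviewer needs to follow up on.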

Review privacy and permission settings as part of support operations

Make privacy and permissions reviews a regular part of support operations. Remote Help policies and role assignments should continue to match the organization's support model, regulatory requirements, and device risk profile.

A recurring review should cover:

  • Who can provide Remote Help.
  • Which users and device groups can receive help.
  • Whether full control and elevation are still appropriate for each role.
  • Whether unenrolled device support is allowed or should be restricted.
  • How session metadata is reviewed and who can access it.

Remote Help stores a limited amount of session data, such as session start and end time, who helped whom, the assisted device, and features used during the session. It doesn't store session recordings, screen images, or keystrokes, and this session data is retained for up to 30 days.