Print - Remote Assistance in the Corporation

Providing phone support to a user who has limited computer skills not only frustrates both parties but also is much less efficient than being onsite with the user. In response to the cries of support staff and end users alike, Microsoft includes Remote Assistance, a remote control tool for troubleshooting and support, in Windows XP.

Remote Assistance uses Microsoft's proven Windows 2000 Server Terminal Services technology to provide what amounts to a Terminal Services session between a support professional's computer and an end user's computer. Through a Remote Assistance session, a support technician can see exactly what's happening on the user's screen and can even remotely control the user's computer. Despite some features that target home users, Remote Assistance is a usable, secure solution for corporate Help desks and support staff, especially when coupled with Group Policy in an Active Directory (AD) environment.

Remote Assistance has some similarities to XP's Remote Desktop feature, but you shouldn't confuse the two. Both features use Terminal Services technology, but Remote Desktop concentrates on increasing productivity by providing access to a session on a Windows system (e.g., accessing files and applications on your work computer from your home computer), whereas Remote Assistance lets a support person chat with a user and view and control the user's system with the intent of resolving a problem. For a description of Remote Desktop's unique capabilities, see "What's Remote Desktop?" May 2002, http://www.winnetmag.com, InstantDoc ID 24539.

Establishing a Session
That Remote Assistance seems geared toward home users is most apparent when you look at the methods available for initiating a Remote Assistance session. The Remote Assistance links within XP's Help and Support Center provide three options for inviting help.

The first option, Use Windows Messenger, can be a good way for a home user to establish a support session with a friend, assuming that both parties have Windows Messenger accounts. However, this method relies on Windows Messenger for user authentication and doesn't let the user specify a password for the Remote Assistance session.

The second option, or use email, lets you send a request for assistance through your Simple Messaging API (MAPI)—compliant email client. Attached to the email message is a file that has the extension .MsRcIncident. This attachment, known as an invitation file, is an XML file that, when executed by the target user, launches Windows Help and Support, which in turn starts Remote Assistance to initiate the support session to the requester's computer.

The third option, Save invitation as a file (Advanced), lets users save the invitation file and transfer it to the target user through another method, such as an Internet-based mail application or removable media. Both the second and third options let you specify a password so that unintended recipients of the invitation don't have an open door to the end user's system.

The invitation file alone doesn't give the recipient (aka the helper) explicit permission to connect to and control the requesting user's system. The requesting user can always grant or deny the initial connection and, after the connection is made, allow or deny the helper's request to take control of the system.

Although the typical methods for requesting and providing assistance might suit the needs of small companies and home users, most corporate IT organizations will want to tighten the reins a bit. You can modify Remote Assistance settings on individual machines, but using Group Policy in an AD environment provides more control as well as easier administration. For further security, you can also configure your corporate firewall to minimize Remote Assistance—related security risks.

Configuring Remote Assistance
You can configure Remote Assistance through the System Properties dialog box's Remote tab. To let a user request help from someone, select the Allow Remote Assistance invitations to be sent from this computer check box on the user's workstation. Clicking Advanced presents the Remote Assistance Settings dialog box, which Figure 1 shows. If you clear the Allow this computer to be controlled remotely check box, you can restrict Remote Assistance sessions to view-only mode. To shorten the window of opportunity for unscrupulous invitation interceptors, you can limit the amount of time an invitation is active.

Group Policy also lets you specify users in your organization who can offer Remote Assistance without receiving an invitation. Group Policy's Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance setting lets you set the same options that you can set on the Remote tab of the System Properties dialog box. The wording and method of selecting view-only or remote control mode differ slightly from that on the Remote tab, but the results are identical.

The Computer Configuration\Administrative Templates\System\Remote Assistance\Offer Remote Assistance setting presents functionality that's available only through Group Policy. The Offer Remote Assistance setting lets you authorize users to initiate a session without having received an invitation. When setting the Offer Remote Assistance properties, which Figure 2 shows, you should specify Allow helpers to remotely control the computer unless you want to allow view-only mode. You also need to specify who within your organization can initiate Remote Assistance offers. To specify those users, first click Show, then use the Domain\User or Domain\Group syntax to add entries to the list of helpers. You won't get a chance to verify that the information you entered is accurate, so double-check each name before you add it to the helpers list.

Offering Remote Assistance
After support professionals are added to the helpers list on designated computers, they can initiate a Remote Assistance session provided that both their system and the end user's system are running XP and that both the support professional and the end user are members of the same domain or of domains that have a trust relationship. The typical method of offering a Remote Assistance session is as follows:

Click Start, Help and Support.
Click the Tools link, then select the Offer Remote Assistance tool in the left-hand pane.
In the right-hand pane, click Connect, select the name of the user you want to assist from the drop-down list, then click Start Remote Assistance.

The session will proceed just as if it were initiated by a user invitation.

If you expect to offer Remote Assistance frequently, you might want to use a more streamlined method of creating the offer. Create a shortcut that has as its target the URL hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/unsolicited/unsolicitedrcui.htm. Clicking this shortcut launches the Help and Support Center and displays the pane that lets you specify the machine to connect to. You can distribute this shortcut to support professionals in your organization.

Firewalls and Remote Assistance
Because Terminal Services technology uses RDP for communication between systems, port 3389 must be open on your firewall. You can provide an extra measure of security by blocking outbound traffic on port 3389 so that users won't be able to use Remote Assistance to communicate with systems outside the firewall.

Using Network Address Translation (NAT) with Remote Assistance is a complex topic that's outside the scope of this article. For information about the behavior of Remote Assistance in various firewall and NAT environments, see the Microsoft article "Supported Connection Scenarios for Remote Assistance" (http://support.microsoft.com/?kbid=301529).

Working Around Limitations
If you're using Remote Assistance in a corporate scenario, you'd ideally like to limit or disable users' ability to solicit Remote Assistance help from unauthorized people. Unfortunately, disabling Solicited Remote Assistance also disables the ability to accept offered Remote Assistance. Until Microsoft addresses this inconsistency, the only way to work around this problem is through user training. After you create an infrastructure through which your support professionals can initiate Remote Assistance, train end users to use that infrastructure rather than sending invitations for Assistance. If you must rely on the invitation model, require your users to use strong passwords with reasonable expiration times on invitations and establish a consistent method for everyone in your organization to use for invitation delivery.

I get the following error when offering RA on a pc I know I've enabled RA for myself on: "Access to the requested resource has been disabled by your adminstrator"

Remote Assistant is not working properly if your behind a non pnp firewall cause it's not only opening port 3389 as Microsoft claims but also a high port between 30.000 and 40.000.

create a shortcut with this target to launch it without first opening internet explorer: %windir%\PCHealth\HelpCtr\Binaries\helpctr.exe /url hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/unsolicited/unsolicitedrcui.htm

Was this error finalised? If so, what is the response? I'm getting the same error. I get the following error when offering RA on a pc I know I've enabled RA for myself on: "Access to the requested resource has been disabled by your adminstrator"

Miriam and Jim, Did you use Group Policy to configure Remote Assistance? The article states "The Computer Configuration\Administrative Templates\System\Remote Assistance\Offer Remote Assistance setting presents functionality that's available only through Group Policy". You can use Local Policy to configure this if you aren't using company-wide Group Policy.

Same error here. No solution yet. I'm trying this feature for weeks now. I've created a hugh document on this issue, read every newsgroup post, forums, kb, technet, google, etc... No answer. I do know that Service Pack 2 will change some structure to RA, but I doubt the above problem gets a adequate solution.

The reason why you guys get this error message is that group policy has to be applied to the TARGET machine not to the computer that you are trying to send "Remote Assistance" request from. If you set "Offer Remote Assistance" (Solicited Remote Assistance can be left alone) to "enable" in Group Policy of TARGET computer it will work just fine. Don't forget to close and open again "Offer Remote Assistance" Wizard in Help and Support Center after you have made changes to group policy, otherwise it's not going to work.

I finally found the solution after weeks for the error in the topic starter. With an un-solicited you first need to start the sessmgr.exe. You can do this by settings the services "Remote Desktop Help Session Manager" to Automatic. And if you would like to keep your existing logon session, please start it manually after changing the Startup Type. Wooo Haaa! (Al Pacino)

Did anyone find a solution for this. We also want to use Remote Assistance, and it seems to be working on some systems but not others. I'm pushing the change out using a company-wide GPO, so it should work for everyone. I'm baffled.

I created a template for windows 2000 DCs to apply this to XP desktops with GP. Works great!!!

I get the "offer Remote Assistance" windows, but when I try to connect to a PC of my LAN I get the error: "The Remote Server Computer doesn't exist or is not available" But I'm sure the PC exists, and I tried both with PC name and IP... any idea of what can be? Thanks...

I have had it working in an NT4 Domain using local policies. However since I removed my normal logon from the Domain Admins group, I can no longer offer remote assistance. Is there a way round this?

I can't get this working guys....any ideas? I've set the local policy on the target machine, I've got domain admin priveleges and added it to the "helpers" list in the local policy, and I don't see any service relating to "Remote Desktop Help Session Manager"...what's the deal with this? Thanks

First: Please consider the many factors which allow Remote Assistance to function properly. Remote LAN and WAN must be providing DHCP forwarding, WINS/DNS must be accurately reconciled, GPO must have Remote Assistance enabled, and that "Trusted" or allowed user must be the person "Assisting" the trusted domain machine

can anybody give a link that I can place on a user's desktop that will send a remote assistance invitation directly to me (at an e-mail address) without going through the help menu. thanks

I got it working, by enabling remote desktop help session manager, it also took about a day for the group policy to kick in company wide.

If you need to disable requensting remote assistance but don't want to disable offering remote assistance just edit rcscreen1.htm to display "NOT ALLOWED" or something like that