Help users over the phone with Unsolicited Remote Assistance

For years I’ve used UltraVNC as my remote control system of choice when helping out users over the phone. Unfortunately, I’ve fallen out of love with it since adopting Windows Vista and Windows 7, as performance is sometimes pretty poor and several features just don’t work properly. You get what you pay for, I suppose (UltraVNC is free). It’s also a bit of a pain to deploy via GPO Software Installation, which makes it a headache when you have hundreds of workstations. In particular the mirror driver, which aids performance, is pretty much impossible to deploy in this way.

When deploying my first Windows 7 clients I resolved to find another way, and it turned out to be something I could have used all along: Unsolicited Remote Assistance, which is built-in functionality on Domain-joined workstations.

If you’ve used MSN/Windows Live Messenger much you may have dabbled with the Remote Assistance feature there, and if your experience has been like mine, you’ve profusely sworn at how infrequently it actually works. The Remote Assistance feature for domain networks uses the same system, but with two important differences:

  1. It actually works reliably.
  2. The ‘helper’ (you) can initiate the Remote Assistance session, hence the name Unsolicited Remote Assistance.

The main difference between this and software like VNC is that you cannot initiate an assistance session without the user’s consent. It is therefore not a solution for monitoring student use, or for working on an unattended workstation, but is ideal for helping someone out over the phone.

Enabling Unsolicited Remote Assistance

Setup is very simple and done via group policy: the main settings can be found under Computer Configuration\Administrative Templates\System\Remote Assistance

The most important setting to configure is Offer Remote Assistance, which you should set to Enabled, with the option Allow helpers to remotely control the computer. You then simply specify AD users and groups that are permitted to be the helper. For simplicity’s sake, I use a single dedicated AD group called “Remote Assistance Agents”, and add accounts to that as necessary.


Unless you’ve disabled the client firewall, you’ll need to configure the following policy in order to let the Remote Assistance requests through:

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
Windows Firewall: Allow inbound Remote desktop exceptions

Configure this setting with a list or range of IP addresses that are allowed to connect. Typically you will want to restrict this to the IP addresses used by the IT support team.

Starting an assistance session

I’ll be covering Windows 7 clients in the most detail here, simply because that’s what I’ve been using it with. Vista is almost identical, and the UI for Windows XP is similar, though a little more clumsy.

Step 1: Open Windows Remote Assistance.

You should find this under Maintenance on the Start Menu. Once open, select the second option, “Help someone who has invited you”.

(On XP, you will need to go to Start -> Help and Support, click Tools, then Help and Support Center Tools, then Offer Remote Assistance.)

Step 2: Use the Advanced connection option

For some insane reason, the UI is geared towards consumer use, which in my mind is actually a far less likely scenario. As a result, you’ll find the option you need as a tiny link at the bottom of the page named Advanced connection option for help desk.

If you end up using this feature a lot, you will want to skip these first 2 steps in future. To do so, create a new shortcut to C:\Windows\System32\msra.exe /offerra

Step 3: Specify the computer to connect to

From here it’s simply a case of typing the name of the workstation you want to connect to, or picking from a history list of the last few you connected to.

Step 4: Get the user to consent

On the user’s workstation, they will need to click ‘Yes’ on a dialogue box asking them if they want to be helped by you. My advice is to get them to stop whatever they are doing before you send the request, or they will end up clicking on something and burying the request behind another window, at which point your clueless user will have no idea how to retrieve it. Get past this hurdle, and you’ll have view access to their desktop, at which point you can yell at them if they start fiddling while you send a second request to take control.

Tags: , ,

About The Angry Technician

The Angry Technician is an experienced IT professional in the UK education sector. Normally found in various states of annoyance on his blog. All views are those of his imaginary pet dog, Howard.

21 responses to “Help users over the phone with Unsolicited Remote Assistance”

  1. heekay says :

    awesome tip!

  2. Killer_Bot says :

    I’m currently using something called ‘Skeep VNC’ which acts as a frontend for TightVNC and can deploy it across an AD domain in seconds. You select the station, hit ‘deploy’ wait ten seconds and then remote in.

    Has worked perfect for me and it’s free, user’s don’t get any prompts either so does everything I need it to.

    This looks interesting, may look into it but I prefer sessions where the user isn’t prompted to allow the session.

  3. Dale says :

    What about multiple monitor support? I know that Vista terminal services introduced it, but does msra support it?

    • AngryTechnician says :

      Good question. Currently the only workstation in the school with multiple independent monitors is my own, so I’ll have to set up a second and try assisting myself to see what happens. Watch this space.

  4. Chris says :

    Just tried it. Multiple monitors work fine. Just scales the image or lets you view full size with scroll bars.

  5. Giles says :

    I use GenControl which installs a client remotely , silently and quickly. Or Purgos.

    Only tried with XP.,49202-order,4/reviews.html

  6. Nick says :

    I’m in a Linux shop with E Directory. Not familiar with AD or Domains. Is there some way to get unsolicited remote assistance to work without an AD or a Domain? I actually got it to work, an across subnets. I login as the same user on both machines. Example; I log into my computer (helper with JOEUSER) then I log into user computer with the same username JOEUSER. I set group policy Remote assistance> show and add JOEUSER as helper. Then I changed firewall setting under work policies on Remote assistance DCOM and RAserver from domain to domain, private. Then I could get in. If I could create a single user just for remote assistance on every machine I though it would work. But it doesn’t. Any help?

  7. Gerard Sweeney says :

    Apparently, this shortcut works for XP:

    “%ProgramFiles%\Internet Explorer\iexplore” hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/Unsolicited/Unsolicitedrcui.htm

    I tried it, and it does indeed pop up with the Offer Remote Assistance box.
    I’m unable to test whether it works completely though.

    Any use?

  8. Gerard Sweeney says :

    Oh, and credit where credit is due – I lifted this from

    This site:

    suggests using
    %windir%\explorer.exe “hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,C=US/Remote%20Assistance/Escalation/Unsolicited/Unsolicitedrcui.htm”

    which also brings up the necessary box.

  9. Jake Fraser says :

    It’s not so deployable remotely, but I’d chime in and say LogMeIn Free is an excellent product which includes a client for Android and iPhone handsets and lets you control PCs from anywhere in the world through a browser or optional nominally-chargeable PC client. The Free license is fine for commercial use, and it can be made very secure. Check it out – I introduced to the PR agency I do IT for and it’s made all the difference, particularly with the remote offices in the Middle East and users working from home.

  10. Margaret says :

    Excellent advice so far. But would be correct to say that Windows Firewall: Allow inbound Remote desktop exceptions have to be Allow Desktop exception instead?

    • AngryTechnician says :

      It’s only after you posted this that I realised I didn’t explain that setting at all. I’ve now updated it above to describe what the setting is for.

  11. Luis says :

    I been using the remote assistance for a couple months now. I use to run Dameware and love it. One thing I miss is saving all the ip address and username that way I would not have to look for there name in a list.

    Is there a way I could save the ip address and username like dameware?

    I know it has a history of ip address but they are all numbers.

  12. Mark Scholes says :

    2 points that caught me out: 1. the firewall details have to be done in the new windows 7 firewall settings. 2. I got a distorted screen, apparently due to 1366×768 resolution, solution is ” Computer Configuration -> Policies -> Administrative Templates -> System -> Remote Assistance -> Turn on bandwidth optimization, set to ‘Enabled’ and ‘Full optimization'”, or there’s a hotfix from microsoft:

Trackbacks / Pingbacks

  1. VNC and windows 7 - 28th January, 2010
  2. VNC and windows 7 - 28th September, 2010
  3. Remote support tools on Windows 7 ? (VNC) - Page 2 - 2nd March, 2012
  4. Remote Support Software - 5th February, 2014
%d bloggers like this: