Help users over the phone with Unsolicited Remote Assistance
For years I’ve used UltraVNC as my remote control system of choice when helping out users over the phone. Unfortunately, I’ve fallen out of love with it since adopting Windows Vista and Windows 7, as performance is sometimes pretty poor and several features just don’t work properly. You get what you pay for, I suppose (UltraVNC is free). It’s also a bit of a pain to deploy via GPO Software Installation, which makes it a headache when you have hundreds of workstations. In particular the mirror driver, which aids performance, is pretty much impossible to deploy in this way.
When deploying my first Windows 7 clients I resolved to find another way, and it turned out to be something I could have used all along: Unsolicited Remote Assistance, which is built-in functionality on Domain-joined workstations.
If you’ve used MSN/Windows Live Messenger much you may have dabbled with the Remote Assistance feature there, and if your experience has been like mine, you’ve profusely sworn at how infrequently it actually works. The Remote Assistance feature for domain networks uses the same system, but with two important differences:
- It actually works reliably.
- The ‘helper’ (you) can initiate the Remote Assistance session, hence the name Unsolicited Remote Assistance.
The main difference between this and software like VNC is that you cannot initiate an assistance session without the user’s consent. It is therefore not a solution for monitoring student use, or for working on an unattended workstation, but is ideal for helping someone out over the phone.
Enabling Unsolicited Remote Assistance
Setup is very simple and done via group policy: the main settings can be found under Computer Configuration\Administrative Templates\System\Remote Assistance
The most important setting to configure is Offer Remote Assistance, which you should set to Enabled, with the option Allow helpers to remotely control the computer. You then simply specify AD users and groups that are permitted to be the helper. For simplicity’s sake, I use a single dedicated AD group called “Remote Assistance Agents”, and add accounts to that as necessary.
Unless you’ve disabled the client firewall, you’ll need to configure the following policy in order to let the Remote Assistance requests through:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
Windows Firewall: Allow inbound Remote desktop exceptions
Configure this setting with a list or range of IP addresses that are allowed to connect. Typically you will want to restrict this to the IP addresses used by the IT support team.
Starting an assistance session
I’ll be covering Windows 7 clients in the most detail here, simply because that’s what I’ve been using it with. Vista is almost identical, and the UI for Windows XP is similar, though a little more clumsy.
Step 1: Open Windows Remote Assistance.
You should find this under Maintenance on the Start Menu. Once open, select the second option, “Help someone who has invited you”.
If you end up using this feature a lot, you will want to skip this step in future. To do so, create a new shortcut to C:\Windows\System32\msra.exe /expert
(On XP, you will need to go to Start -> Help and Support, click Tools, then Help and Support Center Tools, then Offer Remote Assistance.)
Step 2: Use the Advanced connection option
For some insane reason, the UI is geared towards consumer use, which in my mind is actually a far less likely scenario. As a result, you’ll find the option you need as a tiny link at the bottom of the page named Advanced connection option for help desk.
Step 3: Specify the computer to connect to
From here it’s simply a case of typing the name of the workstation you want to connect to, or picking from a history list of the last few you connected to.
Step 4: Get the user to consent
On the user’s workstation, they will need to click ‘Yes’ on a dialogue box asking them if they want to be helped by you. My advice is to get them to stop whatever they are doing before you send the request, or they will end up clicking on something and burying the request behind another window, at which point your clueless user will have no idea how to retrieve it. Get past this hurdle, and you’ll have view access to their desktop, at which point you can yell at them if they start fiddling while you send a second request to take control.