Unsolicited Remote Assistance

Yes it is possible to make the Remote Assistance somewhat usable.

Upside:
– It’s free
– I recommend setting it up as a backup (If e.g. TeamViewer servers are down again).
Downside:
– UAC Prompts are not visible to you
– Supporter needs to be local Administrator
– Only Local and Routed Networks (e.g. no NAT)

First you need to make a new Domain Local Group named “Remotesupport” and add all your Supporters (the Globlal Group of there teams) to it.
Make a new Policy (on DC) and name it “Unsolicited Remote Assistance”.
Go to the Directory “Computer Configuration\Policies\Administrative Templates\System\Remote Assistance”.
Enable the Policy “Configure Solicited Remote Assistance” with default settings.
Enable the Policy “Configure Offer Remote Assistance”, click on “Show…” and enter “\Remotesupport”.
The last step you have to go is linking it under your Domain (or OU) it should apply to.

Allow in your Windows Firewall:
– TCP 135
– %systemroot%\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
– %systemroot%\system32\Raserver.exe
– %systemroot%\system32\sessmgr.exe
You can add this to the “Unsolicited Remote Assistance” policy if you use the Windows Firewall (“Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Inbound Rules”)

Now all your remote support team has to do is opening “msra.exe /offerra” and entering the Client IP or Hostname.

If you really depend on being able to see the UAC prompt you can lower your device security to the bare minimum by disabling the Secure Desktop:
Seriously don’t do it. That allows Malware running with user Privileges to log your keystrokes.
I warned you.
Ok, I think you really want to do it, so I won’t stop you from enabling the Policy (“Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop”)
My recommendation: Put this setting in a separate policy and enable it as needed (e.g. your primary remote assistance application fails). Normally applying a policy can take up to 15 Minutes. Just run “winrs -r:HOSTNAME gpupdate /force” as Administrator to force apply them immediately.

Leave a Reply

Your email address will not be published. Required fields are marked *