Historically, third-party remote support tools have been much better than the built-in ones. Supporting users means seeing “their” graphical user interface. Unfortunately, most of the time spent resolving a technical issue goes to simply getting connected to the user’s remote machine rather than to the problem itself, since most issues are quick fixes.
I’ve used 3rd party utilities such as TeamViewer and LogMeIn. Both are great products, by the way, and can save you in a pinch. However, if you’ve upgraded your Windows 7 machines, which should have happened as Windows 7 went EOL (End of Life) in January, as did Windows Server 2008, you will have Windows 10. If you do, then great! It comes with a built-in feature called “Quick Assist”. If you’re still on Windows 7, get the Windows 10 media creation tool here and upgrade your PC for free: https://www.microsoft.com/en-us/software-download/windows10
Microsoft has been implementing different remote desktop technologies to enable this, and it was available on older versions of Windows 10, but it wasn’t until the UWP (Universal Windows Platform) version of “Quick Assist” that it really felt like the ease of use had improved.
However, regarding reliability, the Quick Assist platform runs on Azure, and a user authenticates against Azure using their Microsoft credentials. As long as you are using Azure AD, this is great for the end-users that you are supporting. If you’re using traditional AD, the user will have to log in using their work or personal Microsoft Account.
Just yesterday there was a major failure in the authentication mechanism for Office 365, office.com, and outlook.com, among others. This shows how much hinges on these authentication mechanisms functioning flawlessly. If you were dependent on Quick Assist, you would not be able to connect to your clients’ machines. That’s why having a backup solution is a necessity.
Different remote support solutions are available to use as a backup. For a LAN, if you have the money, time, and savvy, you can implement SCCM, which has a useful remote utility that allows an administrator to see what the user sees on their screen, effectively sharing a GUI session. This is not a built-in tool, but it is a tool that Microsoft sells themselves, and it has many other integrations with Windows Server services for automation in large corporate environments.
The downside is how you handle remote support with clients that are connecting from home with their laptops and need to access network resources or you need to be able to administer their machines.
Several methods for remote users to access the business network:
- Microsoft Direct Access (Now Defunct but still functional)
- AlwaysOn VPN (Windows 10 only)
- Cloud Based Storage through OneDrive or SharePoint
Other methods for administrators to remotely access the machine:
- Microsoft Direct Access
- AlwaysOn VPN
- Quick Assist (UWP)
- Microsoft Teams
The built-in security-aware features of the Microsoft software are both a major benefit and a downside for administrators. The benefit is the added security of preventing administrative tasks from being performed by remote users, such as through a Teams meeting. By the same token, the downside is that an administrator may have difficulty performing administrative tasks on a remote machine through a Teams meeting session.
Enough about that; here’s how to use Quick Assist. On the administrator’s PC, press (Windows Key) and enter “quick assist”. If it’s not available, check the Microsoft Store and install it.
Click on “Give Assistance”
The remote user will see the same screen and need to launch the application in the same way.
On the Administrator’s PC click on “Assist another person”
You will be asked to sign in to a Microsoft account.
Next, you will be provided with a temporary security code to give to the person you are supporting remotely.
They will enter it into the “Code from assistant” box.
The remote user will need to click on “Share Screen”
The administrator will have 2 connection type options
If you need to interact with the desktop, select “Take full control”. “View screen” will require instructing the user by voice through each step, and each step would be performed by the remote user.
The remote user will then see this screen showing the options that the remote administrator selected to connect with:
If they are ok with the settings they would click “Allow”.
Note: the remote user that you are supporting did not need to sign in to their Microsoft Account.
The remote administrator will then connect to the PC and see the following remote tools and options:
As an administrator, you want to make it easy for your end-users to receive support when needed, regardless of their location. Since this utility is baked into Windows 10 and can be used for free, it’s a no-brainer to add it to users’ desktops via a GPO (Group Policy Object). First, I’ll go over how to set this up on a single machine, assuming that you are in a Workgroup environment with non-domain-joined PCs.
The first step is to get a shortcut
Then you will see the shortcut icon. Leave this open.
From here you can just right-click and click “send to desktop” and you’re done for the currently signed-in user.
However, if you have multiple user accounts on the same desktop in a workgroup environment, you may want to use this method:
Multiple Users / One Desktop / Workgroup
Now we need to copy the shortcut to the Public desktop. This will apply it to all users’ desktops on that machine.
Press (Windows Key + E) to open up the file manager (Windows Explorer). Then, you will want to enable “hidden folders”.
Click “File” and then “Change folder and search options”.
Then, click “View”. Then, “show hidden files, folders, and drives”
Press (Alt + D) to move the cursor to the address bar.
Navigate to C:\users\public\public desktop
Then, copy and paste the quick assist icon here.
Now, most admins will probably want to turn the hiding of hidden folders back on.
(Optional) Since you’re already looking at these settings, a couple I would enable would be:
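The same Public desktop shortcut can be created from an elevated PowerShell prompt without touching the hidden-folder settings. This is an added example, not part of the original post; it assumes the in-box Windows 10 binary at `%SystemRoot%\System32\quickassist.exe`, and the function name and shortcut file name are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): put a Quick Assist shortcut on
# the Public desktop so every local user of this PC gets it.
# Assumption: the in-box Windows 10 binary lives at System32\quickassist.exe.

function New-QuickAssistPublicShortcut {
    [CmdletBinding()]
    param(
        [string]$Target   = (Join-Path $env:SystemRoot 'System32\quickassist.exe'),
        [string]$LinkName = 'Quick Assist.lnk'   # hypothetical file name
    )

    if (-not (Test-Path -LiteralPath $Target -PathType Leaf)) {
        throw "Quick Assist not found at $Target; install it from the Microsoft Store first."
    }

    # A shortcut every user will click should only point at a binary whose
    # signature Windows still considers valid.
    $sig = Get-AuthenticodeSignature -LiteralPath $Target
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to link to ${Target}: signature status is $($sig.Status)."
    }

    # Resolves the all-users desktop without needing hidden folders shown.
    $desktop  = [Environment]::GetFolderPath('CommonDesktopDirectory')
    $linkPath = Join-Path $desktop $LinkName

    $shell = New-Object -ComObject WScript.Shell
    $link  = $shell.CreateShortcut($linkPath)
    $link.TargetPath  = $Target
    $link.Description = 'Get or give remote assistance'
    $link.Save()

    # Read the .lnk back and confirm it points where we intended.
    $check = $shell.CreateShortcut($linkPath)
    if ($check.TargetPath -ne $Target) {
        throw "Shortcut at $linkPath points to '$($check.TargetPath)', expected '$Target'."
    }
    Get-Item -LiteralPath $linkPath
}

New-QuickAssistPublicShortcut
```

Because the Public desktop is shared by every account on the machine, the read-back check is worth keeping: it catches a pre-existing or altered `.lnk` that resolves somewhere other than the signed system binary.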
Changing this to launch with “This PC” as it already has a quick access view and just seems redundant.
I also prefer to spawn my folder windows separate from explorer.exe so I always set the checkbox for “Launch folder windows in a separate process”.
You could also use the following steps for domain-joined PCs in the local group policy editor, even though the machine wouldn’t be domain joined.
Domain Joined PCs
This solution uses group policy to apply the desktop shortcut. There are many variations on how the desktop icon could be applied. In this example, I’m just going to use computers instead of users and set it domain-wide to apply to all PCs. Note that this will only update on domain-joined PCs with users that are signed in as domain users. If a local user signs in to a domain-joined PC, this setting will not apply to them.
Start -> Run -> gpmc.msc
Using a domain administrator member account
Right-click on Domain and click on “Create GPO in this domain and link it here”
Give it a name
I want this policy to apply regardless of a successful authentication with a domain user account. Therefore, we’ll apply these settings to the systems themselves by using computer objects in the security filtering. For this to apply to the machines they will have to be rebooted instead of a user logging off and back on.
Before we remove “authenticated users” we’ll have to add “domain computers”, because one or the other of those is a minimum requirement for a GPO to function:
Now you will see 2 entries
Now we’ll remove the “Authenticated users” group from our security filtering settings:
You will get this message:
This should be fine since we’re only applying a computer/machine policy here and not a combination that would contain any user policies. However, to be on the safe side Microsoft recommends that you take the following actions:
Right-click and click “Edit”
Right-click and select “new”