Introduction -
This is part 4 of a four-part series on 'How to remotely assist Azure AD Joined devices'.
Remotely assisting Intune managed devices poses challenges for MSPs, as MSP technicians don't normally hold Global Admin rights in the customer tenant and usually perform admin tasks via the Microsoft Partner Portal.
MSP technicians face several challenges including -
- The MSP technician account is not a local admin of the Azure AD Joined / Intune Managed device
- The end user is a standard user and has no local admin rights
- Windows 10 blacks out the screen during UAC prompts (the prompt is shown on the secure desktop) when clients are being assisted via TeamViewer or Microsoft Quick Assist.
- The Intune Security Baseline denies user elevation prompts with the message - This app has been blocked by your system administrator.
To solve these issues I have designed a three-stage solution with the following stages -
- Add users or groups as local admins to all Azure AD Joined devices
- Deploy a PowerShell script to disable the prompt on the secure desktop
- Update the Endpoint Security Baseline
======================================================================
This is Part 4 of a 4 part series
Remote Administration and Assistance - Four part tutorial
1. Add users or groups as local admins to all Azure AD Joined devices - Link
2. PowerShell script to disable the prompt on secure desktop - Link
3. Updating the Endpoint Security Baseline - Link
4. How to remotely connect and assist - Link - This article
=======================================================================
4. How to remotely connect and assist
Now that you've configured Intune / Endpoint Manager so that you can securely connect to and assist users on Azure AD Joined devices, it's time to test that this is possible.
If your company hasn't invested in any remote assistance utilities like TeamViewer etc., you can use the built-in Windows 10 assistance tool called Quick Assist.
This step-by-step tutorial will take you through the process for assisting clients on Intune / Endpoint Manager managed devices -
Quick Assist -
1. The technician starts Quick Assist on their Windows 10 device.
2. The technician selects - Assist another person.
3. The technician receives a security code that they share with the person receiving assistance.
4. The technician tells the end user to start Quick Assist and enter the security code.
5. The end user selects - Share Screen.
6. The technician selects - Take full control - Continue.
7. The end user acknowledges that the technician can see files and control the computer, and selects - Allow.
8. The technician's computer advises that the end user is NOT in Administrator mode.
9. The end user's screen advises that screen sharing is on.
10. The technician can now control the remote device with full admin rights, and can run PowerShell as Admin.
11. When prompted by UAC for admin credentials, enter your Global Admin credentials or the credentials of an Azure AD account with the right to log on as a local administrator of Azure AD joined devices (configured earlier in this tutorial - Link).
12. The technician can now run PowerShell as Admin with their own credentials.
13. If the client attempts to run PowerShell as Admin with their own credentials, it will fail.
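Before or during the Quick Assist session, the technician can confirm that the earlier stages of this series actually took effect on the device. The following PowerShell posture check is an added example and is not part of the original series: it reads the standard UAC policy values that parts 2 and 3 change (`PromptOnSecureDesktop` and `ConsentPromptBehaviorUser`), reports whether the current PowerShell process is elevated, and lists the local Administrators group so you can see the account or group added in part 1.

```powershell
# Added example: check the UAC and local admin state configured in parts 1-3 of this series.
# Run it on the Azure AD Joined device, e.g. in the PowerShell window opened via Quick Assist.

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Read one UAC policy value; $null means the value is absent and the OS default applies.
function Get-UacPolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $PolicyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-RemoteAssistPosture {
    # PromptOnSecureDesktop: 1 (default) = UAC prompts on the secure desktop, which the remote
    # viewer sees as a black screen; 0 = prompts on the interactive desktop (visible in Quick Assist).
    $secureDesktop = Get-UacPolicyValue -Name 'PromptOnSecureDesktop'

    # ConsentPromptBehaviorUser: 0 = standard users' elevation requests are automatically denied
    # ("This app has been blocked by your system administrator"), 1 = prompt for credentials on the
    # secure desktop, 3 (default) = prompt for credentials.
    $userPrompt = Get-UacPolicyValue -Name 'ConsentPromptBehaviorUser'

    # Is this PowerShell process running with an elevated (administrator) token?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        CurrentUser               = $identity.Name
        Elevated                  = $elevated
        PromptOnSecureDesktop     = if ($null -eq $secureDesktop) { 'not set (default 1)' } else { $secureDesktop }
        ConsentPromptBehaviorUser = if ($null -eq $userPrompt)    { 'not set (default 3)' } else { $userPrompt }
    }
}

Get-RemoteAssistPosture | Format-List

# Local Administrators membership. Azure AD accounts and groups appear as AzureAD\<name> or as a
# bare SID when the name cannot be resolved; Get-LocalGroupMember can throw on unresolved SIDs,
# so fall back to net localgroup in that case.
'Local Administrators group:'
try {
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
} catch {
    Write-Warning "Get-LocalGroupMember failed ($($_.Exception.Message)); using net localgroup instead."
    net localgroup Administrators
}
```

If `Elevated` is `False` in the session opened through Quick Assist, the UAC credential prompt in step 11 has not been answered with an account that is a local administrator of the device.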
=====================================================================
About the author -
Terry Munro is an IT specialist based in Brisbane, Australia.
He draws upon over 20 years' experience designing and delivering technical solutions to a variety of enterprise clients in the private, Government and Education sectors, to revolutionise client businesses through collaboration and getting the most value from a variety of cloud solutions.
He is passionate about learning new technologies and is a firm believer in sharing knowledge to provide a better experience for all.
You can connect with Terry
LinkedIn - https://www.linkedin.com/in/terry-munro/
Facebook - @IntuneAdmin - https://www.facebook.com/IntuneAdmin/
Facebook Community Group - https://www.facebook.com/groups/intuneadmin/
GitHub Repository - https://github.com/TeamTerry