Remote Help in Microsoft Intune works by enabling IT administrators to remotely control a user’s mobile device, allowing them to view the device’s screen and interact with it in real-time. This enables administrators to quickly diagnose and fix issues on the device, without needing to be physically present with the user.
To use Remote Help in Microsoft Intune, IT administrators first need to enable the feature in the Intune console. Once enabled, administrators can initiate a remote session with a user’s device by sending an invitation link to the user via email or text message. The user then clicks on the link to join the remote session, allowing the administrator to remotely control the device.
In the blog post I will showcase how to enable this feature via PowerShell instead of the Microsoft Intune admin center portal.
Pre-requsites
- An active Microsoft Intune subscription.
- An Azure AD (Active Directory) subscription with administrative access.
- The Azure AD application registration credentials, including client ID and secret.
- Permissions to access and manage Microsoft Intune and Microsoft Graph API resources.
- PowerShell and AzureAD PowerShell module installed on the local machine to run PowerShell scripts.
- A valid Azure AD authentication token to authenticate and authorize Microsoft Graph API requests.
Create the Client Secret for MS Graph
Let’s pre-create the application ID and client secret we will use to connect and leverage the Microsoft Graph APIs via Powershell
- Connect to Azure Portal and go to Azure Active Directory
- Click on App Registrations and select – New Registration
- Give the App a Name – MSGraph-DeviceMgmt-Secret
- You will get two important information created for later use within Powershell
- Application ID
- Tenant ID
- Now let’s grant this App MSGraph Permission. Click on Add a permission and select MS Graph and search for Device – DeviceManagementConfiguration and select read-write permissions and Add Permissions
- Select Grant admin consent for domain
Note that RemoteSettings, aka Remote Help, falls under Device Management Configurations. We will use that for the permissions (read-write)
- We are using client secret so now lets enable that. Click on Certificates & Secrets – Client Secrets and select New client secret\
- Give it a name (Deviceconfig_secret) and expiry date (12 months)
- Copy the Secret Value
Variable Region
Delcare all the variable within this section. Lets take a look at what we are declaring within the script:
- GraphEndpoint and resource URL if you notice we are using the remoteAssistanceSettings
$graphEndpoint = "https://graph.microsoft.com"
$resourceUrl = "$graphEndpoint/beta/deviceManagement/remoteAssistanceSettings"- From the above section we have the values for Client ID, Secret and tenant id which we will paste in here.
$clientId = "XXXXXXXX-6f08-XXXXX-a6ff-XXXXXXXXXXXXX"
$clientSecret = "Q-D8Q~XXXXXXXXXXXXXXXXXXXXXXXXXXX"
$tenantId = "XXXXXXXXXX-d8f4-4c55-XXXXX-XXXXXXXXXXX"
$authority = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$scope = "https://graph.microsoft.com/.default"Execution block
Execution code block within this section. Lets take a look at what we are we executing within the script:
- The body payload to enable disable the Remote Help Assistance settings
- RemoteAssistanceState – Enabled/Disabled
- AllowSession to Unenrolled Devices – $true or $false
- Block chat – $true or $false
$payload = @{
"@odata.type" = "#microsoft.graph.remoteAssistanceSettings"
"remoteAssistanceState" = "disabled"
"allowSessionsToUnenrolledDevices" = $false
"blockChat" = $false
} | ConvertTo-JsonFinal Script
Here I will paste the entire script block for seamless execution in a single run. Following is the link to my GitHub for this script – https://github.com/askaresh/avdwin365mem/blob/main/enableremotehelpmem
# Define the Graph API endpoint and resource URL
$graphEndpoint = "https://graph.microsoft.com"
$resourceUrl = "$graphEndpoint/beta/deviceManagement/remoteAssistanceSettings"
# Define the authentication parameters
$clientId = "XXXXXXXX-6f08-XXXXX-a6ff-XXXXXXXXXXXXX"
$clientSecret = "Q-D8Q~XXXXXXXXXXXXXXXXXXXXXXXXXXX"
$tenantId = "XXXXXXXXXX-d8f4-4c55-XXXXX-XXXXXXXXXXX"
$authority = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$scope = "https://graph.microsoft.com/.default"
# Authenticate to the Graph API and obtain an access token
$tokenResponse = Invoke-RestMethod -Method Post -Uri $authority `
-Body @{
client_id = $clientId
client_secret = $clientSecret
scope = $scope
grant_type = "client_credentials"
} `
-Headers @{
"Content-Type" = "application/x-www-form-urlencoded"
}
$accessToken = $tokenResponse.access_token
# Define the payload for the PATCH request
$payload = @{
"@odata.type" = "#microsoft.graph.remoteAssistanceSettings"
"remoteAssistanceState" = "enabled"
"allowSessionsToUnenrolledDevices" = $false
"blockChat" = $false
} | ConvertTo-Json
# Send a PATCH request to the remoteAssistanceSettings resource with the updated payload
$headers = @{
"Authorization" = "Bearer $accessToken"
"Content-Type" = "application/json"
"Content-length" = $payload.Length
}
Invoke-RestMethod -Method Patch -Uri $resourceUrl -Headers $headers -Body $payloadValidations
After running the powershell script now check the portat it will be enabled
Overall, Remote Help in Microsoft Intune is a powerful tool for IT administrators, enabling them to quickly diagnose and fix issues on mobile devices, improving productivity and reducing downtime. If you’re using Microsoft Intune, be sure to take advantage of this powerful feature to improve your device management capabilities.
References & Useful Links
| Useful Links | Credits |
| Update remoteAssistanceSettings – https://learn.microsoft.com/en-us/graph/api/intune-remoteassistance-remoteassistancesettings-update?view=graph-rest-beta | Microsof |
| Enabling Remote Help and Supporting Users with Intune – Microsoft Community Hub | Microsoft |
I hope you will find this helpful information for enabling Remote Help using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Thanks,
Aresh Sarkari