Teamviewer in Intune

September 8, 2016

Hello,

Since the beginning of the computer era, end users have required support, preferably on site with some coffee and chocolates to go. But reality is remote, using some kind of tool that allows remote control.

Windows 8 and above lack that functionality with Windows Intune; this is not the fault of Intune but something proper to the OSE itself.

Now we can integrate cloud service 1 (Intune) with cloud service 2 (Teamviewer) for remote assistance. Great! Let’s see how it goes.

First we need to activate the Teamviewer functionality in Intune.

Check out Administrator -> Teamviewer -> Activate

Now follow the wizard; it guides you through the creation of a user with the required service and allows the creation of a trial account for testing.

Now let’s pretend to be a needy user on a Windows 10 Anniversary Update build, so he/she opens the Intune portal and requests assistance.

Now we (the admin, actually the same person 🙂) see the alert in the Intune admin console.

Now we can immediately start the session from the console …

Teamviewer software is being downloaded and installed

And request validation is launched on the client machine

After installation the connection is created automatically

The user grants access …

… Et voilà, we have the client side to see who is taking control …

… And the admin side for helping out our customer.

You can perform some more advanced actions like blank screen on user side, block input, lock screen etc.

And you receive a free word of advice and a pat on the back from Teamviewer! We (always) play it fair.

So there you have it, easy and simple but a world of difference for our connected end user.

Enjoy

Gino D

RDS 2012 R2 Shadowing

June 24, 2015

Hello,

I really like the RDS 2012 session-based environment. Recently we had to implement a way for a specific helpdesk group to be able to assist users in their RDS sessions.

So, what are the possibilities for achieving this:

· Mstsc /shadow

· Server Manager

· Remote assistance

Option 1: mstsc /shadow

You can use the default mstsc (from Windows 8.1) with the shadow option.

You have to supply the server name and session ID.

Log on to the server and query sessions using the query session command; you’ll need the ID.

Next up you can shadow a session using mstsc /v:servername /shadow:id /control

The user will receive a prompt and will accept or deny the request. (This is Polish by the way, love multi-language environments 🙂)

So you need to be an admin on the RDS host server in order to perform the shadowing, or you can set the required remote control rights using a command prompt.

This command gives them full control on the RDP protocol:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "domain\group",2

Or by using the Terminal Services Configuration tool from a 2008 (R2) server and connecting to your 2012 R2 RDS hosts.

Grant the required rights.

There are also some GPOs to modify some of the security settings:

<Computer Configuration> |<User Configuration>

\Administrative Templates\Windows Components\Remote Desktop Services

\Remote Desktop Session Host\Connections

\Set rules for remote control of Remote Desktop Services user sessions
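
Added example (not part of the original post, and not Microsoft's code): one way to review the result of the permission change and the GPO above. It reports which accounts hold the shadow (remote control) right on RDP-Tcp and decodes the computer-side Shadow policy value; the sample rows, the CONTOSO\Helpdesk group and the function names are constructed for illustration, and the WINSTATION_* bit values are taken from the Windows SDK.

```powershell
# Added example, not from the original post. Bit values per Windows SDK (winsta.h).
$WINSTATION_SHADOW     = 0x10      # the remote control (shadow) right
$WINSTATION_ALL_ACCESS = 0xF03BF   # Full Control, what "AddAccount ...,2" grants

# Values of the "Shadow" policy written by the GPO named above
$ShadowPolicy = @{
    0 = 'No remote control allowed'
    1 = 'Full control with user permission'
    2 = 'Full control WITHOUT user permission'
    3 = 'View session with user permission'
    4 = 'View session WITHOUT user permission'
}

function Get-ShadowCapableAccount {
    # Takes Win32_TSAccount-shaped objects; emits those whose allowed-minus-denied
    # mask still contains the shadow right.
    param([Parameter(ValueFromPipeline = $true)] $Account)
    process {
        $allowed = [int64]$Account.PermissionsAllowed
        $denied  = [int64]$Account.PermissionsDenied
        $effective = $allowed -band (-bnot $denied)
        if ($effective -band $WINSTATION_SHADOW) {
            [pscustomobject]@{
                AccountName = $Account.AccountName
                FullControl = ($effective -band $WINSTATION_ALL_ACCESS) -eq $WINSTATION_ALL_ACCESS
            }
        }
    }
}

function Get-ShadowConsentPolicy {
    # Computer-side policy only; the per-user policy lives under HKCU.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $value = (Get-ItemProperty -Path $key -Name Shadow -ErrorAction SilentlyContinue).Shadow
    if ($null -eq $value) { return 'Not configured by policy' }
    $ShadowPolicy[[int]$value]
}

# Constructed sample rows (illustrative, not real output). On an RDS host use:
#   Get-CimInstance -Namespace root\CIMV2\TerminalServices -ClassName Win32_TSAccount `
#       -Filter "TerminalName='RDP-Tcp'" | Get-ShadowCapableAccount
$sample = @(
    [pscustomobject]@{ AccountName = 'BUILTIN\Administrators';       PermissionsAllowed = 983999; PermissionsDenied = 0 }
    [pscustomobject]@{ AccountName = 'BUILTIN\Remote Desktop Users'; PermissionsAllowed = 289;    PermissionsDenied = 0 }
    [pscustomobject]@{ AccountName = 'CONTOSO\Helpdesk';             PermissionsAllowed = 983999; PermissionsDenied = 0 }
)
$sample | Get-ShadowCapableAccount
Get-ShadowConsentPolicy
```

Policy values 2 and 4 mean a session can be shadowed without the consent prompt shown to the user earlier in this option.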

Okay, so much for option 1, but this is not really user friendly for our helpdesk users: they need to connect to all servers individually, query for the ID and start mstsc with specific options. Sure, you can script it (like https://rcmtech.wordpress.com/2014/05/01/rdsh-2012-r2-shadow-users-without-connection-broker-admin-rights/) but I like to hold on to standard options whenever possible.

Option 2: Server Manager

You basically go through the same steps but you present the helpdesk group the Server Manager executable. You add all the RDS session hosts and the session broker; you’ll see all connections and can shadow from the console.

You’ll see the sessions when selecting a collection; you can right-click and shadow a session.

Perfect, you might say, but … in order to achieve this the helpdesk user needs to be part of the local admin group on the session broker server and have the remote control and query rights on the RDS session host servers.

See http://blogs.technet.com/b/askperf/archive/2013/10/22/windows-8-1-windows-server-2012-r2-rds-shadowing-is-back.aspx and https://technet.microsoft.com/en-us/library/hh831453.aspx.

So this is not ideal for delegation, I don’t want to give my helpdesk group local admin rights on the session broker server.

Option 3: Remote Assistance

Remote assistance? Well yes, why not? It’s already being used for taking control of physical machines, it can be delegated and you have view and control functionality.

First up, create a policy that configures the remote assistance settings:

And modify your UAC settings in order to allow remote assistance to respond to UAC prompts that normally appear on the secure desktop. (Otherwise your user will see the prompt and you’ll see a pause, always nice 🙂)

Now I have noticed on the RDS 2012 R2 session hosts that the group required for remote assistance users (Offer Remote Assistance Helpers) was not created automatically; if the group is not present your remote assistance will not work.

So the solution was to add the remote assistance feature to the server, and then the group appeared after the policy was received.

Then just connect to the server using msra /offerra and the remote assistance tool will query the available sessions and perform normal remote assistance behavior.

So there you have it, several possibilities to allow a helping hand to your users; my favorite is the remote assistance. Not as easy to use as the Server Manager but known technology that can be delegated using standard tools.

Enjoy.

Gino D


Remote control in CM2012

June 9, 2012

Okay, we have all heard it. Everybody loved it. Remote control without a logged-on user in CM2012. Let’s see remote control in action.

Let’s start with the remote choices:

-> Remote Desktop

-> Remote Assistance

-> Remote Control

First you define the settings by creating or modifying a client setting.


Set the desired options. Here we configured all remote control possibilities and we have defined a viewers remote control group.


We deploy the custom settings to all systems here.

Now, in order to start the remote control we can use the CM console or CmRcViewer.exe under cm_instal\AdminConsole\Bin\x64\CmRcViewer.exe

You see that we can log on to the console while at the logon screen and we can send Ctrl-Alt-Delete.

Notice that the user automatically sees who is taking control.

The user also has access to a session status screen where he/she can close the session.

If a user is logged on then a control prompt is presented.

You can also lock the keyboard and mouse in the remote session.

If we set the permissions to view only we immediately see the result.


In order to use the remote assistance feature you need to install it first on the server where you will start the session.


Now what’s nice about the remote assistance feature is that the user gets a prompt for viewing only and then has to explicitly accept in order for the administrator to get remote control on his machine. I believe this offers nice granularity.

Step 1 Remote Viewing

Step 2 Remote Control


Bye.