Microsoft released with Windows 7 a new version of the remote assistance tool. This built-in feature (natively installed on all windows 7 clients) is very handy and makes payable third party solutions obsolete. The following tutorial describes how you can implement this solution in your company network.
Remote Assistance vs. Remote Desktop
Remote Assistance and Remote Desktop are built-in functions of Windows 7 that are used in a different manner.
Remote Desktop is used to remotely connect to other clients and with each logon it creates a new user session. With remote desktop you can connect to a client that has no active user session. It’s mainly used to connect to servers.
Remote Assistance on the other hand is a tool to interact with the user working on the workstation. To make a remote assistance connection happen the user and the helpdesk employee have to be logged-in on their workstations. After the connection is initiated both employees can see the same screen and the helpdesk employee can interact with the users desktop.
Improved Version of Remote Assistance in Windows 7
- Connection improvements with a transparent NAT using Toredo and IPv6
- Redesigned User-interface to enhance user experience
- Bandwidth optimized with RDP protocol (lighter footprint)
- Full compatibility with the new security features of Windows 7 (UAC)
- Group policy settings to control the settings globally
- Downwards compatibility to support Windows XP clients
Remote Assistance IP Ports and Windows Firewall
In a internal network with disabled windows firewall there are no problems to expect.
When using the Windows 7 default domain profile, the default firewall configuration is already set correctly and the remote maintenance option active.
Used ports, if you want to have access from remote location (Is not addressed in this document):
Windows 7 to Windows XP or Vista to Windows XP TCP port 3389 (local / remote) for DCOM connections to port 135 (TCP) More: KB Microsoft
With Windows Vista Clients
Remote Assistance is fully backward compatible
With Windows XP Clients
Remote Assistance in Windows 7 is backward compatible with Remote Assistance in Windows XP, but there are some limitations. The GUI on the Windows XP computer is not the same as in Windows 7 and the custom error messages, which are set by GPO cannot be displayed. With XP you cannot give Remote Assistance for Windows 7 devices. This means that the help desk staff to has work with Windows 7 clients.
The program msra.exe is installed by default on all Windows 7 clients.
Group Policy SettingsIn order to allow clients to access, you have to set some Group Policy settings.
Policy Name: RemoteAssistance
Path: Computer Configuration -> Administrative Templates -> System -> Remote Assistance
1. Turn on session logging = Enable
Each session is logged in this path: Users\user_name\Documents\Remote Assistance Logs
2. Turn on bandwidth optimization
3. Customize Warning Messages
4. Solicited Remote Assistance = Disable
5. Offer Remote Assistance
Here you define which groups have access to remote assistance. Like the help desk group.
The following error message may occur:
Remote Assistance connection could not be establishedYou need to create a local group within the GPOs.
Path: Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups
Add Local Group
To this local group you need to assign a user group that is defined to offer remote assistance to clients.
Example Connection sequence with Remote Assistance
1. The help desk staff leads by clicking on the shortcut or runing MSRA / offerRA from the command line will get the following GUI:
2. If the target computer is connected to the network and a user logged on, the connection will be established:
3. This message prompts on the users screen:
4. Now it tells the user that the connection has been successfully established. For performance optimization Windows Aero is turned off, the color depth is reduced to 16 bit and the background image is disabled:
5. The help desk staff has now visual access to the employees screen:
6. To gain control the staff has to make a request "request control":
7. The user has to reconfirm this request and agrees hereby that the help desk staff can control his workstation:
After the handshake, the help desk employee can remotely work in the current user session.
Closing the window on either side causes the remote assistance session immediately.