
Remote Assistance and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2

Updated: December 16, 2009

Applies To: Windows 7, Windows Server 2008 R2

In this section

Benefits and purposes of Remote Assistance

Overview: Using Remote Assistance in a managed environment

How Remote Assistance communicates through the Internet

Controlling Remote Assistance to prevent the flow of information to and from the Internet

Procedures for controlling or disabling Remote Assistance

Additional references

This section describes four ways that Remote Assistance can work:

  • Remote Assistance through instant messaging. Because this is designed more for a home scenario than an enterprise scenario, it is not described fully in this document, but there are links to additional information in Additional references later in this section.

  • Solicited Remote Assistance (a user sends an invitation, through e-mail or as a file, to a person who can provide assistance).

  • Offer Remote Assistance within a domain setting (a designated set of people, such as support professionals, offer assistance to users).

  • Easy Connect, which allows a Remote Assistance connection between two computers to be initiated by using the Peer Name Resolution Protocol (PNRP).

    Note
    Additional network configuration steps are required to make the PNRP available in enterprise environments.

Important
On a computer running Windows Server® 2008 R2, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance by using the Add Features Wizard in Server Manager before it can be used.

With Remote Assistance, a support person or helper can offer assistance to users with computer issues or questions. The support person might connect from a computer running Windows® 7 or Windows Server 2008 R2.

After the user and helper are connected and the Remote Assistance session begins, both can view the user's computer screen, communicate in real time about what they see, and use the mouse and keyboard to work on the user's computer.

Multiple protections are built into Remote Assistance:

  • Remote Assistance sessions use the Remote Desktop Protocol (RDP) and end-to-end encryption.

  • The person who is being assisted must consent before the desktop can be viewed remotely, regardless of how the Remote Assistance process begins (through instant messaging, through an invitation sent through e-mail or delivered as a file, or through Offer Remote Assistance).

  • A person who is requesting assistance must send an automatically-generated 12-character password that the helper must type before assistance can begin.

  • The person being assisted can stop the Remote Assistance session at any time.

  • Through Remote settings (Advanced button) in Control Panel\System, you can set the maximum amount of time that a Remote Assistance invitation can remain open.

The following sections provide more detail, including information about the three types of Remote Assistance: instant message–based Remote Assistance, Solicited Remote Assistance where the invitation is sent as an e-mail or delivered as a file, and Offer Remote Assistance (used within a domain).

The Remote Assistance Wizard guides you through one of several processes:

  • Creating an e-mail or file invitation for remote assistance, and then generating a password for the session.

  • Offering remote assistance to a specific computer (identified by name or IP address).

In a managed environment, a firewall on your organization's network will likely prevent helpers outside your network from connecting directly to a computer on your network because the firewall blocks inbound Remote Assistance connections. However, you can control Remote Assistance by disabling all types of Remote Assistance or by allowing certain types. For example, by allowing only Offer Remote Assistance within your domain, you could specify a list of support professionals in your organization who can offer assistance. Only the people on that list can assist users through Remote Assistance. (Offer Remote Assistance only works within a domain environment.)

For a list of Group Policy settings that are relevant for controlling Remote Assistance in a managed environment, see Using Group Policy to limit communication through Remote Assistance later in this section.

Note
In addition, on a server running Windows Server 2008 R2, before users can access Remote Assistance, they must install the Remote Assistance feature and then start the Remote Assistance Wizard by clicking Start, All Programs, Maintenance, and then Windows Remote Assistance.

There are two stages to the Remote Assistance process:

  • Remote Assistance invitation. An invitation or "ticket" is sent from one computer to another and the computers establish communication.

  • Remote Assistance session. The helper views or changes the configuration on another person's computer.

For more information about the communication in these processes, see How Remote Assistance communicates through the Internet later in this section.

When choosing ways to control Remote Assistance, consider the types of assistance that are included in Remote Assistance in Windows Server 2008 R2. The following list briefly describes each type. Details about how to control these types of assistance are provided later in this section.

Note
The types of Remote Assistance refer to how the Remote Assistance session is initiated. For all types of Remote Assistance, the person receiving assistance must consent before assistance can begin.

  • Instant message–based Remote Assistance. Both the person seeking assistance and the person who gives assistance must be using instant-messaging software based on the Rendezvous API (for example, Windows Live Messenger 8.0). A person seeking assistance can select a buddy from his or her list and ask that person to provide Remote Assistance. For information about this approach, see Additional references later in this section.

  • Solicited Remote Assistance where an invitation is sent by e-mail or delivered as a file. A person sends an invitation, through e-mail or as a file, to a person who can provide assistance.

  • Solicit Remote Assistance through Easy Connect. The system generates a 12-digit password, which the person requesting assistance must provide to a person who can provide assistance.

  • Offer Remote Assistance. For Offer Remote Assistance to work, a certain amount of configuration is necessary, and the computers must be within a domain. This means that the system administrator can determine who can offer remote assistance within the domain.

    Note
    A support professional who is working on a computer running Windows XP cannot offer remote assistance to computers running Windows 7 or Windows Server 2008 R2. The support professional must have a computer running Windows Vista®, Windows 7, Windows Server 2008, or Windows Server 2008 R2. (With any of these operating systems, the support professional can also offer remote assistance to a computer running Windows XP).

For more information, see Controlling Remote Assistance to prevent the flow of information to and from the Internet and Procedures for controlling or disabling Remote Assistance later in this section.

Windows Firewall includes a list of exceptions that you can choose, including an exception for Remote Assistance. Enabling the Remote Assistance exception has different effects, depending on which of the following network categories the computer is using at a given time:

  • Private network. This category is intended for home or small office networks, and it is less restrictive than the public network category. For a private network, network discovery is on by default. Network discovery is the ability of a computer to recognize or be recognized by computers and other devices on the network.

  • Public network. This category is intended for networks in public places (such as coffee shops or airports). The public network category is intended to be more restrictive to help keep the computers secure. For a public network, network discovery is off by default.

  • Domain network. This category is automatically applied when a computer is connected to a domain. For a domain network, network discovery is on by default.

Note
In a domain, if you enable the Windows Firewall exception for Remote Assistance, Port 135 TCP is opened. If you do not want to open this port, you can use a Group Policy setting to allow authenticated traffic that is protected by Internet Protocol security (IPsec) to bypass Windows Firewall. For more information, see Additional references later in this section.

The following table lists the network categories and describes how the Remote Assistance exception in Windows Firewall works in each category:

 

Network Category Remote Assistance Exception in Windows Firewall

Private

Public

Domain

  • Remote Assistance exception is disabled by default.

  • If the exception for Remote Assistance is enabled:

    • Port 135 TCP is opened for Distributed Component Object Model (DCOM) for Offer Remote Assistance. For an alternative approach, see the note that precedes this table.

    • systemroot\System32\msra.exe (for both Offer Remote Assistance and Solicited Remote Assistance) can communicate through the firewall.

    • systemroot\System32\raserver.exe (for Offer Remote Assistance) can communicate through the firewall.
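
One way to check what the table above describes, as an added PowerShell example that is not part of the original page: it flags enabled inbound allow rules for msra.exe, raserver.exe, or TCP 135 and lists the firewall profiles each one applies to. The sample rule objects are constructed; the property names and numeric codes are those of the Windows Firewall COM object HNetCfg.FwPolicy2, and the function and helper names are hypothetical.

```powershell
# Added example (not from the original page): flag firewall rules that expose
# the Remote Assistance programs or TCP 135 to inbound traffic, per profile.

# NET_FW_PROFILE_TYPE2 bit flags from the Windows Firewall COM API.
$profileBits = @{ Domain = 1; Private = 2; Public = 4 }

function Get-RemoteAssistanceExposure {
    param([Parameter(Mandatory = $true)][object[]]$Rules)

    foreach ($rule in $Rules) {
        # Only enabled, inbound (Direction 1), allow (Action 1) rules open anything.
        if (-not $rule.Enabled -or $rule.Direction -ne 1 -or $rule.Action -ne 1) { continue }

        # Reduce the program path to its file name for comparison.
        $program = ''
        if ($rule.ApplicationName) {
            $program = (($rule.ApplicationName -split '\\')[-1]).ToLower()
        }
        # LocalPorts is a comma-separated string such as "135" or "135,445".
        $ports = @()
        if ($rule.LocalPorts) {
            $ports = @($rule.LocalPorts -split ',' | ForEach-Object { $_.Trim() })
        }

        $reason = $null
        if     ($program -eq 'msra.exe')     { $reason = 'msra.exe (Offer and Solicited Remote Assistance)' }
        elseif ($program -eq 'raserver.exe') { $reason = 'raserver.exe (Offer Remote Assistance)' }
        elseif ($rule.Protocol -eq 6 -and $ports -contains '135') {
            # Protocol 6 is TCP. Any rule that opens TCP 135 is reported,
            # whichever feature created it.
            $reason = 'TCP 135 (DCOM, used by Offer Remote Assistance)'
        }
        if (-not $reason) { continue }

        $profiles = @($profileBits.Keys |
                      Where-Object { $rule.Profiles -band $profileBits[$_] } |
                      Sort-Object)
        New-Object PSObject -Property @{
            Rule     = $rule.Name
            Reason   = $reason
            Profiles = ($profiles -join ',')
        }
    }
}

# Constructed sample rules (hypothetical names), shaped like INetFwRule objects.
function New-SampleRule($Name, $App, $Protocol, $Ports, $Profiles, $Enabled) {
    New-Object PSObject -Property @{
        Name = $Name; ApplicationName = $App; Protocol = $Protocol
        LocalPorts = $Ports; Profiles = $Profiles; Enabled = $Enabled
        Direction = 1; Action = 1
    }
}
$rules = @(
    (New-SampleRule 'RA (TCP-In)'        '%SystemRoot%\system32\msra.exe'     6 '*'   3 $true),
    (New-SampleRule 'RA server (TCP-In)' '%SystemRoot%\system32\raserver.exe' 6 '*'   1 $true),
    (New-SampleRule 'RA (DCOM-In)'       '%SystemRoot%\system32\svchost.exe'  6 '135' 1 $true),
    (New-SampleRule 'RA (TCP-In) public' '%SystemRoot%\system32\msra.exe'     6 '*'   4 $false)
)
# On a live computer, use the real rule set instead of the sample:
#   $rules = @((New-Object -ComObject HNetCfg.FwPolicy2).Rules)

Get-RemoteAssistanceExposure -Rules $rules |
    Select-Object Rule, Reason, Profiles | Format-Table -AutoSize
```

The disabled public-profile rule in the sample is skipped, so only rules that actually admit traffic are reported.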

The following list provides details about how Remote Assistance communicates through the Internet:

  • Specific information sent or received. Information that is transmitted in a Remote Assistance ticket includes the user name, IP address, and computer name. Information that is transmitted during a Remote Assistance session depends on the features that are being used (for example, screen sharing), and it is sent in real time by using point-to-point connections.

    Note
    In Solicited Remote Assistance, when a user creates an e-mail invitation for remote assistance, Remote Assistance uses the Simple MAPI (SMAPI) standard to communicate with the e-mail client, which means that the invitation is attached to the e-mail message.

  • Default settings. By default, the Remote Assistance feature is not installed on a server running Windows Server 2008 R2. The feature must be installed before a Remote Assistance session (solicited or offered) can begin.

    Default settings for Windows Firewall also have important effects on Remote Assistance as described in Windows Firewall settings in relation to Remote Assistance earlier in this section. However, the Remote Assistance Wizard allows you to begin selecting Remote Assistance options. Then it may display a notification that Windows Firewall is blocking Remote Assistance and provide you with information about how to configure Windows Firewall to make an exception for Remote Assistance. With this notification, a support professional can tell if Windows Firewall is blocking the attempted actions. However, if a support professional tries to use Offer Remote Assistance for a computer on which Windows Firewall is blocking the session, the session will not be established and no notification will appear on either computer.

    Regardless of any other settings, users can always prevent someone from connecting to their computers by declining prompts to begin a Remote Assistance session.

  • Triggers. With Solicited Remote Assistance, a user establishes contact with the helper by sending an invitation through e-mail, by saving an invitation as a file and transferring it manually (such as on a floppy disk), or through compatible instant-messaging software. To be compatible, instant-messaging software must use the Rendezvous API (an example is Windows Live Messenger 8.0).

    With Offer Remote Assistance, you offer unsolicited assistance to a user (which the user can decline). To do this, you must be an administrator on the user's computer or you must be on an Offer Remote Assistance list that is configured for the user's computer.

  • User notification. When you are at a computer running Windows 7 or Windows Server 2008 R2, you are notified of an offer of assistance (solicited or unsolicited) from another person. You must accept the invitation before the other person can see your computer. Then, before the other person can take control of your computer, you are asked whether to allow this. (Remote Assistance can also be configured to allow the other person to view but not take control of your computer.)

  • Logging. On the computer running Windows 7 or Windows Server 2008 R2, Remote Assistance records events in the System log in Event Viewer, and in a log file in the path \Users\user name\Documents\Remote Assistance Logs.

    Events such as a person initiating a connection or a person accepting or rejecting an invitation are recorded in the Remote Assistance logs, and the details include taking and releasing control, sending and accepting files, and ticket creation and deletion. Remote Assistance also records details such as whether assistance is solicited or unsolicited and detailed user name and IP address information.

  • Encryption. The Remote Desktop Protocol (RDP) encryption algorithm, RC4 128-bit, is used.

    Note
    One item in the Remote Assistance invitation (for Solicited Remote Assistance) that is not encrypted in some cases is a plain-text IP address. This plain-text IP address is included by default, for compatibility with Windows XP and Windows 2003. However, you can configure an option so that invitations will include the user's IP address in the encrypted form only (the form used by Windows Server 2008 R2 and Windows 7), without the address being unencrypted as required for Windows XP, Windows Vista, and Windows Server 2003. For more information, see Procedures for controlling or disabling Remote Assistance later in this section.

  • Access. No information is stored at Microsoft® facilities.

  • Transmission protocol and port. The port is dynamically selected by Remote Assistance, and the protocol is RDP. For Offer Remote Assistance, DCOM is also used.

  • Ability to disable. Solicited Remote Assistance and Offer Remote Assistance can be disabled by using Group Policy or through Control Panel. They can also be disabled by using an unattended installation with an answer file. For more information, see Procedures for controlling or disabling Remote Assistance later in this section.

When choosing among ways of controlling Remote Assistance, consider the types of assistance that are included in Remote Assistance in Windows 7 and Windows Server 2008 R2. The following list provides suggestions for using or controlling each type in a managed environment:

  • Controlling instant-message-based Remote Assistance: This is actually a form of Solicited Remote Assistance, so when you turn off Solicited Remote Assistance, you also turn off instant-message-based Remote Assistance. You can turn this off through Control Panel, through Group Policy, or with an unattended installation by using an answer file.

    As an alternative, you can exclude instant-messaging software from standard corporate computer configurations, and make sure that users do not have administrative accounts, so that they cannot install software on their computers. (This section does not provide details about how to do this.)

  • Controlling Solicited Remote Assistance where an invitation is sent by Easy Connect or e-mail or delivered as a file: On a computer running Windows 7 or Windows Server 2008 R2, you can avoid installing Remote Assistance, which turns off all forms of Remote Assistance. If you install Remote Assistance, you can turn off Solicited Remote Assistance through Group Policy or with an unattended installation by using an answer file. (This also turns off instant-message-based Remote Assistance, which is a form of Solicited Remote Assistance.)

    As a way to limit but not turn off Solicited Remote Assistance, you can configure it so that the IP address in the invitation is only in encrypted form. (This type of invitation does not work if it is sent to someone on a computer running Windows XP or Windows 2003). Another alternative is to allow Solicited Remote Assistance but allow the helper to view but not take control of the user's computer.

  • Controlling Offer Remote Assistance: On a computer running Windows Server 2008 R2, you can avoid installing Remote Assistance, which turns off all forms of Remote Assistance. If you install Remote Assistance, you can turn off Offer Remote Assistance through Group Policy or with an unattended installation by using an answer file.

    However, you might prefer to allow only Offer Remote Assistance and control the list of support professionals who are allowed to offer assistance. For Windows 7, Windows Server 2008 R2 (and several earlier operating systems), you can control this list on an individual computer or through Group Policy. If you do this, you also need to use Group Policy to enable the Remote Assistance exception in Windows Firewall.

    If you allow Offer Remote Assistance, another alternative is to allow the helper to view but not take control of the user's computer.

The following section provides information about using Group Policy. Later sections provide information about all methods for controlling Remote Assistance.

There are multiple Group Policy settings that you can configure to control the use of Remote Assistance, including settings for the following:

  • Solicited Remote Assistance

  • Offer Remote Assistance

  • Allow only Windows Vista or later connections

These policy settings are located in Computer Configuration under Policies (if present), in Administrative Templates\System\Remote Assistance. The configuration options for these policy settings are described in the following list:

  • Solicited Remote Assistance

    • Solicited Remote Assistance (enabled): When this policy setting is enabled, a person can create a Remote Assistance invitation that a helper at another computer can use to connect to the computer of the person who is requesting assistance. If given permission, the helper can view the screen, mouse, and keyboard activity in real time.

      The following additional configuration options are available when you enable this policy setting:

    • Solicited Remote Assistance (disabled): If the status is set to Disabled, the person at this computer cannot request Remote Assistance.

    • Solicited Remote Assistance (not configured): If the status is set to Not Configured, the configuration of solicited Remote Assistance is determined by the system settings.

  • Offer Remote Assistance

    • Offer Remote Assistance (enabled): When this policy setting is enabled, a remote user or administrator can offer Remote Assistance to a computer. When you configure this policy setting, you must also specify the list of users or user groups that will be allowed to offer remote assistance. Administrators of a given computer can offer remote assistance by default; they do not need to be added to the list.

      Additional configuration options are available when you enable this policy setting.

    • Offer Remote Assistance (disabled or not configured): If you disable or do not configure this policy setting, a helper cannot offer unsolicited remote assistance to that computer.

  • Allow only Windows Vista or later connections

    • Allow only Windows Vista or later connections (enabled): If you enable this policy setting, when an invitation for Solicited Remote Assistance is sent from a computer running Windows 7 or Windows Server 2008 R2, the invitation will include the user's IP address in encrypted form, but not in clear text as required by Windows XP and Windows Server 2003.

    • Allow only Windows Vista or later connections (disabled or not configured): If you disable or do not configure this policy setting, for Solicited Remote Assistance, invitations will include the user's IP address in clear text (as required for compatibility with Windows XP and Windows Server 2003), not only in the encrypted form that is used by Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

For information about additional configuration options, including a setting called Customize Warning Messages, see the Remote Assistance policy settings in Group Policy. To find more information about editing Group Policy, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2.

Note
You can also use Group Policy to specifically control how Remote Assistance interacts with User Account Control in Windows 7 or Windows Server 2008 R2 when the user does not have administrative credentials but the support professional does. In this case, Remote Assistance presents a User Account Control prompt to the remote helper. Otherwise, the desktop becomes a secure desktop and cannot be viewed remotely, so the support professional is presented with a blank screen.

To prevent this from occurring, in Group Policy, in Computer Configuration under Policies (if present), in Windows Settings\Security Settings\Local Policies\Security Options, find the setting called User Account Control: Allow UI Access applications to prompt for elevation without using the secure desktop.

The procedures in this section are grouped according to the method by which you perform them:

  • Controlling Remote Assistance on an individual computer running Windows 7 or Windows Server 2008 R2

  • Controlling Remote Assistance by using Group Policy

  • Controlling Remote Assistance during an unattended installation by using an answer file

This subsection contains procedures for configuring Remote Assistance on an individual computer running Windows 7 or Windows Server 2008 R2. The first two procedures apply only to Windows Server 2008 R2. The remaining procedures apply both to Windows 7 and Windows Server 2008 R2.

  1. If you recently installed Windows Server 2008 R2, and the Initial Configuration Tasks interface is displayed, under Customize This Server, click Add features. Then skip to step 3.

  2. If the Initial Configuration Tasks interface is not displayed and Server Manager is not running, click Start, click Administrative Tools, and then click Server Manager. (If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.)

    Then, in Server Manager, under Features Summary, click Add Features.

  3. In the Add Features Wizard, select the check box for Remote Assistance.

  4. Follow the instructions in the wizard to complete the installation.

  1. If Server Manager is not already open, click Start, click Administrative Tools, and then click Server Manager. (If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.)

  2. In Server Manager, under Features Summary, click Remove Features.

  3. In the Remove Features Wizard, clear the check box for Remote Assistance.

    In this wizard, you remove a feature by clearing a check box (not by selecting a check box).

  4. Follow the instructions in the wizard to complete the removal.

Note
You can perform the following procedure only if Remote Assistance is installed. For information about installing and uninstalling Remote Assistance, see the previous procedures.

  1. Click Start, point to Settings, and then click Control Panel.

  2. Double-click System.

  3. In the left pane, click Remote settings.

  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  5. On the Remote tab, under Remote Assistance, click Advanced.

  6. Select the check box labeled Create invitations that can only be used from computers running Windows Vista or later.

    Important
    When this option is selected, Remote Assistance invitations that are sent from this computer contain the IP address in encrypted form only, which prevents the invitation from working if it is received on a computer running Windows XP or Windows Server 2003.

For information about a Group Policy setting that overrides this Control Panel setting, see To use Group Policy to maximize the encryption in Remote Assistance invitations that are sent later in this section.

  1. Click Start, point to Settings, and then click Control Panel.

  2. Double-click System.

  3. In the left pane, click Remote settings.

  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  5. On the Remote tab, under Remote Assistance, click Advanced.

  6. Clear the check box labeled Allow this computer to be controlled remotely.

For information about a Group Policy setting that overrides this Control Panel setting, see To use Group Policy to allow helpers to view but not take control of a user’s computer later in this section.

  1. Click Start, point to Settings, and then click Control Panel.

  2. Double-click System.

  3. In the left pane, click Remote settings.

  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  5. On the Remote tab, under Remote Assistance, clear the check box labeled Allow Remote Assistance connections to this computer. (Clearing this check box disables Solicited Remote Assistance, but it does not disable Offer Remote Assistance.)

  6. Click OK.

  7. Click the Back button, and then double-click User Accounts.

  8. Click Manage User Accounts.

  9. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  10. Under Users for this computer, determine if the list includes the people who should be able to offer Remote Assistance to this computer. If it does not, use the Add button to add one or more user accounts to the list.

  11. Click the account of a person who you want to allow to offer Remote Assistance to this computer, click Properties, and make sure the Group Membership tab is selected. Click Other, expand the list, and click Offer Remote Assistance Helpers. (If you click Administrator instead of Other, the person will have full control on this computer, which includes offering remote assistance.)

For information about a Group Policy setting that overrides this Control Panel setting, see To use Group Policy to configure exclusive "Offer Remote Assistance" later in this section.

This subsection contains procedures for controlling Remote Assistance by using Group Policy. For information about an additional Group Policy setting, which affects the way Remote Assistance interacts with User Account Control in cases where the user (the person receiving assistance) does not have administrative credentials, see the note just before Procedures for controlling or disabling Remote Assistance earlier in this section.

  1. See Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2 for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer running Windows Server 2008 R2 or Windows 7. Then open Group Policy Management Console (GPMC) by running gpmc.msc and edit an appropriate Group Policy object (GPO).

  2. Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, and then click Remote Assistance.

  3. In the details pane, double-click Allow only Windows Vista or later connections, and then click Enabled. (You can also click the Explain tab to see details about how the setting works.)

    Important
    When this setting is enabled, Remote Assistance invitations sent from computers affected by this policy setting contain the IP address in encrypted form only, which prevents the invitation from working if it is received on a computer running Windows XP or Windows Server 2003.

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2, and then edit an appropriate GPO.

  2. Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, and then click Remote Assistance.

  3. If you permit Solicited Remote Assistance, in the details pane, double-click Solicited Remote Assistance, click Enabled, and under Permit remote control of this computer, select Allow helpers to only view the computer, and then click OK.

  4. If you permit Offer Remote Assistance, in the details pane, double-click Offer Remote Assistance, click Enabled, and under Permit remote control of this computer, select Allow helpers to only view the computer. (If you have not already clicked Show and used the Add button to add the accounts of support professionals who you want to allow to offer assistance, you must do so before you can click OK.)

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2, and then edit an appropriate GPO.

  2. Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, and then click Remote Assistance.

  3. In the details pane, double-click Solicited Remote Assistance, click Disabled, and then click Next Setting.

  4. For the Offer Remote Assistance setting, click Enabled, click Show, and use the Add button to add accounts of support professionals who you want to allow to offer assistance.

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2, and then edit an appropriate GPO.

  2. Expand Computer Configuration, expand Policies (if present), expand Administrative Templates, expand System, and then click Remote Assistance.

  3. In the details pane, double-click Solicited Remote Assistance, click Disabled, and then click Next Setting.

  4. For the Offer Remote Assistance setting, click Disabled, and then click OK.

This subsection contains procedures for controlling Remote Assistance by using an answer file with an unattended installation.

  1. Use the methods that you prefer to create an answer file for an unattended installation. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment for Windows Server 2008.

  2. Confirm that your answer file includes the following line:

    <CreateEncryptedOnlyTickets>true</CreateEncryptedOnlyTickets>
    

  1. Use the methods that you prefer to create an answer file for an unattended installation or remote installation. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment for Windows 7 and Windows Server 2008 R2.

  2. To disable Solicited Remote Assistance, confirm that your answer file includes the following line:

    <fAllowToGetHelp>false</fAllowToGetHelp>
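
A check for the two answer-file procedures above, as an added PowerShell example that is not part of the original page: it parses an answer file and reports whether `CreateEncryptedOnlyTickets` and `fAllowToGetHelp` are present with the values the procedures give. The sample answer file is constructed, its `<component>` wrapper and component name are assumptions, and the function name is hypothetical.

```powershell
# Added example: verify that an answer file carries the two Remote Assistance
# settings with the values this page's procedures call for.

# Constructed sample. The <component> wrapper and its name are assumptions for
# illustration; only the two setting elements are taken from the page.
$sampleAnswerFile = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-RemoteAssistance-Exe">
      <CreateEncryptedOnlyTickets>true</CreateEncryptedOnlyTickets>
      <fAllowToGetHelp>true</fAllowToGetHelp>
    </component>
  </settings>
</unattend>
'@

# Expected values, as given in the page's answer-file procedures.
$expected = @{
    CreateEncryptedOnlyTickets = 'true'    # IP address in encrypted form only
    fAllowToGetHelp            = 'false'   # Solicited Remote Assistance disabled
}

function Test-RemoteAssistanceAnswerFile {
    param(
        [Parameter(Mandatory = $true)][string]$XmlText,
        [Parameter(Mandatory = $true)][hashtable]$Expected
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)    # throws if the answer file is not well-formed XML

    foreach ($name in ($Expected.Keys | Sort-Object)) {
        # Match on local name so the check works with or without the namespace.
        $values = @($doc.SelectNodes("//*[local-name()='$name']") |
                    ForEach-Object { $_.InnerText.Trim() })
        $distinct = @($values | Sort-Object -Unique)

        # A setting that appears twice with different values is reported
        # separately, because which one takes effect is not obvious.
        if     ($values.Count -eq 0)               { $status = 'Missing' }
        elseif ($distinct.Count -gt 1)             { $status = 'Conflicting values' }
        elseif ($distinct[0] -eq $Expected[$name]) { $status = 'OK' }
        else                                       { $status = 'Wrong value' }

        New-Object PSObject -Property @{
            Setting  = $name
            Expected = $Expected[$name]
            Found    = ($distinct -join ', ')
            Status   = $status
        }
    }
}

Test-RemoteAssistanceAnswerFile -XmlText $sampleAnswerFile -Expected $expected |
    Select-Object Setting, Expected, Found, Status | Format-Table -AutoSize
```

The sample deliberately leaves `fAllowToGetHelp` set to `true`, so the report shows one setting as OK and one as a wrong value. To check a real file, pass `[System.IO.File]::ReadAllText($path)` as `-XmlText`.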
    
