🚀 Remote Help in Intune – Setup, Roles & How to Avoid the UAC Black Screen

-

If you’re still using Quick Assist in enterprise environments, it’s time to move forward.

With Remote Help in Intune, you get:

  • ✅ Entra ID integration
  • ✅ Role-based access control (RBAC)
  • ✅ Elevation support
  • ✅ Auditing and logging

🔔 Important: Starting June 2026, Remote Help is included in Microsoft 365 E3 and E5 licenses — removing the need for separate licensing and making it the natural choice for enterprise remote support.

🔐 Step 1 – Assign Required Roles (Important!)

Before anything else, you must assign the correct roles.

Navigate to:

Intune admin center → Tenant administration → Roles
✅ Recommended roles:
  • Help Desk Operator
  • Remote Help Operator (if available in your tenant)
Required permissions:
  • Remote Help usage
  • Device interaction
  • User support capabilities

👉 Without proper role assignment, Remote Help will either fail or run in limited mode.

Step 2 – Enable and Configure Remote Help

Go to:

Intune admin center → Tenant administration → Remote Help

Enable the following:

  • Enable Remote Help
  • Enable role-based access control
📩 Step 3 – Deploy the Remote Help App

Deploy Remote Help via Intune:

Apps → Windows → Add → Microsoft Store app (new)

Search for:

Remote Help

Assign it to:

  • IT administrators
  • Support staff
⚠️ BEFORE YOU START – Fix the UAC Black Screen Issue

This is the most critical step.

If you skip this configuration, you will run into:

đŸ”Č Black screen when trying to run anything as administrator
❌ What happens WITHOUT configuration

When you choose:

Run as administrator

Windows switches to:

🔐 Secure Desktop (UAC isolation)

Result:

  • Remote session cannot display the prompt
  • Screen turns black
  • You lose visibility and control


✅ Fix – Configure UAC via Intune

To resolve this, configure UAC properly.

Navigate to:

Devices → Configuration profiles → Settings catalog

Then:

  1. Click Add settings
  2. Search for:
    Secure Desktop
  3. Locate:
    User Account Control: Switch to the secure desktop when prompting for elevation

👉 Set this to:

Disabled
✅ What this changes

After disabling Secure Desktop:

  • UAC prompts stay in the normal desktop session
  • Remote Help can display them correctly
  • ✅ No more black screen
  • ✅ Full admin workflow remotely









🔐 Optional – Recommended UAC Behavior

You can also configure:

User Account Control: Behavior of the elevation prompt

Suggested configurations:

For standard environments:

Prompt for credentials

For kiosk / locked-down environments:

Automatically deny elevation requests
đŸ§Ș Step 4 – Start a Remote Help Session
  1. Launch Remote Help
  2. Sign in with Entra ID
  3. Select:
    Take full control
  4. During the session, click:
    Elevate

✅ This ensures the session runs with admin privileges.

💡 Pro Tip (Important)

Never log off during a Remote Help session.

The session is tied to the current user context and will disconnect immediately.

👉 Instead, always use:

Elevate
⚔️ Quick Assist vs Remote Help (Reality Check)
FeatureQuick AssistRemote Help
Enterprise ready
RBAC
Entra ID integration
UAC handling❌ Poor✅ Proper
Elevation support⚠️ Limited✅ Built-in
🧠 Best Practice (Real-world / Kiosk / Library setups)

For controlled environments like kiosks or libraries:

  • ✅ Use Remote Help only
  • ✅ Disable Secure Desktop (UAC)
  • ✅ Keep users as standard users
  • ✅ Use RBAC for support staff
🚀 Final Thoughts

If you want a modern, secure, and fully functional remote support solution in Intune:

Remote Help is the way forward
Quick Assist is no longer enough

And remember:

🔑 If you don’t disable Secure Desktop, you will get a black screen — no matter what tool you use



Kommentarer

Skicka en kommentar

PopulÀra inlÀgg i den hÀr bloggen

🚀 Force Reinstallation of an Intune App

-
Bild
  – When Intune refuses to reinstall a program you’ve already removed Sometimes an application deployed through Microsoft Intune won’t reinstall even after you’ve manually uninstalled it. That’s because Intune tracks installation status using both registry entries and detection rules to decide whether an app is already present. Here’s how to fully reset that state and force a reinstallation — step by step. 💡 Why Intune won’t reinstall the app When a Win32 app is deployed via Intune, the Intune Management Extension stores app metadata in the Windows registry under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps This registry data tells Intune which apps are installed, when, and by which user. On every policy sync, Intune checks the detection rule defined for the app. If the detection rule still reports the app as “installed” — even though you removed it — Intune will skip reinstallation . 🔧 Step-by-Step Guide 1️⃣ Uninstall the App F...
Read more »

đŸ””Troubleshooting Intune Device Enrollments: Understanding GUIDs, Registry Paths, and EnterpriseMgmt Tasks

-
Bild
This guide explains how to diagnose Intune MDM issues on a Windows device by using two key locations: Task Scheduler → EnterpriseMgmt Registry → HKLM\SOFTWARE\Microsoft\Enrollments These two locations always contain matching GUID folders , and together they show the full state of the device’s MDM enrollment. 📌 Introduction: Why do these GUID folders exist? When a Windows device enrolls into Intune (MDM) , Windows generates a unique GUID folder for that enrollment. That GUID is used in two places: đŸ”č 1. Task Scheduler Task Scheduler → Microsoft → Windows → EnterpriseMgmt → {GUID} This folder contains scheduled jobs that handle: MDM sync certificate renewal policy retrieval push notification handling đŸ”č 2. Registry HKLM\SOFTWARE\Microsoft\Enrollments\{GUID} This folder contains detailed information: tenant ID enrollment type certificate thumbprints renewal status MDM server URLs device identity 👉 Both folders describe the same en...
Read more »

🚀 Windows Autopilot Self-Deploying Mode — Zero-Touch Setup That Feels Like Magic

-
Bild
Just imagine this: You unwrap a brand-new PC or reinstall Windows 11 from scratch… and before you even touch the keyboard, the device automatically: ✅ Joins Microsoft Entra ID (Azure AD) ✅ Syncs all Intune apps, settings, and policies ✅ Lands straight on the sign-in screen — ready for the user No technician. No clicks. No wasted time. That’s Windows Autopilot Self-Deploying Mode — effortless, hands-free provisioning that just works. The only prerequisite? Register the device’s Hardware Hash (HWID) in Intune first. Here’s the cleanest 10-minute setup guide to make it happen — perfect for brand-new or freshly reinstalled devices. ⚡ Step-by-Step: Configure Windows Autopilot Self-Deploying Mode in Under 10 Minutes 1️⃣ Start Fresh Use a new PC or perform a clean Windows 11 installation (OOBE stage). 2️⃣ Insert a USB Drive 3️⃣ Identify the Drive Letter Press Shift + F10 , open PowerShell, and run: Get-Volume Find your USB drive letter (e.g., E:). 4️⃣ Run the Script Execute: .\auto...
Read more »