Supporting Windows 7 Users with Remote Assistance

10/7/2009

Contents

Understanding Remote Assistance
Implementing and Managing Remote Assistance
Summary
Additional Resources

Implementing and Managing Remote Assistance

Remote Assistance is a powerful and flexible feature that can be used in many different ways to support users within large enterprises, medium-sized businesses, and SOHO environments. This section outlines how to initiate Remote Assistance sessions from both the UI and the command line. This section also demonstrates how to use Remote Assistance in an enterprise Help Desk environment involving two common scenarios:

Helper offers Remote Assistance to a User who telephones the Help Desk with a problem.
User creates a Remote Assistance invitation and saves it on a network share that is monitored by Help Desk personnel.

For information on other scenarios for implementing Remote Assistance, including sending invitations with Windows Mail and Windows Messenger, search for the topic “Remote Assistance” within Windows Help and Support.

Initiating Remote Assistance Sessions

Remote Assistance sessions can be initiated from either the UI or the command line. A significant usability enhancement, from the perspective of support personnel, is that Offer RA is no longer buried within Help And Support as it is in Windows XP, but instead is easily accessible now from the graphical user interface (GUI).

Initiating Remote Assistance from the GUI

Initiating Remote Assistance sessions from the GUI can be done using the following methods:

From the Start menu, click Start, point to All Programs, select Maintenance, and then select Windows Remote Assistance.
Click Start and type assist in the Start menu search box. When Windows Remote Assistance appears in the search results under Programs, click it.

Either of these actions will open the initial Remote Assistance screen, shown in Figure 22-2.

Figure 22-2 The initial screen of Windows Remote Assistance

When this initial screen appears, you can do either of the following:

Solicit Remote Assistance from someone by clicking the Invite Someone You Trust To Help You option, which displays the How Do You Want To Invite Your Trusted Helper? screen, as shown in Figure 22-3.

Figure 22-3 The screen for soliciting Remote Assistance from someone
Accept a Remote Assistance invitation from someone or offer Remote Assistance to someone by clicking the Help Someone Who Has Invited You option, which displays the Choose A Way To Connect To The Other Person’s Computer screen, as shown in Figure 22-4.

Figure 22-4 The screen for offering Remote Assistance to someone

The How Do You Want To Invite Your Trusted Helper? screen (see Figure 22-3) lets you select from the following methods for soliciting Remote Assistance:

Save This Invitation To A File Selecting this option lets you save your Remote Assistance invitation file to a folder on your computer or to an available shared folder on the network.
Use E-mail To Send An Invitation Selecting this option starts your e-mail client application, creates a new message, and attaches the invitation file to the message. Note that if you do not have an SMAPI-compatible e-mail client application on your computer, this option will be unavailable.
Use Easy Connect Selecting this option creates and publishes your Remote Assistance invitation file to the cloud using PNRP and displays a 12-character password that you must communicate OOB to your Helper for him to accept your invitation. If, however, you previously used Easy Connect to establish a Remote Assistance session with the same Helper, the Helper can accept your invitation without any password required.

The Choose A Way To Connect To The Other Person’s Computer screen (see Figure 22-4) lets you accept a Remote Assistance invitation from someone or offer Remote Assistance to someone. The following options are available on this screen for accepting a Remote Assistance invitation from someone:

Use An Invitation File Selecting this option lets you browse your local file system or network share for the Remote Assistance invitation from someone who needs your help. You will need the password associated with the invitation, which must be provided OOB by the User who needs help.
Use Easy Connect Selecting this option lets you browse the PNRP cloud for the Remote Assistance invitation from someone who needs your help. The first time you use Easy Connect to help this individual, you will need the password associated with the invitation, which must be provided OOB by the User who needs help. For subsequent times that you use Easy Connect to help this individual, the password is not required.

To offer Remote Assistance to someone, click the Advanced Connection Option For Help Desk link at the bottom of Figure 22-4. Additional steps for soliciting and offering Remote Assistance are described in the scenario sections later in this chapter.

HOW IT WORKS

RA Invitation Files

Remote Assistance invitation files (.MsRcIncident) are XML-formatted file documents that include information used by the Helper’s computer that will attempt to connect. This ticket information is encrypted to prevent unauthorized users from accessing the information if e-mail or file transfer is used to send the invitation over an unsecured network.

If the e-mail method is used to send the invitation file to the Helper, the invitation file is sent as an e-mail attachment with a filename of RATicket.MsRcIncident. If the file transfer method is used instead, the invitation file is created by default on the desktop of the User’s computer, and the filename of the invitation is Invitation.MsRcIncident.

Initiating Remote Assistance from the Command Line

Remote Assistance in Windows 7 and Windows Vista is implemented as a stand-alone executable called Msra.exe. You can initiate Remote Assistance sessions directly from the command line or by using scripts. The syntax and usage for this command is explained in Table 22-3.

Table 22-3. Syntax and Usage for Command-Line Remote Assistance (Msra.exe)

OPTION	SUPPORTED ON	DESCRIPTION
/novice	Windows 7 Windows Vista	Starts Remote Assistance as Novice (User) in Solicited RA mode and presents the user with the choice of either sending a Remote Assistance ticket using a SMAPI-enabled e-mail application such as Windows Mail or by saving the invitation as a file. After this choice has been made, Windows Remote Assistance opens on the User’s computer in the Waiting For Connect state.
/expert	Windows 7 Windows Vista	Starts Remote Assistance in the Helper mode and presents the choice of either specifying the location of a Remote Assistance ticket to open or specifying the User’s computer name or address (Offer RA). The computer name can be either a host name (if the User is on the local subnet) or an FQDN (DNS name), and the address can be either an IPv4 address or an IPv6 address. Unsolicited Remote Assistance without an invitation requires preconfiguration of the remote computer being helped.
/offerRA computer	Windows 7 Windows Vista	Starts Remote Assistance as Helper in Unsolicited (Offer) RA mode and uses DCOM to remotely open Remote Assistance on the User’s computer and then connect to the User’s computer to initiate a Remote Assistance session. The User’s computer can be specified using either its computer name or address. The computer name can be either a host name (if the User is on the local subnet) or a FQDN (DNS name), and the address can be either an IPv4 address or an IPv6 address. This method is demonstrated in more detail in the section titled "Scenario 3: Offering Remote Assistance Using DCOM" later in this chapter.
/email password	Windows 7 Windows Vista	Starts Remote Assistance as Novice (User) in Solicited RA mode and creates a password-protected RA ticket that is attached to a new Remote Assistance invitation message opened by the default SMAPI-enabled e-mail client (which by default is Windows Mail). The password must be six characters or more and must be relayed separately to the Helper. The e-mail client application launches a window with the invitation file attached. The User must enter the e-mail address of the Helper in the To field to send the message to the Helper.
/saveasfile path password	Windows 7 Windows Vista	Starts Remote Assistance as Novice (User) in Solicited RA mode and creates a password-protected Remote Assistance ticket that is saved at the path specified. The path can be either a local folder or network share, and the User must have appropriate permissions on the destination folder to create the file. The path must include a file name for the ticket. (The .MsRcIncident file extension will be automatically added to the file name.) The password must be six characters or more. Use of this method is demonstrated in more detail in the section titled "Scenario 2: Soliciting Remote Assistance by Creating Remote Assistance Tickets and Saving Them on Monitored Network Shares" later in this chapter.
/openfile path password	Windows 7 Windows Vista	Starts Remote Assistance as Expert (Helper) in Solicited RA mode and opens a previously created Remote Assistance ticket that was saved within the path specified. The path may be either a local folder or network share, and the Helper must have appropriate permissions on the destination folder to open the file. The path must include the file name of a valid ticket that has the .MsRcIncident file extension. The password must be the same password that was used by the User to secure the ticket when it was created.
/geteasyhelp	Windows 7 only	Starts Remote Assistance as Novice (User) in Solicited RA mode and with the Easy Connect option already selected. After the Remote Assistance invitation has been posted to the PNRP cloud, the User is presented with a 12-character password that she must communicate OOB to the Expert (Helper), which the Helper can then use to accept the invitation and initiate the Remote Assistance session.
/offereasyhelp address	Windows 7 only	Starts Remote Assistance as Expert (Helper) in Offer RA mode and with the Easy Connect option already selected. The Helper is presented with a dialog box for entering the 12-character password that was communicated OOB to him by the Novice (User), which is needed by the Helper to accept the invitation and initiate the Remote Assistance session.
/getcontacthelp address	Windows 7 only	Starts Remote Assistance as Novice (User) in Solicited RA mode with the Easy Connect option already selected and with the Remote Assistance history contact specified by address already selected. You can find address for a contact in your Remote Assistance history by opening the RAContacthistory.xml file located in the \Users\Username\Appdata\Local folder on your computer. The format for address is a 40-character hexadecimal string with .RAContact appended to it.
/offercontacthelp address	Windows 7 only	Starts Remote Assistance as Expert (Helper) in Offer RA mode with the Easy Connect option already selected and with the Remote Assistance history contact specified by address already selected. You can find address for a contact in your Remote Assistance history by opening the RAContacthistory.xml file located in the \Users\Username\Appdata\Local folder on your computer. The format for address is a 40-character hexadecimal string with .RAContact appended to it.

Scenario 1: Soliciting Remote Assistance Using Easy Connect

In Windows 7, the simplest way for home users to request assistance from others is to use Easy Connect. (Easy Connect is not intended for enterprise environments because it requires global P2P connectivity to work.) In the following scenario, Tony Allen, a Novice user, requests help from Karen Berg, a friend who is an Expert user. Tony solicits Karen’s help for the first time by starting Remote Assistance on his computer and selecting Invite Someone You Trust To Help You followed by Use Easy Connect. At this point, Windows Remote Assistance displays a password, as shown in Figure 22-5.

Figure 22-5 Tony’s computer displays the password needed for Karen to connect using Remote Assistance.

Tony telephones Karen, indicates that he wants her to help him using Remote Assistance, and gives her the password. Karen now starts Remote Assistance on her own computer and selects Help Someone Who Has Invited You. Windows Remote Assistance opens and displays the dialog box shown in Figure 22-6.

Figure 22-6 Karen needs Tony’s password to connect to his computer using Remote Assistance.

Karen enters the password Tony has given her and clicks Enter. Karen’s computer searches the PNRP cloud for Tony’s Remote Assistance invitation and displays Attempting To Connect in the Remote Assistance status bar. When the invitation has been found, the status bar message changes to Waiting For Acceptance. At this point, a dialog box will appear on Tony’s computer asking if he would like to allow Karen to connect to his computer and view his desktop (shown in Figure 22-7). Tony has two minutes to respond to this dialog box before the offer times out and the dialog box disappears, which will cause a message saying “The person you are trying to help isn’t responding” to appear on Karen’s computer.

Figure 22-7 Tony must allow the Remote Assistance connection to occur.

Tony clicks Yes and the Remote Assistance session begins. At this point, the desktop properties of Tony’s desktop may change (based on configurable settings) to optimize the network bandwidth used by Remote Assistance for screen updates on Karen’s computer. Karen can now request control from Tony, send files to Tony or receive files from him, chat with Tony, or disconnect the session. Tony can send and receive files, chat, or pause or disconnect the session.

If Tony needs help again from Karen on some future occasion, the steps involved are simpler. Tony starts Remote Assistance and selects Invite Someone You Trust To Help You. Remote Assistance displays the history list of recent contacts Tony has used before as Helpers, as shown in Figure 22-8.

Figure 22-8 Karen is listed as a contact in Tony’s history list.

Tony clicks Karen’s contact info in his history list. This time, instead of a password being displayed, a message appears, indicating that Tony should tell Karen he needs her help (shown in Figure 22-9).

Figure 22-9 No password is needed on subsequent requests for help that use Easy Connect.

Tony telephones Karen and asks her to start Remote Assistance on her computer. Karen does this and selects Who Do You Want To Help (shown in Figure 22-10).

Figure 22-10 Tony is listed as a contact in Karen’s history list.

Karen clicks Tony’s contact info in her history list. Karen’s computer searches the PNRP cloud for Tony’s Remote Assistance invitation and displays Waiting For Acceptance in the Remote Assistance status bar when the invitation is found. Tony then clicks Yes, and the new Remote Assistance session begins.

You can also use the new command-line switches for Msra.exe in Windows 7 to simplify the Easy Connect experience even further. For example, if Tony frequently needs help from Karen, Karen (the Expert user) could create a shortcut on Tony’s desktop that executes the following command:

msra.exe /getcontacthelp address

Here, address is the value of the ADDRESS attribute in Karen’s Remote Assistance history contact information on Tony’s computer, which is stored as an XML element in the RAContacthistory.xml file located in the \Users\TALLEN\Appdata\Local folder on Tony’s computer. The contents of this file might look like the following:

<?xml version="1.0"?>
<RAINVITATIONCOLL>
<RAINVITATIONITEM NAME="KBERG" COMPUTERNAME="KBERG-PC" AVATAR="Qk1QgA...[lots of
characters]..."
PUBLICKEY="BgIAAAC..."
ADDRESS="5823b8d7b47af2c1cd94f32535a79d8f0569e7d0.RAContact"
TYPE="1"
TIME="20090320170235.779000"/>
</RAINVITATIONCOLL>

Using this example, the shortcut Karen creates on Tony’s computer should execute the following command:

msra.exe /getcontacthelp 5823b8d7b47af2c1cd94f32535a79d8f0569e7d0.RAContact

Karen can then create a similar shortcut on her own computer using Tony’s Remote Assistance history contact information, which is stored as an XML element in the RAContacthistory.xml file located in the \Users\KBERG\Appdata\Local folder on Karen’s computer. After this is done, Tony can request assistance by simply double-clicking the shortcut on his desktop, and once he has informed Karen of this, Karen then double-clicks the corresponding shortcut on her own computer, and when Tony agrees to allow the connection, the session is started.

DIRECT FROM THE SOURCE

How Easy Connect Works

John Thekkethala, Program Manager

Remote Assistance Team

The new Easy Connect feature simplifies Remote Assistance by enabling a direct P2P transfer of the Remote Assistance invitation using PNRP. When the User starts Remote Assistance and selects Invite Someone You Trust To Help You and then Use Easy Connect, a Remote Assistance invitation is created, encrypted, and published as a payload on a node in the PNRP cloud. This invitation will be retrieved by the Helper from the PNRP cloud and the information is used to establish a Remote Assistance connection to the User.

When the invitation is created, a 12-character alphanumeric password is generated automatically and is displayed in the Tell Your Helper The Easy Connect Password dialog box. The first time the User uses any particular Helper, the password must be relayed OOB to the Helper before the Helper can connect to the User’s computer. The password is case insensitive and avoids characters and numbers that could look similar (such as I and 1, 5 and S, and 0 and O).

After the PNRP node has been created in the PNRP cloud, the User’s computer waits for an incoming connection from the Helper’s computer. This node will exist for 30 minutes before expiring and invalidating the invitation.

The Helper starts Remote Assistance, selects Help Someone Who Has Invited You and then Use Easy Connect, and enters the password relayed OOB from the User. The Helper’s computer uses the password to locate the PNRP node containing the User’s invitation, grabs the payload (that is, the invitation), and decrypts it. Remote Assistance uses the invitation to connect to the User’s computer. Of course, after the Remote Assistance connection has been established, the User must still provide explicit consent before his desktop is remoted.

When a Remote Assistance session has been established using Easy Connect, the User and the Helper become trusted contacts of each other. The Remote Assistance history store on each computer is used to maintain a list of records of trusted contacts that were established using Easy Connect. These records contain the following information for each trusted contact:

User name
Computer name
User graphic (associated with the user logon account)
Date and time of connection
Public key of the connected user

Each history record identifies a specific user on a specific computer. A record is created only if each side of the connection has positive confirmation that the other side has received the user’s entire contact info. Note that the Remote Assistance contact history does not include the user’s role (User or Expert). This means that when trust is established between two user/computer pairs, either one of them may take the role of User and ask the other for assistance.

The next time the User tries to solicit assistance from the same Helper using Easy Connect, the User simply starts Remote Assistance and selects the Helper from the User’s Remote Assistance contact list—no password is needed because the Helper is already trusted by the user. The Remote Assistance ticket is exchanged using Secure PNRP. All the User needs to do is notify the Helper that assistance is requested, and this can be done by telephone, IM, or any other OOB method.

After the User has notified the Helper that assistance is requested, the Helper starts Remote Assistance and selects the contact of the user. The Helper’s computer uses Secure PNRP to retrieve the Remote Assistance invitation and the Remote Assistance session with the User is established without any password needing to be entered by the Helper.

Scenario 2: Soliciting Remote Assistance by Creating Remote Assistance Tickets and Saving Them on Monitored Network Shares

Another way that you can use Remote Assistance in an enterprise environment is by having users create invitation files and save them on a network share that is monitored by Help Desk personnel. This way, when Help Desk determines that a new ticket has been uploaded to the share, a support person can call the user on the telephone to obtain the password for the ticket and then use the ticket to establish a Remote Assistance session with the user who needs help.

To make the procedure easier, administrators can first deploy a script on users’ desktops that uses command-line Remote Assistance (via Msra.exe) to create the invitation file and save it on the network share. For example, let’s say that users’ invitation files should be uploaded to \\FILESRV3.contoso.com\Support\IncomingTickets, a folder in the Support share on the file server named FILESRV3. The following script, named SubmitTicket.vbs, could be deployed on each user’s desktop to accomplish this task.

dim strPassword
dim strUser
dim strTicketName

strPassword = InputBox("Enter a password for your ticket")
Set WshShell = Wscript.CreateObject("Wscript.Shell")
strUser = WshShell.ExpandEnvironmentStrings("%username%")
strTicketName = strUser & "-" & Year(Now) & "-" & Month(Now) & "-" & Day(Now)  & _
   "-" & Hour(Now) & "-" & Minute(Now) & "-" & Second(Now)
strRA = "msra.exe /saveasfile \\FILESRV3\Support\IncomingTickets\" & _
   strTicketName & " " & strPassword
WshShell.Run strRA

When the user double-clicks this script to run it, an Input box appears asking the user to provide a password to be used to secure the invitation. After the user supplies a password, a new Remote Assistance ticket is created and saved in the target folder on the file server. The name of the ticket is unique and consists of the user’s name followed by the date and time, such as tallen-YYYY-MM-DD-HH-MM-SS.MsRcIncident. When the support person monitoring the share has obtained the ticket’s password using an OOB method such as a telephone call, the support person opens the ticket. After the user grants consent, the Remote Assistance connection is established.

To monitor the IncomingTickets folder in the network share, Help Desk personnel can use the file-screening capabilities of file servers running Windows Server 2008. To do this, perform the following steps to create a passive file screen that monitors the folder and sends an e-mail alert to a Help Desk alias whenever a new ticket is uploaded to the folder:

Install or upgrade the File Server role on the Windows Server 2008 computer where the Support folder is located.
Start the File Server Resource Manager console from Administrative Tools, right-click the root node, and select Configure Options.
Specify the DNS name of the IP address of a Simple Mail Transfer Protocol (SMTP) host that can be used to forward alert e-mails that are generated by the file screen you will create.
Click OK to close File Server Resource Manager Options and expand the console tree to select File Screens under File Screening Management.
In the Action pane, select the Create File Screen option.
Click Browse to select the Incoming folder for the File Screen Path.
Select the Define Custom File Screen Properties option and click Custom Properties.
Choose the Passive Screening option so that uploaded tickets will only be monitored and not blocked by the screen.
Click Create to create a new file group called RA Tickets, and click Add to add files of type *.MsRcIncident to the group.
Click OK to return to the properties sheet for the new file screen and select the check box for the RA Tickets file group you just created.
Click the E-mail tab and specify a support alias (such as support@contoso.com) that will be notified whenever a new ticket is uploaded to the folder. Configure a suitable subject and body for the message.
Click Create to create the new file screen and then choose the option to save the screen without creating a template.
Test the new file screen by opening a command prompt on a user’s computer and then typing msra.exe /saveasfile path password, where path is the UNC path to the Incoming folder within the Support share on the file server, and password is any password of six or more characters that you specify.

Scenario 3: Offering Remote Assistance Using DCOM

Before you can offer Remote Assistance to other users, your user account must be authorized as a Helper on the User’s computer. You should use Group Policy to do this in an enterprise environment. (See the section titled "Managing Remote Assistance Using Group Policy" later in this chapter for information on how to do this.)

After a support person (or group of individuals) has been configured as a Helper for all Windows 7 computers in a domain or organizational unit (OU), the support person can offer Remote Assistance to users of those computers when they need assistance. For this scenario, let’s say that Tony Allen (tallen@contoso.com) is a Windows 7 user who needs assistance with an issue on his computer. Tony telephones the Help Desk department, and the call is taken by Karen Berg (kberg@contoso.com), who asks Tony for the name or IP address of his computer. Tony provides Karen with his fully qualified computer name (TALLEN-PC.contoso.com) or IP address. Karen then offers assistance to Tony by starting Remote Assistance on her computer, selecting Help Someone Who Has Invited You, clicking Advanced Connection Option For Help Desk, and entering the name or IP address of Tony’s computer (shown in Figure 22-11).

Figure 22-11 Karen offers help to Tony using an unsolicited RA.

The experience is even easier if Karen needs to offer help to Tony again on some future occasion. Karen simply starts Remote Assistance on her computer, selects Help Someone Who Has Invited You, and clicks Advanced Connection Option For Help Desk, and the name or IP address of Tony’s computer is displayed in her Remote Assistance history list (shown in Figure 22-12).

Figure 22-12 The history list makes it easy to start Remote Assistance sessions with users that were helped before.

Karen then clicks Tony’s computer in her history list and clicks Next, and when Tony accepts the offer, the session begins.

Managing Remote Assistance Using Group Policy

In an enterprise environment, Remote Assistance can be managed using Group Policy. The policy settings for Remote Assistance are all machine settings and are found in the following policy location:

Computer Configuration\Policies\Administrative Templates\System\Remote Assistance

When these policy settings are written to the registry on targeted computers, they are stored under the following registry key:

HKLM\SOFTWARE\Policies\Microsoft\WindowsNT\Terminal Services

Remote Assistance policy settings are summarized in Table 22-4.

Table 22-4. Group Policy Settings for Remote Assistance

POLICY	DESCRIPTION
Solicited Remote Assistance	Enabling this policy allows users of targeted computers to use Solicited RA to request assistance using e-mail, file transfer, or IM. Disabling this policy prevents users from using Solicited RA. The default setting is Not Configured, which allows users to change their Remote Assistance settings using the Remote tab of the System item in Control Panel. If the policy is Enabled, you can further configure whether Helpers can be prevented from sharing control of the User’s computer, the maximum ticket lifetime, and the method used for sending invitations by e-mail. (Windows 7 does not support the MAILTO method—select SMAPI instead if the targeted computers are running Windows 7.) Ticket lifetime applies only to Remote Assistance invitations sent by e-mail or file transfer. The default ticket lifetime when Group Policy is not being used is six hours. If this policy is Enabled, you must also enable the Remote Assistance exception in Windows Firewall to allow Solicited RA to work. In an unmanaged environment, this setting can also be configured using the Remote tab of the System CPL in Control Panel. This policy is also supported on Windows XP Professional and Windows Server 2003.
Offer Remote Assistance	Enabling this policy allows designated Helpers to use Offer RA to offer assistance to users of targeted computers. Disabling this policy or leaving it Not Configured prevents Offer RA from being used to offer assistance to users of targeted computers. If the policy is Enabled, you can further configure whether Helpers can view or control the Users’ computers, and you must specify a list of Helpers who are allowed to Offer RA to the users of the targeted computers. Helpers can be either users or groups and must be specified in the form domain_name\username or domain_name\groupname. If this policy is Enabled, you must also enable the Remote Assistance exception in Windows Firewall to allow Offer RA to work. (In Windows 7, the Remote Assistance exception is open by default for the domain firewall profile.) This policy is also supported on Windows XP Professional and Windows Server 2003. See the Explain tab of this policy setting for more details.
Allow Only Vista Or Later Connections	The default Windows 7 invitation file includes an XP-specific node for backward compatibility. This node is not encrypted and allows Windows XP computers to connect to the Windows 7 computer that created the ticket. Enabling this policy causes all Remote Assistance invitations generated by users of targeted computers to not include the XP node, thereby providing an additional level of security and privacy. Disabling this policy or leaving it Not Configured leaves information such as IP address and port number unencrypted in Remote Assistance invitations This policy setting applies only to Remote Assistance invitations sent using e-mail or file transfer and has no effect on using IM to solicit assistance or on using Offer RA to offer assistance. In an unmanaged environment, this setting can also be configured by clicking Advanced from the Remote tab of the System Properties dialog box. This policy is supported only on Windows Vista and later platforms.
Customize Warning Messages	Enabling this policy causes a specified warning to be displayed on targeted computers when a Helper wants to enter Screen Sharing state or Control Sharing state during a Remote Assistance session. Disabling this policy or leaving it Not Configured causes the default warning to be displayed in each instance. If the policy is Enabled, you can further specify the warning message to be displayed in each instance. This policy is supported only on Windows Vista and later platforms.
Turn On Session Logging	Enabling this policy causes Remote Assistance session activity to be logged on the targeted computers. For more information, see the section titled "Remote Assistance Logging" earlier in this chapter. Disabling this policy causes Remote Assistance auditing to be disabled on the targeted computers. The default setting is Not Configured, in which case Remote Assistance auditing is automatically turned on. This policy is supported only on Windows Vista and later platforms.
Turn On Bandwidth Optimization	Enabling this policy causes the specified level of bandwidth optimization to be used to enhance the Remote Assistance experience over low-bandwidth network connections. Disabling this policy or leaving it Not Configured allows the system defaults to be used. If the policy is Enabled, you must specify the level of bandwidth optimization you want to use from the following options: No Optimization No Full Window Drag Turn Off Background Full Optimization If No Optimization is selected, the User’s computer will use the Windows Basic theme with full background, and during a shared control session, the Helper will be able to drag full windows across the User’s screen. Additional optimization turns off effects to allow a more responsive experience for the Helper. This policy is supported only on Windows Vista and later platforms.

Configuring Remote Assistance in Unmanaged Environments

Users of unmanaged computers can enable and configure Remote Assistance using the Remote tab of the System CPL in Control Panel (shown in Figure 22-13). Enabling or disabling Remote Assistance and configuring its settings this way requires local administrator credentials on the computer, so a UAC prompt will appear when the user tries to do this.

Figure 22-13 Configuring Remote Assistance from the Remote tab of System in Control Panel

Note that settings changes made this way will affect all users on the system. Clicking Advanced lets you specify whether remote control of the computer will be allowed during a Remote Assistance session, what the maximum lifetime of a Remote Assistance invitation can be before it times out (the default is six hours), and whether invitations supported only by Remote Assistance in Windows Vista or later versions will be created (see Figure 22-14).

Figure 22-14 Advanced configuration settings for Remote Assistance

In managed environments, when the following Group Policy setting is Enabled, the Control Panel settings for configuring Remote Assistance become unavailable (appear dimmed):

Computer Configuration\Policies\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance

Additional Registry Settings for Configuring Remote Assistance

Additional behavior for Remote Assistance can be configured by modifying certain registry settings. Specifically, per-user registry settings for Remote Assistance are found under the following key:

HKCU\Software\Microsoft\Remote Assistance

These settings are changeable when in the Waiting To Connect mode or when in the connected mode from the Settings button.

DIRECT FROM THE SOURCE

Troubleshooting Remote Assistance in Windows 7 and Windows Vista

John Thekkethala, Program Manager

Remote Assistance Team

When I attempt to create an invitation with e-mail or save-to-file, I see a warning message stating that Windows Firewall is currently blocking Remote Assistance.

The Remote Assistance firewall exception will change depending on your network location (Private, Public, or Domain). If you are at home, your network location type should be set to Private, which enables the Remote Assistance firewall exception automatically. If your network location is set to Public, the Remote Assistance firewall exception is not enabled automatically for security purposes. It will need to be enabled by an administrator.

If you are connected to a managed network (for example, when you are within a corporate domain), the network location is categorized as Domain, and the Remote Assistance exception is not enabled automatically. It is expected to be configured by Group Policy by your system administrator.

I cannot use Remote Assistance to connect from my home computer to a work computer.

Remote Assistance uses Teredo (IPv6) to traverse NATs. However, Teredo cannot be used to traverse corporate edge firewalls that provide NAT for intranet clients and block dynamic ports or outbound UDP traffic. Because you do not have a globally reachable IPv4 address within the corpnet, Remote Assistance cannot make a connection to you from outside the corpnet.

If I disable the Windows Firewall, I cannot make a Remote Assistance connection in certain cases. This is counterintuitive, because I expect connectivity to be less restrictive with the firewall disabled.

In Windows 7 and Windows Vista, the Windows Firewall is IPv6 aware. The Remote Assistance exception in the Windows Firewall enables Teredo for edge traversal. If the Windows Firewall is disabled, the ability to use Teredo for NAT traversal is also disabled. The Windows Firewall must be running with the Remote Assistance exception enabled for Remote Assistance to be able to traverse NATs using Teredo.

I cannot use Remote Assistance to connect from my work computer to my home computer.

Your corporate firewall may be configured to block outbound P2P connections. In a managed environment (domain-joined computers), which is typically found in a corporate network, the Remote Assistance exception does not enable Teredo (edge traversal), because corporate firewalls typically block outbound UDP traffic. NAT traversal using Teredo is disabled by default in this scenario. If the person you are trying to help is behind a UPnP NAT or is connected directly to the Internet, you should be able to make a connection. Check with your network administrator to see whether outbound P2P connections through the corporate firewall can be enabled.

When I move my laptop (or change my home network location) from a private to a public location, I am not able to connect to certain computers.

If you have a laptop that moves between work and home, the properties of the Remote Assistance firewall exception in the Windows Firewall will change depending on whether your network location is classified as Private, Public, or Domain. In a Private location, the Remote Assistance exception is enabled by default. If you are using a UPnP NAT, the Remote Assistance exception will allow communications with the UPnP NAT to enable Remote Assistance connections that make use of UPnP. In a Public network, the Remote Assistance exception is not enabled by default and will need to be enabled using administrator credentials. In addition, the default Public profile does not permit UPnP communication for security purposes, thereby restricting Remote Assistance connectivity in certain cases.

I am on a low-bandwidth connection, and the person helping me is experiencing slow screen refreshes.

Under Settings, set the Bandwidth Usage to Low to reduce the bandwidth used during a Remote Assistance connection. Keep in mind that display quality decreases as bandwidth usage is limited.

Why can’t I connect to Windows XP computers that are behind a NAT as easily as I can connect to Windows 7 or Windows Vista computers?

Remote Assistance in Windows XP does not support Teredo for NAT traversal. Consequently, a Windows 7– or Windows Vista–to–Windows XP Remote Assistance connection may fail in cases in which both computers are behind non-UPnP NATs.

How does Remote Assistance make a connection?

When the Remote Assistance invitation is created, the User’s computer will set itself as a listener on all of its IP addresses (IPv4 and IPv6), including its Teredo address. All of these listeners are waiting for a connection from the Helper’s computer. The address and port information associated with these different listeners is relayed to the Helper’s computer via the Remote Assistance invitation (which gets transported by Windows Messenger when Messenger is used to launch Remote Assistance). The Helper’s computer then tries to connect concurrently on all the address/port pairs in the invitation. The first successful connection that is made is used for the Remote Assistance session and the rest of the connection attempts are terminated.

How do I troubleshoot a connection failure between two home-based Windows 7 or Windows Vista computers that are behind NATs?

Refer to the Remote Assistance Connectivity information in Tables Table 22-5 and Table 22-6 to verify that the network configuration you have is supported for Remote Assistance connectivity. Then confirm that the Windows Firewall on the computer of the person that is being helped is running and configured for Remote Assistance as follows:

The Windows Firewall is IPv6 compatible and must be running to enable NAT traversal using Teredo.
The network location of the computer must be set to Private or Public because Teredo is not enabled in Domain or Managed settings.
The Remote Assistance exception in the firewall must be enabled to allow Remote Assistance connections.

Now check that there is no edge firewall between the User and Helper because it may block P2P applications like Remote Assistance.

Finally, confirm that the User and Helper are not behind a symmetric NAT and that Teredo is able to get to the Qualified state on both computers. To determine this, do the following:

First, initiate Teredo by forcing Remote Assistance into the Waiting To Connect state. You can do this by typing msra.exe /saveasfile myinvitation mypassword at a command prompt.
Next, check to see if Teredo can be activated on both computers and goes into the Qualified state. Open an elevated command prompt window and type netsh interface teredo show state at the command prompt. The output should show Teredo in the Qualified state. If Teredo does not go to the Qualified state on both computers, a Remote Assistance connection may not be possible between these two computers. Teredo will not go into the Qualified state if one of the following two conditions exists:
- A global Teredo server could not be reached at teredo.ipv6.microsoft.com.
- The computer is behind a symmetric NAT. To verify this, look at the output of netsh interface teredo show state and check the output on the NAT: line, which specifies NAT type.

When I am helping someone who is a standard user, I cannot run a program that needs administrator privileges even though I have administrator privileges to the User’s computer.

Remote Assistance allows a User to share control of his computer with a remote Helper. If the User is a standard user, the remote Helper is given the same privileges as the standard user. If the Helper attempts to start a program that requires administrator credentials, by default these credentials must be entered locally (on the Secure Desktop) by the User and cannot be entered remotely by the Helper. This is required to prevent a security loophole where Admin programs started by a remote Helper could be hijacked by the local User simply by terminating the Remote Assistance session. In managed environments in which client computers are running Windows Vista Service Pack 1 (SP1) or later versions, however, a new Group Policy setting can be enabled that allows Remote Assistance to turn off the Secure Desktop during a Remote Assistance session even if the User is a standard user. As a result, the remote Helper can now enter administrator credentials when a UAC prompt appears during a Remote Assistance session to perform Admin-level tasks on the User’s computer. To configure this behavior, enable the following policy setting:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Allow UIAccess Applications To Prompt For Elevation Without Using The Secure Desktop

Cross-Platform Connectivity for Remote Assistance

For environments in which different versions of Windows are used, Tables 22-5 and Table 22-6 summarize the Remote Assistance connectivity between Expert and Novice users on computers running Windows XP, Windows Vista, and Windows 7.

Table 22-5. Remote Assistance Connectivity for Expert on Windows XP

		EXPERT ON WINDOWS XP
		Directly Connected	Behind UPnP NAT	Behind non-UPnP NAT	Behind Corporate Edge Firewall^**
NOVICE (USER) ON WINDOWS XP	Directly Connected	Yes	Yes	Yes	Yes
	Behind UPnP NAT	Yes	Yes	Yes	Yes
	Behind non-UPnP NAT	Yes, using Msgr Only	Yes, using Msgr Only	No	No
	Behind Corporate Edge Firewall^**	Yes, using Msgr Only	Yes, using Msgr Only	No	Yes, if both are behind same firewall No, if both are behind different firewalls
NOVICE (USER) ON WINDOWS 7 OR WINDOWS VISTA	Directly Connected	Yes	Yes	Yes	Yes
	Behind UPnP NAT	Yes	Yes	Yes	Yes
	Behind non-UPnP NAT	Yes, using Msgr Only	Yes, using Msgr Only	No	No
	Behind Corporate Edge Firewall^**	Yes, using Msgr Only	Yes, using Msgr Only	No	Yes, if both are behind same firewall No, if both are behind different firewalls

Table 22-6. Remote Assistance Connectivity for Expert on Windows Vista and Windows 7

		EXPERT ON WINDOWS VISTA AND WINDOWS 7				Directly Connected	Behind UPnP NAT	Behind non-UPnP NAT	Behind Corporate Edge Firewall^**
NOVICE (USER) ON WINDOWS XP	Directly Connected	Yes	Yes	Yes	Yes
	Behind UPnP NAT	Yes	Yes	Yes	Yes
	Behind non-UPnP NAT	Yes, using Msgr Only	Yes, using Msgr Only	No	No
	Behind Corporate Edge Firewall^**	Yes, using Msgr Only	Yes, using Msgr Only	No	Yes, if both are behind same firewall No, if both are behind different firewalls
NOVICE (USER) ON WINDOWS 7 OR WINDOWS VISTA	Directly Connected	Yes	Yes	Yes	Yes
	Behind UPnP NAT	Yes	Yes	Yes	Yes
	Behind non-UPnP NAT	Yes, using Teredo^*	Yes, using Teredo^*	Yes, using Teredo^*	None
	Behind Corporate Edge Firewall ^**	No	No	No	Yes, if both are behind same firewall No, if both are behind different firewalls