Without the secure desktop, the UAC dialog runs like every other Windows dialog on the user's interactive desktop. This makes the device vulnerable to UAC spoofing attacks. If you and your security department are comfortable with that, you can reconfigure the devices and get a working remote support solution out of the box from Microsoft, built directly into Windows 10, called Quick Assist.
This article describes some of the settings you can enable and configure in Windows 10 and newer devices. These settings are created in an endpoint protection configuration profile in Intune to control security, including BitLocker and Microsoft Defender. To configure Microsoft Defender Antivirus, see Windows 10 device restrictions.
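Before accepting the secure-desktop trade-off described above, it helps to know what each device is actually configured to do. The following PowerShell audit is an added example, not code from the original page or from Microsoft: the function names `Get-UacValue` and `Test-UacSecureDesktop` are hypothetical, and the registry value names and fallback defaults are the standard Windows UAC policy values, assumed here rather than taken from the page.

```powershell
# Added example: audit the UAC policy values that decide whether elevation
# prompts are shown on the secure desktop. Run in Windows PowerShell on the device.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue {
    param([string]$Name, [int]$Default)
    # Assumption: when a value is absent, Windows applies its documented default.
    $item = Get-ItemProperty -Path $UacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $null -ne $item.$Name) { [int]$item.$Name } else { $Default }
}

function Test-UacSecureDesktop {
    $enableLua     = Get-UacValue -Name 'EnableLUA' -Default 1
    $secureDesktop = Get-UacValue -Name 'PromptOnSecureDesktop' -Default 1
    $adminPrompt   = Get-UacValue -Name 'ConsentPromptBehaviorAdmin' -Default 5
    $userPrompt    = Get-UacValue -Name 'ConsentPromptBehaviorUser' -Default 3

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'UAC is disabled (EnableLUA = 0).'
    }
    if ($secureDesktop -eq 0) {
        # This is the setting the text above describes relaxing for Quick Assist.
        $findings += 'Prompts are not forced onto the secure desktop (PromptOnSecureDesktop = 0).'
    }
    if ($adminPrompt -eq 0) {
        $findings += 'Administrators elevate without any prompt (ConsentPromptBehaviorAdmin = 0).'
    }

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        EnableLUA                  = $enableLua
        PromptOnSecureDesktop      = $secureDesktop
        ConsentPromptBehaviorAdmin = $adminPrompt
        ConsentPromptBehaviorUser  = $userPrompt
        Compliant                  = ($findings.Count -eq 0)
        Findings                   = ($findings -join ' ')
    }
}

Test-UacSecureDesktop | Format-List
```

Devices that report `PromptOnSecureDesktop = 0` are the ones exposed to the spoofing risk described above, so the output can be collected as evidence for a documented exception.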
The Intune and TeamViewer integration enables remote support using TeamViewer, and the connector is managed directly in Intune. Remote control is included in Microsoft Endpoint Configuration Manager. It's used to remotely administer, provide assistance, or view any workgroup computer and domain-joined computer.
After searching through the Intune Device restrictions available for Windows 10, I couldn't find any UI settings for that. I had to use a Custom Profile type for that. (Custom Profiles are also called OMA-URI Settings.) This blog post will describe how to create an Intune Device Profile Restriction User Login to restrict login rights.
- Windows 10 Insider VM (I used the build 19577)
- Microsoft DHCP Server with pre-defined option ID 235
- Microsoft Intune DO configuration
Gathering the missing MDM config info to do the actual configuration
First, I installed the Windows 10 Insider VM and had a look at the new DO GPO settings.
Devices managed by Intune can be administered remotely using TeamViewer. TeamViewer is a partner program that you purchase separately. This article shows you how to configure TeamViewer within Intune, and how to remotely administer a device.
This feature applies to:
- Android device administrator (DA)
- Android Enterprise personally owned devices with a work profile (BYOD)
- iOS/iPadOS
- macOS
- Windows
Prerequisites
The administrator configuring the TeamViewer connector must have an Intune license. You can give administrators access to Microsoft Endpoint Manager without them requiring an Intune license. For more information, see Unlicensed admins.
The Intune administrator in the Endpoint Manager admin center must have the following Intune roles:
- Update Remote Assistance: Allows administrators to modify the TeamViewer connector settings.
- Request Remote Assistance: Allows administrators to start a new remote assistance session for any user. Users with this role are not limited by any Intune role within a scope. User or device groups assigned an Intune role within a scope can also request remote assistance.
Use a supported Intune-managed device:
- Android device administrator (DA)
- Android Enterprise personally owned devices with a work profile (BYOD)
- iOS/iPadOS
- macOS
- Windows
Note
- Organization-owned devices are not supported. TeamViewer works with the Company Portal app. It doesn't work with the Intune app.
- TeamViewer may not support Windows Holographic (HoloLens), Windows Team (Surface Hub), or Windows 10 S. For supportability, see TeamViewer (opens TeamViewer's web site) for any updates.
A TeamViewer (opens TeamViewer's web site) account with the sign-in credentials. Only some TeamViewer licenses may support integration with Intune. For specific TeamViewer needs, see TeamViewer Integration Partner: Microsoft Intune.
By using TeamViewer, you're allowing the TeamViewer for Intune Connector to create TeamViewer sessions, read Active Directory data, and save the TeamViewer account access token.
Configure the TeamViewer connector
To provide remote assistance to devices, configure the Intune TeamViewer connector using the following steps:
- Sign in to the Microsoft Endpoint Manager admin center.
- Select Tenant administration > Connectors and tokens > TeamViewer Connector.
- Select Connect, and accept the license agreement.
- Select Log in to TeamViewer to authorize.
- A web page opens to the TeamViewer site. Enter your TeamViewer license credentials, and then Sign In.
Remotely administer a device
After the connector is configured, you're ready to remotely administer a device.
- Sign in to the Microsoft Endpoint Manager admin center.
- Select Devices > All devices.
- From the list, select the device that you want to remotely administer > New Remote Assistance Session. You may have to select the three dots (...) to see this option.
- After Intune connects to the TeamViewer service, you'll see some information about the device. Connect to start the remote session.
In TeamViewer, you can complete a range of actions on the device, including taking control of the device. For full details of what you can do, see the TeamViewer community page (opens TeamViewer's web site).
When finished, close the TeamViewer window.
End user experience
When you start a remote session, users see a notification flag on the Company Portal app icon on their device. A notification also appears when the app opens. Users can then accept the remote assistance request.
Note
Windows devices that are enrolled using 'userless' methods, such as Device Enrollment Manager (DEM) and Windows Configuration Designer (WCD), don't show the TeamViewer notification in the Company Portal app. In these scenarios, it's recommended to use the TeamViewer portal to generate the session.
There are four options available for remotely administering devices managed by Microsoft Endpoint Manager:
- Microsoft Teams is the hub for teamwork where you can chat, meet, and collaborate no matter where you are.
- Quick Assist is a Windows 10 application that lets two people share a device over a remote connection.
- TeamViewer is a third-party program that you purchase separately. It provides a comprehensive set of remote access and support capabilities. The Intune and TeamViewer integration enables remote support using TeamViewer and the connector is managed directly in Intune.
- Remote control is included in Microsoft Endpoint Configuration Manager. It's used to remotely administer, provide assistance, or view any workgroup computer and domain-joined computer.
Features, Platforms, Licensing | Teams | Quick Assist | TeamViewer (Intune) | Remote control (ConfigMgr) |
---|---|---|---|---|
Remote view and control | ||||
Chat | ||||
File transfer | ||||
Elevated admin access | ||||
Unattended access | ||||
Simultaneous remote control | ||||
Multi-user support | ||||
Remote actions | ||||
Over-the-internet support | ||||
Audit reporting | ||||
Support for all platforms (Windows, iOS, Android, macOS) | ||||
Integrated with Windows 10 – no additional app required | ||||
Requires device to be co-managed by Configuration Manager and Intune | ||||
Requires additional licensing* |
* Teams requires Microsoft 365 licensing. Use of TeamViewer and Intune requires licensing from both TeamViewer and Intune. Remote Control is a feature of Configuration Manager and requires Configuration Manager licensing.