Windows Vista: Supporting users using Remote Assistance (Part 3)

The main Remote Assistance scenario within a corporate network environment is the support of workstations in the corporate network and in a domain. The user's computer must be properly configured before they are granted RA. This is done through Group Policy, as explained in the previous section.

Windows Vista: Supporting users using Remote Assistance (Part 3) Picture 1Windows Vista: Supporting users using Remote Assistance (Part 3) Picture 1 Windows Vista: Supporting users using Remote Assistance (Part 1)
Windows Vista: Supporting users using Remote Assistance (Part 3) Picture 2Windows Vista: Supporting users using Remote Assistance (Part 3) Picture 2 Windows Vista: Supporting users using Remote Assistance (Part 2)

Mitch Tulloch

Managing Remote Assistance with Group Policy

In an enterprise environment, Remote Assistance can be managed by Group Policy. The policy settings for RA are all machine settings that are in the policy location below:

Computer Configuration Administrative TemplatesSystemRemote Assistance

When these policy settings are written to the registry on the target computers, they will be saved under the registry key below:

HKLMSOFTWAREPoliciesMicrosoftWindowsNTTerminal Services

The RA policy settings are summarized in Table 4 below.

Policy

Describe

Solicited Remote Assistance

Enabling this policy will allow target computer users to use Solicited RA to request support by email, files or IM messages.Disabling this policy will prevent users of Solicited RA.Its default setting is Not Configured, which means that users can change their RA settings using the Remote tab of the System CPL in Control Panel.

If the policy is Enabled, you can configure the Helper to be barred from sharing data in the user's computer, the maximum lifetime of the card, and the method used to send the message. invite.(Windows Vista does not support the MAILTO method - choose SMAP instead if the target computers are running Windows Vista.) The lifetime of the card only applies RA invitations by email or file exchange.The lifetime of the default card when Group Policy is not used for 6 hours.

If this policy is enabled, you must enable the RA (Remote Assistance) exception in Windows Firewall to allow Solicited RA to work.

In an unmanaged environment, this setting can be configured using the Remote tab of the System CPL in Control Panel.

This policy is also supported on Windows XP Professional and Windows Server 2003.

Offer Remote Assistance

This policy will allow designated helpers to use Offer RA to support targeted computer users.Disabling this policy or integrating Not Configured will prevent Offer RA from being used to provide support to users of targeted computers.

If this policy is used (Enabled), you can configure in the following cases: a helper can observe or control a user's computer, you must specify a list of helpers, but Users are allowed to use Offer RA to support users.The members of the help team can be user or group and must be specified in the form domain_name username or domain_name groupname .

Using this policy you must enable the Remote Assistance exception in Windows Firewall to make Offer RA work.

This policy is also supported in Windows XP Professional and Windows Server 2003. You can see the Explain tab of the settings for detailed information.

Allow Only Vista Or Later Connections

The default invitation file in Vista includes an XP-specific button for backward compatibility.This button is unencrypted and tells the computer that XP computers connect to the Vista computer that created the card.Enabling this policy may cause all RA invitations created by the target computer user to not include the XP node, thus allowing for increased security and privacy.Disabling this policy or selecting Not Configured will cause information such as the IP address and port number not encrypted in RA invitation.This policy setting applies only to RA invitations sent by email or file transfer, which are not effective on IM for support or by using Offer RA for support.

In an unmanaged environment, this setting can also be configured by clicking Advanced from the Remote tab in the System Properties dialog box.

This policy is only supported on Windows Vista and later platforms.

Customize Warning Messages

This policy creates a specific alert to display on target computers when the Helper wants to enter Screen Sharing State or Control Sharing State during an RA session.Disabling it or Not Configured will only show the default alert in each case.

If you use this policy, you can specify the warning message that will be displayed in each case.

This policy is only supported in Windows Vista and later platforms.

Turn On Session Logging

This policy records the RA session activity on the target computers.For more information, see the 'Taking notes in RA' section.Disabling it will cause RA validation to be disabled on target computers.The default setting is Not Configured, in this case, automatic RA checking is enabled.

This policy is only supported in Windows Vista and later platforms.

Turn On Bandwidth Optimization

This policy specifies the specific level of bandwidth optimization used to improve RA efficiency on network connections with low bandwidth, low speed.Disabling it or choosing Not Configured will cause the system to be used by default.

Using this policy, you must specify the bandwidth optimization you want to use from the following options:

  1. No Optimization
  2. No Full Window Drag
  3. Turn Off Background
  4. Full Optimization (Use 8-Bit Color)

If you select the No Optimization option, the user's computer will use Windows Basic with all other uses, during the course of a session sharing control, the Helper can drag the window in the screen of user.

This policy is only supported in Windows Vista and later platforms.

Table 4: Group Policy settings for Remote Assistance

Note : In Windows XP, members of the Domain Admins group Admin are fully recognized as with immediate helpers' rights that are not included in the help list of the Offer Remote Assistance policy settings. This does not appear in Windows Vista, where the Domain Admin group must be explicitly added to the list of helpers so that they have the same rights as helpers for Offer RA.

Configure Remote Assistance in an unmanaged environment

Users of unmanaged computers can activate and configure RA using the Remote tab of the System CPL in the Control Panel (Figure 4). Enabling or disabling RA and configuring its settings this way requires local administrator credentials on the computer, so a User Account Control window will appear when the user is actually does this configuration.

Windows Vista: Supporting users using Remote Assistance (Part 3) Picture 3Windows Vista: Supporting users using Remote Assistance (Part 3) Picture 3
Figure 4: Remote Configuration from Remote tab of System CPL in Control Panel.

Note that changes in this way will affect all users on the system. Peer registry settings for RA can be found under the following key:

HKLMSYSTEMCurrentControlSetControlRemote Assistance

In an unmanaged environment, when the following Group Policy settings are Enabled, the Control Panel settings for configuring RA will be lost.

Computer Configuration Administrative TemplatesSystemRemote AssistanceSolicited Remote Assistance

Note : Group Policy settings always prevail over locally configured settings when they appear together.

Additional Registry settings for configuring RA

Additional behavior for Ra can be configured by changing some registry settings. Peer user settings for RA are found in the following key:

HKCUSofwareMicrosoftRemote Assistance

These settings can be changed in 'Waiting To Connect' mode or in connected mode from the Settings button

Note: If Group Policy is used to manage RA settings and any configured policy settings overlap with the registry settings, the policy settings will prevail.

Conclude

RA has been enhanced in Windows Vista to provide better user performance, enhanced usability, NAT-traversal flexibility and high security. In this article, I have shown you the practices for adding RA in an enterprise environment:

  1. Use Group Policy to allow target computer users in a domain or OU to receive RA offers from helpers.

  2. Use Group Policy to enable the exception of RA (RA exception) in Windows Firewall.

  3. Use Group Policy to deploy scripts that allow users to run the msra.exe executable file if they want to customize how to launch RA sessions - for example, to upload invitations to a shared network that is checked with members. support.

  4. If all supported computers run Windows Vista, use Group Policy to encrypt the RA card to hide sensitive information such as IP addresses and computer names.

  5. If the company policy requires RA records for verification, use Group Policy to enable logging on the RA on the computer and run the script to periodically transfer both helpers and copies. Write User RA user to a safe place.

  6. To satisfy company policy and security requirements, use Group Policy to customize the text messages that users see before they allow helpers to see the screen or shared controls.

4 ★ | 1 Vote