Msra Microsoft Remote Access



Most desktops run Windows 10 Pro Version 1909, Build 18363.657. The machines access the Internet through an automatic proxy configuration address (.pac file). Years ago, we implemented a solution to facilitate IT support, using Microsoft Remote Assistance (msra.exe), which works as follows.

Way 1: Type msra in the search box on the taskbar and click msra in the list.
Way 2: Open it via Run. Use Windows+R to show the Run dialog, input msra and tap OK.
Way 3: Open it through CMD. Step 1: Get into Command Prompt. Step 2: Type msra.exe and press Enter.
Way 4: Turn it on in Windows PowerShell. Step 1: Access Windows PowerShell from Start Menu.

Remote Desktop Protocol (RDP) is a Microsoft-proprietary remote access protocol that is used by Windows systems administrators to manage Windows Server systems remotely.


The most timely resolution of issues often requires remote inspection of the issue at hand or remote demonstration/implementation of the solution. Microsoft's Remote Desktop Connection would allow the troubleshooter (or 'helper') to remotely control the desktop, but the user receives little-to-no insight or education because only the Remote User sees the session (the Local User is unable to see his/her own screen during a RD session).

There are two tools I primarily use that allow remote assistance while not shutting out the User:

1) Remote Assistance - Built into XP's Help and Support. We'll use this tool to politely interact with the User and offer unsolicited help.
2) Gencontrol - (http://www.gensortium.com/products/gencontrol.html) is a freeware tool that pushes out a TightVNC DLL to the remote PC, starts it up, and tosses the VNC control window back to you. This tool is much more invasive (it doesn't ask permission), but may be used when the user is unavailable or incapable of responding to the Remote Assistance prompts.

Let's get started!

8 Steps total

Step 1: Creating a Group Policy for Unsolicited RA

Let's explore Microsoft's built-in Remote Assistance tool. Though a knowledgeable user may create Remote Assistance invitations to send to the troubleshooter (also called the 'helper' in this How-To), it is a multi-step process that often requires a walk-through to initiate.

To avoid the above scenario, we want to set up a group policy for our domain machines that allows our helper (users or groups) to offer Remote Assistance without an invitation from the User.

Create a Group Policy (named and enforced appropriately). The policy is located in the Computer Configuration, Administrative Templates, System, Remote Assistance container.

You must enable the 'Offer Remote Assistance' policy as shown in the screenshot.

Step 2: Modify what Helpers are Authorized to Offer Unsolicited RA

Right-click the 'Offer Remote Assistance' policy and select 'Properties'.

(*Note: The policy may be configured to specify whether helpers may perform tasks ('take control') or just observe.)

Click the 'Show' button to display the list of authorized Helpers.

Step 3: Add any additional Helper Accounts

Enter new accounts in the format Domain\username.

Accounts with these credentials will be able to Offer Unsolicited Remote Assistance. You'll need to verify that these helpers are members of the local 'Administrators' group on the computers you want to establish a Remote Assistance session with.

Step 4: Complete your Group Policy, Apply it to the Correct Containers..

Explaining the intricacies of this step is outside the scope of this how-to, but you'll want to verify your new policy is applied to the machines you want to offer Remote Assistance to.

This Group Policy will need to be applied before your 'helpers' will be allowed to offer an unsolicited Remote Assistance session.

Step 5: Help Desk Step: Offer Remote Assistance Without an Invitation

You can manually open a Remote Assistance invitation by performing the following steps:

*****************XP********************

a) Open Help and Support Center (Start -> Help and Support)
b) Click Tools
c) Click 'Help and Support Center Tools'
d) Click 'Offer Remote Assistance'

*************Vista*************
a) Click Start
b) Type any/all of 'Windows Remote Assistance' or start-Run msra

---------------------------
You will be prompted for the Computer Name / IP Address of the machine you'd like to assist.

After you have selected the machine, RA will prompt you for the local user of that machine to send the request to. The user will be asked to allow permission for your helper's account to see their session. Control may be requested after that time just as in a standard Remote Assistance session.

Step 6: Creating a Shortcut for Remote Assistance (Optional)

It can be a pain for the expert 'helper' to navigate Microsoft's clumsy Help and Support Center menu every time they need to offer assistance. Though you can add the 'Offer Remote Assistance' tool to your Help and Support favorites, it is still quicker to create a shortcut.

To create a Desktop Shortcut:
a) Right Click the Desktop,
b) Select New-> Shortcut
c) In the location field, copy/paste the following:
-------Windows XP shortcut---------------
"C:\Program Files\Internet Explorer\iexplore.exe" hcp://CN=Microsoft%20Corporation,L=Redmond,S=Washington,
C=US/Remote%20Assistance/Escalation/Unsolicited/Unsolicitedrcui.htm

(*Note there is no space character between 'S=Washington,' and 'C=US..' the lines were separated for readability)

--------Windows Vista Shortcut--------
msra.exe /expert

d) Select Next
e) Name your Shortcut and Click Finish

This will give you a shortcut on your desktop directly to the Help and Support Window.

Step 7: (XP ONLY) Using Gencontrol to Establish a Remote Assistance Session (optional)

(Note: Consider using the 'runas' command to spawn Gencontrol as the user with appropriate credentials)

1) Open Gencontrol
2) Type in your Domain/PC Name
3) Click Connect

If you are running Gencontrol with admin rights to the machine, Gencontrol will spawn a tightVNC session and toss the command back to the helper's machine.

Step 8: Additional Firewall Considerations (Windows Firewall)

For firewall options, here's a copy/paste from a related article (located here: http://brettlive.com/2006/10/04/remote-assistance-remote-desktop/)
-----
Next, the 4 firewall policy settings are located in Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile

1 – Enable the Windows Firewall: Allow local port exceptions
2 – Add the following entry to the Windows Firewall: Define port exceptions setting:
135:TCP:*:Enabled:Offer Remote Assistance

3 – Enable Windows Firewall: Allow local program exceptions
4 - Add the following entries to Windows Firewall: Define program exceptions:
%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance – Windows Messenger and Voice
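
Every exception string above uses the scope `*`, which accepts connections from any source address rather than only the help-desk network. The following PowerShell is an added example, not part of the original how-to or the quoted article: it parses exception strings in this format and flags enabled entries with an unrestricted scope. The fourth sample entry and its subnet are constructed for illustration.

```powershell
# Constructed sample: three exception strings from the step above plus one scoped variant.
$entries = @(
    '135:TCP:*:Enabled:Offer Remote Assistance',
    '%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance',
    '%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance',
    '135:TCP:10.20.30.0/24,LocalSubnet:Enabled:Offer Remote Assistance (scoped)'
)

function ConvertFrom-FirewallException {
    param([Parameter(Mandatory)][string]$Entry)
    # Port form:    Port:Protocol:Scope:Status:Name
    # Program form: Path:Scope:Status:Name  (the path may itself contain a drive colon)
    # Limitation: IPv6 addresses in the scope field are not handled by this pattern.
    if ($Entry -match '^(?<port>\d+):(?<proto>TCP|UDP):(?<scope>[^:]+):(?<status>Enabled|Disabled):(?<name>.+)$') {
        $kind = 'Port'
        $target = "$($Matches.port)/$($Matches.proto)"
    }
    elseif ($Entry -match '^(?<path>.+?\.exe):(?<scope>[^:]+):(?<status>Enabled|Disabled):(?<name>.+)$') {
        $kind = 'Program'
        $target = $Matches.path
    }
    else {
        throw "Unrecognised exception string: $Entry"
    }

    [pscustomobject]@{
        Kind      = $kind
        Target    = $target
        Scope     = $Matches.scope
        Status    = $Matches.status
        Name      = $Matches.name
        # An enabled entry with scope '*' is reachable from any source address.
        AnySource = ($Matches.status -eq 'Enabled' -and $Matches.scope -eq '*')
    }
}

$parsed = $entries | ForEach-Object { ConvertFrom-FirewallException -Entry $_ }
$parsed | Format-Table Kind, Target, Scope, Status, AnySource -AutoSize

# Entries to review: candidates for narrowing to LocalSubnet or the help-desk subnet.
$parsed | Where-Object AnySource | ForEach-Object { "REVIEW: $($_.Target) ($($_.Name)) has scope '*'" }
```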

Using group policy and creating a simple shortcut can dramatically reduce the time spent on calls while simultaneously increasing user awareness of 'the fix' by allowing them to observe the 'helper' working.

It is a large temptation for help-desk support to use the quickest tool (in this case, likely Gencontrol). However, I would strongly recommend using the built-in Remote Assistance (preferably with shortcuts) for the sake of user privacy!

Published: Feb 03, 2009 · Last Updated: Feb 16, 2012


24 Comments


  • Sonora
    Keith7261 Feb 5, 2009 at 02:44pm

    Awesome. Thank you for sharing. I haven't used this before because the Microsoft instructions were not very clear (to me).

  • Chipotle
    benpbolton Feb 5, 2009 at 03:47pm

    Thanks Keith! Remote Assistance can be a pretty nice tool that offers the opportunity for some great user education (and reduces the wear on the 'ole sneakers;))

  • Datil
    spiceuser Feb 17, 2009 at 03:08pm

    This should be helpful! Thanks!

  • Pimiento
    Scripting .. Apr 3, 2009 at 08:32am

    This is helpful. Well, can anyone help me to get details of the Avaya phone which is connected to the System in Domain
    Details like: Extn number
    Call registry
    Is there also any way to get the port number of the system ...
    Please help

  • Sonora
    rxmurillo Apr 27, 2009 at 03:46pm

    Does anybody know how we can do this on Vista?

  • Chipotle
    benpbolton Apr 30, 2009 at 11:32am

    Creating the shortcut is the only difference on Vista. I've updated the how-to.. MS (finally) made remote assistance a stand alone executable that wasn't launched from IE. You can run 'msra.exe /expert' to get to the RA mode in Vista.

  • Sonora
    DJ9688 May 14, 2009 at 01:29pm

    I like it, but keep getting Permission denied. We use RDP all day.

  • Chipotle
    benpbolton May 18, 2009 at 03:04pm

    @DJ, as long as you've added your user accounts to the 'helpers' group, the only remaining item to check is that you're an admin on the local machine you're attempting to remotely assist.. does that help at all?

  • Robert (Spiceworks) Jun 10, 2009 at 06:07pm

    Once again our users can explain things that the Microsoft documentation takes a long time to get across. Thanks for sharing!

  • Jalapeno
    Laker Jun 17, 2009 at 10:34am

    This is great information in an understandable fashion, thanks Roeman! This will work great in my office but how would you configure a firewall to accept an unsolicited RA on a different domain than yours?

  • Chipotle
    benpbolton Jun 25, 2009 at 02:01pm

    @Laker,

    Well, I'm unfamiliar with the cross-domain scenarios myself. I understand that the domains must trust each other.. MS actually recommends the 'invitation' method across the internet. The trouble with the invitation system, in my opinion, is that the individuals who are the most likely to need assistance are the least capable of creating a remote assistance invitation:)

    As far as LAN firewall options, here's a copy/paste from a related article (located here: http://brettlive.com/2006/10/04/remote-assistance-remote-desktop/)

    Next, the 4 firewall policy settings are located in Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile

    1 – Enable the Windows Firewall: Allow local port exceptions
    2 – Add the following entry to the Windows Firewall: Define port exceptions setting:
    135:TCP:*:Enabled:Offer Remote Assistance

    3 – Enable Windows Firewall: Allow local program exceptions
    4 - Add the following entries to Windows Firewall: Define program exceptions:
    %WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance
    %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance
    %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance – Windows Messenger and Voice

  • Pimiento
    cameronsloan Sep 18, 2009 at 05:31pm

    Hello..I love using Remote Assistance. I have been tweaking the groups and policies for a while now to get it just right for all of my sites. The question I have now is..'Can we get Remote Assistance as an option from within the Spiceworks Helpdesk..Troubleshoot | Remote Control?'

    Thanks.

  • Pimiento
    RoemanB Oct 15, 2009 at 10:57am

    That sounds like a great spiceworks feature request! I know I'd use it..

  • Jalapeno
    Jason Tucker Dec 31, 2009 at 02:53pm

    Once you have this set up, download this desktop gadget. It's a simple click to offer remote assistance or remote desktop to any machine on your network.
    http://www.scriptingpod.com/rcf-gadget.asp

  • Sonora
    jaihawk777 Nov 3, 2010 at 12:06pm

    Trying to set this up at work and have done all the steps but keep getting a 'Program failed to start. Please try again'. It looks like a service that won't start, but I've turned on all that I suspect is involved.


Prerequisites

You will require the Group Policy Management Tools on Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2012, Windows Server 2016 or Windows Server 2019. These are part of the Remote Server Administration Tools (RSAT) available from the Microsoft web site.

Instructions

To enable Remote Assistance and allow access through the Windows Firewall with Advanced Security using Group Policy (Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2012) please follow these instructions.



Turning on Remote Access using Group Policy

    1. Edit an existing Group Policy object or create a new one using the Group Policy Management Tool.
    2. Expand the Computer Configuration/Policies/Software Settings/Administrative Templates/System/Remote Assistance node and open the Offer Remote Assistance rule.
    3. Check the Enabled radio button. Under Options: select Allow helpers to remotely control the computer from the drop down list. Click the Show… button.
    4. Enter the users or groups you want to have permissions to offer Remote Assistance, one per line. Then click OK.
    5. Click the OK button to exit and save the new setting.
    6. Make sure the Group Policy Object is applied to the relevant computers using the Group Policy Management Tool.
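
Once the 'Offer Remote Assistance' policy from these steps (and from Steps 1 to 4 of the how-to above) has been applied, it is worth confirming on a target machine who is actually authorized and whether helpers can take control. The following PowerShell is an added example, not part of either original guide: the registry key and value names are assumptions about where this policy is stored and should be confirmed against the policy template on your build, and the approved helper group is hypothetical.

```powershell
# Assumed storage location of the 'Offer Remote Assistance' policy (not stated on this page).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Hypothetical values: replace with the helper group your help desk actually uses.
$ApprovedHelpers = @('CONTOSO\HelpDesk-RA')
$BroadPrincipals = 'Everyone', 'Authenticated Users', 'Domain Users', 'Domain Computers'

function Get-OfferRAPolicy {
    param([string]$Key = $PolicyKey)
    $values  = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $helpers = @()
    $helperKey = Join-Path $Key 'RAUnsolicit'     # assumed subkey holding the helper list
    if (Test-Path $helperKey) {
        $k = Get-Item -Path $helperKey
        $helpers = @($k.GetValueNames() | ForEach-Object { [string]$k.GetValue($_) })
    }
    [pscustomobject]@{
        OfferEnabled = ($values.fAllowUnsolicited -eq 1)
        FullControl  = ($values.fAllowUnsolicitedFullControl -eq 1)
        Helpers      = $helpers
    }
}

function Test-OfferRAPolicy {
    param($Policy, [string[]]$Approved, [string[]]$Broad)
    if (-not $Policy.OfferEnabled) { return }
    if ($Policy.FullControl) { 'Helpers may take control, not only view' }
    foreach ($h in $Policy.Helpers) {
        $short = ($h -split '\\')[-1]             # strip the DOMAIN\ prefix
        if ($Broad -contains $short)       { "Helper '$h' is a broad built-in group" }
        elseif ($Approved -notcontains $h) { "Helper '$h' is not on the approved list" }
    }
}

$policy = Get-OfferRAPolicy
"Offer RA enabled: $($policy.OfferEnabled); helpers: $($policy.Helpers -join ', ')"
Test-OfferRAPolicy -Policy $policy -Approved $ApprovedHelpers -Broad $BroadPrincipals |
    ForEach-Object { "FINDING: $_" }
```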


Allowing access through the Windows Firewall with Advanced Security using Group Policy


    1. Edit an existing Group Policy object or create a new one using the Group Policy Management Tool.
    2. Expand the Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security/Windows Firewall with Advanced Security/Inbound Rules node.
    3. Check the Predefined: radio button and select Remote Assistance from the drop down list. Click Next.
    4. Check the Remote Assistance rules for the Domain Profile and click Next.
    5. Check the Allow the Connection radio button and click Finish to exit and save the new rule.
    6. Make sure the Group Policy Object is applied to the relevant computers using the Group Policy Management Tool.