Windows 7 / Networking

Managing Remote Assistance Using Group Policy

In an enterprise environment, Remote Assistance can be managed using Group Policy. The policy settings for Remote Assistance are all machine settings and are found in the following policy location:

Computer Configuration\Policies\Administrative Templates\System\Remote Assistance

When these policy settings are written to the registry on targeted computers, they are stored under the following registry key:

HKLM\SOFTWARE\Policies\Microsoft\WindowsNT\Terminal Services

Remote Assistance policy settings are summarized in Table below.

Group Policy Settings for Remote Assistance

PolicyDescription
Solicited Remote AssistanceEnabling this policy allows users of targeted computers to use Solicited RA to request assistance using e-mail, file transfer, or IM. Disabling this policy prevents users from using Solicited RA. The default setting is Not Configured, which allows users to change their Remote Assistance settings using the Remote tab of the System item in Control Panel.
If the policy is Enabled, you can further configure whether Helpers can be prevented from sharing control of the User's computer, the maximum ticket lifetime, and the method used for sending invitations by e-mail. (Windows 7 does not support the MAILTO method-select SMAPI instead if the targeted computers are running Windows 7.) Ticket lifetime applies only to Remote Assistance invitations sent by e-mail or file transfer. The default ticket lifetime when Group Policy is not being used is six hours.
If this policy is Enabled, you must also enable the Remote Assistance exception in Windows Firewall to allow Solicited RA to work.
In an unmanaged environment, this setting can also be configured using the Remote tab of the System CPL in Control Panel.
This policy is also supported on Windows XP Professional and Windows Server 2003.
Offer Remote AssistanceEnabling this policy allows designated Helpers to use Offer RA to offer assistance to users of targeted computers. Disabling this policy or leaving it Not Configured prevents Offer RA from being used to offer assistance to users of targeted computers.
If the policy is Enabled, you can further configure whether Helpers can view or control the Users' computers, and you must specify a list of Helpers who are allowed to Offer RA to the users of the targeted computers. Helpers can be either users or groups and must be specified in the form domain_name\username or domain_name\groupname.
If this policy is Enabled, you must also enable the Remote Assistance exception in Windows Firewall to allow Offer RA to work. (In Windows 7, the Remote Assistance exception is open by default for the domain firewall profile.)
This policy is also supported on Windows XP Professional and Windows Server 2003. See the Explain tab of this policy setting for more details.
Allow Only Vista Or Later ConnectionsThe default Windows 7 invitation file includes an XP-specific node for backward compatibility. This node is not encrypted and allows Windows XP computers to connect to the Windows 7 computer that created the ticket. Enabling this policy causes all Remote Assistance invitations generated by users of targeted computers to not include the XP node, thereby providing an additional level of security and privacy. Disabling this policy or leaving it Not Configured leaves information such as IP address and port number unencrypted in Remote Assistance invitations This policy setting applies only to Remote Assistance invitations sent using e-mail or file transfer and has no effect on using IM to solicit assistance or on using Offer RA to offer assistance.
In an unmanaged environment, this setting can also be configured by clicking Advanced from the Remote tab of the System Properties dialog box. This policy is supported only on Windows Vista and later platforms.
Customize Warning MessagesEnabling this policy causes a specified warning to be displayed on targeted computers when a Helper wants to enter Screen Sharing state or Control Sharing state during a Remote Assistance session. Disabling this policy or leaving it Not Configured causes the default warning to be displayed in each instance.
If the policy is Enabled, you can further specify the warning message to be displayed in each instance.
This policy is supported only on Windows Vista and later platforms.
Turn On Session LoggingEnabling this policy causes Remote Assistance session activity to be logged on the targeted computers. For more information, see the section titled "Remote Assistance Logging" earlier in this tutorial. Disabling this policy causes Remote Assistance auditing to be disabled on the targeted computers. The default setting is Not Configured, in which case Remote Assistance auditing is automatically turned on.
This policy is supported only on Windows Vista and later platforms.
Turn On Bandwidth OptimizationEnabling this policy causes the specified level of bandwidth optimization to be used to enhance the Remote Assistance experience over low-bandwidth network connections. Disabling this policy or leaving it Not Configured allows the system defaults to be used.
If the policy is Enabled, you must specify the level of bandwidth optimization you want to use from the following options:
  • No Optimization
  • No Full Window Drag
  • Turn Off Background
  • Full Optimization
If No Optimization is selected, the User's computer will use the Windows Basic theme with full background, and during a shared control session, the Helper will be able to drag full windows across the User's screen. Additional optimization turns off effects to allow a more responsive experience for the Helper.
This policy is supported only on Windows Vista and later platforms.

Note In Windows XP, members of the Domain Admins group are granted Helper privileges implicitly even if they are not added to the Helpers list of the Offer Remote Assistance policy setting. This is no longer the case in Windows 7 and Windows Vista, where the Domain Admins group must now be added explicitly to the Helpers list to grant them Helper privileges for Offer RA.

[Previous] [Contents] [Next]