Managing Remote Assistance Using Group Policy
In an enterprise environment, Remote Assistance can be managed using Group Policy. The policy settings for Remote Assistance are all machine settings and are found in the following policy location:
Computer Configuration\Policies\Administrative Templates\System\Remote Assistance
When these policy settings are written to the registry on targeted computers, they are stored under the following registry key:
HKLM\SOFTWARE\Policies\Microsoft\WindowsNT\Terminal Services
Remote Assistance policy settings are summarized in Table below.
Group Policy Settings for Remote Assistance
| Policy | Description |
| Solicited Remote Assistance | Enabling this policy allows users of targeted computers to use Solicited RA to request assistance using e-mail, file transfer, or IM. Disabling this policy
prevents users from using Solicited RA. The default setting is Not Configured, which allows users to change their Remote Assistance settings using
the Remote tab of the System item in Control Panel. If the policy is Enabled, you can further configure whether Helpers can be prevented from sharing control of the User's computer, the maximum ticket lifetime, and the method used for sending invitations by e-mail. (Windows 7 does not support the MAILTO method-select SMAPI instead if the targeted computers are running Windows 7.) Ticket lifetime applies only to Remote Assistance invitations sent by e-mail or file transfer. The default ticket lifetime when Group Policy is not being used is six hours. If this policy is Enabled, you must also enable the Remote Assistance exception in Windows Firewall to allow Solicited RA to work. In an unmanaged environment, this setting can also be configured using the Remote tab of the System CPL in Control Panel. This policy is also supported on Windows XP Professional and Windows Server 2003. |
| Offer Remote Assistance | Enabling this policy allows designated Helpers to use Offer RA to offer assistance to users of targeted computers. Disabling this policy or leaving
it Not Configured prevents Offer RA from being used to offer assistance to users of targeted computers. If the policy is Enabled, you can further configure whether Helpers can view or control the Users' computers, and you must specify a list of Helpers who are allowed to Offer RA to the users of the targeted computers. Helpers can be either users or groups and must be specified in the form domain_name\username or domain_name\groupname. If this policy is Enabled, you must also enable the Remote Assistance exception in Windows Firewall to allow Offer RA to work. (In Windows 7, the Remote Assistance exception is open by default for the domain firewall profile.) This policy is also supported on Windows XP Professional and Windows Server 2003. See the Explain tab of this policy setting for more details. |
| Allow Only Vista Or Later Connections | The default Windows 7 invitation file includes an XP-specific node for backward compatibility. This node is not encrypted and allows Windows XP
computers to connect to the Windows 7 computer that created the ticket. Enabling this policy causes all Remote Assistance invitations generated by users of targeted computers to not include the XP node, thereby providing
an additional level of security and privacy. Disabling this policy or leaving it Not Configured leaves information such as IP address and port number unencrypted in Remote Assistance invitations This policy setting applies
only to Remote Assistance invitations sent using e-mail or file transfer and has no effect on using IM to solicit assistance or on using Offer RA to offer assistance. In an unmanaged environment, this setting can also be configured by clicking Advanced from the Remote tab of the System Properties dialog box. This policy is supported only on Windows Vista and later platforms. |
| Customize Warning Messages | Enabling this policy causes a specified warning to be displayed on targeted computers when a Helper wants to enter Screen Sharing state or Control
Sharing state during a Remote Assistance session. Disabling this policy or leaving it Not Configured causes the default warning to be displayed in each instance. If the policy is Enabled, you can further specify the warning message to be displayed in each instance. This policy is supported only on Windows Vista and later platforms. |
| Turn On Session Logging | Enabling this policy causes Remote Assistance session activity to be logged on the targeted computers. For more information, see the section titled "Remote
Assistance Logging" earlier in this tutorial. Disabling this policy causes Remote Assistance auditing to be disabled on the targeted computers. The default setting is Not Configured, in which case Remote Assistance auditing
is automatically turned on. This policy is supported only on Windows Vista and later platforms. |
| Turn On Bandwidth Optimization | Enabling this policy causes the specified level of bandwidth optimization to be used to enhance the Remote Assistance experience over low-bandwidth
network connections. Disabling this policy or leaving it Not Configured allows the system defaults to be used. If the policy is Enabled, you must specify the level of bandwidth optimization you want to use from the following options:
This policy is supported only on Windows Vista and later platforms. |
Note In Windows XP, members of the Domain Admins group are granted Helper privileges implicitly even if they are not added to the Helpers list of the Offer Remote Assistance policy setting. This is no longer the case in Windows 7 and Windows Vista, where the Domain Admins group must now be added explicitly to the Helpers list to grant them Helper privileges for Offer RA.
In this tutorial:
- Supporting Users with Remote Assistance
- Understanding Remote Assistance
- Remote Assistance vs. Remote Desktop
- Improvements to Remote Assistance in Windows 7
- How Remote Assistance Works in Windows
- Remote Assistance Operational States
- User vs. Helper Functionality
- Remote Assistance and NAT Traversal
- Remote Assistance and IP Ports Used
- Remote Assistance and Windows Firewall
- Remote Assistance and the Secure Desktop
- Remote Assistance Logging
- Purpose of Remote Assistance Session Logging
- Session Log Path and Naming Convention
- Using Remote Assistance in the Enterprise
- Using Remote Assistance in the Corporate Help Desk Environment
- Other Possible Remote Assistance Usage Scenarios
- Interoperability with Remote Assistance in Windows Vista
- Interoperability with Remote Assistance in Windows XP
- Implementing and Managing Remote Assistance
- Initiating Remote Assistance Sessions
- Initiating Remote Assistance from the GUI
- Initiating Remote Assistance from the Command Line
- Managing Remote Assistance Using Group Policy
- Configuring Remote Assistance in Unmanaged Environments
- Additional Registry Settings for Configuring Remote Assistance