Microsoft KB Archive/301527

= How to configure a computer to receive Remote Assistance offers in Windows Server 2003 and in Windows XP =

Article ID: 301527

Article Last Modified on 12/6/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows XP Professional

-



This article was previously published under Q301527





INTRODUCTION
This article describes how to configure a computer that is running Windows XP or Windows Server 2003 to receive Remote Assistance offers.

The Remote Assistance tool can be configured to enable an expert user to start a Remote Assistance session by using the Offer Remote Assistance feature. The Remote Assistance session lets the expert user help a novice user.

This feature requires the computer of the expert user and the computer of the novice user to be members of the same domain or members of trusted domains. Domains are used in corporate networks for security. Domains are typically managed by a network administrator. The Offer Remote Assistance feature is not a practical option for most home-based networks.

For more information about Remote Assistance, click the following article numbers to view the articles in the Microsoft Knowledge Base:

300546 Overview of Remote Assistance in Windows XP

308013 How to use the &quot;Offer Remote Assistance&quot; policy setting

Requirements
To configure the computer of the novice user to accept Remote Assistance offers, you must make sure that the following requirements are met:
 * Group Policy for the computer of the novice user must be configured to enable Remote Assistance offers.
 * The computers of the novice and expert users must be members of the same domain or members of trusted domains.
 * Both computers must have Windows XP or Windows Server 2003 installed.

To configure the Group Policies for the Remote Assistance tool, you need a list of expert users from which the computers of the novice users can accept Remote Assistance offers. This list must contain Domain User groups and Domain User accounts.

Note Experts who use Offer Remote Assistance will be unable to connect to a novice user's computer when Solicited Remote Assistance is disabled on the novice user's computer. (This problem does not occur on computers that are running Windows XP with Service Pack 2.)

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

826088 If the Solicited Remote Assistance policy is disabled, you cannot offer assistance to a Novice computer

In a domain environment, the Group Policy that is used to configure Remote Assistance is usually deployed from the Active Directory directory service. You do this by linking a group policy object (GPO) to an organizational unit (OU) in which the novice user's computer resides.

The following steps outline this configuration and assume that the OU structure is already present. As an alternative procedure, you can use the local policy on each novice user's computer. This policy is available through GPEdit.msc. However, this procedure requires much more administrative overhead, and we do not recommend it.

How to configure the Offer Remote Assistance policy setting
 Log on to a domain controller or an administrative workstation as an administrator of the domain, and then open the Active Directory Users and Computers snap-in. Right-click the OU in which the novice user's computer resides, and then click Properties. On the Group Policy tab, click New, and then enter a name for the newly created GPO. On the Group Policy tab, select the newly created GPO, and then click Edit. In the navigation pane of the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand System, and then click Remote Assistance. In the details pane of the Group Policy Object Editor, click Enabled for the Offer Remote Assistance policy. Under Permit remote control of this computer, select one of the following options: <ul> Allow helpers to only view the computer.</li> Allow helpers to remotely control the computer.</li></ul>

These options correspond to the actions that you want an expert user to take.</li> Click Show.</li> Click Add to add domain user accounts or domain user groups.

Note These entries should take one of the following formats: <ul>  \ </li>  \ </li></ul>

For example, the entry might be &quot;contoso\Domain Admins.&quot;</li> Click OK to close the Show Contents dialog box, and then click OK to close the Offer Remote Assistance Properties dialog box.</li> Close the Group Policy Object Editor.</li></ol>

Important Use caution when you populate the properties of the Offer Remote Assistance Group Policy because you cannot verify the domain accounts that you enter. We recommend that you extensively test this policy setting before you perform a large policy rollout.

Note The Offer Remote Assistance policy is not available in Windows XP Home Edition.

Note Remote Assistance uses DCOM. In Windows XP and in Windows Server 2003, the DCOM entry is located in the following registry subkey:

The String value of the DCOM entry is EnableDCOM = Y. If this value is set to &quot;N,&quot; or if this value is missing, Remote Assistance will not work.

How to configure Windows Firewall for offer-based Remote Assistance
<ol> Log on to a domain controller or an administrative workstation as an administrator of the domain, and then open the Active Directory Users and Computers snap-in.</li> Right-click the OU in which the novice user's computer resides, and then click Properties.</li> On the Group Policy tab, click New, and then enter a name for the newly created GPO.

Or, you can skip this step and go to step 4. In this case, use the policy that you created in the &quot;How to configure the Offer Remote Assistance policy setting&quot; section.</li> On the Group Policy tab, select the GPO, and then click Edit.</li> In the navigation pane of the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand System, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.</li> In the details pane of the Group Policy Object Editor, click Enabled for the Windows Firewall: Define program exceptions policy.</li> Click Show to display the Show Contents dialog box.</li> <li>Click Add to add the following exceptions: <ul> <li>%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance</li> <li>%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance</li> <li>%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance – Windows Messenger and Voice</li></ul> </li> <li>Click OK to close the Show Contents dialog box, and then click OK to close the Windows Firewall: Define program exceptions Properties dialog box.</li> <li>In the details pane of the Group Policy Object Editor, click Enabled for the Windows Firewall: Define port exceptions policy.</li> <li>Click Show to display the Show Contents dialog box.</li> <li>Click Add to add the following exception:

&quot;135:TCP:*:Enabled:Offer Remote Assistance&quot;

</li> <li>Click OK to close the Show Contents dialog box, and then click OK to close the Windows Firewall: Define program exceptions Properties dialog box.</li> <li>Close the Group Policy Object Editor.</li></ol>

How to configure the policy to enable Remote Connections

 * 1) Log on to a domain controller or an administrative workstation as an administrator of the domain, and then open the Active Directory Users and Computers snap-in.
 * 2) Right-click the OU in which the novice user's computer resides, and then click Properties.
 * 3) On the Group Policy tab, click New, and then enter a name for the newly created GPO.

Or, you can skip this step and go to step 4. In this case, use the policy that you created in the &quot;How to configure the Offer Remote Assistance policy setting&quot; section.
 * 1) On the Group Policy tab, select the GPO, and then click Edit.
 * 2) In the navigation pane of the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Terminal Services.
 * 3) In the details pane of the Group Policy Object Editor, click Enabled for the Allow users to connect remotely using Terminal Services policy.
 * 4) Click OK to close the Allow users to connect remotely using Terminal Services Properties dialog box.
 * 5) Close the Group Policy Object Editor.

Additional considerations
Remote assistance relies on full network connectivity between the expert user's computer and the novice user's computer over the following network ports:
 * TCP port 135
 * TCP port 3389
 * All TCP ports that are greater than 1024

If port filtering exists for any of these ports between the two computers, Remote Assistance will not work.

For more information about how to restrict the ports that are required for RPC, click the following article number to view the article in the Microsoft Knowledge Base:

300083 How to restrict TCP/IP ports on Windows 2000 and Windows XP

Keywords: kbhowtomaster kbenv KB301527

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.