Why you need Support Assist
The short answer is that there will always be users who need Help Desk assistance.
Take the following scenarios:
- End users who are not allowed to install software at all (both Run As Admin and Admin Sessions disabled).
- End users who don't know where to get the software they need to use.
- End users who are not IT savvy enough to self-service.
- End users who refuse to take on the responsibility of installing software on their work computer, knowing they will be audited.
An example of the first scenario could be in Customer Relations, where users do not need to install software by default.
On the off chance that they do, they have to call your Help Desk. If the request is accepted by the Help Desk, a Help Desk employee will help using screen sharing with the end user.
Let's take this scenario and say Customer Relation employee, Jim, calls Paul at the Help Desk to assist.
There are a couple of ways the problem could be solved without the Support Assist feature, with or without Admin By Request:
- Paul could have a local administrator account to all computers. However, this is an absolute security no-no and there is no auditing.
- You could have Microsoft's Local Administrator Password System (LAPS) in place, but this also lacks proper auditing and doesn't work without a LAN or VPN connection.
- Jim and Paul could agree to use the Admin By Request feature Run As Admin and use Jim's credentials, but then Jim gets audited for Paul's changes.
- Paul could log on and use Run As Admin, but then Paul gets audited for Jim's request and furthermore, Jim cannot see Paul executing the request.
Ideally, Paul should execute the request with Jim watching and the auditing clearly showing that Jim was requesting the change and Paul was executing.
If you have a change management or ticking system, you would also want a reference to document this change.
This is exactly what the Remote Assist feature does. You can see clearly in the Auditlog that Paul executed Jim's change request with the reference (Trace No) 32794713:
How the Support Assist feature works
When Paul needs to help Jim, he clicks the system tray icon and navigates to -> About -> Connectivity -> Support sign-in.
The reason this is not a right-click tray menu is that there is no reason to invite users to use it; this is explained further down.
When Paul clicks this button, he would see the Windows Security "Run as different user" dialog box::
Once the credentials are entered, Jim is logged in to Windows and Paul is logged in to Admin By Request.
A timer similar to the Admin Session timer starts with the purpose of ensuring that that if Paul forgets to sign out, Jim is aware of this.
Jim cannot use his credentials as long as Paul is signed in to Admin By Request..
Is it dangerous if a user finds and clicks this button? No. Think of Support Assist this way:
For Paul, it is essentially the same as logging in to Windows: whatever Admin By Request settings are in effect for Paul are also in effect when he uses Support Assist.
For example, if Paul is not allowed to start an Admin Session, he is also not allowed to while using Support Assist.
Think of Support Assist as a shortcut to logging in to Windows and starting Admin By Request.
If someone who is not from the Help Desk uses this feature, nothing is achieved as this would be the same as if this user was logging in to Windows.
If you have questions that haven’t been answered on this page, please contact us using the chat or the contact menu at the top of the page.
TIP! This blog
also goes through Support Assist from a more practical perspective.