Specifies whether or not a support person or IT administrator (the "expert") can offer remote assistance to this computer ...

"Specifies whether or not a support person or IT administrator (the "expert") can offer remote assistance to this computer without a user explicitly requesting it first via a channel, e-mail, or Windows Messenger. If you use Windows Firewall in your organization, depending on the kind of operating system installed on the computer, you might also need to configure certain firewall policies for Offer Remote Assistance to work.

Using this policy setting, an expert can offer remote assistance to this computer.

The expert cannot connect to the computer unannounced or control it without permission from the user. When the expert tries to connect, the user is still given a chance to accept or deny the connection (giving the expert view-only privileges to the user's desktop), and thereafter the user has to explicitly click a button to give the expert the ability to remotely control the desktop, if remote control is enabled.

If you enable this policy setting, Remote Assistance can be offered to users logged on to the computer. You have two options for how experts, or "helpers," can provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." In addition to making this selection, when you configure this policy setting you also specify the list of users or user groups that will be allowed to offer remote assistance. These are known as "helpers."

To configure the list of helpers, click "Show." This opens a new window where you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format:

\ or

\

For all the computers in your organization, add the following entry to the policy setting "Windows Firewall: Define port exceptions":

135:TCP:*:Enabled:Offer Remote Assistance

For all the computers, add the following entries to the policy setting "Windows Firewall: Define program exceptions":

%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance

%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance – Windows Messenger and Voice

For the computers running the Windows Server 2003 Service Pack 1 (SP1) operating system in your organization, enable the policy setting "Windows Firewall: Allow Remote Desktop Exception".

For computers running the Windows XP Service Pack 2 (SP2) and Windows XP 64-bit Service Pack 1 (SP1) operating systems, add the following entry to the policy setting, "Windows Firewall: Define program exceptions":

%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance

Note: Enabling the "Allow Remote Desktop Exception" policy setting will work for computers running all versions of Windows on which this policy setting is supported, but it will leave port 3389 constantly open. By configuring a program exception for Sessmgr.exe, port 3389 will be opened and closed dynamically on computers running the Windows Server XP SP2 and Windows XP 64-bit SP1 operating systems. However, the Sessmgr.exe exception will not work for the Windows Server 2003 SP1 operating system; instead, the "Allow Remote Desktop Exception" policy setting must be configured.

If you disable or do not configure this policy setting, users or groups cannot offer unsolicited remote assistance to this computer."
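An added example, not part of the original policy text: a small Python linter for the firewall exception strings listed above, useful for catching malformed entries and any-source scopes before they are deployed. It assumes the field layout port:transport:scope:status:name for port exceptions and path:scope:status:name for program exceptions; the function names and the sample entries marked as constructed are illustrative.

```python
def parse_port_entry(entry):
    """Split 'port:transport:scope:status:name' (assumed field order)."""
    parts = entry.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields: {entry!r}")
    return dict(zip(("port", "transport", "scope", "status", "name"), parts))


def parse_program_entry(entry):
    """Split 'path:scope:status:name' from the right, because the path
    itself may contain a drive-letter colon (C:\\...)."""
    parts = entry.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields: {entry!r}")
    return dict(zip(("path", "scope", "status", "name"), parts))


def lint(fields):
    """Return a list of findings for one parsed entry."""
    findings = []
    for key, value in fields.items():
        if value != value.strip():
            findings.append(f"{key}: stray whitespace in {value!r}")
    # '*' is the scope used in the policy text; 'localsubnet' is narrower.
    if fields["scope"].strip() == "*":
        findings.append("scope: '*' admits traffic from any source address")
    if fields["status"].strip().lower() not in ("enabled", "disabled"):
        findings.append(f"status: unexpected value {fields['status']!r}")
    if "port" in fields:
        port = fields["port"].strip()
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(f"port: invalid value {port!r}")
        if fields["transport"].strip().upper() not in ("TCP", "UDP"):
            findings.append(f"transport: unexpected value {fields['transport']!r}")
    return findings


if __name__ == "__main__":
    print(lint(parse_port_entry("135:TCP:*:Enabled:Offer Remote Assistance")))
    # Constructed variant with stray spaces after the colons.
    print(lint(parse_program_entry(
        r"%WINDIR%\SYSTEM32\Sessmgr.exe:*: Enabled: Remote Assistance")))
    # Constructed entry: drive-letter path and a subnet-limited scope.
    print(lint(parse_program_entry(
        r"C:\Tools\helper.exe:localsubnet:Enabled:Example")))
```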