The Issue: When trying to connect from a Windows 7 Enterprise computer to another Windows 7 Enterprise computer using the Advanced Help Desk Option it hangs at "attempting to connect" and the user never receives the accept connection prompt. Whats strange is that on the target computers machine the msra.exe process is initiated when the "expert" computer attempts to make the connection, but again the target computer never pops up with the accept prompt. The Setup: We are currently running a domain environment with windows 2008 servers and have captured a windows 7 image (using sys prep) and deployed that image to computers on our network. We have setup the appropriate users in the offer remote assistance groups. We have disabled all firewalls on the computers. Additional Information: To test our network environment and GPO's we have installed an out of the box windows 7 enterprise os on 2 computers and placed them in the same location in AD as other computers on the network. These vanilla Win 7 boxes can send/receive remote assistance requests (still using the advaned helpdesk option) just fine and without any issues. Also, these vanilla Win 7 machines can send a request to the captured windows 7 computers and those computers are getting the accept connection prompt. But when these captured windows 7 computers attempt to send a remote assistance request to the vanilla windows 7 machines those computers are not getting the accept prompt. So to sum this up... - Sending from Captured Win 7 to Captured Win 7 = no accept prompt, but msra.exe in task manager - Sending from Vanilla Win 7 to Vanilla Win 7 = accept prompt and works just fine - Sending from Captured Win 7 to Vanilla Win 7 = no accept prompt, but msra.exe in task manager - Sending from Vanilla Win 7 to Captured Win 7 = accept promp and works just fine - All computers have the same resultant set of gpo's, all apart of the same domain/subnet, firewalls have all been disabled (although the appropriate ports have been enabled through gpo's).

What do you mean by the ports have been enabled? If the firewall is off, then the ports shouldn't be able to be blocked or allowed... What anti-virus are you running?

Thank you for the response Allen and I apologize for the confusion. The firewall is off on the machines so you are absolutely correct that the ports opened/closed is irrelevant. I should have thrown an "as a side note" before the port information. I was simply meaning that when the firewall is turned on the correct ports are open and I get the same results as when the firewall is turned off. Symantec is installed on the captured windows 7 image, but is disabled when testing remote access. No antivirus is installed on the vanilla windows 7 machines. As an update, I just attempted a full uninstall of the symantec antivirus from a captured windows 7 image and still experience the same issue.

Just to test, uninstall symantec from the machines and use the removal tool provided by them. Then try to connect again.

Wow, very fast response! :) I did attempt to do a full uninstall of symantec and was still unable to connect from the captured windows 7 computer.

do you know anything else that is different between the computers?there must be something interfering... I know this sounds stupid, but just verify that the remote assistance boxes are checked.

I don't know what else could be different that would cause this particular issue, but I absolutely agree with you that something has to be different between the systems. And no worries on the request, at this point double/triple checking even the basics might be what it takes to resolve this. I did confirm under the remote settings that remote access is enabled and the appropriate users/groups are setup as helpers.

How about trying to use remote desktop to check and see if we can get any kind of remote access. Since you are running Enterprise you can do that.

My apologies, thats something I should have mentioned before. All other domain network connectivity seems to be available, including access to shared folders and remote desktopping between machines. Also, it does appear the machines are in some way communicating between eachother when attempting to establish a remote assistance connection as the target computer does have the msra.exe application in the task manager as soon as the expert computer attempts to establish the connection. Its just that when a captured windows 7 computer is the one attempting to connect no accept prompt is displayed on the target computer.

That is very weird... Try this as a test: Use an invitation file sent via email. See if you can connect that way.

Just attempted that and the results are the same for all systems: - Sending from Captured Win 7 to Captured Win 7 = no accept prompt, but msra.exe in task manager - Sending from Vanilla Win 7 to Vanilla Win 7 = accept prompt and works just fine - Sending from Captured Win 7 to Vanilla Win 7 = no accept prompt, but msra.exe in task manager - Sending from Vanilla Win 7 to Captured Win 7 = accept promp and works just fine

That is very odd... Can you provide a list of software on the computer? Also, from one of the computers that aren't allowing the remote assistance, post the output of netstat -a

Installed Applications: Vanilla Windows 7, no installed applications Captured Windows 7, Adobe, Java, and Office. Netstat results: Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:135 #ComputerName#:0 LISTENING TCP 0.0.0.0:445 #ComputerName#:0 LISTENING TCP 0.0.0.0:3389 #ComputerName#:0 LISTENING TCP 0.0.0.0:5357 #ComputerName#:0 LISTENING TCP 0.0.0.0:49152 #ComputerName#:0 LISTENING TCP 0.0.0.0:49153 #ComputerName#:0 LISTENING TCP 0.0.0.0:49154 #ComputerName#:0 LISTENING TCP 0.0.0.0:49174 #ComputerName#:0 LISTENING TCP 0.0.0.0:49193 #ComputerName#:0 LISTENING TCP 0.0.0.0:51350 #ComputerName#:0 LISTENING TCP #.#.#.125:139 #ComputerName#:0 LISTENING TCP #.#.#.125:445 #ComputernameRemotedConnectedFrom#:54830 ESTABLISHED TCP #.#.#.125:3389 #ComputernameRemotedConnectedFrom#:59841 ESTABLISHED TCP #.#.#.125:54876 #DCName#:epmap ESTABLISHED TCP #.#.#.125:54877 #DCName#:49155 ESTABLISHED TCP [::]:135 #ComputerName#:0 LISTENING TCP [::]:445 #ComputerName#:0 LISTENING TCP [::]:3389 #ComputerName#:0 LISTENING TCP [::]:5357 #ComputerName#:0 LISTENING TCP [::]:49152 #ComputerName#:0 LISTENING TCP [::]:49153 #ComputerName#:0 LISTENING TCP [::]:49154 #ComputerName#:0 LISTENING TCP [::]:49174 #ComputerName#:0 LISTENING TCP [::]:49193 #ComputerName#:0 LISTENING TCP [::]:51350 #ComputerName#:0 LISTENING UDP 0.0.0.0:123 *:* UDP 0.0.0.0:500 *:* UDP 0.0.0.0:3702 *:* UDP 0.0.0.0:3702 *:* UDP 0.0.0.0:4500 *:* UDP 0.0.0.0:5355 *:* UDP 0.0.0.0:56631 *:* UDP #.#.#.125:137 *:* UDP #.#.#.125:138 *:* UDP #.#.#.125:1900 *:* UDP #.#.#.125:59944 *:* UDP 127.0.0.1:1900 *:* UDP 127.0.0.1:58256 *:* UDP 127.0.0.1:59945 *:* UDP 127.0.0.1:60721 *:* UDP 127.0.0.1:62116 *:* UDP [::]:123 *:* UDP [::]:500 *:* UDP [::]:3702 *:* UDP [::]:3702 *:* UDP [::]:4500 *:* UDP [::]:5355 *:* UDP [::]:56632 *:* UDP [::1]:1900 *:* UDP [::1]:59943 *:* UDP [fe80::c57d:bde9:9267:2d35%11]:1900 *:* UDP [fe80::c57d:bde9:9267:2d35%11]:59942 *:*

Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:3389 #ComputerName#:0 LISTENING This would be the remote desktop... As a test, try to disable remote desktop and only allow remote assistance.

Same results unfortunately.

very odd... Are you sure that windows firewall is off?

I believe it is yes. I am disabling it from the control panel -> Security -> status, then turning it off. I also visibly see the notification balloon inform me it is turned off and that I am no longer protected.

Then yeah, it is off... Are there any third party programs on the computer that do the same function?

not that I'm aware of no. Just to double check I went through installed programs and a list of services on the machine. As a side note, I also confirmed the msra.exe file on all machines were of the same version number. Don't know if this even changes from machine to machine, but figured it couldn't hurt to check.

Alright... I'm starting to think it is a Group Policy issue... Perhaps check this article http://support.microsoft.com/kb/301527. It is for XP/Server 2003, but should work with 7/server 2008

I've also been thinking it may be a group policy issue, possibly something enforced on the captured image that is not on the vanilla image. I have compared the resultant set of policies though and didn't notice any differences (that I was aware of at least). Having said that I did reference the article you mentioned and unfortunately it didn't resolve the issue. Just to ensure I didn't miss anything here are the following items I confirmed/updated: - Ensured the Allow remote assistance policy gpo is configured appropriately with the necessary users listed as helpers (also when sending/receiving remote assistance requests I am using the same account) - Ensured the EnableDCOM regestry setting is set correctly to "Y" and not "N" - Ensured the appropriate exceptions were added to the firewall (although I do disable the firewall completely when testing) - I did not see the Terminal Services Section mentioned in the last part mentioning how to enable remote connections (possibly something removed/moved in server 08), but I have configured similiar settings elsewhere and have confirmed the check box to enable remote connections is selected for all computers I have been testing.

Perhaps try to disable UAC temporarily and see if that helps at all. Is Enable Solicited Remote Access enabled?

Enable Solicited (and Unsolicited Remote Access) is enabled. Disabling UAC (from the computer -> policies -> windows settings -> security -> local policy -> security options) and same results.

Very weird... There must be an error in the config or a program interfering... what other programs do you have installed?

No other programs that I'm able to see through the program files and no different services listed between the machines.

The imaged computers don't have any other software installed? Then it must be something from group policy... I"ll have to look on my server 2008 R2 when I get by the machine...

Alright... make sure that Offer Remote Assistance is enabled, Solicited remote assistance is enabled, and then try to turn on Allow only Vista or later connections. Try this under the computer configuration instead of user configuration. Make sure that the group policy is updated.

I do have to say how much I appreciate your determiniation in trying to resolve this issue. :) I did ensure the offer remote assistance is enabled, for both solicited and unsolicited remote assistance, I also ensured only vista or later connections was turned on. I then performed a gpupdate /force from the computers to update the group policy. Unfortunately still the same issue. I'm not sure what else could be going on here...

I'm not sure either... there is only one more thing i can think of, do you have separate VLANs implemented on your network? Perhaps post the output of ipconfig /all from one of the machines that works and then one that doesn't work.

I did take a look the ipconfig /all of the computers as well as the switch they are all connected to. No seperate vlans, the computers can all communicate to eachother as well. Remote desktop eachother and even when attempting a remote assistance connection the msra.exe process is intiated under the task manager of the target computer. So I know its at least getting that far, its just no prompt is ever displayed.

Perhaps check out this link: http://windows.microsoft.com/en-us/windows7/Windows-Remote-Assistance-frequently-asked-questions?SignedIn=1

Thank you for providing link, unfortunately the solutions it included didn't resolve the issue.

I'm sorry to say that I don't know any other things that can be causing it... There has to be something on the image that is different from the normal install machines...

No apologies needed, you gave a lot of very helpful troubleshooting steps and I appreciate you taking the time to work with me on the issue. I definitely agree with you that something impactful is different on the image, its just a matter of what. I will keep working on it from my, but if there are any additional things I should consider I'm all ears.

Hi, Have you checked this Group Policy setting? Computer Configuration --> Administrative Templates --> System --> Remote Assistance --> Offer Remote Assistance --> EnabledKim Zhou TechNet Community Support

Thank you for the suggestion. I did just confirm that setting is enabled with the appropriate groups and users configured to offer remote assistance.

Hi, Actually remote assistance isn't supported with FIPS enabled, so please double confirm whether the FIPS is enabled or not. You can disable FIPS via computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing group policy. In addition, please also refer the this KB:http://support.microsoft.com/kb/811833 Regards, Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Peterson, I really appreciate that information, especially right when I was about to give up on fixing remote assistance. Sometimes gpo's we are unfamiliar with can impact programs in unexpected ways. I will commit this bit of knowledge to memory, but again thank you very much for the fix! :) Also, I appreciate the additional troubleshooting and assistance everyone else provided as well. Definitely a very helpful community. Austin