This chapter covers remote support tools and techniques, a critical topic for the CompTIA A+ Core 2 (220-1102) exam. Remote support enables IT professionals to troubleshoot and resolve issues on end-user devices without being physically present, saving time and reducing downtime. This topic appears in roughly 10-15% of Operational Procedures questions, and you must know the features, security considerations, and appropriate use cases for each tool. We will explore remote desktop protocols, third-party tools, command-line options, and best practices for secure remote support.
Imagine you are a locksmith who needs to fix a lock on a door inside a secure building. The building has a strict security guard at the entrance who only allows entry to people on a pre-approved list. You are not on the list, but the building manager trusts you. The manager can either give you a temporary badge that lets you walk in (like a VPN), or they can stand at the door, describe the lock to you, and relay your instructions for fixing it (like remote desktop sharing). Alternatively, the manager could install a special camera and robotic arm that you control remotely from your van (like a remote access tool). Each method has trade-offs: the temporary badge gives you full access but could be abused; the relay method is slow and error-prone; the robotic arm requires expensive equipment. In IT, remote support tools work similarly: VPNs grant network-level access, screen-sharing tools let you see and control but require a user present, and dedicated remote access tools (like TeamViewer or RMM) provide persistent, unattended access with authentication and logging. The key is matching the tool to the level of trust, security, and automation needed.
What is Remote Support and Why It Exists
Remote support refers to any technology that allows an IT technician to connect to and control a user's computer from a different location. The primary goal is to diagnose and fix problems without a site visit, which reduces mean time to repair (MTTR) and support costs. For the 220-1102 exam, you need to understand the different categories of remote support tools, their security implications, and when to use each.
Remote Desktop Protocol (RDP)
RDP is Microsoft's proprietary protocol for remote desktop access, built into Windows. It uses TCP port 3389 by default. RDP allows a client to connect to a remote Windows machine and see the full graphical desktop. The connection is encrypted using TLS or CredSSP (Credential Security Support Provider) starting from Windows Vista/2008. RDP supports network-level authentication (NLA), which requires the user to authenticate before a session is established, reducing the attack surface.
Key features tested on the exam:
RDP is available in Windows Pro, Enterprise, and Education editions—not in Windows Home.
By default, RDP is disabled; you enable it via System Properties > Remote tab.
Remote Desktop Connection (mstsc.exe) is the client.
RDP can be configured to allow connections only from specific IP addresses via Windows Firewall.
Group Policy can enforce NLA and session timeouts.
Security considerations:
RDP is a common attack vector; it should never be exposed directly to the internet without a VPN or RD Gateway.
Use strong passwords and enable NLA.
Limit the number of concurrent sessions (default is 2 for administrative purposes, but can be increased with RD Licensing).
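The settings listed above can be read back from a host to confirm how it is actually configured. This read-only audit is an added example, not part of the original chapter; it assumes an elevated PowerShell session on English-language Windows (the firewall group and local group names are localized).

```powershell
# Added example: read-only audit of the local RDP host configuration.
# Assumes an elevated session on English-language Windows.

$ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means the host accepts incoming RDP connections.
$rdpEnabled  = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
# UserAuthentication = 1 means Network Level Authentication is required.
$nlaRequired = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1
$port        = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber
$service     = (Get-Service -Name TermService).Status

# Enabled inbound allow rules in the built-in "Remote Desktop" firewall group,
# with the source addresses each one accepts ("Any" = every source).
$rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ', '
        }
    })

# Accounts allowed to log on over RDP in addition to local administrators.
$members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object -ExpandProperty Name)

$findings = @()
if ($rdpEnabled -and -not $nlaRequired) {
    $findings += 'RDP is enabled but NLA is not required.'
}
if ($rdpEnabled -and ($rules | Where-Object { $_.RemoteAddress -eq 'Any' })) {
    $findings += 'An enabled firewall rule accepts RDP from any source address.'
}
if ($port -ne 3389) {
    # The built-in rules cover 3389 only; a changed port needs its own scoped rule.
    $findings += "Listener uses port $port; confirm a scoped firewall rule exists for it."
}

[pscustomobject]@{
    RdpEnabled         = $rdpEnabled
    NlaRequired        = $nlaRequired
    Port               = $port
    TermService        = $service
    FirewallRules      = $rules
    RemoteDesktopUsers = $members
    Findings           = $findings
} | Format-List
```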
Third-Party Remote Support Tools
These tools are often used when RDP is not available (e.g., Windows Home) or when you need cross-platform support. Common examples include:
TeamViewer: Uses a unique ID and password for each session. It can be used for unattended access with a permanent password. It uses AES-256 encryption and is free for personal use.
AnyDesk: Similar to TeamViewer, uses a 9-digit address. Employs TLS 1.2 encryption.
VNC (Virtual Network Computing): Uses RFB (Remote Framebuffer) protocol. Typically uses port 5900. VNC is platform-independent but less secure; it often requires a VPN or SSH tunnel for encryption.
Splashtop: Uses a streamer on the host and a client. It offers high performance and is popular for remote desktop in business.
Remote Utilities: Uses a host and viewer model, with an ID-based connection.
Exam focus: Know the default ports (3389 for RDP, 5900 for VNC, 80/443 for web-based tools). Understand that third-party tools often bypass firewalls by using outbound connections to a relay server, making them easier to deploy in restrictive networks.
Remote Monitoring and Management (RMM)
RMM is a category of software used by managed service providers (MSPs) to remotely monitor and manage multiple endpoints. Features include remote control, patch management, scripting, and alerting. Examples: ConnectWise Automate, Kaseya, NinjaRMM. RMM agents are installed on endpoints and communicate with a central server. The exam may ask about RMM in the context of remote support for business environments.
Command-Line Remote Support Tools
SSH (Secure Shell): Primarily for Linux/Unix, but also available on Windows via OpenSSH (optional feature). Uses TCP port 22. Provides encrypted command-line access. For the exam, know that SSH is a secure alternative to Telnet (port 23, unencrypted).
Telnet: Unencrypted, rarely used today. Still tested as a legacy protocol.
Remote PowerShell (WinRM): Uses HTTP (5985) or HTTPS (5986). Allows remote management of Windows machines via PowerShell cmdlets. Requires proper configuration of WinRM (Enable-PSRemoting).
Security Best Practices for Remote Support
Principle of Least Privilege: Only grant the access needed for the task. For example, don't give full admin rights if a standard user session suffices.
Authentication: Use strong passwords, multi-factor authentication (MFA), or certificate-based authentication.
Encryption: Ensure all remote connections are encrypted. RDP uses TLS; third-party tools should use at least AES-128.
Session Logging: Log all remote sessions for audit trails.
Time-Limited Access: Use one-time passwords or session timeouts to limit exposure.
Firewall Rules: Restrict inbound RDP to specific IP addresses or use a VPN.
Consent: For attended support, the user should always be aware and consent to the session.
How Remote Support Tools Interact with Related Technologies
VPN: A VPN creates an encrypted tunnel to the corporate network, allowing RDP or other remote tools to work as if the technician is on the local LAN. VPNs are often used when direct exposure of RDP to the internet is prohibited.
RDP Gateway: Acts as a proxy, allowing RDP connections to internal machines without a VPN. It uses HTTPS (443) to tunnel RDP traffic.
Firewall: Remote support tools must be allowed through firewalls. For RDP, allow TCP port 3389 inbound, restricted to the VPN range or specific source IP addresses rather than the whole internet. Third-party tools usually make outbound connections to a relay server, so only outbound HTTP/HTTPS (80/443) is needed.
Group Policy: Can enforce RDP settings, NLA, session timeouts, and client restrictions.
Remote Support Techniques
Unattended vs. Attended Support: Unattended support (e.g., RDP with saved credentials, TeamViewer with permanent password) allows access without a user present. Attended support requires the user to be at the computer to grant permission (e.g., TeamViewer one-time session).
Screen Sharing: The technician can see the user's screen; often combined with remote control.
File Transfer: Many tools allow transferring files between technician and user.
Chat: Built-in chat for communication during support.
Reboot and Reconnect: Some tools can survive a reboot and automatically reconnect.
Common Remote Support Scenarios on the Exam
A user cannot connect to the internet. You use RDP to access their machine and troubleshoot network settings.
A user has a Windows Home edition. You cannot use RDP, so you use TeamViewer or Quick Assist.
A remote office needs support. You use an RMM agent to connect without user intervention.
You need to run a command on a Linux server. You use SSH.
Quick Assist (Windows 10/11)
Quick Assist is a built-in Windows tool for remote assistance. It allows a user to share their screen with a helper via a security code. It uses HTTPS and is firewall-friendly. It is available in all Windows editions. The exam may ask about Quick Assist as an alternative to third-party tools for ad-hoc support.
Remote Desktop Web Client
Allows RDP access via a web browser, useful for environments where installing a client is not possible. It requires RD Gateway and RD Web Access.
Troubleshooting Remote Support
Connection fails: Check firewall rules, ensure the service is running (TermService for RDP), verify credentials.
Slow performance: Reduce color depth, disable wallpaper, use lower resolution.
Authentication errors: Enable NLA, check if the user account is allowed (Remote Desktop Users group).
License issues: RDP requires appropriate licenses for more than two concurrent sessions.
Exam-Specific Numbers and Defaults
RDP default port: 3389 TCP
VNC default port: 5900 TCP
SSH default port: 22 TCP
Telnet default port: 23 TCP
WinRM HTTP: 5985, HTTPS: 5986
RDP available in: Windows Pro, Enterprise, Education (not Home)
RDP maximum concurrent sessions without RD Licensing: 2
Quick Assist: Uses HTTPS (443)
TeamViewer: Uses outgoing connections on 80, 443, and 5938
Conclusion
Remote support is a vital skill for A+ certified professionals. You must be able to choose the appropriate tool based on the operating system, network environment, security requirements, and whether the support is attended or unattended. The exam will test your knowledge of default ports, edition limitations, and security best practices.
Identify the Support Scenario
Determine whether the support is attended or unattended, the OS edition (Home vs Pro), network restrictions, and the level of access needed. For example, if the user is present and willing to grant permission, you can use Quick Assist or a one-time TeamViewer session. If the user is remote and not available, you may need RDP (if Pro) or an RMM agent. This step sets the foundation for tool selection.
Choose the Appropriate Tool
Based on the scenario, select a tool. For Windows Pro, RDP is often the first choice. For Windows Home, use Quick Assist or a third-party tool like TeamViewer. For cross-platform, VNC or SSH may be suitable. For managed environments, use RMM. Consider security: avoid exposing RDP to the internet without a VPN. The exam expects you to know which tool works with which OS edition.
Establish the Connection
For RDP, the technician uses mstsc.exe and enters the IP or hostname. The client initiates a TCP connection to port 3389. The server responds with a certificate for TLS encryption. The user authenticates via NLA. For third-party tools, the user runs the client and provides a session ID or code to the technician. The tool connects via a relay server if direct connection fails. For SSH, the technician uses an SSH client to connect to port 22, authenticating with password or key.
Perform Troubleshooting or Maintenance
Once connected, the technician can view the desktop (RDP, VNC, TeamViewer) or command line (SSH). They can run diagnostic tools, edit settings, transfer files, or reboot the system. If the connection drops, some tools (like RMM) can automatically reconnect. The technician should communicate with the user if attended. All actions should be logged for audit.
Terminate the Session Securely
After completing the task, the technician should log off or disconnect. For RDP, closing the client ends the session (or disconnects, leaving the session running). For best security, log off the user account. For third-party tools, click 'End Session'. Ensure that any saved credentials or permanent access are revoked if no longer needed. The exam emphasizes the importance of closing remote sessions to prevent unauthorized access.
Enterprise Scenario 1: MSP Supporting SMB Clients
A managed service provider (MSP) supports 50 small businesses, each with 10-30 workstations. They deploy an RMM agent (e.g., ConnectWise Automate) on every machine. The agent runs as a service and communicates outbound over HTTPS (443) to the RMM server, bypassing most firewalls. When a client reports an issue, the technician opens the RMM console, selects the computer, and initiates a remote control session. The RMM uses a proprietary protocol over TLS. The technician can also run scripts, push patches, and monitor performance. Common problems: agents go offline if the machine is off or network is down; the technician must wait for the agent to reconnect. Scaling: The RMM server must handle thousands of concurrent sessions; load balancing is used. Misconfiguration: If the agent's outbound port is blocked, the machine becomes unmanageable. The MSP uses a backup VPN for critical clients.
Enterprise Scenario 2: Corporate IT Supporting Remote Employees
A company with 500 remote employees uses Windows 10 Enterprise laptops. IT enables RDP with NLA and restricts inbound RDP to the corporate VPN IP range. Employees connect to the VPN first (using SSTP or IKEv2), then IT uses RDP to access the laptop. For users without admin rights, IT uses Remote Assistance (Windows built-in) or Quick Assist for one-time issues. The helpdesk uses a ticketing system that integrates with RDP shortcuts. Performance: RDP over VPN can be slow due to encryption overhead; they enable RemoteFX for graphics acceleration. Security: They disable RDP on laptops when not in use via Group Policy. They also log all RDP connections. A common issue: users forget to connect to VPN first, resulting in failed RDP attempts. IT educates users to always connect VPN before requesting support.
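Logging RDP connections only helps if the log is reviewed against the rule that RDP should arrive from the VPN range. The following is an added example, not part of the original chapter: it lists Security log event 4624 entries with logon type 10 (RemoteInteractive) whose source address falls outside an approved subnet. The subnet 10.8.0.0/24 and the function name Test-InSubnet are assumptions for illustration.

```powershell
# Added example: list recent RDP logons whose source is outside an approved range.
# Assumes an elevated session; 10.8.0.0/24 is a placeholder for your VPN range.

$ApprovedNetwork = '10.8.0.0'   # hypothetical VPN subnet
$ApprovedPrefix  = 24

# Hypothetical helper: byte-wise prefix match, works for IPv4 and IPv6.
function Test-InSubnet([string]$Ip, [string]$Network, [int]$PrefixLength) {
    $addr = $null; $net = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr))     { return $false }
    if (-not [System.Net.IPAddress]::TryParse($Network, [ref]$net)) { return $false }
    $a = $addr.GetAddressBytes(); $n = $net.GetAddressBytes()
    if ($a.Length -ne $n.Length) { return $false }   # IPv4 vs IPv6 mismatch
    for ($i = 0; $i -lt $a.Length; $i++) {
        # Number of prefix bits that fall inside this byte (0 to 8).
        $bits = [Math]::Min(8, [Math]::Max(0, $PrefixLength - 8 * $i))
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
    }
    return $true
}

# Successful logons from the last 7 days.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Flatten the event's named data fields into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['LogonType'] -eq '10') {   # 10 = RemoteInteractive (RDP)
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Source   = $data['IpAddress']
            Approved = Test-InSubnet $data['IpAddress'] $ApprovedNetwork $ApprovedPrefix
        }
    }
} | Where-Object { -not $_.Approved } | Sort-Object Time | Format-Table -AutoSize
```

Sources that cannot be parsed as an address, or that are reported in a different address family than the approved subnet, are shown as not approved so they get a manual look.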
Scenario 3: Cross-Platform Support in a Mixed Environment
A university IT department supports Windows, macOS, and Linux machines. For Windows, they use RDP (Pro) or Quick Assist (Home). For macOS, they use Apple Remote Desktop (ARD) or VNC. For Linux, they use SSH for command-line and VNC for GUI. They also use TeamViewer as a universal fallback because it works on all platforms. The challenge: each tool has different security settings. They enforce a policy that all remote support must be encrypted, so VNC is only used over SSH tunnel. They use a central logging server to collect session logs from all tools. Misconfiguration: A technician left a VNC session open without a password, leading to a security incident. Now they enforce mandatory passwords and session timeouts.
What the 220-1102 Exam Tests
The CompTIA A+ Core 2 exam objective 4.6 covers "Given a scenario, use remote support technologies, tools, and best practices." Expect 2-4 questions on this topic. The exam focuses on:
Identifying the correct tool for a given OS edition (RDP for Pro, Quick Assist/TeamViewer for Home).
Knowing default ports: RDP (3389), VNC (5900), SSH (22), Telnet (23).
Understanding security best practices: enable NLA, use VPN, limit access, log sessions.
Differentiating between attended and unattended support.
Recognizing that RDP is not available in Windows Home.
Knowing that Quick Assist is a built-in Windows tool for remote assistance.
Understanding that third-party tools often use outbound connections to bypass firewalls.
Common Wrong Answers and Why Candidates Choose Them
Choosing RDP for a Windows Home machine: Candidates see 'remote desktop' and assume it works on all Windows. Wrong. RDP is only in Pro/Enterprise/Education. The exam will explicitly state 'Windows 10 Home' to trap you.
Selecting Telnet over SSH for security: Telnet is unencrypted. Candidates may think it's fine for internal use. The exam tests that SSH is the secure alternative.
Opening port 3389 to the internet without VPN: This is a security risk. Candidates may think it's okay if they have a strong password. The exam expects you to recommend a VPN or RD Gateway.
Assuming all remote support tools require inbound ports: Third-party tools like TeamViewer often use outbound connections. Candidates may think they need to open inbound ports.
Confusing Quick Assist with Remote Assistance: Quick Assist is the newer tool in Windows 10/11; Remote Assistance is older but still exists. The exam may use either term.
Specific Numbers and Terms That Appear Verbatim
Port 3389 (RDP), port 5900 (VNC), port 22 (SSH), port 23 (Telnet).
Windows 10 Home: cannot be the host for RDP.
Network Level Authentication (NLA) must be enabled for security.
Remote Desktop Users group must contain the user.
Quick Assist requires a Microsoft account for the helper.
TeamViewer uses AES-256 encryption.
Edge Cases and Exceptions
RDP can be used to connect to a Windows Server OS from a client OS, but licensing may be required for multiple concurrent sessions.
VNC can be used on any OS but is inherently insecure; it should be tunneled over SSH.
SSH is available on Windows 10/11 as an optional feature (OpenSSH Server/Client).
Remote PowerShell (WinRM) may be tested as a remote management tool, not just remote desktop.
How to Eliminate Wrong Answers
If the scenario mentions Windows 10 Home, eliminate RDP as a host option.
If security is emphasized, eliminate Telnet and unencrypted VNC.
If the user is not present, eliminate tools that require user interaction (Quick Assist, one-time TeamViewer).
If the network is highly restricted, choose a tool that uses outbound connections (TeamViewer, RMM).
Always check the OS edition first—this is the most common trap.
RDP uses TCP port 3389 and is only available on Windows Pro, Enterprise, and Education editions.
VNC uses TCP port 5900 and is platform-independent but insecure without encryption.
SSH uses TCP port 22 and provides encrypted command-line access.
Telnet uses TCP port 23 and is unencrypted; never use it for secure communication.
Quick Assist is a built-in Windows tool for attended remote assistance, using HTTPS.
Third-party tools like TeamViewer often bypass firewalls by using outbound connections.
Always enable Network Level Authentication (NLA) for RDP to reduce attack surface.
Remote support sessions should be logged and time-limited for security.
Windows Home cannot act as an RDP host; use Quick Assist or third-party tools instead.
For unattended support, use RDP (with VPN) or RMM agents, not one-time tools.
These come up on the exam all the time. Here's how to tell them apart.
RDP
Built into Windows Pro/Enterprise/Education
Uses TCP port 3389 (inbound)
Requires firewall rules to allow inbound connections
Supports NLA for enhanced security
Limited to Windows-to-Windows (though clients exist for other OS)
Third-Party Tools (TeamViewer, AnyDesk)
Cross-platform (Windows, macOS, Linux, mobile)
Often use outbound connections to relay servers (ports 80/443)
Bypass restrictive firewalls easily
May offer end-to-end encryption (e.g., AES-256)
Can be used on Windows Home edition
Mistake
RDP is available on all Windows editions.
Correct
RDP host functionality (allowing remote connections) is only available in Windows Pro, Enterprise, and Education editions. Windows Home can only initiate RDP connections to other machines, not accept incoming ones.
Mistake
VNC is secure because it uses a password.
Correct
VNC by default transmits data (including passwords) in plaintext unless encrypted via an SSH tunnel or VPN. The RFB protocol does not mandate encryption. Always use VNC over an encrypted tunnel.
Mistake
Remote support tools always require opening inbound firewall ports.
Correct
Many third-party tools (TeamViewer, AnyDesk, RMM agents) initiate outbound connections to a relay server, so no inbound ports are needed. Only tools like RDP and VNC (direct) require inbound ports.
Mistake
Quick Assist is the same as Remote Desktop.
Correct
Quick Assist is a remote assistance tool that allows a helper to view or control a user's screen with permission. It is not a full remote desktop solution like RDP, and it uses a different protocol (HTTPS).
Mistake
Telnet is acceptable for remote command-line access if the network is internal.
Correct
Telnet sends all data, including credentials, in cleartext. Even on internal networks, it poses a security risk. SSH should always be used instead.
No, Windows 10 Home does not support incoming RDP connections. You can, however, use RDP from a Windows 10 Home machine to connect to another computer that supports RDP (e.g., Pro). For remote support of Windows Home, use Quick Assist, TeamViewer, or another third-party tool.
The default port for RDP is TCP 3389. To change it, modify the PortNumber value in the registry under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. You must also update the Windows Firewall rule. Changing the port can help reduce automated attacks.
Quick Assist is the newer remote assistance tool introduced in Windows 10, replacing the older Windows Remote Assistance. Quick Assist uses a simpler interface with a security code and works over HTTPS. Remote Assistance (msra.exe) is still available but is being phased out. Both require user consent.
By default, VNC is not secure. The RFB protocol transmits data, including the password, in cleartext unless encryption is added. To secure VNC, tunnel it over an SSH connection or use a VPN. Some VNC implementations offer built-in encryption (e.g., TightVNC with VeNCrypt), but it is not universal.
Yes, Windows 10 and 11 include an optional OpenSSH Client and Server feature. You can install it via Settings > Apps > Optional Features. The SSH client is also available in PowerShell. SSH provides encrypted command-line access to remote systems.
NLA requires the user to authenticate before a full RDP session is established, reducing the risk of denial-of-service attacks and credential theft. It uses CredSSP (Credential Security Support Provider) and is enabled by default on newer Windows versions. NLA is recommended for all RDP connections.
Use a tool that initiates an outbound connection to a relay server, such as TeamViewer, AnyDesk, or an RMM agent. These tools typically use HTTPS (port 443) to connect, which is almost always allowed outbound. Alternatively, set up a VPN to the remote network and then use RDP or VNC.