Deploying HoloLens 2 to External Clients with Remote Assist

This guide helps IT professionals deploy Microsoft HoloLens 2 devices in their organization with the following goals:

  1. Cloud connect HoloLens 2 devices
  2. Loan HoloLens 2 devices to external clients for use
  3. Secure loaned devices

This guide provides general HoloLens 2 deployment recommendations that apply to most HoloLens 2 deployment scenarios, and addresses common concerns that customers have when deploying Remote Assist for external use.

Scenario Description

For the purpose of this document, Contoso Company wants to ship a HoloLens 2 device to an external client's plant for short-term or long-term use. When the client needs assistance servicing machinery, the client will log into the HoloLens 2 device using credentials provided by Contoso Company and use Remote Assist to contact Contoso Company's experts.

Learn more about Remote Assist here.

Requirements for this Scenario

  1. Azure AD
  2. A mobile device management (MDM) solution, such as Intune
  3. Remote Assist License
    1. Buy Remote Assist
    2. Trial Remote Assist

Common Concerns

How to ensure that external clients do not have the ability to communicate with one another

Since Remote Assist HoloLens-to-HoloLens calls are not supported, clients are able to search for one another but are unable to communicate with one another. To further restrict whom clients can search for and call, Information barriers can restrict whom a client can communicate with. Another option to consider is Scoped Directory Search.

Note

Since single sign-on is enabled, it is important to disable the browser using WDAC. If an external client opens the browser and uses the web version of Teams, the client will have access to call/chat history.

How to ensure that clients do not have access to company resources

There are two options to consider.

The first option is a multi-layer approach:

  1. Only assign the licenses that the user requires. If you do not assign OneDrive, Outlook, SharePoint, Yammer, etc. to the user, they will not have access to those resources. The only licenses the users need to begin with are Remote Assist, Intune, and AAD licenses.
  2. Block apps (such as email) that you don't want clients to access (see How to restrict apps).
  3. Do NOT share usernames or passwords with clients. To sign in to the HoloLens 2, an email address and a numerical PIN are required.

The second option is to create a separate tenant that hosts clients (see Image 1.1).

[Image 1.1: Service tenant diagram]

How to restrict apps

Kiosk Mode and/or WDAC (Windows Defender Application Control) are options for restricting applications.
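The two notes above recommend blocking the browser with WDAC, and this section names WDAC as one way to restrict apps in general. As an added example (not from this guide and not Microsoft's code), the following Python script inserts PackageFamilyName deny rules into an existing WDAC policy XML, wires them into the user-mode signing scenario, and removes the audit-mode option so the policy enforces. The policy skeleton is constructed and minimal, the package family names for Edge and Mail are assumptions (confirm them on the device with Get-AppxPackage), and the function names are this example's own.

```python
"""Add PackageFamilyName deny rules to a WDAC policy XML (added example, not Microsoft's code)."""
import xml.etree.ElementTree as ET

SIPOLICY_NS = "urn:schemas-microsoft-com:sipolicy"
ET.register_namespace("", SIPOLICY_NS)  # keep the default namespace on output


def q(tag: str) -> str:
    """Namespace-qualify a SiPolicy element name for ElementTree."""
    return f"{{{SIPOLICY_NS}}}{tag}"


# Constructed, minimal policy skeleton: only the sections this script touches.
# A real base policy (exported from the device or taken from a Microsoft
# template) carries many more sections; this script leaves those untouched.
SAMPLE_POLICY_XML = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Rules>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
    <Rule><Option>Enabled:UMCI</Option></Rule>
  </Rules>
  <FileRules />
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS" FriendlyName="Kernel mode">
      <ProductSigners />
    </SigningScenario>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User mode">
      <ProductSigners />
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>
"""

# Rule ID -> PackageFamilyName. The PFNs are assumptions for this example;
# confirm them on the device (Get-AppxPackage) before relying on them.
BLOCKED_APPS = {
    "ID_DENY_EDGE": "Microsoft.MicrosoftEdge_8wekyb3d8bbwe",
    "ID_DENY_MAIL": "microsoft.windowscommunicationsapps_8wekyb3d8bbwe",
}

# A Deny rule with this PackageVersion matches every version of the package.
ALL_VERSIONS = "65535.65535.65535.65535"


def add_deny_rules(policy_xml: str, blocked: dict) -> str:
    """Return the policy with one Deny file rule per blocked app, referenced from user mode."""
    root = ET.fromstring(policy_xml)
    file_rules = root.find(q("FileRules"))
    scenarios = root.find(q("SigningScenarios"))
    if file_rules is None or scenarios is None:
        raise ValueError("policy lacks FileRules or SigningScenarios")
    # Packaged apps are user-mode code, so the references go in SigningScenario Value=12.
    user_mode = next((s for s in scenarios.findall(q("SigningScenario")) if s.get("Value") == "12"), None)
    if user_mode is None:
        raise ValueError("policy has no user-mode (Value=12) signing scenario")
    signers = user_mode.find(q("ProductSigners"))
    if signers is None:
        signers = ET.SubElement(user_mode, q("ProductSigners"))
    refs = signers.find(q("FileRulesRef"))
    if refs is None:
        refs = ET.SubElement(signers, q("FileRulesRef"))
    existing = {rule.get("ID") for rule in file_rules}
    for rule_id, pfn in blocked.items():
        if rule_id in existing:
            continue  # already present: re-running the script is safe
        ET.SubElement(file_rules, q("Deny"), {
            "ID": rule_id, "FriendlyName": f"Block {pfn}",
            "PackageFamilyName": pfn, "PackageVersion": ALL_VERSIONS,
        })
        ET.SubElement(refs, q("FileRuleRef"), {"RuleID": rule_id})
    return ET.tostring(root, encoding="unicode")


def set_enforced(policy_xml: str) -> str:
    """Drop the 'Enabled:Audit Mode' option (what Set-RuleOption -Option 3 -Delete does)."""
    root = ET.fromstring(policy_xml)
    rules = root.find(q("Rules"))
    if rules is not None:
        for rule in list(rules.findall(q("Rule"))):
            option = rule.find(q("Option"))
            if option is not None and (option.text or "").strip() == "Enabled:Audit Mode":
                rules.remove(rule)
    return ET.tostring(root, encoding="unicode")


def deny_rule_ids(policy_xml: str) -> list:
    """IDs of the Deny file rules, in document order."""
    root = ET.fromstring(policy_xml)
    file_rules = root.find(q("FileRules"))
    return [r.get("ID") for r in file_rules.findall(q("Deny"))] if file_rules is not None else []


def is_audit_mode(policy_xml: str) -> bool:
    root = ET.fromstring(policy_xml)
    return any((o.text or "").strip() == "Enabled:Audit Mode" for o in root.iter(q("Option")))


def write_policy(policy_xml: str, path: str) -> None:
    ET.ElementTree(ET.fromstring(policy_xml)).write(path, encoding="utf-8", xml_declaration=True)


if __name__ == "__main__":
    audited = add_deny_rules(SAMPLE_POLICY_XML, BLOCKED_APPS)  # first pass: audit, review the CodeIntegrity event log
    write_policy(set_enforced(audited), "HoloLens2_Block.xml")  # second pass: enforce
```

Convert the written XML to its binary form with ConvertFrom-CIPolicy in PowerShell and deploy it to the device (for example, through a provisioning package or the ApplicationControl CSP). Keep the first deployment in audit mode and read the code-integrity events before enforcing: once audit mode is removed, a mistaken rule blocks apps you meant to keep, including Remote Assist itself.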

How to manage passwords

  1. Remove password expiration. However, this increases the chance that an account will be compromised. The NIST password recommendation is to change passwords every 30-90 days.
  2. Extend the password expiration for HoloLens 2 devices to exceed 90 days.
  3. The devices should be returned to Contoso to change the passwords. However, this can cause issues if the devices are expected to be in the client's plant for 90+ days.
  4. For devices that are sent to multiple clients, reset passwords before shipping the device to clients.

How to ensure that clients do not have access to chat history

Remote Assist clears chat history after each session. However, the chat history will be available for the Microsoft Teams user.

Note

Since single sign-on is enabled, it is important to disable the browser using WDAC. If an external client opens the browser and uses the web version of Teams, the client will have access to call/chat history.

General Deployment Recommendations and Instructions

We recommend the following HoloLens 2 deployment steps:

  1. Use the latest HoloLens OS release as your baseline build.

  2. Assign user-based or device-based licenses. Both license types follow the same steps:

    1. Create a group in AAD and add the HoloLens/Remote Assist users as members.
    2. Assign device-based or user-based licenses to this group.
    3. (Optional) Target this group with MDM policies.

  3. Devices should be AAD joined to your tenant, auto-enrolled, and configured through Autopilot.

    1. Note that the first user on the device becomes the device owner.
    2. Note that if the device is AAD joined, the user who performed the join is made device owner.
    3. For more, see Device Owner.

  4. Tenant lock the device so that it can only be joined to your tenant.

    1. Additional link: Tenant lock CSP.

  5. Configure kiosk mode using global assigned access (see here).

  6. We recommend disabling the following (optional) capabilities:

    1. The ability to put the device into developer mode (see here).
    2. The ability to connect the HoloLens to a PC to copy data (disable USB).

      Note

      If you don't want to disable USB but want the ability to apply a provisioning package to the device using USB, follow the instructions listed here.

  7. Use WDAC to allow or block apps on the HoloLens 2 device.

  8. Update Remote Assist to the latest version as part of the setup. There are two options to do this:

    1. Go to Microsoft Store --> Remote Assist --> Update App.
    2. Enable auto updates using the ApplicationManagement/AllowAppStoreAutoUpdate CSP and keep the device plugged in to receive updates.

  9. Disable all Settings pages except the network settings, so that users can connect to guest networks at client sites.

  10. Manage HoloLens updates.

    1. You can control OS updates or allow them to flow freely.

  11. Apply common device restrictions.
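Steps 4, 6, 8 and 9 above are each backed by a CSP node that Intune can push through a custom (OMA-URI) configuration profile. As an added example that is not from this guide and not Microsoft's code, the following Python script assembles the Microsoft Graph request body for such a profile (a windows10CustomConfiguration with omaSettings) and picks the right omaSetting type for each value. The OMA-URIs are Policy CSP and TenantLockdown CSP nodes; that they are the nodes behind the pages the steps link to, the display names, and the chosen values are this example's assumptions, as are the function names.

```python
"""Build an Intune custom (OMA-URI) profile body for the loaner-device baseline.
Added example, not Microsoft's code."""
import json

# (display name, OMA-URI, value). The OMA-URIs are Policy CSP / TenantLockdown
# CSP nodes; the display names and the values chosen here are assumptions for
# the loaner-device scenario. Verify each against the CSP reference.
HOLOLENS_LOANER_SETTINGS = [
    ("Block developer mode",
     "./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowDeveloperUnlock", 0),
    ("Block USB connection to a PC",
     "./Vendor/MSFT/Policy/Config/Connectivity/AllowUSBConnection", 0),
    ("Auto-update Store apps (keeps Remote Assist current)",
     "./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAppStoreAutoUpdate", 1),
    ("Show only the Wi-Fi settings page",
     "./Vendor/MSFT/Policy/Config/Settings/PageVisibilityList", "ShowOnly:network-wifi"),
    ("Tenant lockdown (device can only join this tenant)",
     "./Vendor/MSFT/TenantLockdown/RequireNetworkInOOBE", True),
]

# Custom OMA-URIs must address a CSP; anything else is a typo or a misplaced setting.
ALLOWED_PREFIXES = ("./Vendor/MSFT/", "./Device/Vendor/MSFT/", "./User/Vendor/MSFT/")


def oma_setting(display_name: str, oma_uri: str, value) -> dict:
    """One omaSettings entry with the Graph type that matches the Python value."""
    if not oma_uri.startswith(ALLOWED_PREFIXES):
        raise ValueError(f"not a CSP path: {oma_uri}")
    # bool is a subclass of int in Python, so it must be tested first; otherwise
    # True would be sent as omaSettingInteger to a node that expects a Boolean.
    if isinstance(value, bool):
        odata_type = "#microsoft.graph.omaSettingBoolean"
    elif isinstance(value, int):
        odata_type = "#microsoft.graph.omaSettingInteger"
    elif isinstance(value, str):
        odata_type = "#microsoft.graph.omaSettingString"
    else:
        raise TypeError(f"unsupported value type for {oma_uri}: {type(value).__name__}")
    return {
        "@odata.type": odata_type,
        "displayName": display_name,
        "omaUri": oma_uri,
        "value": value,
    }


def build_custom_profile(name: str, settings: list, description: str = "") -> dict:
    """Request body for POST /deviceManagement/deviceConfigurations."""
    uris = [s[1] for s in settings]
    if len(set(uris)) != len(uris):
        raise ValueError("the same OMA-URI appears twice in one profile")
    return {
        "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
        "displayName": name,
        "description": description,
        "omaSettings": [oma_setting(*s) for s in settings],
    }


def profile_json(name: str, settings: list, description: str = "") -> str:
    return json.dumps(build_custom_profile(name, settings, description), indent=2)


if __name__ == "__main__":
    print(profile_json("HoloLens 2 loaner baseline", HOLOLENS_LOANER_SETTINGS,
                       "Developer mode off, USB off, Store auto-update on, Wi-Fi page only, tenant lockdown"))
```

POST the body to https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations with a token that carries DeviceManagementConfiguration.ReadWrite.All, then assign the profile to the HoloLens group created in step 2. Check the PageVisibilityList value in particular: if it hides the Wi-Fi page, the loaned device cannot join a guest network at the client site.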