In this article, we’ll look at how to configure and use remote connections to the desktops of client computers with System Center Configuration Manager 2012. Remote management is usually used for remote administration or for customer support by HelpDesk services. The remote support user can view and interact with the user’s desktop.
SCCM 2012 offers three tools for remote connection to user desktops:
- Remote Control is an SCCM feature that allows you to connect to and interact with a user session. It is possible to disable the notification that the user’s session is being viewed by the administrator. A remote desktop connection is available even if there is no user session on the computer (connection directly to the console). The client is CmRcViewer.exe
- Remote Assistance is a standard Windows feature, and the user has to confirm the remote connection of the administrator to the session. If the user is not logged on, you won’t be able to connect using RA. The client is msra.exe
- RDP client allows you to connect to a session using RDP (mstsc.exe)
How to Configure Remote Connection to SCCM 2012 Clients
The settings of the remote connection to SCCM clients are configured in the client device policy. Edit the existing (e. g., Default Settings) client policy or create a new one.
In the Client Settings window, go to the Remote Tools section. By default, remote connections are disabled.
To let the clients accept incoming remote connections, check Enable Remote Control on client computer and set the firewall profiles so that connections using Remote Tools are possible.
Let’s consider the main customizable settings:
- Users can change policy or notification settings in Software Center – allows users to change remote connection and notification policies
- Allow Remote Control of an unattended computer – sets whether it is possible to connect to a computer with a locked screen or without a user session
- Prompt user for Remote Control permission – sets whether a user must confirm permission for a remote connection to the computer
- Grant Remote Control permission to local Administrators group – specifies whether Remote Control permission is given to the local Administrators group
- Access level allowed – sets the level of access to the user session (View only or Full Control)
- Permitted viewers – the list of users or groups that have Remote Control permission
- Show session notification icon on taskbar – sets if an icon of session connection has to be displayed on the taskbar
- Show session connection bar – is a more prominent notification of session connection as a separate bar
- Play a sound on client – play the sound notifications on the remote user connection/disconnection
- Manage unsolicited Remote Assistance settings – management of RA settings if a user has not initiated a connection request
- Manage Remote Desktop settings – RDP settings
- Allow permitted viewers to connect by using Remote Desktop connection – allows permitted viewers to connect using RDP
- Require network level authentication on computers that run Windows Vista operating system and later versions – specifies whether computers running Windows Vista or later have to pass Network Level Authentication (NLA)
Usually, the settings are selected according to the Remote Control policy used in the company. As a rule, it is better to ask the user’s permission for a remote connection and to display a notification while the session is active.
- Prompt user for Remote Control permission: True
- Show session notification icon on taskbar: True
- Play a sound on client: Beginning and end of session
To allow certain users and groups to connect to user desktops, click Set Viewers and add the names of users/groups to the list.
SCCM Client Configuration
After the clients receive the policies (by default, within 60 minutes), a local security group ConfigMgr Remote Control Users is created on SCCM clients, and this group is given the corresponding DCOM permissions. The Remote Control settings defined by the SCCM policy are stored in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control branch of the registry.
If remote users are allowed to connect using RDP, the ConfigMgr Remote Control Users group is also added to the Allow log on through Remote Desktop Services policy (Local Security Policy > User Rights Assignment).
The permission is also set in RDP-tcp IP connection properties.
The corresponding rules appear in the firewall policies.
The SCCM documentation says that the following ports have to be open for Remote Control:
- TCP – 135
- TCP – 2701
- TCP – 2702
- UDP – 2701
- UDP – 2702
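A read-only check of the client-side artefacts described in this section, added here as an example (it is not part of the original article or of SCCM itself). It assumes an elevated PowerShell 5.1 or later session on the client; registry value names are enumerated rather than assumed.

```powershell
# Added example: read-only audit of Remote Tools artefacts on an SCCM client.
# Assumes an elevated PowerShell 5.1+ session.
$rcKey   = 'HKLM:\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control'
$rcGroup = 'ConfigMgr Remote Control Users'
$rcPorts = @{ TCP = 135, 2701, 2702; UDP = 2701, 2702 }   # ports listed above

# 1. Policy values as stored in the registry (names are enumerated, not assumed).
if (Test-Path -Path $rcKey) {
    $key = Get-Item -Path $rcKey
    $key.GetValueNames() | ForEach-Object {
        [pscustomobject]@{ Name = $_; Value = ($key.GetValue($_) -join ', ') }
    } | Format-Table -AutoSize
} else {
    Write-Warning "Remote Control key not found; policy not applied yet? ($rcKey)"
}

# 2. Who may start a session: members of the local group created by the policy.
try {
    Get-LocalGroupMember -Group $rcGroup -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
} catch {
    Write-Warning "Cannot read local group '$rcGroup': $($_.Exception.Message)"
}

# 3. Enabled inbound allow rules that name the Remote Control ports explicitly.
#    Rules scoped to 'Any' port are not counted; Windows rules can store TCP 135
#    as the 'RPCEPMap' keyword, so that keyword is treated as port 135.
$hits = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $filter = $rule | Get-NetFirewallPortFilter
    $local  = @($filter.LocalPort)
    foreach ($port in $rcPorts[[string]$filter.Protocol]) {
        if ($local -contains "$port" -or ($port -eq 135 -and $local -contains 'RPCEPMap')) {
            [pscustomobject]@{ Protocol = $filter.Protocol; Port = $port
                               Profile  = $rule.Profile;    Rule = $rule.DisplayName }
        }
    }
}
$hits | Sort-Object Protocol, Port | Format-Table -AutoSize

# 4. Report listed ports that no enabled rule names on this client.
foreach ($proto in $rcPorts.Keys) {
    foreach ($port in $rcPorts[$proto]) {
        if (-not ($hits | Where-Object { $_.Protocol -eq $proto -and $_.Port -eq $port })) {
            Write-Warning "No enabled inbound allow rule names $proto/$port"
        }
    }
}
```

Compare the group members with the Permitted viewers list in the client policy; members that are not on that list deserve a closer look.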
How to Use Remote Control
After the SCCM policy is configured and the clients have received it, you can try to connect to a user computer.
To do this, run SCCM 2012 Manager, select the computer you want to connect to, and choose Start -> Remote Control in the drop-down menu.
The Remote Control window with connection log appears.
On the user side, a window with the remote control request should appear.
Remote Application Logs
Information about all Remote Control sessions is saved in log files stored on both the server and the client:
- SCCM Site server — [System Drive]\Users\[UserName]\Documents\Remote Application Logs
- SCCM client — [System Drive]\Users\[UserName]\Documents\Remote Application Logs