In this article we show how to configure and use remote desktop connections with System Center Configuration Manager 2012. Remote control is normally used for remote administration and for technical support by HelpDesk services. It lets you see and interact with the remote desktop.
For remote connections to users’ workstations, SCCM 2012 uses three tools:
- Remote Control — SCCM functionality that lets you connect to and interact with the user session. You can disable the alert that tells the user an administrator is viewing the session. You can also connect to a computer when no user session exists (direct connection to the console). Client — CmRcViewer.exe
- Remote Assistance — a standard feature of Windows. The user confirms the administrator’s remote connection to the session. If the user is not logged on to the machine, an RA connection is impossible. Client — msra.exe
- RDP client — connection in a separate session with RDP protocol. Client — mstsc.exe
Setting up a remote connection to the SCCM 2012 clients
You can configure the remote connection settings through the client policy. Edit the existing (Default Settings, for example) or a new client policy.
In the Client Settings window go to the Remote Tools section. By default, remote connections are disabled.
If you want to enable this option, tick Enable Remote Control on client computer. You also need to specify the firewall profiles for which you want to allow connections via Remote Tools.
Let’s consider the main settings on client computers:
- Users can change policy or notification settings in Software Center — whether users can change the policy of the remote connection and the notifications.
- Allow Remote Control of an unattended computer — whether it is possible to connect to a computer with a locked screen or without the user’s session.
- Prompt user for Remote Control permission — whether the user must confirm permission for a remote connection to the computer.
- Grant Remote Control permission to local Administrators group — whether to grant the remote control permission to the local administrators group members.
- Access level allowed — access level to the user’s session (view-only or full control).
- Permitted viewers — a list of users and groups with the remote control permissions.
- Show session notification icon on taskbar — whether to display the icon of active connection in the notification bar.
- Show session connection bar — the active connection notice on a separate panel.
- Play a sound on client — special sound about user connection/disconnection.
- Manage unsolicited Remote Assistance settings — RA settings control, when the user did not initiate the connection request.
- Manage Remote Desktop settings — RDP settings control.
- Allow permitted viewers to connect by using Remote Desktop connection — whether the users defined in this policy can connect via RDP.
- Require network level authentication on computers that run Windows Vista operating system and later versions — whether to require a mandatory NLA authentication for computers that run Vista or later versions.
Usually the settings are chosen according to the remote control policy. In a typical case, the user is asked for permission before a remote connection, and an icon of the active connection is shown in the notification bar.
- Prompt user for Remote Control permission: True
- Show session notification icon on taskbar: True
- Play a sound on client: Beginning and end of session
If you want to allow specific users and groups to connect to users’ desktops, click the Set Viewers button and add the group/user names to the list.
SCCM client configurations
After receiving the policy (by default within 1 hour), the client creates a local security group named ConfigMgr Remote Control Users. This group has the appropriate DCOM permissions. Remote control settings are located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\ClientComponents\Remote Control.
If remote users are allowed to connect over RDP, you have to add the ConfigMgr Remote Control Users group to the Allow log on through Remote Desktop Services policy (Local Security Policy > User Rights Assignment).
You also have to grant permission in the RDP-Tcp properties.
After that, you will see the appropriate rules in the firewall policies.
The SCCM documentation specifies that remote control is only possible when the following ports are open:
- TCP – 135
- TCP – 2701
- TCP – 2702
- UDP – 2701
- UDP – 2702
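A read-only check of the client-side artifacts described above, as an added example that is not part of the original article: it lists who is in ConfigMgr Remote Control Users, dumps the Remote Control registry key, and reports enabled inbound firewall rules that cover the listed ports, with their profiles. The parameter names are assumptions, and the registry path is used exactly as printed above; run it elevated in Windows PowerShell 5.1 or later.

```powershell
# Added audit example; not part of the original article. Read-only.
param(
    # Registry path as printed in the article; pass your own if it differs.
    [string]$RegPath   = 'HKLM:\SOFTWARE\Microsoft\SMS\Client\ClientComponents\Remote Control',
    [string]$GroupName = 'ConfigMgr Remote Control Users'
)

# 1. Who can start a Remote Control session: members of the local group.
$members = Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue
if ($members) {
    $members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
} else {
    Write-Warning "Group '$GroupName' is missing or empty (policy not applied yet?)."
}

# 2. Effective settings: dump every value under the key without assuming value names.
if (Test-Path -Path $RegPath) {
    Get-ItemProperty -Path $RegPath |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
} else {
    Write-Warning "Registry key not found: $RegPath"
}

# 3. Enabled inbound allow rules that expose the ports the article lists.
$ports = @{ TCP = '135', '2701', '2702'; UDP = '2701', '2702' }
$rules = foreach ($proto in $ports.Keys) {
    foreach ($filter in Get-NetFirewallPortFilter -Protocol $proto) {
        # LocalPort can be a list or a keyword such as 'Any' or 'RPCEPMap' (endpoint mapper, 135).
        $hit = @($filter.LocalPort) | Where-Object {
            $ports[$proto] -contains $_ -or ($proto -eq 'TCP' -and $_ -eq 'RPCEPMap')
        }
        if (-not $hit) { continue }
        $filter | Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
            Select-Object DisplayName, Profile,
                @{ n = 'Protocol';  e = { $proto } },
                @{ n = 'LocalPort'; e = { $hit -join ',' } }
    }
}
# Compare the Profile column with the firewall profiles chosen in Client Settings.
$rules | Sort-Object DisplayName -Unique | Format-Table -AutoSize
```

Unexpected accounts in the group, or rules enabled for a profile you did not select in the client policy, are the findings to follow up on.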
Using Remote Control
So, if the SCCM remote connection policy is configured and the clients have received it, you can try to connect to the user’s computer.
You have to run Configuration Manager 2012, choose the computer to which you want to connect, and from the context menu select Start -> Remote Control.
You will see the Remote Control window, which displays the connection log.
After that, the user will see a window indicating a connection request to their desktop.
Remote connection logs
Information about all remote connections is maintained with special logs that are stored on the server side and on the client side:
- SCCM server — [System Drive]\Users\[UserName]\Documents\Remote Application Logs
- SCCM client — [System Drive]\Users\[UserName]\Documents\Remote Application Logs