Configuration Manager 2012 CEP Remote Control session summary

After a period without any Community Evaluation Program session, another session was held today. This time Eric Orman presented the latest information about the Remote Control feature in Configuration Manager 2012.

As mentioned earlier, the gold (CTRL-ALT-DEL) key is back! Woohoo! The feature has been rewritten from scratch because of security issues like there were in SMS 2003 and earlier. Let’s see what’s there.

Ability to send CTRL-ALT-DEL keystroke to host device

  • Switch users during an active session
  • Control a locked desktop
  • Access the secure desktop (SAS Secure desktop)
  • Ability to access winlogon screen
  • Ability to handle UAC prompts

Granular client agent settings at a collection level

  • Allows specifying different Remote Control client agent settings for different groups of machines using collections
  • Includes:
    • Remote Desktop and Remote Assistance
    • Permitted viewers list
    • Remote Control is integrated with the Software Center.

Client Agent Settings changed

There are two new settings for client agent settings:

  1. “Allow remote control of unattended computers”
  2. “Grant remote control permissions to local administrator group”

The following setting is changed

  • Default value is now “false” for “Users can change policy or notification settings in Software Center”

New: Firewall exception rules (in RC build)

New in the RC build of Configuration Manager 2012 is the firewall exception rule for port 2701 (TCP). The exception rule is tied to the Remote Control agent: when the agent is disabled, the exception rule is also disabled. The rule can be configured via the client settings.
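An added example, not from the session or from Configuration Manager itself: a check that a host's firewall state matches the agent state described above, including broader rules that still cover TCP 2701 once the Remote Control exception is disabled. The netsh excerpt and rule names are constructed, and the function names are hypothetical.

```python
import re

RC_PORT = 2701  # TCP port of the Remote Control exception described above

# Constructed excerpt in the layout of `netsh advfirewall firewall show rule
# name=all`, abridged to the fields used here; the rule names are invented.
SAMPLE = """\
Rule Name:      Example RC exception
Enabled:        Yes
Direction:      In
Protocol:       TCP
LocalPort:      2701
Action:         Allow

Rule Name:      Example legacy range
Enabled:        Yes
Direction:      In
Protocol:       TCP
LocalPort:      2000-3000,8080
Action:         Allow
"""

def parse_rules(text):
    """Split netsh output into one {field: value} dict per rule."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [dict(re.findall(r"^([^:\n]+):[ \t]*(.*?)[ \t]*$", b, re.M)) for b in blocks]

def covers(spec, port):
    """True if a LocalPort value (Any, single ports, lists, ranges) includes port."""
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        hi = hi or lo
        if lo.lower() == "any" or (lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi)):
            return True
    return False

def open_rules(text, port=RC_PORT):
    """Names of enabled inbound allow rules (TCP or any protocol) covering port."""
    return [r.get("Rule Name") for r in parse_rules(text)
            if r.get("Enabled") == "Yes" and r.get("Direction") == "In"
            and r.get("Action") == "Allow" and r.get("Protocol") in ("TCP", "Any")
            and covers(r.get("LocalPort", ""), port)]

def audit(agent_enabled, text):
    """Compare the agent state from client settings with the host's rules."""
    names = open_rules(text)
    if not agent_enabled and names:
        return "agent disabled but TCP 2701 still allowed by: " + ", ".join(names)
    if agent_enabled and not names:
        return "agent enabled but no inbound rule allows TCP 2701"
    return "consistent"
```

netsh prints localized field names on non-English Windows, so the field literals would need adjusting there.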

New: ability to lock the keyboard and mouse of the controlled host

When the users perform CTRL-ALT-DEL to disconnect sessions while controlling the host, the desktop will lock to ensure security. The user cannot take over the session like in earlier versions.

Send CTRL-ALT-DEL and lock keyboard / mouse features

New: Role based access (RBAC) control integration

  • Specific “Remote Tools” RBA Persona installed by default.
  • Controls “Show me” behavior, enabling IT Pros and systems that are in their security scope to run:
    • Remote Control
    • Remote Assistance
    • Remote Desktop
  • Security scope is defined as a system collection
  • IT Pros determine which machines are in a collection and assign the collection to a security scope, which is then assigned to the “Remote Tools” persona.

Improved: High visibility notification “session connection bar”

  • Provides the end user a higher notification than previous SMS/Configuration Manager products
  • Similar experience to other Microsoft platforms such as LiveMesh and Remote Desktop Connection (Terminal Services)
  • Contextual text in the notification bar that lets the user know how they are being remote controlled.

Notification bar

Contextual notifications:

  • Full control: “Connected with”
  • Locked Keyboard and Mouse: “Controlled by”
  • View Only: “Viewed by”

Severed connection

If the network connection from the host machine becomes disabled or disconnected, the active session will lock the screen and secure the desktop.

What’s Improved in Remote Control:

  • Copy / paste of files or data is fully supported.
  • FQDN support is added, but it still also uses NetBIOS when connecting to a host.
  • Browse the AD option in Permitted Viewers list (instead of txt files which is still supported)
  • Add a shortcut to start menu for Remote Control Viewer

New: Remote Control service:

When the remote control agent is enabled, the service will always run; if the agent is disabled, the service will be disabled. The only way to start the Remote Control service is by enabling the Remote Control feature.

If the service is killed or disabled manually, a health service will start the service again. Remediation will occur. Nice!

New: Multi Monitor support

Remote Control will be able to control a multi-monitor host; monitors of any size are supported.

Multi-monitor support

New: Single cursor design:

  • Configuration Manager 2012 uses single cursor design in which the host (end user’s) mouse cursor is not rendered back to the viewer. Earlier versions used dual cursor design.

What’s persisted:

  • Support within an active Remote Desktop session, so you are able to remotely control VDI sessions.

Auditing of Remote Control

Auditing of remote control sessions is still supported by using the reporting feature (2 reports). It is reported by the viewer in the Configuration Manager 2012 Console and reported to the provider.

Supported platforms for Remote Control:

  • Viewer: Windows XP (32 bits), Vista (32/64), Windows 7 (32/64), Windows Server 2008 R2 (64)
  • Client (Host): Windows XP (32/64), Vista (32/64), Windows 7 (32/64), Windows Server 2003 (32/64), Windows Server 2008 (32/64), Windows Server 2008 R2 (64)

Hardware requirements:

Recommended:

  • Intel P4, 3 GHz, 1 GB RAM, 2006 and newer video cards
  • Native screen resolution 1280×1024
  • Defined as industry average by 2011
  • Recommended system requirements provides optimal user experience

Minimum Bandwidth

  • 128kbps up/down for good user experience

Multi-monitor support up to 8192/8192 resolution

Mirror Driver versus Screen scraper

No mirror driver is used anymore; Configuration Manager uses a screen scraper. If something is changed, only the changed bitmaps are sent to the remote session.

|  | Mirror driver | Screen scraper |
|---|---|---|
| Driver installation | Required | Not needed |
| Bandwidth | Low | Lower |
| CPU utilization | Lower | Medium |
| Application compat issues | Yes | None |
| Aero glass | Not supported | Supported |
| ClearType | Supported, causes increased bandwidth | Supported, no impact on bandwidth |
| Bandwidth usage for GDI heavy scenarios | Higher | Low |
| Screen mispaints | More | Less |
| Mirror driver servicing | Required | Not required |
| RDS support | Not for XP and Windows Server 2003 | All supported platforms |
| Chipset / Graphics driver compat. | Less | Yes |

 

Optimizing performance

  • Screen scraper limits the ability to tweak settings to improve performance
  • The only methods to optimize and increase performance are:
    • Reduce screen resolution of host system
    • Disable Aero
    • Ensure proper video card driver is installed.

Keyboard shortcuts

Overview keyboard shortcuts

Compatibility

The Remote Control feature in Configuration Manager 2012 is not compatible with previous versions of SMS/Configuration Manager Remote Tools. As mentioned earlier, the feature is completely rewritten. It is based on the same platform as Office Communicator 2007 R2 / Lync and LiveMesh Remote Desktop.

Security

The feature is FIPS compliant; the goal is for it to be certified when Configuration Manager 2012 is released. User authentication uses the SPNEGO authentication protocol, with Kerberos if available or NTLM for workgroups or non-trusted AD forests. It uses Secure Communication Encryption with AES+SHA1 and a 128-bit AES key.

Comparison chart


The documentation about Configuration Manager 2012 has also been updated lately, so check it out if you want! http://technet.microsoft.com/en-us/library/gg682062.aspx

Another great feature which is embedded into Configuration Manager 2012, I can’t wait until RC is coming up.. ;)

Till next time.

Peter
