After a period without any Community Evaluation Program session, another session was held today. This time Eric Orman presented the latest information about the Remote Control feature in Configuration Manager 2012.
Like mentioned earlier the gold (CTRL-ALT-DEL) key is back! Woho! The feature is rewritten from scratch because of security issues like there where in SMS 2003 and earlier. Let’s see what’s there
Ability to send CTRL-ALT-DEL keystroke to host device
- Switch users during an active session
- Control a locked desktop
- Access the secure desktop (SAS Secure desktop)
- Ability to access winlogon screen
- Ability to handle UAC prompts
Granular client agent settings at a collection level
- Allows specifying different Remote Control client agent settings for different groups of machines using collections
- Remote Desktop and Remote Assistance
- Permitted viewers list
- Remote Control is integrated with the Software Center.
Client Agent Settings changed
There are two new settings for client agent settings:
- “Allow remote control of unattended computers”
- “Grand remote control permissions to local administrator group”
The following setting is changed
- Default value new “false” for “Users can change policy or notification settings in Software Center”
New: Firewall exception rules (in RC build)
New in the RC Build of Configuration Manager 2012 are the Firewall exception rule for port 2701 (TCP). The exception rule is tied to the Remote Control agent. When the agent is disabled the exception rule is also disabled. The rule can be configured via the client settings.
New: ability to lock the keybord and mouse of the controlled host
When the users perform CTRL-ALT-DEL to disconnect sessions while controlling the host, the desktop will lock to ensure security. The user cannot take over the session like in earlier versions.
New: Role based access (RBAC) control integration
- Specific “Remote Tools” RBA Persona installed by default.
- Controls “Show me” behavior enabling IT-Pro’s and systems that are in their security scop to run:
- Remote Control
- Remote Assistance
- Remote Desktop
- Security scope is defined as a system collection
- IT Pro’s determine what machines are in a collection, assigned the collection to a security scope which is then assigned to “Remote Tools” persona.
Improved: High visibility notification “session connection bar”
- Provides the end user a higher notification than previous SMS/Configuration Manager products
- Similar experience to other Microsoft platforms such as LiveMesh and Remote Desktop Connection (Terminal Services
- Contextual test in notification bas that allows user to know how they are being remote controlled.
- Full control: “Connected with”
- Locked Keyboard and Mouse: “Controlled bny”
- View Only: “Viewed by”
If the network connection from the host machines becomes disabled or disconnected, the active session will lock the screen and secure the desktop.
What’s Improved in Remote Control:
- Copy / paste of files or data is fully supported.
- FQDN support is added, but it is still also using netbios when connecting to a host.
- Browse the AD option in Permitted Viewers list (instead of txt files which is still supported)
- Add a shortcut to start menu for Remote Control Viewer
New: Remote Control service:
When the remote control agent is enabled, the service will always run, if it is disabled the service will be disabled. The only way to start the Remote Control service is by enabling the Remote Control feature.
If the service is killed or disabled manually, a health service will start the service again. Remediation will occur. Nice!
New: Multi Monitor support
Remote Control will be able to control a multi monitor host, any size of monitors are supported.
New: Single cursor design:
- Configuration Manager 2012 uses single cursor design in which the host (end users) mouse cursor is not rendered back to the viewer. Earlier versions used dual cursor design.
- Support within an active Remote Desktop session, so you are able to remotely control VDI sessions.
Auditing of Remote Control
Auditing of remote control sessions is still supported by using the reporting feature (2 reports). It is reported by the viewer in the Configuration Manager 2012 Console and reported to the provider.
Supported platforms for Remote Control:
- Viewer: Windows XP (32bits), Vista (32/64), Windows 7 (32/64), Windows Server 2008 R2 (64)
- Client (Host): Windows XP (32/64), Vista (32/64), Windows 7 (32/64), Windows Server 2003 (32/64), Windows Server 2008 (32/64), Windows Server 2008 R2 (64)
- Intel P4, 3ghz, 1gb RAM, 2006 and newer video cards
- Native screen resolution 1280×1024
- Defined as industry average by 2011
- Recommended system requirements provides optimal user experience
- 128kbps up/down for good user experience
Multi-monitor support up to 8192/8192 resolution
Mirror Driver versus Screen scraper
No mirror driver is used anymore, Configuration Manager is using screen scraper. If something is changed, only the changed bitmaps are sent to the remote session.
|Mirror driver||Screen scraper|
|Driver installation||Required||Not needed|
|Application compat issues||Yes||None|
|Aero glass||Not supported||Supported|
|ClearType||Supported, causes increased bandwidth||Supported, no impact on bandwidth|
|Bandwidth usage for GDI heavy scenarios||Higher||Low|
|Mirror driver servicing||Required||Not required|
|RDS support||Not for XP and Windows Server 2003||All supported platforms|
|Chipset / Graphics driver compat.||Less||Yes|
- Screen scraper limits the ability to tweak settings to improve performance
- The only methods to optimize and increase performace are:
- Reduce screen resolution of host system
- Disable aero
- Ensure proper video card driver is installed.
The Remote Control feature in Configuration Manager 2012 is not compatible with previous versions of SMS/Configuration Manager Remote Tools. Like mentioned earlier, the feature is completely rewritten. It is based on the same platform as Office Communicator 2007 R2 / Lync and LiveMesh Remote Desktop.
The feature is FIPS compliant, the goal is that the feature is certified when Configuration Manager 2012 will be released. User authentication utilized SPNEFO authentication protocol with Kerberos if available or NTLM for workgroups or non-trusted AD
forests. It uses Secure Communication Encryption with AES+SHA1, and 128 bit AES key.
The documentation about Configuration Manager 2012 is also updates lately, so check it out if you want! http://technet.microsoft.com/en-us/library/gg682062.aspx
Another great feature which is embedded into Configuration Manager 2012, I can’t wait until RC is coming up..
Till next time.