Control Center Installation Guide
Remote Manage Requirements for the Cireson Control Center
This section details the requirements for the Remote Manage feature of the Cireson Control Center to work.
Overview of Remote Manage
The Remote Manage feature of the Control Center allows you to perform various Remote Actions on a computer as though you were physically sitting in front of it.
Remote Manage actions use PowerShell Remoting, which in turn relies on Windows Remote Management (WinRM) version 3.0 or later. WinRM needs to be installed and enabled on both the computer initiating the Remote Action and the target machine on which the Remote Action is being performed.
When a Remote Manage action is performed for a domain-joined computer, the Control Center uses the NetBIOS computer name, which in turn utilizes the Kerberos authentication protocol.
Administrator Computer Requirements
This section details the requirements for the administrator computer from which the Remote Manage Actions will be performed:
- WinRM version 3.0 or later is installed if the computer is running Windows 7. Windows 8.x/10 already include WinRM as part of the operating system.
- WinRM is enabled as detailed in the "Enabling WindowsRM" topic of this section.
- The administrator's computer needs to be domain-joined. Remote Manage Actions cannot be invoked from a computer in a workgroup.
- The relevant version of the Remote Server Administration Tools (RSATs) for the operating system of the administrative computer should be installed.
- If the ConfigMgr Remote Control action is going to be invoked, the correct version of the ConfigMgr console needs to be installed that corresponds to the ConfigMgr site server the console will route the connection through.
To perform certain Remote Manage actions, the Analyst performing the task must have the Cireson Application Launcher tool installed locally. Installation of the Cireson Application Launcher is covered in "Appendix E – How to install the Cireson App Launcher" of the "Cireson Control Center User Guide."
The correct firewall ports must be opened and scoped properly to allow the machine that will invoke the Remote Manage Actions to connect to the SMS Provider. Remote Manage uses the same ports to connect to the SMS Provider as the ConfigMgr console: both use RPC, so the appropriate ports should be opened to allow RPC connections from the administrator's computer to the SMS Provider. RPC communication is initiated over port 135, and dynamic ports are used for the duration of the session.
Target Computer Requirements
This section details the requirements for the target computers on which the Remote Manage Actions will be performed:
- The target computer needs to be running Windows 7, Windows 8.x, or Windows 10.
- The target computer needs to be domain-joined. Remote Manage Actions cannot be performed on computers in a workgroup.
- WinRM version 3.0 or later is installed on computers running Windows 7. Windows 8.x/10 already include WinRM as part of the operating system.
- WinRM is enabled as detailed in the "Enabling WindowsRM" topic of this section.
- The appropriate firewall rules should be enabled for other services, such as File/Printer sharing, Remote Event Viewer, Remote Computer Management, RDP, etc.
By default, the Windows Remote Management (WS-Management) service is not enabled and is set to start manually, so any attempt to invoke a Control Center Remote Manage Action on a computer will fail because the computer is not "listening" for the request.
To enable and start the Windows Remote Management (WS-Management) service:
- On a single computer - You can enable WinRM by running the winrm quickconfig command. This sets the Windows Remote Management (WS-Management) service to start automatically and opens the firewall ports required for PowerShell Remoting/WinRM, i.e. HTTP: 5985 and HTTPS: 5986.
- On multiple computers - You can create a package/script to enable WinRM based on the above command, or leverage Group Policy (the preferred method).
- Use PSEXEC to Remotely Enable on Client Machines
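A readiness check for the administrator and target requirements above, as an added example that is not part of the Cireson documentation or product. The function name Test-RemoteManageReadiness, its parameters and the computer names in the usage comment are hypothetical; it assumes PowerShell 3.0 or later.

```powershell
# Added example, not Cireson code. Function and parameter names are hypothetical.
function Test-RemoteManageReadiness {
    param(
        [Parameter(Mandatory)][string]$ComputerName,  # NetBIOS name of the target
        [string]$SmsProvider                          # optional SMS Provider server
    )

    # Plain TCP connect with a 3 s timeout; works on Windows 7, which lacks Test-NetConnection.
    function Test-Port([string]$Target, [int]$Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $pending = $client.BeginConnect($Target, $Port, $null, $null)
            return ($pending.AsyncWaitHandle.WaitOne(3000) -and $client.Connected)
        } catch { return $false } finally { $client.Close() }
    }

    $local = Get-CimInstance -ClassName Win32_ComputerSystem
    $winrm = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"

    # WS-Man identify with Kerberos forced. It fails if the listener is down, the
    # firewall blocks 5985, or Kerberos cannot be used for this name.
    $stack = $null; $wsmanError = $null
    try {
        $id = Test-WSMan -ComputerName $ComputerName -Authentication Kerberos -ErrorAction Stop
        if ($id.ProductVersion -match 'Stack:\s*(\d+\.\d+)') { $stack = [version]$Matches[1] }
    } catch { $wsmanError = $_.Exception.Message }

    [pscustomobject]@{
        Target             = $ComputerName
        AdminDomainJoined  = [bool]$local.PartOfDomain
        AdminWinRMState    = $winrm.State       # expected: Running
        AdminWinRMStart    = $winrm.StartMode   # expected: Auto after winrm quickconfig
        TargetPort5985     = Test-Port $ComputerName 5985
        TargetPort5986     = Test-Port $ComputerName 5986  # needs an HTTPS listener
        TargetWinRMStack   = $stack
        TargetStackIs3Plus = ($null -ne $stack -and $stack -ge [version]'3.0')
        KerberosError      = $wsmanError
        SmsProviderRpc135  = if ($SmsProvider) { Test-Port $SmsProvider 135 } else { $null }
    }
}

# Usage (placeholder computer names):
# Test-RemoteManageReadiness -ComputerName 'PC-EXAMPLE01' -SmsProvider 'CM-EXAMPLE01'
```

Run it from the administrator computer under the Analyst's account, since the Kerberos check uses the current user's credentials.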
To successfully run a Remote Manage Action on a remote computer, the user performing the action will require the following:
- The Manage Global Right as detailed in the "Global Rights" topic of the "'Security Rights' tab" section of the "Cireson Control Center User Guide."
- Permissions to connect to and read from the ConfigMgr site via the SMS Provider.
- If the Remote Manage Action involves working with collection membership, then the user performing the action must have the same collection permissions as an administrator with the built-in security role Application Administrator in order to display collections and add/remove resources for the targeted user/computer.