SCCM remote control failed to do Handshake in Server. An existing connection was forcibly closed by the remote host Error 80072746

You can use Configuration Manager remote control to remotely administer, provide assistance, or view any client computer in the hierarchy. You can use the remote control to troubleshoot hardware and software configuration problems on client computers and to provide support. Configuration Manager supports the remote control of all workgroup computers and domain-joined computers that run supported operating systems for the Configuration Manager client.

Before you begin to use the remote control, ensure that you review the information in the following articles:

Prerequisites for remote control

Configuring remote control

Recently, a colleague of mine was troubleshooting an Office 365 issue on an end-user device and trying to run remote sessions using Microsoft Teams. Although the Teams application has a desktop sharing feature, it sometimes behaves very weirdly. He had issues with desktop sharing sessions in Teams, so the alternative approach was the SCCM remote control tool.

I did a blog post on how to deploy the SCCM remote control tools to a user device without installing the SCCM console; please refer to this blog post for more information: http://eskonr.com/2018/08/how-to-deploy-sccm-remote-control-bits-standalone-to-clients-without-configmgr-console-being-installed/

You can create a package and deploy the SCCM remote tools to users who need them.

When he tried remote control to the user device, it failed with an access denied error.

To capture the error details, I reproduced the issue; the following is the output of remote control (error snippet is below).


The remote control log (CmRcService.log) on the client located at C:\windows\ccm\logs shows the following error details:


Session denied: The remote user is not authorized to perform remote control on this system.

Disconnecting the connection.  An existing connection was forcibly closed by the remote host. (Error: 80072746; Source: Windows)

Failed to do Handshake in Server. An existing connection was forcibly closed by the remote host. (Error: 80072746; Source: Windows)

Failed to validate Security requirement. An existing connection was forcibly closed by the remote host. (Error: 80072746; Source: Windows)

The following is the basic checklist for remote control troubleshooting:

1. Check that firewall port 2701 is open from the device where you run the Configuration Manager console or SCCM remote control tools (source) to the destination device.

2. Check that the remote control client settings, with the relevant user groups (permitted viewers), are deployed to the client device.

How do you check which remote control settings and user groups have been applied to the device?

When you deploy multiple client settings to the same device, user, or user group, the prioritization and combination of settings are complex. To view the client settings, you can use Resultant Client Settings.

From the SCCM console, right-click the device and choose Client Settings -> Resultant Client Settings.


In the resultant client settings, under remote tools, remote control is enabled with the permitted viewers who can use the remote tools feature.


Both of the above checks pass, so we now move on to client troubleshooting.

When the remote control feature is enabled on the client side, a policy is downloaded to the client and remote tools are enabled. This can be seen in the Configuration Manager applet.


There is also a registry key and local security group called 'ConfigMgr Remote Control Users' that will get created when you enable remote control tools using device client settings.

Registry location for SCCM remote control: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control


Local security group: ConfigMgr Remote Control Users

The permitted viewers of remote control and remote assistance that you added in client settings are added to both the registry and the local security group.

In my case, only the registry key was updated with permissions (PermittedViewers); however, the local security group was empty.


To fix this issue, we can add the permitted viewers either by using GPO or by using a compliance baseline in SCCM.

After adding the user group to the ConfigMgr Remote Control Users group, the issue was resolved.

To find the root cause, we can simply create new client settings, increase the priority of the client setting, deploy it to the client device and monitor the log (CmRcService.log).

How do we find the devices that have this issue and fix it with automation?

The following is a simple PowerShell script to find devices that have no members in 'ConfigMgr Remote Control Users'. It can be used to create a configuration item and deploy it to all devices.

# Compliant when the local group has at least one member
if ((Get-LocalGroupMember "ConfigMgr Remote Control Users").Count -ge 1)
{
Write-Host "Compliant"
}
else
{
Write-Host "Non-Compliant"
}

If compliant, at least 1 group is a member of the remote control users group; if non-compliant, the group is empty.

You can alter this script to query the registry as well.
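
One way to extend the check to the registry, as an added example (not the author's script): it compares the PermittedViewers registry value with the members of the local group and reports Non-Compliant when a permitted viewer is missing from the group. The function name Get-PermittedViewerDrift is hypothetical, and it assumes PermittedViewers holds DOMAIN\name strings in the same form that Get-LocalGroupMember returns.

```powershell
# Added example. Registry path, value name and group name are taken from the page.
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control'
$GroupName = 'ConfigMgr Remote Control Users'

# Hypothetical helper: returns the difference between policy and local group.
function Get-PermittedViewerDrift {
    param(
        [string]$Path  = $RegPath,
        [string]$Group = $GroupName
    )

    # Assumption: PermittedViewers holds one DOMAIN\name entry per viewer.
    # @() copes with a multi-string, a single string or a missing value.
    $raw    = (Get-ItemProperty -Path $Path -ErrorAction Stop).PermittedViewers
    $policy = @($raw | Where-Object { $_ } | ForEach-Object { $_.Trim() })

    # -ErrorAction Stop turns a missing group into a catchable error.
    $members = @(Get-LocalGroupMember -Group $Group -ErrorAction Stop |
        ForEach-Object { $_.Name })

    [pscustomobject]@{
        # In policy but not in the group: the condition described on this page.
        Missing = @($policy  | Where-Object { $members -notcontains $_ })
        # In the group but not in policy: informational, worth a review.
        Extra   = @($members | Where-Object { $policy  -notcontains $_ })
    }
}

try {
    $drift = Get-PermittedViewerDrift
    Write-Verbose ("Missing from group: " + ($drift.Missing -join ', '))
    Write-Verbose ("Not listed in policy: " + ($drift.Extra -join ', '))

    # A configuration item compares this single output string with its rule.
    if ($drift.Missing.Count -eq 0) { 'Compliant' } else { 'Non-Compliant' }
}
catch {
    # Registry key or group absent, or membership could not be enumerated.
    Write-Verbose $_.Exception.Message
    'Non-Compliant'
}
```

Because the viewer names are read from the registry, the same discovery script works for devices that receive different client settings, with no group name hard-coded in the script.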

To fix the issue, I created the following PowerShell script and deployed it using the compliance baseline method.

This script checks whether the permitted group (configured in the client setting) is a member; if it is not, the script adds the group, otherwise it exits, and it reports the status to SCCM.

Discover script:

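#Discover
# Compliant only when the permitted viewers group from client settings is a member of the local group
if (Get-LocalGroupMember "ConfigMgr Remote Control Users" | Where-Object { $_.Name -like "eskonr\SCCM-remote-control-users" })
{ Write-Host "Compliant" }
else { Write-Host "Non-Compliant" }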

Remediation script:

#Remediate
Add-LocalGroupMember -Group "ConfigMgr Remote Control Users" -Member "eskonr\SCCM-remote-control-users"

Create a configuration baseline and deploy it to a collection to receive these changes.

When you deploy the configuration baseline, the detection script runs and detects whether the security group is a member of the remote control group. If it is non-compliant, the remediation script runs, and then the detection script runs once more to confirm that the remediation reached compliant status.

You can monitor the compliance baseline information using DcmWmiProvider.log.


