ConfigMgr 2012 allows admins to specify Client Settings at the collection level to control the behavior and functionality of clients.
You can create a large number of custom client device/user settings (9999) and apply them to collections (device/user).
What happens if a client is a member of multiple collections that have client settings? All the custom client settings that you create are applied according to priority: a setting with higher priority (1) overrides settings with lower priority (10000).
If you are going to have multiple client agent settings, pay close attention to this, otherwise you will see undesired results.
By default, ConfigMgr configures the default client settings at the hierarchy level with priority 10000 (low), which is applied to every user and device. To learn more about client settings, refer to TechNet: http://technet.microsoft.com/en-us/library/gg682067.aspx
Now, let's jump into the subject. After the ConfigMgr 2012 installation, the default client settings are configured with the necessary changes. In this case, Remote Tools is configured with AD security groups under ‘Permitted viewers of remote control and remote assistance’, so that users who are members of these AD security groups can do remote control from ConfigMgr.
These remote control settings are then applied to every client (both workstations and servers) at the next policy interval. What happens when they are applied?
This creates a local security group called ‘ConfigMgr Remote Control Users’ and grants the necessary DCOM permissions to this group. You can verify the remote control properties via WMI or the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control).
So far so good, but recently I had a requirement from the server team to deny remote control on servers; in other words, remote control using ConfigMgr is not allowed.
The course of action would be to create custom device settings and disable the remote tools? I did this, but after some time the server team came back saying that the AD security groups were still part of the local group.
Disabling the remote tools denies users remote control from ConfigMgr, but for the server team you are also supposed to remove the entries from both the registry and the local security group.
Simply disabling the remote tools does not help in this case, so I had to test different options to meet the server team's requirement. The results are below.
Case 1: Disable ‘Enable Remote control On clients’ without removing the permitted viewers? In this case, remote tools are disabled on the client, but the security groups remain in both the registry and the local group (ConfigMgr Remote Control Users).
Case 2: Disable ‘Enable Remote control On clients’ and remove the permitted viewers? In this case, remote tools are disabled on the client and the entries are removed from the registry, but not from the local group (ConfigMgr Remote Control Users).
Case 3: Enable ‘Enable Remote control On clients’ and remove the permitted viewers? In this case, remote tools are enabled, but the entries are deleted from both the registry and the local group (ConfigMgr Remote Control Users).
Note: I am not describing the other remote tool options here, such as ‘Manage remote desktop settings’, ‘Play sound on client’, etc.
I chose option 3 in this case.
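To confirm which of the three cases a given server actually ended up in, the registry key and the local group named above can be read side by side after the next policy interval. This is an added example, not code from the original post; the function names are hypothetical and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example: report the Remote Control state the ConfigMgr client left on this machine.
# Key path and group name are the ones given in the post; function names are hypothetical.
$regPath   = 'HKLM:\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control'
$groupName = 'ConfigMgr Remote Control Users'

function Get-RemoteControlRegistryValues {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    # Dump every value as-is rather than assuming particular value names
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Name  = $name
            Kind  = $key.GetValueKind($name)
            Value = ($key.GetValue($name) -join '; ')   # flattens multi-string values
        }
    }
}

function Get-LocalGroupState {
    param([string]$Group)
    $state = [pscustomobject]@{ Group = $Group; Exists = $false; Members = @() }
    try {
        # The ADSI WinNT provider also works where Get-LocalGroupMember is unavailable
        $entry   = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
        $members = @($entry.psbase.Invoke('Members'))
        $state.Members = @($members | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })
        $state.Exists = $true
    } catch {
        # Invoke throws when the group is not present on this machine
    }
    $state
}

$reg   = @(Get-RemoteControlRegistryValues -Path $regPath)
$group = Get-LocalGroupState -Group $groupName

"Registry values under $regPath"
if ($reg.Count) { $reg | Format-Table -AutoSize | Out-String } else { '  (key missing or empty)' }

if (-not $group.Exists)         { "Local group '$groupName' does not exist." }
elseif ($group.Members.Count)   { "Local group '$groupName' still has members:"
                                  $group.Members | ForEach-Object { "  $_" } }
else                            { "Local group '$groupName' exists and is empty." }
```

In Case 2 the registry output shows no viewer entries while the group still lists members; in Case 3 both come back clean.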
Post questions in the comments section (Leave a Reply).