Configuration Manager Remote control for CMG Connected devices

Microsoft released Configuration Manager Technical preview build 2009 with some cool features applicable to cloud management gateway.

This technical preview is for lab purpose ONLY and can be installed on 3 successive build versions which are from 1906,1907 and 1908.

The latest active baseline version available is 2007 and can be downloaded from the Evaluation Center.

If you want to build lab, download the baseline version (2007) and then do in-console update to latest preview build 2009.

The following features are available with Configuration Manager technical preview build 2009:

• Cloud management gateway with Azure VM scale set

Cloud management gateway deployments now use the Azure virtual machine scale set, which introduces support for Azure Cloud Solution Provider subscriptions.

• Deploy an operating system over CMG using boot media

An admin can now reimage devices on the Internet over cloud management gateway using boot media

• Improved Windows Server device restart experience for non-administrator accounts

Administrators can now allow low-rights users to perform Configuration Manager initiated restarts for Windows Server.

• Improvements to in-console notifications

You now have an updated look and feel for in-console notifications. Notifications are more readable and the action link is easier to find. Additionally, the age of the notification is displayed to help you find the latest information. If you dismiss a notification, that action is now persistent for a user across consoles.

• Notifications for devices no longer receiving updates

To help you manage security risk in your environment, you will be notified in-console about devices with operating systems that are past the end of support date and that are no longer eligible to receive security updates.

• Remote control anywhere using Cloud Management Gateway

An admin or helpdesk operator can now connect to a client via remote control over the Internet via cloud management gateway.

• View Collection Relationships

You can now view dependency relationships between collections in a graphical format. Limiting, include, and exclude relationships are shown.

• Wake machine at deployment deadline using peer clients on the same remote subnet

When you enable 'Send wake-up packets' on a deployment, the site will now identify another client that's awake on the same remote subnet. The awake client then sends a wake on LAN request (magic packet).

Configuration Manager Technical Preview 2009 :

Technical preview 1909 site version:5.00.9030.1000

Client version (1909):5.00.9030.1000

One of most requested feature in the recent times after the cloud management gateway introduced is the Remote control for internet connected devices.

Remote control for CMG connected devices was first introduced in technical preview version 1906 which is now improved.

Prerequisites for remote control over CMG connected devices:

1. You need to enable the remote tools in the client settings and add the user or group as permitted viewer for remote control.
2. Update the configuration manager client to the latest version (1909)
3. The client needs to be online

What are the authentication methods used in the remote control of internet device?

• A valid PKI client certificate
• Azure Active Directory (Azure AD)
• Token-based authentication

The above authentication methods aren't unique to remote control. If you properly configure clients to communicate with a CMG, HTTPS management points, or sites with enhanced HTTP, then they already use a supported authentication method.

Now lets test the remote control over internet connected device.

I have a device (Win10-11) that is on the internet is ONLINE and connected to CMG:

Right click on the device and select the remote control.

select the option to Connect via CMG or HTTPS MP for any of the following scenarios:

• CMG
• HTTPS management point
• Enhanced HTTP site
• Address: The target address of the client. To connect using CMG, you must use the FQDN. You can't use the hostname or IP address.
• Connect via CMG or HTTPs MP: This option allows for fallback from a TCP direct connection to use the CMG service.
• Server name: The CMG service name to which the current user and target client can connect.
• HTTPS port: If needed, change the default port from 443.
• Verify server certificate revocation: If the CRL DP location isn't accessible for the current user, disable this option for testing purposes.
• Azure environment: This option will prompt for sign in with your Azure AD credentials. Then, select the Azure environment for that user.
• Click OK to connect. Remote control will attempt a direct connection first, then fallback to CMG for connection.
• Please make sure the fully qualified domain name (FQDN) of the applicable service for CMG or https MP.

In my case, the CMG is using public cert and is CMTPTP1.eskonr.com.

If you are using the certs from CA, then you will have something like CMTPTP1.cloudapp.net.

When you click on Ok, it will prompt for Azure AD authentication and follow the remote-control settings on the target device.

Authentication:

If the user is permitted to view the remote control of the device and the device is online,

The end-user receives a pop-up to approve or deny the remote control request.

Finally, we can do a remote control for CMG connected device just like we do it for corporate network-connected devices.

Troubleshooting:

How to troubleshoot the remote-control issues for internet connected devices?

When you perform a remote control, there is cmrcviewer.log under %temp% folder

If any non-permitted user is trying to perform a remote control, it will be tracked in the ccm_sts log located on the management point logs.

Following is the log that shows Koneti\eswar is not permitted viewer to perform remote control of the device.

When I authenticated the Azure AD with different user (Eswar.koneti) who have permissions to remote control, it works.

If the device is Offline in the console, and you try to do remote control, you will see the following screen:

There are many other cool features available in this release.

Happy testing!