| Remote Control for Ivanti Endpoint Manager |
|---|
Product Help Documentation |
Notice:Any E-Learning content is available by default to Members who have a minimum support agreement at the Professional level.
This article is not a comprehensive list of documents and issues. You can continue to search the rest of the community or the portion specific to the Remote Control if this page hasn't helped.
Question
What platforms support Screen Blanking Driver?
Answer
Windows XP
Windows Server 2003
All other operating systems following these two no longer support the blanking driver.
Windows XP and Server 2003 Legacy Agent cannot use remote control.
After the legacy agent is installed, Landesk Remote Control Service is not installed. Check the agent install log, there is error related to missing file called normaliz.dll.
On the affected XP/2003, navigate to C:\Windows\System32, check if there is a file called "normaliz.dll". If not, copy and paste the attached normaliz.dll to that folder and rerun the legacy agent installer.
What is Legacy agent: This involves installing an agent from a previous version of LANDESK on the OS and using it with current code. New features are not available and limited support is available for this method of device management.
With the release of LANDesk Management Suite 2016.3 SU3, and Ivanti Endpoint Manager 2017.x, we have upgraded our hash encryption algorithms to use SHA-256 hashes for the pass-through Authentication Token. This change to the algorithm prevents older agents from being able to decrypt the token, causing the following errors for both HTML and Legacy remote control.
Error when using HTML Remote Control:
Authentication Failed, Invalid Credentials or No rights to Remote Control
Error when using Legacy Remote Control:
The signed rights document was not valid. Authentication failed.
Updating the agent to match the core version will resolve the issue, as the newer agent will be able to decrypt the authentication token.
It has always been the position of Ivanti Support that Agents should be updated as quickly as possible after the core server has been upgraded. Although this is an inconvenience, it is working as designed and is expected Ivanti admins will work to upgrade their agents as quickly as possible to return to full functionality.
There is a workaround for HTML Remote Control that can be used when the agent cannot be updated in a timely fashion, or at all.
When presented with the authentication error, click OK, and you will be prompted for your credentials. Enter your credentials in manually and, provided you have the necessary access, it will successfully initiate the remote control session.
*** There is no work around for Legacy RC. To remote control an older agent, you will need to use HTML RC.***
During the install of the LANDesk remote control feature, the LANDesk Virtual Smart Card reader will be installed. This may cause authentication issues in some environments, including those using SSO.
Use the following command to create a batch file, or a LANDesk custom script, that can be deployed to affected machines. This command will remove the smart card reader from the system.
"%LDMS_LOCAL_DIR%\..\lddevcon.exe remove LDRemoteSC"
Unable to remote control machines. You will see the following message in the remote control window:
Login Failed. You must provide valid credentials for a user in the "Remote Control Operators" group on the remote machine.
In the remote control settings, "Manage remote control users and groups" is checked by default.
Unchecked the box "Manage remote control users and groups" in remote control settings in the agent configuration.
Unable to talk to core, authentication fails.
Note: If you are unable to install the telnet client in order to test connectivity, this can be done with powershell and is very easy to run when you use the batch file from the EndPoint Manager (EPM) Tool . The EPM Tool can also ,make it really easy and quick to recreate the COM+ objects.
Background:
Once some desktop computers which have installed agent can't access the core server in intranet, it will switch to gateway mode automatically, If administrator can't remote control the client machine if the client machine is gateway mode, It administrator need to change the gateway mode to direct mode, then It administrator can remote control this client machine in intranet.
Configuration steps:
When trying to remote control the client machine, the menu is grayed out.
1. Ping the client machine from core successfully
2. Telnet client machine at 9535 and 4343 port successfully
3. Is the Core server in a Domain, and the client machine is in WORKGROUP? Join the client to the domain, then can the client be remote controlled successfully?
4.Do your DNS server records match your DHCP server?
5. Can you open the following URL from core to client: http://clientIP:9595/allowed/ldping, and http://clientName:9595/allowed/ldping
If the clientIP URL can open as XML page, but the cilentName URL cannot access. You can go to the resolution below.
1. Check the Network adapter settings on client machines:
2. Check the DHCP server settings to add 045 options:
LDMS 9.5
LDMS 9.6
Description
When remote control to client machine, the windows will starts minimized and can't be open in full screen. Even double click the Isscntr.exe to launch the remote control, the remote control window can't open.
Cause
The window is opened unsuccessfully one time for some reason. Then the window remembered last setting of windows size.
Resolution
There is a registry key can control the windows size. Need to modify and reboot the core server. Do NOT copy this to your core server.
[HKEY_USERS\S-1-5-21-3461657420-2590047586-3954473000-1140\Software\LANDesk\Instant Support Suite Console\Container]
"style"=dword:00000003
"style"=dword:00000001, normal size
"style"=dword:00000003, maximized size
*The string value 'S-1-5-21-3461657420-2590047586-3954473000-1140' here need to be modify with you own.
Apply
LDMS 9.5, LDMS 9.6 and later
Env:
LDMS 95 SP2 Francais
Description:
Vous demarrez une prise en main a distance HTML5 et votre clavier Azerty n'est pas mappe.
Vous vous retrouvez avec un clavier Qwerty
Comment avoir un clavier AZERTY ?
Simplement en modifiant les parametres de langues et regions (voir image ci-dessous)
Cette action devra etre effectuee pour toute nouvelle session.
The purpose of this document is to show how to trust a certificate so that when you are using the new HTML5 Remote Control you do not get the security warning. We have also attached the certificate that is to be trusted.
Adding certificates to the Trusted Root Certification Authorities store for a domain
Domain Admins is the minimum group membership required to complete this procedure.
To add certificates to the Trusted Root Certification Authorities store for a domain
1. Open Server Manager, and under Features Summary, click Add Features. Select the Group Policy Management check box, click Next, and then click Install.
2. After the Installation Results page shows that the installation of the GPMC was successful, click Close.
3. Click Start, point to Administrative Tools, and then click Group Policy Management.
4. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy GPO that you want to edit.
5. Right-click the Default Domain Policy GPO, and then click Edit.
6. In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.
7. Right-click the Trusted Root Certification Authorities store.
8. Click Import and follow the steps in the Certificate Import Wizard to import the certificates.
The certificate for LDMS 9.6 and 9.6 SP1 can be found at C:\Program Files\LANDesk\ManagementSuite\rchtml5.cer
They can be found at this link as well… http://technet.microsoft.com/en-us/library/cc754841.aspx#BKMK_managedomain
This now has the certs required for 9.5, 9.5 SP1, and 9.5 SP2.
NOTE: If you would like to show the FQDN (ie. https://MachineName.domain:4343) instead of the short name (eg. https://MachineName:4343), Be sure that when you sign into the console, it is using the FQDN for the Core server
This document applies to LDMS 9.0 and 9.5
Some customers want to use local Windows Authentication to authenticate their remote control sessions via LANDesk. This might also be the case if the to be remote controlled device is not member of a domain (standalone) or not part of any trusted domain (untrusted) to the domain within the administrator and/or the LDMS core resits.
The usual configuration within the LANDesk Agent configuration would look like similar to this
On the to be remote controlled device there are some local account added to the “Remote Control Operators” group (here LDAdmin and the local administrator).
But every time the customer wants to connect to the machine the “Credentials Required” window keeps popping up. And no successful remote control session can be established.
The issuser.log (in the LDClient directory) does show entries which imply that the user has established a successful remote control session.
These entries might look similar to this one:
Start Remote Control Initiated from W2K3-CITRIX-EN by user \, Security Type: Windows NT
The cause of this was that the local machine was set to only accept network connection authenticated by NTLMv2 within the local group policy for “Network security: LAN Manager authentication level Properties”.
The solution is to set the authentication level to “Send LM & NTLM – use NTLMv2 session security if negotiated”
Description: When trying to remote control machines the remote control viewer only get's black screen. On the agents you sometimes get a Visual C++ Runtime error.
In the Application Event Log getting error:
Type: Error
Source: Application Error
Event ID: 1000
Event Time: 03/11/2011 6:34:13 AM
User: n/a
Computer: HOSTNAME
Description:
Faulting application name: rcgui.exe, version: 9.0.2.38, time stamp: 0x4ca31c26
Faulting module name: ntdll.dll, version: 6.1.7600.16695, time stamp: 0x4cc7ab86
Exception code: 0xc0000005
Fault offset: 0x00032a00
Faulting process id: 0x818
Faulting application start time: 0x01cbdfe89bbc0d84
Faulting application path: C:\PROGRA~2\LANDesk\LDClient\rcgui.exe
Faulting module path: C:\Windows\SysWOW64\ntdll.dll
Report Id: de787d70-4bdb-11e0-bc17-0050568e1eb4
Cause: Beyond Trust has seen this issue with some of their customers and LANDesk. PBWD will load the DLLs when the process executable starts, to enable detection if elevated rights are needed, and whenever other items are set to detect. After PBWD unloads from the process, some programs have problems with this. The two from LANDesk that has issues with this are rcgui.exe and issclipexec.
Resolution: BeyondTrust is aware of this conflict. It can be resolved by having at least client version 4.9.1 and creating the following registry string value:
HKLM\SOFTWARE\Policies\BeyondTrust\PrivilegeManager
ExcludedProfilerApps=C:\PROGRA~2\LANDesk\LDClient\rcgui.exe;C:\PROGRA~2\LANDesk\LDClient\issclipexec.exe
Or you can create the following batch job to send out to your machines:
reg add "HKLM\SOFTWARE\Policies\BeyondTrust\PrivilegeManager" /v "ExcludedApps" /d "C:\Program Files\LANDesk\LDClient\issuser.exe;C:\PROGRA~1\LANDesk\LDClient\issuser.exe;C:\Program Files\LANDesk\LDClient\rcgui.exe;C:\PROGRA~1\LANDesk\LDClient\rcgui.exe" /f
The Remote Control client intercepts the key combination Ctrl+Shift+Backspace and passes to the application listening for keystrokes only the Backspacekey even if the device is not currently subject to a remote control session.
This represents a problem if the user is using an application that uses this particular combination to perform some particular tasks
Contact the support and ask for the patch CR51966
The patch is available for LD9 SP2 and LD 8.8 SP4
Problem
When remote controlling a target device, the LANDesk Remote Control Viewer window shows a distorted image instead of the target device's screen.No error message is displayed in the viewer or the target device.
Cause
Resolution
Open a new incident with LANDesk Technical Support to request patch RC-48366
Affected Products
LANDesk Management Suite 8.8
LANDesk Management Suite 9.0
After remote controlling a computer, when we end session, the station locks and the user has to unlock their desktop.
Change the Lock the remote computer when the session ends setting.
To do this follow these steps:
Attempting to remote control a machine results in a message in the connection log that says:
Unable to find the remote control web service on "."
The user is prompted for credentials. Any combination fails to authenticate.
Custom tool was calling the isscntr.exe without the -s switch.
The -s"corename" switch is required for Integrated Security so a certificate exchange may take place. The -s switch is not required for Local Template or NT Security.
Change the tool or shortcut to reflect the -s"coreserver" switch or use Local Template or NT Security for authentication.
Description
During a remote control session you are not able to send Ctrl-Alt-Del
Cause
This is controlled through the "software Secure Attention Sequence" policy.
This can either be set through a domain policy or local policy.
When set to Disabled, you will not be able to send Ctrl-Alt-Del remotely.
Solution
There are two ways of setting the needed group policy setting, depending on whether the remote computer is connected to a domain or is a member of a workgroup. Please follow the appropriate section depending on your setup.
Domain Procedure (change domain group policy setting)
If the remote computer is connected to a domain, the domain administrator can enable this group policy setting for subdomains or for the entire domain. Please follow these steps:
Important: Only a domain administrator can modify the domain group policy
Important: The domain group policy overrides the local group policy. If the domain group policy is not set, you can use local group policy setting mentioned in the next section.
You have now enabled the sending of Ctrl-Alt-Del on all computers that are connected to the domain you selected in step 3.
Workgroup procedure (change local group policy setting)
If the remote computer is a member of a workgroup or is connected to a domain with no domain group policy set, you should follow these steps:
You have now enabled the sending of Ctrl-Alt-Del on the remote computer.
