Description

When a remote control session is started to a client machine ISSCNTR.exe responds with the following status error:

"The remote computer is not managed by your server"

Cause

This issue is most commonly caused by device's with a corrupted, or mismatched DeviceID in the Inventory Database.  You can try verifying that the core server can "ldping" the target machine by opening a web browser and going to the following page:

http://machine-name:9595/allowed/ldping

This should return an XML document with the client's DeviceID.

Resolution

1. Delete the device Name from the Core Server device listing.
2. Run a Full Inventory scan from the client Machine using the /F and /SYNC switches:

"C:\Program Files\Landesk\LDClient\LDISCN32.EXE" /NTT=%server%:5007 /S="%server%" /I=HTTP://%server%/ldlogon/ldappl3.ldz /NOUI /NOCD /F /SYNC

Once the full inventory scan has finished and is processed by the Core server, the client machine will show back up in the device listing and remote control will no longer reply with the error.

Problem

When you attempt to legacy remote control a machine after upgrading to 2017.3, you may see the following error:

"Authentication failed because a certificate was not found on the remote computer".

Cause

We changed the Remote Control certificate to SHA256 in 2017.1 and older agents are unable to decrypt the certificate. Click here for more detail.

We see this issue more often with customers who upgrade from 9.6 to 2017.3, but this can affect anyone upgrading from previous versions of LANDesk to Ivanti 2017.x

Solution

Upgrade your agents by clicking Rebuild all under Tools>Configuration>Agent Configuration. Once that completes, right click your agent configuration and choose schedule agent deployment.

Non-Supported workaround

You may be able to get the older clients to function again if you replace the following file with the one from %LDMS_HOME%ldlogon on the core server.

C:\Program Files (x86)\LANDesk\LDClient\issuser.exe

NOTE: This is a non-supported workaround meaning that support will not assist with this and wont be able to help if this breaks the agent. Please continue at your own risk. The better solution is to reinstall the agent.

Description

With the release of LANDesk Management Suite 2016.3 SU3, and Ivanti Endpoint Manager 2017.x, we have upgraded our hash encryption algorithms to use SHA-256 hashes for the pass-through Authentication Token. This change to the algorithm prevents older agents from being able to decrypt the token, causing the following errors for both HTML and Legacy remote control.

Error when using HTML Remote Control: 

Authentication Failed, Invalid Credentials or No rights to Remote Control

Error when using Legacy Remote Control:

The signed rights document was not valid. Authentication failed.

Solution

Updating the agent to match the core version will resolve the issue, as the newer agent will be able to decrypt the authentication token.

It has always been the position of Ivanti Support that Agents should be updated as quickly as possible after the core server has been upgraded. Although this is an inconvenience, it is working as designed and is expected Ivanti admins will work to upgrade their agents as quickly as possible to return to full functionality.

Workaround

There is a workaround for HTML Remote Control that can be used when the agent cannot be updated in a timely fashion, or at all.

When presented with the authentication error, click OK, and you will be prompted for your credentials. Enter your credentials in manually and, provided you have the necessary access, it will successfully initiate the remote control session.

*** There is no work around for Legacy RC. To remote control an older agent, you will need to use HTML RC.***

When you remote control from a remote console and it lauches the remote viewer, you are missing the remote execute (Run bar) as well as the file transfer icon.

Cause:

This is caused by the issftran.dll and issftran64.dll are missing from the remote control install package.

Solution:

Copy the issftran.dll and issftran64.dll from the ManagementSuite directory from your core machine to the ManagementSuite directory on your console machine.

When you then launch the remote viewer, you will again have the remote execute and file transfer options.

Issue

You are remotely controlling a client computer using the Landesk legacy console.

You need to transfer some files to the computer but when you click the "file transfer" option, the "Landesk Remote Control" window shows a blank screen.

No logical volume seems to be detected on the remote client device.

Cause

This is a known issue that is currently being addressed by our engineering team.

Please note that this issue only occurs when doing a remote control session from a legacy remote console.

A bug report has already been opened for this issue: TFS 282932 - File Transfer UI is blank

Workaround

Customers experiencing this issue are advised to use the HTML5 remote control.

They may also initiate the remote control directly from the core server as only remote consoles are affected by this issue.

Environment:

This is found in LANDesk Management Suite version 9.6 Service pack 2

Error message:

"Unable to find the remote control web service on <CORE SERVER>"

"Failed short session connection to gateway (3)"

Cause:

1. This happens when the certificate bound to HTTPS on the core becomes corrupt, missing, or expired.

2. This error can also happen when using the remote control viewer to remote control devices without a core server to authenticate to.

Solution / Workaround:

Solution 1:

On your core, open the IIS manager.

On the left, find the "Default Web Site" entity.

Right click it and choose "Edit Bindings" from the list.

In the new window, edit the 443 binding. Change the certificate to one that looks like: "LANDesk Secure Token Server"

Reset IIS

If the certificate is already set to the "LANDesk Secure Token Server". This means that you have a bad certificate:

Open your client connectivity settings and look under "Core information". Note which certificates are being used.

If there are many certificates in here, you may need to verify the core name on the certificate and .0 files by opening them in notepad. Check the .crt and .cer expiration dates by double clicking them.

Navigate to \Program Files\LANDesk\Shared Files\Keys and compare to "Core certificates the client will trust". Move the certificates and .0 files that are not in client connectivity (With the exception of LANDesk_CommandsWS) to a new folder. NOTE: File path may vary

Navigate to \Program Files\LANDesk\ManagementSuite\ldlogon and move the .0 files that are not in client connectivity to a new folder. NOTE: File path may vary

Navigate to \Program Files (x86)\LANDesk\Shared Files\cbaroot\certs and move the .0 files that are not in client connectivity to a new folder. NOTE: File path may vary

Solution 2:

Add the LANDesk core server name to "Type the authentication core server name:" in the remote control viewer before attempting to remote control.

Solution 3:

Make sure that when you ping the CSA name from the core, it is trying to resolve to the internal IP address of the CSA.

Solution 4:

When .NET Framework 4.0 is installed it is not "Enabled" by default in IIS 7, you have to "allow" it in IIS 7 manager. Open up ISAP and CGI restrictions under your server name and enable both entries for .NET Framework 4.0. Make sure that you also update the application pools to .net v4.

Problem

Unable to talk to core, authentication fails.

Solution

1. Ensure that the agent in question responds to an LDPing or telnet on port 9595.
   1. If not there is something wrong with the agent.
2. Shut down both of the "LANDesk" COM+ components. Now, start them both. If you get an error message, please reboot the core server. If that doesn't help, try this: How to rebuild the LANDesk COM+ Objects
3. The "Identity" should be set to a user who has read access to the domain and local admin rights on all client machines.
4. If you continue to have COM+ object issues after removing and recreating them, please try making the change explained here. It does work on more than Server 2008. A COM+ application may stop working on Windows Server 2008 when the identity user logs off – Distributed Services Suppor… .

Note: If you are unable to install the telnet client in order to test connectivity, this can be done with powershell and is very easy to run when you use the batch file from the EndPoint Manager (EPM) Tool . The EPM Tool can also ,make it really easy and quick to recreate the COM+ objects.

Issue:

• After upgrading the core server to 2017.3, or applying an SU to 2017.3, remote control may fail for users not in the "LANDesk Administrators" group. The following error(s) may be presented:
  • "The signed rights document was not valid. authentication failed."
  • "You do not have rights to access the remote computer."

Cause:

• The 2017.3 Core uses different access for the folder "C:\Program Files\LANDesk\Shared Files\keys".

Resolution:

• Add the local group "LANDesk Management Suite" to "C:\Program Files\LANDesk\Shared Files\keys" with "Read & Execute" permissions on the core server.
  
  • "List Folder Contents" and "Read" permissions may resolve the issue.

Problem:

Right-clicking machine and selecting HTML remote control through LDMS doesn't do anything. No errors, no pop-ups or any other indicators.

How to Fix:

1. In an internet browser, go to https://IPofMachine:4343. - Testing IP and port verifies communication over port.
2. In an internet browser, go to https://NameOfMachine:4343. - Testing DNS instead of IP as this is what the Core uses.
   1. If you get a prompt that "HTML5 is required for this application", proceed to next step. Otherwise skip to step 3.
   2. Click the Settings (Gear) icon in IE 11, select Compatibility View Settings
   3. Uncheck the "Display intranet sites in Compatibility View". You should now see the login screen. Login credentials are your LANDESK credentials.

     3. Download another browser for testing with (Firefox or Chrome). Make sure to set the new browser as the default browser. After browser completes install, try selecting HTML Remote Control through LDMS again. This should pull up the HTML Remote Control in the new browser.

Many organizations use the web console exclusively to provide an easy way to get to remote control for their technicians.  If that is the sole purpose of using the web console you can simply install the remote control viewer as a standalone application.  You can accomplish this by following these steps.

1 - Locate the file ENURCSetup.exe on the core server.  By default it is under C:\inetpub\wwwroot\common.

2 - Install the package manually on one machine. Note: It says it is an installer for Mozilla Firefox users, but it will work just fine with IE or as a standalone viewer

3 - Find the file isscntr.exe (usually located under Program Files or Program Files (x86)\LANDesk\ManagementSuite

4 - Create a shortcut for isscntr.exe and modify it to have the following command line options: -sServerName -c"remote control" where ServerName is the name of the core server.

5 - Name the shortcut something like "Remote Control Viewer" or "LANDesk Remote Control"

6 - Put the shortcut you created and ENURCSetup.exe in the same folder to be used for a software distribution package

7 - Create a new batch file in the same folder and add the following lines:

ENURCSetup.exe -v"-q"

copy /y NameOfShortcut.lnk "C:\Documents and Settings\All Users\Start Menu\Programs\LANDesk\NameOfShortcut.lnk"

Note: modify both the name of the shortcut and the location you would like to copy it to.  The example above assumes the shortcut is called NameOfShortcut and it will be copied to LANDesk folder under the All Programs listing for all users.

8 - Deploy the package to the technicians' machines.

The technician can now use the shortcut that was created for standard remote control tasks.

The technician will need to specify the machine name or the IP Address of the machine they are attempting to connect to.

Information about the command line options that are available:

-s indicates the server to use for authentication.  This is required for Integrated or Certificate Based security only.

-c indicates what you would like to do upon connection.  Valid options include -c"chat" -c"remote control" -c"file transfer" and -c"reboot"

Note: You can specify more than one option with -c.  For example, you can use -c"chat" and -c"remote control" to open both the remote control viewer and the chat window automatically upon connection.

-a specifies a target.  This can be used in two scenarios.  One is if you remote control the same device very often and would like a shortcut to connect exclusively to that machine.  The second is to create a shortcut for Gateway remote control.  -agsb://GatewayNameOrIp specifies that you would like to connect to the Gateway for a remote control session.

Description:

A custom message will not display with using the option 'ask permission to use all features at one time',  Customer usually wants to display a custom message, if so, The option 'ask permission to use all features at one time' need to be unchecked.

Resolution:

Remote control sessions have different messages displayed, the 'display a custom message' option needs to be enabled and the a custom message added to the appropriate options in the drop down menu without using the option 'ask permission to use all features at one time'.

Using a Custom message for Remote Control:

1. Open Remote control settings panel

2. Select Permission settings

3. Choose End user must grant permission and must be logged in

4. Check on Display a custom message

5. Select Remote control

6. Type the custom message in the blank field

7. Uncheck option for Ask permission to use all features at one time

• Windows Remote Control
  • General Information
  • Implementation and Access
  • Stand Alone Access
  • Current Features
  • Upcoming Features and Current Limitations

Windows Remote Control

General Information

     With the release of 2018.1, HTML5 remote control as it was in previous versions has been removed. It is being replaced with a new version of HTML Remote Control. The product has been redesigned from the ground up to offer a smoother more secure method. This version will have features added as the product evolves. This document will go over some of the highlights and features of the new method.

Implementation and Access

     Accessing the new version from the console will be very similar to before. It is simply in the right-click menu of a device. If you are managing a device with an older agent, it will still initialize the connection to the older version. If you are controlling a 2018 agent it will launch the new viewer that is used as the updated interface.

Stand Alone Access

• RCViewer.exe can be executed off-core
  • File located in the ManagementSuite Directory; %LDMS_HOME%
• Access viewer via browser HTTPS://Corename/RemoteControl
  • Client port 44343
  • Core port 443

Current Features

     The initial release includes the following capabilities:

• KVM (keyboard\video\mouse) for on network devices
  • Supports international keyboards
    • Now sends Unicode characters so the key pressed is the key received
    • Currently Windows only
• WinPE 32 and 64-bit access
• Scaling
  • Fit to window or client native (up to 1920x1920)

• Single Sign-On via Console
• No SSL certificate error presented
• Supports multiple connections to client
• Minimal alerting but documents access
• Remote Control Session notifications
  • Green border
  • Movable with a click+drag
  • Always on top

• Permission Required notifications
  • If second session connects will prompt again. Disables all remote input

• Copy and Paste (text only)
  • Bi-Directional (source to client, client to source)

Upcoming Features and Current Limitations

     The following features will be released in Service Updates:

• CSA
• File Transfer
• Remote Execute
• Chat
• Idle timeout
• User not logged in Auditing
• Display will scale down if resolution higher than 1920x1920
• Unable to send CTRL+ALT+DEL

Remote Control WS ( WebSockets ) reports Failed to Connect. Target machine is a Windows 7 workstation with the Ivanti Endpoint Manager ( EPM ) version 2018.1 Agent for Windows installed. Target Windows 7 workstation does not have an HTML5 web browser installed, and the only web browser installed is a Microsoft Internet Explorer version 8.0.

SOLUTION

A. Uninstall the EPM version 2018.1 Agent for Windows from a target Windows 7 workstation using %LDMS_HOME%ldmain\uninstallwinclient.exe -- see document How to uninstall the Ivanti / LANDESK Agent for Windows - How to uninstall the Ivanti / LANDESK Agent for Windows

B. On a target Windows 7 workstation install an HTML5 web browser. Suggestion -- test the web browser on https://html5test.com

C. Install / reinstall the EPM version 2018.1 Agent for Windows on a target Windows 7 workstation where now an HTML5 web browser is installed.

You will / should be able to Remote Control WS to the target Windows 7 workstation.

REFERENCE

About EPM 2018.1 WS Remote Control

Remote Control certificate - is it possible to replace the Ivanti / LANDESK certificate used for Remote Control ?

It is not possible to replace the Ivanti / LANDESK certificate used for Remote Control with another certificate.

Remote Control HTML / HTML5 reports Unable to contact device. Device is not registered on a configured CSA.Target machine is a Windows 7 workstation with the Ivanti Endpoint Manager ( EPM ) version 2018.1 Agent for Windows installed. Target Windows 7 workstation does not have an HTML5 web browser installed, and the only web browser installed is a Microsoft Internet Explorer version 8.0.

SOLUTION

Step 1 of 3 -- Uninstall the EPM version 2018.1 Agent for Windows from a target Windows 7 machine using %LDMS_HOME%ldmain\uninstallwinclient.exe -- see document How to uninstall the Ivanti / LANDESK Agent for Windows - How to uninstall the Ivanti / LANDESK Agent for Windows

Step 2 of 3 -- On a target Windows 7 workstation install an HTML5 web browser. Suggestion -- test the web browser on https://html5test.com

Step 3 of 3 -- Install / reinstall the EPM version 2018.1 Agent for Windows on a target Windows 7 workstation.

You will / should be able to Remote Control HTML the target Windows 7 workstation.

Description

During a remote control session you are not able to send Ctrl-Alt-Del

Cause

This is controlled through the "software Secure Attention Sequence" policy.

This can either be set through a domain policy or local policy.

When set to Disabled, you will not be able to send Ctrl-Alt-Del remotely.

Solution

There are two ways of setting the needed group policy setting, depending on whether the remote computer is connected to a domain or is a member of a workgroup. Please follow the appropriate section depending on your setup.

Domain Procedure (change domain group policy setting)

If the remote computer is connected to a domain, the domain administrator can enable this group policy setting for subdomains or for the entire domain. Please follow these steps:

Important: Only a domain administrator can modify the domain group policy

Important: The domain group policy overrides the local group policy. If the domain group policy is not set, you can use local group policy setting mentioned in the next section.

1. Login to the remote computer as the domain administrator.
2. Click the Start Windows button, select Run, type gpmc.msc and press enter.
3. In the left section, select the desired domain, then right-click and choose Create a GP) in this domain, and link it here.
4. Right-click the new GPO and select Edit.
5. In the left section, please navigate to: Computer Configuration - Administrative Templates - Windows Components - Windows Logon Options
6. In the right section, please double-click on the Disable or Enable software Secure Attention Sequence policy and click on Enabled.
7. Set the policy option to Services.
8. Click OK and close the Group Policy Object Editor.

You have now enabled the sending of Ctrl-Alt-Del on all computers that are connected to the domain you selected in step 3.

Workgroup procedure (change local group policy setting)

If the remote computer is a member of a workgroup or is connected to a domain with no domain group policy set, you should follow these steps:

1. Login to the remote computer as a local or domain administrator.
2. Click the Start Windows button, select Run, type gpedit.msc and press enter.
3. In the left section, please navigate to: Computer Configuration - Administrative Templates - Windows Components - Windows Logon Options
4. In the right section, please double-click on the Disable or Enable software Secure Attention Sequence policy and click on Enabled.
5. Set the policy option to either Service or Services and Ease of Access applications.
6. Click OK and close the Group Policy Object Editor.

You have now enabled the sending of Ctrl-Alt-Del on the remote computer.

Environment

LANDesk Provisioning
Target machine booting in UEFI mode and loading WinPE x64

Problem/Issue/Symptoms

From the core server it's not possible to remote control the device while it's running WinPE.
The remote control menu for the device in the Management Console is greyed out.

Cause

At the moment, the LANDesk remote control feature is not available on WinPE x64.

Solution

The feature will be implemented in a future release of the LANDesk Management Suite.

Issue

You have deployed the Landesk remote control agent to some devices.

In the remote control settings, you have the "end-user must grant permissions" option enabled.

You need to change some settings in the Landesk agent configuration and decide to schedule and run an "update to agent settings" for the same devices and agent configuration.

However, when you initiate a remote control to one of these client computers, the device will not prompt anymore for permission, even if the "end-user must grant permissions" option is still checked in the remote control agent settings.

Cause

The settings for remote control behaviour are in the Window Registry under HKLM\Software\Intel\LANDesk\WUSER32 (32 bits) or HKLM\Software\Wow6432Node\Intel\LANDesk\WUSER32 (64 bits)

When an "update to agent settings" task is run, the value of the "Single Permission and key Permission Required" is automatically set to 0, which disables the prompt for end-user permissions.

Workaround

If you still want to be able to update the Landesk agent settings on the managed nodes without losing the "end-user must grant permissions" setting, please make sure to run a "new agent deployment" task instead of selecting a "scheduling an update to agent settings" task.

As a second workaround, you can also manually set the registry value to "2" on the client computers and then restart the Landesk remote control service (issuser.exe).

This should successfully restore the  "end-user must grant permissions" option on the client machines.

Description

Attempting to remote control a machine results in a message in the connection log that says:

Unable to find the remote control web service on "."

The user is prompted for credentials. Any combination fails to authenticate.

Cause

Resolution

Command line for Regular Remote Control