SCCM 2012 – Firewall for Remote Access


Hi All,

SCCM gives you the ability to remotely access client machines. This is not new; the feature has been there for quite a while.

Interestingly, SCCM gives you 3 options for remote access:
1- Remote Tools (Remote Control). This is an “SCCM feature”.
2- Remote Assistance: This is a “Windows feature”; what SCCM does is set local GPO to allow/block access.
3- Remote Desktop: This is also a “Windows feature” and again, SCCM only sets local GPO to allow/block access.

What is really interesting here is what happens “behind” the scenes regarding the firewall.

When you open the client settings for remote access, the 1st option is to enable/disable the feature and also to configure the firewall. Many people think that once you enable this, SCCM will configure the firewall for all 3 options, but unfortunately this does not happen.

The only rule SCCM does manage is the Remote Tools rule. You can see this in Windows Firewall with Advanced Security -> Inbound Rules, where there is a rule called “System Center 2012 R2 Configuration Manager” (as you can see below).

Once you open it, you’ll see that SCCM allows the program C:\Windows\CCM\RemCtrl\CmRcService.exe to accept connections on TCP 2701, which is what Remote Tools needs to work. But what about Remote Desktop and Remote Assistance?

Well, this is something that you need to do yourself. Based on this, I’ve created a Compliance Settings item to add the Remote Desktop rule; it does not allow a specific program, it allows incoming connections to port 3389.

Here is how to do it:
1- Create a new CI (or change an existing CI), go to Settings and add a new setting like this:
Name: Firewall Rule discovery & remediation
Setting type: Script
Data type: Boolean
Discovery script – language: PowerShell


Remediation script – language: PowerShell


Once done, create a new Compliance Rule that checks whether the value returned by the “Firewall Rule discovery & remediation” setting equals True (as you can see below).

Once done, create a new baseline and deploy it to a device collection. Once it is evaluated, a new firewall rule will be created allowing incoming connections to port 3389 for the Domain profile.
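The discovery and remediation logic for such a script-type CI, as an added example rather than the post’s own scripts: it assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later), and the rule display name is a constructed value. Each section is pasted into its own script box in the CI.

```powershell
# Added example, not the post's own scripts. Assumes the NetSecurity module
# (Windows 8 / Server 2012 or later); the rule display name is a constructed value.
$RuleName = 'Remote Desktop TCP 3389 (Compliance Settings)'

# ----- Discovery script (Data type: Boolean) -----
# The compliance rule compares the script's output with True, so the script
# must emit exactly one value and nothing else.
function Test-RdpFirewallRule {
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
            $_.Action -eq 'Allow' -and "$($_.Profile)" -match 'Domain|Any'
        } | Select-Object -First 1
    if (-not $rule) { return $false }
    # A rule with the right name is not enough: also check its port filter, so a
    # rule that drifted to other ports or protocols is reported as non-compliant.
    $filter = $rule | Get-NetFirewallPortFilter
    return [bool]($filter.Protocol -eq 'TCP' -and "$($filter.LocalPort)" -eq '3389')
}
Test-RdpFirewallRule

# ----- Remediation script -----
# Runs only when discovery returned False. Removing any rule with the same name
# first keeps the remediation idempotent (no duplicate rules on repeated runs).
function Set-RdpFirewallRule {
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 3389 -Profile Domain -Enabled True `
        -Description 'Managed by Configuration Manager compliance remediation' |
        Out-Null
}
Set-RdpFirewallRule
```

Windows also ships a built-in “Remote Desktop” rule group that is scoped to the RDP service rather than to a bare port; the same discovery/remediation pattern can enable that group instead (Enable-NetFirewallRule -DisplayGroup 'Remote Desktop') if a program-scoped rule is preferred.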
