After deploying an ConfigMgr site successfully the first thing regarding managing client is to define your client agents.

Client Agents are features that are running in the ConfigMgr client. ConfigMgr has 10 client agents:

• Hardware Inventory client agent
• Software Inventory client agent
• Advertised Programs client agent
• Computer client agent
• Desired Configuration Manager Client agent
• Mobile Device client agent
• Remote Tools client agent
• Network Access Protection client agent
• Software Metering client agent
• Software Update client agent

For each client agent you can enable or disable them and define several feature configurations. For example on the Software Inventory client agent you can specify which types of files should be inventoried or on the Remote Tools client agent that permissions from the logged on user are required when taking over the screen.

Those settings are site-wide which means they will apply to every system that has a ConfigMgr client and is currently belonging to that site including desktops and servers.

Especially for servers you don’t want that permissions are required since no user is logged on to grant those.

The client agents settings are delivered to the client when they are receiving their policy from the Management Point. So without building a new site for the servers can you override these settings?

Yes we can!

You can create your own local policy which overrides the site settings. To create the override we need to define a new policy instance in a Managed Object Format (MOF) file.
MOF files can be created in a normal text editor like notepad.exe. The following steps will help you in creating a custom local policy.

First scenario is to override the ‘Ask for permission when an administrator tries to access the client’ setting part of the Remote Tools Client Agent.

The following code is what the ConfigMgr client receives from the Management Point (AAA is the sitecode in this example):

instance of CCM_RemoteToolsConfig
{
PolicyID = "{GUID value}";
PolicyVersion = "x";
PolicySource = "SMS:AAA";
PolicyRuleID = "{GUID Value}";
PolicyInstanceID = "{GUID value}";
Enabled = TRUE;
ComponentName = "SmsRemoteTools";
Type = 1;
RemoteToolsEnabled = TRUE;
AllowChat = TRUE;
AllowClientChange = FALSE;
AllowFileTransfer = TRUE;
AllowReboot = TRUE;
AllowRemoteExecute = TRUE;
AllowTakeover = TRUE;
AllowViewConfiguration = TRUE;
AlwaysVisible = FALSE;
AudibleSignal = TRUE;
CompressionType = 2;
ControlLevel = 2;
DefaultProtocol = "TCP/IP";
IndicatorType = 0;
PermissionRequired = 1;
UseIDIS = TRUE;
VisibleSignal = TRUE;
DisableToolsOnXP = TRUE;
ManageRA = TRUE;
EnableRA = TRUE;
AllowRAUnsolicitedView = TRUE;
AllowRAUnsolicitedControl = TRUE;
ManageTS = FALSE;
EnableTS = FALSE;
EnforceRAandTSSettings = TRUE;
PermittedViewers = NULL;
};

Note the PermissionRequired settings is set to 1 which states that permissions are required when running Remote Tools.

To override this setting open notepad.exe on the system you want the override for and add the following code to it:

#pragma namespace("\\\\.\\root\\ccm\\policy\\machine\\requestedconfig")
[CCM_Policy_PartialPolicy(true)]

instance of CCM_RemoteToolsConfig

{
// Header properties
PolicyID = "1";
PolicySource = "local";
PolicyVersion = "1";
PolicyRuleID = "1";
PolicyInstanceID = "1";

Type = 1;

// Data properties
[CCM_Policy_Override(TRUE)]

PermissionRequired = 0;
};

As you can see PermissionRequired is now set to 0 so disabled.

Save the file as custom_remotetools.mof (where .mof is the file extension) on the c:\ drive or other easy to find location. In this example I use the C:\ drive.

To combine this code with the settings in WMI the MOF file needs to be compiled. This can be done with the tool called mofcomp.exe which is located under %windir%\system32\wbem

To use the tool open a command prompt and type the following command followed with pressing enter:

%windir%\system32\wbem\mofcomp.exe custom_remotetools.mof

Now the MOF file is compiled and the site wide settings are overridden by the settings specified in the custom_remotetools.mof file. Repeat these steps on the systems the override is required.

Other scenario is to disable the entire Remote Tools Client agent. This is can be done with same steps only you should now use this code in the MOF file:

#pragma namespace("\\\\.\\root\\ccm\\policy\\machine\\requestedconfig")

instance of CCM_RemoteToolsConfig
{
// Header properties
PolicyID = "1";
PolicySource = "local";
PolicyVersion = "1";
PolicyRuleID = "1";
PolicyInstanceID = "1";
Type = 1;
PermissionRequired = 0;
};

Code source: http://msdn.microsoft.com/en-us/library/cc146756.aspx