Can Symantec Endpoint Protection (SEP) or Symantec Endpoint Protection Manager (SEPM) be installed or managed through Remote Desktop?
Symptoms
Installation or management of Symantec Endpoint Protection components through Remote Desktop (RDP) from a session that is not in console mode may not complete correctly. Sections of the SEP and/or SEPM interface may show partial or no information. After installing SEPM there may be Java -1 errors, or the first three tabs in the SEPM may be missing or blank. Some Symantec services may not stop, or the installation of the ODBC connector may fail. Clients may check in to the SEPM sporadically or not at all, and client machines may or may not receive policy or LiveUpdate content.
An RDP session that is not in console mode does not run in the console session and does not have access to the console registry on the remote computer. Microsoft designed this isolation so that remote users cannot affect the computer's console directly through registry values. Each such session gets a temporary per-session registry and file structure, which is cached on the server until a time set by the administrator or until it is removed during server maintenance. Installing from such a session can leave the SEPM unable to start the Symantec services that are critical to its functionality, or those services may start and later fail for no apparent reason. The Symantec services related to IIS in particular require a console session for proper installation and configuration.
Configuring Remote Desktop for Full Control
The following steps will enable console-level Remote Desktop on Microsoft Windows Servers.
1. Click Start and then click Run.
2. Enter the command: gpedit.msc
3. Expand Administrative Templates in the left pane, under Computer Configuration.
4. Expand Windows Components.
5. Click on Terminal Services in the left pane.
6. Double-click Set rules for remote control of Terminal Services user sessions in the right pane.
7. Click Enabled on the Setting tab.
8. Click Full Control with user's permission in the Options box and then click OK.
Note: Do not leave this configuration in place permanently; it is a security risk. It could give unauthorized users access to the console session and its registry with full permissions. Revert the policy to Not Configured (or Disabled) once the installation is finished.
Opening a remote Console Session
The following steps describe how to open a console session directly through Remote Desktop.
Note: Anyone already connected to the console session will be logged out and removed from it. If the server is on but no one is logged in locally, your connection will be forced into a non-console session.
1. Click Start and then click Run.
2. Enter the command: mstsc /v:servername /f /console
Remote Desktop Connection 6.1 removed the /console switch and replaced it with /admin. See Technical Information for more information. To get the console session with version 6.1, enter the following: mstsc /v:servername /f /admin
Shadowing the Console Session
Similar to opening a console session, you can also choose to shadow the console session. This method allows you to control a console session that is already in use.
The following steps describe how to shadow the console session.
1. Click Start and then click Run.
2. Enter the command: mstsc /v:servername /f
3. Once connected, click Start and then click Run (within the RDP session.)
4. Enter the command: shadow 0 (0 is the session ID of the console session)
You should see the following message: “Your session may appear frozen while remote control approval is being negotiated. Please wait.”
The user controlling the remote console session should see the following message: “Domain\User is requesting to control this session remotely. Do you accept?”
If the remote user accepts the connection then a shadow of the console session is negotiated.
To disconnect the shadow session, press CTRL + * (the asterisk on the numeric keypad). You will then be returned to your original non-console session.
Verifying the Console Session
The following steps describe how to verify that you are connected to the console session.
1. Click Start and then click Run.
2. Enter the command: query session or qwinsta
3. The current session is prefixed with ">".
4. If the current session ID is not 0 (zero), you do not have full access to the console registry. On Windows Server 2008 and later, session 0 is reserved for services and the console session has a different ID; there, check that the current session is the one named console.
NOTE: The value of SESSIONNAME can be misleading: an mstsc session name is always of the form "rdp-tcp#XX", even when the /console or /admin switch was used. Rely on the session ID (and the session name "console"), not on SESSIONNAME.
Technical Information
Remote Desktop Connection (RDP client) 6.1 is a recommended download.
Additionally, when using RDP 6.1 to connect to a machine running RDP 6.0, running SET at a command prompt displays a line of the form:
SESSIONNAME=RDP-Tcp#X
This shows only the session name. Run QWINSTA at the command prompt to get the USERNAME and session ID; if the session ID is 0, you are on (or shadowing) the console. The install must be done through a shadow of the console (session 0) or from the console session ONLY.
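The following script automates the check described under Verifying the Console Session and Technical Information. It is an added example written for this article, not Symantec's code: it parses qwinsta / query session output, finds the line prefixed with ">", and reports whether that session is session ID 0 (the console on Windows Server 2003) or the session named console (Windows Server 2008 and later). The sample listing embedded in the script is constructed to look like a Server 2003 listing, and the column layout it assumes (SESSIONNAME, USERNAME, ID, STATE, TYPE, DEVICE) is an assumption about the qwinsta format.

```python
"""Check whether the current Terminal Services session is the console session.

Added example for this article (not Symantec's code).  It applies the
article's rule to qwinsta output: the current session (the ">" line) must be
session ID 0, or be named "console", before installing SEP/SEPM.
"""
import subprocess
import sys

# Constructed sample output; not captured from a real server.
SAMPLE_QWINSTA = """\
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 console           Administrator             0  Active  wdcon
 rdp-tcp                                 65536  Listen  rdpwd
>rdp-tcp#3         jdoe                      1  Active  rdpwd
"""


def parse_qwinsta(text):
    """Return a list of session dicts (name, user, id, state, current).

    USERNAME is blank for listeners and disconnected sessions, so the ID is
    located as the first all-digit token instead of by fixed column position.
    """
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("SESSIONNAME"):
            continue
        current = line.startswith(">")
        tokens = line.lstrip(">").split()
        id_index = next((i for i, tok in enumerate(tokens) if tok.isdigit()), None)
        if not tokens or id_index is None:
            continue
        sessions.append({
            "name": tokens[0],
            "user": " ".join(tokens[1:id_index]),
            "id": int(tokens[id_index]),
            "state": tokens[id_index + 1] if len(tokens) > id_index + 1 else "",
            "current": current,
        })
    return sessions


def current_session(sessions):
    """Return the session marked with ">" (the one you are connected to), or None."""
    for session in sessions:
        if session["current"]:
            return session
    return None


def is_console_session(text):
    """Apply the article's check to qwinsta output; returns (ok, reason).

    ok is True when the current session has ID 0 (Server 2003 console) or is
    named "console" (Server 2008 and later, where session 0 is reserved for
    services).  A name of rdp-tcp#XX alone does not disqualify the session,
    because a /console or /admin connection is still listed under that name.
    """
    session = current_session(parse_qwinsta(text))
    if session is None:
        return False, "could not find the current session (no line prefixed with '>')"
    if session["id"] == 0 or session["name"].lower() == "console":
        return True, "session %d (%s) is the console session" % (session["id"], session["name"])
    return False, ("session %d (%s) is a non-console RDP session; reconnect with "
                   "/console or /admin, or shadow session 0" % (session["id"], session["name"]))


def run_qwinsta():
    """Run qwinsta on the local machine (Windows only)."""
    return subprocess.run(["qwinsta"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # On Windows inspect the real session table; elsewhere fall back to the sample.
    listing = run_qwinsta() if sys.platform == "win32" else SAMPLE_QWINSTA
    ok, reason = is_console_session(listing)
    print(("OK: " if ok else "NOT OK: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it inside the RDP session before starting the SEP/SEPM installer; a non-zero exit status means the session is not the console and the installation should not proceed.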