Files
claudetools/.claude/memory/reference_rmm_deploy_via_screenconnect.md
Howard Enos e0e3dd0d82 sync: auto-sync from HOWARD-HOME at 2026-07-03 17:00:12
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-07-03 17:00:12
2026-07-03 17:01:38 -07:00

2.1 KiB

name, description, metadata
name description metadata
reference_rmm_deploy_via_screenconnect Best channel to mass-deploy the GuruRMM agent to client workstations = ScreenConnect send-command (not DC remote-exec)
type
reference

To push the GuruRMM agent onto a client's existing machines, the reliable channel is ScreenConnect send-command (Backstage), NOT remote-exec from the domain controller.

Discovered 2026-07-03 deploying to Instrumental Music Center (see projects/gps-rmm-audit/tracker.md). Remote-exec FROM the DC to Win10/11 workstations fails on default client settings:

  • WMI/Win32_Process over DCOM -> "RPC server unavailable" (DCOM firewalled on clients)
  • schtasks /S -> connects over SMB but Win11 rejects the task definition from an older (Server 2016) DC ("The request is not supported")
  • New-PSDrive/sc.exe admin-share from SYSTEM context -> access/parse failures
  • WinRM is off by default on workstations

What works cleanly: ScreenConnect. ACG endpoints already run the SC agent, and send-command runs on the guest as SYSTEM — no credentials, no firewall fight, no DA-password-in-logs concern. Pattern (via the [[screenconnect]] skill):

  1. GetSessionsByName with the EXACT hostname -> sessionID (no list-all method; must query by exact name).
  2. Build the site installer one-liner: irm 'https://rmm.azcomputerguru.com/install/<SITE-CODE>/windows'|iex (site code from the client's vault gururmm-site-*.sops.yaml).
  3. Encode it: powershell -NoProfile -ExecutionPolicy Bypass -EncodedCommand <base64-UTF16LE> (avoids all quoting; no /TR length limit like schtasks).
  4. send-command --session <id> --command "<that>" --confirm. Online guests install + enroll in ~1-3 min; offline guests QUEUE in SC and install on reconnect.
  5. Verify via GuruRMM /api/agents (hostname appears under the client, status online).

Note iconv is absent in this Git-Bash — compute the base64 with py -c "import base64; ...". Related: [[project_av_migration_bitdefender_to_edr]] (same channel can push the Datto EDR agent + remove Bitdefender once RMM is on).