Centralized Windows Event Log

Another feature many administrators don’t know about, is the centralization of Windows Event Logs.
This allows you as administrator to view all related Event Log information on your Admin PC.
This is based on a documentation from Microsoft.

  1. Create a new Security Group (Domain Local) with the name “IT-RemoteManagement” and join all computer accounts that should be allowed to read the eventlog (not user accounts).
  2. Create a new GPO named “CentralizedEventLogClients” and bind it to all your clients (e. g. your domain)
    • Enable “Allow remote server management through WinRM” (Computer, Policies, Administrative Templates, Windows Components Windows Remote Management (WinRM), WinRM Service) and enter a “*” into the IPv4 and IPv6 filters.
    • Change the parameters of the “Windows Remote Management (WS-Management)” service to start automatically (Computer, Policies, Windows Settings, Security Settings, System Services)
    • Enable the Incoming Firewall Rule (Computer, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security, Windows Firewall with Advanced Security – LDAP*, Inbound Rule, Right-click and select “New Rule…”, Predefined: “Windows Remote Management”, the one where Profile equals “Domain, Private”, Allow the connection, Finish, Right-click the created rule and go to the “Advanced” tab in the Settings to remove the selection of “Private”)
    • Add “C:\Windows\System32\cmd.exe” with the Parameter “winrm quickconfig -q” as Startup script if the above didn’t work (sometimes the listener is not created…)
    • Add the IT-RemoteManagement Group to the local group “Event Log Readers Group” (Computer, Preferences, Control Panel Settings, Local Users and Groups, Right-click, New, Local Group, Groupname: “Event Log…”, check both check boxes to remove all existing members, add the Group “IT-Remote…”, in the other tab select “remove element if…”, select yes and close the dialog with OK)
  3. Create another Policy named “CentralizedEventLogIT” and assign it to the computers of your supporters
    • Startup script: “C:\Windows\System32\cmd.exe”, argument: “wecutil qc -q:True”
    • Set the Eventlog collection service to start automatically
  4. Now your supporters can create there subscriptions (watched events) by clicking on “Subscriptions” in there local Event Log viewer.

Unsolicited Remote Assistance

Yes it is possible to make the Remote Assistance somewhat usable.

– It’s free
– I recommend setting it up as a backup (If e.g. TeamViewer servers are down again).
– UAC Prompts are not visible to you
– Supporter needs to be local Administrator
– Only Local and Routed Networks (e.g. no NAT)

First you need to make a new Domain Local Group named “Remotesupport” and add all your Supporters (the Globlal Group of there teams) to it.
Make a new Policy (on DC) and name it “Unsolicited Remote Assistance”.
Go to the Directory “Computer Configuration\Policies\Administrative Templates\System\Remote Assistance”.
Enable the Policy “Configure Solicited Remote Assistance” with default settings.
Enable the Policy “Configure Offer Remote Assistance”, click on “Show…” and enter “\Remotesupport”.
The last step you have to go is linking it under your Domain (or OU) it should apply to.

Allow in your Windows Firewall:
– TCP 135
– %systemroot%\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
– %systemroot%\system32\Raserver.exe
– %systemroot%\system32\sessmgr.exe
You can add this to the “Unsolicited Remote Assistance” policy if you use the Windows Firewall (“Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Inbound Rules”)

Now all your remote support team has to do is opening “msra.exe /offerra” and entering the Client IP or Hostname.

If you really depend on being able to see the UAC prompt you can lower your device security to the bare minimum by disabling the Secure Desktop:
Seriously don’t do it. That allows Malware running with user Privileges to log your keystrokes.
I warned you.
Ok, I think you really want to do it, so I won’t stop you from enabling the Policy (“Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop”)
My recommendation: Put this setting in a separate policy and enable it as needed (e.g. your primary remote assistance application fails). Normally applying a policy can take up to 15 Minutes. Just run “winrs -r:HOSTNAME gpupdate /force” as Administrator to force apply them immediately.