The Security Munger runs more frequently when a change to the registry occurs through Client Component Installation Manager (CCIM). This does not mean every registry change on the client registry, but rather every SMS-related registry change pushed down to the client through CCIM.
The Security Munger is responsible for managing all client-side security settings. You configure these settings in the first four tabs (General, Security, Policy, and Notification) of the Remote Tools Client Agent Properties dialog box. This includes lock-down mode (which prevents clients from changing their settings), the Windows NT Permitted Viewers list, all visual and audible indicators, request for permission dialog boxes, and the level of Remote Control allowed for each client in the site.
The Security Munger places values from either the Combined Sites or User Settings registry keys into the base Remote Control registry key, from which the client-side Remote Control Agent operates (for more information, see “Registry Keys and Client Settings”).
In its simplest state, the Security Munger passes settings from the Combined Sites registry key into the base Remote Control key and confirms that no additional transactions need to take place (that is, no new setting changes have been passed down from a site administrator).
In its more complex state, the Security Munger determines that new values have been passed down from at least one of the sites of which the client is a member. It then initiates a reconciliation of all settings across the multiple sites. The reconciliation is a set of AND and OR comparisons to determine the most secure combinations of settings from multiple sites.
For example, site ABC might dictate that the user must grant permission before an administrator can take remote control of a client. Site XYZ has no such requirement. The Security Munger must resolve this difference in security settings. In this case, the Security Munger will reconcile the conflicting requirements to the most secure setting. The client’s Combined Sites key will reflect the change to Permission Required as being enabled for the client.
Similarly, if a client is a member of 10 sites, all but one of which permit File Transfer to the client, File Transfer will not be permitted on the client. Although the majority dictates File Transfer should be allowed, the Security Munger reconciles the conflicting settings in favor of the most secure policy.
%Windir%\MS\SMS\Clicomp\Remctrl\Rcclicfg
from the command line or from Windows Explorer. If site-wide changes do not seem to take effect, reset the value in the Last Changed At key in the client registry for each site you want to refresh the site settings from. For example: examine the
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control\Combined Sites\<Site_code>
registry node and reset the Last Changed At value to 0. Run the Security Munger again. A Last Changed At value of 0 will force a full security reconciliation to take place.