Hello,
I'm writing this post to get information regarding behavior described below; if it's by design or not.

Test Environment Description

Standalone SCCM server with two Client Settings policies: Default Client Settings & My Custom Policy.
The first one is not used (not deployed to anyone), the second one is deployed to Collection A with Client 1 as member.
My Custom Policy is configured to enable Remote Tools with Permitted Viewers DOMAIN\RCGroup.

Client 1 get the policy: Remote Control is enabled and local ConfigMgr Remote Control Users group is populated with DOMAIN\RCGroup.

Behavior: If I remove manually DOMAIN\RCGroup from ConfigMgr Remote Control Users group on Client 1, then, that group isn't added again (even after Machine Policy Retrieval and Evaluation Cycle).
But if some changes are made on My Custom Policy at server side, then the group appears again in local ConfigMgr Remote Control Users group after Machine Policy Retrieval and Evaluation Cycle.

Note: This behavior occurs also on Microsoft Virtual Labs (lab name: Managing Clients with Microsoft System Center 2012 R2 Configuration Manager).

Is that described above a normal behavior ? I mean, if I remove members from local ConfigMgr Remote Control Users group manually, then SCCM client doesn't re-add them until I made some changes to client policy on server side....?

Thank you very much.

Bye,

First note that Default Client Settings is automatically deployed to all users and devices -- there is no way to change this and there is nothing for you to do to deploy it -- that's why it's called "Default".

As for normal, I don't doubt that that is normal behavior but can't say I've tested it explicitly and can almost guarantee that it's not publically documented. I'd suggest filing feedback on connect.microsoft.com as I can see how this behavior isn't expected and could also cause issues.

As a side note though, if your users have admin permissions to do something like this, you've got much, much bigger issues and problems that should be keeping you up at night.

Hello Jason,
so Default Client Settings is always deployed; Remote Control tool is disabled on it, but enabled on My Custom Policy. 
So don't you think it is a normal behavior ? Do you still suggest to open a cause issue at connect.microsoft.com ?

Bye,
Luca

so Default Client Settings is always deployed; Remote Control tool is disabled on it, but enabled on My Custom Policy. 

Correct, that's where the priority of the settings package comes in: the default client settings package has a priority of 10,000 and thus all custom policies override settings in the default client settings package (on a section by section basis) on systems where the customer settings package is deployed to.

Yes, this sounds like it's normal behavior -- not necessarily what one would expect but that doesn't make it not normal. Filing a design change request on connect will cause it to be entered directly into the product team's change tracking system and it is something they always follow up on and they will be able to give you a definitive answer. So yes, I would suggest filing this.

Hello Jason,
so I expect My Custom Policy is applied as last; and will re-populate local ConfigMgr Remote Control Users group with permitted viewers during next Machine Policy Retrieval and Evaluation Cycle, but it isn't. The only way to solve it is to re-deploy SCCM client to Client 1 from SCCM Console.

Mmm there is something strange I think.

Isn't it ? I opened a support ticket at Microsoft.

Hello,
behavior described on my first post is "by design" (confirmed by Microsoft):

1. If members are removed manually from local ConfigMgr Remote Control Users group, they won't be added again after Machine Policy Retrieval and Evaluation Cycle.
2. If local ConfigMgr Remote Control Users group is removed, it won't be added again after Machine Policy Retrieval and Evaluation Cycle.

To fix points above it's necessary (chose one):

• Modify SCCM policy on server side, so it will be re-applied.
• Re-deploy SCCM client
• Reparir SCCM client
  

Bye,