To get you up and running with Right Click Tools Enterprise as quickly as possible, you'll first install the Right Click Tools Console Extension (aka Right Click Tools in Standalone mode). The Tools will be available in ConfigMgr—for users with Local Administrator permissions on target devices—while the prerequisites and permissions for other Recast components and/or products are being put in place.
Beginning with Recast Software Version 5.9.2503, you can install Right Click Tools, add the Right Click Tools browser extension, and run actions from within the Intune Admin Center on a device where no Configuration Manager console is present.
NOTE: When you enter your ConfigMgr site details during or after Right Click Tools installation (instructions below), you'll be able to run actions that require ConfigMgr information.
Run the Right Click Tools Installer
Make sure any Configuration Manager console installed on the device is closed before opening the installer.
To install the Right Click Tools console extension, double-click the .msi file to open the Recast Console Extension installer you downloaded from the Recast Portal.
Choose Installation Type
To choose a Right Click Tools installation type, click Right Click Tools Enterprise Standalone. Then click Next.
Add Configuration Manager Site Information
If you are installing Right Click Tools in order to use the browser extension on a device with no ConfigMgr console installed, you will need to add site information for the Configuration Manager console in your environment.
To add ConfigMgr site information:
1. Enter the SMS Provider and Site Code.
2. Click Test ConfigMgr Connection. 
TIP: At this point, you can also choose to Skip Site Configuration. Please be aware that Right Click Tools that require Configuration Manager site information will be inoperable until you provide ConfigMgr site details.
To add ConfigMgr site information after Right Click Tools installation:
1. Open the Windows Start menu and select the Configure Recast Console Extension application.
2. On the ConfigMgr tab, add the SMS Provider and Site Code. If Right Click Tools is installed on a shared device, you'll need to add ConfigMgr site information for each user of the Configure Recast Console Extension application.
Import License
To download your Recast license:
1. Sign into your Recast Software account by entering your Recast Portal Email address and Password.
2. Click Download License. Expiration and Device Count details will appear in the right-hand column.
TIP: If the computer with your Configuration Manager console does not have internet access, click Browse for License to search the filesystem for a license file exported from the Recast Portal.
Initiate Installation
Once you have filled in all the necessary information, click Install. When the installation completes, you can click Finish to close the installer.
Silent install without Recast Management Server
If you have not installed Recast Management Server, you will need to use the LICENSEPATH=
C:\ProgramData\Recast Software\Licenses if you already have Right Click Tools installed on a device.
msiexec.exe /i "Right Click Tools.msi" /qn LICENSEPATH=".\License\my.license"Task 1A (Optional): Set Up Configuration Manager for Right Click Tools
When Right Click Tools is run in Standalone mode, some actions will not work without Remote Registry or Remote WMI enabled. We recommend that you bypass the need to enable Remote Registry and Remote WMI by deploying and using Recast Agents on your devices to elevate permissions.
If, however, the installation and configuration of your Recast Management Server isn't planned for the short term and you want access to all the Right Click Tools in Standalone mode, you can start the Remote Registry service, create firewall rules for Remote Registry, Remote WMI, and ICMP Echo, and configure the Interactive Command Prompt.
Recast Management Server software can be installed on its own server or on the primary Configuration Manager server.
Run the Recast Management Server Installer
After downloading Recast Management Server from the Recast Portal, run the installer and follow its prompts.
IIS
To configure IIS:
1. On the IIS Configuration page, change the Server Name only if the client is going to use a DNS alias.
2. Set the IIS Port. The default IIS Port is TCP 444, to prevent conflicts when Recast Management Server is installed on Configuration Manager servers. The IIS Port can be changed to 443, or any open TCP port, to suit your environment.
Certificates
Recast Management Server requires a certificate for secure communication with Right Click Tools and any Recast Proxies.
To configure a certificate:
On the Certificate Configuration page, we recommend that you Use an Existing IIS Certificate issued by a trusted Certificate Authority (CA). If you choose to Generate a Self-Signed Certificate, you must import the Recast Management Server self-signed certificate to the Trusted Root Certificate Authorities store on devices running Right Click Tools, Recast Agent, or Recast Proxy.
CERTIFICATE NOTES:
- The certificate subject name (or a subject alternative name) should match the server name in the URL that Right Click Tools and Recast Proxies are pointed toward.
- Right Click Tools will prompt for any untrusted certificates and add them to an allowed list.
- The certificate can be changed later by editing the Binding in IIS Manager.
SQL Server
There are two types of permissions that will allow the Recast Management Server installer to automatically create the SQL database with all the necessary permissions:
- The user account running the installation can be assigned a SysAdmin role in the SQL instance. If the user account has permission to connect remotely, use the Test SQL Connection button to check connectivity to the SQL Server during the install. After the RMS installer creates the database, the SysAdmin permission can be removed.
- The computer account of the Recast Management Server can be granted db_creator permissions. In this case, check the Skip SQL Connection Test box.
SQL SERVER NOTES:
- The default SQL Server Port Number is 1433.
- A fully licensed version of SQL is strongly recommended to avoid the 10GB storage limitation of SQLExpress.
- After the SQL database is created, set the database recovery model to simple to prevent storage issues.
- Remote SQL Server: The computer account of Recast Management Server will need db_owner permissions to create the database on the remote device. If the account running the Recast Management Server installer does not have permission to create a SQL database, the database administrator can pre-create the RecastManagementServer database and manually give the computer account db_owner permissions.
- Local SQL Server: The IIS AppPool\Recast Management Server account will need db_owner permissions to create the database on the local device. Alternatively, the database administrator can pre-create the database and give the IIS AppPool\Recast Management Server account db_owner permissions to the database. The IIS AppPool\Recast Management Server account will not exist until after the installation completes, so the permissions will need to be given after installation.
Import License
You can download and import your Recast licenses when installing Recast Management Server.
To download your Enterprise license:
1. On the Import License page, enter your Recast Portal email address and password.
2. Click Download License. The license information will appear in the right-hand column.
NOTE: If your server does not have internet access, click Browse for License to browse the filesystem for a license file that has been exported from the Recast Portal.
Proxy
If the Recast Proxy is being installed on a server other than the Recast Management Server, install the Proxy separately after Recast Management Server installation.
NOTE: Proxy configuration is optional for Privilege Manager where Active Directory or Microsoft Entra ID objects are not used to target rules.
To configure the proxy during RMS installation:
On the installer's Proxy Configuration page, enter the service account Domain, Username, and Password and click Test Credentials to verify service account details.
TIP: If you haven't already set up the required proxy permissions, remove any information from the text fields, select Test ConfigMgr Connection and the Skip ConfigMgr Verification checkbox, and click Next.
Domain
To configure your domain:
1. On the Domain Configuration page, enter the Domain Name.
2. Click Test Domain Connection to verify that the service account has access to read from your domain.
Configuration Manager
NOTE: Configuration Manager does not need to be set up for Privilege Manager.
To set up your Configuration Manager for the proxy:
1. On the Configuration Manager Configuration page, enter the following information:
- Name of the site server that has your SMS Provider role
- Site Code
- Name of the SQL Server where your Configuration Manager SQL database is located
- SQL Database name
NOTE: You can skip the Configuration Manager Configuration page during Recast Management Server or Recast Proxy installation by removing any information from the text fields, selecting Test ConfigMgr Connection and the Skip ConfigMgr Verification checkbox, and clicking Next.
2. Click Test ConfigMgr Connection to check that the service account has access.
MBAM
MBAM configuration is only required for a separate MBAM Server. If you are using the ConfigMgr-integrated BitLocker or AD, you can skip this section. MBAM also does not need to be configured for Privilege Manager or Application Manager.
To configure MBAM:
1. Tap Click Here to Configure MBAM.
2. Add your Administration URL and SQL Server information.
3. Click Test MBAM Connection to verify that the service account has access to MBAM.
Initiate RMS Installation
Once you have filled in all the necessary information, click Install at the bottom of the MBAM Configuration page.
When the installation is complete, open the Recast Management Server by navigating to https://ServerFQDN:Port in a web browser (Chrome, Edge, or Firefox are recommended).
When asked to sign in, enter the username and password for the account used to install the Recast Management Server.
Installation Log Location
To check the installation logs for Recast Management Server and Recast Proxy (when installed together), navigate to C:\Users\user account running the install\AppData\Local\Temp
NOTE: The log is named something like Recast_Management_Server_2022*****.log
After installing your Recast Management Server, you'll need to assign roles to users and configure a Recast Proxy to manage tasks.
Assign Roles to Users
Add an Active Directory User or User Group
To add an AD user or user group:
1. In your Recast Management Server, navigate to Administration > Permissions.
2. Click Add User or Add Group.
3. In the window that opens, search for your AD name or AD user group and click the Add button.
NOTE: You can include a wildcard (*) to facilitate your search.
Wildcard examples:- John Connor returns strings that match exactly
- John C* returns strings beginning with 'John C', such as 'John Connor', 'John Connors', and 'John Cranston'
- *Connor returns strings ending with 'Connor', such as 'John Connor' and 'Carol O'Connor'
- *Support* returns strings that include 'Support' plus whatever is on the left and right, such as 'Customer Support Team' and 'Enterprise Support Group'
Assign a User a Role
Each user must be assigned at least one role. To assign Right Click Tools permissions using a role template, see Custom Role Templates for Right Click Tools.
To assign a user an Administrator's role:
1. On the Permissions page, click the Edit icon to the right of the user.
2. Under Role Assignments, select Administrators.
3. If desired, add a limiting rule that restricts user permissions to a set of devices by enabling Limit this user to specific objects and selecting a Service Connection.
4. Click Save.
NOTE: Beginning with Recast Software Version 5.9.2502.2105, you no longer have to set a Refresh Interval to repopulate your limiting rules (formerly known as scopes). The scheduled Discovery Sync will keep your service connection data up to date.
NOTE: For Application Manager, the user account running the Recast Proxy requires the TaskScheduler > StartTaskByName permission in RMS prior to running the initial setup. You can grant the permission using the default Administrator role, or by a creating custom role.
Configure a Recast Proxy to Manage Tasks
A Recast Proxy can be used to manage a number of tasks within Right Click Tools, such as allowing access to web dashboards, scheduling Recast Builder actions and Kiosk Manager actions. You'll also require a Recast Proxy to collect warranty information with Endpoint Insights.
To set up a proxy to manage tasks, you must authorize the proxy in the Recast Management Server (if necessary), create a Recast Proxy route, order the routes to match your priorities, and add service connections.
Authorize a Recast Proxy
By default, the Recast Management Server automatically authorizes any proxy installed in the same domain as the Recast Management Server. Proxies installed in other domains must be approved manually, unless you've edited the default setting to approve all proxies automatically.
Create a Recast Proxy Route
To create a Recast Proxy route:
1. In your Recast Management Server, navigate to Administration > Routes.
2. In the main window, click Create.
3. Set route Type to Recast Proxy.
4. Select your proxy computer name with service account from the drop-down.
5. Set the Role to Administrators.
6. Click Submit.
Reorder Routes
By default, new routes appear at the bottom of the table on the Routes page.
- To make actions run using a Recast Proxy route that is lower in the list, you must move that route above the Console Extension route in the table, as the first route to be successfully matched will be used.
- If you only need your proxy to populate scopes, and you don't want to run any actions using that proxy, you can leave your proxy route at the bottom of the table.
Changes to the route order are saved automatically.
Add Service Connections
Add service connections in your Recast Management Server so that the Recast Proxy can query the third-party services.
Service Connection Types:
- ActiveDirectory: Required for Right Click Tools web dashboards
- AzureActiveDirectory (Entra ID): Required for Privilege Manager and the Entra ID BitLocker Recovery Keys tool
- MEMCM (Microsoft Endpoint Manager Configuration Manager): Required for Application Manager and Right Click Tools web dashboards
- MBAM (Microsoft BitLocker Administration and Monitoring): Optional for BitLocker web dashboard
To add a service connection:
1. On the RMS Service Connections page, click Add Service Connection.
2. Select a connection Type: ActiveDirectory, MEMCM, MBAM, AzureActiveDirectory (Entra ID).
3. Name the new connection and add details associated with the connection type, such as the Tenant ID, Client ID, and Client Secret key.
4. Select a Proxy Computer Name and Proxy User Name from the drop-down lists.
5. Click the Confirmed check box to ensure that the service connection is available for use.
6. Click Submit.
During installation, Endpoint Insights completes the following tasks:
- Imports SQL Server Reporting Services (SSRS) reports, Power BI Report Server (PBRS) report sets, and Power BI desktop report sets
- Imports client settings to extend the hardware inventory
- Creates a Configuration Manager application for Recast Agent
- Via Configuration Manager methods (API), creates warranty details to allow the warranty date to be stored in the ConfigMgr database
NOTE: Once Recast Management Server and Endpoint Insights are installed, you may be tempted to kick off an Endpoint Insights warranty scan on the RMS Warranty page. Because Endpoint Insights relies on Recast Agent and Configuration Manager hardware inventory, you'll need to wait for Recast Agent software to be deployed to your end clients and for the next hardware inventory cycle to return inventory. The default hardware inventory setting within Configuration Manager is 7 days. It's recommended to reduce that to daily. For additional information, see ConfigMgr Inventory Cycle Recommendations.
Run the Endpoint Insights Installer
After downloading Endpoint Insights from the Recast Portal, run the installer and follow its prompts.
To install Endpoint Insights:
1. Under Recast Management Server Configuration, enter the Server Name and Server Port.
2. Click Test Connection. When connected, click Next.
3. Make sure Recast Management Server is not installed remains unchecked.
4. Click Install.
5. Enable Allow Telemetry data to allow the collection of the operating system version, the ConfigMgr version, and the SQL Server version during Endpoint Insights Setup (optional). Click Next.
NOTE: Once Endpoint Insights Setup is complete, EI does not continue to collect usage data.
The Endpoint Insights System Checks will run and report any issues with installing Endpoint Insights in your environment.
If MIF Size displays as an issue, you can increase the MIF size. To learn more, see Change the Maximum File Size of a MIF.
6. On the options page, you can set the following Endpoint Insight options.
- Select Configure hardware inventory to import ER settings to upgrade from Enhansoft Reporting to Recast Endpoint Insights.
- Select Create Application to automatically create the Recast Agent application in Configuration Manager. (This can be left unchecked if you are planning to deploy the Recast Agent using Application Manager.)
- Select Create Reports to create the reports that display data collected by Endpoint Insights.
- De-select Do not create RBA reports only if your organization does not require role-based access on the Endpoint Insights reports.
- Enter a SSRS Reader Group to give an Active Directory group access to read SSRS reports.
- To leave the SSRS Reader Group field blank, click No when prompted.
- You can add the SSRS Reader Group later by re-running the EI setup.
7. Verify that the Reporting Services Connection String, Report Folder and SQL Port are correct for your environment. Click Next.
8. De-select any report categories to exclude from this installation. Click Next.
When setup completes, configure Asset Intelligence in your Configuration Manager to ensure that all data is returned to Endpoint Insights.
For Application Manager to work within your Configuration Manager Console, you'll need to set up Distribution Point Groups and Collections in your ConfigMgr environment. You also have the option to set up an Application Root Folder.
Set Up Distribution Point Groups
Application Manager targets application content to distribution point groups. You must have or create at least one distribution point group in Configuration Manager before installing Application Manager. You might want to include all distribution points in your distribution point group, but in larger environments it's possible to include only distribution points used for application media distribution. You can use existing distribution point groups in Application Manager.
To create a new distribution point group:
1. In your Configuration Manager console, navigate to Administration > Distribution Point Groups.
2. In the upper left-hand corner, click Create Group.
3. In the window that opens, specify a Name for the distribution point group.
4. On the Members tab, select the distribution points where content should be distributed by Configuration Manager when new applications are created by Application Manager and click OK.
Set Up Collections
Device and user collections are used as a deployment target in Application Manager's deployment processes. You can create collections in your Configuration Manager console by navigating to Assets and Compliance > Device Collections or User collections.
If you are using Application Manager to deploy all your selected applications to all of your devices, which is most common, you only need two collections — Pilot & Production.
Create an Application-Specific Collection
To deploy an AM-created application to only those devices containing a previous version of the application, you can create application-specific collections in Configuration Manager by using queries. After the collection is created, add it to an application-specific deployment process in Application Manager.
- In addition to deploying an application to an application-specific collection as a Required deployment, you can also create an Available deployment for the rest of your devices.
- If the newly created collection is not visible in Application Manager, navigate to the Deployment Processes page in RMS and click the Refresh icon on the Add Collection side panel.
To configure an application-specific query for a collection:
1. On the Membership Rules page in the device or user collections wizard, add a query rule to a collection.
2. Under Query Rule Properties, click Edit Query Statement.
3. On the Criteria tab, add new criteria and select Installed Software > Product Name. Add the application name to the Value field with percentage symbols around it (%APPLICATION%).
Example queries for application-specific collections
You can also use our example queries as listed below. Add a WQL query by selecting Show Query Language in the Query Statement Properties window.
TIP: You can determine an application's exact product name in your Configuration Manager console by selecting a device with the application installed and going to Resource Explorer > Installed Software.
Mozilla Firefox
select * from SMS_R_System inner join SMS_G_System_INSTALLED_SOFTWARE on SMS_G_System_INSTALLED_SOFTWARE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_INSTALLED_SOFTWARE.ProductName = "Firefox x64"
Google Chrome
select * from SMS_R_System inner join SMS_G_System_INSTALLED_SOFTWARE on SMS_G_System_INSTALLED_SOFTWARE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_INSTALLED_SOFTWARE.ProductName = "Google Chrome (64-bit)"Adobe Reader DC
select * from SMS_R_System inner join SMS_G_System_INSTALLED_SOFTWARE on SMS_G_System_INSTALLED_SOFTWARE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_INSTALLED_SOFTWARE.ProductName = "Adobe Acrobat Reader DC (64-bit)"If the product name includes a version
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_INSTALLED_SOFTWARE on SMS_G_System_INSTALLED_SOFTWARE.ResourceID = SMS_R_System.ResourceId where SMS_G_System_INSTALLED_SOFTWARE.ProductName like "<product name>%"
Set Up An Application Root Folder (optional)
Application Manager will create a folder structure for Configuration Manager in Software Library > Application Management > Applications. You can specify the root folder name created under Applications. All applications added by AM will be created under this root folder with the following structure: Publisher > Application name. By default, the root folder name is Application Manager, but you can change this in the deployment process settings.
Next Up — Complete your initial Application Manager setup then do Task 6: Deploy Recast Agents Using Application Manager
For Application Manager to work with Intune, you'll first need to do the following within the Microsoft Azure portal:
- Create the Entra ID App Registration to be used with Application Manager
- Add client secret
- Grant the application API permissions
Create the Entra ID App Registration
To create the app registration:
1. Log into https://portal.azure.com using your Azure credentials with full admin rights.
2. Search for App registrations.
3. On the App registrations page, click New registration.
4. Give the application a meaningful display Name. You can change the name later.
5. As the Supported account type, select Accounts in this organizational directory only (Recast Software only - Single tenant).
6. Click Register.
7. In the Overview pane that opens, copy the Application (client) ID and Directory (tenant) ID. You'll need to enter these later in your Recast Management Server.
Add Client Secret
1. On the App registrations page, under Manage, click Certificates & secrets.
2. On the Client secrets tab, add a New client secret.
3. Add a client secret Description (for example. Application Manager service), choose when the secret Expires, and click Add.
NOTE: You must create a new client secret before the current one expires and change the client secret for your Recast Management Server service connection.
TIP: Schedule a support ticket, task or calendar entry before the expiry time to perform these actions.
DO NOT navigate away from the page before completing the next step!
4. Copy the client secret value to a clipboard and save it to a secure location. You will not be able to see the client secret after navigating away from the page. You will need to specify the client secret whenever you modify Entra ID details in Application Manager, for example, if you want to change the display name of the Entra ID tenant).
Add API Permissions for the Application
To add API permissions:
1. On the App registrations page, under Manage, click API Permissions.
2. Select Add a permission.
3. On the Microsoft APIs tab, click Microsoft Graph.
4. Add the following permissions:
| Application permissions | DeviceManagementApps.ReadWrite.All | Read and write Intune apps |
| DeviceManagementConfiguration.Read.All | Read Intune device configuration and policies, permission only required to specify application categories in AM deployment processes | |
| GroupMember.Read.All | ||
| Device.Read.All | ||
| Delegated permissions | User.Read |
5. Click Grant admin consent for [Tenant Name].
Once the Entra ID App Registration is done and you have the Application (client) ID, Directory (tenant) ID and Client secret available, you can then add a service connection from your Recast Management Server to Entra ID for Application Manager.
A Recast Agent is installed on a computer and runs actions on that computer as the local system account. A Recast Agent should be deployed on each device you want to run actions against. After deploying Recast Agents, you can configure them to run Right Click Tools actions or for Fast Channel Support. You can also use the same Recast Agent for Endpoint Insights and Privilege Manager.
To learn more, see Recast Agents and Recast Agent Gateways.
Prerequisites for Deploying Recast Agents:
- If deploying 5000+ Recast Agents, follow the 503.2 IIS Error instructions before proceeding.
- If your Recast Management Server is using a self-signed certificate, you must first import the certificate into the Trusted Root Certificate Authorities Store on all devices that will have Agents.
Deploy Agents with Application Manager
We recommend deploying Recast Agents using Application Manager. Your Right Click Tools Enterprise license alone gives you access to Application Manager to deploy Recast Agents. In the absence of Application Manager licensing, only the Recast Agent and Right Click Tools applications will be available in the AM software catalog.
TIP: Alternatively, you can choose to deploy Recast Agents by downloading and running the Agent installer.
Prerequisites for Deploying Agents using Application Manager:
- Recast Management Server is running Recast Software version 5.4 or later, as that version introduces Application Manager in RMS.
- Required proxy permissions for Application Manager are in place
To deploy the Recast Agent application with Application Manager:
1. If you haven't already done so, complete your initial AM setup, skipping the Setup Wizard's Define Deployment Processes step.
2. Add a deployment process for the 'Recast Agent' application.
3. On the Deployment Process Details page, click the Settings cog to open your Global Deployment Process settings.
4. On the Advanced tab, set Additional Installation Parameters:
- Silent Agent Install: Add the RCTENTERPRISESERVER=https://<RMS URL>:<Port> parameter to your install string, substituting the URL and port number for your Recast Management Server.
- Connect Recast Agents to a specific Agent Gateway: Add the AGENTGATEWAY=https://<AG URL>:<Port> parameter to your install string, substituting the URL and port number for your Agent Gateway
NOTE: Adding these parameters in Application Manager's deployment settings enables deployed Recast Agents to connect to your Recast Management Server, verify that the certificate used by the RMS is trusted, and successfully enroll with the RMS. Recast Agents are required to enroll with the RMS before they can communicate with a Recast Agent Gateway and be used to run actions.
Agent Deployment Video Walkthrough
See Recast Application Deployment with Application Manager on our YouTube channel.