Proxy Permissions for Right Click Tools,

Proxy Permissions for Right Click Tools, Insights & Patching

Last Modified on 03.26.26

Access web dashboards and trends Schedule Builder actions Schedule kiosk profile application	Local admin access on the server where the proxy is being installed Read permissions in Active Directory db_datareader in the Configuration Manager SQL server database Read-only access to the Configuration Manager console (Read-only Analyst security role in ConfigMgr)
Run actions as a service account	Local admin access on any device that actions will be run against Read/Write permissions in Active Directory (Write only required to delete devices from AD) Appropriate ConfigMgr Security Role for intended actions in the Configuration Manager console (Full Administrator for all actions) Permission to MBAM, if applicable
Elevate permissions	Local admin access on all devices managed by Right Click Tools
Add or remove from collections	Permission to modify a collection in Configuration Manager configmgr collection > modify permission
Run actions over Fast Channel	Permission to run scripts in Configuration Manager If using Read-only Analyst in ConfigMgr as your base security role, also grant the following privileges: Collection > Run Script = Yes SMS Scripts > Read = True
Run Intune- and Entra-Focused Tools	Add permissions specified for each action to Graph API permissions Access to the necessary external domains: https://login.microsoftonline.com - for Entra ID authentication https://graph.microsoft.com - to connect to the Microsoft Graph REST API

To collect warranty information

Local admin access on the server where the proxy is being installed
Read permissions in Active Directory
db_datareader in the Configuration Manager SQL server database
Read-only access to the Configuration Manager console (Read-only Analyst security role in ConfigMgr)

NOTE: These permissions match those required to access web dashboards and trends in Right Click Tools

Internet access for the proxy account in order for the Recast Management Server to reach our API at https://warranty.recastsoftware.com over TCP 443

To collect warranty information if RMS is installed on a server other than your ConfigMgr SQL database

Add proxy account to the SMS_SiteSystemToSiteServerConnection_MP_<YourSiteCode> local group on that server, allowing it to read/write to your inboxes\auth\ddm.box

Collect warranty information for devices managed in Intune and view that information on the Warranty Information dashboard

Add Application permission to Graph API permissions: DeviceManagementManagedDevices.Read.All

Configuration Manager Integration	Grant any of the following built-in roles/role combinations to the proxy account: Full Administrator Operations Administrator Application Administrator and Compliance Settings Manager Application Administrator and Read-only Analyst Grant modify permissions to the SMB share (UNC path) that will be used to store downloaded applications Access to the necessary external domains. See System Requirements.
Intune Integration	Grant modify permissions to the SMB share (UNC path) that will be used to store downloaded applications Access to the necessary external domains. See System Requirements.
Software Updates in ConfigMgr	Add proxy account as a member of the WSUS Administrators on the server where WSUS connected to ConfigMgr is located Add proxy account as a member of the local Administrators group on the WSUS server. If security policies does not allow this, you can work around the requirement by granting the proxy account full control over specific items that allow package publishing. Install the RSAT Windows Server Update Services Tools feature on the Recast Proxy server and restart the Recast Proxy service. PowerShell command: `Install-WindowsFeature -Name UpdateServices-RSAT -IncludeAllSubFeature`

NOTE: Group Managed Service Accounts (gMSAs) are not currently supported.

Proxy Permissions for Right Click Tools, Insights & Patching