offer an installer without the remote access features
Specifically: This is for security purposes FURTHER than just the checkbox.
Ideally, offer a separate or way to build the installer / application without any of the remote access libraries. This should NOT only be just disabling it from listening on ports, but also from any dll or library involved.
My concern is that an adversary could determine this and leverage local exploits to elevate their permissions on the machine. (maybe they only had guest access prior and used the machine to elevate to local SYSTEM or whatever access we give the app when installing so it can hook into the Fx keys / usb deviceid. At system it can just wait for an admin to log in and grab the key that way).
Auditors will question this at some point, and being able to just say 'we have the vnc module completely disabled and removed from our installer making it a non issue' (vs. 'vnc is disabled by a checkbox and not listening on any ports')