Agentless Patch Scanning Prerequisites

Version 10

    Purpose

     

    This article provides agent-less patch scanning prerequisites for Shavlik Protect.

     

    Description

     

    The following criteria must be met to ensure a successful patch scan:

    • You must be an administrator on the targeted machine.
    • Credentials must be provided for the targeted machine.
    • The console machine must be capable of obtaining the patch database XML file, either from a location on the Internet (via http or https) or from another specified location (either on the local machine or from a specified network location).
    • You must have local administrative rights on the remote machine and be able to log on to this machine from the workstation performing the scan.
    • The credentials you supply must have access to the control panel on the target machine. If control panel access is disabled through group policy, Protect will be unable to connect to the target machine.
    • File and Print Sharing must be enabled.
    • The NetBIOS (TCP 139) or Direct Host (TCP 445) ports must be accessible on the remote machine.
    • The remote machine must be running the Server service.

    The Workstation service is not required to be started on the remote machine.

    • The remote machine must be running the Remote Registry service.

    The Remote Registry service is disabled by default on Windows Vista and Windows 7 machines. You must enable the Remote Registry service (either manually or via group policy) before performing remote scans of Windows Vista/7 machines.

    • The %systemroot% share (usually C$ or similar) must be accessible on the remote machine.

     

    Scanning Windows Machines

    • For machines running Windows operating systems that use User Account Control (this includes Windows Vista or later and Windows Server 2008 or later), you must either:

     

    Scanning Machines on a Domain

      • Join the machines to a domain and then perform the scan using domain administrator credentials, or

     

    Scanning Machines in a Workgroup

      • If you are not using the built-in Administrator account on the remote machines (and using that account is NOT recommended), you must disable User Account Control (UAC) remote restrictions on the machines. To do this:
        1. Click Start, click Run, type regedit, and then press Enter.
        2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

        3. If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:
          • On the Edit menu, point to New, and then click DWORD Value.
          • Type LocalAccountTokenFilterPolicy and then press Enter.
          • Right-click LocalAccountTokenFilterPolicy and then click OK.
          • In the Value data box, type 1, and then click OK.
          • Exit Registry Editor.

    In some instances, exporting/importing this registry key will not correctly fix the issue. If you imported this key via a .reg file and you continue getting access denied messages, try deleting the registry value and manually entering it using the steps above.

    For more details on disabling UAC remote restrictions, see http://support.microsoft.com/kb/951016
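
The prerequisites above can be checked from the console before a scan. The following read-only preflight is an added example, not part of Shavlik Protect or of the original article; the function name, the host name and the use of the current logon session as the scan credentials are assumptions, and it targets Windows PowerShell 5.1.

```powershell
# Added example: read-only preflight check, run from the console as the scan account.
# Assumes Windows PowerShell 5.1 (Get-Service -ComputerName is not in PowerShell 7).
function Test-AgentlessScanPrereq {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$Share = 'C$'   # the article says the %systemroot% share is usually C$
    )
    $r = [ordered]@{ ComputerName = $ComputerName }
    $hklm = $key = $null

    # NetBIOS (TCP 139) or Direct Host (TCP 445) must be reachable.
    foreach ($port in 139, 445) {
        $r["Tcp$port"] = Test-NetConnection -ComputerName $ComputerName -Port $port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    # Server (LanmanServer) and Remote Registry (RemoteRegistry) must be running.
    foreach ($svc in 'LanmanServer', 'RemoteRegistry') {
        try {
            $r[$svc] = (Get-Service -ComputerName $ComputerName -Name $svc -ErrorAction Stop).Status.ToString()
        } catch { $r[$svc] = "Unknown: $($_.Exception.Message)" }
    }

    # The administrative share must be accessible with the current credentials.
    $r['ShareAccessible'] = Test-Path -LiteralPath ('\\{0}\{1}' -f $ComputerName, $Share)

    # UAC remote restriction value; only relevant for local accounts on workgroup machines.
    $path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $name = 'LocalAccountTokenFilterPolicy'
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hklm.OpenSubKey($path)
        if ($null -eq $key -or $null -eq $key.GetValue($name)) {
            $r[$name] = 'NotSet'
        } else {
            # Report the type as well: the steps above create a DWORD value.
            $r[$name] = '{0} ({1})' -f $key.GetValue($name), $key.GetValueKind($name)
        }
    } catch {
        # Access denied here is consistent with UAC remote restrictions still applying.
        $r[$name] = "Unreadable: $($_.Exception.Message)"
    } finally {
        if ($key)  { $key.Dispose() }
        if ($hklm) { $hklm.Dispose() }
    }
    [pscustomobject]$r
}

Test-AgentlessScanPrereq -ComputerName 'TARGET-PC01'   # constructed host name
```

The same output doubles as an audit record of which workgroup machines have LocalAccountTokenFilterPolicy set to 1, since that value removes the UAC remote restriction for every local administrator account on the machine.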

     

    Special note regarding Simple File Sharing

     

    When Simple File Sharing is enabled, remote administration and remote registry editing do not work as expected from a remote computer, and connections to administrative shares (such as C$) do not work, because all remote users authenticate as Guest. Guest accounts do not have administrative privileges.

     

    On Windows XP Professional or later operating systems, go to the following Microsoft Knowledge Base article to learn more about this feature and how to disable Simple File Sharing:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;304040

     

    If you are running Windows XP Home Edition, Simple File Sharing cannot be disabled (Microsoft states that this is by design), so remote scanning will not work on this operating system.

     

    Additional Information

     

    • This information can be found within the Protect Help:
      • Help > Contents > Agentless Patch Management Tasks > Performing Patch Scans > Scanning Prerequisites
    • If you receive a scan error message, refer to the following document for troubleshooting assistance: http://community.shavlik.com/docs/DOC-2159

     

    Affected Product(s)

     

    Shavlik Protect 9.x