Prepping a Core Server to Meet Patch Scanning Requirements

Version 4

    Purpose

     

    The purpose of this document is to show some useful commands you can use to finish getting an out of the box core server ready to test agentless scanning/deployment with Protect.

     

    Description

     

    Ports/Firewall

     

    You will need to create exceptions in Windows Firewall to meet the Port Requirements for Shavlik Protect.

     

    An easy way to test is with the firewall disabled.

    To disable Windows firewall:

    netsh advfirewall set allprofiles state off

     

    Best practice is to create port exceptions, which you should be able to accomplish with some of the other firewall commands:

    Netsh Commands for Windows Firewall with Advanced Security

     

    If you have any other 3rd party or hardware firewalls work with your network team to ensure the port requirements are met.

     

    Services

     

    A few services are required to perform agentless scan and deployment tasks, including:

    • Remote Registry
    • Windows Update (Cannot be disabled, but can be set to Manual start-up)
    • Server
    • Workstation

     

    By default the Server and Workstation services should be running, but Remote Registry and Windows Update services may need to be enabled and set to a different start-up type.

    Below are some examples to show how you can do this:

    -Note that there are other ways to perform this as well, including via GPO.

     

    Turn on Remote Registry service:

    sc start remoteregistry

     

    Set the Remote Registry service to Automatic (Optional):

    sc config remoteregistry start=auto

     

    Set Windows Update service to Manual start-up:

    sc config wuauserv start=demand

     

    Other service controller commands:

    Sc Commands

     

    Ensure you've checked the full prerequisites list for scanning or deployment below, and you should be all set as long as Windows is activated. Protect will scan and deploy to a core server just as it would any other system. It's not seen as a different version of Windows in Protect. The only difference is that there's no Windows UI besides command line. These commands will obviously work on a regular Windows OS as well.

     

    Additional Information

     

    Full Patch Scanning Prerequisites

    Full Patch Deployment Prerequisites

     

    Affected Product(s)

     

    Shavlik Protect, All Versions