Prepping a Core Server to Meet Patch Scanning Requirements

Version 4



    The purpose of this document is to show some useful commands you can use to finish getting an out of the box core server ready to test agentless scanning/deployment with Protect.






    You will need to create exceptions in Windows Firewall to meet the Port Requirements for Ivanti Patch for Windows Servers (Formerly Shavlik Protect).


    An easy way to test is with the firewall disabled.

    To disable Windows firewall:

    netsh advfirewall set allprofiles state off


    Best practice is to create port exceptions, which you should be able to accomplish with some of the other firewall commands:

    Netsh Commands for Windows Firewall with Advanced Security


    If you have any other 3rd party or hardware firewalls work with your network team to ensure the port requirements are met.




    A few services are required to perform agentless scan and deployment tasks, including:

    • Remote Registry
    • Windows Update (Cannot be disabled, but can be set to Manual start-up)
    • Server
    • Workstation


    By default the Server and Workstation services should be running, but Remote Registry and Windows Update services may need to be enabled and set to a different start-up type.

    Below are some examples to show how you can do this:

    -Note that there are other ways to perform this as well, including via GPO.


    Turn on Remote Registry service:

    sc start remoteregistry


    Set the Remote Registry service to Automatic (Optional):

    sc config remoteregistry start=auto


    Set Windows Update service to Manual start-up:

    sc config wuauserv start=demand


    Other service controller commands:

    Sc Commands


    Ensure you've checked the full prerequisites list for scanning or deployment below, and you should be all set as long as Windows is activated. Protect will scan and deploy to a core server just as it would any other system. It's not seen as a different version of Windows in Protect. The only difference is that there's no Windows UI besides command line. These commands will obviously work on a regular Windows OS as well.


    Additional Information


    Full Patch Scanning Prerequisites

    Full Patch Deployment Prerequisites


    Affected Product(s)


    Shavlik Protect, All Versions