Before applying changes, F-Secure recommends that you discuss all potential changes to the Group Policy with your network administrator. For more information about Group Policy, refer to your Microsoft documentation on Group Policy deployment.
The following summarizes the requirements for enabling authenticated scanning for Windows:
- A user account must meet one of the following requirements:
- An Active Directory user account added to the local administrators group (recommended)
- Built-in administrator user account
- Local user account added to local administrators group with Admin Approval Mode disabled
- Windows configuration requirements (preferably managed via GPOs)
- Inbound network traffic to the RPC Endpoint Mapper
- Inbound network traffic to the RPC Dynamic Ports
- Inbound network traffic to TCP 445 (SMB / CIFS) and TCP 135 (RPC)
- Optional (only required to check for vulnerabilities in third-party software):
- Enable Remote Registry Service (or allow the scan node to start the service automatically during the scan)
- Grant read access to registry keys
- Optional (only required when a Windows Updates database file is used for scanning):
- The network share name ADMIN$ must point to %SystemRoot% (e.g. C:\Windows). Use the net share command to verify this.
Note: During the scan, the scan node will copy the database file to the %SystemRoot%\Temp\MBSA\Cache\ folder and delete it once the scan has completed.
- The network share name ADMIN$ must point to %SystemRoot% (e.g. C:\Windows). Use the net share command to verify this.