Lansweeper pulls Windows computer data from WMI (Windows Management Instrumentation), a management infrastructure built into Windows operating systems. The initial connection to a client machine is made over TCP port 135. By default, Windows then sends the WMI data over random ports in the 1025-5000 or 49152-65535 range. In order to remotely scan Windows computers, you must ensure that the machines' firewalls are properly configured to allow all WMI traffic. Opening specific ports is not enough, as traffic is sent over random ports as previously mentioned.
This article specifically explains how to configure Windows Firewall, also known as Windows Defender Firewall, for remote scanning of Windows computers. Windows Firewall has a remote administration setting you can enable to allow WMI traffic. The easiest way to enable this setting for all of your domain computers is using group policies.
Configuring Windows Firewall visually
To configure Windows Firewall on your client machines to allow WMI traffic, do the following:
- Open the group policy editor for your client machines.
- Browse to one of the sections listed below. Which one you have depends on your OS.
  - Computer Configuration\Administrative Templates\Network\Network Connections\Windows Defender Firewall\Domain Profile
  - Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
- Right-click one of the settings listed below and choose Edit. Which one you have depends on your OS.
  - Windows Defender Firewall: Allow inbound remote administration exception
  - Windows Firewall: Allow inbound remote administration exception
  - Windows Firewall: Allow remote administration exception
- Select the Enabled option to enable the group policy.
- In the options under Allow unsolicited incoming messages from these IP addresses, enter your Lansweeper scanning server's IP address and hit OK. Alternatively, submit the * wildcard to allow traffic from all IP addresses.
- Wait for your policy to take effect on your client machines, which may take several hours. Alternatively, run the below command on your machines to force the group policy to apply.
    gpupdate /force
- Verify whether your policy is correctly applied. You can do this by running the below command on a machine.
    netsh firewall show state
Configuring Windows Firewall through commands or scripts
If you prefer to configure Windows Firewall through commands or scripts, you can either:
- Run the commands below in an elevated Command Prompt on the client machine. These commands will run successfully on both older and newer operating systems. They may generate deprecation warnings on newer operating systems but are functional there as well.
    call netsh firewall set service RemoteAdmin enable
    call netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
- Download (right-click and Save Link As) and run this script in an elevated Command Prompt on the client machine. This ensures that DCOM, Windows Firewall and other settings are correct. You can open the script in a text editor to review its contents before executing it in Command Prompt.
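As an added example (not Lansweeper's script and not code from this article), the PowerShell below is one way to apply the scanning-server IP restriction from the group policy steps on a single machine by script, then read the result back. It uses the built-in WMI rule group of Windows Firewall with Advanced Security rather than the RemoteAdmin service set by the commands above. The group's English display name and the scanner address are assumptions, and whether that group alone covers everything Lansweeper scans is not stated here.

```powershell
#Requires -RunAsAdministrator
param(
    # Placeholder address for the Lansweeper scanning server (documentation range).
    [string]$ScannerIp = '192.0.2.10',
    # Assumption: English display name of the built-in group; it is localized elsewhere.
    [string]$RuleGroup = 'Windows Management Instrumentation (WMI)'
)

# Reject anything that is not a literal IP address before changing a rule.
$null = [System.Net.IPAddress]::Parse($ScannerIp)

function Get-WmiInboundRule {
    # Inbound rules of the group that apply to the Domain profile,
    # the same profile the group policy steps above configure.
    Get-NetFirewallRule -DisplayGroup $RuleGroup -ErrorAction Stop |
        Where-Object { $_.Direction -eq 'Inbound' -and "$($_.Profile)" -match 'Domain' }
}

$rules = @(Get-WmiInboundRule)
if ($rules.Count -eq 0) {
    throw "No inbound Domain-profile rules found in group '$RuleGroup'."
}

# Enable the rules and accept traffic only from the scanning server.
$rules | Set-NetFirewallRule -Enabled True -RemoteAddress $ScannerIp

# Read the rules back and report the effective scope of each one.
$report = Get-WmiInboundRule | ForEach-Object {
    $remote = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        RemoteAddress = $remote -join ','
        # True only when the rule is on and scoped to exactly the scanner address.
        ScopedOk      = ($_.Enabled -eq 'True') -and
                        ($remote.Count -eq 1) -and
                        ($remote[0] -eq $ScannerIp)
    }
}
$report | Format-Table -AutoSize

# A non-zero exit code lets a deployment tool flag machines left unscoped.
if ($report.ScopedOk -contains $false) { exit 1 }
```

A RemoteAddress of Any in the report is the scripted equivalent of the * wildcard in the group policy setting.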