Configuring Windows Firewall for agentless scanning of computers

Lansweeper pulls Windows computer data from WMI (Windows Management Instrumentation), a management infrastructure built into Windows operating systems. The initial connection to a client machine is made over TCP port 135. By default, Windows then sends the WMI data over random ports in the 1025-5000 or 49152-65535 range. In order to remotely scan Windows computers, you must ensure that the machines' firewalls are properly configured to allow all WMI traffic. Opening specific ports is not enough, as traffic is sent over random ports as previously mentioned.

This article specifically explains how to configure Windows Firewall, also known as Windows Defender Firewall, for remote scanning of Windows computers. Windows Firewall has a remote administration setting you can enable to allow WMI traffic. The easiest way to enable this setting for all of your domain computers is using group policies.

If scanning a Windows computer remotely fails due to a firewall or other issue, you can always scan it using the LsAgent or LsPush scanning agent instead. Because they scan locally, the scanning agents are immune to almost all scanning errors, including access denied and firewall errors.


Configuring Windows Firewall visually

To configure Windows Firewall on your client machines to allow WMI traffic, do the following:

  1. Open the group policy editor for your client machines.
  2. Browse to one of the sections listed below. Which one you have depends on your OS.
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Defender Firewall\Domain Profile
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
    Windows Firewall Domain Profile
  3. Right-click one of the settings listed below and choose Edit. Which one you have depends on your OS.
    Windows Defender Firewall: Allow inbound remote administration exception
    Windows Firewall: Allow inbound remote administration exception
    Windows Firewall: Allow remote administration exception
  4. Select the Enabled option to enable the group policy.
  5. In the options under Allow unsolicited incoming messages from these IP addresses, enter your Lansweeper scanning server's IP address and hit OK. Alternatively, submit the * wildcard to allow traffic from all IP addresses.
  6. Wait for your policy to take effect on your client machines, which may take several hours. Alternatively, run the below command on your machines to force the group policy to apply.
    gpupdate /force
  7. Verify whether your policy is correctly applied. You can do this by running the below command on a machine; the output should report remote admin mode as enabled.
    netsh firewall show state

Configuring Windows Firewall through commands or scripts

If you prefer to configure Windows Firewall through commands or scripts, you can either:

  • Run the commands below in an elevated Command Prompt on the client machine. The commands work on both older and newer operating systems; newer systems may print a deprecation warning for the netsh firewall context, but the settings are still applied.
    call netsh firewall set service RemoteAdmin enable
    call netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
  • Download (right-click and Save Link As) and run this script in an elevated Command Prompt on the client machine. The script ensures that DCOM, Windows Firewall and other settings are correct. You can open it in a text editor to review its contents before executing it.
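As an added example that is not part of this article or the Lansweeper script, the following PowerShell checks the inbound WMI firewall rules on a client (Windows 8 / Server 2012 or later) and, with -Fix, enables them and scopes them to the scanning server's address rather than the * wildcard. The $ScanServer and -Fix parameters, the placeholder address 192.0.2.10 and the use of the built-in "Windows Management Instrumentation (WMI)" rule group are assumptions of this example; if the rules are delivered by group policy, make the change in the policy instead of locally.

```powershell
<#
  Added example, not part of the Lansweeper article or its script.
  Reports (and with -Fix, repairs) the inbound WMI firewall rules on a client,
  limiting them to the scanning server instead of the * wildcard.
  Assumes Windows 8 / Server 2012 or later (NetSecurity module), an elevated
  PowerShell session and the built-in rule group named below.
  192.0.2.10 is a placeholder; replace it with your scanning server's IP.
#>
param(
    [string]$ScanServer = '192.0.2.10',  # placeholder scanning server address
    [switch]$Fix                         # apply changes instead of only reporting
)

# This built-in group covers DCOM on TCP 135 and the WMI service itself, which
# answers on the dynamic ports described in the article, so both are handled.
$group = 'Windows Management Instrumentation (WMI)'

$rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction Stop |
         Where-Object { $_.Profile -match 'Domain|Any' }

$problems = 0
foreach ($rule in $rules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    # A rule is acceptable only if it is enabled AND its remote scope names the
    # scanning server explicitly ("Any" is flagged as too broad).
    $ok = ($rule.Enabled -eq 'True') -and ($remote -contains $ScanServer)
    '{0,-55} enabled={1,-5} remote={2}' -f $rule.DisplayName, $rule.Enabled, ($remote -join ',')
    if (-not $ok) {
        $problems++
        if ($Fix) {
            # Enable the rule and restrict its remote scope to the scanning server only.
            Set-NetFirewallRule -Name $rule.Name -Enabled True -RemoteAddress $ScanServer
        }
    }
}

# The initial connection targets the RPC endpoint mapper on TCP 135; confirm it listens.
$epm = Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue
if (-not $epm) {
    Write-Warning 'Nothing is listening on TCP 135; check the RPC Endpoint Mapper service.'
    $problems++
}

if ($problems -eq 0) { 'OK: inbound WMI rules are enabled and limited to {0}.' -f $ScanServer }
elseif ($Fix)        { '{0} rule(s) corrected; re-run without -Fix to confirm.' -f $problems }
else                 { '{0} problem(s) found; re-run with -Fix to enable and scope the rules.' -f $problems }
```

Run it once without -Fix to see the current state, then with -Fix from an elevated session to apply the changes.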
