You must meet the following requirements when installing the Security Controls console and performing actions on client machines.
•If you install the console on a domain controller that uses LDAP certificate authentication, you may need to configure the server to avoid conflict issues between the SSL certificate and the Security Controls program certificate.
•If you install the console on two or more machines that share a database, all of the console machines must have unique security identifiers (SIDs) in order to prevent user credential problems. Machines are likely to have the same SIDs if you make a copy of a virtual machine or if you ghost a machine.
•The console machine should be as fully patched as possible prior to installing Security Controls.
•Minimum: 2 processor cores 2GHz or faster
•Recommended: 4 processor cores 2GHz or faster (for 500 - 2500 seat license)
•High performance: 8 processor cores 2GHz or faster (for 10000+ seat license)
•Agentless Patch assessment: 8+ processor cores 2GHz or faster
•Minimum: 2GB of RAM
•Recommended: 4GB of RAM (for 500 - 2500 seat license)
•High performance: 16GB of RAM (for 10000+ seat license)
•Minimum 1024 x 768 screen resolution
•Recommended 1280 x 1024 or higher
•500 MB for application
•10GB minimum, 100GB or more recommended for patch repository
Operating System (one of the following)
•Windows Server 2019 family, excluding Server Core and Nano Server (64-bit)
•Windows Server 2016 family, excluding Server Core and Nano Server (64-bit)
•Windows Server 2012 family R2 Cumulative Update 1 or later, excluding Server Core (64-bit)
•Windows Server 2012 family, excluding Server Core (64-bit)
•Windows Server 2008 family R2 SP1 or later, excluding Server Core (64-bit)
•Windows 10 Pro, Enterprise or Education Edition (64-bit)
•Windows 8.1 Cumulative Update 1 or later, excluding Windows RT (64-bit)
•Windows 7 SP1 or later, Professional, Enterprise, or Ultimate Edition (64-bit)
Note: It is recommended to use the latest available version where possible.
•Use of a Microsoft SQL Server database [SQL Server 2008 or later]. SQL Server 2008 will not be supported in future releases.
If you do not have a SQL Server database, the option to install SQL Server Express Edition will be provided during the prerequisite software installation process.
•Recommended: Microsoft SQL Server 2016 SP1 or higher.
•Minimum Size: 30GB
•Medium Size: (500 - 2500 seat license) 30-60GB
•Enterprise Size: (10000+ seat license) 60-100GB
SQL High Availability
If set up in accordance with Microsoft best practices, SQL mirroring is supported by Security Controls.
A witness server is required for automatic failover. Without the witness a manual changeover is required.
SQL mirroring is supported on SQL Server 2012 and 2014 but not SQL Express edition.
•Use of Microsoft SQL Server 2008 or later
•Microsoft .NET Framework 4.7.2 or later
•Microsoft Visual C++ Redistributable for Visual Studio 2013 (required for scanning offline VMs)
•Microsoft Visual C++ Redistributable for Visual Studio 2015-2019
Management Framework 5.1
Windows Account Requirements
In order to access the full capabilities of Security Controls, you must run under an account with administrator privileges
•You must add a number of web URLs to your firewall, proxy and web filter exception lists. The URLs are used by Security Controls to download patch content from third-party vendors.
For the complete list of URLs that you should add, see:
•When performing an asset scan of the console machine, Windows Management Instrumentation (WMI) service must be enabled and the protocol allowed to the machine. In Windows Firewall, on Windows XP/Windows 2003 machines the service is called Remote Administration, and on more recent Windows machines the service is called Windows Management Instrumentation (WMI)/Remote Administration.
See the Languages list on the Display Options dialog.
Operating Systems (32- and 64-bit versions of any of the following)
•Windows XP Professional (Note: Can deploy patches to Windows XP family SP3 or later)
•Windows XP Embedded
•Windows Server 2003, Enterprise Edition (Note: Can deploy patches to Windows Server 2003 family SP2 or later)
•Windows Server 2003, Standard Edition
•Windows Server 2003, Web Edition
•Windows Server 2003 for Small Business Server
•Windows Server 2003, Datacenter Edition
•Windows Vista, Business Edition
•Windows Vista, Enterprise Edition
•Windows Vista, Ultimate Edition
•Windows 7, Professional Edition
•Windows 7, Enterprise Edition
•Windows 7, Ultimate Edition
•Windows Server 2008, Standard
•Windows Server 2008, Enterprise
•Windows Server 2008, Datacenter
•Windows Server 2008, Standard - Core
•Windows Server 2008, Enterprise - Core
•Windows Server 2008, Datacenter - Core
•Windows Server 2008 R2, Standard
•Windows Server 2008 R2, Enterprise
•Windows Server 2008 R2, Datacenter
•Windows Server 2008 R2, Standard - Core
•Windows Server 2008 R2, Enterprise - Core
•Windows Server 2008 R2, Datacenter - Core
•Windows 8 Pro
•Windows 8 Enterprise
•Windows 8.1 Enterprise
•Windows Server 2012, Foundation Edition
•Windows Server 2012, Essentials Edition
•Windows Server 2012, Standard Edition
•Windows Server 2012, Datacenter Edition
•Windows Server 2012 R2, Essentials Edition
•Windows Server 2012 R2, Standard Edition
•Windows Server 2012 R2, Datacenter Edition
•Windows 10 Pro
•Windows 10 Enterprise
•Windows 10 Education
•Windows Server 2016, Essentials Edition
•Windows Server 2016, Standard Edition (excluding Nano Server; Server Core supported with 32-bit subsystem)
•Windows Server 2016, Datacenter Edition (excluding Nano Server; Server Core supported with 32-bit subsystem)
•Windows Server 2019 family (excluding Nano Server; Server Core supported with 32-bit subsystem)
Virtual Machines (offline virtual images created by any of the following) Only applicable for Patch Management
•VMware ESXi 5.0 or later (VMware Tools is required on the virtual machines). Note: v5.0 and 5.1 are deprecated from version 2019.1
•VMware vCenter (formally VMware VirtualCenter) 5.0 or later (VMware Tools is required on the virtual machines)
•VMware Workstation 9.0 or later
•Remote Registry service must be running
•Simple File Sharing must be turned off
•Server service must be running
•NetBIOS (TCP 139) or Direct Host (TCP 445) ports must be accessible
•Windows Update service must not be disabled; rather, it must be set to either Manual or Automatic in order to successfully deploy patches. In addition, the Windows Update setting on each target machine (Control Panel > System and Security > Windows Update > Change settings) should be set to Never check for updates.
Note: If using Windows 10 or Windows Server 2016 you can disable the Update service by selecting Disable Configure Automatic Updates in the Group Policy Editor. Please refer to Microsoft Help for guidance on other methods to disable the service.
Products Supported (for patch program)
•See https://www.ivanti.com/en-US/support/supported-products for the current list
Disk Space (for patch program)
•Free space equal to five times the size of the patches being deployed
Supported Languages (for patch program)
See the Patch View download status indicator language list on the Display Options dialog.
An NTFS file system is required on agent machines.
•500 MHz or faster CPU
•Minimum: 256MB RAM
•Recommended: 512MB RAM or higher
•50 MB for Security Controls Agent client
•Minimum: 2GB or more for patch repository
Operating Systems (any of the following except home editions)
•Windows 7 SP1 or later
•Windows 8 family, excluding Windows RT
•Windows 10 family
•Windows Server 2008 R2, SP2 or later with SHA-2 support.
•Windows Server 2012 family
•Windows Server 2012 family R2
•Windows Server 2016 family
•Windows Server 2019 family
•Workstation service must be running
•Compatible Tested platforms: https://community.ivanti.com/docs/DOC-46829
All vendor-supported Server, Workstation, Client and Computer Node variants of the following systems (64-bit only).
•CentOS/Red Hat Enterprise Linux 6 (the libicu package is required)
•CentOS/Red Hat Enterprise Linux 7 (the libicu package is required)
In order to perform a push install of an agent from the Security Controls console to a Linux machine, you can connect to the machine using either the root account or passwordless sudo access. For security reasons, using sudo access is the recommended best practice. To implement sudo access, you must manually log on to each Linux machine as root, invoke visudo and then do the following:
•Add the following command to the file.
<installUser> ALL=(ALL) NOPASSWD: /bin/sh /tmp/ivanti-[A-Za-z0-9][A-Za-z0-9][A-Za-z0-9][A-Za-z0-9]/install.sh *
This command uses sudo (super user do) to grant root privileges to the console so that it can do a push install of an agent to the Linux machine.
•In the file, look for a line that reads
Defaults requiretty and if it exists, change it to
This bypasses a known operating system bug by disabling the
requiretty flag for every user on the machine, enabling sudo to run from means other than just a login session. If you prefer, you can disable the flag for just the install user by changing it to
This flag is not set in the most current versions of Red Hat and CentOS.
If you choose not to use either root or sudo access from the console to your Linux machines, you can manually install an agent on each machine.
If your Linux machines reside in a disconnected environment, you may want to perform the disconnected configuration steps at the same time that you configure each machine for sudo access.
These are the default port requirements. Several of the port numbers are configurable.
|Inbound Ports (Basic NAT Firewall)|
|TCP 80||TCP 135||
|TCP 443||TCP 3121||TCP 4155||TCP 5120||TCP 5985|
||X||X (For listening agents)||X (for comms to console for agentless deployments)||X (For WinRM protocol)|
|Outbound Ports (Highly Restricted Network Environment)|
|TCP 443||TCP 3121||TCP 5120||UDP 9|
|Client System||X (For Agents||X||X (For Cloud Agents)||X (For Agents and Deployment Tracker)|
|Console System||X||X||X (For Cloud Sync)||X (for comms to client for agentless deployments)||X (For
•Chrome communications to the Enterprise Appstore via Port 3001. This can be changed via the BrowserAppStorePort custom setting.
•The Chrome Extension, once loaded, communicates with the AC Engine via port 3000. This can be changed via the BrowserCommsPort setting.
Was this article useful?
Copyright © 2019, Ivanti. All rights reserved.