Patch Scanning Prerequisites

The following criteria must be met to ensure a successful patch scan:

When scanning your local (console) machine

  • You must be an administrator on your local machine.
  • Credentials must be provided for the local machine. See Supplying Credentials for details.
  • The machine must be capable of obtaining the data definition file, either from a location on the Internet (via http or https) or from another specified location (either on the local machine or from a specified network location).
  • The local machine’s Workstation service must be started.

    • The Server service is not required to be started on the local machine.

When scanning a remote machine, you must meet all the requirements for the local scan above, plus the following:

  • You must have local administrative rights on the remote machine and be able to logon to this machine from the workstation performing the scan.
  • Credentials must be provided for the target machines. See Supplying Credentials for details.
  • The credentials you supply must have access to the control panel on the target machine. If control panel access is disabled through group policy, Security Controls will be unable to connect to the target machine.
  • File and Print Sharing must be enabled.
  • The NetBIOS (tcp139) or Direct Host (tcp445) ports must be accessible on the remote machine.
  • The remote machine must be running the Server service.

    • The Workstation service is not required to be started on the remote machine.

  • The remote machine must be running the Remote Registry service.

    • The remote registry service is disabled by default on Windows machines. You must enable the remote registry service (either manually or via group policy) before performing remote scans of Windows machines.

  • The %systemroot% share (usually C$ or similar) must be accessible on the remote machine. For information about how to create a temporary system drive share if none exists, see Scan Options.
  • All drives where applications are installed must be accessible on the remote machine.
  • For machines using Windows operating systems that use User Account Control, you must either:
    • Join the machines to a domain and then perform the scan using domain administrator credentials, or
    • If you are not using the built-in Administrator account on the remote machines (and using that account is NOT recommended), you must disable User Account Control (UAC) remote restrictions on the machines. To do this:
  1. Click Start, click Run, type regedit, and then press Enter.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  3. If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:
    1. a. On the Edit menu, point to New, and then click DWORD Value.
    2. b. Type LocalAccountTokenFilterPolicy and then press Enter.
  4. Right-click LocalAccountTokenFilterPolicy and then click OK.
  5. In the Value data box, type 1, and then click OK.
  6. Exit Registry Editor.

    7. For more details on disabling UAC remote restrictions, see Microsoft Learn (opens in a new window).