In order to read details about Windows guests as part of the guest OS scan or connect to Windows to run workflow steps, vCommander® must be able to access WMI information for those guests.


The fastest way to configure each guest to make this information available is to use group policy to configure their Domain Profile. This article describes how to set the policy for your guests.


Once you make the changes, the policy must be updated on each device before the settings will be used. The policy will be updated whenever a user logs into the Domain from the VM, or you can update the policy manually by executing the command gpupdate /force from the command line on the guest.


GPO settings described here are based on average network deployments, but your network may have more stringent security requirements which some of the settings may not meet. Please make sure to consult with all invested parties before making any changes to group policy.


Important: Because there is no way to predict what organizational units (OUs) exist on any Domain, this article is written to defaults only. Depending on your environment and configuration, you may have to apply policy against objects other than those listed here. When applying policies, always make sure they are enabled minimally so as not to introduce any security concerns or conflict with other policies.


You do not have to create a new Group Policy Object; editing any current object will have the same effect, providing there are no conflicts between multiple policies.

  1. For Windows 2008 or 2003, click Start and navigate to Administrative Tools > Group Policy Management. For Windows 2012, use the Windows key to bring up the Start page and select Group Policy Management. Alternatively, issue the command gpmc.msc from the Run dialog (Windows key + R).
  2. Expand Forest.
  3. Expand Domains.
  4. Expand the Domain in which the guests you will be scanning are located.
  5. Right-click Group Policy Objects and select New.
  6. In the Name field, type vCommander Guest OS Scan Policy.


  7. Click OK.
 

Next, create the firewall policy.

  1. Under Group Policy Objects, right-click vCommander Guest OS Scan Policy and select Edit.
  2. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security.

  3. Right-click Inbound Rules and choose New Rule.
  4. Choose Custom and click Next.

  5. Leave All programs selected and click Next.

  6. Set Protocol Type to TCP. Set Local Port to RPC Dynamic Ports. Click Next.


  7. On the Scope page, you can restrict the rule to particular local or remote IPs. If you are in a high-security environment, restrict the rule to the vCommander server address as the allowed remote IP. Leave the local IP addresses set to Any IP address, because these settings will be applied to many machines, which will not share addresses. Click Next.


  8. Leave Allow the connection selected and click Next.

  9. Choose the profiles for which the rule will be enabled, and click Next.

  10. Provide a meaningful Name and Description and click Finish.
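The same GPO and inbound rule can be created from PowerShell. This is an added example, not vendor-supplied code; it assumes a management host running Windows Server 2012 or later with the GroupPolicy and NetSecurity modules, and the domain name, server address, rule name and choice of the Domain profile are placeholders or assumptions.

```powershell
# Added example: scripted equivalent of the GUI steps above.
# Values marked "placeholder" are assumptions; replace them for your environment.
Import-Module GroupPolicy, NetSecurity

$DomainFqdn   = 'corp.example.com'                 # placeholder: your AD domain
$GpoName      = 'vCommander Guest OS Scan Policy'  # name used in this article
$VCommanderIp = '192.0.2.10'                       # placeholder: vCommander server address
$RuleName     = 'vCommander WMI (RPC Dynamic Ports)'  # placeholder rule name

# Create the GPO only if it does not already exist.
$gpo = Get-GPO -Name $GpoName -Domain $DomainFqdn -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Domain $DomainFqdn
}

# Open the GPO's firewall store as a session so the edits are saved in one write.
$session = Open-NetGPO -PolicyStore "$DomainFqdn\$GpoName"

# Add the rule once; re-running the script must not create duplicates.
$existing = Get-NetFirewallRule -GPOSession $session -DisplayName $RuleName `
                -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -GPOSession $session `
        -DisplayName $RuleName `
        -Description 'Inbound WMI/RPC from the vCommander server for guest OS scans' `
        -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort RPC `
        -LocalAddress Any -RemoteAddress $VCommanderIp `
        -Profile Domain | Out-Null
}

# Nothing is written to the GPO until the session is saved.
Save-NetGPO -GPOSession $session

# Review what was stored: the remote address should be the vCommander server only.
$rule = Get-NetFirewallRule -PolicyStore "$DomainFqdn\$GpoName" -DisplayName $RuleName
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
$rule | Get-NetFirewallAddressFilter | Select-Object LocalAddress, RemoteAddress
```

The script does not link the GPO to any container. Setting -RemoteAddress to the vCommander server is the high-security option from the Scope step; omitting it allows any remote address to reach the RPC dynamic ports.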

If your security policy does not allow the WMI dynamic ports to be used, you can restrict WMI operations to known ports and open only those ports. For details, see the following Microsoft article:

https://support.microsoft.com/en-us/help/908472/how-to-configure-rpc-to-use-certain-ports-and-how-to-help-secure-those

