Enabling Remote Express Client Installation and On-demand Inventory
Technical Note 2009
Last Reviewed 17-Mar-2014

Applies To
Express Software Manager version 7.0 and above

Summary
Starting with Windows XP Service Pack 2, the Windows Firewall is one of many security-focused features added to Windows. The Windows Firewall, which is fully enabled by default, will not allow remote installation of the Express Client or an inventory on demand when either is requested through the Express Administrative Console. This technical note describes which firewall settings must be changed to allow the installation or inventory.

Overview
If you are using the Express Administrative Console to install the Express Client remotely or to run an inventory on demand, you must change two firewall settings on the client to allow deployment or inventory to run.

The Windows Firewall configuration is not the same for every version of Windows. Depending on the version of Windows that is installed on the client machine, you need to run commands specific to that version of Windows to change firewall settings.

Windows XP SP2 firewall configuration
Windows XP Service Pack 2 includes a workstation-level firewall which is enabled by default.

Run the following commands on a Windows XP SP2 machine to configure the firewall to accept a remote client installation or inventory on demand:
netsh firewall set service type=remoteadmin mode=enable scope=all profile=all
netsh firewall set service type=fileandprint mode=enable scope=all profile=all
Please note that the scope and profile parameters can be modified as desired.

Note: Once the client is installed, you may re-enable the firewall if you are only doing scheduled inventories.

Note: In Windows XP there is not an option in the Exceptions tab of the Windows Firewall window to allow Remote Administration.


Windows Vista or Server 2008 firewall configuration
Run the following commands at a command prompt on a Windows Vista or Server 2008 machine to configure the firewall to accept a remote client installation or inventory on demand:
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
netsh advfirewall firewall set rule group="Remote Administration" new enable=Yes
Note: It may be necessary to explicitly run cmd.exe as Administrator in order to successfully run the netsh commands.

Alternatively, you can also enable these exceptions in the Windows Firewall Settings window. Under the Exception tab, check File and Printer Sharing and Remote Administration.


Windows Server 2008 R2 firewall configuration
Run the following commands at a command prompt on a Windows Server 2008 R2 machine to configure the firewall to accept a remote client installation or inventory on demand:
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
netsh advfirewall firewall set rule group="windows management instrumentation (WMI)" new enable=Yes
Note: It may be necessary to explicitly run cmd.exe as Administrator in order to successfully run the netsh commands.

Alternatively, you can also enable these exceptions in the Windows Firewall with Advanced Security window. Select the Advanced Settings option in the Windows Firewall Control Panel. In the Windows Firewall with Advanced Security window, select Inbound Rules on the left, sort by the Profile column in the Domain profile section, and enable the Remote Administration (NP-In) rule.


Windows 7/8, Windows Server 2012 firewall configuration
Run the following commands at a command prompt on a machine running Windows 7, Windows 8, or Windows Server 2012 to configure the firewall to accept a remote client installation or inventory on demand:
netsh advfirewall firewall set rule group="windows management instrumentation (WMI)" new enable=Yes
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
Note: It may be necessary to explicitly run cmd.exe as Administrator in order to successfully run the netsh commands.

Alternatively, you can also enable these exceptions in the Windows Firewall with Advanced Security window. Select the Advanced Settings option in the Windows Firewall Control Panel. In the Windows Firewall with Advanced Security window, select Inbound Rules on the left, sort by the Profile column in the Domain profile section, and enable the File and Printer Sharing (NB-Session-In) and Windows Management Instrumentation (WMI-In) rules.
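
To check what the "set rule group=..." commands above actually opened, the following added example (not part of the original technical note or the product) parses saved output of "netsh advfirewall firewall show rule name=all" and lists enabled inbound rules from these groups that also apply outside the Domain profile. It assumes English-language netsh output; the function names and the sample text are constructed for illustration.

```python
# Rule groups this technical note enables (matched case-insensitively).
NOTE_GROUPS = {"file and printer sharing", "remote administration",
               "windows management instrumentation (wmi)"}

# Constructed, trimmed sample of "netsh advfirewall firewall show rule name=all".
SAMPLE = """\
Rule Name:                            File and Printer Sharing (SMB-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
Grouping:                             File and Printer Sharing

Rule Name:                            File and Printer Sharing (SMB-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Private,Public
Grouping:                             File and Printer Sharing

Rule Name:                            Windows Management Instrumentation (WMI-In)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Private,Public
Grouping:                             Windows Management Instrumentation (WMI)
"""

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank lines and the dashed separator rows
        if key.strip() == "Rule Name":
            rules.append({})  # each "Rule Name:" line starts a new rule
        if rules:
            rules[-1][key.strip()] = value.strip()
    return rules

def opened_by_note(rules):
    # Enabled inbound rules that belong to the groups the note turns on.
    return [r for r in rules if r.get("Grouping", "").lower() in NOTE_GROUPS
            and r.get("Enabled") == "Yes" and r.get("Direction") == "In"]

def outside_domain(rules):
    # Of those, the rules that also apply on the Private or Public profile.
    return [(r["Rule Name"], r.get("Profiles", "")) for r in opened_by_note(rules)
            if set(r.get("Profiles", "").split(",")) - {"Domain"}]
```

Rules returned by outside_domain are candidates to disable again once the client is installed and only scheduled inventories are needed.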



For more information on Windows XP SP2, see Microsoft's XP SP2 article "Resources for IT Professionals". You may also want to read Microsoft Knowledge Base Article 875357 which discusses troubleshooting XP SP2 firewall issues including the netsh command.

For more information on the netsh advfirewall firewall command, see Microsoft Knowledge Base Article 947709 which discusses how to use the "netsh advfirewall firewall" context instead of the "netsh firewall" context to control Windows Firewall behavior in Windows Server 2008 and in Windows Vista.

Related Technical Notes
2000 Express Software Manager Technical Notes