BatchPatch uses a combination of Windows Management Instrumentation (WMI) and PsExec to access remote computers, plus ICMP for pinging. If you need to use BatchPatch in an environment where your remote computers have Windows Firewall enabled, here’s what you need to do to make everything work. (For specific information about port requirements, please see BatchPatch Port Requirements)
In general, if you’re using Windows firewall and you encounter any issues that you need to troubleshoot, it is a good idea to enable logging so that you can troubleshoot any potential issues. This link explains how to do that: Enable logging for Windows firewall
Note, if desired you can apply a scope or IP address range to the rules you create below so that the rules only allow inbound connections from a computer with a particular IP address. This enables you to run BatchPatch from a particular computer so that only that BatchPatch computer’s IP address can utilize the firewall rules you create. After you create the firewall rules described in the tutorial below, optionally use this tutorial to apply an IP address range to the scope for each firewall rule you create.
Using Group Policy to Configure the Windows Firewall:
It is sufficient to use Group Policy to allow “Remote Administration” and “File and Printer Sharing” on the remote computers. See screenshot:
Configuring the Windows Firewall Directly on Target Computers:
If Group Policy is not an option and you instead need to manually adjust the remote computer settings, here’s how:
When the remote system is Windows 7/2008R2, Windows 2012/2012R2, Windows 10/2016:
Go to Control Panel > Windows Firewall > Allow an app or feature, and then check the boxes for “File and Printer Sharing” and “Windows Management Instrumentation (WMI)” and then click “OK.”
When the remote system is Windows 2012 Core (no GUI) or Windows 2016 Core (no GUI):
At a PowerShell prompt use the following two commands:
enable-netfirewallrule -displaygroup "file and printer sharing" enable-netfirewallrule -displaygroup "windows management instrumentation (wmi)" |
When the remote system is Windows 2008 (non-R2):
Go to Control Panel > Windows Firewall > Change Settings >Exceptions > check the box for “File and Printer Sharing” and “Remote Administration” and then click “Apply” or “OK.”
When the remote system is Windows 2003:
1. Go to Control Panel > Windows Firewall >Exceptions > check the box for “File and Printer Sharing” and then click “OK.”
2. Open a command prompt and type:
netsh firewall set service type = remoteadmin mode = enable |