
GROUP POLICY CHANGES

GROUP POLICY CONFIGURATION FOR ENABLING WMI


Note: All the settings listed below are for applying Group Policy to the Desktops OU. We will be making changes to your clients' Group Policies, based on Microsoft best practice recommendations. Please review the attached list of Group Policy changes... Some of these settings are specific to Windows XP and may not be applicable to earlier versions.

1. Configuring the Windows Firewall

The Windows Firewall needs to be configured to allow Onsite Manager to discover and monitor Domain Member devices. Following this procedure will automatically make the changes on all Domain Members.

Using the Group Policy Editor, configure the following for
Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

Windows Firewall: Allow ICMP exceptions
  Select Enabled
  Select Allow inbound echo request

Windows Firewall: Allow file and printer sharing exception
  Select Enabled
  Select Allow unsolicited incoming messages from local subnet

Windows Firewall: Allow remote administration exception
  Select Enabled
  Select Allow unsolicited incoming messages from local subnet

Windows Firewall: Allow Remote Desktop exception
  Select Enabled
  Select Allow unsolicited incoming messages from local subnet

2. Enabling Remote Access

Computer Configuration > Administrative Templates > Windows Components > Terminal Services
  Select Enabled and apply

3. Disabling Simple file sharing

In the Group Policy Editor on a domain controller:
Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts
  Set this policy to Classic - local users authenticate as themselves.

4. Configuring Windows Services for Domain Members

Onsite Manager requires that several Windows services be running on the monitored devices in order for monitoring to be successful.

Updating the policy will not itself start the Windows services, because a policy update may be received while the device is up and logged into the Domain. The services will not be started until they are either started manually by a user or started during the boot process. These changes will only affect the startup of services when the device is joined to the Domain.

Using the Group Policy Editor, configure the following for

NETENRICH CONFIDENTIAL


Computer Configuration > Windows Settings > Security Settings > System Services

Windows Management Instrumentation (WMI)
  Select Startup Type: Automatic

Remote Registry
  Select Startup Type: Automatic

Remote Procedure Call (RPC)
  Select Startup Type: Automatic

Windows Firewall/Internet Connection Sharing (ICS)
  Select Startup Type: Automatic

Background Intelligent Transfer Service (BITS)
  Select Startup Type: Manual

BITS is only required by Managed Workplace if the Site uses Patch Management.

5. Configuring Microsoft Updates for Domain Members

Managed Workplace does not use GPO settings to define the update server for managed clients, so any WSUS policies that are in place on the Domain will interfere with the normal operation of Patch Management. Disabling all WSUS policies will allow Managed Workplace to operate normally. The policies are collected in this location:
Computer Configuration > Administrative Templates > Windows Components > Windows Update

6. Firewalls

Any other firewalls, such as Symantec or Trend, running on local desktops should be either disabled or configured in a similar way to the Windows Firewall settings listed in this document.
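
A read-only check that a domain member actually received the settings from steps 1, 3 and 4, and that each firewall exception is limited to the local subnet rather than open to any source. This is an added example, not part of the original document; the short service names and registry paths are the standard Windows ones for these policies and are assumptions here, as is running it locally in PowerShell 3.0 or later.

```powershell
# Added example: read-only audit of a domain member against this document's settings.
# Assumptions (not from the original page): PowerShell 3.0+, run locally; the short
# service names and registry paths are the standard Windows ones for these policies.
function New-Check($Check, $Expected, $Actual) {
    [pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = $Actual
                       Pass  = ("$Actual" -eq "$Expected") }   # case-insensitive compare
}

# Step 4: service startup types (Win32_Service reports Automatic as 'Auto').
$services = [ordered]@{
    'Winmgmt'        = 'Auto'     # Windows Management Instrumentation (WMI)
    'RemoteRegistry' = 'Auto'     # Remote Registry
    'RpcSs'          = 'Auto'     # Remote Procedure Call (RPC)
    'SharedAccess'   = 'Auto'     # Windows Firewall/ICS (XP-era service name)
    'BITS'           = 'Manual'   # only needed when Patch Management is used
}
$results = @(foreach ($name in $services.Keys) {
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    $mode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
    New-Check "Service startup: $name" $services[$name] $mode
})

# Step 1: each exception must be enabled AND scoped to the local subnet.
$fw = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
$exceptions = [ordered]@{
    'File and printer sharing' = "$fw\Services\FileAndPrint"
    'Remote administration'    = "$fw\RemoteAdminSettings"
    'Remote Desktop'           = "$fw\Services\RemoteDesktop"
}
foreach ($label in $exceptions.Keys) {
    $p = Get-ItemProperty -Path $exceptions[$label] -ErrorAction SilentlyContinue
    $actual = if ($p) { "Enabled=$($p.Enabled); From=$($p.RemoteAddresses)" }
              else    { 'NotConfigured' }
    $results += New-Check "Firewall exception: $label" 'Enabled=1; From=localsubnet' $actual
}
$icmp = Get-ItemProperty -Path "$fw\IcmpSettings" -ErrorAction SilentlyContinue
$echo = if ($icmp) { $icmp.AllowInboundEchoRequest } else { 'NotConfigured' }
$results += New-Check 'Firewall ICMP: allow inbound echo request' 1 $echo

# Step 3: forceguest = 0 means "Classic - local users authenticate as themselves".
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$results += New-Check 'Sharing and security model (forceguest)' 0 $lsa.forceguest

$results | Format-Table -AutoSize
```

Any row with Pass = False is either a policy that has not applied yet or an exception whose source scope is wider than the local subnet this document specifies.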

