
Administration Guide


Operating system parameters - Windows

The table below contains an alphabetical list of possible Configuration Parameters that can be used when setting up scans for Windows Operating Systems. A subset of these parameters is available for each version of this operating system.

Note

Default parameter values are entered and updated automatically by the scheduled Auto-Def Updates. If the values have been manually edited, the Auto-Def Updates will not override those changes.

Settings

Parameter

Description

Allowed Editions

Select the allowed editions. Options are Home Basic, Home Premium, Business, Enterprise, Ultimate, and Starter.

Critical / Security Updates Label

The Critical / Security Updates Label that displays on the results page.

Critical / Security Updates Web Address

The URL for the web page where Critical / Security Updates information for the selected Windows version can be located and downloaded. Supply a local or Internet URL to display in the Failed Policy Results window if the host fails the scan.

Custom Scans

Any custom scans that have been created are shown.

Disable Bridging

When selected, disables bridging on the host.

Disable Internet Connection Sharing

When selected, Internet Connection Sharing is disabled on the host.

Edition Label

Enter a label. This label appears in the Results page information to identify which scan the host failed.

Edition Web Address

The URL for the web page where the specific edition information can be located and downloaded. Supply a local or Internet URL to display in the Failed Policy Results window if the host fails the scan.

Enable Automatic Updates

See the enable automatic updates parameters table below.

Enable Windows Firewall

When selected, the Windows Firewall is enabled.

Force DHCP

When selected, the host is forced to obtain its IP address via DHCP instead of using a static address. Requires write access to the registry if done through the dissolvable agent.

Note

Do not enable Force DHCP on policies that will be used for VPN clients. Enabling this setting can cause the host to continuously lose its VPN connection.

Label

Enter a label. This label appears in the Results page information to identify which scan the host failed.

Prohibit Home Edition

When selected, prohibits Windows XP Home Edition.

Require All Critical Updates

When selected, all Critical Updates are required for the host.

Require Critical Updates

When selected, the host is required to have Critical Updates installed; a host with missing Critical Updates fails the scan.

Note

FortiNAC leverages the Windows Update tool to check for Critical Updates and Security Updates during an operating system scan. The host must be able to connect to the Microsoft Windows Update web site and any other associated sites.

Note

If the local WSUS server is unreachable, FortiNAC does not fall back to the Microsoft update servers. FortiNAC does not generate events when a host fails to contact the WSUS server, because the failure occurs on the endpoint and not on FortiNAC; however, the host records a local event log entry when it fails to connect to the WSUS server.
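Because the WSUS failure is only visible on the endpoint, the following PowerShell script, added here as an example and not part of FortiNAC or Microsoft code, reproduces the check locally: it reads the WSUS location set by policy, tests whether the WSUS client web service answers, and pulls recent Windows Update client failures from the local event log. It assumes the standard WSUS client web service path (/ClientWebService/client.asmx) and the Microsoft-Windows-WindowsUpdateClient/Operational log; the message pattern used to pick out connection failures is a heuristic.

```powershell
# Added example, not FortiNAC's code: run on the endpoint to reproduce the
# check FortiNAC cannot observe centrally. It reads the WSUS location set by
# policy, tests whether the WSUS client web service answers, and pulls recent
# Windows Update client failures from the local event log.

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Test-WsusReachability {
    param([int]$TimeoutSec = 10)
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    $result = [ordered]@{ UsesWsus = $false; Server = $null; Reachable = $null; Detail = '' }

    if ($au.UseWUServer -ne 1) {
        $result.Detail = 'UseWUServer is not 1; host talks to Windows Update directly'
        return [pscustomobject]$result
    }
    $result.UsesWsus = $true
    $result.Server   = $wu.WUServer
    if (-not $wu.WUServer) {
        $result.Reachable = $false
        $result.Detail = 'UseWUServer=1 but WUServer is empty: no update source configured'
        return [pscustomobject]$result
    }
    # Assumption: standard path of the WSUS client web service the Windows Update agent calls.
    $uri = $wu.WUServer.TrimEnd('/') + '/ClientWebService/client.asmx'
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec $TimeoutSec
        $result.Reachable = $true
        $result.Detail = "HTTP $($resp.StatusCode) from $uri"
    } catch {
        # An HTTP error still proves the server answered; no Response object means
        # the connection itself failed (DNS, routing, firewall, WSUS service down).
        if ($_.Exception.Response) {
            $result.Reachable = $true
            $result.Detail = "Server answered with HTTP $([int]$_.Exception.Response.StatusCode) at $uri"
        } else {
            $result.Reachable = $false
            $result.Detail = "Connection failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$result
}

function Get-WuClientFailures {
    param([int]$Hours = 24)
    # Level 2 = Error, 3 = Warning. Windows Update agent error codes start with 0x8024.
    $filter = @{
        LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
        StartTime = (Get-Date).AddHours(-$Hours)
        Level     = 2, 3
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'unable to connect|0x8024' } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

Test-WsusReachability | Format-List
Get-WuClientFailures | Format-Table -AutoSize
```

Run it from an elevated session on a host that failed the scan. A Reachable value of $true with an HTTP error code points at the WSUS service rather than the network; $false with a connection error is the case the note above describes, where FortiNAC itself sees nothing.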

Require Security Updates

When selected, the host is required to have Security Updates installed; a host with missing Security Updates fails the scan.

Require Service Pack

When the checkbox labeled "Require Service Pack" is selected a text field displays. Enter the numeric value for the Service Pack Level.

SCCM Evaluation Label

The SCCM Evaluation label that is displayed in scan results to indicate that the SCCM Evaluation was triggered for the host.

Service Pack Label

The Service Pack Label that displays on the results page.

Service Pack Level

The required Service Pack Level. Enter the numeric value.

Select the operator to apply when comparing the required level with the Service Pack level found on the host: greater than, equal to, or greater than or equal to.

Service Pack Web Address

URL for the web page where Service Pack information can be located and downloaded. Supply either a local or Internet URL. This URL is displayed in the Failed Policy Results window if the host fails the scan.

Trigger SCCM Evaluation

When selected, the host's SCCM client is triggered to evaluate and install pending updates from the SCCM server. This helps keep all hosts on the network up to date.

Requires Agent Version 4.0.3 or greater.

Note

This option is available for Windows 7, 8, 10, Windows-Server-2012, Windows-Server-2008-R2, and Windows-Server-2012-R2.

Updates Label

The Updates Label that displays on the results page.

Validate Edition

When enabled, only those editions of Windows that are selected in FortiNAC are permitted. When disabled, all/any edition of the selected Windows operating systems will be allowed, such as Windows Vista N or Windows Vista K.

Web Address

The URL for the web page where Windows operating system information can be located and downloaded. Supply either a local or Internet URL. This URL is displayed in the Failed Policy Results window if the host fails the scan.

Enable automatic updates parameters

When this option is checked for the selected operating system, it enables Automatic Updates on the host by modifying the registry. Additional configuration options appear once the box is selected. Use CAUTION when changing any of the Auto Update Settings. It is recommended that you are familiar with these options before you make any changes.

Parameter

Description

Auto Update Web Address

Web address used for Windows update. The default is sma/windowsupdates.jsp.

Apply as a Policy (users can't modify)

Select True or False. Default = True.

If this option is enabled, users of hosts running the selected version of Windows can no longer set Windows Update parameters for their own hosts. The registry keys for those settings are written by FortiNAC and locked. Changing this option to False does not remove the lock from the registry keys; the keys must be deleted to restore user access to Windows Update settings. The keys, under HKEY_LOCAL_MACHINE, are as follows:

SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

RescheduleWaitTime

Time to wait between the start of Automatic Updates and the start of installations whose scheduled time has already passed. The value is set in minutes, from 1 to 60.

Note

This setting only affects host behavior after the hosts have updated to the SUS SP1 client version or later.

NoAutoRebootWithLoggedOnUsers

Select True or False. Default = False.

If set to True, Automatic Updates does not automatically restart a computer while users are logged on. Note: this setting affects host behavior only after the hosts have updated to the SUS SP1 client version or later.

NoAutoUpdate

0 = Automatic Updates is enabled.

1 = Automatic Updates is disabled.

Default = 0

AUOptions

1 = Keep my computer up to date has been disabled in Automatic Updates.

2 = Notify of download and installation.

3 = Automatically download and notify of installation.

4 = Automatically download and schedule installation.

AUState

0 = Initial 24-hour timeout (Automatic Updates doesn't run until 24 hours after it first detects an Internet connection.)

1 = Waiting for the user to run Automatic Updates

2 = Detection pending

3 = Download pending (Automatic Updates is waiting for the user to accept the pre-downloaded prompt.)

4 = Download in progress

5 = Install pending

6 = Install complete

7 = Disabled

8 = Reboot pending (Updates that require a reboot were installed, but the reboot was declined. Automatic Updates will not do anything until this value is cleared and a reboot occurs.)

ScheduledInstallDay

0 = Every day.

1 - 7 = The days of the week from Sunday (1) to Saturday (7).

ScheduledInstallTime

The time of day in a 24-hour format (0-23).

UseWUServer

Select True or False

When True, the host retrieves updates from a server running Software Update Services (WSUS) instead of from Windows Update.

WUServer

http://<server>

This value sets the SUS server by HTTP name (for example, http://IntranetSUS).

WUStatusServer

http://<server>

This value sets the SUS statistics server by HTTP name (for example, http://IntranetSUS).

Note

If you configure the scan to enable Automatic Updates and an error occurs (for example, a network or permission error) so that the scan cannot perform the update, then the scan might fail.
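The following PowerShell script, added here as an example and not FortiNAC's or Microsoft's own code, audits the policy keys that "Apply as a Policy" writes, decodes the numeric values using the meanings in the table above, flags risky combinations, and offers a guarded way to delete the policy keys, which is what the text above says is required to hand Windows Update settings back to the user. It assumes AUState is read from the legacy Automatic Updates client key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update rather than the policy key.

```powershell
# Added example, not FortiNAC's or Microsoft's code: audit the Windows Update
# policy keys that "Apply as a Policy" writes, decode the numeric values using
# the meanings in the table above, flag risky combinations, and (optionally)
# delete the policy keys to hand Windows Update settings back to the user.
# Run in an elevated PowerShell session on the scanned host.

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
# Assumption: AUState lives in the legacy Automatic Updates client key, not the policy key.
$StateKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# Value meanings taken from the table above.
$AUOptionsText = @{
    1 = 'Keep my computer up to date disabled'
    2 = 'Notify of download and installation'
    3 = 'Automatically download and notify of installation'
    4 = 'Automatically download and schedule installation'
}
$AUStateText = @{
    0 = 'Initial 24-hour timeout'; 1 = 'Waiting for user';     2 = 'Detection pending'
    3 = 'Download pending';        4 = 'Download in progress'; 5 = 'Install pending'
    6 = 'Install complete';        7 = 'Disabled';             8 = 'Reboot pending'
}
$DayText = @{ 0 = 'Every day'; 1 = 'Sunday';    2 = 'Monday'; 3 = 'Tuesday'
              4 = 'Wednesday'; 5 = 'Thursday';  6 = 'Friday'; 7 = 'Saturday' }

function Get-WuPolicyReport {
    $wu = Get-ItemProperty -Path $WuKey    -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey    -ErrorAction SilentlyContinue
    $st = Get-ItemProperty -Path $StateKey -ErrorAction SilentlyContinue

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $wu -and -not $au) {
        $findings.Add('No Windows Update policy keys present; the user controls the settings')
    }
    if ($au.NoAutoUpdate -eq 1) { $findings.Add('NoAutoUpdate=1: Automatic Updates disabled by policy') }
    if ($au.AUOptions -eq 1)    { $findings.Add('AUOptions=1: update checking turned off') }
    if ($au.UseWUServer -eq 1) {
        if (-not $wu.WUServer) {
            $findings.Add('UseWUServer=1 but WUServer is empty: client has no update source')
        } elseif ($wu.WUServer -match '^http://') {
            # Plain HTTP lets an on-path attacker tamper with update traffic in transit.
            $findings.Add("WUServer uses plain HTTP ($($wu.WUServer)); prefer https://")
        }
    }
    if ($st.AUState -eq 8) { $findings.Add('AUState=8: reboot pending; updates will not resume until the host reboots') }

    [pscustomobject]@{
        PolicyPresent     = [bool]($wu -or $au)
        NoAutoUpdate      = $au.NoAutoUpdate
        AUOptions         = if ($null -ne $au.AUOptions) { "$($au.AUOptions) ($($AUOptionsText[[int]$au.AUOptions]))" }
        ScheduledInstall  = if ($null -ne $au.ScheduledInstallDay) {
                                "$($DayText[[int]$au.ScheduledInstallDay]) at $($au.ScheduledInstallTime):00" }
        NoAutoReboot      = $au.NoAutoRebootWithLoggedOnUsers
        RescheduleWaitMin = $au.RescheduleWaitTime
        UseWUServer       = $au.UseWUServer
        WUServer          = $wu.WUServer
        WUStatusServer    = $wu.WUStatusServer
        AUState           = if ($null -ne $st.AUState) { "$($st.AUState) ($($AUStateText[[int]$st.AUState]))" }
        Findings          = $findings
    }
}

function Remove-WuPolicyLock {
    # Deletes the WindowsUpdate policy key and its AU subkey, which the text
    # above says is required to restore user access after "Apply as a Policy".
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    if (-not (Test-Path $WuKey)) { Write-Verbose 'Policy key absent; nothing to do'; return }
    if ($PSCmdlet.ShouldProcess($WuKey, 'Remove Windows Update policy keys (including AU)')) {
        Remove-Item -Path $WuKey -Recurse -Force
        # The Windows Update service caches policy; restart it so the change takes effect.
        Restart-Service -Name wuauserv -Force -ErrorAction SilentlyContinue
    }
}

# Usage:
Get-WuPolicyReport | Format-List
# Remove-WuPolicyLock -WhatIf   # show what would be deleted
# Remove-WuPolicyLock           # prompts for confirmation, then deletes and restarts wuauserv
```

Run the report first on a host that has been scanned with "Apply as a Policy" set to True, then again after setting it to False: the policy keys remain, which is the behavior described above. Only Remove-WuPolicyLock (or an equivalent deletion) clears them, so confirm the host is meant to leave the FortiNAC-managed configuration before running it.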
