4.2 Considerations for Managing the Windows Agent Environment

When planning the systems you want the Windows agent to manage and where you want to install a Windows agent, consider the following:

  • Only one agent can be installed on each physical or virtual computer.

  • At least one agent must be installed per WAN. The agent must reside at the remote end of the network so requests between the service and the managed computers are executed over a local area network.

  • At least one agent must be installed per domain. The agent can manage computers in the same domain by proxy. For more information, see Understanding Management by Proxy.

    NOTE: For optimal performance, install at least one agent per 50 managed computers in a domain. Performance might vary depending on processor speeds, memory, locations, and network bandwidth. The size of reports and how frequently you run them also affect performance.

  • Administrative permissions must be set. Configure the Windows agent service to run with full administrative access to the local computer and domain. For more information, see Permissions Requirements.

  • To successfully run security checks for Windows patch assessments, ensure that the following programs are running on the endpoint computers that you want to assess:

    • Windows Update or Automatic Updates service, depending on the operating system

    • Windows Update Agent 7.4 or later

    Secure Configuration Manager does not require specific settings for these Windows services.

  • (Conditional) When installing the agent on a local computer, the Workstation service must be running.

  • (Conditional) If you want Secure Configuration Manager to receive and display IPv6 addresses from managed endpoints, the agent computer must be running Windows Server 2003 or a later operating system. Also, the Windows agent must be set up as a dual-stack host to support both IPv4 and IPv6 addresses. The agent uses IPv4 addresses when communicating with Core Services. For more information about agent operating systems, see Windows Agent Computer Requirements.

  • (Conditional) If an endpoint uses only an IPv6 address, that endpoint must be managed by Windows proxy. For more information, see Proxy Requirements.

  • (Conditional) To use the Effective Policy object to audit Group Policy Object (GPO) settings, ensure that your environment meets the following requirements:

    • The Windows agent computer should run the same operating system as the endpoint computer that the agent monitors. Using computers that run the same operating systems ensures a consistent name and path convention for the reported GPOs. The names and paths for GPOs vary by Microsoft operating system. For example, if you used a computer running Windows Server 2008 to edit and distribute GPOs to a domain controller, you should query all endpoints in that domain from an agent running on a Windows Server 2008 computer. Otherwise, the names of or paths to reported GPOs on an endpoint computer might not match the names and paths for the same GPOs on the agent computer. For more information, see Match Endpoints to Agents.

    • The Windows agent computer should run the same operating system as the computer from which you deployed the GPOs to ensure a consistent name and path convention for the reported GPOs.

    • The Windows agent service account must have Administrative permissions on the endpoint to collect GPO settings information. That is, the service account cannot run as the Local System account on queried endpoints.
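
A preflight check for the service, Windows Update Agent version, and dual-stack items in the list above, as an added example that is not part of the product or its documentation. It assumes PowerShell 3.0 or later and the default Windows service names `wuauserv` and `LanmanWorkstation`; the function names are hypothetical.

```powershell
# Added example, not vendor code. Assumes PowerShell 3.0+ and default service names.
$MinWua = [version]'7.4'   # minimum Windows Update Agent version stated in the list above

function New-Result($AppliesTo, $Check, $Passed, $Detail) {
    [pscustomobject]@{ AppliesTo = $AppliesTo; Check = $Check; Passed = [bool]$Passed; Detail = $Detail }
}

function Test-ServiceRunning($AppliesTo, $Name) {
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $detail = if ($svc) { "$($svc.DisplayName): $($svc.Status)" } else { 'service not found' }
    New-Result $AppliesTo "Service $Name is running" ($svc -and $svc.Status -eq 'Running') $detail
}

function Test-WuaVersion {
    # wuaueng.dll carries the Windows Update Agent version as its file version.
    $dll = Join-Path $env:SystemRoot 'System32\wuaueng.dll'
    if (-not (Test-Path -LiteralPath $dll)) {
        return New-Result 'Endpoint' "Windows Update Agent >= $MinWua" $false "$dll not found"
    }
    $vi = (Get-Item -LiteralPath $dll).VersionInfo
    $found = New-Object -TypeName version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    New-Result 'Endpoint' "Windows Update Agent >= $MinWua" ($found -ge $MinWua) "found $found"
}

function Test-DualStack {
    # Collect unicast addresses on interfaces that are up, ignoring loopback.
    $addrs = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        Where-Object { $_.OperationalStatus -eq 'Up' -and $_.NetworkInterfaceType -ne 'Loopback' } |
        ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
        ForEach-Object { $_.Address }
    $v4 = @($addrs | Where-Object { $_.AddressFamily -eq 'InterNetwork' }).Count
    # Choice made in this example: a link-local IPv6 address alone does not count.
    $v6 = @($addrs | Where-Object { $_.AddressFamily -eq 'InterNetworkV6' -and -not $_.IsIPv6LinkLocal }).Count
    New-Result 'Agent (IPv6 reporting)' 'Dual-stack host' ($v4 -gt 0 -and $v6 -gt 0) "IPv4: $v4, IPv6: $v6"
}

$results = @(
    Test-ServiceRunning 'Endpoint' 'wuauserv'          # Windows Update / Automatic Updates
    Test-WuaVersion
    Test-ServiceRunning 'Agent' 'LanmanWorkstation'    # Workstation service
    Test-DualStack
)
$results | Format-Table -AutoSize -Wrap
```

The AppliesTo column shows which checks matter on an endpoint being assessed and which on the agent computer, so a failed row only needs attention on the matching kind of machine.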