At the moment the documentation does not clearly list which ports should be opened on a Windows client and which services must be started on that client to allow you to get hardware and software inventories from it. I have requested this to be enhanced ASAP.
While waiting for this enhancement I performed some tests to try to identify these prerequisites, so this document might not be 100% accurate right away; do not hesitate to comment if that is the case.
- Remote Procedure Call (RPC) must be started
- Windows Management Instrumentation must be started
- RPC Port Opened on the firewall: 135 TCP (both ways)
This would be the rule "Allow inbound remote administration exception", but so far I have only tested adding the port.
- SMB Port Opened on the firewall: 139 TCP (both ways).
This would be the rule "Allow inbound file and printer sharing exception", but so far I have only tested adding the port.
- WMI Ports:
Make sure you are editing your group policy object from a Windows 7 or Server 2008 R2 machine to ensure you are editing the policy with the same client-side extension present.
1. Edit the group policy object you wish to put these settings into.
2. Expand the Computer Config > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules node.
3. Right-click in the working area and choose New Rule...
4. Choose the Predefined option, and select Windows Management Instrumentation (WMI) from the drop-down list, Next.
5. There are a number of options here, but I tend to just select one: the (WMI-In) option with the Domain profile value. If you aren't sure what you need, then just remember you can come back and add the others later. Click Next.
6. Allow the connection > Finish.
I have linked this here for information purposes but I haven't tested it. This will allow you to open only one port for WMI.
A Windows administrator account must be set in the Scan Configuration in the console > Active Protocols > Windows (SMB).
This account must be able to access the files and the registry for the software inventory, and WMI for the hardware inventory.
Typically the security team can allow an authoritative source (the scanner IP address, via an ACL) to port scan devices. This can be done at the switch level and/or at the endpoint level (anti-virus solutions / local firewall).
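To confirm a client actually meets the checklist above (services, TCP 135/139, the WMI rule group, and the scan account's WMI access), here is an added pre-flight script; it is not part of the original post or the product. It assumes Windows PowerShell 5.1 with the NetSecurity module, an elevated prompt on the client, and the parameter names `-ClientName` / `-ScanCredential` are my own for the optional remote test.

```powershell
# Added pre-flight check (not from the original post). Run on the Windows client
# to verify the prerequisites listed above; the optional last step is run from the
# scanner host with the scan account. Assumes Windows PowerShell 5.1, run elevated.
param(
    [string]$ClientName,             # hypothetical parameter: only for the remote WMI test
    [pscredential]$ScanCredential    # the account set under Active Protocols > Windows (SMB)
)
$results = @()

# 1. Services: Remote Procedure Call (RpcSs) and Windows Management Instrumentation (Winmgmt)
foreach ($svc in 'RpcSs', 'Winmgmt') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = "Service $svc running"; Ok = ($s -and $s.Status -eq 'Running') }
}

# 2. Firewall: enabled inbound Allow rules covering TCP 135 (RPC) and TCP 139 (SMB).
#    Predefined rules use the keywords 'RPC-EPMap' (port 135) or 'Any' instead of a number,
#    so those are accepted too. Port ranges such as "135-139" are not parsed here.
$openPorts = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' } |
    Select-Object -ExpandProperty LocalPort
$rpcOk = ($openPorts -contains '135') -or ($openPorts -contains 'RPC-EPMap') -or ($openPorts -contains 'Any')
$smbOk = ($openPorts -contains '139') -or ($openPorts -contains 'Any')
$results += [pscustomobject]@{ Check = 'Inbound TCP 135 (RPC) allowed'; Ok = $rpcOk }
$results += [pscustomobject]@{ Check = 'Inbound TCP 139 (SMB) allowed'; Ok = $smbOk }

# 3. Firewall: the predefined WMI rule group that the GPO steps above enable (WMI-In).
$wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
$results += [pscustomobject]@{ Check = 'WMI inbound rule group enabled'; Ok = [bool]$wmiRules }

# 4. Optional, from the scanner host: confirm the scan account can query WMI over DCOM/RPC
#    (Get-WmiObject uses the same RPC path the hardware inventory relies on).
if ($ClientName -and $ScanCredential) {
    $label = "Remote WMI on $ClientName as $($ScanCredential.UserName)"
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ClientName `
              -Credential $ScanCredential -ErrorAction Stop
        $results += [pscustomobject]@{ Check = $label; Ok = [bool]$os }
    } catch {
        $results += [pscustomobject]@{ Check = $label; Ok = $false }
    }
}

$results | Format-Table -AutoSize
```

Any row showing `Ok = False` points at the specific prerequisite above that is still missing on that client.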