- Step 1 Configure Distribution Point for the Command Line Executable
- Step 2 - Launch Server Manager
- Step 3 - Open Group Policy Management
- Step 4 - Navigate to the Group Policy Object
- Step 5 - Edit the Domain Policy
- Step 6 - Open Scheduled Tasks
- Step 7 - Create a New Scheduled Task
- Step 8 - Configure the Task (for Server 2016)
- Step 9 - Schedule the Task
- Step 10 - Check Scan Progress
- Create a directory under C:\Windows\SYSVOL\domain\scripts on the Domain Controller.
- Download the command line executable for Windows (iscanruntime.exe) and save it to the directory you just created. Be sure to keep the name exactly as it is.
In most cases, this is done by simply clicking the Server Manager icon located at the far left of the task bar at the bottom of your screen.
Navigate to Features > Group Policy Management.
Click Tools in the upper right of the window, then click Group Policy Management.
Click Tools in upper right of window and select Group Policy Management:
Once inside Group Policy Management, navigate to Forest > Domains > Your Domain Name > Default Domain Policy.
Right click on the Default Domain Policy object and select Edit.
The Group Policy Management Editor is displayed:
Right click on Scheduled Tasks, click New, then select from the following options based on your Operating System:
- For Server 2000/2003, select Schedule Task.
- For Server 2008/2008R2 select Schedule Task (Windows Vista or later).
- For Server 2012/2012R2/2016 select Schedule Task (At least Windows 7).
If you have multiple Operating Systems on your domain (e.g. Windows XP, Windows 7 and Windows 10) you must create separate Scheduled Tasks. One for Windows XP/Windows 7 and one for Windows 10.
- On the General tab, click on the Action drop down and select Create…
- Add a descriptive name (this is mandatory).
- Add account to run task (this is mandatory).
- Click on the Configure for: dropdown and select the Operating System that you will deploy task to (i.e. Windows Vista or Windows Server 2008/Windows 7, Windows Server 2008R2).
- Click on the Triggers tab to configure the run-time/schedule of the Scheduled Task.
- Optionally, configure Actions, Conditions, Settings, and Common if desired.
- Click Apply.
- Click OK.
The Configure Task step for both Server 2008/R2 and 2012/R2 has additional options for specific operating systems (e.g. Windows XP or Windows 7) that are not displayed here. While those tasks can be configured to work, you need to consult the provider’s website for details.
The Schedule Task option available when creating a new task in step 7 is pre-configured for Server 2000/2003 and Windows XP machines. You must use Schedule Task with the option in parenthesis (e.g. Schedule Task (Windows Vista or later) to ensure the Schedule Task is configured correctly to deploy to the relevant Operating Systems on the domain (i.e. using the Configure for: dropdown (above)).
- In the Schedule tab, click on the Scheduled Task dropdown and select the option you require.
- Set the Start time.
- Add the settings you need - these vary depending on your selection in the Scheduled Task dropdown.
- Configure any optional settings as required.
- When you have finished, click OK to save your new scan task.
Assuming the steps above have been completed, and your updated GPO has been pushed to all systems, then the scan should be executed at the time you specified in the task.
Manually running GPUPDATE on the Domain Controller and any target systems may speed up the GPO sync process.
To verify the scan is executing properly, log in to the Risk Intelligence Console and navigate to View and Manage - Scan Results to view your scan progress (see View Individual Device Scan Results.
If scans are not being executed at the proper times, then try the following troubleshooting steps:
- Make sure the path specified in the scheduled task is correct. In most cases, it should be in the format of \\server name\path\executable.
- Make sure the systems that have been scheduled to run the task have access to that shared location. You can do this by opening the Run menu (Start / Run, or Windows key + R), then typing in the path to that shared location (minus the file name), and hitting enter. The folder containing the executable should open.
- Make sure the date and time are correct on all systems.
- Open the Event Log on one of the target systems and look for any events related to the Task Scheduler or the scheduled scan.
- Open the local Task Scheduler on a target system. Click on Task Scheduler Library, then look for your scheduled scan in the middle window. If not found, then that could indicate GPO sync issues. If found, it may have a status message that could help to explain any failures.
More information on GPO editing and GPO Schedule Tasks can be found in these Microsoft Articles: