KACE Product Support Question

K2000: USMT and Windows Firewall

07/17/2012 6095 views

I'm testing USMT from the kbox and getting the NT_STATUS_IO_TIMEOUT error when the firewall is enabled on the XP target PC. I've already allowed access to TCP ports 139 and 445 in all profiles from the kbox IP through a GPO and ran gpupdate /force, but still get the error if the firewall is enabled. No problem when the fw is disabled. Simple file sharing is off.

Is another port required?




All Answers


You can disable the firewall on the XP target. Open a command prompt, do a netstat -a and note the ports in use, then start the USMT running. While it is going, do another netstat -a and see what additional ports you are using by comparing to the first netstat command.

Answered 07/17/2012 by: SMal.tmcc
Red Belt
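The before/during comparison suggested in this answer can be scripted. This is an added example, not part of the original thread: it assumes the two captures were taken with `netstat -an` (numeric ports) and saved as text, and the sample captures, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample captures (not from the thread). 192.0.2.10 stands in for
# the kbox and 192.0.2.50 for the XP target; both are documentation addresses.
BEFORE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.50:139         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""
DURING = BEFORE + """\
  TCP    0.0.0.0:1337           0.0.0.0:0              LISTENING
  TCP    192.0.2.50:445         192.0.2.10:49201       ESTABLISHED
  TCP    192.0.2.50:1337        192.0.2.10:49202       ESTABLISHED
  TCP    192.0.2.50:1052        192.0.2.77:80          ESTABLISHED
"""

# proto, local addr:port, foreign addr:port (or *:* for UDP), optional state
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+?):(\d+|\*)\s*(\S*)\s*$")

def parse(text):
    """Return {(proto, local_port, remote_addr, remote_port, state)}."""
    rows = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines do not match and are skipped
            proto, _laddr, lport, raddr, rport, state = m.groups()
            rows.add((proto, int(lport), raddr, rport, state or "-"))
    return rows

def new_sockets(before, during, peer=None):
    """Rows present only in the second capture, optionally limited to one peer."""
    added = parse(during) - parse(before)
    if peer is not None:
        added = {r for r in added if r[2] == peer}
    return sorted(added)

def inbound_ports(before, during, peer):
    """Local listening TCP ports the peer connected to during the run."""
    listening = {r[1] for r in parse(during) if r[0] == "TCP" and r[4] == "LISTENING"}
    return sorted({r[1] for r in new_sockets(before, during, peer)
                   if r[0] == "TCP" and r[1] in listening})

if __name__ == "__main__":
    for row in new_sockets(BEFORE, DURING, peer="192.0.2.10"):
        print(row)
    print("candidate inbound exceptions:", inbound_ports(BEFORE, DURING, "192.0.2.10"))
```

Filtering on the peer address keeps unrelated traffic (the constructed port 80 connection here) out of the list, so any firewall exception can be scoped to that one source IP rather than opened to all hosts.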


D'oh! on the netstat. I found TCP port 1337, plus a couple of dynamic ports opened from the kbox. 1337 appears to be the Mice and Men DNS implementation. Hmmmm.

Answered 07/17/2012 by: tpr
2nd Degree Black Belt

  • Maybe the firewall is blocking the program vs. the port. Have logging enabled, try it, and see what the logs say.

For XP, I found that adding the Remote Admin exception to my GPO and using the kbox IP fixed the problem. For Windows 7, I saw the requirement to disable the UAC setting "Run all admins in admin approval". Since that completely breaks UAC and the ability for a non-admin to use the "Run As" option, that's not going to work for us. Is there anything else I can do with the UAC in a GPO short of disabling it altogether, and still get USMT to work?

Answered 07/18/2012 by: tpr
2nd Degree Black Belt

  • You can run the loadstate command as administrator.
    This is from the MS point of view.

If you are replacing or reimaging from XP to 7 you could do this task manually. A tech visits the XP machine to be upgraded and runs the Windows Easy Transfer; during that process they also note the software and printers above the normal image on the system and also include any files not in the default locations. That MIG file is then stored on our IT server. The machine is replaced or reimaged. The tech names it correctly and joins it to the domain. Either get pushes or installs any extra needed software. The tech then goes to the server and double-clicks on the MIG file and brings it to the new machine/image.

Answered 07/18/2012 by: SMal.tmcc
Red Belt

  • Yup, I was just trying to save a visit to the user PC since we're spread out across several buildings.

    Thanks for all the info.
  • Our campus has 6 sites so I know what you mean. I have been remoting my away machines and doing the migration and prepping the w7 box in my office with any additional software and MIG file. I then can have a student tech go swap the boxes. I have been doing in-place remote upgrades on the same machine; just find someone there to put a sign on the machine and I do it all remotely.
