---
title: "On-premises Scanner Configuration - Windows"
slug: "fortanix-key-insight-on-premises-scanner-configuration-windows"
updated: 2026-04-29T05:10:13Z
published: 2026-05-15T09:36:57Z
canonical: "support.fortanix.com/fortanix-key-insight-on-premises-scanner-configuration-windows"
---


# On-premises Scanner Configuration - Windows

## 1.0 Introduction

This article describes the minimum configuration requirements for successfully scanning keys, certificates, resources, and cryptographic assets in on-premises infrastructure types on the **Windows** platform.

It also describes:

- Installing the Fortanix On-premises Scanner.
- Configuring the scanner through the configuration file parameters.
- Executing the Fortanix On-premises Scanner.

*For detailed information about each on-premises infrastructure type, refer to* [*Infrastructure Types*](https://support.fortanix.com/docs/on-premises-infrastructure-types)*.*

## 2.0 Scanning Permissions

*For detailed information on on-premises connection scanning permissions, refer to* [*On-premises Connection Permissions*](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-connection-permissions)*.*

## 3.0 Prerequisites

The following are the prerequisites to configure an on-premises connection on the Windows platform:

- **Server Specifications**
  - The server hosting the scanner must have **at least** **2 virtual Central Processing Units (vCPUs)** allocated.
  - The server must have a **minimum of** **8 GB** of **Random Access Memory (RAM)** to support the scanner.
  - The server should have **at least** **20 GB** of **storage capacity** for temporarily storing scanned data.
- **Operating System and Libraries**
  - Supported operating systems include Windows Server 2016, 2019, 2022, and 2025. The necessary packages are available in `.msi` format.
  - Ensure that [Non-Sucking Service Manager (NSSM)](https://nssm.cc/) is installed in the Windows system directory (`C:\Windows\System32`) if you are running the scanner as a Windows service.
- **Network Requirements**

  > [!NOTE]
  > Although inbound connectivity is required, the Fortanix On-premises Scanner itself does not expose any ports externally.

  - **Outbound (Fortanix On-premises Scanner → External Services)**

    The Fortanix On-premises Scanner must be allowed to make outgoing connections to:
    - *armor.fortanix.com* on port 443
    - Databases on their configured ports
    - The following Internet Protocol (IP) range to communicate back to Fortanix Key Insight:
      - `216.180.120.0/24`

      IP whitelisting is not mandatory. It is required only if your on-premises environment enforces outbound firewall restrictions.
  - **Inbound (File System Scanner Agent (Windows) or File System and Network Scanner Agent (Linux) → Fortanix On-premises Scanner)**

    The Fortanix On-premises Scanner must be reachable from the File System Scanner Agent (Windows) or File System and Network Scanner Agent (Linux):
    - Must accept inbound connections from the File System Scanner Agent’s IP on the configured port. For example, `8080` or `1443`.
    - Firewall or security group rules must allow this traffic.
    - The service must bind to `0.0.0.0` or its external or private IP, not just `127.0.0.1`.
- **Configuration File**

  The Fortanix On-premises Scanner requires a configuration file that includes a list of databases, source code, containers, and file systems with their corresponding credentials, as well as the Fortanix DSM on-premises credentials. This configuration file is in plain text, and it is your responsibility to secure the file and its credentials.
- **Mixed Mode Authentication**: If you are using Windows Authentication, ensure that Mixed Mode authentication is enabled in MSSQL before starting the scan.

  Perform the following steps to enable Mixed Mode:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_OnPrem SQL.png)

**Figure 1: Enable Mixed Mode authentication in SQL**

  1. Open **Microsoft SQL Server Management Studio (SSMS)**.
  2. Right-click the server’s name and select **Properties**.
  3. Navigate to the **Security** page.
  4. Set **Server authentication** to **SQL Server and Windows Authentication mode**.
  5. Click **OK**.

## 4.0 On-premises Scanner Installation and Configuration

You must install the Fortanix On-Premises Scanner package on a Windows machine to scan databases, source code, file systems, containers, Fortanix DSM on-premises deployments, and CyberArk on-premises keys, resources, and certificates.

Perform the following steps to install the Fortanix On-premises Scanner:

1. [Download](https://fortanix.zendesk.com/hc/en-us/articles/30210113068948-Fortanix-Key-Insight-On-Premises-Scanner) and open the Fortanix Key Insight scanner Microsoft installer (`.msi`) file.
2. Review the license agreement and select the check box to accept the terms.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_On-premises MSI File(1).png)

**Figure 2: On-premises Windows Installer**

3. Click **Install** to begin the installation.
4. After the installation is complete, click **Finish** to exit the setup wizard. The installer installs the scanner at the default directory, `C:\Program Files\Fortanix\KI\`.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_On-premises Installation Complete.png)

**Figure 3: Installation completed**

5. Generate and configure the scanner configuration file as detailed in [*On-premises Scanner Configuration File*](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-scanner-configuration-file).
6. Initiate the scanning process as detailed in [*Section 5.0: On-Premises Scanner Execution*](/v1/docs/fortanix-key-insight-on-premises-scanner-configuration-windows#50-onpremises-scanner-execution).

> [!NOTE]
> - A sample configuration file is available at `C:\ProgramData\Fortanix\KI\Conf\Config.yaml.example`.
> - To upgrade the package on Windows, download the latest installer (`.msi`) and run it. The installer automatically replaces the previous version and no manual uninstallation is required.

## 5.0 On-premises Scanner Execution

### 5.1 As a Windows Service (Using NSSM)

Perform the following steps to run the scanner as a Windows service using NSSM:

1. Run the following command to install the service using NSSM:

```powershell
nssm.exe install FortanixKIService "[INSTALLFOLDER]FortanixKiScanner.exe"
```

Here, replace `[INSTALLFOLDER]` with your scanner installation directory, including the trailing backslash. For example, `C:\Program Files\Fortanix\KI\`.

2. Run the following command to set the configuration file location:

```powershell
nssm.exe set FortanixKIService AppParameters "start --config-file <path_to_config_file>"
```

Here, replace `<path_to_config_file>` with the full path to your configuration file.

3. Run the following command to start the service:

```powershell
nssm.exe start FortanixKIService
```
4. Run the following command to verify the status of the service:

```powershell
nssm.exe status FortanixKIService
```
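
One way to check the network prerequisites from Section 3.0 once the service is running, as an added example that is not Fortanix-supplied code. The listener port `8080` is the page's example value; the agent address `10.0.0.25` and the firewall rule name are constructed placeholders.

```powershell
# Added example: verify the scanner's network prerequisites on the scanner host.
# Assumptions: listener port 8080 (the page's example value), a constructed
# agent address, and a hypothetical firewall rule name. Run from an elevated prompt.
$ScannerPort = 8080
$AgentIp     = '10.0.0.25'                                  # constructed placeholder
$RuleName    = 'Fortanix KI Scanner inbound (agent only)'   # hypothetical name

# 1. Outbound: the scanner must reach armor.fortanix.com on TCP 443.
$out = Test-NetConnection -ComputerName 'armor.fortanix.com' -Port 443 -WarningAction SilentlyContinue
if (-not $out.TcpTestSucceeded) {
    Write-Warning 'Outbound 443 to armor.fortanix.com failed. If egress is filtered, allow 216.180.120.0/24.'
}

# 2. Bind address: a listener on 127.0.0.1 or ::1 only cannot be reached by agents.
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $ScannerPort -ErrorAction SilentlyContinue)
if ($listeners.Count -eq 0) {
    Write-Warning "Nothing is listening on TCP $ScannerPort. Check the service status and the configured port."
}
foreach ($l in $listeners) {
    [pscustomobject]@{
        LocalAddress = $l.LocalAddress
        Port         = $l.LocalPort
        Process      = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        LoopbackOnly = ($l.LocalAddress -in @('127.0.0.1', '::1'))
    }
}

# 3. Inbound firewall: allow the port from the agent address only, not from any source.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $ScannerPort -RemoteAddress $AgentIp | Out-Null
}

# Show the source addresses the rule actually permits.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

A `LoopbackOnly` value of `True` for the scanner process means the bind address in the configuration file needs to change before any agent can connect.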

### 5.2 Manual Run

> [!NOTE]
> The scanner command in this section requires the configuration file to be named `config.yaml`. If you are using the provided example file (`config.yaml.example`), copy or rename it to `config.yaml` before running the scanner.

After configuring the Fortanix On-premises Scanner, perform the following steps to execute it:

1. Open the command prompt and run the following command to navigate to the scanner installation directory:

```powershell
cd "C:\Program Files\Fortanix\KI"
```
2. Run the following command to run the Fortanix On-premises Scanner:

> [!NOTE]
> Recommended guidelines:
> 
> - Run `FortanixKiScanner.exe` from `C:\Program Files\Fortanix\KI`.
> - Keep `config.yaml` in `C:\ProgramData\Fortanix\KI\Conf`.

```powershell
.\FortanixKiScanner.exe start --config-file <path-to-config.yaml>
```

Here, `<path-to-config.yaml>` is the full path to your scanner configuration file. For example: `C:\ProgramData\Fortanix\KI\Conf\config.yaml`.
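
Because the configuration file holds credentials in plain text, its access control list is worth checking before the first run. The following is an added example, not Fortanix-supplied code; it assumes the file is at the example path above and that the scanner runs as LocalSystem (the NSSM default when no service account is set) or from an administrator's console.

```powershell
# Added example: audit and tighten the ACL on the scanner's plain-text config file.
# Assumptions: the example path from this page; the scanner runs as LocalSystem
# or is started manually by an administrator. Run from an elevated prompt.
$ConfigPath = 'C:\ProgramData\Fortanix\KI\Conf\config.yaml'

# Well-known SIDs of broad groups that should not be able to read stored credentials.
# SIDs are used instead of names so the check also works on localized Windows builds.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

function Get-BroadAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Request explicit and inherited ACEs, with principals returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Sid       = $sid
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Get-BroadAce -Path $ConfigPath)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    # Drop inherited ACEs and grant only SYSTEM and Administrators.
    icacls $ConfigPath /inheritance:r /grant:r '*S-1-5-18:(F)' '*S-1-5-32-544:(F)'
    # Explicit ACEs for broad groups survive /inheritance:r, so remove them by SID.
    foreach ($f in $findings | Where-Object { -not $_.Inherited }) {
        icacls $ConfigPath /remove:g "*$($f.Sid)"
    }
}

# Print the resulting ACL for review.
icacls $ConfigPath
```

If the service is later moved to a dedicated service account, grant that account read access to the file in the same way before restarting the scanner.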

> [!NOTE]
> - Restart the scanner after modifying the configuration file for changes to take effect.
> - If a scan is interrupted or closed before completion, then the next scan starts from the beginning.
> - To stop the Fortanix On-premises Scanner running in Command Prompt, press **Ctrl + C** in the same console window.

## 6.0 Additional References

After configuring the Fortanix On-premises Scanner, refer to the following:

- [*Getting Started with On-Premises Connection*](https://support.fortanix.com/docs/fortanix-key-insight-getting-started-with-on-premises-connection) *for guidance on onboarding an on-premises connection in Fortanix Key Insight.*
- [*On-Premises Connection Troubleshooting*](https://support.fortanix.com/docs/fortanix-key-insight-on-premises-connection-troubleshooting) *for guidance on troubleshooting steps for common issues encountered while configuring and running Fortanix Key Insight in on-premises environments.*

The Fortanix On-premises Scanner is a configuration component installed within an organization’s local infrastructure. It is designed to scan, analyze, and manage sensitive cryptographic data using Fortanix Key Insight. The scanner identifies keys, certificates, and compliance information within on-premises systems. It supports both Linux and Windows platforms, allowing for flexible and secure deployment and visibility across different environments.
