This article covers the installation of the PII Scanner Server component on Windows. The server hosts the web-based administrative interface, manages scan jobs and PII detection rules, and coordinates scanning agents. Complete this installation before deploying any PII Scanner Agents.
Step 1 โ Run the installer:
Locate the installation package:
LTA_PII_Scanner.msi
If the file was downloaded from the internet:
- Right-click the MSI file
- Select Properties
- Click Unblock if present
- Click Apply
Right-click the MSI file and select Install. Follow the installation wizard prompts to complete the installation.
By default, the application installs to:
C:\Program Files\Blue Lance 2-0\LTA_PII_Scanner
What the installer does:
During installation the MSI automatically:
- Installs the server application binaries into the LTA_PII_Scanner folder
- Creates and registers a Windows Service named LTA_Scanner configured to start automatically
- Creates the following supporting folders:
| Folder | Purpose |
| python | Python runtime support |
| data | SQLite database storage |
| logs | Application log files |
| user | User configuration files |
- Runs a PowerShell certificate creation script that generates a self-signed TLS certificate
- Adds a Start Menu shortcut for LT Auditor-MP PII Scanner
SSL certificate generation:
During installation a PowerShell script automatically:
- Creates a self-signed certificate in the local machine certificate store
- Exports scanner.pfx for server use
- Exports scanner.cer for distribution to agent machines
- Sets the machine environment variable LTASCANNER_CERT_PASSWORD with the certificate password
- Writes installation logging to install.log
Both certificate files are stored in the certs folder within the installation directory:
C:\Program Files\Blue Lance 2-0\LTA_PII_Scanner\certs
For production deployments, replace the auto-generated self-signed certificate with a certificate issued by a trusted Certificate Authority. See the production certificate replacement steps below.
Default ports:
The server binds to the following ports by default:
| Protocol | Port | URL |
| HTTP | 52765 | http://0.0.0.0:52765 |
| HTTPS | 52766 | https://0.0.0.0:52766 |
[Your administrator should confirm these ports are not already in use on the server and that inbound firewall rules are in place for both ports.]
Step 2 โ Verify the service is running:
After installation completes, confirm the LTA_Scanner Windows Service is running:
sc query LTA_Scanner
The service should show as Running.
Alternatively verify via the Services console (services.msc):
- Locate LTA_Scanner
- Confirm the status shows Running
If the service is not running, review the installation logs for errors:
C:\Program Files\Blue Lance 2-0\LTA_PII_Scanner\install.log
And review the application logs:
C:\Program Files\Blue Lance 2-0\LTA_PII_Scanner\logs\scanner-*.log
Step 3 โ Verify the web interface is accessible:
After confirming the service is running:
- Open a browser on the server
- Navigate to:
- Confirm the PII Scanner login page appears
Step 4 โ First time login:
On first access, log in using the default administrator credentials displayed on the login page:
| Field | Value |
| Username | admin |
| Password | TempP@ssw0rd!2025 |
On successful first login, the system forces an immediate password change before access is granted.
Change the default password immediately. Refer to the Admin article for user management instructions.
Replacing the self-signed certificate for production:
For production deployments, replace the auto-generated certificate with a CA-issued certificate:
- Obtain a CA-issued certificate in .pfx format
- Replace the existing scanner.pfx in the certs folder:
C:\Program Files\Blue Lance 2-0\LTA_PII_Scanner\certs
- Update the LTASCANNER_CERT_PASSWORD environment variable with the new certificate password:
[System.Environment]::SetEnvironmentVariable(
“LTASCANNER_CERT_PASSWORD”,
“<new-password>”,
“Machine”
)
- Restart the LTA_Scanner service to apply the new certificate:
Restart-Service LTA_Scanner
Data and log locations:
| Location | Purpose |
| data\scanner.db | SQLite database โ contains all server configuration and job data |
| logs\scanner-*.log | Rolling application log files |
| certs\scanner.pfx | Server TLS certificate |
| certs\scanner.cer | Public certificate for agent distribution |
| install.log | Installation log |
Back up the SQLite database (data\scanner.db) regularly. This file contains all PII Scanner Server configuration including PII classes, targets, clients, jobs, and schedules.
Server configuration:
The server is configured through appsettings.json in the installation directory. Key configuration values include:
| Setting | Description |
| Server:Http:Url | HTTP binding URL and port |
| Server:Https:Url | HTTPS binding URL and port |
| Server:Https:Certificate | Path to the TLS certificate file |
| Server:BindAddress | Network interface to bind to |
| Server:UseHttps | Enable or disable HTTPS |
After modifying appsettings.json, restart the LTA_Scanner service to apply changes:
Restart-Service LTA_Scanner