Discovering Windows hosts by using PowerShell

PowerShell is a cross-platform command line shell and scripting language. In BMC Discovery, you can use PowerShell to perform an in-depth discovery of Windows hosts. PowerShell performs host discovery by connecting to the host's PowerShell API over HTTPS (by default) and by using a PowerShell specific credential. PowerShell discovery runs scripted commands in the same way as in UNIX and Linux discovery.

The information returned from a Windows host by PowerShell is the same as other Windows discovery methods.

PowerShell is also used in an experimental feature to discover Windows hosts in AWS that uses SSM discovery.

Windows host discovery by using PowerShell

PowerShell discovery requires a valid PowerShell credential for the host to be discovered. BMC Discovery looks for open PowerShell ports on the target host. If open PowerShell ports are available, BMC Discovery attempts to connect to the PowerShell API over https and uses the PowerShell credential to log in.

This can all be accomplished from the appliance, without the need for a Windows proxy or a BMC Discovery Outpost. PowerShell discovery always tries to use a valid PowerShell credential directly from the appliance, before attempting discovery from BMC Discovery Outpost or proxy.

PowerShell can be used over HTTP, and the content returned is encrypted. Using HTTP with Basic authentication makes it possible for credentials to be compromised. We recommend you use NTLM (Negotiate) authentication.

PowerShell discovery can also discover hosts that use Windows Just Enough Administration (JEA). To discover hosts that use Windows JEA, you must configure JEA on the target hosts. For more information about configuring JEA, see Additional JEA configuration. You must also enable JEA in the credential, and specify the JEA Endpoint. For more information, see Adding-credentials.

PowerShell discovery from Windows proxies and BMC Discovery Outposts

When you use a PowerShell credential for discovery and one of the following events occurs, discovery proceeds through a BMC Discovery Outpost or a BMC Discovery Windows AD proxy:

The scope or IP access of the appliance does not permit the appliance to scan the IP address.
Discovery using PowerShell fails.

For PowerShell discovery, the BMC Discovery Windows AD proxy does not issue discovery commands and return processed results. It acts as a proxy, simply forwarding the PowerShell commands to be run on the target host, and returning the raw results to the BMC Discovery appliance or BMC Discovery Outpost that initiated the scan.

When you use discovery in Record/Playback mode for PowerShell discovery, this is done in the Windows AD proxy.

Credential proxies are not used for PowerShell discovery. Credential proxies are given a credential from BMC Discovery or BMC Discovery Outpost and they would simply repeat the discovery attempt by using the credential that has already failed.

For Windows discovery, PowerShell is now the preferred method of discovering Windows hosts, if a PowerShell credential is available, it is used in preference to any other Windows credential. Where a PowerShell credential is not available, the BMC Discovery Outpost or proxy runs the PowerShell commands using the existing Windows AD credentials, and falls back to trying WMI and RemQuery if a PowerShell request fails. Many PowerShell commands access WMI objects, so it is important that WMI is available and can be used by PowerShell.

The order of precedence for Windows discovery methods is:

Powershell > WMI > RemQuery > SNMP

PowerShell cmdlets

PowerShell commands are referred to as cmdlets. When additional software is installed on a Windows host, such as Exchange, often additional Exchange-related cmdlets are installed into PowerShell on that host, and are available for PowerShell discovery. However, additional cmdlets might require additional permissions.

PowerShell versions

Windows Remote Management was introduced in Server 2003 SP1. Windows Remote Management should work with PowerShell versions 3 and 4. Windows Remote Management does work in PowerShell version 5 which is the version that we recommend. PowerShell version 5 is a requirement for Windows host discovery by using JEA and PowerShell.

BMC Discovery supports PowerShell 3.0 or later. This is equivalent to Windows Server 2012 or later. Where RemQuery runs powershell.exe on a target host, earlier PowerShell versions might provide usable results.

How to discover Windows hosts by using PowerShell

The following video (03:39) provides an introduction to discovering Windows hosts by using PowerShell.

https://youtu.be/VmEZu1zdD2U

Before you begin

The target hosts that you intend to discover must have the Windows Remote Management (WS-Management) service running. The service is enabled by default on modern Windows Server OSs, and you need not make any additional configuration on the target. However, for desktops, or where the WS-Management service is disabled, you must run the Windows Remote Management service. To run the Windows Remote Management service, perform one of the following steps:

- Start the Windows Remote Management (WS-Management) service using a domain-wide policy, or for individual hosts, start the service using the following PowerShell cmdlet:
  Enable-PSRemoting
- Open the Windows Control Panel, access the Services tool, search for the Windows Remote Management (WS-Management) service, right-click the service, and select Start.

When discovery is initiated directly from the appliance, and the appliance is not in the AD Domain, you should also check the following:

Authentication uses AD, so by default only domain hosts can connect. You can add BMC Discovery appliances by IP address by using the following cmdlet:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "x.x.x.x"
where "x.x.x.x" is the IP address of the BMC Discovery appliance or BMC Discovery Outpost. For more information, see these Microsoft resources:
- Microsoft.PowerShell.Core - Enter-PSSession
- PowerShell - about_Remote_Troubleshooting

By default, only Administrator, or permitted accounts using JEA can connect by using PowerShell remoting. For Windows Server 2012 and later, you can enable individual user accounts to connect by adding them to the Remote Management Users group. Adding users can also be managed by using a Group policy.

Additional configuration for discovery by using JEA

Windows JEA enables administrators to permit non-administrator users to execute specific cmdlets (commands) and external processes, without granting them full administrative privileges. By using JEA in BMC Discovery, you can discover Windows hosts without providing credentials with full administrator access.

JEA is supported for the following credential types:

PowerShell
Active Directory Windows proxy

Windows host discovery by using JEA and PowerShell requires the following:

PowerShell 5.0 or Windows Management Framework 5.1 must be installed on the target Windows hosts.
JEA must be configured on the target Windows hosts. The following parameters must be specified in the JEA session configuration file:
language = 'FullLanguage'
session type = 'Default'

See the Microsoft article Registering JEA Configurations - PowerShell for more information.

To add the JEA endpoint name to Active Directory Windows proxy hosts

If you are using Active Directory Windows proxies, you must add the JEA endpoint name in the registry on the proxy hosts. To do this:

On the Windows proxy host, add the following String Value registry key:
- Create the String key at: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\BMC Software\Atrium Discovery Proxy\<proxy_name>where <proxy_name> is the name of the proxy.
- The key name is: CommandLine.
- The key value is: "--powershell-jea-enabled --powershell-jea-config <name-of-configuration>"where <name-of-configuration> is the JEA Endpoint Name
Restart the Windows proxy service.
View the tw_svc_winproxy.log and verify the the proxy starts with JEA enabled.

To verify that a target was discovered by using JEA

To verify that a target was discovered by using JEA, perform one of the following steps:

Log in to the target Windows host and verify that a new log/transcript file is present in the Transcripts folder. Transcription should be enabled and the directory set in the host's session configuration file by using the TranscriptDirectory parameter.
In the UI, open the DiscoveryAccess-page for the scanned Windows target host and verify that the "PowerShell" protocol was used for discovery.

Troubleshooting

Cannot discover a host by using PowerShell

If you cannot discover a host that you expect to by using PowerShell, it is possible that the Windows Remote Management (WS-Management) service is not running. Verify this for the host by using the following PowerShell command on your local Windows host:

Enter-PSSession -ComputerName DISC-QA03.test.lab -Credential DOMAINNAME\Administrator

PowerShell authentication in systems with FIPS enabled

NTLM is based on MD5 and RC4 whose use is not permitted by FIPS. We recommend that you use a BMC Discovery Outpost and for authentication, select Negotiate.

Cannot discover a host by using JEA

If you are using JEA, confirm that it is correctly configured on the target host. Confirm that the session configuration file has the following parameters defined:

language = 'FullLanguage'
session type = 'Default'

Windows discovery using PowerShell creates discovery and session logs to aid troubleshooting, though the session logs only contain the PowerShell Output stream. Further troubleshooting information is provided in Troubleshooting-PowerShell-discovery-issues.

Known issue

If the connection is lost when the PowerShell script is running, the script might be unable to resume, and fails to time out. This issue is being tracked on the PowerShell GitHub project.