Discovering Windows hosts with PowerShell

PowerShell is a cross-platform command line shell and scripting language. In BMC Helix Discovery, you can use PowerShell to perform an in-depth discovery of Windows hosts. PowerShell performs host discovery by connecting to the host's PowerShell API over HTTPS (by default) using a PowerShell-specific credential. PowerShell discovery runs scripted commands in much the same way as UNIX and Linux discovery.

PowerShell is also used in an experimental feature that uses SSM discovery to discover Windows hosts in AWS.

Windows host discovery by using PowerShell

PowerShell discovery requires a valid PowerShell credential for the host to be discovered.  

BMC Helix Discovery looks for open PowerShell ports on the target host. If open PowerShell ports are available, BMC Helix Discovery attempts to connect to the PowerShell API over HTTPS and uses the PowerShell credential to log in. PowerShell can also be used over HTTP, and the content returned is still encrypted. However, using HTTP with Basic authentication would make it possible for credentials to be compromised. We recommend that you use NTLM (Negotiate) authentication.

PowerShell discovery from BMC Discovery Outposts

PowerShell discovery proceeds through a BMC Discovery Outpost. For Windows discovery, PowerShell is now the preferred method of discovering Windows hosts. Where a PowerShell credential is available, it is used in preference to any other Windows credential. Where a PowerShell credential is not available, the BMC Discovery Outpost runs the PowerShell commands using the existing Windows AD credentials, and falls back to trying WMI and RemQuery if a PowerShell request fails. Many PowerShell commands access WMI objects, so it is important that WMI is available and can be used by PowerShell.

The order of precedence for Windows discovery methods is:

  • PowerShell > WMI > RemQuery > SNMP

When you use discovery in Record/Playback mode for PowerShell discovery, this is done in the BMC Discovery Outpost.

The information returned from a Windows host by PowerShell is the same as that returned by the existing Windows discovery methods; PowerShell is simply another access method.

PowerShell cmdlets

PowerShell commands are referred to as cmdlets. When additional software is installed on a Windows host, such as Exchange, often additional Exchange-related cmdlets are installed into PowerShell on that host, and are available to PowerShell discovery. However, additional cmdlets might require additional permissions.

To configure target hosts

The target hosts that you intend to discover must have the Windows Remote Management (WS-Management) service running. The service is enabled by default on modern Windows Server OSs, so you should not need to undertake any configuration on the target. However, for desktops, or where the WS-Management service is disabled, you must run the service.

To run the service, either:

  • Start the Windows Remote Management (WS-Management) service using a domain-wide policy, or for individual hosts, you can start the service using the following PowerShell cmdlet:

  • Alternatively, open the Windows Control Panel, access the Services tool, search for the Windows Remote Management (WS-Management) service, right-click the service, and select Start.

You should also check the following:

  • Ensure that Windows Remote Management is allowed by the Windows Firewall.
  • Authentication uses AD, so by default only domain hosts can connect. You can add BMC Discovery Outposts by IP address using the following cmdlet:

    Set-Item WSMan:\localhost\Client\TrustedHosts -Value "x.x.x.x"

    where "x.x.x.x" is the IP address of the BMC Discovery Outpost. See these Microsoft resources for more information:

  • By default, only Administrator accounts can connect by using PowerShell remoting. For Windows Server 2012 and later, you can enable individual user accounts by adding them to the Remote Management Users group. Adding users can also be managed by using a Group Policy.
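
The target-side settings in this section, together with the authentication recommendation earlier on the page, can be verified with a read-only audit run on the target host. This is an added example, not BMC code: the names Test-WinRMDiscoveryReadiness and New-Result are hypothetical, and the firewall and group checks assume the English names of the built-in rule group and local group.

```powershell
# Added example (not BMC code): read-only audit of the WinRM settings discussed above.
# Run in an elevated PowerShell 5.x session on the target host.
function Test-WinRMDiscoveryReadiness {
    [CmdletBinding()]
    param()

    # Hypothetical helper: one result row per check.
    function New-Result($Check, $Value, [bool]$Ok) {
        [pscustomobject]@{ Check = $Check; Value = "$Value"; Ok = $Ok }
    }

    # The WSMan: drive is only readable while the service runs, so check it first.
    $svc = Get-Service -Name WinRM
    New-Result 'WinRM service running' $svc.Status ($svc.Status -eq 'Running')
    if ($svc.Status -ne 'Running') { return }

    # Discovery connects over HTTPS by default, so look for an HTTPS listener.
    $transports = Get-ChildItem WSMan:\localhost\Listener |
        ForEach-Object { ($_.Keys -like 'Transport=*') -replace '^Transport=' }
    New-Result 'HTTPS listener present' ($transports -join ',') ($transports -contains 'HTTPS')

    # Basic authentication over HTTP exposes credentials; Negotiate is recommended.
    $basic = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    New-Result 'Basic auth disabled' $basic ($basic -eq 'false')
    $nego = (Get-Item WSMan:\localhost\Service\Auth\Negotiate).Value
    New-Result 'Negotiate auth enabled' $nego ($nego -eq 'true')
    $plain = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    New-Result 'Unencrypted traffic refused' $plain ($plain -eq 'false')

    # A wildcard entry lets this host connect to any peer without mutual authentication.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    New-Result 'TrustedHosts has no wildcard' $trusted ($trusted -notmatch '\*')

    # Assumption: English display group name of the built-in firewall rules.
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    $count = @($rules).Count
    New-Result 'Inbound firewall rule enabled' $count ($count -gt 0)

    # Informational: non-administrator discovery accounts must appear in this group.
    $members = Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction SilentlyContinue
    New-Result 'Remote Management Users members' ($members.Name -join ', ') $true
}

Test-WinRMDiscoveryReadiness | Format-Table -AutoSize
```

Set-Item on TrustedHosts replaces the existing list; add the -Concatenate parameter to append an address to the current value instead.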

See the following video (03:39) which explains how you can discover Windows hosts by using PowerShell.

PowerShell versions

Windows Remote Management was introduced in Server 2003 SP1. Windows Remote Management should work in PowerShell versions 3 and 4, but we recommend PowerShell version 5.

BMC Discovery supports PowerShell 3.0 or later. This is equivalent to Windows Server 2012 or later. Where RemQuery runs powershell.exe on a target host, earlier PowerShell versions might give usable results. 


If you cannot discover a host by using PowerShell when you expect to, it is possible that the Windows Remote Management (WS-Management) service is not running. You can check this for the host by running the following PowerShell command on your local Windows host:

Enter-PSSession -ComputerName DISC-QA03.test.lab -Credential DOMAINNAME\Administrator

You are prompted for the password.

Known issue

If the connection is lost when the PowerShell script is running, the script might be unable to resume, and fail to time out. This issue is being tracked on the PowerShell GitHub project.
