WMI Discovery & Profiling
Windows Management Instrumentation (WMI) is an industry-standard technology for accessing management information in an enterprise environment. It exposes the status of local and remote Windows computers, and Asset Manager uses the values retrieved from WMI-enabled devices for discovery, profiling, and reporting.
Port Discovery Requirement
Device Profile Discovery depends on Port Discovery. Be sure to enable Port Discovery before using Device Profiling.
FIPS Requirement
Starting from Asset Manager 4.8, FIPS is required to be disabled for WMI functionality.
If FIPS is enabled, that may be the reason WMI isn't working as expected. To disable FIPS from the CLI, run system fips disable and then system reboot.
Also, we recommend that your Active Directory credentials be read-only, unique, and non-expiring.
The return values from WMI-enabled devices enhance the following aspects of Asset Manager:
- Discovery
- Profiling
- Services - Identifies installed/running services such as Windows Defender, HBSS/McAfee Agent, and Tanium Agent
- Install status
- Enabled/disabled status
- Last-scan time
- Version
Device attributes discovered through WMI Discovery will augment that device's profile. Also, notifications pertaining to the profiling of WMI-responsive Windows devices are expected to be made available at about the same time.
About WMI
Some basics on WMI Discovery in Asset Manager Enterprise Edition:
- WMI Discovery relies on port 135 to function; port 135 must be responsive in order to generate targets for WMI. When your company's Active Directory administrator is asked to create a new user with WMI permissions (or to give WMI permissions to an existing user), the admin will also need to allow port 135 in the company's Active Directory firewall rules Group Policy. Note that port 135 is only the DCOM endpoint mapper: the WMI session itself continues on a dynamically assigned RPC port, so the same firewall policy must allow that traffic too (the built-in "Windows Management Instrumentation (WMI)" rule group covers both).
- WMI access is credentialed, with the proper DCOM and UAC settings provided by your Windows Domain Controller administrator. This means that your system administrator will need to manually input or import WMI credentials into a collector's WMI configuration. It also means that every device in the WMI-configured zone will be tested using every credential: Asset Manager WMI Discovery tries credentials in the order they are provided and uses the first one that works.
- The overhead on the Asset Manager system of testing many credentials against each device may be significant. WMI queries take about 800 ms per WMI-responsive device (per credential). Asset Manager runs 10 threads at a time, so in aggregate the system can handle approximately 10 WMI responders per second.
- Your company's users with domain-admin-level authorization have WMI access to all devices on the domain by default.
- It is recommended that the user "Asset Manager" be made a domain admin, unique to Asset Manager, and non-expiring, in order to configure WMI security settings globally, domain-wide.
- Windows domain-admin-level access is recommended because each Windows machine has its own setting and there is no standard Windows AD Group Policy setting one can apply to allow WMI access for non-domain-admin users.
- If adding Windows domain admin users to Asset Manager is not permitted, you can instead use a PowerShell script to create a non-admin, read-only user. The online documents under Related Links list the steps for writing a script that sets the appropriate security descriptors. They also explain how to place the script in a Windows AD GPO as a startup script so that your computers pick up the updated security settings at boot time.
- The Asset Manager system prioritizes the testing of WMI credentials in the top-down order in which they are listed. Asset Manager encrypts the WMI credentials before storing them in its database. Cloud and SNMP credentials are encrypted in the same way.
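The following is an added example of the kind of startup script the previous list describes; it is not Asset Manager's code and not the forum script under Related Links. It grants one domain account read-only remote WMI access on the machine it runs on, by adding an ACE to the root\cimv2 namespace DACL and putting the account in the local "Distributed COM Users" group for DCOM activation. The account name CONTOSO\svc-assetmgr is a placeholder. It is written to run elevated (a GPO startup script runs as SYSTEM) and is idempotent, because a startup script runs at every boot.

```powershell
# Added example, not Asset Manager's own code. Grants $Account read-only remote
# WMI access to $Namespace on the local machine. Account name is a placeholder.
param(
    [string]$Account   = 'CONTOSO\svc-assetmgr',   # assumption: replace with your service account
    [string]$Namespace = 'root\cimv2'
)

# WMI namespace access bits as shown in wmimgmt.msc > Security.
$WBEM_ENABLE        = 0x01   # "Enable Account": read class and instance data
$WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable": allow that read over DCOM
$CONTAINER_INHERIT  = 0x02   # AceFlags: inherit into sub-namespaces
$ACCESS_ALLOWED     = 0      # AceType
# Deliberately not granted: WBEM_METHOD_EXECUTE (0x02), the write bits
# (0x04, 0x08, 0x10), READ_CONTROL (0x20000) and WRITE_DAC (0x40000).
# "Read-only" for Win32_Service/Win32_OperatingSystem reads is exactly the two bits above.

$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# The namespace DACL lives on the __SystemSecurity singleton of that namespace.
$path = '__systemsecurity=@'
$get  = Invoke-WmiMethod -Namespace $Namespace -Path $path -Name GetSecurityDescriptor
if ($get.ReturnValue -ne 0) {
    throw "GetSecurityDescriptor on $Namespace failed with $($get.ReturnValue)"
}
$sd = $get.Descriptor

# Idempotent: do not stack a duplicate ACE on every boot.
$existing = @($sd.DACL | Where-Object { $_.Trustee.SidString -eq $sid })
if ($existing.Count -eq 0) {
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SidString = $sid

    $ace = ([wmiclass]'Win32_ACE').CreateInstance()
    $ace.AccessMask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
    $ace.AceFlags   = $CONTAINER_INHERIT
    $ace.AceType    = $ACCESS_ALLOWED
    $ace.Trustee    = $trustee

    $sd.DACL += $ace.PSObject.ImmediateBaseObject
    $set = Invoke-WmiMethod -Namespace $Namespace -Path $path -Name SetSecurityDescriptor `
                            -ArgumentList $sd.PSObject.ImmediateBaseObject
    if ($set.ReturnValue -ne 0) {
        throw "SetSecurityDescriptor on $Namespace failed with $($set.ReturnValue)"
    }
}

# DCOM side: remote launch/activation of the WMI service for non-admins
# comes from membership in this built-in group, not from the namespace ACE.
$member = Get-LocalGroupMember -Group 'Distributed COM Users' -ErrorAction SilentlyContinue |
          Where-Object { $_.SID.Value -eq $sid }
if (-not $member) {
    Add-LocalGroupMember -Group 'Distributed COM Users' -Member $Account
}
```

Two caveats when deploying this through a GPO: UAC's remote token filtering applies only to local accounts, so a domain service account needs no LocalAccountTokenFilterPolicy change; and the namespace ACE inherits into sub-namespaces of root\cimv2 only, so if you later add WMI queries against another namespace (root\SecurityCenter2, for example) the script has to be run for that namespace as well.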
Considerations
In configuring WMI Discovery, the following are recommendations and things to keep in mind:
- We recommend that you create one collector for each set of WMI credentials and set the CIDR range in Discovery Spaces to contain only the devices that will respond successfully to those credentials. This:
  - minimizes the time it takes to scan the network;
  - minimizes the chance that the WMI credential is locked out, since every credential that does not match a device is a failed logon against it (TIP: increase the account lockout threshold, keeping in mind that a higher threshold also gives a password-guessing attacker more attempts, so scoping the credential correctly is the safer fix);
  - lets you optimize the rescan interval for WMI.
- We recommend that you set up a specific Active Directory account for use with Asset Manager and WMI Discovery. This lets you tailor the permissions and settings of the account to minimize access and make it read-only.
- Expiration of Windows credentials: be aware that if the Windows credentials expire, the Asset Manager system won't be able to retrieve data.
- WMI attributes expire after 14 days; all other device attributes expire after 2 days.
WMI Dashboards
On the Asset Manager main menu, under Dashboards, two WMI dashboards are available: WMI Summary and WMI Troubleshooting. Browse to Dashboards > WMI and select one. The widgets on each dashboard are summarized below.
WMI Summary

| WMI Summary Dashboard Widgets | Type | Description |
|---|---|---|
| WMI Responders by OS | Summary chart | Count of WMI operating systems across all zones |
| WMI Responders | Detail table | Devices across all zones that responded to WMI Discovery |
| Non-Responding WMI Device Summary | Summary chart | Count of device types across all zones that were unresponsive to WMI Discovery |
| Non-Responding WMI Devices | Detail table | Devices across all zones that were unresponsive to WMI Discovery |
| WMI Devices without Security Services Summary | Summary chart | Count of WMI-responsive device types across all zones that did not report any WMI security services |
| WMI Devices without Security Services | Detail table | WMI-responsive devices across all zones that did not report any WMI security services |
WMI Troubleshooting

| WMI Troubleshooting Dashboard Widgets | Type | Description |
|---|---|---|
| Windows Devices with WMI Port Closed Summary | Summary chart | Count of device types across all zones that were profiled as Windows yet did not have port 135 open |
| Windows Devices with WMI Port Closed | Detail table | Devices across all zones that were profiled as Windows yet did not have port 135 open |
| WMI Devices with No WMI Services Summary | Summary chart | Count of device types across all zones that were WMI-service responsive yet did not report any WMI security services |
| WMI Devices with No WMI Services | Detail table | Devices across all zones that were WMI-service responsive yet did not report any WMI security services |
See What Services are Running
You can input the IP address of any WMI-responsive device in a selected zone (or click a link in a WMI dashboard widget) to display a comprehensive list of the services on that box, for example Windows Defender and Tanium status information.
On the Asset Manager GUI, browse to Search > Device Details.
Input an IP address and zone name.
Click Search and the WMI Services tab.
All services on the box are listed, whether running or not (see the Started and State columns). The total number of records returned is shown below the table.
Search the Services
Use the control at the bottom of the results table to page through the results, or use the Search bar to filter out the records that don't match your criteria.
A description of each of the table columns follows:
- Name: Unique identifier of the service; it gives an indication of the functionality that is managed.
- Started: Indicates whether or not the service is started.
- State: Current state of the base service.
The values are:
* Stopped
* Start Pending
* Stop Pending
* Running
* Continue Pending
* Pause Pending
* Paused
* Unknown
- Status: Current status of the object. Various operational and non-operational statuses can be defined. Operational statuses include "OK", "Degraded", and "Pred Fail" (an element, such as a SMART-enabled hard disk drive, may be functioning properly but predicting a failure in the near future). Non-operational statuses include "Error", "Starting", "Stopping", and "Service". The last, "Service", can apply during mirror resilvering of a disk, reload of a user permissions list, or other administrative work.
The values are:
* OK
* Error
* Degraded
* Unknown
* Pred Fail
* Starting
* Stopping
* Service
* Stressed
* NonRecover
* No Contact
* Lost Comm
See https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-service for information from Microsoft on their Win32_Service class.
Accurately Identify All Windows Devices
Use the Attributes tab to check security compliance. You could check, for example, to ensure that all Windows systems are Windows 10 or later.
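The following added example reproduces by hand, from a Windows host, the sequence described in "About WMI" and surfaced in the WMI Services tab and the Attributes tab above: the port-135 precondition, credentials tried top-down until one opens a DCOM session, a Win32_OperatingSystem read (the WMI_OS, WMI_OS_Version and WMI_OS_ServicePack attributes, plus the "Windows 10 or later" check), and a Win32_Service read filtered to the security agents the page names. It is not Asset Manager's code. Assumptions: the target IP, the account names and the service names in $SecurityServices are placeholders for your environment, and the host running it can reach TCP 135 plus the dynamic RPC range on the target. Unlike the Asset Manager credential form, this standalone test takes the account in DOMAIN\user form.

```powershell
# Added example, not Asset Manager's own code. Manual re-creation of a collector's
# WMI probe against one target. All names and addresses below are placeholders.

# Service names (assumed) for the products the WMI Services tab is meant to surface.
$SecurityServices = [ordered]@{
    'WinDefend'     = 'Windows Defender'
    'masvc'         = 'McAfee Agent (HBSS)'
    'Tanium Client' = 'Tanium Agent'
}

function Get-ServiceExePath {
    # Win32_Service.PathName may be quoted and may carry arguments; keep only the executable.
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Test-WmiTarget {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [pscredential[]] $Credentials   # order matters: first success wins
    )
    $result = [ordered]@{ Target = $Target; Port135Open = $false; CredentialUsed = $null
                          OS = $null; Services = @() }

    # 1. Port Discovery precondition: no open 135, no WMI target.
    $probe = Test-NetConnection -ComputerName $Target -Port 135 -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) { return [pscustomobject]$result }
    $result.Port135Open = $true

    # 2. Credentials are tried in list order. Each rejection is a failed logon on the
    #    target, which is what drives the lockout risk noted under Considerations.
    $opt = New-CimSessionOption -Protocol Dcom
    $session = $null
    foreach ($cred in $Credentials) {
        try {
            $session = New-CimSession -ComputerName $Target -Credential $cred `
                                      -SessionOption $opt -OperationTimeoutSec 10 -ErrorAction Stop
            $result.CredentialUsed = $cred.UserName
            break
        } catch {
            Write-Verbose ("{0}: {1} rejected ({2})" -f $Target, $cred.UserName, $_.Exception.Message)
        }
    }
    if (-not $session) { return [pscustomobject]$result }

    try {
        # 3. WMI_OS / WMI_OS_Version / WMI_OS_ServicePack come from Win32_OperatingSystem.
        $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
        $result.OS = [pscustomobject]@{
            Name         = $os.Caption
            Version      = $os.Version
            ServicePack  = $os.ServicePackMajorVersion
            Win10OrLater = ([version]$os.Version).Major -ge 10   # the compliance check from the Attributes tab
        }

        # 4. The WMI Services tab is Win32_Service; filter to the security agents of interest.
        $all = Get-CimInstance -CimSession $session -ClassName Win32_Service
        $result.Services = foreach ($name in $SecurityServices.Keys) {
            $svc = $all | Where-Object Name -eq $name
            $version = $null
            if ($svc) {
                # Version is read on the remote box through CIM_DataFile; WQL wants backslashes doubled.
                $exe = (Get-ServiceExePath $svc.PathName) -replace '\\', '\\'
                $version = (Get-CimInstance -CimSession $session -ClassName CIM_DataFile `
                                -Filter "Name='$exe'").Version
            }
            [pscustomobject]@{
                Product   = $SecurityServices[$name]
                Service   = $name
                Installed = [bool]$svc
                Running   = ($svc.State -eq 'Running')
                State     = $svc.State       # Stopped, Running, Start Pending, ...
                Status    = $svc.Status      # OK, Degraded, Error, ...
                Version   = $version
            }
        }
    } finally {
        Remove-CimSession $session
    }
    return [pscustomobject]$result
}

# Usage: credentials in the order the collector would try them (placeholder accounts).
$creds = @(
    (New-Object System.Management.Automation.PSCredential -ArgumentList 'CONTOSO\svc-assetmgr',
        (Read-Host -AsSecureString 'Password for CONTOSO\svc-assetmgr')),
    (New-Object System.Management.Automation.PSCredential -ArgumentList 'CONTOSO\svc-assetmgr-old',
        (Read-Host -AsSecureString 'Password for CONTOSO\svc-assetmgr-old'))
)
$r = Test-WmiTarget -Target '10.0.0.25' -Credentials $creds -Verbose
$r | Format-List Target, Port135Open, CredentialUsed, OS
$r.Services | Format-Table -AutoSize
```

Reading the output against the dashboards: Port135Open false corresponds to "Windows Devices with WMI Port Closed"; a session but an empty or all-false Services list corresponds to "WMI Devices with No WMI Services"; and a rejected first credential with an accepted second one is exactly the case where a dedicated collector and a tighter CIDR range would have avoided a failed logon.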
Run WMI Discovery
This discovery type, configured in Settings > Zones, uses WMI credentials that you input manually or import.
For the User Name field, do not add the domain name. For example, do not use admin@local.net or local.net\bob for the user name portion.
WMI Queries
A description of each WMI query is available in the lower right-hand corner of the Properties panel, under Comment.
WMI Map Highlighting
Asset Manager can highlight WMI_OS, WMI_OS_Version, and WMI_OS_ServicePack on its maps. The capability to highlight on an Asset Manager zone map all nodes that have specific services (e.g., Windows Defender, McAfee, Tanium) installed and/or running is planned for development.
Related Links
To create a non-domain admin user with WMI rights, create a script of security descriptors using these procedures:
Forum FAQ: How to deploy WMI namespace security settings via a global policy orchestrator?