Windows Discovery - Security Requirements | v8+

Certero Network Discovery will query the hostname, domain & operating system of Windows computers, which is great for the discovery of non-domain computers that are not covered by your AD connector(s). Successful queries rely on the Certero Endpoint Server and the target Windows devices all being configured with compatible, best-practice security settings for NTLM and SMB client & server. This article explains how to identify issues and troubleshoot your configuration.

Windows Network Discovery Failure

A successfully queried Windows computer looks like this in the Endpoint Server Network Discovery log :

2023-07-26 11:29:03 - INFO: Found computer YB09VM99 (Windows 10.0.14393) with IP address 192.168.20.101

Found computer means that we've determined the operating system, and so the discovery record will appear in the Client Management > Computers data grid. Client Management > Computers only contains records for which we know the operating system, which means we know that they are a computer.

An unsuccessful Windows computer discovery looks like this:

2023-07-26 11:29:03 - INFO: Found ICMP device 192.168.20.100 (<hostname.domain.com>)

... which might be accompanied with a warning:

2023-07-17 14:35:10 - WARNING: <warning message>

In this case, Found ICMP device means that Certero Network Discovery was unable to determine the hostname and operating system, and because we don't know the operating system, the discovery record will appear in the Client Management > ICMP Devices data grid. The host answered ICMP, but the Windows-specific query (SMB/NTLM) that returns the hostname, domain and operating system did not succeed; that failed query is the problem to troubleshoot.

The Found ICMP device log entry will have a hostname appended to it if the IP address can be resolved via DNS.

Security Configuration

As per the opening paragraph, successful Windows Network Discovery requires sensible and compatible configuration of security settings for SMB, NTLM, etc. These settings are not managed by Certero, and because they have evolved over the years (SMB1 retirement, SMB signing and encryption, NTLM restrictions), it's not uncommon for organizations to have a mix of old, new and mutually incompatible settings across different parts of the estate, perhaps deployed by Group Policy.

If you're having problems with Windows Network Discovery, we recommend reviewing your security policy environment (e.g. GPO) to ensure that you have a consistent, modern, best-practice deployment of settings across your Windows estate. The key settings to review are the SMB server & client configuration, and the Windows Local Security Policy.

SMB Configuration

The SMB server configuration to inspect on the target Windows computers is listed with the Get-SmbServerConfiguration PowerShell cmdlet (run on the target, or remotely against it):

The command to inspect the SMB client settings on the Certero Endpoint Server that's running the discovery is the Get-SmbClientConfiguration PowerShell cmdlet (run locally on the Endpoint Server):

The Endpoint Server is the SMB client which is querying the SMB server running on the discovery targets.
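The following script is an added example, not part of the Certero article or product: it pulls the security-relevant SMB server settings from one discovery target over PowerShell Remoting and the SMB client settings from the Endpoint Server it runs on, then flags two combinations that are worth a closer look. It assumes it is run on the Endpoint Server, that the target (YB09VM99, the hostname from the log above) accepts PowerShell Remoting, and that you have local administrator rights on the target; the property list is a selection, not the full output of either cmdlet.

```powershell
# Added example (not Certero code): inspect SMB server settings on a discovery target and
# SMB client settings on the Certero Endpoint Server, side by side.
# Assumptions: run on the Endpoint Server; $Target accepts PowerShell Remoting (WinRM) and you
# are a local administrator on it. Replace the hostname with your own target.

$Target = 'YB09VM99'

# Security-relevant SMB server properties. Names are those returned by Get-SmbServerConfiguration
# (Windows 8 / Windows Server 2012 and later); older OS versions do not have the cmdlet at all.
$ServerProps = 'EnableSMB1Protocol', 'EnableSMB2Protocol',
               'EnableSecuritySignature', 'RequireSecuritySignature',
               'EncryptData', 'RejectUnencryptedAccess'

# SMB client properties on the machine running discovery.
# EnableInsecureGuestLogons only exists on Windows 10 1709 / Server 2019 and later.
$ClientProps = 'EnableSecuritySignature', 'RequireSecuritySignature',
               'EnableInsecureGuestLogons'

# Server side: executed on the target. -ErrorAction Stop makes WinRM or authentication
# failures visible instead of silently returning nothing.
$Server = Invoke-Command -ComputerName $Target -ErrorAction Stop -ScriptBlock {
    Get-SmbServerConfiguration | Select-Object -Property $using:ServerProps
}

# Client side: executed locally on the Endpoint Server.
$Client = Get-SmbClientConfiguration | Select-Object -Property $ClientProps

"--- SMB server configuration on $Target ---"
$Server | Format-List -Property $ServerProps
"--- SMB client configuration on $env:COMPUTERNAME (Endpoint Server) ---"
$Client | Format-List -Property $ClientProps

# Combinations worth investigating (these are hints, not a verdict on what your policy should be):
# 1. A target that only speaks SMB1 cannot be reached from a client where SMB1 has been removed.
if ($Server.EnableSMB1Protocol -and -not $Server.EnableSMB2Protocol) {
    Write-Warning "$Target has SMB2 disabled and only offers SMB1; check that the Endpoint Server still has an SMB1 client"
}
# 2. Signing mismatch. For SMB2 and later, Windows clients sign whenever the server requires it,
#    so this mainly matters for SMB1 sessions, but it is a cheap thing to rule out.
if ($Server.RequireSecuritySignature -and -not $Client.EnableSecuritySignature) {
    Write-Warning "$Target requires SMB signing but the client has signing disabled"
}
```

Run it once for a target that shows up as "Found computer" and once for one that shows up as "Found ICMP device"; if the Invoke-Command itself fails with an authentication or access-denied error, that failure is often the same NTLM/SMB policy problem the discovery query is hitting.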

Local Security Policy

The local security settings to inspect are found under Local Policies > Security Options in the Local Security Policy editor (secpol.msc), as per the following image. The key settings in there are the ones prefixed with Network security (LAN Manager authentication level, minimum session security for NTLM SSP clients and servers, NTLM traffic restrictions), but there may be more which you need to assess. When these are delivered by Group Policy, the effective values on a given computer are the GPO values, not what was set locally.

Final Words

If you have a mix of old and new policies, and/or discovery is working for some Windows computers but not others, it's useful to compare the settings above side by side for a working and a failing case, to understand what you need to change or consolidate.
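The following script is an added example, not Certero code, covering both the Local Security Policy section above and this side-by-side comparison. It collects the SMB server settings and the registry values behind the "Network security" entries in Security Options from two targets, one that discovers successfully and one that does not, and prints only the settings that differ. It assumes both targets accept PowerShell Remoting from the Endpoint Server with local administrator rights; the hostname WS-BROKEN01 is a placeholder. The registry locations are the documented storage for those policy settings, so they reflect what Group Policy has actually applied; a missing value means "Not Defined" (OS default). The script reports differences only and does not say which side is right.

```powershell
# Added example (not Certero code): compare SMB server settings and "Network security" policy
# values between a working and a non-working discovery target.
# Assumptions: run on the Endpoint Server; both hosts accept PowerShell Remoting and you are a
# local administrator on them. Hostnames are placeholders.

$Working    = 'YB09VM99'      # appears as "Found computer" in the discovery log
$NotWorking = 'WS-BROKEN01'   # appears as "Found ICMP device" (hypothetical name)

# Runs on each target and returns one flat object: "Smb.<property>" and "Lsa.<value>" names.
$Collector = {
    # Registry locations of the Security Options "Network security:" settings
    # (LmCompatibilityLevel = LAN Manager authentication level,
    #  NTLMMinClientSec/NTLMMinServerSec = minimum session security for NTLM SSP clients/servers,
    #  RestrictSendingNTLMTraffic/RestrictReceivingNTLMTraffic = NTLM traffic restrictions).
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"
    $smb = Get-SmbServerConfiguration

    $result = [ordered]@{}
    foreach ($p in 'EnableSMB1Protocol', 'EnableSMB2Protocol',
                   'EnableSecuritySignature', 'RequireSecuritySignature',
                   'EncryptData', 'RejectUnencryptedAccess') {
        $result["Smb.$p"] = $smb.$p
    }
    foreach ($v in 'LmCompatibilityLevel', 'NoLMHash') {
        # Absent value => policy not defined; leave $null so it shows as blank in the table.
        $result["Lsa.$v"] = (Get-ItemProperty -Path $lsa -Name $v -ErrorAction SilentlyContinue).$v
    }
    foreach ($v in 'NTLMMinClientSec', 'NTLMMinServerSec',
                   'RestrictSendingNTLMTraffic', 'RestrictReceivingNTLMTraffic') {
        $result["Lsa.MSV1_0.$v"] = (Get-ItemProperty -Path $msv -Name $v -ErrorAction SilentlyContinue).$v
    }
    [pscustomobject]$result   # PSCustomObject survives remoting with property order intact
}

$a = Invoke-Command -ComputerName $Working    -ScriptBlock $Collector -ErrorAction Stop
$b = Invoke-Command -ComputerName $NotWorking -ScriptBlock $Collector -ErrorAction Stop

# Invoke-Command adds PSComputerName/RunspaceId properties; ours all contain a dot, so filter on that.
$rows = foreach ($prop in ($a.PSObject.Properties | Where-Object Name -like '*.*')) {
    $name = $prop.Name
    [pscustomobject]@{
        Setting    = $name
        Working    = $a.$name
        NotWorking = $b.$name
        Differs    = ("$($a.$name)" -ne "$($b.$name)")
    }
}

"--- All collected settings ---"
$rows | Format-Table -AutoSize
"--- Settings that differ between $Working and $NotWorking ---"
$rows | Where-Object Differs | Format-Table Setting, Working, NotWorking -AutoSize
```

The list of properties and registry values is a starting point, not an exhaustive one; if the two hosts show no differences here, extend the collector with the other Security Options you use (for example the "Network access" entries) before concluding that policy is not the cause. NTLMMinClientSec and NTLMMinServerSec are bit masks, so compare them as the raw numbers rather than reading them as "on" or "off".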

Certero can't advise what security settings you should be using. You'll need to determine which best-practice configuration and security posture suits your organization.