Windows (WinRM)

Windows Remote Management (WinRM) can be used inventorying Windows-based operating systems in vScope. WinRM is a Microsoft implementation of WS-Management Protocol, Read more, and allows vScope to collect detailed data about Windows resources, such as system hardware, software, and configurations, with more efficiency and security than WMI. WinRM is therefore generally faster and more resilient than WMI, especially in environments with high network latency

Tip

Consider reviewing different options for Windows discovery in the following post before adding WinRM.

---

Requirements

• Permission: Ensure the account used for WinRM discovery has the necessary permissions on the target Windows systems. These settings can be controlled:
  • Using GPO
  • Using local/domain administrator.
• Access: Ensure that the selected port is open on the target machine.

You may want to review different options for Windows Discovery

Adding WinRM vScope

1. Go to Discovery > Credentials.
2. Click Create Credential, and select Windows (WMI).
3. Ensure that “Use WinRM” is enabled under Advanced settings.
4. Configure your Integration Settings by adding the credential details. You can reuse an existing credential, or create a new one from scratch.
5. Select the target to be discovered by this credential and click Create.

Good job! You have now configured Windows OS inventory using WinRM.

---

How it works…

When using WinRM, vScope will pack and send the VBScript to the temp catalog on the target machine. The scripts are then run using a command. The command is encrypted to make it easier to run. After the results of the scripts are collected, the information is sent back to the vScope server and the VBscript in the temp catalog is removed.

How can I change location for WinRM scripts?

vScope uses temporary folders to store scripts during the inventory process. There are two key locations for these temp folders: the vScope server itself and the remote Windows servers (for WinRM-based discovery).

Temp Folders on the vScope Server

To specify a custom temporary folder for storing scripts on the vScope server, add the following lines to the config.ini file, located at C:\vScopeData\configuration\config.ini:

setting discovery.probe.wmi.local_script_folder %TEMP%
setting discovery.probe.wmi.local_script_folder c:\\windows\\temp
setting discovery.probe.wmi.local_script_folder null

If the specified custom path for the temp folder on the vScope server encounters any issues (e.g., access or write permissions), vScope will automatically revert to its default temp folder. Ensure that the custom folder path:

• Exists on the vScope server.
• Has write permissions for the account running the vScope service.

---

Temp Folders on Remote Windows Servers (WinRM Only)

When using WinRM to inventory Windows machines, vScope executes PowerShell scripts in a TEMP folder on each remote machine. By default, this TEMP folder is defined by the $env:temp environment variable, which typically resolves to:

C:\Users{wmi-credential-user}\AppData\Local\Temp

Note

This TEMP folder may be inaccessible to users without Administrator privileges on the target machine. Adjusting permissions or selecting a different TEMP folder can help avoid potential permission issues during inventory scans.

---

Changing the Remote TEMP Folder for WinRM PowerShell Scripts

To specify an alternative TEMP folder location for PowerShell scripts on remote Windows servers, add the following line to the config.ini file on the vScope server:

discovery.probe.wmi.remote_script_folder=[YOUR_DESIRED_PATH]

Replace [YOUR_DESIRED_PATH] with the path you want vScope to use for temporary files on remote servers. This path must:

• Exist on the remote servers where vScope is running inventory tasks.
• Allow write permissions for the user account specified in the WMI credential.
• For example, you could specify:

discovery.probe.wmi.remote_script_folder=C:\CustomTempFolder

Ensuring Permissions

Permissions are crucial for vScope’s inventory process, especially when using a custom temporary folder on remote machines for PowerShell script execution. To ensure the setup runs smoothly:

1. Verify Folder Permissions: Confirm that the specified folder path (C:\CustomTempFolder or your chosen path) grants read and write permissions for the WMI credential user across all target machines. This user must be able to create, read, modify, and delete files within this folder.

2. Testing Access: Manually log in as the WMI credential user on a remote server and attempt to create and delete a test file in the specified TEMP folder. This will help confirm that vScope’s inventory operations won’t encounter permission errors during discovery.

3. Administrative Privileges: If the custom TEMP folder is not accessible due to permissions issues, consider adjusting the user privileges or selecting a different folder that is universally writable by all users, such as C:\Windows\Temp. However, note that using the C:\Windows\Temp folder may require administrative rights on some systems.

4. Check Network Policies: Ensure network policies or group policies do not restrict access to the designated folder path. Some environments may restrict access to certain folders for security reasons, impacting vScope’s ability to write temporary files.

---

Additional Notes

• Folder Clean-up: vScope is designed to remove temporary files after each inventory process. However, regularly check the custom TEMP folder to ensure it does not accumulate unused files, especially if permissions or network issues interfere with cleanup.

• Config File Changes: Any changes to config.ini require a restart of the vScope service on the server for the new settings to take effect.

• Environment-Specific Paths: If you manage a diverse environment with various operating systems or folder permissions, consider using a folder that is consistently available across all systems, or set individual paths in config.ini as needed.