Detect Windows workstations and servers with a local script

In addition to detecting OT devices on your network, use Defender for IoT to discover Microsoft Windows workstations and servers. Same as other detected devices, detected Windows workstations and servers are displayed in the Device inventory. The Device inventory pages on the sensor and on-premises management console show enriched data about Windows devices, including data about the Windows operating system and applications installed, patch-level data, open ports, and more.

This article describes how to configure Defender for IoT to detect Windows workstations and servers with local surveying, performed by distributing and running a script on each device. While you can use active scanning and scheduled WMI scans to obtain this data, working with local scripts bypasses the risks of running WMI polling on an endpoint. Running a local script is also useful for regulated networks that have waterfalls and one-way elements.

For more information, see Configure Windows Endpoint Monitoring.

Supported operating systems

The script described in this article is supported for the following Windows operating systems:

  • Windows XP
  • Windows 2000
  • Windows NT
  • Windows 7
  • Windows 10
  • Windows Server 2003/2008/2012/2016


Before you start, make sure that you have:

  • Administrator permissions on any devices where you intend to run the script
  • A Defender for IoT OT sensor already monitoring the network where the device is connected

If an OT network sensor has already learned the device, running the script will retrieve its information and enrichment data.

Run the script

This procedure describes how to obtain, deploy, and run the script on the Windows workstation and servers that you want to monitor in Defender for IoT.

The script you run to detect enriched Windows data is run as a utility and not as an installed program. Running the script doesn't affect the endpoint.

  1. To acquire the script, contact customer support.

  2. Deploy the script once, or using ongoing automation, using standard automated deployment methods and tools.

  3. Copy the script to a local drive and unzip it. The following files appear:

    • start.bat
    • settings.json
    • data.bin
    • run.bat
  4. Run the run.bat file.

    After the script runs to probe the registry, a CX-snapshot file appears with the registry information. The filename indicates the system name, date, and time of the snapshot with the following syntax: CX-snaphot_SystemName_Month_Year_Time

Files generated by the script:

  • Remain on the local drive until you delete them.
  • Must remain in the same location. Do not separate the generated files.
  • Are overwritten if you run the script again.

Import device details

After having run the script as described earlier, import the generated data to your sensor to view the device details in the Device inventory.

To import device details to your sensor:

  1. Use standard, automated methods and tools to move the generated files from each Windows endpoint to a location accessible from your OT sensors.

    Do not update filenames or separate the files from each other.

  2. On your OT sensor console, select System Settings > Import Settings > Windows Information.

  3. Select Import File, and then select all the files (Ctrl+A).

  4. Select Close. The device registry information is imported and a successful confirmation message is shown

    If there's a problem uploading one of the files, you'll be informed which file upload failed.

Next steps

For more information, see View detected devices on-premises.