Enrich Windows workstation and server data with a local script (Public preview)

Note

This feature is in PREVIEW. The Azure Preview Supplemental Terms include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

In addition to detecting OT devices on your network, use Defender for IoT to discover Microsoft Windows workstations and servers and to enrich the data for workstations and servers already detected. Like other detected devices, detected Windows workstations and servers are displayed in the Device inventory. The Device inventory pages on the sensor and on the on-premises management console show enriched data about Windows devices, including data about the Windows operating system and installed applications, patch-level data, open ports, and more.

This article describes how to use the Defender for IoT Windows-based WMI tool to get extended information from Windows devices, such as workstations and servers. Run the WMI script on your Windows devices to collect this information and increase your device inventory and security coverage. Although you can also use scheduled WMI scans to obtain this data, running the script locally supports regulated networks with waterfalls and one-way elements where WMI connectivity isn't possible.

The script described in this article returns the following details about each detected device:

  • IP address
  • MAC address
  • Operating system
  • Service pack
  • Installed programs
  • Last knowledge base update

If an OT network sensor has already detected the device, running the script outlined in this article retrieves the device's information and enrichment data.
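The Defender for IoT script itself is a packaged tool, so its internals aren't shown on this page. The following PowerShell is an added example, not the product's script, that reads the same categories of data the list above names (IP and MAC address, operating system, service pack, installed programs, last knowledge base update) from the local machine through CIM/WMI, so you can see what the enrichment data looks like before deciding where the snapshot files may travel. The function name Get-LocalEnrichmentData and the output file name are this example's own; it needs PowerShell 3.0 or later, so it doesn't run on the oldest systems in the supported list.

```powershell
# Added example (not the Defender for IoT script): read, via CIM/WMI, the same
# categories of data the page lists. Function and output names are hypothetical.
function Get-LocalEnrichmentData {
    [CmdletBinding()]
    param()

    # Adapters with an IP address assigned: IP and MAC address
    $nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.IPAddress } |
        ForEach-Object {
            [pscustomobject]@{
                IPAddress  = ($_.IPAddress -join ', ')
                MACAddress = $_.MACAddress
            }
        }

    # Operating system name, version and service pack level
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $servicePack = if ($os.ServicePackMajorVersion -gt 0) {
        "Service Pack $($os.ServicePackMajorVersion)"
    } else {
        'None'
    }

    # Installed programs from the Uninstall registry keys (64-bit and 32-bit views).
    # Win32_Product is avoided on purpose: enumerating it triggers MSI consistency checks.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique

    # Most recently installed knowledge base (hotfix) update
    $lastKb = Get-CimInstance -ClassName Win32_QuickFixEngineering |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1 HotFixID, InstalledOn

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Adapters          = $nics
        OperatingSystem   = "$($os.Caption) $($os.Version)"
        ServicePack       = $servicePack
        InstalledPrograms = $programs
        LastKbUpdate      = $lastKb
        CollectedAt       = (Get-Date).ToString('yyyyMMdd_HHmmss')
    }
}

# Usage: run locally and write a JSON snapshot for review.
# The file name below is this example's own, not the cx_snapshot format of the product.
$data = Get-LocalEnrichmentData
$data | ConvertTo-Json -Depth 4 |
    Set-Content -Path "enrichment_$($env:COMPUTERNAME)_$($data.CollectedAt).json"
```

The installed-programs list and hotfix history are the parts of this output that most directly feed patch-level reasoning, which is why the example reads them from the registry Uninstall keys and Win32_QuickFixEngineering rather than from Win32_Product.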

Prerequisites

Before performing the procedures in this article, you must have:

Supported operating systems

The script described in this article is supported for the following Windows operating systems:

  • Windows XP
  • Windows 2000
  • Windows NT
  • Windows 7
  • Windows 10
  • Windows Server 2003/2008/2012/2016/2019

Download and run the script

This procedure describes how to deploy and run a script on the Windows workstation and servers that you want to monitor in Defender for IoT.

The script collects enriched Windows data and runs as a utility, not as an installed program. Running the script doesn't affect the endpoint. You can deploy the script once, or on an ongoing basis, using standard automated deployment methods and tools.

  1. Sign into your OT sensor console, and select System Settings > Import Settings > Windows Information.

  2. Select Download script. For example:

    Screenshot of where to download WMI script.

  3. Copy the script to a local drive and unzip it. The following files appear:

    • start.bat
    • settings.json
    • data.bin
    • run.bat

  4. Run the run.bat file.

    After the script runs to probe the registry, a CX-snapshot file appears with the registry information. The filename indicates the machine name and the current date and time of the snapshot with the following syntax: cx_snapshot_[machinename]_[current date time].

Note the following about the files generated by the script:

  • They remain on the local drive until you delete them.
  • They must remain in the same location. Don't separate the generated files.
  • They're overwritten if you run the script again.

Import device details

After running the script as described earlier, import the generated data to your sensor to view the device details in the Device inventory.

To import device details to your sensor:

  1. Use standard, automated methods and tools to move the generated files from each Windows endpoint to a location accessible from your OT sensors.

    Don't update filenames or separate the files from each other.

  2. Sign into your OT sensor console, and select System Settings > Import Settings > Windows Information.

  3. Select Import File, and then select the relevant file.

    Screenshot of where to import WMI script.
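Step 1 leaves the transport method to you, with two constraints from this page: don't rename the generated files and don't separate them. The following PowerShell is an added example, not part of the product, of a collection job that copies each endpoint's script folder unchanged to a share the OT sensor can reach, skips endpoints where no cx_snapshot_* file exists yet, and verifies each copied snapshot by SHA-256 hash so a truncated copy is caught before import. The endpoint names, source folder and destination share are constructed placeholders; the job assumes administrative-share access (\\host\C$) to each endpoint.

```powershell
# Added example (not part of the product): collect the generated files, unchanged,
# from each Windows endpoint to a share reachable from the OT sensor.
# $Endpoints, $SourceFolder and $DestinationRoot are constructed placeholders.
param(
    [string[]]$Endpoints = @('WS-EXAMPLE-01', 'SRV-EXAMPLE-02'),  # constructed names
    [string]$SourceFolder = 'C:\DefenderIoT\wmi',                  # folder where run.bat was executed
    [string]$DestinationRoot = '\\fileserver\iot-import'           # share reachable from the sensor
)

foreach ($endpoint in $Endpoints) {
    # Turn C:\path into \\host\C$\path (administrative share)
    $source = "\\$endpoint\$($SourceFolder.Replace(':', '$'))"
    $target = Join-Path $DestinationRoot $endpoint

    # Fail early rather than copy a partial set: the generated files must stay together
    if (-not (Test-Path $source)) {
        Write-Warning "Skipping ${endpoint}: $source not reachable"
        continue
    }
    $snapshots = Get-ChildItem -Path $source -Filter 'cx_snapshot_*' -File
    if (-not $snapshots) {
        Write-Warning "Skipping ${endpoint}: no cx_snapshot_* file found (script not run yet?)"
        continue
    }

    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Copy the whole folder with original file names; /E includes subfolders,
    # /R and /W limit retries so an unreachable host doesn't stall the job
    robocopy $source $target /E /R:2 /W:5 /NP | Out-Null
    # robocopy exit codes 0-7 indicate success; 8 and above indicate failures
    if ($LASTEXITCODE -ge 8) {
        Write-Error "Copy from $endpoint failed with robocopy exit code $LASTEXITCODE"
        continue
    }

    # Integrity check: each snapshot on the share must hash the same as the original
    foreach ($file in $snapshots) {
        $copied  = Join-Path $target $file.Name
        $srcHash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -Path $copied -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) {
            Write-Error "Hash mismatch for $($file.Name) from $endpoint; re-run the copy before importing"
        }
    }
    Write-Output "Collected $($snapshots.Count) snapshot file(s) from $endpoint into $target"
}
```

Keeping one subfolder per endpoint on the share preserves the original file names and keeps each endpoint's files together, which is what the import step requires.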

View devices applications report

After downloading and running the script, and then importing the generated data to your sensor, you can view your devices' applications with a custom data mining report.

To view the devices' applications:

  1. Sign into your OT sensor console, and select Data mining.

  2. Select + Create report to create a custom report. In the Choose Category field, select Devices Applications. For example:

    Screenshot of creating devices applications custom report.

  3. Your devices applications report is shown in the My reports area.

Next steps

For more information, see Detect Windows workstations and servers with a local script and Import extra data for detected OT devices.