Best practice for disabling Windows desktop/laptop in Discovery

Jordan Rhude
Tera Contributor

So in our instance we are ingesting the bulk of our computer and some server records from SCCM, and then use Discovery to pull in some server and mostly network and printer CIs. Recently, Discovery has found some PCs while running, and hits them with a pattern/probe that runs a PowerShell script that is ringing alarm bells for the security team.

So here is the question: is it best practice to disable the Windows computer from the Discovery configuration console, or to disable the probe/pattern?
We would like to keep SCCM as the primary source for Windows desktops/laptops, while retaining functionality via IRE, SAM, and HAM, only pulling the computers via SCCM and not via Discovery.

Any help is appreciated.

tphillips
Tera Contributor

If possible, segment your workstations to their own IP range. Don't use Credential-less discovery. Don't put your Windows Discovery Credential(s) on the workstations. Exclude any IP addresses that are workstations. You might need to update those after each discovery as needed.

Tom
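An added example, not part of the thread or of ServiceNow's own tooling: one way to derive and maintain the workstation exclusion list suggested in the reply above, from an SCCM export of workstation IPs. The sample addresses, networks and function names are constructed for illustration, and loading the resulting ranges into Discovery is left to the administrator.

```python
import ipaddress

# Constructed sample data (assumption): workstation IPs exported from SCCM
# and the networks a Discovery schedule is allowed to scan.
SCCM_WORKSTATION_IPS = [
    "10.20.4.10", "10.20.4.11", "10.20.4.12", "10.20.4.11",  # duplicate row
    "10.20.4.40", "10.20.7.5", "192.168.50.9",               # last one is out of scope
]
DISCOVERY_NETWORKS = ["10.20.4.0/24", "10.20.7.0/24"]


def in_scope(workstation_ips, discovery_networks):
    """Sorted, de-duplicated workstation addresses that Discovery would reach."""
    nets = [ipaddress.ip_network(n) for n in discovery_networks]
    ips = {ipaddress.ip_address(i) for i in workstation_ips}
    return sorted(ip for ip in ips if any(ip in n for n in nets))


def exclusion_ranges(workstation_ips, discovery_networks):
    """Merge consecutive in-scope workstation IPs into (first, last) ranges."""
    ranges = []
    for ip in in_scope(workstation_ips, discovery_networks):
        if ranges and int(ip) == int(ranges[-1][1]) + 1:
            ranges[-1][1] = ip          # extend the current run
        else:
            ranges.append([ip, ip])     # start a new run
    return [(str(first), str(last)) for first, last in ranges]


def uncovered(workstation_ips, discovery_networks, current_ranges):
    """In-scope workstations that the existing exclusion ranges do not cover.

    Run after each SCCM import: anything returned here is a workstation that
    the next Discovery run would still probe.
    """
    spans = [(ipaddress.ip_address(a), ipaddress.ip_address(b))
             for a, b in current_ranges]
    return [str(ip) for ip in in_scope(workstation_ips, discovery_networks)
            if not any(a <= ip <= b for a, b in spans)]


if __name__ == "__main__":
    for first, last in exclusion_ranges(SCCM_WORKSTATION_IPS, DISCOVERY_NETWORKS):
        print(first if first == last else f"{first}-{last}")
```

A non-empty result from `uncovered` is the signal that the exclusion list has drifted from the SCCM inventory and needs updating before the next scheduled run.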

Yeah, that is a good suggestion, but it would require a lot of change via our network team. While I agree that would be best practice, I'm not sure it's an option for us atm.

AJ-TechTrek
Giga Sage

Hi @Jordan Rhude

Please use the Behaviour discovery, and don't create the Windows Credentials.

Also, you can ignore the IP range for Windows and Computer CI.

Please appreciate the efforts of community contributors by marking the appropriate response as "Mark my Answer Helpful" or "Accept Solution". This may help other community users to follow the correct solution in future.

Thanks

AJ

Linkedin Profile:- https://www.linkedin.com/in/ajay-kumar-66a91385/

That is also a thought I had that we had not considered. If we turn the creds off for those CI types, the PowerShell scripts would not be able to run on those devices.