Discovering Windows Server in DMZ

Amanda35
Tera Contributor

We're trying to set up Discovery for our DMZ. Our security team has given their blessing to open up the needed ports between our MID server and the DMZ, but only the bare minimum needed for Discovery to work properly. I've read a bunch of KBs and articles saying ports 135 and 49152-65535 (WMI) or 5985 and 8986 (WinRM) are the only ports needed for Windows Discovery.

 

Do any other ports need to be allowed for Discovery to discover these Windows servers?

Additionally, we created a local admin account on the servers and added the account in ServiceNow. We're getting failures when testing those credentials as well. Are any special allowances needed for the credentials to work?


Bobby Campbell
Kilo Sage

What specific errors are you getting when trying to discover these DMZ servers?

 

Regarding the specific ports, I think it's more of an AND than an OR. Discovery will start with 135, then migrate to one of the other ports you have shown. Is it possible that some of the ports are still being blocked at the firewall?

AJ-TechTrek
Giga Sage

Hi @Amanda35,

 

As per my understanding, this will help to resolve your issue.

 

There are a couple of reasons DMZ device discovery can fail; if possible, provide an error screenshot, which will help in providing the exact solution.

 

1 – Required Ports for Windows Discovery
Windows Discovery in ServiceNow can use either WMI (DCOM) or WinRM.
Which you choose affects the ports you need to open.

 

A. If using WMI (DCOM)


* TCP 135 → RPC Endpoint Mapper
* TCP 49152–65535 → Dynamic RPC/WMI ports (range can be reduced — see below)
Tip: You can restrict the dynamic RPC port range in Windows via registry or PowerShell to reduce the firewall range to something like 200 ports instead of ~16K. This is common in DMZ setups.

 

B. If using WinRM (Preferred in DMZ)
* TCP 5985 → WinRM over HTTP
* TCP 5986 → WinRM over HTTPS (recommended if crossing untrusted zones like DMZ)
ServiceNow docs sometimes mention port 8986 because some organizations configure WinRM listeners on non-default ports for security — but if you’re using defaults, it’s 5985/5986.

Other Possible Ports


If you also want Discovery to capture:
* DNS lookups → UDP/TCP 53
* Ping (ICMP) → Allow ICMP echo request/reply between MID and target servers

 

2 – Credential Requirements
Your local admin account must have the right privileges for the chosen protocol.

A. For WMI:
* Account must be a member of the local Administrators group on the target.
* Remote UAC must be configured to allow local accounts to connect remotely:
Set this registry key on the target:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
* LocalAccountTokenFilterPolicy = 1 (DWORD)
* WMI service must be running (winmgmt).
* Firewall inbound rules must allow Windows Management Instrumentation (WMI-In).

 

B. For WinRM:
* Enable WinRM on the target:
winrm quickconfig
* If using HTTPS, ensure certificates are installed and bound.
* Account must be in Administrators group or delegated WinRM rights.
* Add MID server IP to WinRM trusted hosts:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "<MID_SERVER_IP>"
* Firewall inbound rules must allow Windows Remote Management.

 

3 – Recommended DMZ Discovery Setup
1. Choose WinRM over WMI if possible — fewer ports to open.
2. Restrict RPC port range if WMI is required.
3. Create Discovery Schedule dedicated to DMZ subnets to isolate scanning.
4. Ensure Credential Affinity so the right local admin account is always tried first.
5. Test connectivity from MID to target before Discovery:
* For WinRM:
winrm id -r:<TARGET_IP> -u:<USER> -p:<PASS>
* For WMI:
Use wbemtest or PowerShell Get-WmiObject.

 

4 – A dedicated MID Server is required for DMZ zone device discovery, as per best practices.

 


Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025
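An added pre-check script to run from the MID server before a DMZ Discovery schedule (this is example code, not from the reply above or from ServiceNow). It combines the port list in section 1 with the connectivity test in step 5, so a blocked firewall port can be told apart from a listener or credential problem; the target name, the credential, and the use of the default WinRM ports are assumptions.

```powershell
# Added example: pre-Discovery reachability check, run on the MID server against one
# DMZ target. Probes the ports named in the reply (TCP 135 for WMI/DCOM, 5985/5986 for
# WinRM), then does a WinRM identify call and an optional WMI query with the local
# admin credential. Target, credential and port numbers are assumptions for this example.
param(
    [Parameter(Mandatory)] [string]$Target,            # DMZ server name or IP
    [Parameter(Mandatory)] [pscredential]$Credential,  # local admin account on the target
    [switch]$UseSSL                                    # test 5986 (HTTPS) instead of 5985
)

$results = [ordered]@{}

# 1. Raw TCP reachability. A failure here is a firewall or listener problem,
#    not a credential problem, so check this layer first.
foreach ($port in 135, 5985, 5986) {
    $results["tcp/$port"] = Test-NetConnection -ComputerName $Target -Port $port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
}

# 2. WinRM identify, the same exchange "winrm id -r:" performs. TCP success above
#    followed by a failure here points at the listener, at TrustedHosts on this
#    client, or at the credential (remote UAC / LocalAccountTokenFilterPolicy).
$wsmanPort = if ($UseSSL) { 5986 } else { 5985 }
try {
    $id = Test-WSMan -ComputerName $Target -Port $wsmanPort -UseSSL:$UseSSL `
        -Credential $Credential -Authentication Negotiate -ErrorAction Stop
    $results["winrm"] = "OK (WSMan $($id.ProductVersion))"
} catch {
    $results["winrm"] = "FAIL: $($_.Exception.Message)"
}

# 3. WMI/DCOM check, only meaningful when tcp/135 answered: after the endpoint
#    mapper, the real connection lands in the dynamic RPC range, so a failure
#    here with 135 open usually means that range is still filtered.
if ($results["tcp/135"]) {
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Target `
            -Credential $Credential -ErrorAction Stop
        $results["wmi"] = "OK ($($os.Caption))"
    } catch {
        $results["wmi"] = "FAIL: $($_.Exception.Message)"
    }
}

[pscustomobject]$results | Format-List
```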