PowerShell for Discovery and Service Mapping
MID Servers use PowerShell and PowerShell Remoting to access configuration items (CIs) during horizontal and top-down discovery. This article covers the MID Server parameters, script includes, probe parameters, and credentials involved in using PowerShell.
PowerShell is used to control and automate the administration of Windows servers and applications.
MID Servers can use PowerShell to communicate directly with Windows servers over both the WMI and WinRM protocols. For Windows servers that use WinRM, the PowerShell process establishes a secure PSSession (PowerShell Remoting session) that stays open until the MID Server has finished querying that server, so the credential is presented once per server. For Windows servers that use WMI, no session persists between commands, so the PowerShell process sends every PowerShell command with credentials.
PowerShell is also the preferred method for performing discovery over multiple Windows domains. PowerShell allows a single MID Server to authenticate on servers on different domains using credentials stored on the instance.
If you do not configure MID Servers to use PowerShell and PowerShell Remoting, MID Servers use WMI.
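The two access patterns described above, as an added example that is not ServiceNow MID Server code: a PSSession that is reused for every query on a WinRM target and closed afterwards, versus one credentialed call per command on a WMI-only target. It also shows the credential fallback covered later in this article: when no Windows credential is supplied, both protocols authenticate as the account running the process. The host name and the way a credential is passed in are assumptions for illustration.

```powershell
# Added example, not ServiceNow code. Assumed target name; $Credential is
# whatever the caller looked up (for a MID Server, the Credentials table).
param(
    [string]$ComputerName = 'winsrv01.corp.example',   # assumed target
    [pscredential]$Credential                           # $null => run as the service account
)

# Explicit credentials are what let one MID Server reach servers in other domains.
# With none supplied, WinRM and WMI authenticate as the account running this
# process, which is exactly the fallback to the MID Server service account.
$rmAuth  = @{}   # parameters for the WinRM cmdlets
$wmiAuth = @{}   # parameters for Get-WmiObject
if ($Credential) {
    # Negotiate selects Kerberos where a trust exists and NTLM otherwise.
    $rmAuth  = @{ Credential = $Credential; Authentication = 'Negotiate' }
    $wmiAuth = @{ Credential = $Credential }
}

function Get-ServerFactsOverWinRM {
    # Test-WSMan fails fast when no WinRM listener answers on TCP 5985/5986.
    Test-WSMan -ComputerName $ComputerName @rmAuth -ErrorAction Stop | Out-Null
    $session = New-PSSession -ComputerName $ComputerName @rmAuth -ErrorAction Stop
    try {
        # Every query rides the same authenticated session; the credential is presented once.
        $os  = Invoke-Command -Session $session -ScriptBlock { Get-CimInstance Win32_OperatingSystem }
        $sql = Invoke-Command -Session $session -ScriptBlock {
            Get-Service -Name 'MSSQL*' -ErrorAction SilentlyContinue | Select-Object Name, Status
        }
        [pscustomobject]@{ Transport = 'WinRM'; OS = $os.Caption; SqlServices = $sql }
    }
    finally {
        # Close the session as soon as the server has been queried; never leave it open.
        Remove-PSSession -Session $session
    }
}

function Get-ServerFactsOverWmi {
    # Each call authenticates on its own; nothing persists between calls.
    # Get-WmiObject exists in Windows PowerShell 3.0 through 5.1, the versions this
    # article lists as supported, and is absent from PowerShell 6 and later.
    $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName @wmiAuth -ErrorAction Stop
    $sql = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'MSSQL%'" -ComputerName $ComputerName @wmiAuth |
           Select-Object Name, State
    [pscustomobject]@{ Transport = 'WMI'; OS = $os.Caption; SqlServices = $sql }
}

# Prefer WinRM; fall back to WMI when the target has no reachable listener.
try   { Get-ServerFactsOverWinRM }
catch {
    Write-Warning "WinRM unavailable on $ComputerName ($($_.Exception.Message)); using WMI"
    Get-ServerFactsOverWmi
}
```

Run it from a host with the WinRM client configured, with or without `-Credential`. The WinRM branch is the one to prefer: the session is authenticated once, every subsequent query reuses it, and `Remove-PSSession` in the `finally` block ensures the authenticated session does not outlive the query even when a command fails.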
How PowerShell Discovery works
The following descriptions explain how MID Servers use PowerShell to deploy probes.
- Probe and sensor
  When a Windows machine is classified with PowerShell and an MSSQL instance is detected, a probe called Windows - MSSQL is launched. The probe returns the SQL database catalogs and version to a matching sensor.
- Probe parameter
  The WMI_ActiveConnections.ps1 probe parameter contains a script that runs netstat.exe on a target server when PowerShell is enabled. The script extracts information about the Windows server's connections, such as process IDs, ports, and IP addresses.
- Credentials
  Discovery uses Windows PowerShell credentials from the Credentials [discovery_credentials] table or the domain administrator credentials of the MID Server service. If Discovery cannot find credentials of type Windows in the Credentials table, it uses the login credentials of the MID Server service. Because of this fallback, every target with no stored credential is accessed with the MID Server service account itself, so that account's privileges define the exposure if the MID Server is compromised.
- MID Server Script Includes
  The following script includes were added for PowerShell discoveries. They run on the MID Server to generate the scripts that Discovery uses for WMIRunner and PowerShell.
  - GenerateWMIScriptJS: Generates a JavaScript script for the WMIRunner probe.
  - GenerateWMIScriptPS1: Generates a PowerShell script for PowerShell discovery.
- MID Server parameters for PowerShell
  Optional parameters for the MID Server are listed in MID Server parameters for PowerShell. After changing any parameter, restart the MID Server service for the change to take effect.
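An added example of the kind of work the probe parameter above describes. This is not the WMI_ActiveConnections.ps1 script itself: it is one way to turn netstat.exe -ano output into objects carrying the fields the article names (process IDs, ports, IP addresses) plus the owning process name, written so it can be run offline. The netstat output embedded below is constructed for the example, not captured from a real host; omit -NetstatOutput to run netstat.exe live.

```powershell
# Added example, not ServiceNow's probe script.
function ConvertFrom-NetstatLine {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        # Columns: Proto, Local Address, Foreign Address, State (TCP only), PID.
        # Addresses are IPv4 (10.0.0.5:1433), bracketed IPv6 ([::]:135) or *:* for UDP.
        $pattern = '^\s*(?<proto>TCP|UDP)\s+(?<laddr>\S+):(?<lport>\d+|\*)\s+' +
                   '(?<raddr>\S+):(?<rport>\d+|\*)\s+(?:(?<state>[A-Z_]+)\s+)?(?<pid>\d+)\s*$'
        if ($Line -match $pattern) {
            $state = if ($Matches['state']) { $Matches['state'] } else { 'n/a' }   # UDP has no state
            [pscustomobject]@{
                Protocol      = $Matches['proto']
                LocalAddress  = $Matches['laddr'].Trim('[', ']')
                LocalPort     = $Matches['lport']
                RemoteAddress = $Matches['raddr'].Trim('[', ']')
                RemotePort    = $Matches['rport']
                State         = $state
                ProcessId     = [int]$Matches['pid']
            }
        }
    }
}

function Get-ActiveConnection {
    param([string[]]$NetstatOutput)   # pass captured output, or omit to run netstat.exe live
    if (-not $NetstatOutput) { $NetstatOutput = & netstat.exe -ano }
    $conns = @($NetstatOutput | ConvertFrom-NetstatLine)

    # Resolve each PID once. A process can exit between netstat and the lookup,
    # so a missing process is reported as such rather than treated as an error.
    $names = @{}
    foreach ($c in $conns) {
        if (-not $names.ContainsKey($c.ProcessId)) {
            $p = Get-Process -Id $c.ProcessId -ErrorAction SilentlyContinue
            $names[$c.ProcessId] = if ($p) { $p.ProcessName } else { '<not running>' }
        }
    }
    foreach ($c in $conns) {
        $c | Add-Member -NotePropertyName ProcessName -NotePropertyValue $names[$c.ProcessId] -PassThru
    }
}

# Constructed sample of netstat.exe -ano output (not captured from a real host).
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:49712         10.0.0.9:1433          ESTABLISHED     6780
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:123            *:*                                    1044
'@ -split "`r?`n"

# LISTENING rows are the services a server offers; ESTABLISHED rows with a
# remote port such as 1433 are the raw material for dependency mapping.
Get-ActiveConnection -NetstatOutput $sample |
    Sort-Object State, LocalPort |
    Format-Table Protocol, LocalAddress, LocalPort, RemoteAddress, RemotePort, State, ProcessId, ProcessName -AutoSize
```

The header lines of the netstat output never match the pattern and are dropped; the UDP row comes through with no state and the IPv6 row with its brackets stripped, so downstream logic can key on address and port without special cases.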
PowerShell version requirements
Discovery supports the following Windows PowerShell versions, with the discovery types each supports:
- Version 3.0
  - Regular Discovery
  - Application Dependency Mapping (ADM)
  - File-based Discovery
  Note: PowerShell version 3.0 does not support Windows Server 2003.
- Version 4.0
  - Regular Discovery
  - Application Dependency Mapping (ADM)
  - File-based Discovery
- Version 5.0
  - Regular Discovery
  - Application Dependency Mapping (ADM)
  - File-based Discovery
Windows PowerShell execution policies
- Restricted: No scripts can be run. Windows PowerShell can be used only in interactive mode.
- AllSigned: Only scripts signed by a trusted publisher can be run.
- RemoteSigned: Scripts downloaded from the internet must be signed by a trusted publisher before they can be run; scripts created locally run without a signature.
- Unrestricted: No restrictions; all scripts can be run.
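A preflight check covering the version requirements and execution policies above, as an added example that is not ServiceNow code. It reports whether a target runs one of the supported Windows PowerShell versions (3.0, 4.0 or 5.0), which execution policy is in effect and whether Group Policy set it (in which case Set-ExecutionPolicy on the host will not change it), and whether a given script carries a valid Authenticode signature. The target name, the credential handling and the script path are assumptions for illustration.

```powershell
# Added example, not ServiceNow code.
function Test-DiscoveryPrerequisite {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [pscredential]$Credential        # $null => authenticate as the current account
    )
    $auth = @{}
    if ($Credential) { $auth = @{ Credential = $Credential; Authentication = 'Negotiate' } }

    # Collect the facts on the target itself. $PSVersionTable does not exist on
    # PowerShell 1.0, so a missing version is reported rather than raising an error.
    $facts = Invoke-Command -ComputerName $ComputerName @auth -ScriptBlock {
        [pscustomobject]@{
            Version   = $PSVersionTable.PSVersion
            Effective = Get-ExecutionPolicy          # the policy that actually applies
            Scopes    = Get-ExecutionPolicy -List    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine
            OS        = [Environment]::OSVersion.VersionString
        }
    }

    $version = [version]$facts.Version
    $major   = if ($version) { $version.Major } else { 0 }
    $policy  = "$($facts.Effective)"

    # MachinePolicy and UserPolicy are only ever populated by Group Policy and
    # take precedence over anything set locally.
    $gpo = $facts.Scopes | Where-Object {
        $_.Scope -in 'MachinePolicy', 'UserPolicy' -and "$($_.ExecutionPolicy)" -ne 'Undefined'
    }

    [pscustomobject]@{
        ComputerName     = $ComputerName
        OS               = $facts.OS
        PSVersion        = $version
        VersionSupported = ($major -ge 3 -and $major -le 5)   # 3.0, 4.0, 5.x per this article
        ExecutionPolicy  = $policy
        ScriptsBlocked   = ($policy -eq 'Restricted')          # no script file runs at all
        SigningRequired  = ($policy -eq 'AllSigned')           # every script needs a trusted signature
        SetByGroupPolicy = [bool]$gpo                          # local Set-ExecutionPolicy will not help
    }
}

function Test-ScriptSignature {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status    # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
    # AllSigned accepts only Status = Valid; RemoteSigned also runs NotSigned scripts created locally.
}

# Assumed target and script path for illustration.
Test-DiscoveryPrerequisite -ComputerName 'winsrv01.corp.example' | Format-List
Test-ScriptSignature -Path 'C:\scripts\probe.ps1'
```

Run the check once per target before enabling PowerShell discovery for it: a ScriptsBlocked or SigningRequired result tells you in advance why a probe would fail, and SetByGroupPolicy tells you whether the fix belongs on the host or in Group Policy.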