Dear OT-Base Community,
we constantly find ourselfs discussing with security teams when it comes to the winRM configuration on the Windows clients .
The main pain point is that new local administrators have to be created (usually there are only very few clients managed by ActiveDirectory or other client management solutions). In addition, for most OT clients there is no easy way to use LAPS or set up SSL certificates for winRM HTTPS.
So I wondered if there is a way to get by without an administrator. We know that we can't get patch information without an admin, for example. But why is that? Is it not possible to create a user and give him the permissions for the corresponding WMI namespaces? What information is the discovery node looking for exactly? Are there specific WMI namespaces that the discovery node is looking for during an winRM probing?
Does anyone have experience with this?
Please sign in to leave a comment.