Merge pull request #202116 from batamig/device-inventory-improvement

Device inventory improvement

Author: Maggiemouse1

articles/defender-for-iot/organizations/TOC.yml

@@ -53,18 +53,21 @@
         href: concept-supported-protocols.md
 - name: How-to guides
   items:
-  - name: Visualize network assets
+  - name: Visualize devices
+    displayName: assets, network devices
     items:
-    - name: View assets from the Azure portal
-      href: how-to-manage-device-inventory-for-organizations.md
-    - name: View OT assets from a sensor console
-      href: how-to-investigate-sensor-detections-in-a-device-inventory.md
-    - name: View OT assets on a sensor device map
+    - name: Manage device inventory
+      items:
+      - name: Manage device inventory from the Azure portal
+        href: how-to-manage-device-inventory-for-organizations.md
+      - name: Manage device inventory from an OT sensor console
+        href: how-to-investigate-sensor-detections-in-a-device-inventory.md
+      - name: Manage device inventory from an on-premises management console
+        href: how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md
+    - name: View OT device mapping
       href: how-to-work-with-the-sensor-device-map.md
-    - name: View OT assets on a sensor per zone
+    - name: View OT devices per zone
       href: how-to-view-information-per-zone.md
-    - name: View OT assets from an on-premises management console
-      href: how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md
   - name: Manage alerts
     items:
     - name: Manage alerts from the Azure portal
@@ -162,6 +165,8 @@
           href: how-to-manage-individual-sensors.md
         - name: Control OT traffic monitoring
           href: how-to-control-what-traffic-is-monitored.md
+        - name: Detect Windows workstations and servers by script
+          href: detect-windows-endpoints-script.md
         - name: Configure active monitoring
           items:
           - name: Planning and prerequisites
@@ -204,6 +209,8 @@
         href: how-to-troubleshoot-the-sensor-and-on-premises-management-console.md
 - name: Reference
   items:
+  - name: Alert reference
+    href: alert-engine-messages.md
   - name: OT monitoring appliances
     items:
     - name: Overview
@@ -242,11 +249,9 @@
         href: appliance-catalog/hpe-edgeline-el300.md
       - name: Neousys Nuvo-500LP (SMB rugged)
         href: appliance-catalog/neousys-nuvo-5006lp.md
-  - name: Alert reference
-    href: alert-engine-messages.md
-  - name: Work with Defender for IoT APIs
+  - name: Defender for IoT APIs
     href: references-work-with-defender-for-iot-apis.md
-  - name: Work with Defender for IoT CLI commands
+  - name: Defender for IoT CLI commands
     href: references-work-with-defender-for-iot-cli-commands.md
   - name: Frequently asked questions - service
     displayName: FAQ, regulation, internet, connection, hardware, appliances, ports, logs 

articles/defender-for-iot/organizations/detect-windows-endpoints-script.md

@@ -0,0 +1,83 @@
+---
+title: Detect Windows workstations and servers with a local script
+description: Learn about how to detect Windows workstations and servers on your network using a local script.
+ms.date: 07/12/2022
+ms.topic: how-to
+---
+
+# Detect Windows workstations and servers with a local script
+
+In addition to detecting OT devices on your network, use Defender for IoT to discover Microsoft Windows workstations and servers. Same as other detected devices, detected Windows workstations and servers are displayed in the Device inventory. The **Device inventory** pages on the sensor and on-premises management console show enriched data about Windows devices, including data about the Windows operating system and applications installed, patch-level data, open ports, and more.
+
+This article describes how to configure Defender for IoT to detect Windows workstations and servers with local surveying, performed by distributing and running a script on each device. While you can use active scanning and scheduled WMI scans to obtain this data, working with local scripts bypasses the risks of running WMI polling on an endpoint. Running a local script is also useful for regulated networks that have waterfalls and one-way elements.
+
+For more information, see [Configure Windows Endpoint Monitoring](configure-windows-endpoint-monitoring.md).
+
+## Supported operating systems
+
+The script described in this article is supported for the following Windows operating systems:
+
+- Windows XP
+- Windows 2000
+- Windows NT
+- Windows 7
+- Windows 10
+- Windows Server 2003/2008/2012/2016
+
+## Prerequisites
+
+Before you start, make sure that you have:
+
+- Administrator permissions on any devices where you intend to run the script
+- A Defender for IoT OT sensor already monitoring the network where the device is connected
+
+If an OT network sensor has already learned the device, running the script will retrieve its information and enrichment data.
+
+## Run the script
+
+This procedure describes how to obtain, deploy, and run the script on the Windows workstation and servers that you want to monitor in Defender for IoT.
+
+The script you run to detect enriched Windows data is run as a utility and not as an installed program. Running the script doesn't affect the endpoint.
+
+1. To acquire the script, [contact customer support](mailto:support.microsoft.com).
+
+1. Deploy the script once, or using ongoing automation, using standard automated deployment methods and tools.
+
+1. Copy the script to a local drive and unzip it. The following files appear:
+
+    - `start.bat`
+    - `settings.json`
+    - `data.bin`
+    - `run.bat`
+
+1. Run the `run.bat` file.
+
+    After the script runs to probe the registry, a CX-snapshot file appears with the registry information. The filename indicates the system name, date, and time of the snapshot with the following syntax: `CX-snaphot_SystemName_Month_Year_Time`
+
+Files generated by the script:
+
+- Remain on the local drive until you delete them.
+- Must remain in the same location. Do not separate the generated files.
+- Are overwritten if you run the script again.
+
+## Import device details
+
+After having run the script as described [earlier](#run-the-script), import the generated data to your sensor to view the device details in the **Device inventory**.
+
+**To import device details to your sensor**:
+
+1. Use standard, automated methods and tools to move the generated files from each Windows endpoint to a location accessible from your OT sensors. 
+
+    Do not update filenames or separate the files from each other.
+
+1. On your OT sensor console, select **System Settings** > **Import Settings** > **Windows Information**.
+
+1. Select **Import File**, and then select all the files (Ctrl+A).
+
+1. Select **Close**. The device registry information is imported and a successful confirmation message is shown
+
+    If there's a problem uploading one of the files, you'll be informed which file upload failed.
+
+## Next steps
+
+For more information, see [View detected devices on-premises](how-to-investigate-sensor-detections-in-a-device-inventory.md).

articles/defender-for-iot/organizations/how-to-activate-and-set-up-your-sensor.md

@@ -133,7 +133,7 @@ After activating a sensor, you'll need to apply new activation files as follows:
 |Location  |Activation process  |
 |---------|---------|
 |**Cloud-connected sensors**     | Cloud-connected sensors remain activated for as long as your Azure subscription with your Defender for IoT plan is active. <br><br>However, you'll also need to apply a new activation file when [updating your sensor software](update-ot-software.md#download-and-apply-a-new-activation-file) from a legacy version to version 22.2.x.        |
-|  **Locally-managed**   |   Apply a new activation file to locally-managed sensors every year. After a sensor's activation file has expired, the sensor will continue to monitor your network, but you'll see a warning message when signing in to the sensor.     |
+|  **Locally managed**   |   Apply a new activation file to locally managed sensors every year. After a sensor's activation file has expired, the sensor will continue to monitor your network, but you'll see a warning message when signing in to the sensor.     |
 
 For more information, see [Manage Defender for IoT subscriptions](how-to-manage-subscriptions.md) and [Manage the on-premises management console](how-to-manage-the-on-premises-management-console.md).
 
@@ -228,7 +228,7 @@ You can access console tools from the side menu.  Tools help you:
 | -----------|--|
 | Overview | View a dashboard with high-level information about your sensor deployment, alerts, traffic, and more. |
 | Device map | View the network devices, device connections, Purdue levels, and device properties in a map. Various zoom, highlight, and filter options are available to help you gain the insight you need. For more information, see [Investigate sensor detections in the Device Map](how-to-work-with-the-sensor-device-map.md#investigate-sensor-detections-in-the-device-map). |
-| Device inventory | The **Device inventory** displays a list of device attributes that this sensor detects. Options are available to: <br /> - Sort, or filter the information according to the table fields, and see the filtered information displayed. <br /> - Export information to a CSV file. <br /> - Import Windows registry details. For more information, see [View your device inventory from a sensor console](how-to-investigate-sensor-detections-in-a-device-inventory.md).|
+| Device inventory | The Device inventory displays a list of device attributes that this sensor detects. Options are available to: <br /> - Sort, or filter the information according to the table fields, and see the filtered information displayed. <br /> - Export information to a CSV file. <br /> - Import Windows registry details. For more information, see [Detect Windows workstations and servers with a local script](detect-windows-endpoints-script.md).|
 | Alerts | Alerts are triggered when sensor engines detect changes or suspicious activity in network traffic that requires your attention.  For more information, see [View alerts on your sensor](how-to-view-alerts.md#view-alerts-on-your-sensor).|
 
 ### Analyze