Skip to main content
- Group managed service accounts (gMSAs) can be used in Device42 as a means to perform credential-less discovery of Windows devices via WMI.
- By using a gMSA, you will not need to store Windows user account credentials in Device42.
- This is achieved by configuring the WDS to run under the gMSA and permissioning the gMSA as you would normally for Windows discovery.
- See Benefits of gMSAs for information on the advantages of using a gMSA.
- You have designated a Windows host to install the Windows Discovery Service (WDS) on.
- Please note that the host must meet the following requirements:
- OS must be at Windows 8.1 Windows Server 2012 R2 Windows Embedded 8.1 Industry Enterprise Windows Embedded 8.1 Industry Pro) or above
- OS must be on the latest OS patch level
- Host must be domain joined
- You have administrator privileges to a domain controller in order to create the KDSRootKey (if one does not exist already) and configure the gMSA and/or any related security groups
- On a domain controller, create a KDSRootKey using PowerShell (if one does not exist already): Create the Key Distribution Services KDS Root Key | Microsoft Learn
- Configure the gMSA: Getting Started with Group Managed Service Accounts | Microsoft Learn
- Install the WDS: Windows Discovery Service Installation - Device42 Documentation
- Stop the WDS service
- Open services.msc and look for ‘Device42 Discovery Service’. Right click -> Stop.
- Change the service to log on as the gMSA.
- Right click -> Properties. -> Log On. Change to ‘Log on as’ and browse for the gMSA
- After you have it selected, replace the password fields with ~
- This means that the password must be obtained from AD.
- Start the WDS service
- Right click -> Start.
- Create a new Windows discovery job
- From your Device42 Main Appliance. Navigate to Discovery -> Hypervisors / *nix / Windows -> Add Hypervisors/*nix/win for Autodiscovery
- Select your WDS and ensure you have the option ‘Use Service Account Credentials (only Applies to WDS)’ set to true.