
Windows - Configuration Management - Network Scan

Scan Windows subnets to discover live endpoints, open ports, and host inventory from the endpoint

Worklet Details

What the Windows network scan Worklet does

This Automox Worklet™ runs a discovery scan from a Windows endpoint against one or more subnets supplied in CIDR notation, for example 192.168.1.0/24 or 10.0.0.0/22. The Worklet enumerates every host address in each target subnet, probes 22 well-known TCP ports including FTP (21), SSH (22), Telnet (23), SMTP (25), DNS (53), HTTP (80), POP3 (110), RPCBind (111), MSRPC (135), NetBIOS-SSN (139), IMAP (143), HTTPS (443), SMB (445), SMTPS (587), IMAPS (993), POP3S (995), PPTP (1723), MySQL (3306), RDP (3389), PostgreSQL (5432), VNC (5900), and HTTP Proxy (8080), and records every responding host.

For each responder, the Worklet runs a PTR lookup with Resolve-DnsName and reads the IPv6/IPv4 neighbor table with Get-NetNeighbor to capture the MAC address. Results are emitted as a CSV block to the Automox Activity Log so the data is easy to pipe into a spreadsheet, SIEM, or asset database. Hosts that block ICMP but accept TCP are still discovered, because the scan opens TCP sockets directly and does not depend on ping replies.

The scan is concurrent. The Worklet dispatches background jobs through Start-Job and throttles them with a ThrottleLimit set to the greater of eight or the endpoint's logical processor count. Per-port timeout is gated by the Accuracy parameter: LOW is 100 ms, MEDIUM is 250 ms, HIGH is 500 ms, and EXTREME is 1250 ms. Lower accuracy completes a /24 faster; higher accuracy catches slow or congested hosts at the cost of runtime.

Why scan a network segment from inside the perimeter

Outside-in scanners only see what your edge firewall exposes. An internal scan from a Windows endpoint sees the segment as a lateral attacker would: the print server that still answers on SMB 1, the development jump box with RDP open to the LAN, the IP camera answering on Telnet, the unmanaged Raspberry Pi a contractor left behind. Internal asset visibility is the gap that CIS Controls v8 1.1 and 1.4, NIST 800-53 CM-8, and PCI-DSS 11.2 are written against. Running the scan from a managed endpoint inside the segment closes that gap without standing up a separate scanning appliance.

Use the output to validate firewall rules after a change window, confirm that a network segmentation control is actually segmenting, hunt for rogue endpoints that bypassed onboarding, or build a hardware inventory tied to MAC addresses for access control. The CSV format makes it trivial to diff one week's scan against the next and surface new hosts, new open ports, or hostnames that suddenly fail to resolve.

Scheduling this Worklet on a rotating cohort of endpoints across each VLAN turns the managed fleet into a distributed scanning grid. A laptop on the corporate LAN, a Hyper-V host on the data-center subnet, and a developer workstation on the lab VLAN each scan their own segment from inside the firewall, with no extra appliance to deploy and no service-account credentials in flight. Results flow through the Automox Activity Log into the same audit trail as patching and compliance work, so the network inventory stays attached to the asset of record.

How the Windows subnet scan works

  1. Evaluation phase: The Worklet's evaluation script exits 0 by default so the remediation always runs on demand. This pattern lets you trigger the scan from the device or policy page with Run on this Device or Run Policy without flagging the endpoint as non-compliant. The remediation reads the NetworkInput, Ports, Accuracy, and ThrottleLimit parameters, validates the Accuracy value, and derives the per-port socket timeout from it.

  2. Remediation phase: If NetworkInput is empty, the Worklet calls Get-NetIPAddress to pick the first unicast IPv4 address with a DHCP or Manual suffix origin, then derives the local subnet from the IP and PrefixLength. Each CIDR string is parsed into network ID, broadcast, subnet mask, and host count, and every host address is enumerated. For each address, the Worklet queues a Start-Job that opens a TcpClient socket against every configured port with the Accuracy-driven timeout, runs Resolve-DnsName against the in-addr.arpa PTR record for the hostname, and pulls the MAC address from Get-NetNeighbor. Each responder is written as a CSV row with columns Hostname, IP Address, MAC Address, Open Ports, and Failed Ports to the Automox Activity Log, prefixed by the header row. The script exits 0 on success and exits 1 only when an invalid Accuracy value is supplied.
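The subnet math described in the remediation phase, combined with the Accuracy timeouts, gives a quick way to size a scan before scheduling it. This is an added example, not the Worklet's source: the function names are hypothetical, and the runtime figure assumes each per-host job probes its ports one after another and that every port waits for the full timeout, so it is an upper bound that ignores Start-Job startup cost.

```powershell
# Added example, not the Worklet's source; function names are hypothetical.
# Timeouts, the 22 default ports and the throttle floor of 8 are the page's figures.
$AccuracyTimeoutMs = @{ LOW = 100; MEDIUM = 250; HIGH = 500; EXTREME = 1250 }

function ConvertTo-IPv4Number ([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    [uint64]$n = 0
    foreach ($b in $bytes) { $n = $n * 256 + $b }      # accumulate octets big-endian
    $n
}

function ConvertFrom-IPv4Number ([uint64]$Number) {
    $octets = foreach ($unit in 16777216, 65536, 256, 1) {
        [math]::Floor([double]$Number / $unit) % 256
    }
    $octets -join '.'
}

function Get-SubnetPlan {
    param([string]$Cidr, [string]$Accuracy, [int]$PortCount = 22, [int]$ThrottleLimit = 8)
    if (-not $AccuracyTimeoutMs.ContainsKey($Accuracy)) { throw "Invalid Accuracy: '$Accuracy'" }
    if ($Cidr -notmatch '^\s*[\d.]+/\d{1,2}\s*$') { throw "Not CIDR notation: '$Cidr'" }
    $ip, $prefixText = $Cidr.Trim() -split '/'
    $prefix = [int]$prefixText
    if ($prefix -gt 32) { throw "Invalid prefix length in '$Cidr'" }

    $size      = [uint64][math]::Pow(2, 32 - $prefix)  # addresses in the block
    $address   = ConvertTo-IPv4Number $ip
    $network   = $address - ($address % $size)         # clear the host bits
    $broadcast = $network + $size - 1
    # Assumption: /31 and /32 have no separate network or broadcast address.
    if ($prefix -ge 31) { $first = $network; $last = $broadcast }
    else                { $first = $network + 1; $last = $broadcast - 1 }
    $hosts = $last - $first + 1
    $waves = [math]::Ceiling([double]$hosts / $ThrottleLimit)

    [pscustomobject]@{
        Cidr = $Cidr.Trim(); Accuracy = $Accuracy
        NetworkId  = ConvertFrom-IPv4Number $network
        Broadcast  = ConvertFrom-IPv4Number $broadcast
        SubnetMask = ConvertFrom-IPv4Number (4294967296 - $size)
        HostCount  = $hosts
        WorstCaseSeconds = $waves * $PortCount * $AccuracyTimeoutMs[$Accuracy] / 1000
    }
}

foreach ($cidr in '192.168.1.0/24,10.10.20.0/23' -split ',') {
    foreach ($level in 'LOW', 'EXTREME') { Get-SubnetPlan -Cidr $cidr -Accuracy $level }
}
```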

Network scan parameters and prerequisites

  • Supported on Windows 10, Windows 11, and Windows Server 2016 or later with PowerShell 5.1 or PowerShell 7

  • Runs in the Automox agent context with LocalSystem privileges, which is required for Get-NetNeighbor to read the full neighbor cache

  • NetworkInput parameter accepts a comma-delimited list of subnets in CIDR notation, for example 192.168.1.0/24,10.10.20.0/23; if blank, the Worklet derives the local subnet from Get-NetIPAddress

  • Ports parameter defaults to the 22 well-known TCP ports listed above (FTP through HTTP Proxy); override it to widen or narrow the scan

  • Accuracy parameter sets per-port socket timeout: LOW (100 ms), MEDIUM (250 ms), HIGH (500 ms), or EXTREME (1250 ms); raise it on slow links or when probing servers under load

  • ThrottleLimit defaults to the greater of 8 or the endpoint's logical processor count; lower it on workstations where user impact matters, raise it on dedicated scanning hosts

  • Routing and host firewall rules between the scanning endpoint and the target subnet must permit outbound TCP to the probed ports; the scan only sees what the local network path can reach

  • Designed for on-demand execution from the device or policy page; FixNow-compatible for ad-hoc audits and segmentation validation

Expected output and validation steps

After the Worklet completes, the Activity Log for the endpoint contains a CSV block headed Hostname,IP Address,MAC Address,Open Ports,Failed Ports followed by one row per responder. Hosts that did not register an open or failed port are omitted to keep the log readable. Hostname is the PTR record returned by Resolve-DnsName or 'Unknown' if the resolver returns NXDOMAIN. MAC Address is the LinkLayerAddress from Get-NetNeighbor (with hyphens converted to colons) or 'Unknown' if the host is on a different broadcast domain. Open Ports and Failed Ports are quoted, comma-delimited lists so each CSV row stays intact.

Spot-check the output by running Test-NetConnection -ComputerName <ip> -Port 445 against any host the Worklet flagged as having SMB open; the TcpTestSucceeded value should match. Compare the row count against the address space scanned to confirm the throttle and accuracy settings are not silently dropping responders. For PTR coverage, run Resolve-DnsName -Name <ip> -Type PTR against a sample of 'Unknown' hostnames to confirm the resolver, not the Worklet, is the failure point. For MAC coverage, run Get-NetNeighbor -IPAddress <ip> from an elevated PowerShell session and confirm the same neighbors appear; entries age out of the cache, so a host that responded but did not generate enough traffic to seat in the neighbor table will register as 'Unknown' on a subsequent scan. Pipe the CSV into Import-Csv for analysis, diff successive scans with Compare-Object on the IP Address column to surface new or missing hosts, or load it into a SIEM and alert on net-new entries in segments that should be static. For audit evidence, capture the Automox policy run identifier alongside the CSV and store both with the policy run record.
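One way to do the week-over-week diff described above and in the earlier section on using the output, going a step beyond a host-level comparison by also splitting the quoted Open Ports lists. This is an added example, not part of the Worklet: the function name is hypothetical and both CSV blocks are constructed sample data in the column layout the page describes.

```powershell
# Added example, not part of the Worklet. Both scans below are constructed sample
# data; the hostnames, addresses and MACs are made up for illustration.
$lastWeek = @'
Hostname,IP Address,MAC Address,Open Ports,Failed Ports
print01.corp.example,192.168.1.20,00:11:22:33:44:55,"80,443,445","21,22,23"
jump01.corp.example,192.168.1.30,00:11:22:33:44:66,"3389","21,22,23"
cam01.corp.example,192.168.1.40,00:11:22:33:44:77,"80","21,22,23"
'@ | ConvertFrom-Csv

$thisWeek = @'
Hostname,IP Address,MAC Address,Open Ports,Failed Ports
print01.corp.example,192.168.1.20,00:11:22:33:44:55,"23,80,443,445","21,22"
Unknown,192.168.1.40,00:11:22:33:44:77,"80","21,22,23"
Unknown,192.168.1.77,Unknown,"22","21,23"
'@ | ConvertFrom-Csv

function Compare-ScanResult {   # hypothetical helper name
    param([object[]]$Baseline, [object[]]$Current)
    $old = @{}; $seen = @{}
    foreach ($row in $Baseline) { $old[$row.'IP Address'] = $row }

    foreach ($row in $Current) {
        $ip = $row.'IP Address'
        $seen[$ip] = $true
        if (-not $old.ContainsKey($ip)) {
            [pscustomobject]@{ Change = 'NewHost'; IP = $ip; Detail = "open: $($row.'Open Ports')" }
            continue
        }
        $prev   = $old[$ip]
        # Open Ports is a quoted, comma-delimited list, so split it before comparing.
        $before = @($prev.'Open Ports' -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $after  = @($row.'Open Ports'  -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $opened = @($after | Where-Object { $_ -notin $before })
        if ($opened) {
            [pscustomobject]@{ Change = 'NewOpenPort'; IP = $ip; Detail = $opened -join ',' }
        }
        if ($prev.Hostname -ne 'Unknown' -and $row.Hostname -eq 'Unknown') {
            [pscustomobject]@{ Change = 'HostnameLost'; IP = $ip; Detail = "was $($prev.Hostname)" }
        }
        if ($row.'MAC Address' -ne 'Unknown' -and $prev.'MAC Address' -ne 'Unknown' -and
            $row.'MAC Address' -ne $prev.'MAC Address') {
            [pscustomobject]@{ Change = 'MacChanged'; IP = $ip; Detail = "$($prev.'MAC Address') -> $($row.'MAC Address')" }
        }
    }
    foreach ($ip in $old.Keys) {
        if (-not $seen.ContainsKey($ip)) {
            [pscustomobject]@{ Change = 'MissingHost'; IP = $ip; Detail = "was $($old[$ip].Hostname)" }
        }
    }
}

Compare-ScanResult -Baseline $lastWeek -Current $thisWeek | Format-Table -AutoSize
```

A MAC of 'Unknown' is skipped in the comparison because, as noted above, neighbor-cache aging alone can produce it.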


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
