What are the purposes of Inventory vs. Discovery?

I'm not clear on the differences and purposes of Domain Inventory vs. Subnet Discovery. Which one populates managed computers? Is there a way to restrict what each one scans? Is there a way to restrict the results?

Find more posts tagged with

network_inventory

discovery_scans

patch_manager

Accepted answers

LGarvin

Managed Computers is populated by the Managed Computer Inventory task.

See this blog post for more details:

Patch Manager Managed Computers Node Explained

Is there a way to restrict what each one scans? Is there a way to restrict the results?

These two tasks are completely different processes.

Inventory scans by computer name, enumerating a domain, OrgUnit, Workgroup, WSUSTargetGroup, or PMComputerGroup container to get that list of computer names.
The other scans as sequential list of IP Addresses as defined in the Discovery Task dialog.

The results of an Inventory task are defined by the Inventory Configuration Editor.

The results of a discovery task are defined by the Discovery Task dialog.

All comments

LGarvin

Managed Computers is populated by the Managed Computer Inventory task.

See this blog post for more details:

Patch Manager Managed Computers Node Explained

Is there a way to restrict what each one scans? Is there a way to restrict the results?

These two tasks are completely different processes.

Inventory scans by computer name, enumerating a domain, OrgUnit, Workgroup, WSUSTargetGroup, or PMComputerGroup container to get that list of computer names.
The other scans as sequential list of IP Addresses as defined in the Discovery Task dialog.

The results of an Inventory task are defined by the Inventory Configuration Editor.

The results of a discovery task are defined by the Discovery Task dialog.

bbrehart

So what's the purpose of Discovery? Do we even need it?

LGarvin

Great question, Brian.

Discovery is a tool. You use it if/when you need it.

A couple of things Discovery is great for:

Discovery has the ability to perform a TCP port scan.
How many workstations have IIS installed and port 80 open to the entire enterprise?
Discovery, because it enumerates in-use IP Addresses across an entire address range has the ability to identify devices/systems on the network that ought not to be
Patch Manager requires RPC/WMI connectivity. A TCP port scan can be used proactively to ensure those services are accessible, or it can be used as a diagnostic tool to help troubleshoot failing RPC/WMI connections.
With creative use of scheduled discovery tasks and scheduled reporting tasks, you could even build automated notifications as to when devices/systems appear on a network.

Some of these examples, of course, are better served by other tools, e.g. IPAM, UDT, LEM and if you have such tools, they're likely preferable to doing this with Patch Manager ... but lacking those tools, the capability still exists.

In addition, one request we hear from time to time is: I want to deploy this update (or perform some task) on the systems at this site. If that organization already has a geo-based OrgUnit structure in place, or site-based WSUS Target Groups, this is a fairly trivial objective to achieve, but in reality, most don't. A Discovery task of a site's IP subnet can be used to produce a list of the Windows hostnames currently active on that subnet, which can be used via reporting to create a Patch Manager Computer Group, and then the update deployment (or other task) can be targeted to that Patch Manager Computer Group, which is effectively "the Windows systems currently active in a defined IP subnet".