Windows Discovery and Service Mapping Limitations Due to ASR Policy RestrictionsIssue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Windows Discovery and Service Mapping are impacted by security restrictions that block PsExec-based remote execution. Guidance on security-compliant alternative approaches in ServiceNow, including whether ACC can replace or complement current agentless Discovery and Service Mapping capabilities. Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } All Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } 1. What are the possible alternative approaches or configurations that can be adopted to replace or complement the existing agentless Discovery and Service Mapping, considering ASR policy restrictions? Given that Microsoft Defender ASR policies are blocking PsExec, the recommended direction is to adopt a hybrid approach rather than look for a full like-for-like replacement of agentless Discovery in all cases. The most suitable ServiceNow-native option is to use Agent Client Collector for Visibility (ACC-V) on the Windows servers impacted by ASR. This allows ServiceNow to collect infrastructure and application-related data directly from the host through the agent, without relying on the blocked remote execution method. A practical approach would be: Use ACC-V for Windows servers where ASR prevents agentless Discovery.Continue using traditional agentless Discovery where it is still permitted and remains effective.Use ACC-backed Service Mapping for supported application/service mapping scenarios on agent-managed servers.Validate application patterns and use cases individually, especially for business-critical services. This hybrid model is generally the most secure and realistic approach, because it reduces dependency on blocked remote execution methods while allowing existing Discovery capabilities to remain in place where still supported. 2. Will implementing ACC provide complete coverage equivalent to the current agentless Discovery and Service Mapping, including infrastructure discovery, dependency mapping, and application/service visibility? ACC can provide strong coverage, but it should not be considered a complete one-to-one replacement for all agentless Discovery and Service Mapping capabilities. ACC is well suited to provide: Host-level infrastructure visibility for servers where the agent is installedOS and system data collectionRunning process and software visibilityApplication visibility and supported dependency mapping scenariosService Mapping support for supported patterns and supported server-based use cases However, there are some important limitations: ACC only covers systems where the agent is deployedIt does not replace broad agentless discovery of unmanaged devices or systems where no agent can be installedSome pattern operations and use cases supported in agentless methods may not be supported in ACC-based executionFor that reason, not every existing Discovery or Service Mapping scenario will have exact functional parity under ACC So, the correct expectation is that ACC is a strong complementary solution and, for ASR-impacted Windows servers, often the best replacement path available. However, it is not a universal substitute for every current agentless Discovery and Service Mapping capability. Recommendation Our recommendation would be to position ACC as the primary approach for Windows servers affected by ASR, while maintaining a hybrid Discovery and Service Mapping model for the wider environment. This will provide the best balance between security compliance, operational coverage, and platform capability.