VMware Requirements
DMC is compatible with the following on-premises implemented versions and later.
| vSphere Version |
|---|
| vSphere 6.0 and above |
Network Requirements
DMC requires network access to target vCenter(s) within the scope of discovery.
| Source | Destination | Ports | Purpose |
|---|---|---|---|
| Jump Box | vCenter Servers | 443 (HTTPS) | API communication for discovery |
| Jump Box | ESXi Hosts | 443 (HTTPS) | Transfer Guest VM discovered metrics |
Windows VM Prerequisites
PowerShell Remoting must be enabled on Windows VMs to allow DMC to run PowerShell commands over WinRM connections.
Enable Powershell Remoting
Open Powershell
Open PowerShell as Administrator on each Windows VM
Run Command
Run the following command:
Enable-PSRemoting -forceEnable AllowRemoteShellAccess
In order to allow DMC to successfully collect guest information please ensure that AllowRemoteShellAccess is enabled in WinRM Configuration
Set-WSManInstance -ResourceURI winrm/config/winrs -ValueSet @{AllowRemoteShellAccess="true"}. This enables the WinRM service and configures the necessary firewall rules for remote PowerShell connections.
PowerShell Constrained Mode
DMC does not support PowerShell constrained mode. This feature must be disabled on Windows VMs to allow DMC to collect the required system information.
To disable PowerShell constrained mode:
Check Current Status
Run the following command to check if constrained mode is enabled:
$ExecutionContext.SessionState.LanguageModeDisable Constrained Mode
If the output shows “ConstrainedLanguage”, run the following command to disable it:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachineCheck UAC Token Filtering
Run the following command to check if UAC token filtering is enabled:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicyIf the value is 0, UAC token filtering is enabled and may prevent DMC from collecting data. Set the value to 1 to disable filtering:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /fCredential Requirements
To ensure DMC can perform discovery the following permissions are required.
vCenter Access
| Account | Minimum Required Permissions | Reason |
|---|---|---|
| vCenter Admin Account | Read-only access to VMs, Hosts, and Datastores. Guest Operations execution role. Access to retrieve performance metrics |
Required to collect virtual infrastructure metadata, execute lightweight guest operations, and retrieve VM performance data without impacting environment stability. |
Guest OS Credentials
| OS | Credentials Needed | Permissions Required | Reason |
|---|---|---|---|
| Windows VMs | Domain Admin or Local Admin, with Interactive Login Rights | Read system settings, software inventory, network stack, and processes. | Enables collection of system settings, software inventory, active processes, and network dependencies to assist with environment assessment. |
| Linux VMs | Root or Sudo-enabled user | Installed packages, active processes, and network connections. | Enables collection of system settings, software inventory, active processes, and network dependencies to assist with environment assessment. |
Windows VM Access Requirements
| Account | Minimum Required Permissions | Reason |
|---|---|---|
| Domain Admin or Local Admin | Interactive Login Rights | Required to collect system settings, software inventory, active processes, and network dependencies to assist with environment assessment. |
| Remote Management Users | Group membership | Enables WinRM connections for remote data collection |
| Performance Monitor Users | Group membership | Allows performance data collection |
| Performance Log Users | Group membership | Enables performance logging access |
Verify Group Membership: Being a Local Admin or Domain Admin may not automatically include membership in the Remote Management Users, Performance Monitor Users, or Performance Log Users groups. Verify that your Windows VM Access account is a member of all required groups before running DMC discovery.
UAC Filtering Note: Sometimes, even after adding the account to the right groups, it may not return the needed data because of UAC filtering. To fix this, give the user account the right permissions on the CIMV2 namespace and its sub-namespaces on the target server. For infomation how to troubleshoot UAC filtering please see here
user/domain or user@domain.com format for Windows VMs; both styles are supported.Least Privilege Guest OS Account Setup
If a customer wishes to set up a Least Privilege account, the following roles must be configured.
Without vCentre Administrator account DMC cannot assess the health of the VMware environment. We recommend that a vSphere administrator checks the environment’s health before running DMC, as a safety precaution.
Customers can review VMware’s vSphere Health via:
🔗 View vCenter Server Health Status
Roles required for Least Privilege vCenter Permissions
| Role | Note |
|---|---|
| VirtualMachine.GuestOperations.Query | Allows DMC to query guest OS-level info such as file system and processes. |
| VirtualMachine.GuestOperations.Execute | Enables DMC to run lightweight commands inside the VM for inventory checks. |
| VirtualMachine.GuestOperations.Modify | Required for actions like copying files or scripts into the VM during discovery. |
| Read Only access to vCenter | Grants visibility into vSphere objects like VMs, hosts, clusters, and tags — essential for inventory mapping. |
Least Privilege Guest OS Account Setup
Windows VM Accounts
For Windows VMs, you can create a least-privileged Windows user account:
Required Group Memberships:
| Group | Purpose | Alternative |
|---|---|---|
| Remote Management Users | Enables WinRM connections | WinRMRemoteWMIUsers_ |
| Performance Monitor Users | Allows performance data collection | Required |
| Performance Log Users | Enables performance logging access | Required |
Required permissions: The account needs these permissions so DMC can create a CIM connection with the server and collect configuration and performance data from the required WMI classes.
Additional Requirements:
- For Windows Server 2008 and 2008 R2, ensure that WMF 3.0 is installed on the servers.
Linux VM Accounts
You need a user account that has sudo permissions to execute specific commands with NOPASSWD on the Linux VMs you want to discover.
This account helps collect configuration and performance data, perform software inventory (find installed applications), and enable agentless dependency analysis using SSH.
Required sudo access (NOPASSWD):
| Command | Purpose | Full Path |
|---|---|---|
| netstat or ss | Network connection analysis | /usr/bin/netstat, /usr/bin/ss |
| ps | Process information | /usr/bin/ps |
| ls | File system listing | /usr/bin/ls |
Sudoers file entry example:
username ALL=(ALL) NOPASSWD: /usr/bin/netstat, /usr/bin/ss, /usr/bin/ps, /usr/bin/lsssh-keygen command with the following algorithms:
| Algorithm | Support Details |
|---|---|
| RSA | Full support for RSA key pairs |
| DSA | Full support for DSA key pairs |
| ECDSA | Full support for ECDSA key pairs |
| ed25519 | Full support for ed25519 key pairs |