The Windows connection manager allows you to scan (additional) nodes agentlessly using WinRM and remote PowerShell. In essence, it is a connection proxy that provides for a single point of management, configuration, logging and updating. A single connection manager can scan several thousand remote nodes using WinRM.

System Requirements

  • A Windows virtual machine to install the connection manager. Recommended specs: Windows 2012, 8GB, 4 Core.
  • .NET framework version 4.5.2 or higher
  • Microsoft Visual C++ 2015 Redistributable package (for Windows CM v4.19.0 and higher) - linked on UpGuard Download Site
  • PowerShell (Windows Management Framework) version 3 or higher installed on both the connection manager and the target nodes.
  • WinRM to be enabled in your environment. Each target node that you wish to scan agentlessly will need to have port 5985/5986 exposed for the connection manager.
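The requirements above can be checked from the connection manager host before installing. This is an added example, not part of the original UpGuard documentation; the node names are constructed placeholders, and the PowerShell version on target nodes is not checked because that needs an authenticated session.

```powershell
# Added example: pre-flight check, run on the connection manager host.
# $TargetNodes holds constructed placeholder names; replace them with your own nodes.
$TargetNodes = @('node01.example.internal', 'node02.example.internal')

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Local requirements: PowerShell 3 or higher, .NET 4.5.2 or higher (Release >= 379893).
$ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
[pscustomobject]@{
    PowerShellVersion = $PSVersionTable.PSVersion.ToString()
    PowerShellOk      = ($PSVersionTable.PSVersion.Major -ge 3)
    DotNetRelease     = $ndp.Release
    DotNetOk          = [bool]($ndp -and ($ndp.Release -ge 379893))
}

# Remote requirements: a WinRM listener reachable on 5985 (HTTP) or 5986 (HTTPS).
foreach ($node in $TargetNodes) {
    $http  = Test-TcpPort -ComputerName $node -Port 5985
    $https = Test-TcpPort -ComputerName $node -Port 5986
    $responds = $false
    # Test-WSMan sends an unauthenticated identify request to the listener.
    if ($https) {
        try { $null = Test-WSMan -ComputerName $node -UseSSL -ErrorAction Stop; $responds = $true } catch { }
    }
    if (-not $responds -and $http) {
        try { $null = Test-WSMan -ComputerName $node -ErrorAction Stop; $responds = $true } catch { }
    }
    [pscustomobject]@{
        Node = $node; Port5985 = $http; Port5986 = $https; WSManResponds = $responds
    }
}
```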

Creating a Connection Manager Group

Connection manager groups help you logically organize connection managers. A group can include one or more connection managers of the same type.

  1. To configure the UpGuard website to communicate with a connection manager, click the Discover button on the top toolbar and choose Connection Managers.

  2. Click the Add Group button on the left bar. You will see the following screen:


  3. Give the Connection Manager group a unique name that makes sense to you.

  4. Click the green Add Group button and you will be given an API Key. Copy the key as you will need this during the Windows connection manager installer setup.


Windows Domains

To ease setup and node scanning, it is highly recommended that a Windows connection manager is installed and registered with the UpGuard appliance for each domain in your environment. These connection managers can be part of the same connection manager group or of different groups corresponding to the different domains in your environment.

Connection managers attempting to issue WinRM requests to machines in a different domain will need to have a TrustedHosts rule configured.
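One way to add the TrustedHosts rule, as an added example that is not part of the original UpGuard documentation. A host listed in TrustedHosts is one the WinRM client will connect to without Kerberos mutual authentication, so the script adds explicit names and warns about wildcards; the host names are constructed placeholders.

```powershell
# Added example: run in an elevated PowerShell session on the connection manager.
# $NewHosts holds constructed placeholder names for nodes in the other domain.
$NewHosts = @('node01.otherdomain.example', 'node02.otherdomain.example')
$path = 'WSMan:\localhost\Client\TrustedHosts'

# Read the current comma-separated list (an empty string when nothing is configured).
$current = @((Get-Item -Path $path).Value -split ',' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ })

# A wildcard entry trusts every matching host name, which defeats the purpose
# of the list. Report it so it can be replaced with explicit entries.
$wildcards = @($current | Where-Object { $_ -match '\*' })
if ($wildcards.Count -gt 0) {
    Write-Warning ("TrustedHosts already contains wildcard entries: " + ($wildcards -join ', '))
}

# Merge instead of overwrite, so rules added for other domains are kept.
$merged = @(($current + $NewHosts) | Sort-Object -Unique)
Set-Item -Path $path -Value ($merged -join ',') -Force

# Show the resulting rule and confirm each new host answers a WS-Management request.
"TrustedHosts is now: " + (Get-Item -Path $path).Value
foreach ($h in $NewHosts) {
    try {
        $null = Test-WSMan -ComputerName $h -ErrorAction Stop
        "{0}: WinRM responds" -f $h
    } catch {
        "{0}: no WinRM response ({1})" -f $h, $_.Exception.Message
    }
}
```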

Downloading and Installing

  1. Download and install the latest Windows connection manager to the provisioned virtual machine.
  2. You will be prompted to choose a Configuration Directory. This is where the service, logs and configuration will live.
  3. The Target URL is the URL of your UpGuard Web UI instance. For hosted users, this will look like For on-prem users, this will be the URL of your instance you use to log into UpGuard.
  4. If you are an on-prem user and have installed either a self-signed certificate or a certificate that doesn’t have a cert-chain back to a trusted CA, then you can check the Ignore SSL Certificate Warnings option. All connections between the connection manager and appliance will still be encrypted over HTTPS, however the connection manager will not perform any host verification steps. (Hosted users should always leave this unchecked).
  5. You will be prompted for a “Group API Key”. Paste in the key generated for you in step 4 of “Creating a Connection Manager Group” (see above).
  6. Click next to continue. The connection manager will proceed with the installation process and will attempt to register against the “Target URL” with the “Group API Key” you provided.

Installation Verification

If the connection manager has been successfully installed and registered, you will see the connection manager listed in the connection manager group that you created earlier. This connection manager group can now be used when adding additional nodes to UpGuard. You will also see the UpGuard Service listed in your Services panel.


Registration Failed

The connection manager registration process (a step of the installation process) will fail if a self-signed certificate is detected on the UpGuard website (target URL). This is a security mechanism that prevents the connection manager from being vulnerable to man-in-the-middle attacks. Please contact to speak to a Customer Success Engineer who can guide you through an alternative installation process. Alternatively, if you feel comfortable that your connection is internal only and you are using a self-signed certificate you can ignore the certificate check - see the Adjusting Settings section below.

After Installation

To successfully scan remote systems, the UpGuard connection manager service needs to be configured to run as a service user.

  1. Open the Services management snap-in as an Administrator and locate the UpGuard service in the list.
  2. Right-click the UpGuard service and select ‘Properties.’
  3. Switch to the Log On tab.
  4. Input the credentials for the service user and click ‘OK.’
  5. Restart the UpGuard service.

Also confirm that the Windows Service is configured to automatically start on reboot. While in the properties tab, under General, make sure the Startup type is set to Automatic.
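The same settings can be verified from PowerShell after following the steps above. This is an added example, not part of the original UpGuard documentation; it assumes the service's display name contains "UpGuard", since the page does not give the exact service name.

```powershell
# Added example: confirm the service runs as a service user and starts automatically.
# Assumption: the display name contains "UpGuard"; adjust the filter if yours differs.
$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

$services = @(Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE '%UpGuard%'")
if ($services.Count -eq 0) {
    Write-Warning 'No service with "UpGuard" in its display name was found.'
}

foreach ($svc in $services) {
    $findings = @()
    # The Log On tab should name the service user, not a built-in account.
    if ($builtIn -contains $svc.StartName) {
        $findings += "runs as built-in account $($svc.StartName)"
    }
    # Win32_Service reports the Automatic startup type as 'Auto'.
    if ($svc.StartMode -ne 'Auto') {
        $findings += "startup type is $($svc.StartMode), expected Auto"
    }
    if ($svc.State -ne 'Running') {
        $findings += "state is $($svc.State), expected Running"
    }
    $summary = 'OK'
    if ($findings.Count -gt 0) { $summary = $findings -join '; ' }

    [pscustomobject]@{
        Service   = $svc.Name
        LogOnAs   = $svc.StartName
        StartMode = $svc.StartMode
        State     = $svc.State
        Findings  = $summary
    }
}
```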



You can update the UpGuard connection manager by installing a new version right over the top of an existing install.

  1. Visit our downloads page to obtain the latest installer.
  2. New versions of the UpGuard connection manager can then be installed in-place.


The UpGuard connection manager can be uninstalled either through “Add/Remove Programs” or via the “UpGuard Uninstaller” link located in the install directory. By default this is C:\Program Files (x86)\UpGuard.

Additional Help

Adjusting Settings When Adding Connection Managers via Command Line

You can adjust the settings for connection managers by appending the following options to this command:

upguard -r --target_url=<URL> --api_key=<KEY>

Enable Debug Mode


Disable Debug Mode


Change Timeout Settings when Adding New CMs


30 seconds is the default timeout; change number to the desired amount in seconds.

Ignore SSL Certificate Check

You might see the following error message during Agent or Connection Manager installation if you are using a self-signed certificate or your UpGuard instance’s certificate chain back to a trusted CA isn’t configured correctly:

Error SSL certificate could not be trusted: RemoteCertificateChainErrors
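Before deciding whether to ignore the check, it helps to see exactly which part of the chain fails. The following is an added example, not part of the original UpGuard documentation; `$TargetUrl` is a placeholder, and the script assumes the instance accepts TLS 1.2.

```powershell
# Added example: report why the certificate presented by the target URL is not trusted.
# $TargetUrl is a placeholder; use the Target URL given to the installer.
$TargetUrl = 'https://upguard.example.internal'

function Get-TlsChainReport {
    param([Parameter(Mandatory = $true)][uri]$Url)

    $found = @{ PolicyErrors = $null; Elements = @(); Status = @() }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $policyErrors)
        # Copy what Windows concluded about the chain; the objects do not outlive the handshake.
        $found.PolicyErrors = $policyErrors
        $found.Elements = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        $found.Status   = @($chain.ChainStatus |
            ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        # Accept so the handshake completes and can be reported on.
        # No application data is sent over this diagnostic connection.
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($Url.Host, $Url.Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Url.Host, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }

    [pscustomobject]@{
        Url          = $Url.AbsoluteUri
        PolicyErrors = $found.PolicyErrors   # None, or e.g. RemoteCertificateChainErrors
        ChainSubject = $found.Elements       # leaf first, then issuers found by Windows
        ChainStatus  = $found.Status         # e.g. UntrustedRoot, PartialChain
    }
}

Get-TlsChainReport -Url $TargetUrl | Format-List
```

A `PolicyErrors` value of `None` means the chain validates on this host; `UntrustedRoot` or `PartialChain` in `ChainStatus` points at a self-signed certificate or a missing intermediate.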

You can ignore this cert check by adding this command line option: