Deploying agents through Group Policy

You can centrally install (or deploy) Agent for Windows onto machines that are members of an Active Directory domain, by using Group Policy.

In this section, you will find out how to set up a Group Policy object to deploy agents onto machines in an entire domain or in its organizational unit.

Every time a machine logs on to the domain, the resulting Group Policy object will ensure that the agent is installed and registered.


Before proceeding with agent deployment, ensure that:

  • You have an Active Directory domain with a domain controller running Microsoft Windows Server 2003 or later.
  • You are a member of the Domain Admins group in the domain.
  • You have downloaded the All agents for Windows setup program. The download link is available on the Add devices page in the service console.

Step 1: Generating a registration token

A registration token passes your identity to the setup program without storing your login and password for the service console. This enables you to register any number of machines under your account. For more security, a token has limited lifetime.

To generate a registration token

  1. Sign in to the service console by using the credentials of the account to which the machines should be assigned.
  2. Click All devices > Add.
  3. Scroll down to Registration token, and then click Generate.
  4. Specify the token lifetime, and then click Generate token.
  5. Copy the token or write it down. Be sure to save the token if you need it for further use.

    You can click Manage active tokens to view and manage the already generated tokens. Please be aware that for security reasons, this table does not display full token values.

Step 2: Creating the .mst transform and extracting the installation package

  1. Log on as an administrator on any machine in the domain.
  2. Create a shared folder that will contain the installation packages. Ensure that domain users can access the shared folder—for example, by leaving the default sharing settings for Everyone.
  3. Start the setup program.
  4. Click Create .mst and .msi files for unattended installation.
  5. Click Specify next to Registration settings, and then enter the token you generated.

    You can change the method of registering the machine in the Cyber Protection service from Use registration token (default) to Use credentials or Skip registration. The Skip registration option presumes that you will register the machine at a later time.

  6. Review or modify the installation settings that will be added to the .mst file, and then click Proceed.
  7. In Save the files to, specify the path to the folder you created.
  8. Click Generate.

As a result, the .mst transform is generated and the .msi and .cab installation packages are extracted to the folder you created.

Step 3: Setting up the Group Policy objects

  1. Log on to the domain controller as a domain administrator; if the domain has more than one domain controller, log on to any of them as a domain administrator.
  2. If you are planning to deploy the agent in an organizational unit, ensure that the organizational unit exists in the domain. Otherwise, skip this step.
  3. In the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers (in Windows Server 2003) or Group Policy Management (in Windows Server 2008 or later).
  4. In Windows Server 2003:

    • Right-click the name of the domain or organizational unit, and then click Properties. In the dialog box, click the Group Policy tab, and then click New.

    In Windows Server 2008 or later:

    • Right-click the name of the domain or organizational unit, and then click Create a GPO in this domain, and Link it here.
  5. Name the new Group Policy object Agent for Windows.
  6. Open the Agent for Windows Group Policy object for editing, as follows:

    • In Windows Server 2003, click the Group Policy object, and then click Edit.
    • In Windows Server 2008 or later, under Group Policy Objects, right-click the Group Policy object, and then click Edit.
  7. In the Group Policy object editor snap-in, expand Computer Configuration.
  8. In Windows Server 2003 and Windows Server 2008:

    • Expand Software Settings.

    In Windows Server 2012 or later:

    • Expand Policies > Software Settings.
  9. Right-click Software installation, then point to New, and then click Package.
  10. Select the agent's .msi installation package in the shared folder that you previously created, and then click Open.
  11. In the Deploy Software dialog box, click Advanced, and then click OK.
  12. On the Modifications tab, click Add, and then select the .mst transform that you previously created.
  13. Click OK to close the Deploy Software dialog box.