Deploying agents through Group Policy

You can centrally install (or deploy) Agent for Windows onto machines that are members of an Active Directory domain, by using Group Policy.

In this section, you will find out how to set up a Group Policy object to deploy agents onto machines in an entire domain or in one of its organizational units.

Every time a machine logs on to the domain, the resulting Group Policy object will ensure that the agent is installed and registered.

Prerequisites

Before proceeding with agent deployment, ensure that:

  • You have an Active Directory domain with a domain controller running Microsoft Windows Server 2003 or later.
  • You are a member of the Domain Admins group in the domain.
  • You have downloaded the All agents for Windows setup program. The download link is available on the Add devices page in the service console.

Step 1: Generating a registration token

A registration token passes the identity of a user to the agent setup program without storing the user credentials for the service console. This enables users to register any number of machines under their account without having to log in. For security reasons, tokens have a limited lifetime that you can adjust. The default period is 3 days.

To generate a registration token for your account

  1. Sign in to the service console.
  2. Click Devices > All devices > Add.
  3. Scroll down to Registration token, and then click Generate.
  4. Specify the token lifetime.
  5. [Optional] To enable the user of the token to apply and revoke a protection plan on the added machines, select the plan from the drop-down list.

    Note that you will need to run a script that will apply or revoke a protection plan on the added machines. Refer to this knowledge base article for more details.

  6. Click Generate token.
  7. Copy the token or write it down.

    Be sure to save the token if you need it for further use.

You can click Manage active tokens to view and delete the tokens that are generated for your account.

For security reasons, the Active Tokens table does not display full token values.

To generate a registration token on behalf of a user in the tenants that you can manage

  1. Sign in to the service console as a Partner or Customer administrator.

    If you are already signed in to the management console, on the Cyber Protection tab, click Manage service to navigate to the service console.

  2. From the drop-down list in the upper left, select the tenant that contains the user on whose behalf you want to create a token.

  3. Under Devices, click All devices > Add.

    The Add devices dialog opens on the right.

  4. Scroll down to Registration token, and then click Generate.
  5. Specify the token lifetime.
  6. Select the user for whom you want to generate a token.

    Agents registered with the token will be registered under the user account that you select here.
  7. [Optional] To enable the user of the token to apply and revoke a protection plan on the added machines, select the plan from the drop-down list.

    Note that you will need to run a script that will apply or revoke a protection plan on the added machines. Refer to this knowledge base article for more details.

  8. Click Generate token.

  9. Copy the token or write it down.

    Be sure to save the token if you need it for further use.

You can click Manage active tokens to view and delete the tokens that are generated for users that you can manage.

For security reasons, the Active Tokens table does not display full token values.

Step 2: Creating the .mst transform and extracting the installation package

  1. Log on as an administrator on any machine in the domain.
  2. Create a shared folder that will contain the installation packages. Ensure that domain users can access the shared folder—for example, by leaving the default sharing settings for Everyone.
  3. Start the setup program.
  4. Click Create .mst and .msi files for unattended installation.
  5. Click Specify next to Registration settings, and then enter the token you generated.

    You can change the method of registering the machine in the Cyber Protection service from Use registration token (default) to Use credentials or Skip registration. The Skip registration option presumes that you will register the machine at a later time.

  6. Review or modify the installation settings that will be added to the .mst file, and then click Proceed.
  7. In Save the files to, specify the path to the folder you created.
  8. Click Generate.

As a result, the .mst transform is generated and the .msi and .cab installation packages are extracted to the folder you created.
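
Packages assigned under Computer Configuration are installed by the local SYSTEM account, so the shared folder should be readable by domain users but writable only by administrators. The following audit of the share is an added example, not part of the original procedure or the vendor's tooling; the share name `AgentDeploy` and the list of trusted principals are assumptions.

```powershell
# Added example: read-only audit of the deployment share. Run elevated on the
# machine that hosts the share. 'AgentDeploy' is a hypothetical share name.
$ShareName = 'AgentDeploy'
$share     = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Principals that are expected to hold write access (assumption; extend as needed).
$trusted = '(^|\\)(Administrators|Domain Admins|SYSTEM|CREATOR OWNER|TrustedInstaller)$'

# 1. Share-level permissions: non-admin principals should have Read only.
$shareFindings = Get-SmbShareAccess -Name $ShareName | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.AccessRight -ne 'Read' -and
    $_.AccountName -notmatch $trusted
}

# 2. NTFS permissions on the folder: flag any Allow entry that lets a non-admin
#    principal create, change or delete files. Entries expressed as generic
#    rights are not decoded here.
$writeNames = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits  = [int][System.Security.AccessControl.FileSystemRights]$writeNames
$ntfsFindings = (Get-Acl -Path $share.Path).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band $writeBits) -ne 0 -and
    $_.IdentityReference.Value -notmatch $trusted
}

# 3. The setup program should have produced .msi, .mst and .cab files here.
$present = @(Get-ChildItem -Path $share.Path -File | ForEach-Object Extension)
$missing = '.msi', '.mst', '.cab' | Where-Object { $_ -notin $present }

# Report: empty finding lists mean only trusted principals can modify the packages.
[pscustomobject]@{
    Share            = $share.Path
    ShareFindings    = @($shareFindings | ForEach-Object { "$($_.AccountName): $($_.AccessRight)" })
    NtfsFindings     = @($ntfsFindings  | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
    MissingFileTypes = @($missing)
} | Format-List
```

Resolve any entry under ShareFindings or NtfsFindings before linking the package in Step 3, and re-run the audit after regenerating the .mst with a new token.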

Step 3: Setting up the Group Policy objects

  1. Log on to the domain controller as a domain administrator; if the domain has more than one domain controller, log on to any of them as a domain administrator.
  2. If you are planning to deploy the agent in an organizational unit, ensure that the organizational unit exists in the domain. Otherwise, skip this step.
  3. In the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers (in Windows Server 2003) or Group Policy Management (in Windows Server 2008 or later).
  4. In Windows Server 2003:

    • Right-click the name of the domain or organizational unit, and then click Properties. In the dialog box, click the Group Policy tab, and then click New.

    In Windows Server 2008 or later:

    • Right-click the name of the domain or organizational unit, and then click Create a GPO in this domain, and Link it here.
  5. Name the new Group Policy object Agent for Windows.
  6. Open the Agent for Windows Group Policy object for editing, as follows:

    • In Windows Server 2003, click the Group Policy object, and then click Edit.
    • In Windows Server 2008 or later, under Group Policy Objects, right-click the Group Policy object, and then click Edit.
  7. In the Group Policy object editor snap-in, expand Computer Configuration.
  8. In Windows Server 2003 and Windows Server 2008:

    • Expand Software Settings.

    In Windows Server 2012 or later:

    • Expand Policies > Software Settings.
  9. Right-click Software installation, then point to New, and then click Package.
  10. Select the agent's .msi installation package in the shared folder that you previously created, and then click Open.
  11. In the Deploy Software dialog box, click Advanced, and then click OK.
  12. On the Modifications tab, click Add, and then select the .mst transform that you previously created.
  13. Click OK to close the Deploy Software dialog box.