Endpoint Standard: How to Deploy Windows Sensors using GPO

Endpoint Standard: How to Deploy Windows Sensors using GPO

Environment

  • Endpoint Standard Console: All Versions
  • Endpoint Standard Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Group Policy Object Editor

Objective

How to deploy or install Endpoint Standard Sensors for Windows machines using Group Policy Object (GPO)

Resolution

Create the .MST (Microsoft Installer Transform)
  1. Sign  in to the Endpoint Standard Console and select Endpoints
  2. Select Sensor Options > Download Sensor Kits. Download the CB Defense .MSI file for Windows sensor install
  3. Download Orca.exe from Microsoft
  4. Open MSI with Orca.exe
    • Right click .msi > Edit with Orca
  5. Start a new transform.
    • Click Transform > New Transform
  6. Create additional Property table entries
    1. Under left-hand column Tables > Property
    2. Right click in blank space > Add row
    3. REQUIRED: Company Registration Code
      • Select Property table and enter: COMPANY_CODE (PSC Console > Endpoints Page > Sensor Options > Company Codes)
      • Select Value and enter in the correct Company Code for the sensor version being deployed. The Company Code can be found in Sensor Options on the Endpoints page of the PSC Console
    4. REQUIRED: VDI switch(s) for Virtual Desktops. 
    5. Other optional parameters can be found in Cb Defense: How to Perform an Unattended Installation of the Windows Sensor
  7. Save the new MSI transform property.
    1. Select Transform > Generate Transform
    2. Use an easily recognizable file name to differentiate this MST from others you may create
    3. Save the transform file type as .mst
Automatically create sensor .msi log files via Group Policy
Carbon Black recommends that you create a verbose .msi install log file to help troubleshoot Group Policy installation or upgrade issues.
 
  • To configure Group Policy to automatically create Windows Installer .msi log
  1. Open the Group Policy editor and expand Computer Configuration > Administrative Templates > Windows Components.
  2. Select Windows Installer and double-click Logging or Specify the types of events Windows Installer records in its transaction log depending on the windows version
  3. Select Enabled.
  4. In the Logging textbox, type voicewarmupx
  5. Select Save Changes.
NOTE: The msixxx.log file will be created in the Temp folder of the system volume C:\Windows\Temp\
NOTE: This setting will create an msi install log for all users in the GPO
 
  • To enable Windows Installer .msi log using the registry
  1. Go to registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer.
  2. Set registry value Logging to voicewarmupx
NOTE: If Group Policy is configured to automatically create a Windows Installer .msi log, this registry value voicewarmupx should match whatever is configured in Group Policy 

Deploy sensors using GPO
  1. Select Start > Administrative Tools > Group Policy Management
  2. Select Software settings > Software Installation > New > Package
    • Select the .msi file downloaded in Step 2 of the previous procedure
  3. Under Deployment Method > select Advanced
  4. Add name for package that is easily identifiable (e.g. WinSensor64) 
    • For 32 bit MSI only – in the Deployment tab click Advanced > uncheck make this 32-bit x86 application available to Win64 machines – click OK.
  5. Switch to Modifications tab > click Add
  6. Select the .mst you created in the previous procedure
  7. Select Save 
  8. If you utilize a script to force a reboot to update the policy objects, run that now
    • To verify that sensors are populating correctly, check the console periodically to verify that sensor information is populating and that the sensors are checking in regularly
 

Additional Notes

  • The path of both the CB Defense .msi and .mst files are located on a network share accessible to everywhere in your network and to which everyone has at least read permissions)
  • For a list of optional installation properties, please see the table in Cb Defense: How to Perform an Unattended Installation of the Windows Sensor
  • Active Directory does not support adding in command line parameters. You have to make a batch file to run with it to pass the parameters or package up an edited MSI. On next system restart, a drive is mounted and installation is scheduled. Note that failure rate when using AD is usually higher than with other software management tools.
  • GPO by default installs software on startup, meaning you have to reboot an endpoint for it to be effective. Not every endpoint reboots every night nor does every organization require a reboot on a regular basis. The restart requirement should be considered when deploying sensors via Group Policy.
  • If deploying a script to force a reboot to update the policy objects see CB PSC: Can GPO Software Installation deploy the Sensor without Reboot?
  • We do not recommend using the option Uninstall this application when it falls out of the scope of management.

Related Content


Was this article helpful? Yes No
67% helpful (2/3)
Article Information
Author:
Creation Date:
‎07-15-2016
Views:
16591
Contributors