Deployment via Active Directory GPO

Using Active Directory Group Policy to Deploy

The DefensX Agent installer is a regular MSI package, which you can deploy by creating a GPO in Active Directory and attaching that GPO to the computers or user groups on which you want to install the DefensX Agent.

Required steps for deploying DefensX via GPO:

  • Download the MSI file and put it into a network shared folder

  • Download the PowerShell script from the Policies & Groups page in the DefensX backend

  • Edit the downloaded script and change the MSI path to a shared UNC path

  • Create a new GPO and set the downloaded PowerShell script to run at Startup

Important
The suggested way to install the DefensX Agent via GPO is to use a PowerShell Startup script. Although it is also possible to use a GPO for .msi software packages, this is not recommended, because that model requires you to create an MST (MSI Transformations) file with the ORCA utility from the Windows Installer SDK and attach the prepared MST file to the GPO in order to provide your deployment key and other installation parameters. If you have a specific reason to use the MST transformation file method, please contact us.

Download and Locate the MSI File

As the first step, download the DefensX Agent installer MSI file from the Policies & Groups page in the backend.

Note
It is possible to skip this step, but then the PowerShell script will try to download the MSI file from the internet on every installation. For best results, download the MSI file and keep it in a network shared folder that is publicly available in your environment.

After downloading the MSI file, copy it to a shared folder such as SYSVOL and note the UNC path of the file, which is needed in the next step. In this document we assume that the UNC path of the MSI file is: \\DC-Server1\sysvol\MyDomain\scripts\DefensXInstaller-1.8.45.msi

Downloading the PowerShell script

In this step, download the PowerShell script, which is generated automatically with your deployment settings, from the Policies & Groups page.

To do this, click the RMM button for the deployment group you want to deploy:

Then click the Download Powershell Installation Script button.

Changing MSI path in the script

In this step, uncomment the second $Remote_File variable line near the top of the script and change its value to the UNC path of the MSI file in the network shared folder, like this:

# If you want to deploy via network shared folder, uncomment the next line
$Remote_File = "\\DC-Server1\sysvol\MyDomain\scripts\DefensXInstaller-1.8.45.msi"

and save the ps1 script.

The updated script must be placed in a folder that is available to everyone as a shared network UNC path. Following the same example used for the MSI file, you can place it at a path like "\\DC-Server1\sysvol\MyDomain\scripts\DefensXInstaller.ps1"

Create the GPO and Set Up the PowerShell Startup Script

In the last step, create a new GPO (or modify an existing one) like this:

  • Open Group Policy Management Editor and create a new GPO

  • Edit the newly created GPO and go to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)

  • Click on the Startup and select Properties

  • Go to the PowerShell Scripts tab in the dialog that opens

  • Click the Add button to add the downloaded PowerShell script

  • Click Browse… and select the PowerShell script by its UNC path

  • Do not enter any Script Parameters; just press the OK button

Test and Troubleshooting

If you’ve completed all of the steps above and linked the newly created GPO in your Domain, you can now test it on a computer.

The only downside of the Startup script based installation method is that computers first need to receive the updated policy and then be rebooted. For testing purposes, you can run the gpupdate /force command on the client computer to fetch the new policies and then reboot the client computer. On the next boot, it should execute the PowerShell script from the shared network path and install the DefensX Agent according to the parameters inside the script.

If it is not working as expected, go through the following troubleshooting checklist:

  • Is the GPO in effect in your Domain? Is it linked with the correct object which includes the client computer?

  • Did you try to update policies on the client computer with gpupdate?

  • Can you open the script’s UNC path on the client computer?

  • Can you open the msi file’s UNC path on the client computer?

  • Is there a newly created log file at C:\Windows\Temp\DefensXInstaller.log on the client computer? If so, you can look at the logs inside it.
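
The client-side items of this checklist can be run as one script. The following is an added example, not part of the DefensX-generated script; it uses this document's example UNC paths. Because Startup scripts run as Local System, it also lists any principal outside an assumed trusted set that can modify the script or the MSI (the `$TrustedWriters` list and the function name `Test-DeployFile` are assumptions; adjust them to your domain).

```powershell
# Added example: client-side checks for the troubleshooting list above.
# Paths are the example values used in this document; replace them with your own.
$ScriptPath = '\\DC-Server1\sysvol\MyDomain\scripts\DefensXInstaller.ps1'
$MsiPath    = '\\DC-Server1\sysvol\MyDomain\scripts\DefensXInstaller-1.8.45.msi'
$LogPath    = 'C:\Windows\Temp\DefensXInstaller.log'

# Assumption: only these principals are expected to hold write access.
# Anyone else who can change these files can run code as SYSTEM at next boot.
$TrustedWriters = 'Domain Admins|Enterprise Admins|Administrators|SYSTEM|CREATOR OWNER'

# Write-type rights only (Modify/FullControl are not used as masks because
# they also contain read bits and would match read-only entries).
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Test-DeployFile {
    param([Parameter(Mandatory)][string]$Path)

    # Checklist items: can the client open the script / MSI UNC path?
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Reachable = $false; UnexpectedWriters = @() }
    }

    # Collect Allow entries that grant any write-type right to an untrusted principal.
    $writers = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band [int]$WriteRights) -ne 0) -and
        ($_.IdentityReference.Value -notmatch $TrustedWriters)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{ Path = $Path; Reachable = $true; UnexpectedWriters = @($writers) }
}

$ScriptPath, $MsiPath | ForEach-Object { Test-DeployFile -Path $_ } | Format-List

# Checklist item: did the startup script leave a log on this client?
if (Test-Path -LiteralPath $LogPath) {
    Get-Content -LiteralPath $LogPath -Tail 20
} else {
    Write-Output "No installer log found at $LogPath (the startup script may not have run yet)."
}
```

An empty UnexpectedWriters list with Reachable set to True is the expected result. The Startup script reads the share as the computer account, so read access must cover the client's computer account, not just the user running this check.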