Arctic Wolf Agent Installation on Windows - Multiple Endpoints
Updated Feb 16, 2024
Note: When set up correctly, you will have one online non-persistent VDI device. Duplicate offline devices are automatically purged after three days. If duplicate non-persistent VDI devices appear in the Arctic Wolf Unified Portal, install Arctic Wolf Agent for non-persistent VDI instances again.
Arctic Wolf® Agent supports non-persistent virtual desktop infrastructure (VDI) using these VDI solutions:
- VMware Horizon
- Windows Remote Desktop Services
You can use this procedure to create a master template for deploying non-persistent Windows VDI instances. This resolves issues like duplicate Agent UUIDs and allows for better management of non-persistent Windows instances.
Any non-persistent VDI instances created from this template are:
- Identified in the Arctic Wolf Unified Portal with VDI State attributes.
- Not added to scan groups automatically.
- Not updated automatically.
- Deactivated in the Arctic Wolf Portal within three days, rather than 90 days for persistent images.
- Arctic Wolf Agent version 2023-01
- One of these operating systems (OSes):
  - Windows 10 or 11
  - Windows 2012 R2, 2016, 2019, or 2022
Make sure outbound access is available for ports 443 and 1514.
Configure your firewall to allow traffic to Agent DNS hostnames:
- Sign in to the Arctic Wolf Unified Portal.
- Click > Allowlist Requirements.
- Configure your firewall to allow outbound traffic for all the hostnames, not IP addresses, listed in the Agent section.
Note: Agent must contact Arctic Wolf servers to register. If this process fails, Agent retries every 15 seconds. This has no negative effect on the system.
If you install Agent and an antivirus, endpoint scanner, Endpoint Detection and Response (EDR) solution, Unified Threat Management (UTM) solution, or similar software, add Agent processes to the allowlist in those applications to maintain stable CPU and memory utilization:
Configure your security systems to allow the processes listed in Arctic Wolf Agent Processes.
Tip: Arctic Wolf recommends that you define a security rule or policy exclusion for the parent folder. Then, if new processes are added during a future Agent software update, the new rule or policy exclusion applies to it. For example, for a Windows endpoint, define a rule that applies to this file path:
C:\Program Files\Arctic Wolf Networks\Agent\.
Add the files listed in Arctic Wolf Agent SHA-256 Hash Values to all allowlists.
If you use an EDR solution, verify that your EDR configuration changes are applied to all endpoints.
See the technical documentation for the security systems that you are configuring for more information.
On the target endpoint system, run this command with administrator permissions to create the initial non-persistent image:
msiexec /i awn-agent.msi VDI_TEMPLATE_IMAGE=1 /l*v install.log
Using the target endpoint system, create a master template that will be used to create non-persistent VDI instances.
Deploy non-persistent instances using the master template.
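As an added example (not Arctic Wolf's own script), this PowerShell pre-flight for the template machine checks outbound TCP access on ports 443 and 1514 by hostname, runs the install command above, and then checks the msiexec exit code and the install folder. The hostname is a placeholder for the ones listed in the portal, and testing every hostname on both ports is an assumption.

```powershell
#Requires -RunAsAdministrator
param(
    [string]$MsiPath = '.\awn-agent.msi',
    # Placeholder: replace with the hostnames from the Agent section of
    # Allowlist Requirements in the Arctic Wolf Unified Portal.
    [string[]]$AgentHosts = @('agent-host-1.example.invalid')
)

$ports = 443, 1514   # outbound ports named on this page

# 1. Check outbound TCP reachability by hostname (not IP) before installing.
#    Assumption: every hostname is tested on both ports.
$results = foreach ($h in $AgentHosts) {
    foreach ($p in $ports) {
        $t = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Port = $p; Reachable = $t.TcpTestSucceeded }
    }
}
$results | Format-Table -AutoSize
if ($results.Reachable -contains $false) {
    throw 'Outbound access is blocked for at least one host/port; fix the firewall rules first.'
}

# 2. Install in template mode, using the same arguments as the command above.
$msi  = (Resolve-Path $MsiPath).Path
$log  = Join-Path (Get-Location) 'install.log'
$proc = Start-Process msiexec.exe -Wait -PassThru -ArgumentList @(
    '/i', "`"$msi`"", 'VDI_TEMPLATE_IMAGE=1', '/l*v', "`"$log`""
)

# 3. msiexec returns 0 on success and 3010 when a reboot is required.
switch ($proc.ExitCode) {
    0       { 'Agent installed in VDI template mode.' }
    3010    { 'Agent installed; a reboot is pending.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $log" }
}

# 4. Confirm the folder used for the security-tool exclusion exists.
$agentDir = 'C:\Program Files\Arctic Wolf Networks\Agent'
if (-not (Test-Path $agentDir)) { throw "Expected folder not found: $agentDir" }
```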
- To install Sysmon for Agent on Windows, see Install Sysmon on Windows devices. Sysmon is a Microsoft product that provides detailed information about processes, file systems, and network activity. When installed on Windows endpoints, Sysmon helps Agent detect endpoint activity for the MDR service.
- To install the Agent Containment Driver, see Install the Arctic Wolf Agent Containment Driver on Windows using the Arctic Wolf Unified Portal. Containment is a feature of our MDR service that allows Arctic Wolf to isolate network traffic on the Windows Agent host.