Arctic Wolf Agent Installation on Windows

Updated Nov 28, 2023

Arctic Wolf® Agent is an endpoint security management tool that functions as a component of Managed Detection and Response (MDR) and Managed Risk. For more information, see Arctic Wolf Agent.

You can bulk install Agent on the Windows computers in your organization using Group Policy Management, Microsoft Intune, or Microsoft System Center Configuration Manager (SCCM).

Requirements

Supported operating systems

Note: If you plan to use Sysmon with Arctic Wolf Agent, Sysmon has these operating system requirements:

  • Windows 10 or newer for 64- and 32-bit systems
  • Windows Server 2016 or newer for 64-bit systems

System requirements

Networking requirements

Download the Agent installer

  1. In the Arctic Wolf Portal, click Accounts > Downloads.

  2. Under Endpoint Agent, select the desired Operating System option.

  3. Click Download Agent.

  4. Note the UUID value. You will need this value for the installation process.

  5. Unzip the Arctic Wolf Agent .zip file and extract the .msi file and the customer.json file into the same folder.

    Caution:

    • Do not make any edits to the customer.json file. Editing this file causes installation errors.
    • Do not save the Agent installer or customer.json to publicly accessible storage. customer.json is specific to your organization and must be kept confidential; restrict any distribution share to the accounts that need to read it.

Install Agent using Group Policy Management

You can install Arctic Wolf Agent on multiple Windows endpoints using Group Policy Management.

Note: Group Policy installation does not currently support VPN-connected endpoints.

To download your Agent installer, visit the Arctic Wolf Portal. To verify that Agent data is reaching Arctic Wolf, contact your Arctic Wolf Customer Success Manager or your Concierge Security® Team.

  1. Create a distribution point
  2. Create a Group Policy Object
  3. Create and assign the Agent package
  4. Verify Agent package assignment

Step 1: Create a distribution point

To deploy Agent through Group Policy, create a distribution point (a network share that the target computers can read) on the publishing server:

  1. Sign in to the server as an administrator user.

  2. Create a folder for the installation files, and copy the Agent .msi file and customer.json into it.

  3. Share the folder, and grant Read access on both the share and the NTFS folder to the computer accounts that will install Agent, for example the Domain Computers group or a dedicated security group. Group Policy installs software in the computer's security context at startup, so it is the computer accounts, not the signed-in users, that must be able to read the package.

    Caution: Do not grant Write access on the share, and do not open it to Everyone. The share holds customer.json, which must stay confidential.

  4. Note the UNC path of the share, for example \\<server>\<share>. You enter this path when you create the Agent package.

Step 2: Create a Group Policy Object

To deploy or distribute Agent through Group Policy, create the Agent Group Policy Object, also known as a policy:

  1. From the Start menu, open the Group Policy Management application.

  2. In the navigation menu, click Forest: <DomainName>, where <DomainName> is the name of your domain, and then click the Domains folder.

  3. Right-click the domain name. If you:

    • Already have an Arctic Wolf Agent GPO — Select Link an Existing GPO, and then select Edit.
    • Do not have an existing Arctic Wolf Agent GPO — Create a new GPO:
      1. Select Create a GPO in this domain, and Link it here.
      2. In the New GPO dialog box, enter a name for the new GPO.
      3. Verify that the Source Starter GPO menu says (none).
      4. Click OK to create a new GPO.

        Tip: To assign a security group and ensure that Agent is deployed to the correct group of computers, see Assign Security Group Filters to the GPO.

      5. Right-click the new GPO, and then click Enforced if the GPO must apply even where a child OU blocks inheritance or another GPO sets conflicting values. The link itself is already enabled when you create it.

        Tip: Once a link is enforced, a lock appears over the GPO icon in the navigation menu.

      6. Right-click the new GPO, and then select Edit.
  4. In the Group Policy Management Editor window that opens, right-click the root node (the GPO name at the top of the tree), and then click Properties.

  5. Click the Security tab.

  6. Select the security group that contains the target computers, and then select the Allow checkbox for Apply Group Policy.

    The policy is applied only to members of the selected groups. Leave Read (without Apply Group Policy) in place for Authenticated Users so that computers can still retrieve the policy.

  7. Click OK.
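Steps 1 and 2 can also be scripted. The following PowerShell is an example added to this page, not Arctic Wolf's own tooling: it creates the distribution share with read-only access for computer accounts, then creates, links and security-filters the GPO. The share path, share name, domain, group name, GPO name and target OU are assumptions; adjust them for your environment. The Software Installation package itself (Step 3) still has to be added in the Group Policy Management Editor, because the GroupPolicy module has no cmdlet for it.

```powershell
# Added example (not from the Arctic Wolf page). Run in an elevated PowerShell session on
# the domain-joined server that hosts the share, with the RSAT GroupPolicy module installed.
# All names below are assumptions for illustration.
$Domain        = 'CORP'
$ComputerGroup = 'Domain Computers'            # accounts that read the package at startup
$ShareRoot     = 'D:\Deploy\ArcticWolfAgent'
$ShareName     = 'ArcticWolfAgent$'            # trailing $ hides the share from browsing (not a security control)
$SourceFiles   = @('.\awn-agent.msi', '.\customer.json')   # extracted together from the portal download
$GpoName       = 'Arctic Wolf Agent Install'
$TargetOu      = 'OU=Workstations,DC=corp,DC=example'

# --- Step 1: distribution point -------------------------------------------------
New-Item -ItemType Directory -Path $ShareRoot -Force | Out-Null
Copy-Item -Path $SourceFiles -Destination $ShareRoot

# NTFS: drop inherited ACEs, then grant only Administrators/SYSTEM full control and the
# computer group read. Group Policy installs software in the computer's security context,
# so the computer accounts, not the users, must be able to read the .msi and customer.json.
# Nothing gets Write, and Everyone gets nothing.
$acl = Get-Acl -Path $ShareRoot
$acl.SetAccessRuleProtection($true, $false)
$inherit = 'ContainerInherit,ObjectInherit'
foreach ($entry in @(
    @('BUILTIN\Administrators',  'FullControl'),
    @('NT AUTHORITY\SYSTEM',     'FullControl'),
    @("$Domain\$ComputerGroup",  'ReadAndExecute'))) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $entry[0], $entry[1], $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ShareRoot -AclObject $acl

# Share permissions mirror the NTFS ACL: read for computers, full for admins.
New-SmbShare -Name $ShareName -Path $ShareRoot `
    -ReadAccess "$Domain\$ComputerGroup" -FullAccess 'BUILTIN\Administrators' | Out-Null
$uncMsi = "\\$env:COMPUTERNAME\$ShareName\awn-agent.msi"
Write-Host "Package UNC path to enter in Step 3: $uncMsi"

# --- Step 2: GPO, link, security filtering ---------------------------------------
Import-Module GroupPolicy
New-GPO -Name $GpoName -Comment 'Deploys Arctic Wolf Agent via Software Installation' | Out-Null
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null

# Security filtering: only the computer group gets Apply. Authenticated Users keeps Read
# (not Apply) so computers can still retrieve the GPO from SYSVOL during processing.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $ComputerGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Sanity check. Test-Path runs as the admin user, so it only proves the path resolves;
# the ACL above is what gives the computer accounts their read access.
if (-not (Test-Path -Path $uncMsi)) { throw "Package not reachable at $uncMsi" }
Get-GPO -Name $GpoName | Select-Object DisplayName, GpoStatus, CreationTime
```

The share is deliberately not opened to Everyone or Authenticated Users: the only principals that need the package are the computers that will install it, and customer.json is in the same folder.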

Step 3: Create and assign the Agent package

Create and assign the Agent package per user or per machine:

  1. Open Group Policy Management, right-click the Agent object that you created, and then click Edit.

  2. In Computer Configuration, expand Policies in the navigation pane, and then expand Software Settings.

  3. Right-click Software Installation, and then click New > Package.

  4. In the Open dialog box, type the full UNC path of the distribution point containing the .msi file (for example, \\<server>\<share>\<filename>.msi), and then select the .msi file to create the Agent package. Use the UNC path, not a local drive letter: clients resolve the path themselves at startup, and a local path works only on the server.

  5. Click Open.

  6. Click Assigned, and then click OK.

    The package is added to the Group Policy window.

  7. Close the Group Policy snap-in, and then click OK to exit.

Step 4: Verify Agent package assignment

If the Agent object or policy applies to a client device and is assigned to that device, and the distribution point is accessible, Agent will automatically install silently when that device restarts.

To verify that the Agent object or policy is correctly assigned:

  1. In an elevated Command Prompt or PowerShell window on a target computer, run the following command:

    gpupdate /force

    You should receive a message similar to the following:

    Computer Policy update has completed successfully.
    .
    .
    .
    Certain Computer policies are enabled that can only run during startup.
  2. When prompted, enter Y to restart your device and install Agent.

  3. After your device restarts, navigate to the Arctic Wolf Portal and search the Endpoints table to see if the Agent installed on your device appears.

Note: If the Agent installed on your device does not appear in the Endpoints table within 1-2 minutes of device restart, contact your Concierge Security Team (CST).
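A scripted version of the same check, added here as an example and not part of the Arctic Wolf documentation. Run it on the target computer in an elevated PowerShell session: it parses the applied-GPO section of gpresult, reads the uninstall registry entry that Programs and Features shows, confirms the client.keys file in the Agent folder (the folder and file are the ones this page's Intune detection rule uses), and, if that file is missing, lists the Windows Installer events. The GPO name is an assumption, and the gpresult parsing assumes English output. The same installed-or-not checks apply to the optional verification step in the SCCM section later on this page.

```powershell
# Added example (not Arctic Wolf code). Run as administrator on a computer that should
# have received the Agent GPO. $GpoName is an assumption: use the name you gave the GPO.
$GpoName  = 'Arctic Wolf Agent Install'
$AgentDir = 'C:\Program Files (x86)\Arctic Wolf Networks\Agent'   # path from this page's Intune detection rule

# Parse the "Applied Group Policy Objects" block of gpresult (English output assumed).
# Only the applied list is read; GPOs that were filtered out are listed further down.
function Get-AppliedComputerGpo {
    $inBlock = $false
    $applied = @()
    foreach ($line in (gpresult /scope:computer /r 2>&1)) {
        if ($line -match 'Applied Group Policy Objects') { $inBlock = $true; continue }
        if (-not $inBlock) { continue }
        if ($line -match '^\s*-{3,}\s*$') { continue }               # underline row
        if ([string]::IsNullOrWhiteSpace($line)) {
            if ($applied.Count -gt 0) { break } else { continue }
        }
        if ($line -match 'not applied') { break }
        $applied += $line.Trim()
    }
    return $applied
}

# Windows Installer writes to the Application log: 1033 = install completed (status in
# the message), 11707 = installed successfully, 11708 = installation failed.
function Get-AgentInstallerEvent {
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033, 11707, 11708 } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Arctic Wolf*' } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# The same source Programs and Features reads: the per-machine Uninstall keys (64- and 32-bit views).
function Get-AgentInstallRecord {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Arctic Wolf Agent*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate, UninstallString
}

$applied = Get-AppliedComputerGpo
if ($applied -contains $GpoName) {
    Write-Host "GPO '$GpoName' is applied to this computer."
} else {
    $msg = "GPO '$GpoName' is NOT in the applied list ($($applied -join ', ')). " +
           "Check the link, the security filtering and the computer's OU, then run gpupdate /force and reboot."
    Write-Warning $msg
}

$record = Get-AgentInstallRecord
if ($record) { $record | Format-List } else { Write-Warning 'No Arctic Wolf Agent entry in the Uninstall registry keys.' }

if (Test-Path -Path (Join-Path $AgentDir 'client.keys')) {
    Write-Host "client.keys is present in $AgentDir (the file the Intune detection rule on this page checks for)."
} else {
    Write-Warning "client.keys is missing in $AgentDir. Recent Windows Installer events:"
    Get-AgentInstallerEvent | Format-Table -AutoSize
}
```

If the GPO is applied but no install record exists, the usual causes are a distribution point that the computer account cannot read (check the share and NTFS ACLs) or a computer that has not restarted since the policy was assigned, which the 11708 event and the verbose MSI log will distinguish.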

Install Agent with Intune

You can install Arctic Wolf Agent on Windows using Microsoft Intune, which is a cloud-based service for mobile device management (MDM). This service lets you manage how employees use company-owned devices, such as laptops.

See the Microsoft documentation for more information.

Requirements

Tip: See the Microsoft documentation for more information about Win32 app management in Microsoft Intune.

Step 1: Install Agent using Intune

  1. Download the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe), available from Microsoft on GitHub. This tool converts the installer folder into a .intunewin file that you upload to Intune for distribution.

    Tip: See the Microsoft documentation for more information about installing this software.

  2. Run the following command, where:

    • <setup_folder> is the source folder (the folder that you extracted the Agent .msi file into).
    • <source_setup_file> is the filename of the Agent .msi file.
    • <output_folder> is the location for the new .intunewin file.

    IntuneWinAppUtil -c <setup_folder> -s <source_setup_file> -o <output_folder>

Step 2: Add Agent to Intune

  1. In the App information section:
    1. Click Select file to add the .intunewin file.
    2. Enter a description in the Description field.
    3. Enter ArcticWolf in the Publisher field.
  2. In the Program section:
    1. The Install command field already contains msiexec /i <arcticwolfagent-2021-05_01.msi> for the .msi in the package. After a space, append /qn CUSTOMER_UUID=<customer_UUID> REGISTER_DNS=<regional_DNS> /l*v scout_install.log, where:

      • <customer_UUID> is your customer UUID. To obtain this value, go to the Arctic Wolf Portal Downloads page, and then copy the UUID value from the Endpoint Agent section.

      • <regional_DNS> is your regional DNS hostname. To obtain this value, go to the Arctic Wolf Portal IP Addresses page, and then copy the DNS hostname that begins with activate.agent-common.prod from the If you use Arctic Wolf Agent section.

    2. In the Uninstall command field, enter msiexec /x "<GUID>" /q, where <GUID> is the ProductCode of the Agent .msi: the globally unique identifier, braces included, that Windows Installer registers the application under.

    3. In the Device restart behavior dropdown list, select Determine behavior based on return codes.

  3. In the Requirements section, specify the operating system architecture and minimum operating system.
  4. Create the detection rule:
    1. In the Detection rules section, select Manually configure detection rules in the Rules format dropdown list.
    2. Select File in the Rule type dropdown list.
    3. In the Path field, enter C:\Program Files (x86)\Arctic Wolf Networks\Agent.
    4. In the File or Folder field, enter client.keys.
    5. Select File or folder exists in the Detection method dropdown list.
    6. Verify that the Associated with a 32-bit app on 64-bit clients toggle is set to the default No.
  5. In the Review + create section, add the application.

After deployment, Intune notifies users that the software is updating on their device. You can view the installation status in the Intune portal.
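The following PowerShell is an example added to this page, not Arctic Wolf's own tooling. It reads the ProductCode out of the Agent .msi (the <GUID> that the uninstall command needs, which the page leaves for you to find), refuses to proceed if the customer UUID is malformed, runs the Win32 Content Prep Tool, and prints the exact values to enter in the Intune wizard's Program and Detection rules sections. The folder paths, the tool location, and the UUID and DNS placeholders are assumptions; the real UUID and activate.agent-common.prod hostname come from the Arctic Wolf Portal as described above.

```powershell
# Added example (not Arctic Wolf code). Run where the Win32 Content Prep Tool is installed.
# Paths, file names and the UUID/DNS placeholders below are assumptions.
$SourceDir    = 'C:\Packaging\ArcticWolfAgent\src'   # holds the .msi (and customer.json, extracted together)
$MsiName      = 'arcticwolfagent-2021-05_01.msi'
$OutputDir    = 'C:\Packaging\ArcticWolfAgent\out'
$PrepTool     = 'C:\Tools\IntuneWinAppUtil.exe'
$CustomerUuid = '00000000-0000-0000-0000-000000000000'  # placeholder: replace with the portal UUID
$RegisterDns  = 'activate.agent-common.prod.example'    # placeholder: replace with your regional hostname

# Read the ProductCode from the MSI's Property table through the Windows Installer COM API.
# This is the "<GUID>" the page asks for in the Intune uninstall command.
function Get-MsiProductCode {
    param([Parameter(Mandatory)][string]$Path)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $invoke = 'InvokeMethod'
    $db   = $installer.GetType().InvokeMember('OpenDatabase', $invoke, $null, $installer,
                @((Resolve-Path -Path $Path).Path, 0))   # 0 = open read-only
    $view = $db.GetType().InvokeMember('OpenView', $invoke, $null, $db,
                @("SELECT Value FROM Property WHERE Property = 'ProductCode'"))
    $view.GetType().InvokeMember('Execute', $invoke, $null, $view, $null) | Out-Null
    $rec  = $view.GetType().InvokeMember('Fetch', $invoke, $null, $view, $null)
    $code = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1))
    $view.GetType().InvokeMember('Close', $invoke, $null, $view, $null) | Out-Null
    return $code
}

# Refuse to bake a malformed UUID into the install command: Intune would push the same
# wrong value to every targeted device.
$parsed = [guid]::Empty
if (-not [guid]::TryParse($CustomerUuid, [ref]$parsed)) {
    throw "CUSTOMER_UUID '$CustomerUuid' is not a valid UUID"
}

$msiPath = Join-Path $SourceDir $MsiName
if (-not (Test-Path -Path $msiPath)) { throw "MSI not found: $msiPath" }
$productCode = Get-MsiProductCode -Path $msiPath

# Package the source folder. -q runs the tool without prompts. Everything in $SourceDir,
# including customer.json, ends up inside the .intunewin, so treat $OutputDir as confidential.
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
& $PrepTool -c $SourceDir -s $MsiName -o $OutputDir -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil exited with code $LASTEXITCODE" }

# Values to enter in the Intune app wizard (Program and Detection rules sections).
[pscustomobject]@{
    IntuneWinFile    = Join-Path $OutputDir ([IO.Path]::ChangeExtension($MsiName, '.intunewin'))
    InstallCommand   = "msiexec /i `"$MsiName`" /qn CUSTOMER_UUID=$CustomerUuid REGISTER_DNS=$RegisterDns /l*v scout_install.log"
    UninstallCommand = "msiexec /x `"$productCode`" /q"
    DetectionPath    = 'C:\Program Files (x86)\Arctic Wolf Networks\Agent'
    DetectionFile    = 'client.keys'
} | Format-List
```

Querying the ProductCode from the file, rather than copying it from a previous package, matters when Arctic Wolf ships a new .msi: a changed ProductCode means the old uninstall command silently does nothing.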

Install Agent using Microsoft System Center Configuration Manager

You can use Microsoft System Center Configuration Manager (SCCM) to manage the deployment of Agent.

We recommend using SCCM only for the initial deployment of Agent and not for updating Agent.

Requirements

Steps

  1. Install Agent using SCCM
  2. Deploy Agent using SCCM
  3. Monitor Agent SCCM deployment

Step 1: Install Agent using SCCM

  1. Download the Agent .msi file and copy it to a file share location.

  2. In the SCCM console, click Software Library > Application Management > Applications.

  3. Right-click Applications and click Create an Application.

  4. Set these options:

    • Type — Click Windows Installer (*.msi file).
    • Location — Click Browse to navigate to the location of the msi installation file.
  5. Click Next.

  6. On the View imported information page, click Next.

  7. On the General Information page, in the Installation program field, enter this command:

    msiexec /i <downloaded_filename.msi> /qn CUSTOMER_UUID=<customer_UUID> REGISTER_DNS=<regional_DNS> /l*v scout_install.log

    Replace the following:

    • <downloaded_filename.msi>: the filename of the downloaded Agent install msi file.
    • <customer_UUID>: your customer UUID.
    • <regional_DNS>: your DNS hostname.
  8. In the Install behavior field, select Install for System.

  9. Click Next.

  10. On the Summary page, click Next to complete the configuration.

Step 2: Deploy Agent using SCCM

  1. In the SCCM console, click Software Library > Application Management > Applications.
  2. Right-click the Agent application and click Deploy.
  3. Under Collection, select one or more User Collections from the list.
  4. Click OK.
  5. Click Next.
  6. On the Content page, click Add > Distribution Point.
  7. Select the distribution point that will host the Agent .msi content, and then click OK.
  8. Click Next.
  9. On the Deployment Settings page, set these options:
    • Action — Click Install.
    • Purpose — Click Required.
  10. Click Next.
  11. On the Scheduling page, click Installation deadline > As soon as possible.
  12. Click Next.

Step 3: Monitor Agent SCCM deployment

  1. In the Configuration Manager console, click Monitoring > Deployments.

  2. Right-click the Agent deployment, and click View Status.

    The Status Type changes to Success when the deployment has successfully completed.

    Note: The time to complete the deployment varies based on the User Collections selected.

  3. (Optional) Verify that Agent is installed on the target computer:

    1. Open Control Panel > Programs and Features.
    2. Verify that Arctic Wolf Agent is listed.

Windows Agent installation on non-persistent Virtual Desktop Infrastructure

Note: When set up correctly, you should have one online non-persistent VDI device. Offline duplicate devices are automatically purged after three days. If duplicate non-persistent VDI devices appear in the Unified Portal, install Agent for non-persistent VDI instances again. See Install Agent for non-persistent VDI instances.

Agent supports non-persistent Virtual Desktop Infrastructure (VDI), which you can use to create a master template to deploy non-persistent Windows VDI instances. This addresses issues such as duplicate agent UUIDs and allows for better management of non-persistent Windows instances.

Non-persistent VDI behavior

Any non-persistent VDI instances created from this template are:

Install Agent for non-persistent VDI instances

Install Agent using the VDI_TEMPLATE_IMAGE=1 switch to create the initial non-persistent image. After the installation is complete, you can use the image to create your master image for VDI instance deployment.

Non-persistent VDI installation requirements

Steps

  1. On the target endpoint system, from an elevated command prompt (an account with administrator privileges), run the following command:

       msiexec /i awn-agent.msi VDI_TEMPLATE_IMAGE=1 /l*v install.log
  2. Using the target endpoint system, create a master template that will be used to create non-persistent VDI instances.

    Non-persistent instances can be deployed using the master template.
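The command above, and the Intune and SCCM command lines earlier on this page, differ only in the properties passed to msiexec. The following PowerShell wrapper is an example added here, not Arctic Wolf's own tooling: it checks for elevation, validates the UUID when one is given, builds the command line for whichever scenario you are in (VDI_TEMPLATE_IMAGE=1 for the template image, CUSTOMER_UUID and REGISTER_DNS for a manual equivalent of the Intune/SCCM install, or neither with customer.json beside the .msi), always writes a verbose log, and maps the Windows Installer exit codes. It installs silently with /qn, whereas the command on this page runs interactively. The paths and placeholder values are assumptions, as is the rule that customer.json must sit next to the .msi when no CUSTOMER_UUID is passed; that rule is inferred from the Group Policy and VDI command lines on this page, which pass no UUID.

```powershell
# Added example (not Arctic Wolf code). Wraps msiexec for the command lines on this page.
# Installs silently (/qn); the page's VDI command is interactive. Paths are assumptions.
function Install-ArcticWolfAgent {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [string]$CustomerUuid,
        [string]$RegisterDns,
        [switch]$VdiTemplateImage,
        [string]$LogPath = (Join-Path $env:TEMP 'awn-agent-install.log')
    )
    # The page requires an administrator: fail fast instead of letting msiexec error out.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated session.'
    }
    if (-not (Test-Path -Path $MsiPath)) { throw "MSI not found: $MsiPath" }
    $MsiPath = (Resolve-Path -Path $MsiPath).Path

    $props = @()
    if ($CustomerUuid) {
        $g = [guid]::Empty
        if (-not [guid]::TryParse($CustomerUuid, [ref]$g)) {
            throw "CUSTOMER_UUID '$CustomerUuid' is not a valid UUID"
        }
        $props += "CUSTOMER_UUID=$CustomerUuid"
    } elseif (-not (Test-Path -Path (Join-Path (Split-Path -Parent $MsiPath) 'customer.json'))) {
        # Assumption (inferred from this page): without CUSTOMER_UUID, customer.json must sit next to the .msi.
        throw 'No CUSTOMER_UUID given and no customer.json next to the .msi.'
    }
    if ($RegisterDns)      { $props += "REGISTER_DNS=$RegisterDns" }
    if ($VdiTemplateImage) { $props += 'VDI_TEMPLATE_IMAGE=1' }   # marks this image as the VDI master template

    $msiArgs = @('/i', "`"$MsiPath`"", '/qn') + $props + @('/l*v', "`"$LogPath`"")
    Write-Host "msiexec $($msiArgs -join ' ')"
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow

    # Windows Installer exit codes: 0 success, 3010 success but reboot required,
    # 1641 success and reboot started; anything else (1603 is the generic failure),
    # read the verbose log.
    switch ($proc.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'Installed; reboot required' }
        1641    { return 'Installed; reboot initiated' }
        default { throw "msiexec exited with $($proc.ExitCode); see $LogPath" }
    }
}

# Non-persistent VDI template, as in the command above (customer.json next to the .msi):
Install-ArcticWolfAgent -MsiPath 'C:\Install\awn-agent.msi' -VdiTemplateImage

# Manual equivalent of the Intune/SCCM command line (placeholder values):
# Install-ArcticWolfAgent -MsiPath 'C:\Install\awn-agent.msi' `
#     -CustomerUuid '00000000-0000-0000-0000-000000000000' -RegisterDns 'activate.agent-common.prod.example'
```

Forgetting VDI_TEMPLATE_IMAGE=1 on the template is the failure mode this section warns about: every clone then reports the same agent identity, which is what produces the duplicate endpoints mentioned in the note above. Keeping the switch behind an explicit parameter, and logging the full command line before running it, makes that omission visible at build time rather than after the pool is deployed.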

Update an existing non-persistent VDI template

  1. Install Agent using the VDI_TEMPLATE_IMAGE=1 switch.
  2. Redeploy new non-persistent VDI instances using the updated template.

Install persistent VDI instances

Install Agent on Citrix using RDSH or VMware Application Pool environments

Next steps

Sysmon is a Microsoft product that provides detailed information about processes, file systems, and network activity. When installed on Windows endpoints, Sysmon helps Agent detect endpoint activity for the MDR service. To install Sysmon for Agent on Windows, see Sysmon Installation on Windows.

Containment is a feature of our MDR service that allows Arctic Wolf to isolate network traffic on the Windows Agent host. To install the Arctic Wolf Agent Containment Driver, see Arctic Wolf Agent Containment Driver Installation.

Redeploy the Agent package

To redeploy the Agent package, for example, during an upgrade:

  1. Open Group Policy Management, right-click the Agent object that you created, and then click Edit.
  2. Expand the Software Settings element, per user or per machine, that contains the deployed package.
  3. Expand the Software Installation element that contains the deployed package.
  4. Right-click the package in the right pane of the Group Policy window.
  5. Click All Tasks > Redeploy application.
  6. Click Yes to reinstall the application wherever it is installed.
  7. Close the Group Policy snap-in, and then click OK to exit.

Uninstall Agent

Note: When Arctic Wolf Agent is uninstalled, devices and associated risks are removed from the Arctic Wolf Portal and Risk Dashboard.

  1. Open Group Policy Management, right-click the Arctic Wolf Agent object that you created, and then click Edit.
  2. Expand the Software Settings element, per user or per machine, that contains the deployed package.
  3. Expand the Software Installation element that contains the deployed package.
  4. Right-click the package in the right pane of the Group Policy window.
  5. Select All Tasks > Remove, and then select Immediately uninstall the software from users and computers.
  6. Click OK to continue.
  7. Close the Group Policy snap-in, and then click OK to exit.

Agent deactivation

You can deactivate Agents by removing them from the Endpoints table in the Arctic Wolf Portal. We recommend uninstalling Agents before deactivating them. If you deactivate an Agent that is still installed on a system, the endpoint reappears in the Endpoints table the next time that it is Online.

Deactivating an endpoint does not delete existing data from Arctic Wolf internal databases.

Contained Agent deactivation

You are not required to deactivate Agents if they are contained. We recommend keeping Agents in the Endpoints table until the containment incident is resolved.

You can remove contained endpoints from the Endpoints table once the incident is resolved and the Agent is uninstalled from the device.

Tip: You can only remove endpoints that have not checked in for 72 hours.

Automatic Agent deactivation and activation

Any device that has not been Online for 90 days is automatically removed from the Endpoints table. The endpoint automatically reappears in the table the next time that its Agent checks in as Online.

Deactivate an Agent

If you are a Managed Risk (MR) customer, you can deactivate devices in the Arctic Wolf Portal. If you cannot access the Arctic Wolf Portal, contact your Concierge Security Team (CST).

Note: You cannot make these changes in the Risk Dashboard.

  1. Confirm that the Agent is uninstalled from the device.

  2. On the Arctic Wolf Portal, click Endpoint Status.

  3. In the Endpoints table, click Remove offline endpoint on the appropriate device.

    Tip: You can only remove devices that are Offline. A device is shown as Offline only when its Agent has not checked in for 72 hours.

  4. In the dialog, click Remove Endpoint.

    Note: If you accidentally remove an endpoint, the endpoint automatically reappears in the table the next time that Agent detects it as Online.