Arctic Wolf Agent Installation on Windows

Installation Guide

Updated Jun 8, 2023

Arctic Wolf Agent installation on Windows

Arctic Wolf® Agent is an endpoint security management tool that functions as a component of the following solutions:

You can bulk install Agent on the Windows computers in your organization using a package manager, Group Policy Management, or Intune.

Requirements

Supported operating systems

Note: If you plan to use Sysmon with Arctic Wolf Agent, Sysmon has these operating system requirements:

System requirements

Networking requirements

Download the Agent installer

  1. In the Arctic Wolf Portal, click Accounts > Downloads.

  2. Under Endpoint Agent, select the desired Operating System option.

  3. Click Download Agent.

  4. Note the UUID value. You will need this value for the installation process.

  5. Unzip the Arctic Wolf Agent .zip file and extract the .msi file and the customer.json file into the same folder.

    Caution:

    • Do not make any edits to the customer.json file. Editing this file causes installation errors.
    • Do not save the Agent installer or customer.json to publicly accessible storage. customer.json should be kept confidential.

Install Agent using Group Policy Management

You can install Arctic Wolf Agent on multiple Windows endpoints using Group Policy Management.

Note: Group Policy installation does not currently support VPN-connected endpoints.

To download your Agent installer, visit the Arctic Wolf Portal. To verify that Agent data is reaching Arctic Wolf, contact your Arctic Wolf Customer Success Manager or your Concierge Security® Team.

  1. Create a distribution point
  2. Create a Group Policy Object
  3. Create and assign the Agent package
  4. Verify Agent package assignment

Step 1: Create a distribution point

To deploy Agent through Group Policy, create a distribution point on the publishing server:

  1. Sign in to the server as an administrator user.

  2. Create a shared network folder for the installation files.

  3. In the new window, right-click on the Agent object, and then click Properties.

  4. Click the Security tab.

  5. Select a group or user, and then select the Allow checkbox for Apply Group Policy.

    The policy is applied to the specified groups.

  6. Click OK.
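
A pre-deployment check for the distribution point, added here as an example and not part of Arctic Wolf's documentation: it confirms that the .msi and customer.json on the share are byte-identical to the files extracted from the Portal download (so customer.json is unedited) and that no broad group can modify the share. Both default paths are hypothetical placeholders, and only NTFS permissions on the share folder are inspected, not share-level permissions.

```powershell
# Added example; both default paths are hypothetical placeholders.
param(
    [string]$Extracted = 'C:\Staging\ArcticWolfAgent',   # folder unzipped from the Portal download
    [string]$SharePath = '\\fileserver01\AgentDeploy'    # UNC path of the distribution point
)

# Broad principals: Everyone, Anonymous Logon, Authenticated Users, BUILTIN\Users,
# and the domain groups Domain Users (RID 513) and Domain Computers (RID 515).
$broadSids = '^S-1-1-0$|^S-1-5-7$|^S-1-5-11$|^S-1-5-32-545$|^S-1-5-21-.*-51[35]$'
# WriteData, AppendData, Delete, ChangePermissions, TakeOwnership, GENERIC_ALL, GENERIC_WRITE
$writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
$findings  = @()

# 1. The installer and customer.json must both be present, in the same folder.
$files = @(Get-ChildItem -LiteralPath $Extracted -File |
    Where-Object { $_.Extension -eq '.msi' -or $_.Name -eq 'customer.json' })
if ($files.Count -ne 2) {
    $findings += "Expected one .msi and customer.json in $Extracted, found $($files.Count) file(s)"
}

# 2. Each file on the share must be byte-identical to the downloaded copy.
foreach ($src in $files) {
    $copy = Join-Path $SharePath $src.Name
    if (-not (Test-Path -LiteralPath $copy)) {
        $findings += "$($src.Name) is missing from $SharePath"
        continue
    }
    $a = (Get-FileHash -LiteralPath $src.FullName -Algorithm SHA256).Hash
    $b = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
    if ($a -ne $b) { $findings += "$($src.Name) on the share differs from the downloaded copy" }
}

# 3. No broad principal may hold write-type NTFS rights on the share folder.
foreach ($ace in (Get-Acl -LiteralPath $SharePath).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $findings += "Unresolved identity $($ace.IdentityReference): review by hand"; continue }
    if ($sid -match $broadSids -and ([int]$ace.FileSystemRights -band $writeMask)) {
        $findings += "$($ace.IdentityReference) can modify the share: $($ace.FileSystemRights)"
    }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Share contents match the download and no broad group has write access.'
```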

Step 2: Create a Group Policy Object

To deploy or distribute Agent through Group Policy, create the Agent Group Policy Object, also known as a policy:

  1. From the Start menu, open the Group Policy Management application.

  2. In the navigation pane, expand Forest: <DomainName>, where <DomainName> is the name of your domain, and then expand the Domains folder.

  3. Right-click the domain name. If you:

    • Already have an Arctic Wolf Agent GPO — Select Link an Existing GPO, and then select Edit.

    • Do not have an existing Arctic Wolf Agent GPO — Create a new GPO:

      1. Select Create a GPO in this domain, and Link it here.
      2. In the New GPO dialog box, enter a name for the new GPO.
      3. Verify that the Source Starter GPO menu says (none).
      4. Click OK to create a new GPO.
      5. Right-click the new GPO and click Enforced to enable it.

        Tip: Once enabled, a lock appears over the GPO icon in the navigation pane.

      6. Right-click the new GPO and select Edit.
  4. In the new window, right-click on the Agent object, and then click Properties.

  5. Click the Security tab.

  6. Select a group or user, and then select the Allow checkbox for Apply Group Policy.

    The policy is applied to the specified groups.

  7. Click OK.

Step 3: Create and assign the Agent package

Create and assign the Agent package per user or per machine:

  1. Open Group Policy Management, right-click the Agent object that you created, and then click Edit.

  2. In Computer Configuration, expand Policies in the navigation pane, and then expand Software Settings.

  3. Right-click Software Installation, and then click New > Package.

  4. In the Open dialog box, type the full UNC path of the distribution point containing the .msi file and select the .msi file to create the Agent package.

  5. Click Open.

  6. Click Assigned, and then click OK.

    The package is added to the Group Policy window.

  7. Close the Group Policy snap-in, and then click OK to exit.

Step 4: Verify Agent package assignment

If the Agent object or policy applies to a client device and is assigned to that device, and the distribution point is accessible, Agent will automatically install silently when that device restarts.

To verify that the Agent object or policy is correctly assigned:

  1. In a terminal, run the following command:

    gpupdate /force

    You should receive a message similar to the following:

    Computer Policy update has completed successfully.
    .
    .
    .
    Certain Computer policies are enabled that can only run during startup.
  2. When prompted, enter Y to restart your device and install Agent.

  3. After your device restarts, navigate to the Arctic Wolf Portal and search the Endpoints table to see if the Agent installed on your device appears.

Note: If the Agent installed on your device does not appear in the Endpoints table within 1-2 minutes of device restart, contact your Concierge Security Team (CST).

Install Agent with Intune

You can install Arctic Wolf Agent on Windows using Microsoft Intune, which is a cloud-based service for mobile device management (MDM). This service lets you manage how employees use company-owned devices, such as laptops.

See the Microsoft documentation for more information.

Requirements

Tip: See the Microsoft documentation for more information about Win32 app management in Microsoft Intune.

Step 1: Install Agent using Intune

  1. Download and install the Intune application packager from Microsoft.

    Tip: See the Microsoft documentation for more information about installing this software.

  2. Install the Microsoft Win32 Content Prep Tool, available on GitHub. This allows you to convert the .msi file to a .intunewin file to upload for distribution.

  3. Run IntuneWinAppUtil -c <setup_folder> -s <source_setup_file> -o <output_folder>, substituting the following placeholders:

    • <setup_folder> is the source folder.
    • <source_setup_file> is the filename of the .msi file.
    • <output_folder> is the location for the new .intunewin file.

Step 2: Add Agent to Intune

  1. In the App information section:
    1. Click Select file to add the .intunewin file.
    2. Enter a description in the Description field.
    3. Enter ArcticWolf in the Publisher field.
  2. In the Program section:
    1. In the Install command field, append msiexec /i <arcticwolfagent-2021-05_01.msi> with /qn CUSTOMER_UUID=<customer_UUID> REGISTER_DNS=<regional_DNS> /l*v scout_install.log, where:

      • <customer_UUID> is your customer UUID. To obtain this value, go to the Arctic Wolf Portal Downloads page, and then copy the UUID value from the Endpoint Agent section.

      • <regional_DNS> is your DNS hostname. To obtain this value, go to the Arctic Wolf Portal IP Addresses page, and then copy the DNS hostname that begins with activate.agent-common.prod from the If you use Arctic Wolf Agent section.

      Include a space before the appended content.

    2. In the Uninstall command field, enter msiexec /x "<GUID>" /q, where <GUID> is the globally unique identifier of the application.

    3. In the Device restart behavior dropdown list, select Determine behavior based on return codes.

  3. In the Requirements section, specify the operating system architecture and minimum operating system.
  4. Create the detection rule:
    1. In the Detection rules section, select Manually configure detection rules in the Rules format dropdown list.
    2. Select File in the Rule type dropdown list.
    3. In the Path field, enter C:\Program Files (x86)\Arctic Wolf Networks\Agent.
    4. In the File or Folder field, enter client.keys.
    5. Select File or folder exists in the Detection method dropdown list.
    6. Verify that the Associated with a 32-bit app on 64-bit clients toggle is set to the default No.
  5. In the Review + create section, add the application.

After deployment, Intune notifies users that the software is updating on their device. You can view the installation status in the Intune portal.
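
To check the detection rule locally and find the <GUID> for the Uninstall command, the following PowerShell can be run on a reference endpoint where Agent is already installed. It is an added example, not Arctic Wolf's own tooling; the display-name match is an assumption based on the name this guide lists in Programs and Features.

```powershell
# Added example: run on a reference endpoint where Agent is already installed.
$detectDir  = 'C:\Program Files (x86)\Arctic Wolf Networks\Agent'  # Path field of the detection rule
$detectFile = 'client.keys'                                         # File or Folder field

# The same test that the "File or folder exists" detection method performs.
$detected = Test-Path -LiteralPath (Join-Path $detectDir $detectFile)

# MSI installs register under the Uninstall key; the subkey name is the product code
# that msiexec /x expects. Both registry views are searched.
$roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
# Assumption: the display name starts with "Arctic Wolf Agent", the name this guide
# says is listed in Programs and Features.
$entries = @(Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Arctic Wolf Agent*' -and
                   $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' })

if ($entries.Count -gt 0 -and -not $detected) {
    Write-Warning 'Registered as installed but client.keys is absent: Intune detection would fail.'
} elseif ($entries.Count -eq 0 -and $detected) {
    Write-Warning 'client.keys exists but no MSI registration was found: detection would pass on a stale folder.'
} elseif ($entries.Count -eq 0) {
    Write-Warning 'Agent is not installed on this endpoint.'
}

# One row per registered product, with the uninstall command in the form this guide uses.
foreach ($e in $entries) {
    [pscustomobject]@{
        DisplayName      = $e.DisplayName
        Version          = $e.DisplayVersion
        ProductCode      = $e.PSChildName
        UninstallCommand = 'msiexec /x "{0}" /q' -f $e.PSChildName
    }
}
```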

Install Agent using Microsoft System Center Configuration Manager

You can use Microsoft System Center Configuration Manager (SCCM) to manage the deployment of Agent.

We recommend using SCCM only for the initial deployment of Agent and not for updating Agent.

Requirements

Steps

  1. Install Agent using SCCM
  2. Deploy Agent using SCCM
  3. Monitor Agent SCCM deployment

Step 1: Install Agent using SCCM

  1. Download and copy the Agent msi file to a file share location.

  2. In the SCCM console, click Software Library > Application Management > Applications.

  3. Right-click Applications and click Create an Application.

  4. Set these options:

    • Type — Click Windows Installer (*.msi file).
    • Location — Click Browse to navigate to the location of the msi installation file.
  5. Click Next.

  6. On the View imported information page, click Next.

  7. On the General Information page, in the Installation program field, enter this command, where <downloaded_filename.msi> is the Agent install msi file and <customer_uuid> is the customer UUID:

    msiexec /i <downloaded_filename.msi> /qn CUSTOMER_UUID=<customer_uuid> REGISTER_DNS=prod-scout-reg.rootsoc.com /l*v scout_install.log
  8. In the Install behavior field, select Install for System.

  9. Click Next.

  10. On the Summary page, click Next to complete the configuration.

Step 2: Deploy Agent using SCCM

  1. In the SCCM console, click Software Library > Application Management > Applications.
  2. Right-click the Agent application and click Deploy.
  3. Under Collection, select one or more User Collections from the list.
  4. Click OK.
  5. Click Next.
  6. On the Content page, click Add > Distribution Point.
  7. Select the distribution point where you install the Agent msi file, and then click OK.
  8. Click Next.
  9. On the Deployment Settings page, set these options:
    • Action — Click Install.
    • Purpose — Click Required.
  10. Click Next.
  11. On the Scheduling page, click Installation deadline > As soon as possible.
  12. Click Next.

Step 3: Monitor Agent SCCM deployment

  1. In the Configuration Manager console, click Monitoring > Deployments.

  2. Right-click the Agent deployment, and click View Status.

    The Status Type changes to Success when the deployment has successfully completed.

    Note: The time to complete the deployment varies based on the User Collections selected.

  3. (Optional) Verify that Agent is installed on the target computer:

    1. Open Control Panel > Programs and Features.
    2. Verify that Arctic Wolf Agent is listed.

Windows Agent installation on non-persistent Virtual Desktop Infrastructure

Agent supports non-persistent Virtual Desktop Infrastructure (VDI), which you can use to create a master template to deploy non-persistent Windows VDI instances. This addresses issues such as duplicate agent UUIDs and allows for better management of non-persistent Windows instances.

Non-persistent VDI behavior

Any non-persistent VDI instances created from this template are:

Install Agent for non-persistent VDI instances

Install Agent using the VDI_TEMPLATE_IMAGE=1 switch to create the initial non-persistent image. After the installation is complete, you can use the image to create your master image for VDI instance deployment.

Non-persistent VDI installation requirements

Steps

  1. On the target endpoint system, run the following command using an account with administrator privileges:

       msiexec /i awn-agent.msi VDI_TEMPLATE_IMAGE=1 /l*v install.log
  2. Using the target endpoint system, create a master template that will be used to create non-persistent VDI instances.

    Non-persistent instances can be deployed using the master template.

Update an existing non-persistent VDI template

  1. Install Agent using the VDI_TEMPLATE_IMAGE=1 switch.
  2. Redeploy new non-persistent VDI instances using the updated template.

Install persistent VDI instances

Install Agent on Citrix using RDSH or VMware Application Pool environments

Proceed with Sysmon installation

Sysmon is a Microsoft product that provides detailed information about processes, file systems, and network activity. When installed on Windows endpoints, Sysmon helps Agent detect endpoint activity for the Managed Detection and Response service.

Redeploy the Agent package

To redeploy the Agent package, for example, during an upgrade:

  1. Open Group Policy Management, right-click the Agent object that you created, and then click Edit.

  2. Expand the Software Settings element, per user or per machine, that contains the deployed package.

  3. Expand the Software Installation element that contains the deployed package.

  4. Right-click the package in the right pane of the Group Policy window.

  5. Click All Tasks > Redeploy application.

  6. Click Yes to reinstall the application wherever it is installed.

  7. Close the Group Policy snap-in, and then click OK to exit.

Uninstall Agent

Note: When Arctic Wolf Agent is uninstalled, devices and associated risks are removed from the Arctic Wolf Portal and Risk Dashboard.

  1. Open Group Policy Management, right-click the Arctic Wolf Agent object that you created, and then click Edit.

  2. Expand the Software Settings element, per user or per machine, that contains the deployed package.

  3. Expand the Software Installation element that contains the deployed package.

  4. Right-click the package in the right pane of the Group Policy window.

  5. Select All Tasks > Remove, and then select Immediately uninstall the software from users and computers.

  6. Click OK to continue.

  7. Close the Group Policy snap-in, and then click OK to exit.

Agent deactivation

You can deactivate Agents by removing them from the Endpoints table in the Arctic Wolf Portal. We recommend uninstalling Agents before deactivating them. If you deactivate an Agent that is still installed on a system, the endpoint reappears in the Endpoints table the next time that it is Online.

Deactivating an endpoint does not delete existing data from Arctic Wolf internal databases.

Contained Agent deactivation

You are not required to deactivate Agents if they are contained. We recommend keeping Agents in the Endpoints table until the containment incident is resolved.

You can remove contained endpoints from the Endpoints table once the incident is resolved and the Agent is uninstalled from the device.

Tip: You can only remove endpoints that have not checked in for 72 hours.

Automatic Agent deactivation and activation

Any devices that were not Online for 90 days are automatically removed from the Endpoints table. The endpoint automatically reappears in the table the next time that Agent detects it as Online.

Deactivate an Agent

If you are a Managed Risk (MR) customer, you can deactivate devices in the Arctic Wolf Portal. If you cannot access the Arctic Wolf Portal, contact your Concierge Security Team (CST).

Note: You cannot make these changes in the Risk Dashboard.

  1. Confirm that the Agent is uninstalled from the device.

  2. On the Arctic Wolf Portal, click Endpoint Status.

  3. In the Endpoints table, click Remove offline endpoint on the appropriate device.

    Tip: You can only remove devices that are Offline. The Agent only identifies devices as Offline if the Agent did not check in with them for 72 hours.

  4. In the dialog, click Remove Endpoint.

    Note: If you accidentally remove an endpoint, the endpoint automatically reappears in the table the next time that Agent detects it as Online.