Arctic Wolf Agent Installation on Windows
Updated Nov 28, 2023
Arctic Wolf® Agent is an endpoint security management tool that functions as a component of Managed Detection and Response (MDR) and Managed Risk. For more information, see Arctic Wolf Agent.
You can bulk install Agent on the Windows computers in your organization using a package manager, Group Policy Management, or Intune.
Requirements
- Administrator permissions or the ability to perform administrator or root level functions
Supported operating systems
- Windows 11 for 64-bit systems
- Windows 10 Pro, 8.1, 8, and 7 Enterprise for 64-bit and 32-bit systems
- Windows Server 2022, 2019, 2016, 2012 R2, 2012, and 2008 R2 for 64-bit systems
- Windows 11 IoT, Windows 10 IoT, and 8.1 Embedded for 64-bit systems
Note: If you plan to use Sysmon with Arctic Wolf Agent, Sysmon has these operating system requirements:
- Windows 10 or newer for 64- and 32-bit systems
- Windows Server 2016 or newer for 64-bit systems
System requirements
- At a minimum, dual-core CPU
- x64 or x86 processor
- At a minimum, 2 GB of memory
Notes:
- Although Agent is designed to maintain a minimal footprint on all systems, Arctic Wolf recommends certain operating system requirements. Arctic Wolf cannot guarantee Arctic Wolf Agent functionality on virtual machine (VM) environments if resources do not meet recommended levels.
- Agent does not support ARM architecture.
Networking requirements
- Ports 443 and 1514 outbound open
- Add all necessary Arctic Wolf Agent DNS entries to your allowlist. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Agent.
Note: Agent must contact Arctic Wolf servers to register. If this process fails, Agent retries every 15 seconds. This has no negative impact on the system.
Download the Agent installer
- In the Arctic Wolf Portal, click Accounts > Downloads.
- Under Endpoint Agent, select the desired Operating System option.
- Click Download Agent.
- Note the UUID value. You will need this value for the installation process.
- Unzip the Arctic Wolf Agent .zip file and extract the .msi file and the customer.json file into the same folder.
  Caution:
  - Do not make any edits to the customer.json file. Editing this file causes installation errors.
  - Do not save the Agent installer or customer.json to publicly accessible storage. customer.json should be kept confidential.
Install Agent using Group Policy Management
You can install Arctic Wolf Agent on multiple Windows endpoints using Group Policy Management.
Note: Group Policy installation does not currently support VPN-connected endpoints.
To download your Agent installer, visit the Arctic Wolf Portal. To verify that Agent data is reaching Arctic Wolf, contact your Arctic Wolf Customer Success Manager or your Concierge Security® Team.
- Create a distribution point
- Create a Group Policy Object
- Create and assign the Agent package
- Verify Agent package assignment
Step 1: Create a distribution point
To deploy Agent through Group Policy, create a distribution point on the publishing server:
- Sign in to the server as an administrator user.
- Create a shared network folder for the installation files.
- In the new window, right-click on the Agent object, and then click Properties.
- Click the Security tab.
- Select a group or user, and then select the Allow checkbox for Apply Group Policy.
  The policy is applied to the specified groups.
- Click OK.
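A pre-deployment check for the distribution point, as an added example that is not Arctic Wolf code: it confirms that the .msi and customer.json on the share still match the files extracted from the portal download and that no broad group can modify them. The parameter names, the assumption that both files are copied to the share, and the choice of broad principals are assumptions made here.

```powershell
# Added example, not Arctic Wolf tooling. Both paths are assumptions supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $DownloadPath,  # folder where the portal .zip was extracted
    [Parameter(Mandatory)] [string] $SharePath      # UNC path of the distribution point folder
)

# Well-known SIDs of broad principals: Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
# Domain Users (-513) and Domain Computers (-515) of any domain.
$broadRid  = '^S-1-5-21-.+-(513|515)$'
# Rights that allow changing or replacing files, plus GENERIC_WRITE and GENERIC_ALL bits.
$writeMask = ([int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000

$findings = @()

# 1. The share copies must be byte-identical to the files extracted from the portal download.
$sources = Get-ChildItem -LiteralPath $DownloadPath -File |
    Where-Object { $_.Extension -eq '.msi' -or $_.Name -eq 'customer.json' }
if (-not $sources) { $findings += "NOFILES  no .msi or customer.json in $DownloadPath" }
foreach ($src in $sources) {
    $copy = Join-Path $SharePath $src.Name
    if (-not (Test-Path -LiteralPath $copy -PathType Leaf)) {
        $findings += "MISSING  $copy"
        continue
    }
    $want = (Get-FileHash -LiteralPath $src.FullName -Algorithm SHA256).Hash
    $have = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
    if ($want -ne $have) { $findings += "MODIFIED $copy" }
}

# 2. NTFS ACL of the folder: broad principals need read access only.
#    Share-level permissions are separate; review them on the server with Get-SmbShareAccess.
$acl = Get-Acl -LiteralPath $SharePath
foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
    $sid      = $ace.IdentityReference.Value
    $isBroad  = ($broadSids -contains $sid) -or ($sid -match $broadRid)
    $canWrite = (([int]$ace.FileSystemRights) -band $writeMask) -ne 0
    $anon     = $sid -eq 'S-1-5-7'   # any Anonymous Logon access exposes customer.json
    if ($ace.AccessControlType -eq 'Allow' -and (($isBroad -and $canWrite) -or $anon)) {
        $findings += "EXPOSED  $SharePath to $sid ($($ace.FileSystemRights))"
    }
}

# Print findings and signal failure to the calling job or pipeline.
$findings
if ($findings.Count -gt 0) { exit 1 }
```

Run it from the server after copying the files and again before each redeploy; an empty result means the share copies are unmodified and not writable by the listed groups.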
Step 2: Create a Group Policy Object
To deploy or distribute Agent through Group Policy, create the Agent Group Policy Object, also known as a policy:
- From the Start menu, open the Group Policy Management application.
- In the navigation menu, click Forest: <DomainName>, where <DomainName> is the name of your domain, and then click the Domains folder.
- Right-click the domain name. If you:
- Already have an Arctic Wolf Agent GPO — Select Link an Existing GPO, and then select Edit.
- Do not have an existing Arctic Wolf Agent GPO — Create a new GPO:
- Select Create a GPO in this domain, and Link it here.
- In the New GPO dialog box, enter a name for the new GPO.
- Verify that the Source Starter GPO menu says (none).
- Click OK to create a new GPO.
Tip: To assign a security group and ensure that Agent is deployed to the correct group of computers, see Assign Security Group Filters to the GPO.
- Right-click the new GPO, and then click Enforced to enable it.
Tip: Once enabled, a lock appears over the GPO icon in the navigation menu.
- Right-click the new GPO, and then select Edit.
- In the new window, right-click on the Agent object, and then click Properties.
- Click the Security tab.
- Select a group or user, and then select the Allow checkbox for Apply Group Policy.
  The policy is applied to the specified groups.
- Click OK.
Step 3: Create and assign the Agent package
Create and assign the Agent package per user or per machine:
- Open Group Policy Management, right-click the Agent object that you created, and then click Edit.
- In Computer Configuration, expand Policies in the navigation pane, and then expand Software Settings.
- Right-click Software Installation, and then click New > Package.
- In the Open dialog box, type the full UNC path of the distribution point containing the .msi file and select the .msi file to create the Agent package.
- Click Open.
- Click Assigned, and then click OK.
  The package is added to the Group Policy window.
- Close the Group Policy snap-in, and then click OK to exit.
Step 4: Verify Agent package assignment
If the Agent object or policy applies to a client device and is assigned to that device, and the distribution point is accessible, Agent will automatically install silently when that device restarts.
To verify that the Agent object or policy is correctly assigned:
- In a terminal, run the following command:
  gpupdate /force
  You should receive a message similar to the following:
  Computer Policy update has completed successfully. . . . Certain Computer policies are enabled that can only run during startup.
- When prompted, enter Y to restart your device and install Agent.
- After your device restarts, navigate to the Arctic Wolf Portal and search the Endpoints table to see if the Agent installed on your device appears.
  Note: If the Agent installed on your device does not appear in the Endpoints table within 1-2 minutes of device restart, contact your Concierge Security Team (CST).
Install Agent with Intune
You can install Arctic Wolf Agent on Windows using Microsoft Intune, which is a cloud-based service for mobile device management (MDM). This service lets you manage how employees use company-owned devices, such as laptops.
See the Microsoft documentation for more information.
Requirements
- The system uses Windows 10 version 1607 or later.
- The device is enrolled in Intune and is either:
- Registered with Microsoft Entra ID (formerly Azure AD)
- Joined with Microsoft Entra ID (formerly Azure AD)
- Joined as a hybrid with Microsoft Entra ID (formerly Azure AD)
Tip: See the Microsoft documentation for more information about Win32 app management in Microsoft Intune.
Step 1: Install Agent using Intune
- Download and install the Intune application packager from Microsoft.
  Tip: See the Microsoft documentation for more information about installing this software.
- Install the Microsoft Win32 Content Prep Tool, available on GitHub. This allows you to convert a file to a .intunewin file to upload for distribution.
- Run the following command, where:
  - <setup_folder> is the source folder.
  - <source_setup_file> is the filename of the Agent .msi file.
  - <output_folder> is the location for the new .intunewin file.
  IntuneWinAppUtil -c <setup_folder> -s <source_setup_file> -o <output_folder>
Step 2: Add Agent to Intune
- In the App information section:
  - Click Select file to add the .intunewin file.
  - Enter a description in the Description field.
  - Enter ArcticWolf in the Publisher field.
- In the Program section:
  - In the Install command field, append msiexec /i <arcticwolfagent-2021-05_01.msi> with /qn CUSTOMER_UUID=<customer_UUID> REGISTER_DNS=<regional_DNS> /l*v scout_install.log, where:
    - <customer_UUID> is your customer UUID. To obtain this value, go to the Arctic Wolf Portal Downloads page, and then copy the UUID value from the Endpoint Agent section.
    - <regional_DNS> is your DNS hostname. To obtain this value, go to the Arctic Wolf Portal IP Addresses page, and then copy the DNS hostname that begins with activate.agent-common.prod from the If you use Arctic Wolf Agent section.
    Include a space before the appended content.
  - In the Uninstall command field, enter msiexec /x "<GUID>" /q, where <GUID> is the globally unique identifier of the application.
  - In the Device restart behavior dropdown list, select Determine behavior based on return codes.
- In the Requirements section, specify the operating system architecture and minimum operating system.
- Create the detection rule:
  - In the Detection rules section, select Manually configure detection rules in the Rules format dropdown list.
  - Select File in the Rule type dropdown list.
  - In the Path field, enter C:\Program Files (x86)\Arctic Wolf Networks\Agent.
  - In the File or Folder field, enter client.keys.
  - Select File or folder exists in the Detection method dropdown list.
  - Verify that the Associated with a 32-bit app on 64-bit clients toggle is set to the default No.
- In the Review + create section, add the application.
After deployment, Intune notifies users that the software is updating on their device. You can view the installation status in the Intune portal.
Install Agent using Microsoft System Center Configuration Manager
You can use Microsoft System Center Configuration Manager (SCCM) to manage the deployment of Agent.
We recommend using SCCM only for the initial deployment of Agent and not for updating Agent.
Requirements
- Your customer UUID. To obtain this value, go to the Arctic Wolf Portal Downloads page, and then copy the UUID value from the Endpoint Agent section.
- Your DNS hostname. To obtain this value, go to the Arctic Wolf Portal IP Addresses page, and then copy the DNS hostname that begins with
activate.agent-common.prod
from the If you use Arctic Wolf Agent section.
Steps
Step 1: Install Agent using SCCM
- Download and copy the Agent msi file to a file share location.
- In the SCCM console, click Software Library > Application Management > Applications.
- Right-click Applications and click Create an Application.
- Set these options:
  - Type — Click Windows Installer (*.msi file).
  - Location — Click Browse to navigate to the location of the msi installation file.
- Click Next.
- On the View imported information page, click Next.
- On the General Information page, in the Installation program field, enter this command:
  msiexec /i <downloaded_filename.msi> /qn CUSTOMER_UUID=<customer_UUID> REGISTER_DNS=<regional_DNS> /l*v scout_install.log
  Replace the following:
  - <downloaded_filename.msi>: the filename of the downloaded Agent install msi file.
  - <customer_UUID>: your customer UUID.
  - <regional_DNS>: your DNS hostname.
- In the Install behavior field, select Install for System.
- Click Next.
- On the Summary page, click Next to complete the configuration.
Step 2: Deploy Agent using SCCM
- In the SCCM console, click Software Library > Application Management > Applications.
- Right-click the Agent application and click Deploy.
- Under Collection, select one or more User Collections from the list.
- Click OK.
- Click Next.
- On the Content page, click Add > Distribution Point.
- Select the distribution point where you install the Agent msi file, and then click OK.
- Click Next.
- On the Deployment Settings page, set these options:
- Action — Click Install.
- Purpose — Click Required.
- Click Next.
- On the Scheduling page, click Installation deadline > As soon as possible.
- Click Next.
Step 3: Monitor Agent SCCM deployment
- In the Configuration Manager console, click Monitoring > Deployments.
- Right-click the Agent deployment, and click View Status.
  The Status Type changes to Success when the deployment has successfully completed.
  Note: The time to complete the deployment varies based on the User Collections selected.
- (Optional) Verify that Agent is installed on the target computer:
  - Open Control Panel > Programs and Features.
  - Verify that Arctic Wolf Agent is listed.
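An endpoint-side check for the silent install used in the Intune and SCCM sections, as an added example that is not Arctic Wolf tooling: it reads the result code from the /l*v log and tests for the client.keys file named in the Intune detection rule. The parameter names are assumptions, and the accepted codes are the standard Windows Installer values 0, 3010 and 1641.

```powershell
# Added example, not Arctic Wolf tooling. Run on the endpoint after the /qn install.
param(
    # Path that was given to /l*v in the install command. A relative name such as
    # scout_install.log resolves against the working directory msiexec ran in.
    [Parameter(Mandatory)] [string] $MsiLog,
    # Folder and file taken from the Intune detection rule on this page.
    [string] $AgentDir = 'C:\Program Files (x86)\Arctic Wolf Networks\Agent',
    [string] $KeyFile  = 'client.keys'
)

# Standard Windows Installer result codes that mean the product was installed.
$okCodes = @{
    0    = 'success'
    3010 = 'success, restart required'
    1641 = 'success, restart initiated'
}

function Get-MsiStatus([string] $Path) {
    # Returns the last result code written to a verbose MSI log, or $null if none is found.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    # Verbose logs record "Installation success or error status: <code>." per product action.
    $hit = Get-Content -LiteralPath $Path |
        Select-String -Pattern 'Installation success or error status:\s*(\d+)' |
        Select-Object -Last 1
    if ($hit) { return [int]$hit.Matches[0].Groups[1].Value }
    return $null
}

$code     = Get-MsiStatus $MsiLog
$codeOk   = ($null -ne $code) -and $okCodes.ContainsKey($code)
$detected = Test-Path -LiteralPath (Join-Path $AgentDir $KeyFile) -PathType Leaf

# Human-readable status; a silent install shows no dialog, so the log is the only record.
$status = if ($null -eq $code) { 'no status line found in log' }
          elseif ($codeOk)     { "$code ($($okCodes[$code]))" }
          else                 { "$code (install failed)" }

$result = [pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    MsiStatus     = $status
    DetectionFile = $detected           # same test Intune uses to mark the app as installed
    Compliant     = $codeOk -and $detected
}

$result
if (-not $result.Compliant) { exit 1 }
```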
Windows Agent installation on non-persistent Virtual Desktop Infrastructure
Note: When set up correctly, you should have one online non-persistent VDI device. Offline duplicate devices are automatically purged after three days. If duplicate non-persistent VDI devices appear in the Unified Portal, install Agent for non-persistent VDI instances again. See Install Agent for non-persistent VDI instances.
Agent supports non-persistent Virtual Desktop Infrastructure (VDI), which you can use to create a master template to deploy non-persistent Windows VDI instances. This addresses issues such as duplicate agent UUIDs and allows for better management of non-persistent Windows instances.
Non-persistent VDI behavior
Any non-persistent VDI instances created from this template are:
- Identified in the Arctic Wolf Unified Portal with VDI State attributes.
- Not added to scan groups automatically.
- Not updated automatically.
- Deactivated in the Arctic Wolf Portal within three days rather than 90 days for persistent images.
Install Agent for non-persistent VDI instances
Install Agent using the VDI_TEMPLATE_IMAGE=1 switch to create the initial non-persistent image. After the installation is complete, you can use the image to create your master image for VDI instance deployment.
Non-persistent VDI installation requirements
- Agent version 2023-01
- Supported operating system:
  - Desktop
    - Windows 10 or 11
  - Server
    - Windows 2012 R2, 2016, 2019, or 2022
- VDI solutions:
  - VMware Horizon
  - Citrix
  - Windows Remote Desktop Services
Steps
- On the target endpoint system, run the following command using an account with administrator privileges:
  msiexec /i awn-agent.msi VDI_TEMPLATE_IMAGE=1 /l*v install.log
- Using the target endpoint system, create a master template that will be used to create non-persistent VDI instances.
Non-persistent instances can be deployed using the master template.
Update an existing non-persistent VDI template
- Install Agent using the VDI_TEMPLATE_IMAGE=1 switch.
- Redeploy new non-persistent VDI instances using the updated template.
Install persistent VDI instances
- For persistent VDI installation, install Agent using the standard command:
  msiexec /i awn-agent.msi /l*v install.log
Install Agent on Citrix using RDSH or VMware Application Pool environments
- For a Remote Desktop Session Host (RDSH) or VMware Application Pool environment, install Agent using the persistent VDI command.
  Note: Do not use the VDI_TEMPLATE_IMAGE=1 switch to install Agent.
Next steps
Sysmon is a Microsoft product that provides detailed information about processes, file systems, and network activity. When installed on Windows endpoints, Sysmon helps Agent detect endpoint activity for the MDR service. To install Sysmon for Agent on Windows, see Sysmon Installation on Windows.
Containment is a feature of our MDR service that allows Arctic Wolf to isolate network traffic on the Windows Agent host. To install the Arctic Wolf Agent Containment Driver, see Arctic Wolf Agent Containment Driver Installation.
Redeploy the Agent package
To redeploy the Agent package, for example, during an upgrade:
- Open Group Policy Management, right-click the Agent object that you created, and then click Edit.
- Expand the Software Settings element, per user or per machine, that contains the deployed package.
- Expand the Software Installation element that contains the deployed package.
- Right-click the package in the right pane of the Group Policy window.
- Click All Tasks > Redeploy application.
- Click Yes to reinstall the application wherever it is installed.
- Close the Group Policy snap-in, and then click OK to exit.
Uninstall Agent
Note: When Arctic Wolf Agent is uninstalled, devices and associated risks are removed from the Arctic Wolf Portal and Risk Dashboard.
- Open Group Policy Management, right-click the Arctic Wolf Agent object that you created, and then click Edit.
- Expand the Software Settings element, per user or per machine, that contains the deployed package.
- Expand the Software Installation element that contains the deployed package.
- Right-click the package in the right pane of the Group Policy window.
- Select All Tasks > Remove, and then select Immediately uninstall the software from users and computers.
- Click OK to continue.
- Close the Group Policy snap-in, and then click OK to exit.
Agent deactivation
You can deactivate Agents by removing them from the Endpoints table in the Arctic Wolf Portal. We recommend uninstalling Agents before deactivating them. If you deactivate an Agent that is still installed on a system, the endpoint reappears in the Endpoints table the next time that it is Online.
Deactivating an endpoint does not delete existing data from Arctic Wolf internal databases.
Contained Agent deactivation
You are not required to deactivate Agents if they are contained. We recommend keeping Agents in the Endpoints table until the containment incident is resolved.
You can remove contained endpoints from the Endpoints table once the incident is resolved and the Agent is uninstalled from the device.
Tip: You can only remove endpoints that have not checked in for 72 hours.
Automatic Agent deactivation and activation
Any devices that were not Online for 90 days are automatically removed from the Endpoints table. The endpoint automatically reappears in the table the next time that Agent detects it as Online.
Deactivate an Agent
If you are a Managed Risk (MR) customer, you can deactivate devices in the Arctic Wolf Portal. If you cannot access the Arctic Wolf Portal, contact your Concierge Security Team (CST).
Note: You cannot make these changes in the Risk Dashboard.
- Confirm that the Agent is uninstalled from the device.
- On the Arctic Wolf Portal, click Endpoint Status.
- In the Endpoints table, click Remove offline endpoint on the appropriate device.
  Tip: You can only remove devices that are Offline. The Agent only identifies devices as Offline if the Agent did not check in with them for 72 hours.
- In the dialog, click Remove Endpoint.
  Note: If you accidentally remove an endpoint, the endpoint automatically reappears in the table the next time that Agent detects it as Online.