Arctic Wolf Agent Installation on Windows
- Arctic Wolf Agent installation on Windows
- Requirements
- Download the Agent installer
- Install Agent using Group Policy Management
- Install Agent with Intune
- Install Agent using Microsoft System Center Configuration Manager
- Windows Agent installation on non-persistent Virtual Desktop Infrastructure
- Proceed with Sysmon installation
- Redeploy the Agent package
- Uninstall Agent
- Agent deactivation
Arctic Wolf Agent installation on Windows
Arctic Wolf® Agent is an endpoint security management tool that functions as a component of the following solutions:
- Managed Detection and Response (MDR) — Agent forwards security-relevant event and audit logs from endpoint devices in your network to Arctic Wolf to support continuous threat monitoring.
- Managed Risk — Agent creates an inventory of endpoint devices in your network and performs routine host vulnerability scans and security control benchmark scans to identify security risks. See Arctic Wolf Agent Scans for more information.
You can bulk install Agent on the Windows computers in your organization using a package manager such as Group Policy Management or Intune.
Requirements
- Administrator permissions or the ability to perform administrator or root level functions
Supported operating systems
- Windows 11 for 64-bit systems
- Windows 10 Pro, 8.1, 8, and 7 Enterprise for 64-bit and 32-bit systems
- Windows Server 2022, 2019, 2016, 2012 R2, 2012, and 2008 R2 for 64-bit systems
- Windows 11 IoT, Windows 10 IoT, and 8.1 Embedded for 64-bit systems
Note: If you plan to use Sysmon with Arctic Wolf Agent, Sysmon has these operating system requirements:
- Windows 8.1 or newer for 64- and 32-bit systems
- Windows Server 2012 or newer for 64-bit systems
System requirements
- At a minimum, dual-core CPU
- At a minimum, 2 GB of memory
Note: Although Agent is designed to maintain a minimal footprint on all systems, Arctic Wolf recommends certain operating system requirements. Arctic Wolf cannot guarantee Arctic Wolf Agent functionality on virtual machine (VM) environments if resources do not meet recommended levels.
Networking requirements
- Ports 443 and 1514 outbound open
Notes:
- Agent must contact Arctic Wolf servers to register. If this process fails, Agent retries every 15 seconds. This has no negative impact on the system.
- If your firewall performs SSL/TLS inspection, allowlist the sensor management IP address and verify that your firewall allows outbound access from that IP address over port 443 to all required IP addresses. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Portal, and then click Account > Arctic Wolf IP Addresses. The IP addresses that must be allowlisted are listed under ****.
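A quick way to confirm the networking requirement from an endpoint before rolling out the package, as an added example that is not Arctic Wolf's own tooling: the script resolves the regional registration hostname and tests the two outbound ports. The hostname is a placeholder you replace with the DNS hostname shown on the Arctic Wolf Portal IP Addresses page, and both ports are tested as TCP connections, which is an assumption of this example (Test-NetConnection -Port only tests TCP).

```powershell
# Added example (not Arctic Wolf's code): verify outbound reachability on ports 443 and 1514.
# ASSUMPTIONS: $RegisterDns is a placeholder for the regional DNS hostname from the Portal
# IP Addresses page; both ports are checked as TCP.
param(
    [string]$RegisterDns = 'REPLACE-WITH-REGIONAL-DNS-HOSTNAME',   # placeholder value
    [int[]]$Ports = @(443, 1514)
)

# Name resolution must work before any port test is meaningful.
$resolved = Resolve-DnsName -Name $RegisterDns -ErrorAction SilentlyContinue
if (-not $resolved) {
    Write-Warning "Cannot resolve $RegisterDns; check DNS before testing ports."
    exit 1
}

$results = foreach ($port in $Ports) {
    # -InformationLevel Quiet returns only $true/$false for the TCP connect attempt.
    $ok = Test-NetConnection -ComputerName $RegisterDns -Port $port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Host = $RegisterDns; Port = $port; Reachable = $ok }
}

$results | Format-Table -AutoSize

if ($results.Reachable -contains $false) {
    # Agent keeps retrying registration every 15 seconds, so a blocked port shows up
    # as an endpoint that never appears in the Endpoints table rather than as a crash.
    Write-Warning 'At least one required outbound port is blocked from this endpoint.'
    exit 1
}
```

A TCP connect succeeding does not prove that a TLS-inspecting firewall will pass the traffic unmodified; for that, the allowlisting note above still applies.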
Download the Agent installer
- In the Arctic Wolf Portal, click Accounts > Downloads.
- Under Endpoint Agent, select the desired Operating System option.
- Click Download Agent.
- Note the UUID value. You will need this value for the installation process.
- Unzip the Arctic Wolf Agent .zip file and extract the .msi file and the customer.json file into the same folder.
Caution:
- Do not make any edits to the customer.json file. Editing this file causes installation errors.
- Do not save the Agent installer or customer.json to publicly accessible storage. customer.json should be kept confidential.
Install Agent using Group Policy Management
You can install Arctic Wolf Agent on multiple Windows endpoints using Group Policy Management.
Note: Group Policy installation does not currently support VPN-connected endpoints.
To download your Agent installer, visit the Arctic Wolf Portal. To verify that Agent data is reaching Arctic Wolf, contact your Arctic Wolf Customer Success Manager or your Concierge Security® Team.
- Create a distribution point
- Create a Group Policy Object
- Create and assign the Agent package
- Verify Agent package assignment
Step 1: Create a distribution point
To deploy Agent through Group Policy, create a distribution point on the publishing server:
- Sign in to the server as an administrator user.
- Create a shared network folder for the installation files.
- In the new window, right-click on the Agent object, and then click Properties.
- Click the Security tab.
- Select a group or user, and then select the Allow checkbox for Apply Group Policy. The policy is applied to the specified groups.
- Click OK.
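The shared folder created in this step holds customer.json, which the Download section says must stay confidential, so its permissions matter. The following script, an added example rather than Arctic Wolf's procedure, creates the distribution point, copies the two installer files into it, and replaces inherited NTFS and share permissions with an explicit set: administrators and SYSTEM get full control, domain computer accounts get read access, and nobody else gets anything. Paths, the share name, and the DOMAIN\Domain Computers group name are placeholders; the choice of the computer group is based on the fact that computer-assigned GPO installs run under the computer account, which is general Windows behaviour, not something stated on this page.

```powershell
# Added example (not Arctic Wolf's code): create a locked-down distribution point for the GPO deployment.
# ASSUMPTIONS: all paths and names below are placeholders; computer-assigned software installs
# read the share as the computer account, so the domain computers group needs read access.
param(
    [string]$SourceFolder  = 'C:\Temp\ArcticWolfAgent',    # folder where the .zip was extracted
    [string]$SharePath     = 'C:\Shares\ArcticWolfAgent',
    [string]$ShareName     = 'ArcticWolfAgent$',           # trailing $ hides the share from browsing
    [string]$ComputerGroup = 'DOMAIN\Domain Computers'     # placeholder domain name
)

# Both files must be present, and customer.json must be copied unmodified.
$msi  = Get-ChildItem -Path $SourceFolder -Filter '*.msi' | Select-Object -First 1
$json = Join-Path $SourceFolder 'customer.json'
if (-not $msi -or -not (Test-Path $json)) {
    throw "Both the Agent .msi and customer.json must be in $SourceFolder."
}

New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
Copy-Item -Path $msi.FullName, $json -Destination $SharePath -Force

# Disable inheritance and drop inherited ACEs so no Everyone/Users entry leaks customer.json.
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$entries = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = $ComputerGroup;           Rights = 'ReadAndExecute' }
)
foreach ($entry in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, $inherit, $prop, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# Share permissions are restricted too; effective access is the stricter of NTFS and share ACLs.
New-SmbShare -Name $ShareName -Path $SharePath `
    -ReadAccess $ComputerGroup -FullAccess 'BUILTIN\Administrators' | Out-Null

"Distribution point ready: \\$env:COMPUTERNAME\$ShareName"
```

Use the printed UNC path as the package location in Step 3. If the install later fails on clients with an access-denied entry in the verbose log, the computer group on the share is the first thing to check.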
Step 2: Create a Group Policy Object
To deploy or distribute Agent through Group Policy, create the Agent Group Policy Object, also known as a policy:
- From the Start menu, open the Group Policy Management application.
- In the navigation pane, expand Forest: <DomainName>, where <DomainName> is the name of your domain, and then expand the Domains folder.
- Right-click the domain name. If you:
  - Already have an Arctic Wolf Agent GPO — Select Link an Existing GPO, and then select Edit.
  - Do not have an existing Arctic Wolf Agent GPO — Create a new GPO:
    - Select Create a GPO in this domain, and Link it here.
    - In the New GPO dialog box, enter a name for the new GPO.
    - Verify that the Source Starter GPO menu says (none).
    - Click OK to create a new GPO.
    - Right-click the new GPO and click Enforced to enable it.
      Tip: Once enabled, a lock appears over the GPO icon in the navigation pane.
    - Right-click the new GPO and select Edit.
- In the new window, right-click on the Agent object, and then click Properties.
- Click the Security tab.
- Select a group or user, and then select the Allow checkbox for Apply Group Policy. The policy is applied to the specified groups.
- Click OK.
Step 3: Create and assign the Agent package
Create and assign the Agent package per user or per machine:
- Open Group Policy Management, right-click the Agent object that you created, and then click Edit.
- In Computer Configuration, expand Policies in the navigation pane, and then expand Software Settings.
- Right-click Software Installation, and then click New > Package.
- In the Open dialog box, type the full UNC path of the distribution point containing the .msi file and select the .msi file to create the Agent package.
- Click Open.
- Click Assigned, and then click OK. The package is added to the Group Policy window.
- Close the Group Policy snap-in, and then click OK to exit.
Step 4: Verify Agent package assignment
If the Agent object or policy applies to a client device and is assigned to that device, and the distribution point is accessible, Agent will automatically install silently when that device restarts.
To verify that the Agent object or policy is correctly assigned:
- In a terminal, run the following command:
  gpupdate /force
  You should receive a message similar to the following:
  Computer Policy update has completed successfully. . . . Certain Computer policies are enabled that can only run during startup.
- When prompted, enter Y to restart your device and install Agent.
- After your device restarts, navigate to the Arctic Wolf Portal and search the Endpoints table to see if the Agent installed on your device appears.
Note: If the Agent installed on your device does not appear in the Endpoints table within 1-2 minutes of device restart, contact your Concierge Security Team (CST).
Install Agent with Intune
You can install Arctic Wolf Agent on Windows using Microsoft Intune, which is a cloud-based service for mobile device management (MDM). This service lets you manage how employees use company-owned devices, such as laptops.
See the Microsoft documentation for more information.
Requirements
- The system uses Windows 10 version 1607 or later.
- The device is enrolled in Intune and is either:
- Registered with Azure Active Directory (AD)
- Joined with Azure AD
- Joined as a hybrid with Azure AD
Tip: See the Microsoft documentation for more information about Win32 app management in Microsoft Intune.
Step 1: Install Agent using Intune
- Download and install the Intune application packager from Microsoft.
  Tip: See the Microsoft documentation for more information about installing this software.
- Install the Microsoft Win32 Content Prep Tool, available on GitHub. This allows you to convert the .msi file to a .intunewin file to upload for distribution.
- Run IntuneWinAppUtil -c <setup_folder> -s <source_setup_file> -o <output_folder>, substituting the following placeholders:
  - <setup_folder> is the source folder.
  - <source_setup_file> is the filename of the .msi file.
  - <output_folder> is the location for the new .intunewin file.
Step 2: Add Agent to Intune
- In the App information section:
  - Click Select file to add the .intunewin file.
  - Enter a description in the Description field.
  - Enter ArcticWolf in the Publisher field.
- In the Program section:
  - In the Install command field, append msiexec /i <arcticwolfagent-2021-05_01.msi> with /qn CUSTOMER_UUID=<customer_UUID> REGISTER_DNS=<regional_DNS> /l*v scout_install.log, where:
    - <customer_UUID> is your customer UUID. To obtain this value, go to the Arctic Wolf Portal Downloads page, and then copy the UUID value from the Endpoint Agent section.
    - <regional_DNS> is your DNS hostname. To obtain this value, go to the Arctic Wolf Portal IP Addresses page, and then copy the DNS hostname that begins with activate.agent-common.prod from the If you use Arctic Wolf Agent section.
    Include a space before the appended content.
  - In the Uninstall command field, enter msiexec /x "<GUID>" /q, where <GUID> is the globally unique identifier of the application.
  - In the Device restart behavior dropdown list, select Determine behavior based on return codes.
- In the Requirements section, specify the operating system architecture and minimum operating system.
- Create the detection rule:
  - In the Detection rules section, select Manually configure detection rules in the Rules format dropdown list.
  - Select File in the Rule type dropdown list.
  - In the Path field, enter C:\Program Files (x86)\Arctic Wolf Networks\Agent.
  - In the File or Folder field, enter client.keys.
  - Select File or folder exists in the Detection method dropdown list.
  - Verify that the Associated with a 32-bit app on 64-bit clients toggle is set to the default No.
- In the Review + create section, add the application.
After deployment, Intune notifies users that the software is updating on their device. You can view the installation status in the Intune portal.
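Two details in this section and in Step 4 of the Group Policy procedure benefit from a local check on the endpoint: the uninstall command needs the application's GUID, and both the Intune detection rule and the GPO verification step come down to "is Agent actually installed here?". The script below is an added example, not Arctic Wolf's or Microsoft's tooling. It reads the Programs and Features uninstall entries from the registry, which is where Windows Installer records the ProductCode GUID as the key name, and it evaluates the same condition the detection rule uses (client.keys exists under the Agent folder from this page). Matching the entry by the display name prefix Arctic Wolf Agent is an assumption; adjust it if your Programs and Features entry reads differently.

```powershell
# Added example (not Arctic Wolf's code): report whether Agent is installed on this endpoint,
# the ProductCode GUID to use in "msiexec /x "<GUID>" /q", and whether the Intune
# detection rule (client.keys present) would be satisfied.
# ASSUMPTION: the Programs and Features entry's DisplayName begins with "Arctic Wolf Agent".
function Test-ArcticWolfAgentInstall {
    $agentDir = 'C:\Program Files (x86)\Arctic Wolf Networks\Agent'   # path from the detection rule
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Windows Installer names each uninstall key after the product's GUID (ProductCode).
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Arctic Wolf Agent*' } |
        Select-Object -First 1

    $keysPresent = Test-Path -Path (Join-Path $agentDir 'client.keys')

    [pscustomobject]@{
        Installed      = [bool]$entry
        DisplayVersion = $entry.DisplayVersion
        ProductCode    = $entry.PSChildName      # value for <GUID> in the uninstall command
        ClientKeys     = $keysPresent            # the Intune detection rule's condition
    }
}

$status = Test-ArcticWolfAgentInstall
$status | Format-List

# Non-zero exit makes the script usable as a post-restart check after "gpupdate /force".
if (-not $status.Installed -or -not $status.ClientKeys) {
    Write-Warning 'Arctic Wolf Agent is not fully installed on this endpoint.'
    exit 1
}
```

An entry that is Installed but lacks client.keys usually means the .msi ran but Agent has not completed registration; that is the case where the connectivity requirements earlier on this page are worth re-checking.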
Install Agent using Microsoft System Center Configuration Manager
You can use Microsoft System Center Configuration Manager (SCCM) to manage the deployment of Agent.
We recommend using SCCM only for the initial deployment of Agent and not for updating Agent.
Requirements
- Your customer UUID. To obtain this value, go to the Arctic Wolf Portal Downloads page, and then copy the UUID value from the Endpoint Agent section.
Steps
Step 1: Install Agent using SCCM
- Download and copy the Agent .msi file to a file share location.
- In the SCCM console, click Software Library > Application Management > Applications.
- Right-click Applications and click Create an Application.
- Set these options:
  - Type — Click Windows Installer (*.msi file).
  - Location — Click Browse to navigate to the location of the .msi installation file.
- Click Next.
- On the View imported information page, click Next.
- On the General Information page, in the Installation program field, enter this command, where <downloaded_filename.msi> is the Agent install .msi file and <customer_uuid> is the customer UUID:
  msiexec /i <downloaded_filename.msi> /qn CUSTOMER_UUID=<customer_uuid> REGISTER_DNS=prod-scout-reg.rootsoc.com /l*v scout_install.log
- In the Install behavior field, select Install for System.
- Click Next.
- On the Summary page, click Next to complete the configuration.
Step 2: Deploy Agent using SCCM
- In the SCCM console, click Software Library > Application Management > Applications.
- Right-click the Agent application and click Deploy.
- Under Collection, select one or more User Collections from the list.
- Click OK.
- Click Next.
- On the Content page, click Add > Distribution Point.
- Select the distribution point where you install the Agent .msi file, and then click OK.
- Click Next.
- On the Deployment Settings page, set these options:
- Action — Click Install.
- Purpose — Click Required.
- Click Next.
- On the Scheduling page, click Installation deadline > As soon as possible.
- Click Next.
Step 3: Monitor Agent SCCM deployment
- In the Configuration Manager console, click Monitoring > Deployments.
- Right-click the Agent deployment, and click View Status. The Status Type changes to Success when the deployment has successfully completed.
  Note: The time to complete the deployment varies based on the User Collections selected.
- (Optional) Verify that Agent is installed on the target computer:
  - Open Control Panel > Programs and Features.
  - Verify that Arctic Wolf Agent is listed.
Windows Agent installation on non-persistent Virtual Desktop Infrastructure
Agent supports non-persistent Virtual Desktop Infrastructure (VDI), which you can use to create a master template to deploy non-persistent Windows VDI instances. This addresses issues such as duplicate agent UUIDs and allows for better management of non-persistent Windows instances.
Non-persistent VDI behavior
Any non-persistent VDI instances created from this template are:
- Identified in the Arctic Wolf Unified Portal with VDI State attributes.
- Not added to scan groups automatically.
- Not updated automatically.
- Deactivated in the Arctic Wolf Portal within three days rather than 90 days for persistent images.
Install Agent for non-persistent VDI instances
Install Agent using the VDI_TEMPLATE_IMAGE=1 switch to create the initial non-persistent image. After the installation is complete, you can use the image to create your master image for VDI instance deployment.
Non-persistent VDI installation requirements
- Agent version 2023-01
- Supported operating system:
  - Desktop
    - Windows 10 or 11
  - Server
    - Windows 2012 R2, 2016, 2019, or 2022
- VDI solutions:
  - VMware Horizon
  - Citrix
  - Windows Remote Desktop Services
Steps
- On the target endpoint system, run the following command from an account with administrator privileges:
  msiexec /i awn-agent.msi VDI_TEMPLATE_IMAGE=1 /l*v install.log
- Using the target endpoint system, create a master template that will be used to create non-persistent VDI instances. Non-persistent instances can then be deployed using the master template.
Update an existing non-persistent VDI template
- Install Agent using the VDI_TEMPLATE_IMAGE=1 switch.
- Redeploy new non-persistent VDI instances using the updated template.
Install persistent VDI instances
- For persistent VDI installation, install Agent using the standard command:
  msiexec /i awn-agent.msi /l*v install.log
Install Agent on Citrix using RDSH or VMware Application Pool environments
- For a Remote Desktop Session Host (RDSH) or VMware Application Pool environment, install Agent using the persistent VDI command.
  Note: Do not use the VDI_TEMPLATE_IMAGE=1 switch to install Agent.
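The Intune, SCCM and VDI sections all run the same msiexec install with different property sets (CUSTOMER_UUID and REGISTER_DNS for the managed deployments, VDI_TEMPLATE_IMAGE=1 for a non-persistent master image, neither for persistent VDI and RDSH). The following wrapper is an added example, not Arctic Wolf's installer or tooling, and generalizes those command lines: it validates the inputs, builds the property list from what you pass, runs the installer unattended with a verbose log, and turns the Windows Installer exit code into a readable result. The exit-code meanings (0, 3010, 1603, 1618) are standard msiexec codes rather than anything Arctic Wolf specific, and the wrapper always adds /qn for unattended use even though the page's VDI commands omit it; that is a choice of this example. When the UUID and DNS properties are omitted, the resulting command has the same shape as the page's VDI commands, which rely on customer.json sitting beside the .msi as the Download section requires; that reliance is an assumption here, not a statement from the page.

```powershell
# Added example (not Arctic Wolf's code): one wrapper for the msiexec command lines on this page.
# ASSUMPTIONS: exit-code meanings are generic Windows Installer codes; /qn is always added;
# omitting CUSTOMER_UUID/REGISTER_DNS relies on customer.json being next to the .msi.
param(
    [Parameter(Mandatory)][string]$MsiPath,   # e.g. awn-agent.msi, in the same folder as customer.json
    [string]$CustomerUuid,                    # UUID from the Portal Downloads page (optional)
    [string]$RegisterDns,                     # regional DNS hostname from the Portal IP Addresses page (optional)
    [switch]$VdiTemplateImage,                # only when building a non-persistent VDI master image
    [string]$LogPath = (Join-Path $env:TEMP 'scout_install.log')
)

if (-not (Test-Path $MsiPath)) { throw "Installer not found: $MsiPath" }
if (-not (Test-Path (Join-Path (Split-Path $MsiPath -Parent) 'customer.json'))) {
    Write-Warning 'customer.json is not next to the .msi; the Download section requires both in one folder.'
}
if ($CustomerUuid -and $CustomerUuid -notmatch '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$') {
    throw 'CUSTOMER_UUID does not look like a UUID; copy it from the Portal Downloads page.'
}
if ($VdiTemplateImage -and $CustomerUuid) {
    Write-Warning 'VDI_TEMPLATE_IMAGE=1 is for the master image only; persistent/RDSH installs must not use it.'
}

# Only the properties actually supplied are passed, so the same wrapper covers every variant on the page.
$props = @()
if ($CustomerUuid)     { $props += "CUSTOMER_UUID=$CustomerUuid" }
if ($RegisterDns)      { $props += "REGISTER_DNS=$RegisterDns" }
if ($VdiTemplateImage) { $props += 'VDI_TEMPLATE_IMAGE=1' }

$msiArgs = @('/i', "`"$MsiPath`"", '/qn') + $props + @('/l*v', "`"$LogPath`"")
Write-Host "msiexec $($msiArgs -join ' ')"
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow

# Standard Windows Installer exit codes; Intune's "Determine behavior based on return codes"
# setting and SCCM both key off these same values.
switch ($proc.ExitCode) {
    0       { 'Installed successfully.' }
    3010    { 'Installed; a restart is required to complete.' }
    1603    { "Fatal error during installation; search $LogPath for 'Return value 3'." }
    1618    { 'Another installation is in progress; retry later.' }
    default { "msiexec exited with $($proc.ExitCode); see $LogPath." }
}
exit $proc.ExitCode
```

Run it as an administrator, for example .\Install-Agent.ps1 -MsiPath .\awn-agent.msi -VdiTemplateImage for a master image, or with -CustomerUuid and -RegisterDns for the managed-deployment form. Keeping the verbose log is what makes a 1603 diagnosable later, which is why the wrapper never lets it be dropped.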
Proceed with Sysmon installation
Sysmon is a Microsoft product that provides detailed information about processes, file systems, and network activity. When installed on Windows endpoints, Sysmon helps Agent detect endpoint activity for the Managed Detection and Response service.
- To install Sysmon for Agent on Windows, see Sysmon Installation on Windows.
Redeploy the Agent package
To redeploy the Agent package, for example, during an upgrade:
- Open Group Policy Management, right-click the Agent object that you created, and then click Edit.
- Expand the Software Settings element, per user or per machine, that contains the deployed package.
- Expand the Software Installation element that contains the deployed package.
- Right-click the package in the right pane of the Group Policy window.
- Click All Tasks > Redeploy application.
- Click Yes to reinstall the application wherever it is installed.
- Close the Group Policy snap-in, and then click OK to exit.
Uninstall Agent
Note: When Arctic Wolf Agent is uninstalled, devices and associated risks are removed from the Arctic Wolf Portal and Risk Dashboard.
- Open Group Policy Management, right-click the Arctic Wolf Agent object that you created, and then click Edit.
- Expand the Software Settings element, per user or per machine, that contains the deployed package.
- Expand the Software Installation element that contains the deployed package.
- Right-click the package in the right pane of the Group Policy window.
- Select All Tasks > Remove, and then select Immediately uninstall the software from users and computers.
- Click OK to continue.
- Close the Group Policy snap-in, and then click OK to exit.
Agent deactivation
You can deactivate Agents by removing them from the Endpoints table in the Arctic Wolf Portal. We recommend uninstalling Agents before deactivating them. If you deactivate an Agent that is still installed on a system, the endpoint reappears in the Endpoints table the next time that it is Online.
Deactivating an endpoint does not delete existing data from Arctic Wolf internal databases.
Contained Agent deactivation
You are not required to deactivate Agents if they are contained. We recommend keeping Agents in the Endpoints table until the containment incident is resolved.
You can remove contained endpoints from the Endpoints table once the incident is resolved and the Agent is uninstalled from the device.
Tip: You can only remove endpoints that have not checked in for 72 hours.
Automatic Agent deactivation and activation
Any devices that were not Online for 90 days are automatically removed from the Endpoints table. The endpoint automatically reappears in the table the next time that Agent detects it as Online.
Deactivate an Agent
If you are a Managed Risk (MR) customer, you can deactivate devices in the Arctic Wolf Portal. If you cannot access the Arctic Wolf Portal, contact your Concierge Security Team (CST).
Note: You cannot make these changes in the Risk Dashboard.
- Confirm that the Agent is uninstalled from the device.
- On the Arctic Wolf Portal, click Endpoint Status.
- In the Endpoints table, click Remove offline endpoint on the appropriate device.
  Tip: You can only remove devices that are Offline. A device is only identified as Offline if its Agent has not checked in for 72 hours.
- In the dialog, click Remove Endpoint.
Note: If you accidentally remove an endpoint, the endpoint automatically reappears in the table the next time that Agent detects it as Online.