Sysmon Installation on Windows - Multiple Endpoints

Updated Feb 12, 2024

Install Sysmon using the Group Policy Management Console

You can install Sysmon on multiple Windows endpoints using the Group Policy Management Console (GPMC).

Requirements

Before you begin

Steps

  1. Prepare the Sysmon Assistant installation package.
  2. Create a distribution point.
  3. Create a Group Policy Object.
  4. Assign the Sysmon Assistant package.
  5. Enable startup policy for the Sysmon Assistant package.

Step 1: Prepare the Sysmon Assistant installation package

Step 2: Create a distribution point

  1. Sign in to the server with administrator permissions.
  2. Create a shared network folder for the SysmonAssistant.msi package.
  3. Grant at least Read permission on the folder so that the client computers can access the distribution package.
  4. Copy the SysmonAssistant.msi package from Prepare the Sysmon Assistant installation package, and then paste it into the shared folder.

Step 3: Create a Group Policy Object

The SysmonAssistant.msi package is deployed or distributed through Group Policy as a Group Policy Object (GPO).

  1. Click Start, and then open the GPMC.

  2. In the navigation menu, click Forest: <DomainName>, where <DomainName> is the name of your domain, and then click the Domains folder.

  3. Right-click the domain name. If you:

    • Already have a Sysmon GPO: select Link an Existing GPO, and then click Edit.
    • Do not have an existing Sysmon GPO: create a new GPO:
      1. Select Create a GPO in this domain, and Link it here.

      2. In the New GPO dialog box, enter a name for the new GPO.

      3. Verify that the Source Starter GPO menu says (none).

      4. Click OK.

        Tip: To assign a security group and make sure that the package is deployed only to the intended group of computers, see Assign Security Group Filters to the GPO.

      5. Right-click the new GPO, and then click Enforced to enable it.

        The GPO is enabled. A lock appears on the GPO icon in the navigation menu.

      6. Right-click the new GPO, and then select Edit.

  4. In the new window, right-click the Sysmon GPO, and then click Properties.

  5. Click the Security tab.

  6. Select a group or user.

  7. In the Apply Group Policy section, select the Allow checkbox.

    The policy is applied to the selected groups or users.

  8. Click OK.

Step 4: Assign the Sysmon Assistant package

You can assign the package to each computer in the scope of the GPO. When the Sysmon Assistant package is assigned, it is installed automatically.

  1. Open the GPMC.

  2. Right-click the Sysmon GPO that you created, and then click Edit.

  3. In the navigation menu, click Computer Configuration > Policies > Software Settings.

  4. Right-click Software Installation, and then click New > Package.

  5. In the Open dialog, enter the full Universal Naming Convention (UNC) path of the distribution point containing the MSI file.

  6. Select the MSI file to create the Sysmon Assistant package.

  7. Click Open.

  8. Click Assigned, and then click OK.

    The package is added to the Group Policy window.

  9. Close the Group Policy snap-in, and then click OK to exit.

Note: The assigned package installs when the client computers start, provided that:

  • Group Policy is applied to the client computer.
  • The distribution point is accessible from the client computer.

Step 5: Enable startup policy for the Sysmon Assistant package

This step is optional. Arctic Wolf recommends enabling the startup policy if you have Sysmon deployment issues. The policy makes the computer wait for the network at startup so that the assigned Sysmon Assistant package is installed sooner.

  1. Open the GPMC.
  2. Right-click the Sysmon Assistant object that you created, and then click Edit.
  3. In the navigation menu, under Computer Configuration, expand Policies, and then expand Administrative Templates > System > Logon.
  4. Click Always wait for the network at computer startup and logon.
  5. Select Enabled, and then click OK to close the dialog.
  6. In the navigation menu, under System, expand Group Policy.
  7. Right-click Specify startup policy processing wait time, and then click Edit.
  8. Select Enabled.
  9. In the Amount of time to wait field, enter 90.
  10. Click OK to save your changes.
  11. Close the Group Policy snap-in, and then click OK to exit.
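The same Steps 2, 3 and 5 as a PowerShell script, added here as an example and not part of Arctic Wolf's documentation or tooling. It assumes a management host with the GroupPolicy and SmbShare modules, and the domain DN, share path, server name and group names are placeholders; Step 4 (adding the Software Installation package) has no GroupPolicy-module cmdlet and is still done in the GPMC.

```powershell
# Added example (not Arctic Wolf's own tooling). All names are placeholders.
Import-Module GroupPolicy

$SharePath = 'C:\Dist\SysmonAssistant'          # local folder backing the share
$ShareName = 'SysmonAssistant$'                  # hidden share for the package
$MsiName   = 'SysmonAssistant.msi'
$GpoName   = 'Sysmon Assistant Deployment'
$Domain    = 'DC=corp,DC=example,DC=com'         # placeholder domain DN
$Computers = 'CORP\Domain Computers'             # accounts that must read the share
$Scope     = 'CORP\Sysmon Endpoints'             # placeholder security group filter

# Step 2: distribution point. Computer accounts pull the MSI at startup, so
# they need Read only; keep write access limited to administrators.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
Copy-Item -Path ".\$MsiName" -Destination $SharePath
New-SmbShare -Name $ShareName -Path $SharePath -ReadAccess $Computers `
    -FullAccess 'CORP\Domain Admins' | Out-Null
$Unc = "\\$env:COMPUTERNAME\$ShareName\$MsiName"
if (-not (Test-Path $Unc)) { throw "Distribution point not reachable: $Unc" }

# Step 3: create, link and enforce the GPO, then give Apply to the target
# group only; Authenticated Users keeps Read so clients can still process it.
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $Domain -Enforced Yes | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Scope -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Step 4: add the Software Installation package in the GPMC, using $Unc as the
# package path and the Assigned deployment method (no cmdlet for this).

# Step 5: the two startup-policy settings, written as the registry-backed
# values behind the Administrative Template entries.
Set-GPRegistryValue -Name $GpoName -Type DWord -Value 1 `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -ValueName 'SyncForegroundPolicy' | Out-Null          # Always wait for the network
Set-GPRegistryValue -Name $GpoName -Type DWord -Value 90 `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'GpNetworkStartTimeoutPolicyValue' | Out-Null  # wait time, seconds

# Endpoint check, to run on a client after it restarts: did the GPO apply,
# and is the Sysmon service present and running?
# gpresult /r /scope:computer | Select-String $GpoName
# Get-Service -Name Sysmon, Sysmon64 -ErrorAction SilentlyContinue
```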

See also