Team: Huntress EDR
Product: Group Policy Management (GPO)
Environment: Windows (on an Active Directory domain)
Summary: Deploy Huntress via GPO in Active Directory (AD) utilizing PowerShell scripts
The preferred GPO deployment method is via a PowerShell startup script. This ensures the latest version of the agent is always downloaded and the account key is only exposed to administrators with access to Group Policy Management.
IMPORTANT: it's imperative the built-in Active Directory Domain Computers AND Domain Controllers security groups have Read & Execute NTFS permissions and Read SMB Share permissions to the script location. Failure to confirm these permissions are correct will result in installation failure. This is due to Active Directory running "Computer Configuration" items in the context of the computer account and not a user account. This is because the installation occurs before a user logon.
Deploying Huntress via PowerShell & GPO
Deploying our PowerShell script via GPO is simple. First, download the script from our github. Create (or modify an existing) GPO in the appropriate hierarchy/OU in Active Directory, noting that in some environments Domain Controllers are not a member of Domain Computers and thus will also need to be in the scope (security filtering). Edit the policy to utilize the computer startup/shutdown script configuration. The "startup script" is the best option because as it installs with SYSTEM (local administrator) privileges before any use logon occurs. The caveat is the system will need to receive the group policy updates and be rebooted before installation will occur. This time frame may vary depending on the size of the domain and time required for Active Directory replication.
The startup script option is located under Computer Configuration | Policies | Windows Settings | Scripts | Startup. The settings required are shown below:
In the Script Name box enter the full path to the location of the downloaded Huntress PowerShell Deployment script. In the Script Parameters section enter:
-acctkey <your_huntress_account_key> -orgkey <huntress_organization_key>
IMPORTANT: A UNC path should be used instead of a mapped drive as mapped drives may not be available before a user logs on to an endpoint.
Once completed, click OK and OK again to apply the changes to the GPO. Remember to wait ample time for group policy / Active Directory replication to occur. For more information on how to force these to take place, research the gpupdate and repadmin commands for Active Directory.