The preferred GPO deployment method is via a PowerShell script. This ensures the latest version of the agent is always downloaded and the account key is only exposed to administrators with access to Group Policy Management.
IMPORTANT: The built-in Active Directory Domain Computers security group must have Read & Execute NTFS permissions and Read SMB share permissions on the script location. If these permissions are not correct, the installation will fail. Active Directory runs "Computer Configuration" items in the context of the computer account, not a user account, because the installation occurs before user logon. The \\Netlogon\ folder is a recommended location for the PowerShell script file to ensure access.
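One way to confirm the permissions described above before linking the GPO, as an added example that is not part of the original article or Huntress's own tooling. The server name, share name and script path are placeholders, and it assumes you run it as an administrator who can query the file server over CIM/WinRM.

```powershell
# Added example (not Huntress code): confirm computer accounts can read the script.
# $ScriptPath, $Server and $Share are placeholders for your own environment.
param(
    [string]$ScriptPath = '\\dc01.example.local\NETLOGON\InstallHuntress.powershellv2.ps1',
    [string]$Server     = 'dc01.example.local',
    [string]$Share      = 'NETLOGON'
)

$SidType  = [System.Security.Principal.SecurityIdentifier]
$ReadExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# True for Domain Computers (RID 515) and the well-known groups that contain
# computer accounts: Authenticated Users (S-1-5-11) and Everyone (S-1-1-0).
# SIDs are used instead of names so the check works on localized systems.
function Test-CoversComputers([string]$Sid) {
    $Sid -match '^S-1-5-21-.+-515$' -or $Sid -in 'S-1-5-11', 'S-1-1-0'
}

# NTFS: look for an Allow ACE granting Read & Execute to one of those groups.
$acl = Get-Acl -LiteralPath $ScriptPath
$ntfsOk = $acl.GetAccessRules($true, $true, $SidType) | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $ReadExec) -eq $ReadExec -and
    (Test-CoversComputers $_.IdentityReference.Value)
}

# SMB: any Allow entry (Read, Change or Full) for one of those groups is enough.
$shareOk = Get-SmbShareAccess -Name $Share -CimSession $Server | Where-Object {
    $sid = ([System.Security.Principal.NTAccount]$_.AccountName).Translate($SidType).Value
    $_.AccessControlType -eq 'Allow' -and (Test-CoversComputers $sid)
}

# Both values must be True for the immediate task to reach the script.
# Deny entries and access granted through other nested groups are not evaluated.
[pscustomobject]@{
    ScriptPath      = $ScriptPath
    NtfsReadExecute = [bool]$ntfsOk
    ShareRead       = [bool]$shareOk
}
```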
Deploying Huntress via PowerShell & GPO (immediate scheduled task)
Deploying our PowerShell script via GPO is simple. First, download the script from our GitHub. Create a GPO (or modify an existing one) in the appropriate hierarchy/OU in Active Directory. Edit the policy to use the computer scheduled task configuration. With an immediate scheduled task, the script is pushed to any linked computers on the next Group Policy update.
The option is located under Computer Configuration | Preferences | Control Panel Settings | Scheduled Tasks. Right-click and select New -> Immediate Task (Win 7 or higher). The settings required are shown below:
On the General Tab:
Enter name as “Huntress Installer”
Click “Change user or Group” button, search for “SYSTEM”, click “OK”
Select “Run whether user logged on or not”
Check “Run with highest privileges”
In the “Configure for:” pull down select “Windows 7, Windows Server 2008R2”
On the Actions Tab:
Click “New”
In the “Program/script” field type:
In the “Add argument” field type:
-ExecutionPolicy Bypass -command "& \\\InstallHuntress.powershellv2.ps1 -acctkey <myacctkey> -orgkey <myorgkey> -tags <OPTIONAL_comma_separated_tags>"
Click “OK” on the New Action window and click “OK” on the Properties window to close out those dialogs.
IMPORTANT: A UNC path should be used instead of a mapped drive as mapped drives may not be available before a user logs on to an endpoint.
Once this is complete, any linked computers should get the installer pushed to them when Group Policy updates, or when gpupdate /force is run from the command prompt to force that action.
Syntax shown for the Argument seems wrong,
should have the keys embedded after the parameters, no? Like