7

Resources

Last Update 18 dagen geleden

Whitelist Domain Rules - Microsoft OS and Microsoft Product Patches Whitelist Domain Rules - Third Party Patches Configuring the Service Account for macOS Patch Management on Apple Silicon Configuring Proxy on Agents Deploying SecOps Agent Using Group Policy (GPO)

Deploying SecOps Agent Using Group Policy (GPO)

Satyam

Last Update 5 maanden geleden

 
This article explains how to deploy the SecOps Agent across multiple Windows machines using Active Directory Group Policy (GPO).

For enterprise environments, we recommend script-based deployment instead of MSI-based GPO installation. Startup scripts provide better reliability, flexibility, and silent execution.

Why Use Script-Based GPO Deployment?
Using startup scripts for agent deployment offers the following benefits:
  • Runs with SYSTEM privileges
  • No user interaction required
  • Executes at system startup
  • Suitable for bulk deployments
  • Easier troubleshooting and rollback

    Prerequisites
    • Before proceeding, ensure the following:
    • Active Directory Domain Controller is available
    • Target machines are domain-joined
    • You have Domain Admin privileges
    • SecOps Agent installer and PowerShell script are available
    • Bulk Agent Exported from SecOps Solution Platform and License Key ready

      High-Level Deployment Flow
      • Create an AD security group
      • Create and link a GPO
      • Attach a startup script
      • Scope the GPO to target machines
      • Force policy update and reboot
      • Agent installs automatically

      Step-by-Step Deployment Guide

      Export Bulk Agent from SecOps Solution
      Export Agent in Bulk Mode from SecOps Solution tenant, based on your operating system.You can refer this article for agent export.

      Step 1: Create an Active Directory Security Group

      1. Open Active Directory Users and Computers
      2. Create a new Security Group
      3. Name the group: SecOpsAgentDeployment
      4. Add all target computer accounts to this group
        (This ensures only selected machines receive the SecOps Agent.)


      Step 2: Create a New Group Policy Object (GPO)

      1. Open Group Policy Management
      2. (Server Manager → Tools → Group Policy Management)
      3. Right-click your domain
      4. Select Create a GPO in this domain, and Link it here
      5. Name the GPO, for example: SecOps Agent Deployment
      6. Click OK


        Step 3: Copy Script and Agent to SYSVOL (Important)

        1. Download the powershell script from here.
        2. Copy the following files:
          • SecOps Agent installer
          • PowerShell deployment script

          To the SYSVOL scripts location: \\TestAd.local\SYSVOL\TestAd.local\scripts(Startup scripts must reside in SYSVOL so all domain machines can access them)

            • Before using the PowerShell script below, you must replace the license key with the one exported from your SecOps tenant.
            • If SecOps is deployed on-premise, you must update the BaseUrl as well in the PowerShell deployment script before copying it to SYSVOL. Set the BaseUrl to your central SecOps server IP or domain as configured during the on-premise setup.


            Step 4: Configure the Startup Script in GPO


            1. Right-click the newly created GPO → Edit
            2. Navigate to:

            Computer Configuration
            └─ Policies
            └─ Windows Settings
            └─ Scripts (Startup/Shutdown)
            └─ Startup

            • Click Startup
            • Click Add
            • Select the PowerShell script from the SYSVOL scripts folder
            • Save and close the editor


            Step 5: Scope and Enforce the GPO


            1. Select the GPO
            2. Under Security Filtering:
              • Remove Authenticated Users or Administrators
              • Add SecOpsAgentDeployment
            3. Enable Enforced on the GPO

            This ensures:

            • Only intended machines receive the policy
            • The policy cannot be overridden


            Step 6: Update Policy on Client Machines

            On each target client machine, run: gpupdate /force
            Then restart the system.

            What Happens After Reboot?

            • Startup script executes automatically
            • SecOps Agent installs silently
            • Agent registers with the SecOps platform
            • Device appears in the SecOps dashboard


            No user action is required.

            Best Practices

            • Always use startup scripts, not login scripts
            • Target computer groups, not users
            • Test with a pilot group before full rollout
            • Maintain version control for scripts and installers
            • Enable logging in scripts for troubleshoot


            Looking for Other Deployment Options?
            Depending on your environment, you may prefer a cloud-native or alternative deployment approach.

             

            Was this article helpful?

            0 out of 0 liked this article

            Still need help? Message Us