Using a GPO to deploy Lumu Agent

Deploy Lumu Agent using Group Policy (GPO)

Installing the Lumu Agent for Windows is straightforward. This article describes how to deploy the Windows Agent quickly to your entire user population through Group Policy Objects (GPO) on a Windows Server.
If you are interested in getting started with agents, access our Lumu Agent documentation.

Requirements

  1. Active Directory configured on a Windows Server.
  2. The Windows devices to which you want to deploy the Lumu Agent are members of your existing Windows Active Directory domain.

This document was created using Windows Server 2016 and Windows 10 Enterprise.

Download the Installation File

1. To download the agent installation file, go to the Lumu Portal, navigate to the Agents menu, click on the “Windows Client” button, and then select the offline installer you want to deploy using GPO.

Figure 1 - Lumu Agent for Windows installers.

Save the Agent installer file to a network shared folder accessible by all the endpoints you are deploying to (at least read access).

Make sure that all devices to which you are deploying the agent have access to this network shared location.
The following procedures should be performed for each installation group you defined in the Lumu Portal, as each group has a unique activation code.

Create a GPO

2. To create or modify an existing Group Policy Object (GPO) to distribute the Lumu Agent, go to the Windows Server Manager, then navigate to “Tools” > “Group Policy Manager”.

Figure 2 - Windows Server Manager Dashboard.

Navigate to your target domain, right-click “Group Policy Objects” and select New. Type a name for this new policy, and then press “OK”.

Figure 3 - Group Policy Management.

Link your new GPO to the domain that contains the group of devices to which you wish to have the policies applied. For this, right-click your domain in the left pane of the “Group Policy Management”, choose “Link an Existing GPO…”, select the GPO you created in the previous step and click “OK” to complete the process.

Figure 4 - Linking an existing GPO.

Add the devices to which you want to deploy the Lumu Agent in the “Security Filtering” section. Ensure that each GPO contains only the Windows devices related to the Installation Group you created in the Lumu Portal. You are not required to add users, only devices.

Figure 5 - GPO Security Filtering.
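The create, link and Security Filtering actions of this step can also be scripted with the GroupPolicy PowerShell module. This is an added example, not part of Lumu's documentation: the GPO name, the domain DN and the AD group `Lumu-GroupA-Computers` are assumptions, and it filters on a computer group rather than on individually added devices.

```powershell
# Added example, not from Lumu's documentation. Run on a host with the
# GroupPolicy module (RSAT or a domain controller) as a GPO administrator.
Import-Module GroupPolicy

$GpoName     = 'Lumu Agent - Installation Group A'  # hypothetical GPO name
$DomainDN    = 'DC=lumu,DC=loc'                     # domain taken from the page's example path
$DeviceGroup = 'Lumu-GroupA-Computers'              # hypothetical AD group of target computers

# Create the GPO only if it is missing, so the script is safe to re-run.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Lumu Agent startup-script deployment' | Out-Null
}

# Link it to the domain unless a link already exists.
$linked = (Get-GPInheritance -Target $DomainDN).GpoLinks |
          Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null }

# Security Filtering: a new GPO applies to "Authenticated Users" by default.
# Downgrade that entry to read-only (computers still need read access to
# process the policy) and grant Apply only to the device group.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $DeviceGroup -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# Show who the policy will actually apply to; expect only the device group.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }
```

If the last command lists any trustee other than the device group, the GPO reaches more machines than the Installation Group it was built for.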

Installation Script

3. You can choose to deploy the Lumu Agent using GPO from the .exe or .msi installation file. We provide both scripts below.

Make sure to edit the following variables:
  1. “ActivationCode” - add the corresponding activation code of the installation group you created in the Lumu Portal. Example: set ActivationCode="saf4B4G0"
  2. “LumuShare” - the path where the Lumu Agent installation file you downloaded in step 1 (.exe or .msi) is located. Example: set LumuShare="\\192.168.1.135\lumu\lum_agent_offline.exe"

Script for .exe

Click here to download the .exe script file. Save the file with the extension .bat in a network shared folder accessible by all the endpoints.
  @echo off
  :: Set the activation code of the installation group
  set ActivationCode="<activation_code>"
  :: Set the shared path of the Agent installation file
  set LumuShare="<shared_path>"
  ::#####################################################################::
  ::###################  Do not change the following lines ######################::
  ::#####################################################################::
  :: Local copy of the installer and path of the installed Agent
  set LocalInstaller="C:\Temp\lum_agent_offline.exe"
  set AgentPath="C:\Program Files (x86)\Lumu\Agent\lumu-windows-agent.exe"
  :: Check if the installation file already exists; if not, copy it
  if not exist %LocalInstaller% (
      mkdir C:\Temp\
      copy %LumuShare% C:\Temp\
  )
  :: Check if Lumu Agent is already installed; if not, install it with the defined activation code
  if not exist %AgentPath% (
      %LocalInstaller% /SP- /VERYSILENT /activationcode=%ActivationCode% /acceptlicense="true"
  )

Script for .msi

This installation type generates a log file “lumu-agent-installation-output.log” located at the “C:\Temp\” folder that can be useful for troubleshooting purposes.
Click here to download the .msi script file. Save the file with the extension .bat in a network shared folder accessible by all the endpoints.
  @echo off
  :: Set the activation code of the installation group
  set ActivationCode="<activation_code>"
  :: Set the shared path of the Agent installation file
  set LumuShare="<shared_path>"
  ::#####################################################################::
  ::###################  Do not change the following lines ######################::
  ::#####################################################################::
  :: Local copy of the installer and path of the installed Agent
  set LocalInstaller="C:\Temp\lum_agent_offline.msi"
  set AgentPath="C:\Program Files (x86)\Lumu\Agent\lumu-windows-agent.exe"
  :: Check if the installation file already exists; if not, copy it
  if not exist %LocalInstaller% (
      mkdir C:\Temp\
      copy %LumuShare% C:\Temp\
  )
  :: Check if Lumu Agent is already installed; if not, install it with the defined activation code
  if not exist %AgentPath% (
      msiexec /i %LocalInstaller% /log "C:\Temp\lumu-agent-installation-output.log" /quiet WRAPPED_ARGUMENTS="/activationcode="%ActivationCode%" /acceptlicense=""true"" "
  )

Assign the script

The startup script option installs the Lumu Agent with administrative privileges before the boot process gets to the login screen.

4. To assign the installation script to users logging on to the defined workstations, go to the policy from step 2 and click to edit.

Figure 6 - Edit the GPO.

Navigate to “Computer Configuration” > “Policies” > “Windows Settings” > “Scripts (Startup/Shutdown)”, then right-click the “Startup” option and select “Properties”.

Figure 7 - GPO Editor.

Once in the startup properties, go to the “Scripts” tab, then click on “Show Files...” to display the directory where the script files are stored in the selected GPO. We recommend that you copy and paste the script .bat file (from step 3) to this directory. Example of path: \\lumu.loc\SysVol\lumu.loc\Policies\{B650E92A-ACC4}\Machine\Scripts\Startup

Figure 8 - Startup Properties.

In the next step, click “Add” and then “Browse” to navigate to the “Show Files” directory and select the .bat file you pasted previously.

Figure 9 - Assign installation script in the Startup Properties.

Confirm all the following prompt windows to apply the changes to the GPO.

Figure 10 - Startup Properties confirmation screen.

The script will run, and the agent will be installed the next time the Windows computer starts.

Remember to wait the appropriate amount of time for the GPO / Active Directory replication to occur. This time frame may vary depending on the domain’s size and the time required for Active Directory replication.

You can follow the installations’ success by checking the devices listed on your Agents’ dashboard in the Lumu Portal.

Figure 11 - Agent Dashboard - Lumu Portal.
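Because the startup script runs the installer with administrative privileges on every targeted device, the installer on the share and the .bat file in the GPO folder should be writable only by administrators. The following check is an added example, not part of Lumu's documentation: it uses the example paths from this article, the script file name `lumu-agent-exe.bat` is hypothetical, and it inspects NTFS permissions only (share-level permissions are configured separately on the file server).

```powershell
# Added example: review the files a startup script will run with administrative privileges.
$Files = @(
    '\\192.168.1.135\lumu\lum_agent_offline.exe',   # installer path from the article's example
    # GPO folder from the article's example; the script file name is hypothetical
    '\\lumu.loc\SysVol\lumu.loc\Policies\{B650E92A-ACC4}\Machine\Scripts\Startup\lumu-agent-exe.bat'
)

# Rights that allow replacing or re-permissioning a file, plus GENERIC_WRITE / GENERIC_ALL.
$WriteMask = ([int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership') -bor 0x50000000

# Principals expected to hold write access: SYSTEM, Administrators, Domain/Enterprise Admins.
$TrustedSids = '^S-1-5-18$|^S-1-5-32-544$|^S-1-5-21-[\d-]+-(512|519)$'

function Test-DeploymentFile([string]$Path) {
    # Ask for SIDs instead of names so the check does not depend on OS language.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    $risky = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $WriteMask) -ne 0 -and
        $_.IdentityReference.Value -notmatch $TrustedSids
    }
    [pscustomobject]@{
        Path       = $Path
        SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature  = if ($Path -match '\.(exe|msi)$') {
                         (Get-AuthenticodeSignature -FilePath $Path).Status
                     } else { 'n/a' }
        WritableBy = @($risky | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    }
}

foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) { Test-DeploymentFile $f | Format-List }
    else { Write-Warning "Not reachable: $f" }
}
```

An empty `WritableBy` means only the expected administrative principals can modify the file; any SID listed there should be reviewed. Recording the `SHA256` value at deployment time lets you detect later changes to the installer on the share.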
