Using a GPO to deploy Lumu Agent

Deploy Lumu Agent using Group Policy (GPO)

The installation of the Lumu Agent for Windows is simple and straightforward. This article describes how to deploy the Windows Agent quickly to your entire user population through Group Policy Objects (GPO) on a Windows Server.
To get started with agents, see Introduction to Lumu Agents.

Requirements

  1. Active Directory configured on a Windows Server.
  2. The Windows devices to which you want to deploy the Lumu agent are members of your existing Windows Active Directory domain.
This document was created using Windows Server 2016 and Windows 10 Enterprise. 

Download the Installation File

To download the agent file for online installation on Windows, go to the Lumu Portal, navigate to the Agents menu, then click to download the agent, select the “Windows” option and select the online installer.

Lumu Agent for Windows installers

Save the Agent installer file to a network shared folder accessible by all the endpoints you are deploying to (at least read access).

Make sure that all devices to which you are deploying the agent have access to this network shared location.
The following procedures should be performed for each group you create in the Lumu Portal, as each group has a unique activation code.

Create a GPO

To create a new Group Policy Object (GPO) or modify an existing one to distribute the Lumu Agent, go to the Windows Server Manager, then navigate to “Tools” > “Group Policy Management”.

Windows Server Manager Dashboard

Navigate to your target domain, right-click “Group Policy Objects” and select New. Type a name for this new policy, and then press “OK”.

Group Policy Management

Link your new GPO to the domain that contains the group of devices to which you wish to have the policies applied. For this, right-click your domain in the left pane of the “Group Policy Management”, choose “Link an Existing GPO…”, select the GPO you created in the previous step and click “OK” to complete the process.

Linking an existing GPO

Add the devices to which you want to deploy the Lumu Agent in the “Security Filtering” section. Ensure that each GPO contains only the Windows devices related to the group you created in the Lumu Portal. You are not required to add users, only devices.

GPO Security Filtering

Installation Script

You can choose to deploy the Lumu Agent using GPO from the .exe or .msi installation file. We provide both scripts below.

Make sure to edit the following variables:
  1. “ActivationCode” - add the corresponding activation code of the installation group you created in the Lumu Portal. Example: set ActivationCode="saf4B4G0"
  2. “LumuShare” - the path where the Lumu Agent installation file you downloaded in step 1 (.exe or .msi) is located. Example: set LumuShare="\\192.168.1.135\lumu\lum_agent_offline.exe"

Script for .exe

Click here to download the .exe script file. Save the file with the extension .bat in a network shared folder accessible by all the endpoints.
    @echo off
    :: Set the activation code of the installation group
    set ActivationCode="<activation_code>"
    :: Set the shared path of the Agent installation file
    set LumuShare="<shared_path>"
    ::#####################################################################::
    ::###################  Do not change the following lines ######################::
    ::#####################################################################::
    :: Local copy of the installer and path of the installed agent
    set LocalInstaller="C:\Temp\lum_agent_offline.exe"
    set AgentPath="C:\Program Files (x86)\Lumu\Agent\lumu-windows-agent.exe"
    :: Check if the installation file already exists; if not, copy it
    :: (copy to the exact local file name so the checks below find it)
    if not exist %LocalInstaller% (
        if not exist C:\Temp\ mkdir C:\Temp\
        copy %LumuShare% %LocalInstaller%
    )
    :: Check if Lumu Agent is already installed; if not, install it with the defined activation code
    if not exist %AgentPath% (
        %LocalInstaller% /SP- /VERYSILENT /activationcode=%ActivationCode% /acceptlicense="true"
    )

Script for .msi

This installation type generates a log file “lumu-agent-installation-output.log” located at the “C:\Temp\” folder that can be useful for troubleshooting purposes.
Click here to download the .msi script file. Save the file with the extension .bat in a network shared folder accessible by all the endpoints.
    @echo off
    :: Set the activation code of the installation group
    set ActivationCode="<activation_code>"
    :: Set the shared path of the Agent installation file
    set LumuShare="<shared_path>"
    ::#####################################################################::
    ::###################  Do not change the following lines ######################::
    ::#####################################################################::
    :: Local copy of the installer and path of the installed agent
    set LocalInstaller="C:\Temp\lum_agent_offline.msi"
    set AgentPath="C:\Program Files (x86)\Lumu\Agent\lumu-windows-agent.exe"
    :: Check if the installation file already exists; if not, copy it
    :: (copy to the exact local file name so the checks below find it)
    if not exist %LocalInstaller% (
        if not exist C:\Temp\ mkdir C:\Temp\
        copy %LumuShare% %LocalInstaller%
    )
    :: Check if Lumu Agent is already installed; if not, install it with the defined activation code
    if not exist %AgentPath% (
        msiexec /i %LocalInstaller% /log "C:\Temp\lumu-agent-installation-output.log" /quiet WRAPPED_ARGUMENTS="/activationcode="%ActivationCode%" /acceptlicense=""true"" "
    )
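
The startup script runs the local copy of the installer with administrative privileges, so it is worth confirming that the file in C:\Temp is the one you downloaded from the Lumu Portal before it is executed. The following is an added example, not part of Lumu's scripts: it compares the installer's SHA-256 digest with a pinned value. ExpectedSha256 (a placeholder you fill in) and the log file name lumu-agent-verify.log are assumptions; for the .msi installer, change LocalInstaller accordingly.

```batch
@echo off
setlocal EnableExtensions
:: Added example (not Lumu's script): verify the copied installer before it runs.
:: ExpectedSha256 is a placeholder. Compute it once, on the file downloaded from
:: the Lumu Portal, with:  certutil -hashfile lum_agent_offline.exe SHA256
set "ExpectedSha256=<sha256_of_downloaded_installer>"
set "LocalInstaller=C:\Temp\lum_agent_offline.exe"
:: Hypothetical log file name, chosen for this example
set "VerifyLog=C:\Temp\lumu-agent-verify.log"

if not exist "%LocalInstaller%" (
    >>"%VerifyLog%" echo %DATE% %TIME% installer not found: %LocalInstaller%
    exit /b 2
)

:: certutil prints a header line, the digest, then a status line; keep line 2 only.
set "ActualSha256="
for /f "skip=1 delims=" %%H in ('certutil -hashfile "%LocalInstaller%" SHA256') do (
    if not defined ActualSha256 set "ActualSha256=%%H"
)
:: Older certutil builds separate the bytes with spaces; remove them before comparing.
if defined ActualSha256 set "ActualSha256=%ActualSha256: =%"

:: /i compares case-insensitively, since hex digits may differ in case.
:: On mismatch the local copy is deleted so the next startup re-copies it from the share.
if /i not "%ActualSha256%"=="%ExpectedSha256%" (
    >>"%VerifyLog%" echo %DATE% %TIME% digest mismatch, got "%ActualSha256%"
    del /f /q "%LocalInstaller%"
    exit /b 1
)
>>"%VerifyLog%" echo %DATE% %TIME% digest verified
exit /b 0
```

Call this check from the startup script after the copy step and run the installer only when it exits with code 0.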

Assign the script

The startup script option installs the Lumu Agent with administrative privileges before the boot process gets to the login screen.

To assign the installation script to users logging on to the defined workstations, go to the policy from step 2 and click to edit.

Edit the GPO

Navigate to “Computer Configuration” > “Policies” > “Windows Settings” > “Scripts (Startup/Shutdown)”, then right-click the “Startup” option and select “Properties”.

GPO Editor

Once in the startup properties, go to the “Scripts” tab, then click on “Show Files...” to display the directory where the script files are stored in the selected GPO. We recommend that you copy and paste the script .bat file (from step 3) to this directory. Example of path: \\lumu.loc\SysVol\lumu.loc\Policies\{B650E92A-ACC4}\Machine\Scripts\Startup

Startup Properties

In the next step, click “Add” and then “Browse” to navigate to the “Show Files” directory and select the .bat file you pasted previously.

Assign installation script in the Startup Properties

Confirm all the following prompt windows to apply the changes to the GPO.

Startup Properties confirmation screen

The script will run, and the agent will be installed the next time the Windows computer starts.

It may take several minutes for the GPO / Active Directory replication to occur. This time frame may vary depending on the domain’s size and the time required for Active Directory replication.

You can follow the installations’ success by checking the devices listed on your Agents’ dashboard in the Lumu Portal.

Agent Dashboard - Lumu Portal
