Using a GPO to deploy Lumu Agent

Deploy Lumu Agent using Group Policy (GPO)

The installation of the Lumu Agent for Windows is simple and straightforward. This article describes how to deploy the Windows Agent quickly to your entire user population through Group Policy Objects (GPO) on a Windows Server.
To get started with agents, see Introduction to Lumu Agents.

Requirements

  1. Active Directory configured on a Windows Server.
  2. The Windows devices to which you want to deploy the Lumu agent are members of your existing Windows Active Directory domain.
This document was created using Windows Server 2016 and Windows 10 Enterprise. 

Download the Installation File

To download the agent file for online installation on Windows, go to the Lumu Portal, navigate to the Agents menu, then click to download the agent, select the “Windows” option, and select the offline installer of your choice based on the needs of your deployment.

[Image: Lumu Agent for Windows installers]

Save the Agent installer file to a network shared folder accessible by all the endpoints you are deploying to (at least read access).

Make sure that all devices to which you are deploying the agent have access to this network shared location.
The following procedures should be performed for each group you create in the Lumu Portal, as each group has a unique activation code.

Create a GPO

To create or modify an existing Group Policy Object (GPO) to distribute the Lumu Agent, go to the Windows Server Manager, then navigate to “Tools” > “Group Policy Management”.

[Image: Windows Server Manager Dashboard]

Navigate to your target domain, right-click “Group Policy Objects” and select New. Type a name for this new policy, and then press “OK”.

[Image: Group Policy Management]

Link your new GPO to the domain that contains the group of devices to which you wish to have the policies applied. For this, right-click your domain in the left pane of the “Group Policy Management”, choose “Link an Existing GPO…”, select the GPO you created in the previous step and click “OK” to complete the process.

[Image: Linking an existing GPO]

Add the devices to which you want to deploy the Lumu Agent in the “Security Filtering” section. Ensure that each GPO contains only the Windows devices related to the group you created in the Lumu Portal. You are not required to add users, only devices.

[Image: GPO Security Filtering]
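
The console steps above can also be scripted. The following PowerShell is an added example, not Lumu's own tooling: it creates the GPO, links it to the domain and restricts Security Filtering to one group of computers. The GPO name, the domain DN (taken from the lumu.loc example path later on this page) and the AD group of computer accounts are assumptions.

```powershell
# Added example, not Lumu's own tooling. Run on a domain controller or a host
# with the Group Policy Management tools installed.
Import-Module GroupPolicy

# Assumed values: replace with your own.
$GpoName     = 'Lumu Agent - Group A'     # hypothetical GPO name, one per Lumu Portal group
$DomainDn    = 'DC=lumu,DC=loc'           # domain to link the GPO to
$DeviceGroup = 'Lumu-GroupA-Computers'    # hypothetical AD group of computer accounts

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Deploys Lumu Agent via startup script'
}

# Link the GPO to the domain unless it is already linked there.
$linked = (Get-GPInheritance -Target $DomainDn).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) {
    New-GPLink -Guid $gpo.Id -Target $DomainDn -LinkEnabled Yes | Out-Null
}

# Security Filtering: only the device group applies the policy.
Set-GPPermission -Guid $gpo.Id -TargetName $DeviceGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Authenticated Users is reduced from Apply to Read, so the GPO stays readable
# but is applied only by the device group. -Replace is required to lower an
# existing permission level.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Show the resulting filter for review.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, TrusteeType, Permission
```

Repeat with a different GPO name and device group for each group in the Lumu Portal, since each one has its own activation code.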

Installation Script

You can choose to deploy the Lumu Agent using GPO from the .exe or .msi installation file. We provide both scripts below.

Make sure to edit the following variables:
  1. “ActivationCode” - add the corresponding activation code of the installation group you created in the Lumu Portal. Example: set ActivationCode="saf4B4G0"
  2. “LumuShare” - the path where the Lumu Agent installation file you downloaded in step 1 (.exe or .msi) is located. Example: set LumuShare="\\192.168.1.135\lumu\lum_agent_offline.exe"

Script for .exe

Click here to download the .exe script file. Save the file with the extension .bat in a network shared folder accessible by all the endpoints.
    @echo off
    :: Set the activation code of the installation group
    set ActivationCode="<activation_code>"
    :: Set the shared path of the Agent installation file
    set LumuShare="<shared_path>"
    ::#####################################################################::
    ::###################  Do not change the following lines ######################::
    ::#####################################################################::
    :: Local copy of the installer and path of the installed agent
    set LocalInstaller="C:\Temp\lum_agent_offline.exe"
    set AgentPath="C:\Program Files (x86)\Lumu\Agent\lumu-windows-agent.exe"
    :: Check if the installation file already exists; if not, copy it
    if not exist %LocalInstaller% (
        if not exist C:\Temp\ mkdir C:\Temp\
        copy %LumuShare% C:\Temp\
    )
    :: Check if Lumu Agent is already installed; if not, install it with the defined activation code
    if not exist %AgentPath% (
        %LocalInstaller% /SP- /VERYSILENT /activationcode=%ActivationCode% /acceptlicense="true"
    )

Script for .msi

This installation type generates a log file “lumu-agent-installation-output.log” located at the “C:\Temp\” folder that can be useful for troubleshooting purposes.
Click here to download the .msi script file. Save the file with the extension .bat in a network shared folder accessible by all the endpoints.
    @echo off
    :: Set the activation code of the installation group
    set ActivationCode="<activation_code>"
    :: Set the shared path of the Agent installation file
    set LumuShare="<shared_path>"
    ::#####################################################################::
    ::###################  Do not change the following lines ######################::
    ::#####################################################################::
    :: Local copy of the installer and path of the installed agent
    set LocalInstaller="C:\Temp\lum_agent_offline.msi"
    set AgentPath="C:\Program Files (x86)\Lumu\Agent\lumu-windows-agent.exe"
    :: Check if the installation file already exists; if not, copy it
    if not exist %LocalInstaller% (
        if not exist C:\Temp\ mkdir C:\Temp\
        copy %LumuShare% C:\Temp\
    )
    :: Check if Lumu Agent is already installed; if not, install it with the defined activation code
    if not exist %AgentPath% (
        msiexec /i %LocalInstaller% /log "C:\Temp\lumu-agent-installation-output.log" /quiet WRAPPED_ARGUMENTS="/activationcode="%ActivationCode%" /acceptlicense=""true"" "
    )
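
Both scripts run the staged installer from C:\Temp at startup, so it is worth confirming that the file on the share and the local copy are the file you downloaded. This PowerShell check is an added example, not part of Lumu's scripts; the expected SHA-256 is a placeholder for the value you record at download time, and the code assumes the installer is Authenticode-signed.

```powershell
# Added example, not part of Lumu's scripts.
param(
    [string]$SharePath      = '<shared_path>',                  # same value as LumuShare
    [string]$LocalInstaller = 'C:\Temp\lum_agent_offline.exe',  # local copy used by the script
    [string]$ExpectedSha256 = '<sha256_recorded_at_download>'   # placeholder
)

function Test-InstallerIntegrity {
    param([string]$Path, [string]$ExpectedSha256)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'Missing' }

    # String comparison with -ne is case-insensitive, so hex case does not matter.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) { return 'HashMismatch' }

    # Assumption: the installer is Authenticode-signed. Drop this check if it is not.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return "Signature$($sig.Status)" }

    return 'OK'
}

$failed = $false
foreach ($path in @($SharePath, $LocalInstaller)) {
    $result = Test-InstallerIntegrity -Path $path -ExpectedSha256 $ExpectedSha256
    Write-Output ('{0}: {1}' -f $path, $result)
    # A missing local copy is normal before the first startup run.
    if ($result -ne 'OK' -and -not ($result -eq 'Missing' -and $path -eq $LocalInstaller)) {
        $failed = $true
    }
}
if ($failed) { exit 1 }
```

For the .msi installer, pass the .msi path as LocalInstaller; the same hash and signature checks apply.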

Assign the script

The startup script option installs the Lumu Agent with administrative privileges before the boot process gets to the login screen.

To assign the installation script to users logging on to the defined workstations, go to the policy from step 2 and click to edit.

[Image: Edit the GPO]

Navigate to “Computer Configuration” > “Policies” > “Windows Settings” > “Scripts (Startup/Shutdown)”, then right-click the “Startup” option and select “Properties”.

[Image: GPO Editor]

Once in the startup properties, go to the “Scripts” tab, then click on “Show Files...” to display the directory where the script files are stored in the selected GPO. We recommend that you copy and paste the script .bat file (from step 3) to this directory. Example of path: \\lumu.loc\SysVol\lumu.loc\Policies\{B650E92A-ACC4}\Machine\Scripts\Startup

[Image: Startup Properties]

In the next step, click “Add” and then “Browse” to navigate to the “Show Files” directory and select the .bat file you pasted previously.

[Image: Assign installation script in the Startup Properties]

Confirm all the following prompt windows to apply the changes to the GPO.

[Image: Startup Properties confirmation screen]

The script will run, and the agent will be installed the next time the Windows computer starts.

It may take several minutes for the GPO / Active Directory replication to occur. This time frame may vary depending on the domain’s size and the time required for Active Directory replication.

You can follow the installations’ success by checking the devices listed on your Agents’ dashboard in the Lumu Portal.

[Image: Agent Dashboard - Lumu Portal]
