How To Install Wazuh Agents with PDQ Deploy

If you have any more than 20 computers you want to install Wazuh Agents on, you’re really going to need a deployment package. Who wants to touch every computer one by one to install an agent? Not me. It’s time to exercise some of those Sys Admin skillz you stored away in the attic and dust off those cobwebs.

PDQ Deploy to the rescue. PDQ Deploy is an invaluable IT tool, one of the Sys Admin’s best friends in fact. Today we are going to leverage some of the power of PDQ Deploy to do all the leg work for us, installing Wazuh agents on large numbers of networked Windows computers.

Let’s Get The Pre-Reqs Out Of The Way

All your Windows endpoints will need a bit of prep for a successful PDQ deployment ->

– Enable file and printer sharing

– Enable Local Token Filter (run cmd as admin and copy-paste the following command) ->

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "LocalAccountTokenFilterPolicy" /t REG_DWORD /d 1 /f

What is this local token filter thinga ma jig all about?

When you enable LocalAccountTokenFilterPolicy, you’re essentially allowing local administrator accounts to keep their full administrative rights when they access the computer remotely via network connections such as Remote Desktop or network shares. Without it, UAC strips the administrative privileges from a local administrator’s credentials when they are used remotely, which leads to authentication problems in any scenario where administrative access is required (a remote agent install being exactly that).

As a security best practice, we do recommend disabling LocalAccountTokenFilterPolicy (setting it back to 0) once you’re done with your deployments.

To disable it, rerun almost the same command, just changing the 1 to a 0 ->

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "LocalAccountTokenFilterPolicy" /t REG_DWORD /d 0 /f

While we’re on the topic of security best practices, you may as well plan to revoke the admin rights of your deployment user too once your deployment job is done.

Now Back To The Remaining Pre-reqs ->

– Create a local deployment user account for PDQ to authenticate with (this account must have local admin privileges)

– Create a share on your deployment server to host the Wazuh agent .msi file

– Download the Wazuh agent .msi file and put it in your share

– Download and install the PDQ Deploy 14-day trial (Enterprise mode required)

Yes, I know this is quite a bit of prep work across all your Windows endpoints, and it basically means more bulk changes just to get ready for a PDQ deployment. A walkthrough on accomplishing the above pre-reqs systematically falls outside the scope of this blog, but I recommend you leverage Group Policy, PDQ, or both.
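Since the post leaves the "do it systematically" part to you, here is one way to script the endpoint-side pre-reqs in PowerShell so you can push it with Group Policy or as a PDQ step. This is an added example, not code from the post or from PDQ: the account name `pdqdeploy`, the parameter names and the `-Revert` switch are my own choices, and it writes the same `LocalAccountTokenFilterPolicy` value the post’s `reg add` command writes. The `-Revert` switch undoes the changes after the job, which is the cleanup the post recommends (token filter back to 0, deployment user out of Administrators).

```powershell
# Endpoint prep for a PDQ Deploy run of the Wazuh agent (added example, not from the post).
# Run elevated on each Windows endpoint, e.g. as a GPO startup script or a PDQ PowerShell step.
# Assumptions (illustrative, not from the post): account name 'pdqdeploy', the -Revert switch,
# and that the password is handed in as a SecureString by whatever runs this script.
#   .\Prep-Endpoint.ps1 -DeployPassword $pw    -> apply the pre-reqs
#   .\Prep-Endpoint.ps1 -Revert                -> undo them once the deployment job is done
[CmdletBinding()]
param(
    [string]$DeployUser = 'pdqdeploy',
    [securestring]$DeployPassword,
    [switch]$Revert
)

$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policyName = 'LocalAccountTokenFilterPolicy'

function Set-TokenFilterPolicy {
    # 1 = remote logons by local admins keep their full token; 0 = UAC remote restrictions back on
    param([int]$Value)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name $policyName -Value $Value -Type DWord
    $now = (Get-ItemProperty -Path $policyKey -Name $policyName).$policyName
    Write-Host "$policyName is now $now"
}

if (-not $Revert) {
    # 1. File and Printer Sharing: PDQ needs the admin share reachable, so enable the firewall rule group.
    #    This enables the group for every profile; scope it further if your network policy requires.
    Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

    # 2. Local token filter, same as the post's reg add ... /d 1
    Set-TokenFilterPolicy -Value 1

    # 3. Local deployment user with local admin rights
    if (-not (Get-LocalUser -Name $DeployUser -ErrorAction SilentlyContinue)) {
        if (-not $DeployPassword) { throw "Need -DeployPassword to create $DeployUser" }
        New-LocalUser -Name $DeployUser -Password $DeployPassword -PasswordNeverExpires `
            -Description 'PDQ Deploy account (remove admin rights after deployment)' | Out-Null
    }
    Add-LocalGroupMember -Group 'Administrators' -Member $DeployUser -ErrorAction SilentlyContinue
    Write-Host "$DeployUser is a member of local Administrators"
}
else {
    # Post-deployment cleanup from the post: token filter back to 0, revoke admin rights, park the account
    Set-TokenFilterPolicy -Value 0
    Remove-LocalGroupMember -Group 'Administrators' -Member $DeployUser -ErrorAction SilentlyContinue
    Disable-LocalUser -Name $DeployUser -ErrorAction SilentlyContinue
    Write-Host "$DeployUser removed from Administrators and disabled"
}
```

Run it once with the password before the deployment and once with `-Revert` afterwards; the second run is the part people forget, and it is what keeps a deployment-only local admin from living on every endpoint forever.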

Now that you have all your pre-reqs out of the way, you’re ready to create your Wazuh Agent deployment package. Please skip to the video walkthrough at this point.

Lastly, here are the relevant commands for your reference…

Install Wazuh Agent ->

C:\wazuh-agent\wazuh-agent-4.7.3-1.msi /q WAZUH_MANAGER="192.168.10.12" WAZUH_REGISTRATION_SERVER="192.168.10.12"

Note: make sure to replace the IP with your own Wazuh server’s IP, and your Wazuh agent version may be different than mine, so update accordingly.

Restart Wazuh service ->

Restart-Service -Name wazuh

The wazuh-agent folder and agent .msi file that were copied down to your endpoints are no longer needed after a successful deployment. Let’s clean that up with this command ->

Remove-Item -Path "C:\wazuh-agent" -Recurse -Force
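If you would rather have PDQ run the three reference commands above as a single PowerShell step that actually tells you whether the install worked, here is an added example (mine, not from the post, Wazuh or PDQ) that strings them together with an MSI log, an exit-code check, a service check and a quick look at the agent’s config and enrollment state before cleaning up. The IP and version are the post’s placeholder values; the service display name `Wazuh`, the `ossec-agent` install folder under Program Files (x86) and the `client.keys` / `ossec.conf` checks are assumptions about a standard 4.x Windows agent install.

```powershell
# Install, verify and clean up the Wazuh agent that PDQ staged in C:\wazuh-agent
# (added example, not from the post). Run elevated on the endpoint as a PDQ PowerShell step.
# Assumptions: manager IP and MSI version are the post's placeholders; service display name
# 'Wazuh' and the %ProgramFiles(x86)%\ossec-agent layout are assumed for a 4.x Windows agent.
param(
    [string]$Manager = '192.168.10.12',                          # replace with your Wazuh server IP
    [string]$Msi     = 'C:\wazuh-agent\wazuh-agent-4.7.3-1.msi', # your version may differ
    [string]$LogPath = 'C:\Windows\Temp\wazuh-agent-install.log'
)

$ErrorActionPreference = 'Stop'

# 1. Quiet install with a verbose MSI log. This is the explicit msiexec form of the post's
#    "wazuh-agent-4.7.3-1.msi /q WAZUH_MANAGER=... WAZUH_REGISTRATION_SERVER=..." command.
$msiArgs = @('/i', "`"$Msi`"", '/qn', '/l*v', "`"$LogPath`"",
             "WAZUH_MANAGER=$Manager", "WAZUH_REGISTRATION_SERVER=$Manager")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin @(0, 3010)) {   # 3010 = success, reboot required
    throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
}

# 2. Restart the service so it picks up the config (the post's Restart-Service step)
$svc = Get-Service -DisplayName 'Wazuh' -ErrorAction SilentlyContinue
if (-not $svc) { throw 'Wazuh service not found after install; check the MSI log' }
$svc | Restart-Service
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))

# 3. Verify: the manager address landed in ossec.conf and enrollment populated client.keys
$agentDir = Join-Path ${env:ProgramFiles(x86)} 'ossec-agent'
$conf = Get-Content (Join-Path $agentDir 'ossec.conf') -Raw
if ($conf -notmatch "<address>$([regex]::Escape($Manager))</address>") {
    throw 'ossec.conf does not point at the expected manager'
}
$keys = Join-Path $agentDir 'client.keys'
if (-not (Test-Path $keys) -or (Get-Item $keys).Length -eq 0) {
    # Empty client.keys means the agent has not enrolled yet (manager unreachable on 1515/tcp, etc.)
    Write-Warning 'client.keys is empty: agent installed but not enrolled yet'
}

# 4. Clean up the staged installer (the post's Remove-Item step)
Remove-Item -Path 'C:\wazuh-agent' -Recurse -Force
Write-Host "Wazuh agent installed and running; MSI log at $LogPath"
```

PDQ treats a non-zero exit from the step as a failure, so the `throw` calls are what make a half-installed or mis-pointed agent show up red in the deployment report instead of silently counting as done.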
