Installing the PAM360 Agent in Endpoints via Windows Group Policy Objects (GPO)
This document details the steps needed to install the PAM360 Agent in multiple endpoints using Windows Group
Policy Objects (GPO). Click here to download the
PAM360-Agent-Script zip file. Unzip the file and extract the PAM360AgentInstallationScript.ps1 and
PAM360AgentUninstallationScript.ps1 files.
After downloading the file, verify that its SHA256 hash matches the value below:
SHA256 Checksum:
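One way to run this check before anything is copied into a GPO, where startup scripts run as Local System on every target machine. This is an added example, not part of the PAM360 documentation or scripts, and the `<...>` values are placeholders to fill in from your download and from this page.

```powershell
# Added example, not ManageEngine code. Replace the <...> placeholders first.
$zipPath  = '<path to the downloaded PAM360-Agent-Script zip>'
$expected = '<SHA256 value published on this page>'
$wanted   = 'PAM360AgentInstallationScript.ps1', 'PAM360AgentUninstallationScript.ps1'

# 1. Compare the file hash with the published value (string -ne is case-insensitive).
$actual = (Get-FileHash -LiteralPath $zipPath -Algorithm SHA256).Hash
if ($actual -ne $expected.Trim()) {
    throw "SHA256 mismatch: got $actual. Do not extract or deploy this file."
}

# 2. List the archive without extracting it and confirm both scripts are inside.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path -LiteralPath $zipPath).Path)
try {
    # Directory entries have an empty Name, so they are skipped here.
    $names = $zip.Entries | Where-Object { $_.Name } | ForEach-Object { $_.Name }
}
finally {
    $zip.Dispose()
}

$missing    = $wanted | Where-Object { $_ -notin $names }
$unexpected = $names  | Where-Object { $_ -notin $wanted }
if ($missing)    { throw "Archive is missing: $($missing -join ', ')" }
if ($unexpected) { Write-Warning "Other files in archive: $($unexpected -join ', ')" }

# 3. Extract only after both checks pass.
$target = Join-Path (Split-Path -Parent $zipPath) 'PAM360-Agent-Script'
Expand-Archive -LiteralPath $zipPath -DestinationPath $target
"Verified and extracted to $target"
```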
Prerequisites
- Refer to the steps detailed in this help page, download the PAM360 agent installation zip from the
PAM360 interface, and copy the Agent Key. Save the key in a secure location—this must be added to the
PAM360 PowerShell script later.
- If you already have agents installed in the endpoints, follow these steps to uninstall the agents in bulk using the
uninstallation script. This script will uninstall both the C++ and C agents.
- Create a domain that contains all the target machines to be included in the GPO, that is, the endpoints where the
agent is to be installed.
Steps to Create a GPO in the Domain and add Target Machines
- Open Server Manager. In the top right corner, click Tools >> Group Policy
Management.
- Right click the Domain name and click the option Create a GPO in this domain, and Link it
here.
- Provide a name for the new GPO, for example, AgentGPO, and save. Now,
click the newly created GPO. Under Scope >> Security Filtering, click
Add. In the Select User, Computer, or Group window, enter the name of the
group that contains all the target endpoints, or enter the names of
the target machines individually, and click OK.
- Switch to the Delegations tab. Right click the group you added and provide full access
permission as shown below.
You have successfully created a Group Policy and added the target machines where the PAM360 Agent is to be
installed.
Steps to Add the Installation Script and Agent Installation Zip in the GPO
- Now right click the GPO name from the left pane and click Edit settings, delete, modify security. The Group
Policy Management editor window will open.
- Expand the Policies >> Windows Settings folders. Double click
Scripts. In the Scripts window, click Startup and then click
Properties.
- Switch to the PowerShell Scripts tab and click Show Files. The network directory will open up. Copy the path
of the network location.
- Open the extracted PAM360AgentInstallationScript.ps1 file and do the steps as follows:
  - Add the network location path copied in the previous step as the source variable. For example:
    "\\zylker.com\SysVol\zylker.com\Policies\{33A6F6BE-4A9E-4CCA-AB5A-7C96E14F2ACB}\Machine\Scripts\Startup\PAM360_WindowsAgent_CS.zip".
  - Add a desired destination path, for example, c:\Program Files. This is the location
    where the agent will be installed in the target endpoints, so ensure that this path is available in
    all the target machines.
  - Append the following data beside "./AgentInstaller.exe install $args" as
    required:
    - If you are installing the agent as a service for password management, self-service privilege
      elevation, and zero trust implementation, enter 1,2,3. For example,
      ./AgentInstaller.exe install $args 1,2,3
    - If you are installing the agent as a service for password management, enter
      1. For example, ./AgentInstaller.exe install $args 1
    - If you are installing the agent as a service for self-service privilege elevation, enter
      2. For example, ./AgentInstaller.exe install $args 2
    - If you are installing the agent as a service for zero trust implementation, enter
      3. For example, ./AgentInstaller.exe install $args 3.
    You can also enter a different combination based on your agent installation requirements.
- Now, paste the PAM360 agent PowerShell script file and the Agent installation zip in the GPO network
location.
- Click Add, add the 'PAM360AgentInstallationScript' file name under Script
Name and the Agent installation key copied from PAM360 under Script
Parameters. Click Apply and OK again to save the settings.
- In the GPO editor, expand Administrative Templates in the left pane. Expand the
System folder under it and open Group Policy.
- Under the Group Policy folder, right click Specify workplace connectivity wait time for policy
processing.
- In this window, click the Enabled option. Enter the Amount of time to wait
as 120 seconds. Click Apply and click OK to save the settings.
- The GPO will be applied. Once you restart all the target endpoints, the PAM360 Agent PowerShell script will
be invoked and the agent will be installed in the target machines.
- After successful installation of the agent, disable the startup script for the GPO you created (AgentGPO in
this example). This will ensure that the script is not invoked every time the target machines are restarted.
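To confirm that the last step took effect, this added example (not part of the PAM360 documentation or scripts) reads the GPO's psscripts.ini, the file in which Group Policy records PowerShell startup entries and their Script Parameters, and reports anything still configured for the installer. The function name and the `<...>` path placeholders are assumptions; the script name is the one used above.

```powershell
# Added example, not ManageEngine code. Test-AgentGpoCleanup is a hypothetical name.
function Test-AgentGpoCleanup {
    param(
        # GPO folder in SYSVOL: \\<domain>\SysVol\<domain>\Policies\{<GPO GUID>}
        [Parameter(Mandatory)] [string] $GpoPath,
        [string] $ScriptName = 'PAM360AgentInstallationScript.ps1'
    )
    $findings   = @()
    $scriptsDir = Join-Path $GpoPath 'Machine\Scripts'

    # psscripts.ini records each PowerShell script as <n>CmdLine= / <n>Parameters=
    $ini = Join-Path $scriptsDir 'psscripts.ini'
    if (Test-Path -LiteralPath $ini) {
        $section = ''
        foreach ($line in [System.IO.File]::ReadAllLines($ini)) {
            if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($section -ne 'Startup') { continue }
            if ($line -match '^\s*(\d+)CmdLine=(.*)$' -and $Matches[2] -like "*$ScriptName*") {
                $findings += "Startup entry $($Matches[1]) still runs $ScriptName"
            }
            elseif ($line -match '^\s*(\d+)Parameters=\s*\S') {
                # Report presence only; the value may be the Agent Key, so never print it.
                $findings += "Startup entry $($Matches[1]) still has Script Parameters set"
            }
        }
    }

    # The edited script copy stays readable in SYSVOL until it is deleted.
    $copy = Join-Path $scriptsDir "Startup\$ScriptName"
    if (Test-Path -LiteralPath $copy) {
        $findings += "Script copy still present: $copy"
    }
    return $findings
}

$result = Test-AgentGpoCleanup -GpoPath '\\<domain>\SysVol\<domain>\Policies\{<GPO GUID>}'
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else         { 'No startup entry, parameters or script copy found for the agent installer.' }
```

SYSVOL is readable by authenticated domain accounts, so any finding here means the Agent Key may still be exposed there and should be removed from the GPO.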
Troubleshooting Steps
Ensure that the AgentGPO has a higher precedence than the other GPOs. This is to make sure that the other GPOs
don't override the permissions of the AgentGPO.
To check this, click the GPO name, right click the Enforced option and check if it is enabled.