Use a PowerShell Script to Install Windows Agent

Lacework provides the following PowerShell scripts to enable you to download and install the Windows agent:

• The Install-LWCollector.ps1 script downloads the Windows agent MSI package and installs the Windows agent on a host machine.
• The Azure-Deploy-LW-Win.ps1 script downloads the Windows agent MSI package and installs the agent on all Windows VMs in an Azure resource group.

Prerequisites

1. Download the Lacework Powershell Script (powershell.zip file) using the instructions in Download Windows Agent Installer.
2. Unzip the powershell.zip file. The powershell folder that is created contains the following files:
   • Install-LWCollector.ps1
   • Azure-Deploy-LW-Win.ps1

Use Install-LWCollector.ps1 Script to Install Windows Agent on a Host Machine

The Install-LWCollector.ps1 PowerShell script installs the Lacework Windows agent and adds a local firewall rule to allow the agent to communicate with Lacework. In addition, the script optionally configures a Windows Defender exclusion for the agent.

note

Lacework recommends that you exclude the agent from any antivirus or Endpoint Detection and Response (EDR) applications on your host. The Install-LWCollector.ps1 script allows you to enable this exclusion for Microsoft Defender. For other antivirus applications, you can customize the script to exclude the agent from scanning.

Install Windows Agent with config.json Configuration File

1. Create a config.json file on your host using a text editor.

   note

   Do not create the config.json file in the C:\ProgramData\Lacework\ directory where the Windows agent components will be installed.

2. Paste the following into the config.json file:

   {
      "tokens": {
          "accesstoken": "Your_Access_Token"
           },
       "serverurl": "Your_API_Endpoint"
   }

   Where:

   • Your_Access_Token specifies the access token to use with the agent. Obtain the access token using the instructions in Obtain an Access Token for the Windows Agent.

   • Your_API_Endpoint specifies the agent server URL. The default endpoint that the agent communicates with is https://api.lacework.net and the default region is US.

     note

     Please note that serverurl is optional if your Lacework tenant is deployed in the US, but mandatory for other tenants.

     • https://api.lacework.net - US
     • https://aprodus2.agent.lacework.net - US-02 (US)
     • https://api.fra.lacework.net - European Union (EU)
     • https://auprodn1.agent.lacework.net - Australia and New Zealand (ANZ)

3. By default, the agent is automatically upgraded when a new version is available. To disable automatic upgrade, see Automatic Upgrade of Windows Agent.

4. Save the config.json file in the ASCII format and note the location of the file.

5. Open a PowerShell terminal as administrator.

6. Navigate to the directory containing the Install-LWCollector.ps1 script on your host.

7. Run the script using the following command in the PowerShell command line:

   C:\Users\Administrator> .\Install-LWDataCollector.ps1 -MSIURL Agent_MSI_Download_URL -ConfigPath C:\path\to\config.json -Defender

   Where:

   • C:\path\to\config.json specifies the file path for the config.json file.
   • Agent_MSI_Download_URL specifies the URL for downloading the Windows agent MSI package. To obtain the URL, do the following:
     1. Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
     2. Go to the release you want to install.
     3. Copy the URL for Lacework Windows Agent MSI Package.
   • The -Defender option excludes the Windows agent from scanning with Windows Defender.

   The config.json file is copied to the C:\ProgramData\Lacework\ directory. You can modify this file to change the settings for the agent. If you modify the file, you must restart the agent for the changes to take effect. For more information, see Restart Windows Agent.

Install Windows Agent without a config.json Configuration File

Instead of specifying configuration parameters for the agent installation in a config.json file, you can specify them directly in the command line.

1. Open a PowerShell terminal as administrator.

2. Navigate to the directory containing the Install-LWCollector.ps1 script on your host.

3. Run the script using the following command in the PowerShell command line:

   C:\Users\Administrator> .\Install-LWDataCollector.ps1 -MSIURL Agent_MSI_Download_URL -AccessToken Your_Access_Token -ServerURL Your_API_Endpoint -Defender

   Where:

   • Your_Access_Token is the character string that identifies the specific access token to use with the agent. Obtain the access token using the instructions in Obtain an Access Token for the Windows Agent.
   • Your_API_Endpoint specifies your Lacework API server URL, either api.lacework.net (default), aprodus2.agent.lacework.net (for US-02 (US)), api.fra.lacework.net (for European Union (EU)), or auprodn1.agent.lacework.net (for Australia and New Zealand (ANZ)).
   • Agent_MSI_Download_URL specifies the URL for downloading the Windows agent MSI package. To obtain the URL, do the following:
     1. Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
     2. Go to the release you want to install.
     3. Copy the URL for Lacework Windows Agent MSI Package.
   • The -Defender option excludes the Windows agent from scanning with Windows Defender.

   A config.json file that contains the options you specified in the command line is created in the C:\ProgramData\Lacework\ directory. You can modify this file to change the settings for the agent. If you modify the file, you must restart the agent for the changes to take effect. For more information, see Restart Windows Agent.

Use Azure-Deploy-LW-Win.ps1 Script to Install Windows Agent on Windows VMs in an Azure Resource Group

The Azure-Deploy-LW-Win.ps1 PowerShell script installs the Lacework Windows agent to all Windows VMs it finds in an Azure resource group. It uses the Install-LWCollector.ps1 PowerShell script during the installation process.

1. Open a PowerShell terminal as administrator.

2. Navigate to the directory containing the Azure-Deploy-LW-Win.ps1 script on your host.

3. Run the script using the following command in the PowerShell command line:

   C:\Users\Administrator> .\Azure-Deploy-LW-Win.ps1 -EnableExtensions -Defender

   • If extension operations are disabled on an Azure VM, use the -EnableExtensions option to enable extension operations on the VM and install the Windows agent. If you do not specify this option, the Windows agent is not installed on the VMs on which you have disabled extension operations.
   • Use the -Defender option to exclude the Windows agent from scanning with Windows Defender on the VMs. Note that the Windows agent will be excluded from scanning only on the VMs on which the Defender PowerShell module is installed.

4. Specify the values for the parameters required by the script. Press Enter after you specify the value for each parameter.

   Parameter	Description
   ResourceGroups	The Azure resource group in which you want to install the Windows agent. The agent will be installed on all the Windows VMs in the specified resource group. To specify more than one resource group, enter the name of a resource group and then press Enter.
   InstallScript	The path or URL for the Install-LWDataCollector.ps1 PowerShell script. To obtain the URL, do the following: Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install. Go to the release you want to install. Copy the URL for Install-LWDataCollector.ps1 Script.
   Vault	The name of the Azure Key Vault that contains the secret for the Lacework token.
   TokenSecret	The name of a secret in the Azure Key Vault for the Lacework token.
   MSIURL	The URL for downloading the Windows agent MSI package. To obtain the URL, do the following: Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install. Go to the release you want to install. Copy the URL for Lacework Windows Agent MSI Package.