Use a PowerShell Script to Install Windows Agent
Lacework provides the following PowerShell scripts to enable you to download and install the Windows agent:
- The Install-LWCollector.ps1 script downloads the Windows agent MSI package and installs the Windows agent on a host machine.
- The Azure-Deploy-LW-Win.ps1 script downloads the Windows agent MSI package and installs the agent on all Windows VMs in an Azure resource group.
Prerequisites
- Download the Lacework PowerShell script (powershell.zip file) using the instructions in Download Windows Agent Installer.
- Unzip the powershell.zip file. The powershell folder that is created contains the following files:
  - Install-LWCollector.ps1
  - Azure-Deploy-LW-Win.ps1
Use Install-LWCollector.ps1 Script to Install Windows Agent on a Host Machine
The Install-LWCollector.ps1 PowerShell script installs the Lacework Windows agent and adds a local firewall rule to allow the agent to communicate with Lacework. In addition, the script optionally configures a Windows Defender exclusion for the agent.
Note: Lacework recommends that you exclude the agent from any antivirus or Endpoint Detection and Response (EDR) applications on your host. The Install-LWCollector.ps1 script allows you to enable this exclusion for Microsoft Defender. For other antivirus applications, you can customize the script to exclude the agent from scanning.
Install Windows Agent with config.json Configuration File
Create a config.json file on your host using a text editor.
Note: Do not create the config.json file in the C:\ProgramData\Lacework\ directory where the Windows agent components will be installed.
Paste the following into the config.json file:
{
  "tokens": {
    "accesstoken": "Your_Access_Token"
  },
  "serverurl": "Your_API_Endpoint"
}
Where:
- Your_Access_Token specifies the access token to use with the agent. Obtain the access token using the instructions in Obtain an Access Token for the Windows Agent.
- Your_API_Endpoint specifies the agent server URL. The default endpoint that the agent communicates with is https://api.lacework.net and the default region is US.
Note: serverurl is optional if your Lacework tenant is deployed in the US, but mandatory for other tenants.
- https://api.lacework.net - US
- https://aprodus2.agent.lacework.net - US-02 (US)
- https://api.fra.lacework.net - European Union (EU)
- https://auprodn1.agent.lacework.net - Australia and New Zealand (ANZ)
By default, the agent is automatically upgraded when a new version is available. To disable automatic upgrade, see Automatic Upgrade of Windows Agent.
Save the config.json file in ASCII format and note the location of the file.
Open a PowerShell terminal as administrator.
Navigate to the directory containing the Install-LWCollector.ps1 script on your host.
Run the script using the following command in the PowerShell command line:
C:\Users\Administrator> .\Install-LWDataCollector.ps1 -MSIURL Agent_MSI_Download_URL -ConfigPath C:\path\to\config.json -Defender
Where:
- C:\path\to\config.json specifies the file path for the config.json file.
- Agent_MSI_Download_URL specifies the URL for downloading the Windows agent MSI package. To obtain the URL, do the following:
  - Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
  - Go to the release you want to install.
  - Copy the URL for Lacework Windows Agent MSI Package.
- The -Defender option excludes the Windows agent from scanning with Windows Defender.
The config.json file is copied to the C:\ProgramData\Lacework\ directory. You can modify this file to change the settings for the agent. If you modify the file, you must restart the agent for the changes to take effect. For more information, see Restart Windows Agent.
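The config.json requirements in this procedure (ASCII encoding, a location outside the agent directory, one of the listed server URLs) can be checked before the installer runs. The following is an added example, not part of the Lacework scripts; the function name New-LwAgentConfig and the sample values are hypothetical.

```powershell
# Added example: stage config.json with pre-flight checks before install.
# New-LwAgentConfig is a hypothetical helper, not part of the Lacework scripts.
function New-LwAgentConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$OutputPath,
        [string]$ServerUrl   # optional for US tenants, mandatory otherwise
    )

    # Agent server URLs listed on this page.
    $allowed = @(
        'https://api.lacework.net',
        'https://aprodus2.agent.lacework.net',
        'https://api.fra.lacework.net',
        'https://auprodn1.agent.lacework.net'
    )
    if ($ServerUrl -and ($allowed -notcontains $ServerUrl)) {
        throw "serverurl '$ServerUrl' is not one of the documented endpoints."
    }

    # Resolve relative paths against the PowerShell location, then refuse
    # the directory where the agent components will be installed.
    $full = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutputPath)
    $installDir = (Join-Path $env:ProgramData 'Lacework') + '\'
    if ($full.StartsWith($installDir, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Do not create config.json under $installDir"
    }

    # The file is written as ASCII; a non-ASCII character would be replaced with '?'.
    if ($AccessToken -match '[^\x20-\x7E]') {
        throw 'Access token contains non-ASCII characters.'
    }

    $config = [ordered]@{ tokens = [ordered]@{ accesstoken = $AccessToken } }
    if ($ServerUrl) { $config['serverurl'] = $ServerUrl }
    $config | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $full -Encoding Ascii

    # Round-trip check: the file on disk parses and carries the same token.
    $check = Get-Content -LiteralPath $full -Raw | ConvertFrom-Json
    if ($check.tokens.accesstoken -ne $AccessToken) { throw 'config.json verification failed.' }
    return $full
}

# Constructed placeholder values, not real credentials.
New-LwAgentConfig -AccessToken 'Your_Access_Token' -ServerUrl 'https://api.fra.lacework.net' -OutputPath "$env:TEMP\config.json"
```

The returned path is the value to pass to -ConfigPath. Because the installer copies the file to C:\ProgramData\Lacework\, the staged copy still holds the access token in clear text and can be deleted once installation succeeds.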
Install Windows Agent without a config.json Configuration File
Instead of specifying configuration parameters for the agent installation in a config.json file, you can specify them directly in the command line.
Open a PowerShell terminal as administrator.
Navigate to the directory containing the Install-LWCollector.ps1 script on your host.
Run the script using the following command in the PowerShell command line:
C:\Users\Administrator> .\Install-LWDataCollector.ps1 -MSIURL Agent_MSI_Download_URL -AccessToken Your_Access_Token -ServerURL Your_API_Endpoint -Defender
Where:
- Your_Access_Token is the character string that identifies the specific access token to use with the agent. Obtain the access token using the instructions in Obtain an Access Token for the Windows Agent.
- Your_API_Endpoint specifies your Lacework API server URL, either api.lacework.net (default), aprodus2.agent.lacework.net (for US-02 (US)), api.fra.lacework.net (for European Union (EU)), or auprodn1.agent.lacework.net (for Australia and New Zealand (ANZ)).
- Agent_MSI_Download_URL specifies the URL for downloading the Windows agent MSI package. To obtain the URL, do the following:
  - Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
  - Go to the release you want to install.
  - Copy the URL for Lacework Windows Agent MSI Package.
- The -Defender option excludes the Windows agent from scanning with Windows Defender.
A config.json file that contains the options you specified in the command line is created in the C:\ProgramData\Lacework\ directory. You can modify this file to change the settings for the agent. If you modify the file, you must restart the agent for the changes to take effect. For more information, see Restart Windows Agent.
Use Azure-Deploy-LW-Win.ps1 Script to Install Windows Agent on Windows VMs in an Azure Resource Group
The Azure-Deploy-LW-Win.ps1 PowerShell script installs the Lacework Windows agent to all Windows VMs it finds in an Azure resource group. It uses the Install-LWCollector.ps1 PowerShell script during the installation process.
Open a PowerShell terminal as administrator.
Navigate to the directory containing the Azure-Deploy-LW-Win.ps1 script on your host.
Run the script using the following command in the PowerShell command line:
C:\Users\Administrator> .\Azure-Deploy-LW-Win.ps1 -EnableExtensions -Defender
- If extension operations are disabled on an Azure VM, use the -EnableExtensions option to enable extension operations on the VM and install the Windows agent. If you do not specify this option, the Windows agent is not installed on the VMs on which you have disabled extension operations.
- Use the -Defender option to exclude the Windows agent from scanning with Windows Defender on the VMs. Note that the Windows agent will be excluded from scanning only on the VMs on which the Defender PowerShell module is installed.
Specify the values for the parameters required by the script. Press Enter after you specify the value for each parameter.
Parameter - Description
- ResourceGroups - The Azure resource group in which you want to install the Windows agent. The agent will be installed on all the Windows VMs in the specified resource group. To specify more than one resource group, enter the name of a resource group and then press Enter.
- InstallScript - The path or URL for the Install-LWDataCollector.ps1 PowerShell script. To obtain the URL, do the following:
  - Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
  - Go to the release you want to install.
  - Copy the URL for Install-LWDataCollector.ps1 Script.
- Vault - The name of the Azure Key Vault that contains the secret for the Lacework token.
- TokenSecret - The name of a secret in the Azure Key Vault for the Lacework token.
- MSIURL - The URL for downloading the Windows agent MSI package. To obtain the URL, do the following:
  - Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
  - Go to the release you want to install.
  - Copy the URL for Lacework Windows Agent MSI Package.
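Because the script acts on every Windows VM in the resource groups you enter, it helps to preview its scope first. The following is an added example, not part of the Lacework scripts: it lists the Windows VMs in each resource group, flags those that would be skipped without -EnableExtensions, and confirms the Key Vault secret exists. It assumes the Az.Compute and Az.KeyVault modules and a session already signed in with Connect-AzAccount; the function name and sample values are hypothetical.

```powershell
# Added example: preview what Azure-Deploy-LW-Win.ps1 would act on.
# Assumes Az.Compute, Az.KeyVault and an existing Connect-AzAccount session.
# Get-LwDeployPreview and the sample names at the bottom are hypothetical.
function Get-LwDeployPreview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ResourceGroups,
        [Parameter(Mandatory)][string]$Vault,
        [Parameter(Mandatory)][string]$TokenSecret
    )

    # Fail early if the token secret is missing, before looking at any VM.
    $secret = Get-AzKeyVaultSecret -VaultName $Vault -Name $TokenSecret
    if (-not $secret) {
        throw "Secret '$TokenSecret' not found in vault '$Vault'."
    }

    foreach ($rg in $ResourceGroups) {
        foreach ($vm in Get-AzVM -ResourceGroupName $rg) {
            # Only Windows VMs are targeted by the deployment script.
            if ($vm.StorageProfile.OsDisk.OsType -ne 'Windows') { continue }

            # $false means extension operations are disabled on this VM, so it
            # is skipped unless the script is run with -EnableExtensions.
            $extAllowed = $vm.OSProfile.AllowExtensionOperations -ne $false
            [pscustomobject]@{
                ResourceGroup             = $rg
                Name                      = $vm.Name
                ExtensionsAllowed         = $extAllowed
                NeedsEnableExtensionsFlag = -not $extAllowed
            }
        }
    }
}

# Constructed sample names.
Get-LwDeployPreview -ResourceGroups 'rg-example' -Vault 'kv-example' -TokenSecret 'lacework-token' |
    Format-Table -AutoSize
```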