Windows endpoint

The following steps describe how to configure the ThreatLockDown agent on a Windows endpoint for automatic enrollment via the agent configuration method.

The ThreatLockDown agent installation directory depends on the architecture of the host:

  • C:\Program Files (x86)\ossec-agent for 64-bit systems.

  • C:\Program Files\ossec-agent for 32-bit systems.

  1. Using an administrator account, modify the ThreatLockDown agent configuration file ossec.conf in the installation directory. This guide assumes a 64-bit architecture, so the file is C:\Program Files (x86)\ossec-agent\ossec.conf.

    • Include the ThreatLockDown manager IP address or DNS name in the <client><server><address> section:

        <client>
          <server>
            <address>MANAGER_IP</address>
            ...
          </server>
        </client>
      

      This will allow the agent to connect to the ThreatLockDown manager and automatically request a key.

    • (Optional) Add enrollment parameters in the <client><enrollment> section.

         <client>
             ...
             <enrollment>
                 <agent_name>EXAMPLE_NAME</agent_name>
                 <groups>GROUP1,GROUP2,GROUP3</groups>
                 ...
             </enrollment>
         </client>
      

    These agent enrollment parameters are optional. They provide the agent with specific information to use during enrollment. Some common enrollment parameters are listed below:

    • <agent_name>EXAMPLE_NAME</agent_name>: This specifies the name the endpoint should be enrolled as. When this is not specified, it defaults to the endpoint hostname.

    • <groups>GROUP1,GROUP2,GROUP3</groups>: This specifies the group(s) to which the agent should be added. An agent group is a collection of agents that share the same configuration. This allows the manager to push configuration settings to a set of agents that belong to the same group. The agent enrollment will fail if a non-existent group is specified. Therefore, it is necessary to create the desired group on the manager before using the group parameter. Additional information on agent groups can be found here.

    More optional enrollment parameters and their usage are provided here.

  2. Restart the agent to make the changes effective.

    Restart-Service -Name wazuh
    
  3. In the ThreatLockDown dashboard, select the “Endpoints Summary” module and check for the newly enrolled agent and its connection status to confirm that enrollment was successful.
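
Steps 1 and 2 can also be scripted from an elevated PowerShell session. The script below is an added example, not part of the original guide or the product's own tooling. It assumes the 64-bit path used above and that ossec.conf parses as a single well-formed XML document; MANAGER_IP, EXAMPLE_NAME and the group list are the placeholders from this page, and the helper name Set-ChildText is hypothetical.

```powershell
# Added example: apply steps 1 and 2 of this guide in one pass.
$ErrorActionPreference = 'Stop'   # abort on the first error instead of continuing

$ConfPath  = 'C:\Program Files (x86)\ossec-agent\ossec.conf'  # 64-bit path from this guide
$ManagerIp = 'MANAGER_IP'              # placeholder: manager IP address or DNS name
$AgentName = 'EXAMPLE_NAME'            # placeholder: defaults to the hostname if omitted
$Groups    = 'GROUP1,GROUP2,GROUP3'    # placeholder: groups must already exist on the manager

function Set-ChildText {               # hypothetical helper, not a product cmdlet
    param([System.Xml.XmlElement]$Parent, [string]$Name, [string]$Value)
    # Reuse the child element if it exists, otherwise create it, then set its text.
    $node = $Parent.SelectSingleNode($Name)
    if ($null -eq $node) {
        $node = $Parent.AppendChild($Parent.OwnerDocument.CreateElement($Name))
    }
    $node.InnerText = $Value
}

# Keep a timestamped copy so a bad edit can be rolled back.
Copy-Item -LiteralPath $ConfPath -Destination "${ConfPath}.$(Get-Date -Format yyyyMMddHHmmss).bak"

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true        # leave the existing layout and comments untouched
$xml.Load($ConfPath)                   # throws if the file is not well-formed XML

$client = $xml.SelectSingleNode('//client')
if ($null -eq $client) { throw "No <client> section found in $ConfPath" }

$server = $client.SelectSingleNode('server')
if ($null -eq $server) { $server = $client.AppendChild($xml.CreateElement('server')) }
Set-ChildText -Parent $server -Name 'address' -Value $ManagerIp

$enroll = $client.SelectSingleNode('enrollment')
if ($null -eq $enroll) { $enroll = $client.AppendChild($xml.CreateElement('enrollment')) }
Set-ChildText -Parent $enroll -Name 'agent_name' -Value $AgentName
Set-ChildText -Parent $enroll -Name 'groups'     -Value $Groups

$xml.Save($ConfPath)
Restart-Service -Name wazuh            # service name as given in step 2
```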