I will demonstrate how to set up and run local agent-based scans on tenable.io for Windows devices.
- Azure
- Windows 11 Pro VM
- Tenable.IO
After creating a Windows virtual machine, I will now show you how I go about creating a local-based agent to scan my Windows device. The purpose of this is that in work settings, employees are given devices to work on outside of the office. Instead of having to manually check all of those devices, I can set up an agent that does a self-assessment on the device it's installed on.
Agent groups are used to organize and manage the agents linked to your account. Each agent can be added to any number of groups, and scans can be configured to use these groups as targets.
Go to:
- Settings
- Sensors
- Nessus Agents
- Agent Groups
As you can see, the Agent Group above was created.
- Go to Scanner
- Press New Scan
- Press the Nessus agent
- Then select the Basic Agent Scan Template
This is what it looks like when you get there.
Configurations:
- I selected the group I created in the "agent groups" section.
- Then I named the scan
- For the Scan Type, I am selecting a triggered scan so that when a file with the name I select ends up in the directory and the agent discovers it, it will know it's time to scan.
For this scenario, the key file will be
goub.txt
Copy and paste this command from settings in Tenable. This is the code that will be used to install the agent on the VM.
- Settings
- Sensors
- Nessus Agents
- Linked Agents
- Look at the instructions for installing the Agent on Windows Platforms
It should look like this, on the right side of the screen.
Copy and paste the command as seen:
Invoke-WebRequest -Uri "https://sensor.cloud.tenable.com/install/agent/installer/ms-install-script.ps1" -OutFile "./ms-install-script.ps1"; & "./ms-install-script.ps1" -key "58aab372289ac80911e4c5ad40a07b23b5524319f9ff5c010aa50ec625ccf389" -type "agent" -name "" -groups ''; Remove-Item -Path "./ms-install-script.ps1"
Keep this because you will have to edit in the file name & group names.
First, I will open up the Notepad in my VM and paste that command.
The command downloads the PowerShell install script from the Tenable server, runs it with parameters such as the key, the type (agent), the agent name and the agent groups, and then deletes the downloaded script.
I am going to put my agent group's name, which is "Agent-Goub-Win11," that I created, in the spot where it says list of groups.
And now it should say instead:
Invoke-WebRequest -Uri "https://sensor.cloud.tenable.com/install/agent/installer/ms-install-script.ps1" -OutFile "./ms-install-script.ps1"; & "./ms-install-script.ps1" -key "58aab372289ac80911e4c5ad40a07b23b5524319f9ff5c010aa50ec625ccf389" -type "agent" -groups 'Agent-Goub-Win11'; Remove-Item -Path "./ms-install-script.ps1"
I removed the agent from the code since it is not necessarily needed in this scenario.
Here is the installation occurring. It will take a few minutes for the installation to finish.
Now my agent is installed on the VM. Below is a screenshot to confirm it is running in the background.
The commands to create the trigger file in PowerShell are:
cd \
cd programdata
cd Tenable
cd '.\Nessus Agent'
cd nessus
cd triggers
New-Item -Name goub.txt   # <---- Trigger File Name
This is what it looks like before I add the file
The scan has started, since the trigger file was deleted from the triggers folder.
As you can see below, the scan has been activated since it's running in the task manager. This is also confirmed because in my Tenable dashboard, the files are showing as "triggered".
Now I just have to wait for the results once the scan is complete.
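The trigger step above can also be scripted so that it confirms the agent actually picked the file up. This is an added example, not part of the original walkthrough or Tenable's own tooling; the function name, the timeout and the service display name "Tenable Nessus Agent" are assumptions, while the folder path and goub.txt come from the steps above.

```powershell
# Added example: drops the trigger file and waits for the agent to consume it.
# Start-AgentTriggeredScan is a hypothetical helper name used for illustration.
function Start-AgentTriggeredScan {
    param(
        [string]$TriggerName = 'goub.txt',
        [string]$TriggerDir  = (Join-Path $env:ProgramData 'Tenable\Nessus Agent\nessus\triggers'),
        [int]$TimeoutSeconds = 300
    )

    # Assumption: the agent's service display name starts with "Tenable Nessus Agent".
    $svc = Get-Service -DisplayName 'Tenable Nessus Agent*' -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if (-not $svc -or $svc.Status -ne 'Running') {
        throw 'Nessus Agent service is not running; the trigger file would never be picked up.'
    }
    if (-not (Test-Path -LiteralPath $TriggerDir -PathType Container)) {
        throw "Triggers folder not found: $TriggerDir"
    }

    $path = Join-Path $TriggerDir $TriggerName
    if (Test-Path -LiteralPath $path) {
        # A leftover file means an earlier trigger was never consumed.
        Write-Warning 'Trigger file already present; waiting on the existing one.'
    } else {
        New-Item -Path $path -ItemType File | Out-Null
    }

    # The agent deletes the file when it starts the scan, so poll for its removal.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (-not (Test-Path -LiteralPath $path)) {
            return [pscustomobject]@{ Trigger = $TriggerName; Consumed = $true; At = Get-Date }
        }
        Start-Sleep -Seconds 5
    }
    # Still present after the timeout: check the scan's trigger name and agent group.
    return [pscustomobject]@{ Trigger = $TriggerName; Consumed = $false; At = Get-Date }
}

Start-AgentTriggeredScan
```

Run it from an elevated PowerShell session on the VM; `Consumed = $false` means the file was still present after the timeout, so the scan did not start.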










