
Agent installation instructions - the command to install windows might not work #4085

Closed
gdiazlo opened this issue Apr 21, 2022 · 10 comments · Fixed by #4132 or #4142
Assignees
Labels
type/bug Bug issue

Comments

@gdiazlo
Copy link
Member

gdiazlo commented Apr 21, 2022

| Wazuh | Elastic | Rev | Security |
|-------|---------|-----|----------|
| 4.x | 7.x | 4xxx | - |

Description
The command to install an agent displayed by the UI step-by-step guide is:

```powershell
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.0-1.msi -OutFile wazuh-agent-4.3.0.msi; ./wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='10.0.0.241' WAZUH_REGISTRATION_SERVER='10.0.0.241'
```

This command, if executed in a PowerShell in c:\windows\system32, even with administrator privileges, does not work. This seems to be a common scenario.

image

This command works correctly if it is executed from the user $home directory. We can modify this command by:

```powershell
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.2.6-1.msi -OutFile "$home\wazuh-agent-4.2.6.msi"; Invoke-Expression "$home\wazuh-agent-4.2.6.msi /q WAZUH_MANAGER='wazuh' WAZUH_REGISTRATION_SERVER='wazuh'"
```

which will use the user $home folder regardless of where it is executed. But this approach assumes the user $home is defined and writable, which most of the time should be true.

We should agree with the @wazuh/cicd team and @wazuh/core on this.

@gdiazlo gdiazlo added the type/bug Bug issue label Apr 21, 2022
@vikman90 vikman90 added this to the Release 4.3.0 RC6 milestone Apr 22, 2022
@gdiazlo
Copy link
Member Author

gdiazlo commented Apr 22, 2022

We need to update @wazuh/content to reflect the change in the documentation.

@santiago-bassett
Copy link
Member

Do we want to use $home? What are other vendors doing?

@okynos
Copy link

okynos commented Apr 25, 2022

Hello team,

I have done some research on this problem. We got the following facts:

  • The default path in PowerShell varies between users: vagrant has C:\Windows\System32, Administrator has C:\Users\Administrator.
  • The vagrant user can't see any new file in the System32 folder, so it cannot see the MSI.
  • The Administrator user cannot see the files downloaded into System32, but it can execute them.
  • The System32 folder has special permissions, as Windows itself points out. It's recommended to avoid working in such a directory.
  • It's a matter of file occlusion for the vagrant user, which doesn't allow that user to launch the installer.
  • The same problem exists with other installers, like the notepad++ MSI file.

Here we have traces of a working and a failing installation:
working-trace.txt
error-trace.txt

Recommended command (tested) to set into the Wazuh app:

```powershell
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.0-1.msi -OutFile C:\wazuh-agent-4.3.0.msi; C:\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='xxx.xxx.xxx.xxx' WAZUH_REGISTRATION_SERVER='xxx.xxx.xxx.xxx' WAZUH_AGENT_GROUP='default'; rm C:\wazuh-agent-4.3.0.msi
```

I don't recommend the use of the $home variable, since it could be missing in Windows XP or other versions.

Comparison with the Chocolatey install:

```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
```

@okynos
Copy link

okynos commented Apr 26, 2022

Vendors installation

| Vendor | Install command | Ref | Notes |
|--------|-----------------|-----|-------|
| CrowdStrike/Falcon | `msiexec.exe /i CrowdStrikeInstaller.msi CID=123456qweasdzxc` | REF | It lacks a download strategy. |
| LogRythm | `LRSystemMonitor.exe /S /v/qn` | REF | It lacks a download strategy. |
| SumoLogic | `SumoCollector.exe -console -q "-Vsumo.accessid=<accessId>" "-Vsumo.accesskey=<accessKey>" "-Vsources=<filepath>"` | REF | It lacks a download strategy. |
| Datadog | `start /wait msiexec /qn /i datadog-agent-7-latest.amd64.msi APIKEY="XXX" SITE="datadoghq.eu"` or `Start-Process -Wait msiexec -ArgumentList '/qn /i datadog-agent-7-latest.amd64.msi APIKEY="XXX" SITE="datadoghq.eu"'` | REF (in cloud app) | It lacks a download strategy. |
| TrendMicro | `AcAgentSetup_x86.exe ServerHost=https://10.10.10.42:4343` | REF | It lacks a download strategy. |
| AtomiCorp | `Invoke-WebRequest http://<hub_ip>/installers/agent_deployV2.ps1 -Outfile .\agent_deployV2.ps1` | REF | ⚠️ The only one that includes a download strategy; it will probably fail like our command. |
| Splunk | `msiexec.exe /I Splunk.msi SPLUNKUSERNAME=SplunkAdmin SPLUNKPASSWORD=MyNewPassword /quiet` | REF | It lacks a download strategy. |
| FleetDM | No command | REF | It is a deployment tool that manages installation. |
| Osquery | No MSI, no command | REF | Build the MSI file and install as usual. |
| Tanium | `SetupClient.exe /ServerAddress={<FQDN/IPaddress>}[,{<FQDN/IPaddress>},...] [/ServerPort=<PortNumber>] [/LogVerbosityLevel=<LogLevel>] [/KeyPath=<FullPath>\[tanium‑init.dat/tanium.pub] [/ReportingTLSMode=[0/1/2]] [/ProxyAutoConfigAddress=<URL/filename.pac>] [/ProxyServers=<FQDN/IPaddress:PortNumber>] [/S] [/D=<DirectoryPath>]` | REF | It lacks a download strategy. |
| SentinelOne | `"C:\Users\usr\AppData\Local\Temp\SentinelInstaller.msi" /q /norestart UI=false SITE_TOKEN="51te70k3n"` | REF | It lacks a download strategy. |
| Carbonblack | `msiexec /qn /i C:\Users\UserFolderName\Desktop\installer_vista_win7_win8-64.msi /L*vx log.txt COMPANY_CODE=12345678 GROUP_NAME=Phase1` | REF | It lacks a download strategy. |
| Kubernetes | No command | REF | Download the EXE and add it to the path. |
| Docker | | REF | It lacks a download strategy. |
| Grafana | No command | REF | It lacks a download strategy. |
| Elastic | No MSI, no command | REF | Elastic provides ZIPs instead of MSIs; you have to download the ZIP, uncompress it and install it in the Program Files folder. |
| TripWire | `<installer_file> INSTALLDIR=<target_binary_installation_dir>` | REF | It lacks a download strategy. |

Windows environment variables

Suggested vars:

  • %SystemDrive% (CMD), $env:systemdrive (PowerShell)
  • %APPDATA% (CMD), $env:appdata (PowerShell)
  • %HOMEDRIVE% (CMD), $env:homedrive (PowerShell)
  • %HOMEPATH% (CMD), $env:homepath (PowerShell)
  • %ProgramFiles% (CMD), $env:programfiles (PowerShell)
  • %TEMP% / %TMP% (CMD), $env:temp (PowerShell)
  • %USERPROFILE% (CMD), $env:userprofile (PowerShell)

Reference -> https://en.wikipedia.org/wiki/Environment_variable#Microsoft_Windows

Suggested command

```powershell
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.0-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.0.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='xxx.xxx.xxx.xxx' WAZUH_REGISTRATION_SERVER='xxx.xxx.xxx.xxx' WAZUH_AGENT_GROUP='default'
```

⚠️ Take a look at AtomiCorp case ⚠️

@snaow
Copy link
Contributor

snaow commented May 3, 2022

In progress. @wazuh/qa testing.

@Machi3mfl
Copy link
Member

Solution screenshot

Splunk

image

@jmv74211
Copy link

jmv74211 commented May 9, 2022

After the review of this issue in wazuh/wazuh-qa#2855, it was determined that the command worked correctly, with the exception of a particular version of Windows 7.

Further investigation was performed at wazuh/wazuh-qa#2869, and it was concluded that the Invoke-WebRequest command was added as of PowerShell v3 (see: "This cmdlet was introduced in PowerShell 3.0.").

After installing Windows 7 Service Pack 1 and Service Pack 2, it has been possible to upgrade the PowerShell version from 2.0 to 5.1, and it has been verified that the command now works correctly.

@fedepacher has yet to check that the command works correctly for powershell v3.0.

In case it works correctly with this version (it should), it is proposed to add a message that PowerShell v3 or higher is required for Windows.

@AlexRuiz7
Copy link
Member

AlexRuiz7 commented May 9, 2022

PR for Splunk: wazuh/wazuh-splunk#1315

@Desvelao
Copy link
Member

Changes

We added the requirement of PowerShell 3.0 or later in these PRs:

@jmv74211
Copy link

After the tests performed by @fedepacher here, we can conclude that on Windows the command:

```powershell
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.3.0-1.msi -OutFile ${env:tmp}\wazuh-agent-4.3.0.msi; msiexec.exe /i ${env:tmp}\wazuh-agent-4.3.0.msi /q WAZUH_MANAGER='xxx.xxx.xxx.xxx' WAZUH_REGISTRATION_SERVER='xxx.xxx.xxx.xxx' WAZUH_AGENT_GROUP='default'
```

works for PowerShell versions >= 3.0.
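The following script is an added example, not code from this thread or from Wazuh, that folds the two conclusions reached above into one defensible install routine: okynos' suggested command (download into %TEMP% rather than the current directory, then call msiexec explicitly) and jmv74211's finding that Invoke-WebRequest needs PowerShell 3.0 or later. The manager address, agent group and version are placeholders/assumptions; the TLS 1.2 line mirrors the Chocolatey one-liner quoted earlier in the thread. Unlike the one-liner, it checks the PowerShell version before calling Invoke-WebRequest, verifies the download actually landed, waits for msiexec and inspects its exit code, and always removes the MSI afterwards.

```powershell
# Added example: a hardened version of the install flow discussed in this issue.
# Not Wazuh's own installer. Placeholders: -Manager, -AgentGroup, -Version.
param(
    [string]$Manager    = 'xxx.xxx.xxx.xxx',  # placeholder: the Wazuh manager address
    [string]$AgentGroup = 'default',
    [string]$Version    = '4.3.0-1'           # package version as used in the thread's URL
)

$ErrorActionPreference = 'Stop'

# 1. Invoke-WebRequest was introduced in PowerShell 3.0, so fail early with a clear
#    message instead of a "not recognized" error on old Windows 7 images.
if ($PSVersionTable.PSVersion.Major -lt 3) {
    throw "PowerShell 3.0 or later is required (found $($PSVersionTable.PSVersion))."
}

# 2. packages.wazuh.com is served over HTTPS; older .NET defaults may not offer
#    TLS 1.2, so enable it (3072 = SecurityProtocolType.Tls12), as the Chocolatey
#    installer does.
[System.Net.ServicePointManager]::SecurityProtocol = `
    [System.Net.ServicePointManager]::SecurityProtocol -bor 3072

# 3. Never write into the current directory: it may be C:\Windows\System32, where
#    the downloaded file can be invisible or unusable. %TEMP% is per-user and writable
#    and, unlike $home, is defined on every supported Windows version.
$url  = "https://packages.wazuh.com/4.x/windows/wazuh-agent-$Version.msi"
$dest = Join-Path $env:TEMP "wazuh-agent-$Version.msi"

try {
    Invoke-WebRequest -Uri $url -OutFile $dest
    if (-not (Test-Path -LiteralPath $dest)) {
        throw "Download failed: $dest was not created."
    }

    # 4. Call msiexec explicitly (no reliance on the .msi file association), wait
    #    for it, and check the exit code instead of assuming success.
    $argList = @(
        '/i', "`"$dest`"", '/q',
        "WAZUH_MANAGER=$Manager",
        "WAZUH_REGISTRATION_SERVER=$Manager",
        "WAZUH_AGENT_GROUP=$AgentGroup"
    )
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList `
                          -Wait -PassThru -NoNewWindow

    switch ($proc.ExitCode) {
        0    { Write-Output 'Wazuh agent installed.' }
        3010 { Write-Output 'Wazuh agent installed; a reboot is required.' }
        default { throw "msiexec failed with exit code $($proc.ExitCode)." }
    }
}
finally {
    # 5. Clean up the installer whether or not the install succeeded.
    Remove-Item -LiteralPath $dest -Force -ErrorAction SilentlyContinue
}
```

Because it declares parameters, this is meant to be saved as a .ps1 file and run from an elevated PowerShell (for example `.\install-wazuh-agent.ps1 -Manager 10.0.0.241`), which is also why it can afford to be explicit about failures where the copy-and-paste one-liner in the UI cannot. Exit code 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) is treated as success so that automation does not retry a completed install.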
