We are asked quite often if deploying the osquery agent is possible via Windows Group Policy Objects (GPOs).
While there are many downsides to using GPOs to deploy packages when compared with more comprehensive solutions like Intune or SCCM, it is absolutely possible. It can be a big time saver if no other method is available, and you can’t beat the price!
If you are going to use GPOs, keep in mind the following:
This procedure explains how to deploy the MSI to your systems, and is perfect for testing in a lab environment. In a real environment, we highly recommend using groups that are more restrictive and that only contain the users and computers that should have access to the MSI.
1. Download the MSI package from the Uptycs console under the Configuration page, or get the open source osquery MSI package.
2. Place the MSI in a share that “Authenticated Users” can read (and only read). If needed, create a read-only share on a centralized file server. If you do not already have a read-only share available, create a share called Software_Deployment. At the share level, we let EVERYONE read, and at the NTFS level, Authenticated Users get Read & Execute, List and Read. If creating more restrictive groups, keep in mind that software assigned to users will be read by those users, while software assigned to computers will be read by computer accounts, which will need Read & Execute.
3. Now that the MSI is in our read-only share, open Windows Group Policy Management and create a Group Policy Object linked to the top OU containing your computers. Give it a name such as “Uptycs-Deploy”. We recommend testing it on a smaller OU before linking it to the top.
4. Edit the GPO. Go to Computer Configuration / Policies / Software Settings / Software Installation. Right click in the right pane and choose New > Package.
5. Browse to the osquery MSI you downloaded using the UNC path of the share we created in the previous steps (ex: \\servername\software_deployment). Pick the osquery MSI and click Open.
6. Pick the Assigned deployment method.
7. As PCs in the scope of the OU where you applied this GPO update their policies, and eventually reboot, Uptycs will get deployed and it will connect back to the cloud environment.
To test that it is working:
If osquery is present on the test system, your GPO is correct and the share was readable; other systems in scope will start to get it as GPOs are refreshed, which happens every 90 minutes by default. In many cases, a reboot will be required for the installation to complete and the service to start. Keep an eye on the Uptycs console or your fleet management tool to see them as they come online. This should usually be only a few seconds after installation completes.
If you pushed the open source osquery package, it will need to be configured. If you pushed a custom package with the configuration embedded in it, it will automagically start logging data to the configured destination.
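As an added example (not from the original post or from Uptycs), the following PowerShell script checks a client in the GPO's scope for the things the test step above depends on: that the MSI is readable from the share, that the share is not writable by the broad groups it is exposed to (anything installed from it runs as SYSTEM on every target), that the GPO applied, and that the product and its service are present. It assumes the share name Software_Deployment from step 2, the GPO name Uptycs-Deploy from step 3, a placeholder file server name SERVERNAME, and that the MSI installs a service called osqueryd; adjust those parameters to match your environment.

```powershell
# Added verification script (not part of the original post). Run in an elevated PowerShell
# session on a computer in the scope of the GPO. All parameter values are assumptions.
param(
    [string]$SharePath   = '\\SERVERNAME\Software_Deployment',  # placeholder: your read-only share
    [string]$GpoName     = 'Uptycs-Deploy',                      # GPO name used in step 3
    [string]$ServiceName = 'osqueryd'                            # assumed service name from the osquery MSI
)

# 1. The MSI must be readable from the share (the install runs under the computer account).
$msi = Get-ChildItem -Path $SharePath -Filter '*.msi' -ErrorAction SilentlyContinue
if ($msi) { $msi | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize }
else      { Write-Warning "No MSI readable at $SharePath (check share and NTFS permissions)" }

# 2. Broad groups must only be able to read: a writable deployment share lets any user replace
#    an MSI that every target will then install as SYSTEM. (Numeric generic-rights entries are
#    not decoded here; review those by hand.)
$broad = 'Everyone|Authenticated Users|\\Users$|Domain Users'
Get-Acl -Path $SharePath | Select-Object -ExpandProperty Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.IdentityReference -match $broad -and
                   $_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles|Delete' } |
    ForEach-Object { Write-Warning "Broad group '$($_.IdentityReference)' has $($_.FileSystemRights) on the share" }

# 3. The GPO must be applied to this computer (gpresult lists applied computer GPOs by name).
if ((gpresult /r /scope:computer) -match [regex]::Escape($GpoName)) {
    "GPO '$GpoName' is applied to this computer."
} else {
    Write-Warning "GPO '$GpoName' not applied yet: check the OU link, run 'gpupdate /force' and reboot"
}

# 4. The product should appear under the Uninstall registry keys and its service should be running.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'osquery|uptycs' } |
    Select-Object DisplayName, DisplayVersion, InstallDate | Format-Table -AutoSize

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc)                     { Write-Warning "Service '$ServiceName' not installed (reboot pending?)" }
elseif ($svc.Status -ne 'Running') { Write-Warning "Service '$ServiceName' is $($svc.Status)" }
else                               { "Service '$ServiceName' is running." }

# 5. Software Installation events from Group Policy explain failures such as an unreadable share.
#    The provider name below is assumed; adjust it if your Windows version logs under another name.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Management Group Policy';
                                 StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

The ACL check in step 2 runs against the NTFS permissions as seen over the UNC path; the share-level permissions themselves can only be reviewed on the file server (for example with Get-SmbShareAccess).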