Deploying osquery for Windows Using GPO (Group Policy Objects)
We are asked quite often if deploying the osquery agent is possible via Windows Group Policy Objects (GPOs).
While there are many downsides to using GPOs to deploy packages when compared with more comprehensive solutions like Intune or SCCM, it is absolutely possible. It can be a big time saver if no other method is available, and you can’t beat the price!
If you are going to use GPOs, keep in mind the following:
- MSI deployment via GPOs provides little information on the status of the installation. If the installation is successful, osquery will start generating data and sending it to its destination (such as a logging system or Uptycs). If the installation fails for whatever reason (for example, the PC shut down during the installation), the only record of that will be in the local event logs of the PC.
- When deploying software which has auto-update capabilities, it is safer to disable those and push updates via the same GPO, to avoid cases where the old version would overwrite a new one.
- For a GPO to successfully deploy software, the machine must be on the domain, and in some cases, reboot while connected to the corporate network. This makes it harder to deploy on remote systems.
- In this guide, we will create a share to store the MSI. Do not use the Windows sysvol share for this even though it is replicated across all DCs. If you need replication, to deploy osquery to many machines in different offices, you can enable DFS Replication between multiple file servers.
Creating the GPO
This procedure explains how to deploy the MSI to your systems, and is perfect for testing in a lab environment. In a real environment, we highly recommend using groups that are more restrictive and that only contain the users and computers that should have access to the MSI.
1. Download the MSI package from the Uptycs console under the Configuration page, or get the open source osquery MSI package.
2. Place the MSI in a share that “Authenticated Users” can read (and only read). If needed, create a read-only share on a centralized file server. If you do not already have a read-only share available, create a share called Software_Deployment. At the share level, we let EVERYONE read, and at the NTFS level, Authenticated Users get Read & Execute, List and Read. If creating more restrictive groups, keep in mind that software assigned to users will be read by those users, while software assigned to computers will be read by computer accounts, which will need Read & Execute.
3. Now that the MSI is in our read-only share, in Windows Group Policy Management, Create a Group Policy object, linked to the top OU containing your computers. Give it a name such as “Uptycs-Deploy”. We recommend testing it on a smaller OU before linking it to the top.
4. Edit the GPO. Go to Computer Configuration / Policies / Software Settings / Software Installation. Right click in the right pane and choose New > Package.
5. Browse to the osquery MSI you downloaded using the UNC path of the share we created in the previous steps (ex: \\servername\software_deployment). Pick the osquery MSI and click Open.
6. Pick the Assigned deployment method.
7. As PCs in the scope of the OU where you applied this GPO update their policies, and eventually reboot, Uptycs will get deployed and it will connect back to the cloud environment.
To test that it is working:
- Run gpupdate /force in the command line on a PC.
- Reboot it.
- Check Add/Remove programs for osquery.
If osquery is present, your GPO is correct and the share was readable; any other systems will start to get it as GPOs are refreshed every 90 minutes by default. In many cases, a reboot will be required for the installation to complete and the service to start. Keep an eye on the Uptycs console or your fleet management tool to see the machines as they come online, which is usually only a few seconds after the installation completes.
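To go beyond a manual look at Add/Remove programs, the following PowerShell check is an added example (not from the original post and not an Uptycs tool) that runs on a test PC after gpupdate /force and a reboot: it confirms the share is readable, that osquery appears in the uninstall registry, that the service is running, and pulls the MsiInstaller success/failure events from the local Application log, which is the only record of a failed GPO install. The UNC path and MSI file name are placeholders, and the service name osqueryd is assumed (it is what the open source MSI registers; check your package if it differs).

```powershell
function Test-OsqueryDeployment {
    param(
        # Placeholder path: replace with the real share and MSI file name.
        [string]$MsiPath = '\\servername\software_deployment\osquery-PLACEHOLDER.msi',
        # Assumed service name; adjust if your MSI registers a different one.
        [string]$ServiceName = 'osqueryd',
        [int]$LookbackHours = 24
    )

    # 1. Can this computer read the share? Computer-assigned software is fetched
    #    under the machine account, so run this elevated for a fair test.
    $shareReadable = Test-Path -LiteralPath $MsiPath

    # 2. Is osquery listed in Add/Remove Programs? Check 64-bit and 32-bit views.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*osquery*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate

    # 3. Is the service present and running?
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

    # 4. MSI outcome from the local Application log:
    #    11707 = installation succeeded, 11708 = installation failed,
    #    1033  = installation completed with a status code.
    $since = (Get-Date).AddHours(-$LookbackHours)
    $msiEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MsiInstaller'; StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { ($_.Id -in @(1033, 11707, 11708)) -and ($_.Message -match 'osquery') } |
        Select-Object TimeCreated, Id, Message

    [PSCustomObject]@{
        ShareReadable = $shareReadable
        Installed     = [bool]$installed
        Version       = $installed.DisplayVersion
        ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        MsiEvents     = $msiEvents
        Healthy       = [bool]($shareReadable -and $installed -and $svc -and ($svc.Status -eq 'Running'))
    }
}

Test-OsqueryDeployment | Format-List
```

If Healthy is false but ShareReadable is true, the MsiEvents list is where to look next; an 11708 entry means the installer itself failed, while no entries at all usually means the policy has not yet applied to the computer (compare with gpresult /r /scope:computer).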
If you pushed the open source osquery package, it will need to be configured. If you pushed a custom package, with configuration embedded in the package, it will automagically start logging data to the configured destination.