Agent-Based Scanning
To perform individual scans on a host-by-host basis, Shield allows users to download and install agents across assets to assess the risks and vulnerabilities on each of those assets. To install the agent on each machine, Shield provides a simple PowerShell script to execute on each host (or across multiple hosts with a remote monitoring and management tool).
Deployment
There are several ways that users can access the deployment script for agent-based vulnerability scanning. Within the Agents page, users can click New Agent and they will be directed to the Agent deployment page. Additionally, users can navigate directly to the Deployment (Agent-Based) page to access a subscription-specific PowerShell script that can be deployed on a host-by-host basis or deployed to multiple hosts via a preferred remote monitoring and management tool.
Once the agents are deployed, users can navigate back to the Agents page and click Refresh Agents to view the newly deployed agents.
Results
Once the agents appear in the platform on the Agents page, users can click Refresh Agent Vulnerabilities to sync all of the discovered vulnerabilities and configurations across all of the hosts where an agent is running. All vulnerability and configuration information that has been discovered on an agent-by-agent basis will live within the Internal Network module.
Network Communications
Uninstalling Agents
To uninstall agents from endpoints where they are currently running, users can run the following command to remove the Shield Agent and its associated service and resources:
msiexec.exe /x ShieldCyberAgent.msi /qn
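The msiexec.exe /x form above needs the original ShieldCyberAgent.msi to be present on the endpoint. The script below is an added example (not Shield's own tooling) that instead looks the agent up in the MSI uninstall registry keys and removes it by ProductCode, so it works from a remote management tool even after the MSI has been deleted. It assumes the agent registers with a DisplayName starting with "Shield Cyber Agent"; check Apps & features on one host and adjust the pattern if it differs.

```powershell
# Added example, not Shield's own script: uninstall the Shield Cyber Agent by
# ProductCode so the original MSI is not required on the endpoint.
# ASSUMPTION: the DisplayName pattern below matches how the agent appears in
# Apps & features on your hosts; adjust $DisplayNamePattern if it does not.
#Requires -RunAsAdministrator
param(
    [string]$DisplayNamePattern = 'Shield Cyber Agent*',
    [string]$LogPath = "$env:ProgramData\ShieldAgentUninstall.log"
)

$ErrorActionPreference = 'Stop'

function Get-MsiProductCodes {
    param([string]$Pattern)
    # Check both registry views: native 64-bit and 32-bit (WOW6432Node) installs
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # MSI entries use the ProductCode GUID as the key name; skip non-MSI entries
            if ($p.DisplayName -like $Pattern -and $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
                New-Object PSObject -Property @{
                    ProductCode = $_.PSChildName
                    DisplayName = $p.DisplayName
                    Version     = $p.DisplayVersion
                }
            }
        }
    }
}

$products = @(Get-MsiProductCodes -Pattern $DisplayNamePattern)
if ($products.Count -eq 0) {
    Write-Output "No product matching '$DisplayNamePattern' is installed; nothing to do."
    exit 0
}

foreach ($prod in $products) {
    Write-Output "Removing $($prod.DisplayName) $($prod.Version) ($($prod.ProductCode))"
    # /x by ProductCode, silent, no forced reboot, verbose log for troubleshooting
    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList @('/x', $prod.ProductCode, '/qn', '/norestart', '/l*v', "`"$LogPath`"") `
        -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Output 'Uninstall succeeded.' }
        3010    { Write-Output 'Uninstall succeeded; a reboot is required to finish.' }
        1605    { Write-Output 'Product was not installed (already removed).' }
        default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
    }
}
```

Run it elevated (it stops otherwise). The verbose log written to $LogPath is what to look at when the exit code is anything other than 0, 3010 or 1605; the registry lookup is used deliberately instead of Win32_Product, which triggers a consistency check of every installed MSI package when queried.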
Troubleshooting
For older operating systems that do not support newer versions of PowerShell and/or cannot download the Shield Cyber Agent MSI file programmatically, the MSI can be downloaded manually and transferred over to the machine and installed with the steps outlined below.
- Download the latest version of the Shield Cyber Agent MSI here: Shield Cyber Agent MSI
- Run the commands below or save them to a PowerShell (.ps1) file to execute on the target hosts:
Additional Deployment Methods
Deploy Shield via Microsoft Intune
To deploy the Shield agent via Intune, users can leverage Intune's PowerShell scripting feature to install the Shield vulnerability collection agent on their desired hosts.
Navigate to Intune
Navigate to https://intune.microsoft.com to access the Intune platform.
Access the device scripting and remediations section within Intune
Navigate to the Devices module on the left-side pane, then open the Scripts and remediations function and select the Platform scripts tab.
Navigate to the Shield platform & Agent deployment feature
Navigate to the Shield platform within the subscription you are looking to deploy from. Go to the Agents module and select Add Agent and copy the generated PowerShell script to a .ps1 file.
Create Intune PowerShell Script
Select Add from the Intune Platform Scripts section and select Windows 10 and later option. Name the script, add a description, and select Next.
Set scope for devices configured within Intune, Review, & finish
Select the desired group and/or devices that you would like to deploy the Shield vulnerability agent to and select Next. Review all options and then click Add to your Intune PowerShell scripts.
Deploy Shield via GPO
Deployment via Group Policy can be achieved and assigned in several ways, including:
- Per-User: If it is assigned on a per-user basis, then it will be installed when the user logs on.
- Per-Machine: If it is assigned on a per-machine basis, then it will be installed when the machine starts.
Please follow the steps listed below to install the Shield vulnerability collection agent with Group Policy:
Create a distribution point
- Log onto the server as an Administrator
- Create a shared network folder (which will contain the MSI)
- Set permission on this folder to allow access to the distribution package
- Copy the Shield Cyber Agent MSI (linked here) in the shared folder
Create a batch script to run the MSI
- Copy the following command into a file, insert your subscription ID, and name the file ShieldCyberAgent.bat
- Save the file and place it in the shared distribution point
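Both the Troubleshooting steps (a manually transferred MSI on an older host) and the GPO startup script above install the agent with msiexec, and in the GPO case the script runs as SYSTEM on every boot. The script below is an added example, not Shield's generated deployment script or batch file. It verifies the MSI against a hash you recorded at download time and checks its Authenticode signature before installing, and treats the "already installed" exit code as success so repeated startup runs are harmless. It assumes the subscription ID is passed as an MSI public property; the property name SUBSCRIPTION_ID_PROPERTY is a placeholder, and the real one should be taken from the script the Shield portal generates. SHA-256 is computed through .NET rather than Get-FileHash so the script also runs on older PowerShell versions.

```powershell
# Added example, not Shield's own deployment script: verify a transferred MSI,
# then install it silently with the subscription ID, handling msiexec exit codes
# so the script is safe to run repeatedly (e.g. as a GPO startup script).
# ASSUMPTIONS / PLACEHOLDERS:
#   - $ExpectedSha256 is the hash you recorded when downloading the MSI from the portal.
#   - SUBSCRIPTION_ID_PROPERTY is a placeholder MSI property name; use the real
#     one from the portal's generated script.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory=$true)][string]$MsiPath,         # e.g. \\fileserver\ShieldDeploy\ShieldCyberAgent.msi
    [Parameter(Mandatory=$true)][string]$SubscriptionId,  # from the Deployment (Agent-Based) page
    [string]$ExpectedSha256 = 'REPLACE_WITH_HASH_RECORDED_AT_DOWNLOAD',
    [string]$LogPath = "$env:ProgramData\ShieldAgentInstall.log"
)

$ErrorActionPreference = 'Stop'

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing works on PowerShell 2.0+, where Get-FileHash is unavailable
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Test-MsiIntegrity {
    param([string]$Path, [string]$Sha256)
    if (-not (Test-Path -LiteralPath $Path)) { throw "MSI not found: $Path" }
    # 1) Hash pin: the file is byte-for-byte the one you downloaded
    $actual = Get-Sha256Hex -Path $Path
    if ($actual -ne $Sha256.ToUpperInvariant()) {
        throw "SHA-256 mismatch for $Path (got $actual, expected $Sha256)"
    }
    # 2) Authenticode: the package carries a valid signature chain
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Authenticode check failed for $Path : $($sig.Status)"
    }
    Write-Output "MSI verified: SHA-256 ok, signed by '$($sig.SignerCertificate.Subject)'"
}

function Install-ShieldAgentMsi {
    param([string]$Path, [string]$SubId, [string]$Log)
    $msiArgs = @(
        '/i', "`"$Path`"",
        '/qn', '/norestart',
        "SUBSCRIPTION_ID_PROPERTY=$SubId",   # placeholder property name, see header
        '/l*v', "`"$Log`""
    )
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode
}

Test-MsiIntegrity -Path $MsiPath -Sha256 $ExpectedSha256
$code = Install-ShieldAgentMsi -Path $MsiPath -SubId $SubscriptionId -Log $LogPath

switch ($code) {
    0       { Write-Output 'Install succeeded.' }
    3010    { Write-Output 'Install succeeded; a reboot is required to finish.' }
    1638    { Write-Output 'Another version of the agent is already installed; nothing changed.' }
    default { throw "msiexec failed with exit code $code; see $LogPath" }
}
```

From the GPO batch file, the script can be called as powershell.exe -NoProfile -ExecutionPolicy Bypass -File \\server\share\Install-ShieldAgent.ps1 -MsiPath \\server\share\ShieldCyberAgent.msi -SubscriptionId <id> -ExpectedSha256 <hash>. Because startup scripts run as the computer account, the shared distribution point must grant read access to Domain Computers (or the specific machine accounts), not only to the administrators who created it; a share readable only by users is the most common reason a startup install silently does nothing.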
Create a Group Policy Object
- Go to Start and open Group Policy Management
- Expand Forest (your forest) > Domains (your domain)
- Right-click on Group Policy Objects and select New
- Enter a name for your policy and leave Source Starter GPO as (none)
Configure the Startup Script in GPO
- Double click on your previously created policy
- In the right panel click on the Settings Tab
- You should see Computer Configuration and User Configuration; right-click anywhere in the panel and select Edit
- Expand Computer Configuration > Windows Settings and double-click on Scripts
- Right-click on Startup and select Properties
- Click Add and select the batch file that you created within the shared location.
- Click Apply and OK to save the GPO to run the script the next time the machine is restarted.