You can manually add Windows endpoints to the Nebula console in several ways. A common method is copying the installer to the endpoint and running the MSI file there. You can also add endpoints via command line or through remote deployment tools.
This article covers the following methods:
- Use a downloaded MSI installer and copy it to the endpoint.
- Command line remote installation for Windows endpoints, which can be run silently.
If you have many endpoints, you can use the installer with other installation methods including:
- Microsoft Endpoint Manager (SCCM & Intune) and Microsoft GPO.
- Remote Monitoring and Management (RMM) solutions such as SolarWinds, Datto and others.
- Deploy using the Discovery and Deployment Tool. For more information, see the Discovery and Deployment Tool Handbook.
A Scan + Report is automatically run by the Endpoint Agent within 30 minutes after being installed to display any threats found on the machine. Use the Actions > Remediate Endpoint(s) on the Endpoints page to clean any threats found. For more information, see Perform actions on endpoints in Nebula.
Use a downloaded installer
To manually install on a Windows endpoint, including on devices with an Advanced RISC Machine Processor (ARM) processor, download the ThreatDown Endpoint Agent installer and run the file from the endpoint. Each installer is pre-configured for your account.
Windows Endpoint Installer Notes
- Endpoints are assigned to the Default Group and use the Default Policy unless you specify a different group. To automatically assign endpoints to a group during installation:
- On the left navigation menu, click Download Center.
- Under the Advanced tools tab, click the Specify group assignment link.
- The Deployment tab has two methods to begin deployment with your Windows users:
- Direct Download: Download the Endpoint Agent installer to your local endpoint.
-
Link Sharing: Copy and share the download link to the Endpoint Agent installer. Links expire after 7 days. Choose from the following options:
- Copy installer link: Contains the download link.
- Copy installer link with instructions: Contains the download link and installation instructions.
Installation process
- On the left navigation menu, click Download Center.
- Select Windows OS or Windows Server from the platform drop-down menu.
- For legacy operating systems (Windows 7, 8, 8.1, and Windows 10 version 1511 or earlier, Windows Server 2008, 2008 R2, 2012, 2012 R2), select Legacy installer. These operating systems no longer receive new ThreatDown features, but continue to receive protection and database updates. We recommend upgrading the device to a supported operating system.
- Specify the installer type from the installer version drop-down menu.
- (64-bit) MSI installer: The default and most commonly used for modern Windows endpoints.
- (32-bit) MSI installer: Use on Windows devices running a 32-bit operating system.
- (ARM) MSI installer: Use on Windows 11 devices like a Surface Pro with an ARM Processor such as Snapdragon.
- Click Start download.
- After you have downloaded the installer, copy it to the endpoint and double-click the file to run the installer.
- When the installation process completes, the Endpoint Agent registers and the endpoint appears in Nebula.
- The Endpoint Agent retrieves policy information from the console, and configures the required agent services to communicate with Nebula. This process takes about 5 minutes until the endpoint is protected and ready to scan.
Command line installation
Another option is to run the installer on the target endpoint using command line. These commands can be run either manually or through automation.
See the commands below if you want to perform a silent installation on a Windows endpoint. The Windows MSI command is shown on multiple lines due to the length of the command. Note: < > denotes a variable but should not be used in commands.
msiexec /i "<fullpath1>\Setup.MBEndpointAgent.x64.msi" /q
Windows command line switches
- /i - Run installation. Example:
msiexec /i "<fullpath1>\Setup.MBEndpointAgent.x64.msi" /passive - /x - Runs uninstall. Example:
msiexec /x "<fullpath1>\Setup.MBEndpointAgentx.64.msi" /quiet - /quiet or /qn - Optional. Runs silent installation.
- /passive - Optional. Runs installation and shows GUI progress box.
- /lv - Optional. Outputs verbose logs to the specified file. Example:
msiexec /i "<fullpath1>\Setup.MBEndpointAgent.x64.msi" /qn /lv %userprofile%\desktop\MBInstallVerbose.txt - /log or /l - Optional. Outputs logs to the specified file. If a software deployment tool is being tested where /log cannot be used, a registry setting can force logging. For more information, see Additional MSI References below.
MSI notes
- The command switches and values must be used in the order shown.
- msiexec must be run as an administrator. This defaults the working directory to C:\windows\system32. Full quoted path names are recommended.
- UNC networked folders are supported, such as \\server\ThreatDown\Setup.MBEndpointAgent.x64.msi
MSIEXEC variables
Variables are optional MSIEXEC properties that may be used with the MSIEXEC command. Variables must come last in the command line but may be in any order.
See the table below for details on the optional MSIEXEC variables.
| Variable | Description |
|---|---|
| APPNOREMOVE |
When Endpoint Protection is running or being installed, two services show in Add/Remove Programs: Endpoint Agent, and service. APPNOREMOVE is a Microsoft variable that hides the Uninstall option for the Endpoint Agent in Add/Remove Programs. The service is not affected and will still display. Use this variable to prevent casual removal of the agent by end users such as students with local administrator rights. |
| GROUP |
If you want to install endpoints using the command line and assign them to a specific group, use the GROUP variable and GroupID. The GroupID can be found on the Download Center page in the console.
Go to the Download Center. On the right side of the screen, click Specify group assignment link. From the list of GroupIDs that displays, copy the GroupID that you want to assign the server to.
If the GroupID entered in the command does not match any groups, the installer will use the Default Group and Default Policy. |
| LOGLEVEL | Sets the Endpoint Agent logging to INFO or DEBUG. INFO is the default value if not set. |
| NEBULA_PROXY_SERVER | Address of the proxy server. |
| NEBULA_PROXY_PORT | Proxy server port to connect on. |
| NEBULA_PROXY_USER | Proxy server username. If the username contains spaces, enclose it in quotes, like “Donald Blake”. |
| NEBULA_PROXY_PWD | Password to log in to the proxy server. If the password contains spaces, enclose it in quotes, like “s3cr3t p4ssw0rd”. |
| NEBULA_PROXY_BYPASS_ON_LOCAL | Allows the active proxy to be bypassed when accessing local resources. |
| VERIFY_NETWORK |
This optional variable checks connectivity during installation. When set to VERIFY_NETWORK=1, the installer checks for network connectivity and DNS resolution against:
Any addresses that fail this connection test are shown on screen and in the installer log. If VERIFY_NETWORK fails, endpoint installation fails. |
Additional MSI References
See the following articles for more information on using MSIs and the command line:
- How to enable Windows Installer logging
- Standard Installer Command-Line Options
- Windows Installer Error Messages
- Deploying an MSI through GPO tutorial
Check Windows Services
Once the endpoint agent is installed on the device, two services are loaded, MBEndpointAgent and MBAMService. These must be running in order for the endpoint to communicate and be protected. To check if these services are running, run these commands in Windows command line:
sc.exe query MBEndpointAgentExpected result:
SERVICE_NAME: mbendpointagent
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
sc.exe query MBAMServiceExpected result:
SERVICE_NAME: mbamservice
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
When the health monitoring policy option is enabled on the endpoint, a third service called EAServiceMonitor is also loaded onto the endpoint. This policy option is enabled by default. The service monitors and restarts the MBEndpointAgent service if it becomes disabled or stopped.
sc.exe query EAServiceMonitorExpected result:
SERVICE_NAME: easervicemonitor
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Using Sysprep to deploy images
Administrators who use machine images for fast endpoint deployment may wish to include the endpoint agent on their images. Endpoints have a unique identity assigned to them. Therefore, creating a deployable image containing the endpoint agent requires a few extra steps. You want to avoid accidentally creating multiple endpoints that try to share the same identity.
The Microsoft Sysprep utility helps strip the identity of the endpoint agent. A Sysprep-stripped agent can use a unique identity when copied from a deployed image onto a new endpoint. Sysprep is built into modern Windows versions.
Please see these articles to use Sysprep: