You can manually add Windows endpoints to the Nebula console in several ways. The most common method is to copy an installer file to the endpoint and run the MSI file from the endpoint. You may also add endpoints using the command line or with a dissolvable remediation tool.
This article covers the following methods:
- Use a downloaded installer and copy it to the endpoint.
- Command line remote installation for Windows endpoints, which can be run silently.
If you have many endpoints, you can use the Windows 64-bit MSI installer with many common installation methods including:
- Microsoft Endpoint Manager (SCCM & Intune) and Microsoft GPO.
- Remote Monitoring and Management (RMM) solutions such as SolarWinds, Datto and others.
- Deploy using the Discovery and Deployment Tool. For more information, see the Discovery and Deployment Tool Handbook.
Use a downloaded installer
To manually install on a Windows endpoint, download the ThreatDown Endpoint Agent installer and run the file from the endpoint. Each installer is pre-configured for your account.
Windows Endpoint Installer Notes
- Endpoints are assigned to the Default Group and use the Default Policy unless you specify a different group. To automatically assign endpoints to a group during installation:
  - On the left navigation menu, click Download Center.
  - Under the Advanced tools tab, click the Specify group assignment link.
- The Deployment tab has two methods to begin deployment with your Windows users:
  - Direct Download: Download the Endpoint Agent installer to your local endpoint.
  - Link Sharing: Copy and share the download link to the Endpoint Agent installer. Links expire after 7 days. Choose from the following options:
    - Copy installer link: Contains the download link.
    - Copy installer link with instructions: Contains the download link and installation instructions.
Installation process
- On the left navigation menu, click Download Center.
- Select Windows OS or Windows Server from the platform drop-down menu.
- Specify the installer type from the installer version drop-down menu.
  - (64-bit) MSI installer: The default and most commonly used for modern Windows endpoints.
  - (32-bit) MSI installer: Use on Windows devices running a 32-bit operating system.
  - (ARM) MSI installer: Use on Windows 11 devices like a Surface Pro with an Advanced RISC Machine (ARM) Processor such as Snapdragon.
- Click Start download.
- After you have downloaded the installer, copy it to the endpoint and double-click the file to run the installer.
- When the installation process completes, the Endpoint Agent registers and the endpoint appears in Nebula.
- The Endpoint Agent retrieves policy information from the console, and configures the required agent services to communicate with Nebula. This process takes about 5 minutes until the endpoint is protected and ready to scan.
Command line installation
Another option is to run the installer on the target endpoint using the command line. These commands can be run either manually or through automation.
See the commands below if you want to perform a silent installation on a Windows endpoint. The Windows MSI command is shown on multiple lines due to the length of the command. Note: < > denotes a variable; do not include the angle brackets in commands.
msiexec /i "<fullpath1>\Setup.MBEndpointAgent.x64.msi" /q
Windows command line switches
- /i - Runs installation. Example:
  msiexec /i "<fullpath1>\Setup.MBEndpointAgent.x64.msi" /passive
- /x - Runs uninstall. Example:
  msiexec /x "<fullpath1>\Setup.MBEndpointAgent.x64.msi" /quiet
- /quiet or /qn - Optional. Runs silent installation.
- /passive - Optional. Runs installation and shows GUI progress box.
- /lv - Optional. Outputs verbose logs to the specified file. Example:
  msiexec /i "<fullpath1>\Setup.MBEndpointAgent.x64.msi" /qn /lv %userprofile%\desktop\MBInstallVerbose.txt
- /log or /l - Optional. Outputs logs to the specified file. If a software deployment tool is being tested where /log cannot be used, a registry setting can force logging. For more information, see Additional MSI References below.
MSI notes
- The command switches and values must be used in the order shown.
- msiexec must be run as an administrator. This defaults the working directory to C:\windows\system32. Full quoted path names are recommended.
- UNC networked folders are supported, such as \\server\ThreatDown\Setup.MBEndpointAgent.x64.msi
MSIEXEC variables
Variables are optional MSIEXEC properties that may be used with the MSIEXEC command. Variables must come last in the command line but may be in any order.
See the table below for details on the optional MSIEXEC variables.
Variable | Description |
APPNOREMOVE | When Endpoint Protection is running or being installed, two services show in Add/Remove Programs: Endpoint Agent, and service. APPNOREMOVE is a Microsoft variable that hides the Uninstall option for the Endpoint Agent in Add/Remove Programs. The service is not affected and will still display. Use this variable to prevent casual removal of the agent by end users such as students with local administrator rights. |
GROUP | If you want to install endpoints using the command line and assign them to a specific group, use the GROUP variable and GroupID. The GroupID can be found on the Download Center page in the console. Go to the Download Center. On the right side of the screen, click Specify group assignment link. From the list of GroupIDs that displays, copy the GroupID that you want to assign the server to. If the GroupID entered in the command does not match any groups, the installer will use the Default Group and Default Policy. |
LOGLEVEL | Sets the Endpoint Agent logging to INFO or DEBUG. INFO is the default value if not set. |
NEBULA_PROXY_SERVER | Address of the proxy server. |
NEBULA_PROXY_PORT | Proxy server port to connect on. |
NEBULA_PROXY_USER | Proxy server username. If the username contains spaces, enclose it in quotes, like "Donald Blake". |
NEBULA_PROXY_PWD | Password to log in to the proxy server. If the password contains spaces, enclose it in quotes, like "s3cr3t p4ssw0rd". |
NEBULA_PROXY_BYPASS_ON_LOCAL | Allows the active proxy to be bypassed when accessing local resources. |
VERIFY_NETWORK | This optional variable checks connectivity during installation. When set to VERIFY_NETWORK=1, the installer checks for network connectivity and DNS resolution against:
Any addresses that fail this connection test are shown on screen and in the installer log. If VERIFY_NETWORK fails, endpoint installation fails. |
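The following PowerShell wrapper is an added example, not code from ThreatDown: it validates the MSI's Authenticode signature, runs the silent install with switches first and MSI variables last as described above, and checks the msiexec exit code. The function name, parameter names and default log location are assumptions made for the example.

```powershell
# Added example (not vendor code). Function and parameter names are hypothetical.
function Install-EndpointAgent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MsiPath,   # full local or UNC path to the MSI
        [string] $GroupId,                          # GroupID copied from the Download Center
        [string] $LogPath = (Join-Path $env:TEMP 'MBInstallVerbose.txt')
    )

    # Refuse to run an installer whose Authenticode signature does not validate,
    # e.g. a file modified in transit or on a file share.
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $MsiPath ($($sig.Status))"
    }
    Write-Verbose "Signed by: $($sig.SignerCertificate.Subject)"

    # Switches first, in the order the article shows; MSI variables go last.
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/lv', "`"$LogPath`"")
    if ($GroupId) { $msiArgs += "GROUP=$GroupId" }
    # Proxy variables (NEBULA_PROXY_*) would be appended the same way. Note that
    # msiexec arguments, including NEBULA_PROXY_PWD, are recorded wherever
    # process command-line auditing is enabled.

    # msiexec must run elevated; -Wait/-PassThru expose the installer exit code.
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    switch ($proc.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'Installed, reboot required' }
        default { throw "msiexec exit code $($proc.ExitCode); see $LogPath" }
    }
}

# Usage (placeholder values; replace them, without the angle brackets):
# Install-EndpointAgent -MsiPath '<fullpath1>\Setup.MBEndpointAgent.x64.msi' -GroupId '<GroupID>' -Verbose
```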
Additional MSI References
See the following articles for more information on using MSIs and the command line:
- How to enable Windows Installer logging
- Standard Installer Command-Line Options
- Windows Installer Error Messages
- Deploying an MSI through GPO tutorial
Check Windows Services
Once the endpoint agent is installed on the device, two services are loaded: MBEndpointAgent and MBAMService. Both must be running for the endpoint to communicate and be protected. To check if these services are running, run these commands from the Windows command line:
sc.exe query MBEndpointAgent
Expected result:
SERVICE_NAME: mbendpointagent
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
sc.exe query MBAMService
Expected result:
SERVICE_NAME: mbamservice
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
When the health monitoring policy option is enabled on the endpoint, a third service called EAServiceMonitor is also loaded onto the endpoint. This policy option is enabled by default. The service monitors and restarts the MBEndpointAgent service if it becomes disabled or stopped.
sc.exe query EAServiceMonitor
Expected result:
SERVICE_NAME: easervicemonitor
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
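The same three checks can be run in one pass from PowerShell, for example from an RMM job that should flag an endpoint whose agent services are stopped or disabled. This is an added example, not vendor code; the function name and the HealthMonitoring parameter are assumptions.

```powershell
# Added example (not vendor code). Function and parameter names are hypothetical.
function Test-EndpointAgentServices {
    [CmdletBinding()]
    param(
        # Set to $false if the health monitoring policy option is disabled,
        # in which case EAServiceMonitor is not expected on the endpoint.
        [bool] $HealthMonitoring = $true
    )

    $names = @('MBEndpointAgent', 'MBAMService')
    if ($HealthMonitoring) { $names += 'EAServiceMonitor' }

    foreach ($name in $names) {
        # Win32_Service exposes both the run state and the configured start mode.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Service   = $name
            State     = $(if ($svc) { $svc.State } else { 'NotInstalled' })
            StartMode = $(if ($svc) { $svc.StartMode } else { $null })
            # Healthy means installed, running, and not set to Disabled.
            Healthy   = [bool]($svc -and $svc.State -eq 'Running' -and
                               $svc.StartMode -ne 'Disabled')
        }
    }
}

$report = Test-EndpointAgentServices
$report | Format-Table -AutoSize

# Surface any service that is missing, stopped or disabled.
$unhealthy = @($report | Where-Object { -not $_.Healthy })
if ($unhealthy) {
    Write-Warning ("Endpoint not fully protected: " + ($unhealthy.Service -join ', '))
}
```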
Using Sysprep to deploy images
Administrators who use machine images for fast endpoint deployment may wish to include the endpoint agent on their images. Endpoints have a unique identity assigned to them. Therefore, creating a deployable image containing the endpoint agent requires a few extra steps. You want to avoid accidentally creating multiple endpoints that try to share the same identity.
The Microsoft Sysprep utility helps strip the identity of the endpoint agent. A Sysprep-stripped agent can use a unique identity when copied from a deployed image onto a new endpoint. Sysprep is built into modern Windows versions.
Please see these articles to use Sysprep: