Deploying Wazuh Agents Using Windows Group Policy Objects (GPO)#

Introduction#

Managing security agent deployment across hundreds or thousands of Windows endpoints can be a daunting task. Manual installation is time-consuming, error-prone, and doesn’t scale well. This is where Windows Group Policy Objects (GPO) come to the rescue, enabling centralized, automated deployment of the Wazuh agent across your entire Active Directory infrastructure.

By leveraging GPO for Wazuh agent deployment, organizations can achieve:

🚀 Automated Deployment: Push agents to all domain-joined machines
🎯 Centralized Management: Control deployments from a single location
🔧 Consistent Configuration: Ensure uniform agent settings
📊 Scalable Operations: Deploy to thousands of endpoints effortlessly
🔄 Easy Updates: Manage agent versions through policy updates

Understanding the Components#

Group Policy Objects (GPO)#

GPOs are collections of policy settings in Microsoft Windows that allow administrators to:

Configure operating system settings
Deploy software packages
Enforce security policies
Manage user and computer configurations

MSI and MST Files#

MSI (Microsoft Software Installer): Package format for Windows installations
MST (Microsoft Transform): Customization file that modifies MSI behavior
Orca: Microsoft tool for creating and editing MSI/MST files

Architecture Overview#

1
flowchart TB
2
    subgraph "Active Directory Infrastructure"
3
        DC[Domain Controller<br/>GPO Management]
4
        AD[Active Directory]
5
        GPO1[Wazuh Agent<br/>Deployment GPO]
6
        GPO2[Wazuh Service<br/>Activation GPO]
7
    end
8

9
    subgraph "Shared Resources"
10
        SF[Network Share<br/>\\Win-0aeqj5brr86\dc]
11
        MSI[Wazuh Agent MSI]
12
        MST[Custom.mst File]
13
    end
14

15
    subgraph "Target Endpoints"
16
        OU[Wazuh OU]
17
        W1[Windows 11<br/>Endpoint 1]
18
        W2[Windows 11<br/>Endpoint 2]
19
        W3[Windows 11<br/>Endpoint N]
20
    end
21

22
    subgraph "Wazuh Infrastructure"
23
        WS[Wazuh Server]
24
        WD[Wazuh Dashboard]
25
    end
26

27
    DC --> GPO1
28
    DC --> GPO2
29
    GPO1 --> SF
30
    SF --> MSI
31
    SF --> MST
32
    GPO1 --> OU
33
    GPO2 --> OU
34
    OU --> W1
35
    OU --> W2
36
    OU --> W3
37
    W1 -.->|Register| WS
38
    W2 -.->|Register| WS
39
    W3 -.->|Register| WS
40
    WS --> WD
41

42
    style DC fill:#ffd43b
43
    style WS fill:#51cf66
44
    style GPO1 fill:#4dabf7
45
    style GPO2 fill:#4dabf7

Infrastructure Requirements#

Wazuh Server: Pre-built OVA 4.7.3 with all core components
Domain Controller: Windows Server 2019+ hosting Active Directory
Target Endpoints: Windows 11 domain-joined machines
Administrative Account: Domain admin privileges for GPO creation

Implementation Guide#

Phase 1: Configure Wazuh Server#

Enable password-based agent enrollment for automated deployment:

1
# Edit the Wazuh configuration
2
vi /var/ossec/etc/ossec.conf

Enable password authentication:

1
<auth>
2
  <use_password>yes</use_password>
3
</auth>

Create and secure the password file:

1
# Set enrollment password
2
echo "BlueWolf" > /var/ossec/etc/authd.pass
3

4
# Secure the password file
5
chmod 640 /var/ossec/etc/authd.pass
6
chown root:wazuh /var/ossec/etc/authd.pass
7

8
# Restart Wazuh manager
9
systemctl restart wazuh-manager

Phase 2: Create MST File with Orca#

Install Orca#

Download Windows SDK Components for Windows Installer Developers
Install Orca from: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x86\Orca-x86_en-us.msi

Configure Wazuh Agent Installer#

Launch Orca and open the Wazuh agent MSI file
Navigate to the Property table
Create a new transform: Transform > New Transform
Add deployment parameters:

1
ADDRESS = <WAZUH_SERVER_IP>
2
AUTHD_SERVER = <WAZUH_SERVER_IP>
3
PROTOCOL = TCP
4
PASSWORD = BlueWolf

Save as custom.mst: Transform > Generate Transform

MST Configuration Details#

1
flowchart LR
2
    subgraph "MSI Package"
3
        MP[Original MSI<br/>Parameters]
4
    end
5

6
    subgraph "MST Transform"
7
        T1[ADDRESS]
8
        T2[AUTHD_SERVER]
9
        T3[PROTOCOL]
10
        T4[PASSWORD]
11
    end
12

13
    subgraph "Installation"
14
        I1[Modified<br/>Installation]
15
    end
16

17
    MP --> T1
18
    MP --> T2
19
    MP --> T3
20
    MP --> T4
21
    T1 --> I1
22
    T2 --> I1
23
    T3 --> I1
24
    T4 --> I1
25

26
    style T1 fill:#51cf66
27
    style T2 fill:#51cf66
28
    style T3 fill:#51cf66
29
    style T4 fill:#51cf66

Set up a shared folder for GPO deployment:

1
# Create shared folder
2
New-Item -Path "C:\Users\$env:USERNAME\Desktop\DC" -ItemType Directory
3

4
# Share with authenticated users
5
$sharePath = "C:\Users\$env:USERNAME\Desktop\DC"
6
New-SmbShare -Name "DC" -Path $sharePath -ReadAccess "Authenticated Users"

Copy the Wazuh MSI and custom.mst files to the shared folder.

Phase 4: Configure Group Policy Objects#

Create Organizational Unit#

Open Active Directory Users and Computers
Right-click domain → New → Organizational Unit
Name it “Wazuh”
Move target computers to this OU

Create Deployment GPO#

Open Group Policy Management (gpmc.msc)
Create new GPO: “Wazuh agent deployment”
Edit GPO:
- Navigate to: Computer Configuration → Policies → Software Settings → Software installation
- Right-click → New → Package
- Select MSI from network share
- Choose Advanced deployment
- Add custom.mst in Modifications tab

Create Service Activation GPO#

Create new GPO: “Wazuh agent activate”
Edit GPO:
- Navigate to: Computer Configuration → Preferences → Control Panel Settings → Services
- Create new service:
  - Service name: WazuhSvc
  - Service action: Start service
  - Recovery: Set all to Restart the Service

Phase 5: Apply and Test Deployment#

Link GPOs to OU#

1
# Link GPOs to Wazuh OU
2
New-GPLink -Name "Wazuh agent deployment" -Target "OU=Wazuh,DC=wazuhtests,DC=com"
3
New-GPLink -Name "Wazuh agent activate" -Target "OU=Wazuh,DC=wazuhtests,DC=com"

Force Policy Update#

On target endpoints, run with administrative privileges:

1
# Interactive update
2
gpupdate /force
3

4
# Non-interactive update
5
echo N | gpupdate /force

Verify Deployment#

On Wazuh server:

1
# Check registered agents
2
/var/ossec/bin/agent_control -l

Expected output:

1
Wazuh agent_control. List of available agents:
2
   ID: 000, Name: wazuh-server (server), IP: 127.0.0.1, Active/Local
3
   ID: 001, Name: Windows11, IP: any, Active

Advanced Configuration#

Customizing Deployment Parameters#

Create different MST files for various scenarios:

1
# Development environment MST
2
$devParams = @{
3
    ADDRESS = "10.0.1.100"
4
    AUTHD_SERVER = "10.0.1.100"
5
    PROTOCOL = "TCP"
6
    PASSWORD = "DevPassword"
7
    AGENT_NAME = "DEV-%COMPUTERNAME%"
8
}
9

10
# Production environment MST
11
$prodParams = @{
12
    ADDRESS = "10.0.2.100"
13
    AUTHD_SERVER = "10.0.2.100"
14
    PROTOCOL = "TCP"
15
    PASSWORD = "ProdPassword"
16
    AGENT_NAME = "PROD-%COMPUTERNAME%"
17
}

Targeting Specific Computer Groups#

Use WMI filters for granular deployment:

1
-- Deploy only to Windows 11 workstations
2
SELECT * FROM Win32_OperatingSystem
3
WHERE Version LIKE "10.0.22%"
4
AND ProductType = "1"
5

6
-- Deploy only to servers
7
SELECT * FROM Win32_OperatingSystem
8
WHERE ProductType != "1"

Monitoring Deployment Progress#

Create a PowerShell script for deployment monitoring:

1
$computers = Get-ADComputer -Filter * -SearchBase "OU=Wazuh,DC=wazuhtests,DC=com"
2

3
foreach ($computer in $computers) {
4
    $result = Test-Connection -ComputerName $computer.Name -Count 1 -Quiet
5
    if ($result) {
6
        $service = Get-Service -Name "WazuhSvc" -ComputerName $computer.Name -ErrorAction SilentlyContinue
7
        if ($service) {
8
            Write-Host "$($computer.Name): Wazuh installed - Status: $($service.Status)" -ForegroundColor Green
9
        } else {
10
            Write-Host "$($computer.Name): Wazuh not installed" -ForegroundColor Red
11
        }
12
    } else {
13
        Write-Host "$($computer.Name): Offline" -ForegroundColor Yellow
14
    }
15
}

Troubleshooting#

Common Issues and Solutions#

Issue 1: GPO Not Applying#

Symptoms: Agent not installing after gpupdate

Solutions:

1
# Check GPO application
2
gpresult /h gpreport.html
3

4
# Verify computer is in correct OU
5
Get-ADComputer -Identity "ComputerName" | Select DistinguishedName
6

7
# Check GPO permissions
8
Get-GPPermission -Name "Wazuh agent deployment" -All

Issue 2: Installation Fails#

Check Windows Event Logs:

1
# Check application logs
2
Get-EventLog -LogName Application -Source MsiInstaller -Newest 20
3

4
# Check system logs
5
Get-EventLog -LogName System -Source GroupPolicy -Newest 20

Issue 3: Agent Not Connecting#

Verify network connectivity:

1
# Test Wazuh server connectivity
2
Test-NetConnection -ComputerName <WAZUH_SERVER_IP> -Port 1514
3
Test-NetConnection -ComputerName <WAZUH_SERVER_IP> -Port 1515

Deployment Validation Script#

1
param(
2
    [string]$WazuhServer = "192.168.1.100",
3
    [string]$ExpectedVersion = "4.7.3"
4
)
5

6
function Test-WazuhDeployment {
7
    $results = @()
8

9
    # Check if Wazuh is installed
10
    $installed = Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Wazuh*"}
11

12
    if ($installed) {
13
        $results += "✓ Wazuh installed: $($installed.Version)"
14

15
        # Check service status
16
        $service = Get-Service -Name "WazuhSvc" -ErrorAction SilentlyContinue
17
        if ($service) {
18
            $results += "✓ Wazuh service status: $($service.Status)"
19
        } else {
20
            $results += "✗ Wazuh service not found"
21
        }
22

23
        # Check configuration
24
        $configPath = "C:\Program Files (x86)\ossec-agent\ossec.conf"
25
        if (Test-Path $configPath) {
26
            $config = Get-Content $configPath
27
            if ($config -match $WazuhServer) {
28
                $results += "✓ Correct server configured: $WazuhServer"
29
            } else {
30
                $results += "✗ Incorrect server configuration"
31
            }
32
        }
33

34
        # Check connectivity
35
        if (Test-NetConnection -ComputerName $WazuhServer -Port 1514 -InformationLevel Quiet) {
36
            $results += "✓ Can reach Wazuh server"
37
        } else {
38
            $results += "✗ Cannot reach Wazuh server"
39
        }
40
    } else {
41
        $results += "✗ Wazuh not installed"
42
    }
43

44
    return $results
45
}
46

47
# Run validation
48
$validation = Test-WazuhDeployment
49
$validation | ForEach-Object { Write-Host $_ }

Best Practices#

1. Phased Deployment#

1
flowchart LR
2
    subgraph "Phase 1"
3
        P1[Test OU<br/>5-10 machines]
4
    end
5

6
    subgraph "Phase 2"
7
        P2[Pilot OU<br/>50-100 machines]
8
    end
9

10
    subgraph "Phase 3"
11
        P3[Department OUs<br/>500+ machines]
12
    end
13

14
    subgraph "Phase 4"
15
        P4[Enterprise-wide<br/>All machines]
16
    end
17

18
    P1 -->|Validate| P2
19
    P2 -->|Monitor| P3
20
    P3 -->|Scale| P4
21

22
    style P1 fill:#51cf66
23
    style P2 fill:#4dabf7
24
    style P3 fill:#ffd43b
25
    style P4 fill:#ff6b6b

2. Security Considerations#

Password Protection: Use strong, unique passwords for agent enrollment
Network Security: Restrict share access to authenticated users only
MST Security: Protect MST files from unauthorized modification
GPO Permissions: Limit who can modify deployment GPOs

3. Maintenance Strategy#

1
# Automated agent version check
2
$targetVersion = "4.7.3"
3
$outdatedComputers = @()
4

5
Get-ADComputer -Filter * -SearchBase "OU=Wazuh,DC=wazuhtests,DC=com" | ForEach-Object {
6
    $version = Invoke-Command -ComputerName $_.Name -ScriptBlock {
7
        (Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" |
8
         Where-Object {$_.DisplayName -like "*Wazuh*"}).DisplayVersion
9
    } -ErrorAction SilentlyContinue
10

11
    if ($version -ne $targetVersion) {
12
        $outdatedComputers += $_.Name
13
    }
14
}
15

16
# Report outdated installations
17
if ($outdatedComputers.Count -gt 0) {
18
    Write-Host "Computers needing update:" -ForegroundColor Yellow
19
    $outdatedComputers | ForEach-Object { Write-Host " - $_" }
20
}

Scaling Considerations#

Large Enterprise Deployments#

For organizations with thousands of endpoints:

Stagger Deployments: Use multiple GPOs with different schedules
Regional Distribution: Create regional file shares for MSI distribution
Bandwidth Management: Implement BITS for package distribution
Load Balancing: Deploy multiple Wazuh servers behind a load balancer

Performance Optimization#

1
<!-- Optimize GPO processing -->
2
<GPO>
3
  <Computer>
4
    <ExtensionSettings>
5
      <Extension>
6
        <CSE>{42B5FAAE-6536-11d2-AE5A-0000F87571E3}</CSE>
7
        <Mode>Replace</Mode>
8
        <Policy>
9
          <SlowLinkThreshold>500</SlowLinkThreshold>
10
          <BackgroundPriority>Low</BackgroundPriority>
11
        </Policy>
12
      </Extension>
13
    </ExtensionSettings>
14
  </Computer>
15
</GPO>

Integration with SCCM/ConfigMgr#

For organizations using System Center Configuration Manager:

1
# Create SCCM application for Wazuh
2
$app = New-CMApplication `
3
    -Name "Wazuh Agent 4.7.3" `
4
    -Publisher "Wazuh Inc" `
5
    -SoftwareVersion "4.7.3"
6

7
# Add deployment type
8
Add-CMDeploymentType `
9
    -ApplicationName "Wazuh Agent 4.7.3" `
10
    -DeploymentTypeName "MSI Installer" `
11
    -InstallCommand "msiexec /i wazuh-agent.msi TRANSFORMS=custom.mst /qn" `
12
    -DetectionMethod {Get-Service -Name WazuhSvc}

Conclusion#

Deploying Wazuh agents through Group Policy Objects transforms a potentially complex, time-consuming task into an automated, scalable solution. This approach ensures:

✅ Consistent deployment across all domain-joined machines
🚀 Rapid rollout to thousands of endpoints
🔧 Centralized management of agent configurations
📊 Easy monitoring of deployment status
🔄 Simplified updates through policy modifications

By following this guide, organizations can achieve comprehensive endpoint security coverage while minimizing administrative overhead.

Key Takeaways#

Plan Thoroughly: Test MST configurations before mass deployment
Phase Rollouts: Start small and scale gradually
Monitor Progress: Use scripts to track deployment success
Document Everything: Maintain records of GPO configurations
Regular Updates: Plan for agent version management

Resources#

Automate security at scale. Deploy once, protect everywhere! 🛡️