Installing windows agent on mass servers via powershell help

bjerre · March 10, 2020, 8:34am

Dear forum.

I’m trying to install the windows agent on +100 servers and would like to do this via powershell. But i have run in to some problems.

When exec my script:

$RemoteMachine = "REMOTE-SERVER"
$domaincredentials = get-credential
write-host "Server Name is: $RemoteMachine"

#Copy the MSI Local to the computer
Write-Host "Copying MSI locally"
Copy "\\FILESERVER\d\cmk\check-mk-agent.msi" \\$RemoteMachine\c$\

#Run the MSI remotely
Write-Host "Running MSI"
Invoke-Command -ComputerName $RemoteMachine -Credential $domaincredentials -ScriptBlock { Start-Process -FilePath "msiexec.exe" -ArgumentList "/i C:\check-mk-agent.msi /quiet /lvx C:\cmk.log"}

I get this error in the verbose logging output
MSI (s) (4C:F0) [09:27:52:289]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3: 2 MSI (s) (4C:F0) [09:27:52:290]: File will have security applied from OpCode. MSI (s) (4C:F0) [09:27:52:297]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\check-mk-agent.msi' against software restriction policy MSI (s) (4C:F0) [09:27:52:297]: Note: 1: 2262 2: DigitalSignature 3: -2147287038 MSI (s) (4C:F0) [09:27:52:297]: SOFTWARE RESTRICTION POLICY: C:\check-mk-agent.msi is not digitally signed MSI (s) (4C:F0) [09:27:52:298]: SOFTWARE RESTRICTION POLICY: C:\check-mk-agent.msi is permitted to run at the 'unrestricted' authorization level.

How do i go about installing the agent on all of my servers?

tavanez · March 10, 2020, 9:21am

Hi @bjerre,

Just add the execution policy at the beginning of the script and it will work.

bjerre · March 10, 2020, 9:23am

Thanks, i already read up some more.
And this is the final script

$HostToUpdate = Read-Host -Prompt 'FQDM Name of server'
$domaincredentials = get-credential
$RemoteMachine = $HostToUpdate

write-host "Server Name is: $RemoteMachine"

#Copy the MSI Local to the computer
Write-Host "Copying MSI locally"
Copy "\\FILESERVER\d\cmk\check-mk-agent.msi" \\$RemoteMachine\c$\

#Run the MSI remotely
Write-Host "Enable WINRM on $RemoteMachine"
PsExec.exe \\$RemoteMachine -s winrm.cmd quickconfig -q

#Run the MSI remotely
Write-Host "Running MSI"
Invoke-Command -cn $RemoteMachine -Credential $domaincredentials -ScriptBlock { Start-Process msiexec.exe -ArgumentList "/i C:\check-mk-agent.msi /qn /lvx C:\Windows\Logs\cmk-agent-install.log"}

Invoke-Command -cn $RemoteMachine -ScriptBlock {Remove-Item $args -force } -ArgumentList 'c:\check-mk-agent.msi'

darin · March 11, 2020, 1:08pm

Are you taking into account whether or not the local firewall is active and is going to block access to the service? You might want to add a rule that allows access to the service, see below. I realize this will allow any system on the domain,private network to access the service, I limit via only_from in the check_mk.user.yml configuration.

# firewall rule
$fwrule = Get-NetFirewallRule -DisplayName "*check_mk*"

if (-NOT($fwrule)) {
    New-NetFirewallRule -Name check_mk -DisplayName "Check_MK Monitoring Agent" -Enabled True -Direction Inbound -Profile Domain,Private -Protocol TCP -LocalPort 6556 -Program "%ProgramFiles(x86)%\checkmk\service\check_mk_agent.exe"
}

marass · March 12, 2020, 7:49am

I read that with a new Werk the 1.6.0p7 and newer takes care of firewall rules.
https://checkmk.de/check_mk-werks.php?werk_id=10197

system · April 11, 2020, 5:49pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.