Technical details on Windows agent
Installation and uninstallation of the agent
Windows installation package comes under the form of a .msi
file. This package follows Microsoft official recommendations regarding installation file creation.
Agent MSI is generated directly from the Cyberwatch interface, using the Windows agent creation form. The MSI is loaded with the selected configurations from the form in Cyberwatch, such as: the architecture type, groups, Cyberwatch instance URL…
It is also possible to get the installers directly through these download links:
- Windows Server 2003 & Windows 7: 32 bits version or 64 bits version
- Windows Server 2008: 64 bits version
- Windows Server 2012: 64 bits version
- Windows Server 2016 / 2019 / 2022 / 2025 & Windows 10 / 11: 32 bits version or 64 bits version
Once installed, a program is added to the the list of programs and features available through the control panel.
The MSI can be installed with a simple “double click” on the file, as any other installation file. For bulk deployment, the agent supports official Microsoft deployment methods such as GPOs but also any other deployment mechanism using third-party solutions (e.g. SCCM, Chocolatey…).
Uninstalling the Cyberwatch agent also follows official Microsoft recommendations. The agent can be uninstalled from the list of program and features of the control panel.
How the agent works
On Windows systems, agent installation will create a service named CyberwatchAgent.service
and a directory C:\Program Files\CYBERWATCH SAS\CyberwatchAgent\
.
This directory contains the following elements:
- a
logs/
directory gathering the agent logs in two separate files:- a file
agent.log
for the agent execution logs - a file
service.log
for the service execution logs
- a file
- the file
agent.conf
contains the agent configuration information (URL, API keys…) - executable file
cyberwatch-agent.exe
execution program of the agent - executable file
CyberwatchService.exe
, used for the service creation - a PowerShell script
launcher.ps1
called by the service, and responsible for launching the filecyberwatch-agent.exe
The service CyberwatchService
is executed every 5 minutes and triggers the communication of the agent with the Cyberwatch scanner to which it is registered, based on the URL configured than can be found in the file agent.conf
.
When communicating with the Cyberwatch server, the agent will simply send a request to the Cyberwatch API and fetch the tasks, if any, that has to be performed on the asset (e.g. launch a scan, deploy a patch…).
Agent updates
Cyberwatch regularly publishes agent updates, these changes are all listed in the changelog of the Cyberwatch agent.
These updates can include improvements on performance or some new features related to the agent installation and functioning for example.
These updates are not linked to the Cyberwatch application updates, an older agent version not updated will still work with the upcoming Cyberwatch versions (unless specifically indicated). Cyberwatch still recommends to update installed agents whenever it is possible.
To update the Windows agent, it is only needed to reinstall the MSI package over an already present installation. The new agent version will then replace the version previously present on the system. These updates can also be performed using the bulk deployment methods mentioned above.
Please note that if the agent update is done after a management server change, and before installing the new Cyberwatch agent, it will be necessary to take care about deleting all the elements that belongs to the old agent previously installed to avoid configuration issues. The following elements have to be deleted:
- those found in
C:\Program Files\CYBERWATCH SAS\CyberwatchAgent
- the associated register keys
Deploy the agent via GPO (optional)
This procedure has been tested on a Windows 2019 server, details may vary according to the version used. In this page, we will use the more commonly used term GPO for the Group Policy Preferences (GPP) to be defined.
The following procedure can be used to install the Cyberwatch agent using a GPO and the task scheduler to avoid restarting your assets:
Download the Cyberwatch agent MSI file from Assets Management > Agents > Add
Create a shared folder to store the Cyberwatch agent MSI file and the deployment batch script
The script content (.bat file) is as follows asset (ajust the script with the path to the MSI file):
@ECHO OFF if EXIST "C:\Program Files\CYBERWATCH SAS\CyberwatchAgent\cyberwatch-agent.exe" ( echo "Cyberwatch Agent is present" ) else ( msiexec /qn /i "\\Server\PathTo\cyberwatch_agent-x64.msi" )
This script checks the presence of the Cyberwatch agent on the machine and silently installs it if it is not installed.
On your Domain Controller server, open Group Policy Management and create a GPO under your domain
Edit the newly created GPO to open the Group Policy Management Editor
Under “Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks”, create a new scheduled task (At least Windows 7) with the following configuration:
- General tab: give the task a name and use the “NT AUTHORITY\System” account when running the task
- Triggers tab: add a trigger according to your preferences
- Actions tab: add a “Start a program” action and select the .bat file created earlier
Link the GPO to an OU or to your domain from Group Policy Management
Once the GPO applied to the clients, a scheduled task will be created to run the deployment script.