Taegis Endpoint Agent for Windows Installation
Prerequisites
Prior to installation, review requirements and follow prerequisite steps on Taegis™ XDR Endpoint Agent Information and Prerequisites.
Important
To ensure uninterrupted connectivity to the Taegis Endpoint Agent update service, we recommend that you periodically update CA certificates with the latest trusted root certificates.
DNS Resolution
The Windows Taegis Endpoint Agent leverages DNS to resolve the addresses listed in the Network Connectivity Requirements. By default, the agent attempts to use the primary Google DNS server (8.8.8.8) over HTTPS (TCP 443) to resolve the domains required for its registration and operation. If communications to 8.8.8.8 via TCP 443 are not permitted during installation, define alternate DNS server addresses to resolve domains using traditional DNS (UDP 53) communication during installation.
Agents attempt to resolve DNS in this order:
1. Query Google DNS (8.8.8.8) over HTTPS.
2. On failure of step 1, query primary user-provided override over UDP. Users are forced to provide an override during installation if the previous step fails in their environment.
3. On failure of step 2, query secondary user-provided override (if available) over UDP.
Data Provided from Integration
Alerts | Auth | DNS | File Collection | HTTP | NIDS | Netflow | Process | File Modification | API Call | Registry | Scriptblock | Management | Persistence | Thread Injection | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Taegis Windows Endpoint Agent | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Installation
Choose one of the following options for installing the Taegis Endpoint Agent for Windows:
- Install using AgentMigrator PowerShell Scripts
- Install using the MSI Installer
- Install using Command Line
- Install using MDMs
Install Taegis Endpoint Agent Using PowerShell Script
Secureworks provides a PowerShell script that automates the validation of prerequisites for the Windows Taegis Endpoint Agent. The script can be used for migrations from Red Cloak Endpoint Agent to Taegis Endpoint Agent or for brand new installations, where it helps validate prerequisites for new Taegis Endpoint Agent deployments.
At a high level, the script:
- Performs pre-installation validation checks
- Installs Taegis Endpoint Agent on the endpoint where the script is run
- Performs post-install validation checks
- Uninstalls Red Cloak Endpoint Agent, if present
For detailed script usage instructions, see this Knowledge Base article: Automated Migration Script from Red Cloak to Taegis Agent.
Download the scripts here:
Check the Agent Migrator Script for the Latest Version
To verify that you are using the latest version of the script, open the script and check the version shown in its comments.
Latest version: 2.4
Install Taegis Endpoint Agent Using the MSI Installer
1. Run the MSI package. The first screen provides the version number for the Taegis Endpoint Agent. Verify it is the desired version and select Next.
   [Figure: Taegis Agent Setup Wizard]
2. Choose an install location and select who you want to install the package for. The default location is C:\Program Files\SecureWorks\Taegis Agent\ and the default usage is set for Everyone. Select Next.
   [Figure: Select Installation Folder]
3. Enter the following information:
   - Registration Key and Registration Server copied during the prerequisite steps
   - An optional Proxy server address if using a proxy
   - DNS override servers, separated with a semicolon if defining multiple. There is no limit to the number of DNS servers. If no DNS server is supplied, then the default of 8.8.8.8 over HTTPS is used; see DNS Resolution. DNS override servers are optional except:
     - Required if the agent configuration uses a proxy
     - Required if Google DNS 8.8.8.8 via TCP 443, used by default for domain name resolution (DNS), is not accessible
   [Figure: Enter Registration Key and Server]
4. Select Next, review the settings that have been entered, and select Next to confirm the installation.
   [Figure: Confirm Installation]
5. Select Yes to provide User Account Control consent and allow the installation. The agent then installs.
6. During installation, the Registration Key, Registration Server, Proxy, and DNS server settings are verified. This process typically takes about 15 seconds and you can skip to Step 8 if successful. If this process fails, the most common reason is an incorrect Registration Key and/or Server. In this case, the installer displays a dialog allowing for corrections.
   [Figure: Retry Registration]
7. Re-enter the Registration Key, Registration Server, Proxy and DNS server. Select OK and the installer verifies the settings again. If the installer cannot verify once again, an error screen displays and the installer exits. See Windows Agent Troubleshooting for troubleshooting guidance.
   [Figure: Registration Failed]
8. Once the agent is installed, select Close to exit the UI.
   [Figure: Installation Complete]
Install Taegis Endpoint Agent using Command Line
Once you have obtained the MSI package, open Command Prompt with administrator permissions and enter the following:
msiexec /i <path>.msi REGISTRATIONKEY=<registration key> REGISTRATIONSERVER=<registration server> PROXY=<proxyserver:port> DNS=<host> /quiet
- Include an optional Proxy server address with the PROXY=<proxyserver>:<port> switch if using a proxy (limit = 1).
- Include DNS override servers with the DNS=<host> switch, using a semicolon to separate each entry if using multiple. There is no limit to the number of DNS servers. If no DNS server is supplied, then the default of 8.8.8.8 over HTTPS is used; see DNS Resolution. DNS override servers are optional except:
  - Required if the agent configuration uses a proxy
  - Required if Google DNS 8.8.8.8 via TCP 443, used by default for domain name resolution (DNS), is not accessible
- We recommend you add the /quiet flag for a quiet installation.
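The DNS decision described under DNS Resolution and the switches listed above can be checked before the installer runs. The following PowerShell is an added example, not Secureworks code; the function name Get-TaegisInstallArguments, the MSI path, the probe domain and the DNS server addresses are assumptions or constructed sample values.

```powershell
# Added example (not Secureworks code). Function name and sample values are hypothetical.
function Get-TaegisInstallArguments {
    param(
        [Parameter(Mandatory)] [string]$MsiPath,
        [Parameter(Mandatory)] [string]$RegistrationKey,
        [Parameter(Mandatory)] [string]$RegistrationServer,
        [string]$Proxy,                 # proxyserver:port, at most one
        [string[]]$DnsOverride = @(),   # DNS servers reachable over UDP 53
        [string]$ProbeDomain            # a domain from Network Connectivity Requirements
    )

    # Step 1 of the agent's resolution order: Google DNS (8.8.8.8) over HTTPS.
    # This only proves TCP 443 is reachable, not that the HTTPS query succeeds.
    $dohReachable = Test-NetConnection -ComputerName 8.8.8.8 -Port 443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # Overrides are mandatory when a proxy is configured or 8.8.8.8:443 is blocked.
    if (((-not $dohReachable) -or $Proxy) -and $DnsOverride.Count -eq 0) {
        throw 'DNS override servers are required: proxy in use or 8.8.8.8:443 unreachable.'
    }

    # Steps 2 and 3: each override must answer a traditional DNS query.
    if ($ProbeDomain) {
        foreach ($server in $DnsOverride) {
            try {
                Resolve-DnsName -Name $ProbeDomain -Server $server -DnsOnly -ErrorAction Stop | Out-Null
            } catch {
                throw "DNS override $server did not resolve ${ProbeDomain}: $($_.Exception.Message)"
            }
        }
    }

    # Assemble the switches documented on this page; the MSI path is quoted for spaces.
    $msiArgs = @('/i', "`"$MsiPath`"",
                 "REGISTRATIONKEY=$RegistrationKey",
                 "REGISTRATIONSERVER=$RegistrationServer")
    if ($Proxy) { $msiArgs += "PROXY=$Proxy" }
    if ($DnsOverride.Count -gt 0) { $msiArgs += "DNS=$($DnsOverride -join ';')" }
    $msiArgs + '/quiet'
}

# Constructed sample values; replace with your own and run from an elevated session.
$installArgs = Get-TaegisInstallArguments -MsiPath 'C:\Temp\TaegisAgent.msi' `
    -RegistrationKey '<registration key>' -RegistrationServer '<registration server>' `
    -DnsOverride '10.0.0.53', '10.0.0.54' -ProbeDomain 'example.com'
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $installArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec exited with code $($proc.ExitCode)" }
```

The registration key is passed on the msiexec command line, so it appears wherever process command lines are recorded; supply it at run time rather than storing it in the script.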
Install Using MDMs
- For deployment using Workspace ONE UEM (WS1) for Windows hosts, see the following Knowledge Base article: Deploy Taegis Agent for Windows with Workspace ONE.
- For deployment using Intune for Windows hosts, see the following Knowledge Base article: Deploy Taegis Agent for Windows with Intune.
- For deployment using SCCM for Windows hosts, see the following Knowledge Base article: Deploy Taegis Agent for Windows with SCCM.
Validate Installation
- Check for Host and Status using Windows Task Manager: Open Task Manager, ensure the Processes tab is selected, and choose More Details. Scroll down to confirm the following processes exist:
- Taegis Agent Host
- Taegis Agent Host
- Taegis Agent Host
- Taegis Agent Service
[Figure: Validate Processes]
- Check Agent Version using Windows Task Manager: Open Task Manager, ensure the Processes tab is selected, and choose More Details. Scroll down and right-click Taegis Agent Host. Select Properties, and then the Details tab to view Product Version.
Logging File Location
Post agent install: Open File Explorer and navigate to C:\ProgramData\SecureWorks\TaegisAgent\TaegisUser. Note that you must enable hidden folders in order to access the ProgramData folder. Open the TaegisUser document to view the log report.
[Figure: Logging File Location]
Review Endpoint Agents Summary
[Figure: Endpoint Agents Summary]
As XDR processes endpoint telemetry, a list of endpoints is generated. Review these by navigating to Endpoint Agents → Summary from the Taegis XDR menu. For more information, see Manage Endpoint Agents.