wazuh / wazuh-documentation

Wazuh - Project documentation
https://wazuh.com

Missing docs for remote upgrading agents #6739

Closed L1ghtn1ng closed 8 months ago

L1ghtn1ng commented 1 year ago

It's missing what GPOs on Windows you need to allow if you have a locked-down Windows, which seems to be: allow msiexec and make sure msiexec is set to run with admin privs. The big issue that is also missing in the docs is that the remote upgrade can reboot Windows!!! Found this out the hard way this morning, which needs to be added big time.

L1ghtn1ng commented 1 year ago

So it turns out the reboot issue is due to https://github.com/wazuh/wazuh/issues/19994

vikman90 commented 1 year ago

@L1ghtn1ng I'm not an expert in GPO but I think that this issue is related to https://github.com/wazuh/wazuh/issues/20138 instead of https://github.com/wazuh/wazuh/issues/19994.

Remote upgrades use a custom package (WPK) which wraps the official MSI package and performs extra operations:

The last point is what was causing the problem, and the solution was to add the /norestart option: https://github.com/wazuh/wazuh/pull/20081.

On the other hand, the WPK and its logic are not related to GPO upgrades, which simply run the official MSI. We have to investigate this better, but with what we know for now, the solution would be to indicate during the update that the system should not reboot:

echo N | gpupdate /force

Reference: gpupdate with auto no for logoff and shutdown

If you know of a better option, or one that fits better with the standard way of working with GPO, we would appreciate your guidance.

Best regards.

L1ghtn1ng commented 12 months ago

@vikman90 No, it's not the issue you listed, but the one I listed, but I know that's a regression that will fix that issue. But what I mean by GPO is: what does it need to be able to use the agent_upgrade CLI/API to work when you have locked-down systems? Basically, from what I have found, on Windows, out of the box, remote upgrades fail due to msiexec needing to be set, either via local group policy or via a domain controller, to always use admin privs when installing; otherwise it fails. Then in my case, due to the regression with the 4.6.0 agent, it ended up rebooting the system. So can we get docs added which will tell people how to get remote upgrading via agent_upgrade to work?

vikman90 commented 12 months ago

@L1ghtn1ng Of course. To be honest, I'm not familiar with group policies. We are going to investigate it, propose what is necessary (documentation and/or programming) and we will comment on the updates here.

Thanks for the clarification.

L1ghtn1ng commented 11 months ago

@vikman90 any updates as of yet? It's been a few weeks now and thought I would have heard something.

vikman90 commented 10 months ago

@L1ghtn1ng This issue is still in the backlog. We'll take it ASAP and keep you posted.

L1ghtn1ng commented 10 months ago

Thanks Victor


lchico commented 9 months ago

Update 01-17-24:

Just started working on this, conducting some research.

Update 01-18-24:

Following the Wazuh documentation, I am encountering some issues with creating a Group Policy. I wasn't able to run the Group Policy Management Console (GPMC) on Windows 11 Pro (Build: 22454.1000) and Windows Server 2019 (Build: 17763).

Screenshot from 2024-01-18 20-09-12

Update 01-19-24:

I was able to run the Group Policy Management Console (GPMC) using this box (cdaf/WindowsServerDC). I am now attempting to configure Active Directory to proceed with the installation of the Wazuh agent using Windows GPO

image

Update 01-22-24

After some back and forth, I was able to configure the VirtualBox network, allowing me to add a computer to the Active Directory domain. Now, I am ready to start working on Creating a Group Policy.

lchico commented 9 months ago

Update 23-01-24

Once I configured the GPO in Active Directory, I encountered some issues with time synchronization, preventing me from updating the policy.

Screenshot from 2024-01-23 13-10-09

After resolving this issue, I ran the following command:

```
gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.
```

However, the Wazuh agent wasn't installed. Therefore, I need to continue working on this.

Screenshot from 2024-01-23 20-29-16

lchico commented 9 months ago

Update 24-01-24

Finally, I was able to upgrade wazuh-agent 4.5.1 to 4.6.0 using GPO. To do that I had to:

I used it as a workstation (box: tranphuquy19/win11x64-professional) where I did:

  1. Config DNS server to recognize the Domain: mshome.net -> IP: 192.168.56.2 (Windows Active Directory infrastructure - Box: msi/windows-2022)
  2. Join the Domain: mshome.net

windows_host_end_config

On Windows Server 2022 I had to add the package of wazuh-agent 4.6.0 for the upgrade process, so I did:

  1. Go to the Domain Controller, press Win+R, and execute gpmc.msc
  2. Add the wazuh-agent 4.6.0 msi package into the share, named wazuh-agent, on a network folder
  3. Finally, add the wazuh-agent 4.6.0.msi into the Wazuh installer policy.

upgrade_config

To complete the upgrade I had to do on the workstation:

  1. Run powershell: gpupdate /force
  2. Restart the workstation

load_upgrade_config

In the next image we can see wazuh-agent was upgraded:

Screenshot from 2024-01-24 21-40-25

Screenshot from 2024-01-24 21-48-43

Update 25-01-24

I conducted research to identify a GPO configuration that avoids restarting the Wazuh agent, but unfortunately, I was unsuccessful. However, I did find some configurations that can prevent Windows from rebooting:

lchico commented 9 months ago

Update 27-01-24

Its missing what GPO's on windows you need to allow if you have a locked down windows which seems to be allow msiexec and make sure msiexec is set to run with admin privs.

So, if we are referring to this blog documentation, it is crucial to mention that the operations desktop (Workstation) should join the domain as an Administrator.

adm_operation_desktop

The big issue that is also missing in the docs is that the remote upgrade can reboot windows!

I tested several times and always got this behaviour:

The software will only install during a reboot and the computer must have its GPO settings updated. GPO settings will refresh automatically every 90 minutes.

To force the GPO settings you can use the gpupdate /force command.

Note: This requires user confirmation for the reboot.

image

I will mark this issue as blocked, awaiting further instructions. Some possibilities include:

  1. Updating the existing blog
  2. Creating Wazuh Documentation

I created this document to explain the GPO processes. GPO doc

lchico commented 9 months ago

Update 29-01-2024

I tested the command suggested by @vikman90, and it is useful in scenarios where you want to initiate the update without user intervention or when scripting the process. However, keep in mind that the installation or upgrade process may only take effect after a subsequent system reboot or when a user logs on.

Screenshot from 2024-01-29 08-57-36

Suggested update to the blog: We need to make an addition to [this blog](https://wazuh.com/blog/deploying-wazuh-agent-using-windows-gpo/#:~:text=Creating%20a%20Group%20Policy), after this line: [Remember you can force Windows to synchronize Group Policy by issuing a gpupdate /force at the command prompt.](https://wazuh.com/blog/deploying-wazuh-agent-using-windows-gpo/#:~:text=Remember%20you%20can%20force%20Windows%20to%20synchronize%20Group%20Policy%20by%20issuing%20a%C2%A0gpupdate%20/force%C2%A0at%20the%20command%20prompt.)

We'd like to add the following:

For a non-interactive option, you can use the following command:

```
echo N | gpupdate /force
```

This command suppresses the interactive prompt during the Group Policy update process. It is useful in scenarios where you want to initiate the update without user intervention or when scripting the process. However, [keep in mind that the installation or upgrade process may only take effect after a subsequent system reboot or when a user logs on.](https://activedirectorypro.com/deploy-software-using-group-policy/#:~:text=The%20software%20will%20only%20install%20during%20a%20reboot%20and%20the%20computer%20must%20have%20its%20GPO%20settings%20updated.%20GPO%20settings%20will%20refresh%20automatically%20every%2090%20minutes)

Note: This issue will be blocked until the Content team can make the changes.
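As an added example (not from this thread or the Wazuh project), a PowerShell script that runs the pre-checks discussed in the thread on the workstation and then the non-interactive refresh suggested above, reporting whether the upgrade is waiting on a reboot. It assumes an elevated session on the domain-joined workstation, that the agent registers as "Wazuh Agent" in the Uninstall keys, and that the "msiexec with admin privs" setting mentioned earlier is the Windows Installer AlwaysInstallElevated policy.

```powershell
# Added example: GPO-driven Wazuh agent upgrade pre-checks plus non-interactive gpupdate.
# Assumptions: elevated PowerShell on the domain-joined workstation; the agent's
# DisplayName starts with 'Wazuh Agent' (adjust if your MSI registers differently).

function Get-WazuhAgentVersion {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Wazuh Agent*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-PendingReboot {
    # Standard markers Windows sets when an installer or servicing operation needs a restart.
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
    ($null -ne (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -ErrorAction SilentlyContinue).PendingFileRenameOperations)
}

# 1. The workstation must be a member of the domain that publishes the software-installation GPO.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "$($cs.Name) is not domain-joined; the GPO cannot apply." }
Write-Host "Domain: $($cs.Domain)"

# 2. Report the AlwaysInstallElevated policy (assumed to be the 'admin privs for msiexec' setting
#    from the thread). It lets any user install MSI packages with SYSTEM rights, so audit where it
#    is enabled. Computer-assigned GPO installs already run as SYSTEM at startup and do not need it.
foreach ($hive in 'HKLM', 'HKCU') {
    $v = (Get-ItemProperty "$($hive):\SOFTWARE\Policies\Microsoft\Windows\Installer" `
            -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $state = if ($v -eq 1) { 'enabled' } else { 'not set' }
    Write-Host ("AlwaysInstallElevated [{0}]: {1}" -f $hive, $state)
}

# 3. Version before the refresh, then the non-interactive refresh (answers N to the restart prompt).
$before = Get-WazuhAgentVersion
Write-Host "Wazuh agent before refresh: $before"
cmd /c 'echo N | gpupdate /force' | Write-Host
if ($LASTEXITCODE -ne 0) { Write-Warning "gpupdate returned exit code $LASTEXITCODE" }

# 4. Assigned software installs during startup, so the version is normally unchanged at this point.
$after = Get-WazuhAgentVersion
Write-Host "Wazuh agent after refresh: $after"
if (Test-PendingReboot) {
    Write-Host 'A reboot is pending; schedule it in a maintenance window to complete the upgrade.'
} elseif ($before -eq $after) {
    Write-Host 'No change yet; the assigned package installs during the next startup.'
}
```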

lchico commented 8 months ago

Update 02-19-2024

The change was already introduced on the blog.