Agent Reference Guide
Windows Agent
Installation
To install the Windows Agent (supporting Windows Server 2016, 2019, 2022, Windows 10, and 11), you need to have an installation package.

Also, on the endpoint, .NET Framework 4.7.2 should be installed if it does not exist to get the setup file.

Installation should be done by a user who has local admin rights.

Kron PAM's kernel driver is not implemented for the ARM architecture, so you should not install the agents on ARM architecture.

When the installation is successful, the agent takes over credential provider functionality from the Windows OS. Other login options can be disabled through the agent group configuration, so the agent may be the only credential provider for Windows login operations.

Local accounts are not checked against PAM; their authentication is done by Windows via the agent. AD accounts are checked against the domain via the agent.

1. Navigate to Windows Agent Management and Agent Dashboard, then click the Add button.
2. Click Agent Installation.
3. Download the ps1 file by clicking here. An example of the ps1 file is provided below.
4. Copy this file to the endpoint where you want to install the agent.
5. Ensure that port 443 is open between the endpoint and the Kron PAM servers.
6. When you execute the ps1 file on the endpoint, it will download the agent, allowing you to proceed with the installation. The ps1 script must be run as an administrator.

If script execution is disabled on the system, enable it using the following command:

```powershell
Set-ExecutionPolicy -ExecutionPolicy Unrestricted
```

```powershell
# Define a certificate policy that accepts every server certificate
# (certificate validation is disabled for the downloads below).
Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
# Allow SSL 3.0 through TLS 1.2 and install the policy defined above.
$AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

# Download the agent installer and the cab file to C:\.
Set-Location -Path C:\
Invoke-WebRequest -Uri "https://10.20.42.12:443/repo/windows-agent/win-agent.exe" -OutFile "win-agent.exe"
Invoke-WebRequest -Uri "https://10.20.42.12:443/repo/windows-agent/kron-3.7.0-patch1.cab" -OutFile "kron.cab"

# Run the installer with the initial token and the registering endpoint.
Start-Process -NoNewWindow -FilePath "C:\win-agent.exe" -ArgumentList "initial-token=8123800-2d0f-4a51-9453-475a1761c857","register-endpoint=https://1.0.2.1:443"
```

If a non-expired token is already on the screen, you will see it on the download page. If you need a new token, you can return to the first screen to reproduce one, then go to the next page to download the batch file again with a new token.

The agent is installed when you place the ps1 file on the endpoint and run it as a local admin.

1. Start the installation package and click License Agreement.
2. Click Next.
3. Enter the necessary information, then click Install.

The registering endpoint is the Kron PAM server.

The initial token is a registration token.

Super local admin is a local admin account for all the endpoints. This account can perform any process on the server. An agent cannot block this account's actions on the endpoint, but every action of this account will be logged.

Installation is successful.

During installation, the agent sends the server's IP address, hostname, and OS version to Kron PAM. If the server's IP address changes at any point, the agent updates Kron PAM with the new information. From then on, the updated IP is used throughout Kron PAM, replacing the old one.

If an agent remains offline beyond a specified time, it is automatically removed from the Agent Dashboard, along with any associated agent-specific rules. The device will then be moved to the "Unassigned Device" group in the device tree without affecting any Kron PAM related rules. This is a configurable option set in the System Configuration Manager, using the parameter below (measured in days):

```
win.agent.remove.after.expire.time = 60
```

To install the agent silently from CMD, use the command line syntax below:

```
"agent.exe" initial-token="cb6b6d7f-bebb-4463-8a6e-ca58cb168120" register-endpoint="https://10.20.42.12/"
```

Sometimes system administrators need a powerful user who can do anything. In these cases, you need to define the parameter below in the System Configuration Management page. Users defined with this parameter can do anything; they are not policed, only logged. This is called all run right.

```
win.agent.all.run.right = administrator, pamadmin, systemadmin
```
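The ps1 example on this page accepts any server certificate and then runs the downloaded installer with administrator rights. The sketch below is an added example, not Kron's script: it pins the server certificate and checks the installer's SHA-256 before anything is executed. It assumes Windows PowerShell 5.1, reuses the address and path from the page's example, and uses placeholder values for the thumbprint and hash; the `PinnedCertPolicy` class name is hypothetical.

```powershell
# Added example. Placeholder values are assumptions: obtain the real ones
# out of band from your Kron PAM administrator.
$Server         = 'https://10.20.42.12:443'        # address from the page's example
$PinnedCertSha1 = '<PAM-SERVER-CERT-THUMBPRINT>'   # placeholder: SHA-1 thumbprint (hex)
$ExpectedSha256 = '<EXPECTED-INSTALLER-SHA256>'    # placeholder: installer hash (hex)
$Installer      = 'C:\win-agent.exe'

# Accept the TLS connection only when the server presents the pinned
# certificate, instead of returning true for every certificate.
Add-Type @"
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class PinnedCertPolicy : ICertificatePolicy {
    private readonly string pin;
    public PinnedCertPolicy(string thumbprint) { pin = thumbprint; }
    public bool CheckValidationResult(ServicePoint sp, X509Certificate cert,
                                      WebRequest req, int problem) {
        return cert != null &&
               string.Equals(cert.GetCertHashString(), pin,
                             StringComparison.OrdinalIgnoreCase);
    }
}
"@
[System.Net.ServicePointManager]::SecurityProtocol  = [System.Net.SecurityProtocolType]::Tls12
[System.Net.ServicePointManager]::CertificatePolicy = New-Object PinnedCertPolicy -ArgumentList $PinnedCertSha1

Invoke-WebRequest -Uri "$Server/repo/windows-agent/win-agent.exe" -OutFile $Installer

# Hard gate: the file must match the expected hash before it is run.
$hash = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash
if ($hash -ne $ExpectedSha256) {
    Remove-Item -Path $Installer -Force
    throw "Installer rejected: SHA256 $hash does not match the expected value."
}

# Report the Authenticode status; whether the installer is signed is not
# stated on the page, so this is a warning rather than a gate.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') {
    Write-Warning "Authenticode status is '$($sig.Status)' for $Installer"
}
"Installer hash verified: $hash"
```

Only after the hash check passes should the `Start-Process` line from the page's script be run against the verified file.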