Windows
Probe Install
The following versions are supported: Windows 8.1, Windows 10, Windows 11, Server 2016, Server 2019 and Server 2022.
Proxmox installs can fail because the VM's SMBIOS serial number is blank. Simply providing one in the VM options under SMBIOS settings (type1) -> Serial will allow the MSI to work.
Install
msiexec.exe /qn /l*v detect-log.txt /i detect.msi REGISTRATION_STRING="<ACCOUNT_ID>/<TOKEN>" ENDPOINT_TAGS="tag1,tag2,tag3"
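When the install is pushed from an RMM or EDR console rather than typed by hand, it helps to check the msiexec exit code and confirm the service actually came up. The following is an added PowerShell wrapper around the command above; it is not Prelude's own code. It assumes detect.msi is in the current directory and that the registration string (the page's <ACCOUNT_ID>/<TOKEN> placeholder) is passed in as a parameter; the exit codes it distinguishes are the standard Windows Installer ones.

```powershell
# Added example (not Prelude's own code): run the documented msiexec install
# and check the outcome. Assumptions: detect.msi is in the current directory;
# the registration string is passed in; the service name is the one the docs use.
param (
    [Parameter(Mandatory = $true)][String]$RegistrationString,   # "<ACCOUNT_ID>/<TOKEN>"
    [String]$EndpointTags = "",                                   # e.g. "tag1,tag2,tag3"; empty omits the property
    [String]$MsiPath = (Join-Path $PWD "detect.msi"),
    [String]$LogPath = (Join-Path $env:TEMP "detect-log.txt")
)

if (-not (Test-Path $MsiPath)) { throw "MSI not found: $MsiPath" }

# Build the same command line the docs give; each value is quoted so spaces survive
$arguments = @("/qn", "/l*v", "`"$LogPath`"", "/i", "`"$MsiPath`"",
               "REGISTRATION_STRING=`"$RegistrationString`"")
if ($EndpointTags) { $arguments += "ENDPOINT_TAGS=`"$EndpointTags`"" }

$exitCode = (Start-Process -FilePath "$env:windir\system32\msiexec.exe" `
                           -ArgumentList $arguments -Wait -PassThru).ExitCode

# Standard Windows Installer exit codes worth telling apart in a deployment job
switch ($exitCode) {
    0       { Write-Host "Installed" }
    3010    { Write-Host "Installed; reboot required" }
    1603    { throw "Fatal error during installation; see $LogPath" }
    1619    { throw "Installer could not open $MsiPath" }
    default { throw "msiexec exited with $exitCode; see $LogPath" }
}

# Confirm the service the installer registers exists and is running
$svc = Get-Service -Name "Prelude Probe Service" -ErrorAction SilentlyContinue
if ($null -eq $svc) { throw "Service 'Prelude Probe Service' not found after install" }
if ($svc.Status -ne 'Running') {
    Write-Warning "Service state is $($svc.Status); starting it"
    Start-Service $svc
}
```

Run it as `.\Install-Probe.ps1 -RegistrationString "<ACCOUNT_ID>/<TOKEN>" -EndpointTags "tag1,tag2"`; the verbose MSI log lands in `%TEMP%\detect-log.txt`, which is the first place to look when the exit code is 1603.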
Uninstall
MSI uninstall:
msiexec.exe /qn /l*v detect-log.txt /x detect.msi
PowerShell uninstall (can be run directly in CrowdStrike RTR or any other MDM solution):
[CmdletBinding()]
param ()

function Uninstall-MSIByName {
    [CmdletBinding()]
    param
    (
        [ValidateNotNullOrEmpty()][String]$ApplicationName,
        [ValidateNotNullOrEmpty()][String]$Switches
    )

    # MSIEXEC.EXE
    $Executable = $Env:windir + "\system32\msiexec.exe"

    Do {
        # Get list of all Add/Remove Programs entries for 32-bit and 64-bit
        $Uninstall = Get-ChildItem REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall -Recurse -ErrorAction SilentlyContinue -Force
        $Uninstall += Get-ChildItem REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall -Recurse -ErrorAction SilentlyContinue

        # Find the registry key whose DisplayName contains the application name specified in $ApplicationName
        $Key = $Uninstall | ForEach-Object { Get-ItemProperty REGISTRY::$_ -ErrorAction SilentlyContinue } | Where-Object { $_.DisplayName -like "*$ApplicationName*" }

        If ($null -ne $Key) {
            Write-Host "Uninstall" $Key[0].DisplayName "....." -NoNewline
            # Define msiexec.exe parameters to use with the uninstall (PSChildName is the MSI product code)
            $Parameters = "/x " + $Key[0].PSChildName + [char]32 + $Switches
            # Execute the uninstall of the MSI
            $ErrCode = (Start-Process -FilePath $Executable -ArgumentList $Parameters -Wait -PassThru).ExitCode
            # Return the success/failure to the display (0 = success, 3010 = success with reboot required, 1605 = not installed)
            If (($ErrCode -eq 0) -or ($ErrCode -eq 3010) -or ($ErrCode -eq 1605)) {
                Write-Host "Success" -ForegroundColor Yellow
            } else {
                Write-Host "Failed with error code" $ErrCode -ForegroundColor Red
                # The entry is still registered, so looping again would retry forever; stop here
                break
            }
        }
    } While ($null -ne $Key)
}

Uninstall-MSIByName -ApplicationName "Prelude Probe" -Switches "/qn /norestart"
Probe Service Control
How to check the status and control the probe service.
Check if Prelude Probe service is running
sc interrogate "Prelude Probe Service"
Stop Prelude Probe service
sc stop "Prelude Probe Service"
Start Prelude Probe service
sc start "Prelude Probe Service"
Restart Prelude Probe service
sc stop "Prelude Probe Service" && sc start "Prelude Probe Service"
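One caveat with the restart one-liner: `sc stop` returns as soon as the stop request is accepted, not when the service has stopped, so the chained `sc start` can fail if the probe is still shutting down. The following added PowerShell (not Prelude's own code) does the same check, stop, start and restart but waits for each state transition; it uses the service name given above.

```powershell
# Added example (not Prelude's own code): control the probe service while waiting
# for the Service Control Manager to report each state, instead of assuming
# "sc stop" has completed. Service name taken from the docs.
$ServiceName = "Prelude Probe Service"

function Get-ProbeStatus {
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return "NotInstalled" }
    return [string]$svc.Status
}

function Stop-Probe {
    param ([int]$TimeoutSeconds = 30)
    $svc = Get-Service -Name $ServiceName
    if ($svc.Status -ne 'Stopped') {
        $svc.Stop()
        # Block until the SCM reports Stopped; throws a TimeoutException otherwise
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSeconds))
    }
}

function Start-Probe {
    param ([int]$TimeoutSeconds = 30)
    $svc = Get-Service -Name $ServiceName
    if ($svc.Status -ne 'Running') {
        $svc.Start()
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSeconds))
    }
}

function Restart-Probe {
    # Safe restart: Start-Probe only runs after Stop-Probe has seen the Stopped state
    Stop-Probe
    Start-Probe
}

Write-Host "Before: $(Get-ProbeStatus)"
Restart-Probe
Write-Host "After:  $(Get-ProbeStatus)"
```

`Restart-Service -Name "Prelude Probe Service"` performs the same wait internally; the explicit version above shows where the wait belongs and lets you set a timeout.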
Logging
- By default the Prelude Probe writes log events to the Windows Event Viewer Application log.
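To pull the probe's recent entries out of the Application log during troubleshooting, the following added PowerShell (not Prelude's own code) queries the last 24 hours and summarises them by level. The page does not name the event provider the probe writes under, so matching on "Prelude" in the provider name or message is an assumption; adjust `$Match` once you have seen the actual provider name in Event Viewer.

```powershell
# Added example (not Prelude's own code): summarise recent probe events from the
# Windows Application log. Assumption: the probe's events can be recognised by
# "Prelude" in the provider name or message text (provider name not given in docs).
param (
    [int]$Hours = 24,
    [string]$Match = "Prelude"
)

$filter = @{
    LogName   = 'Application'
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent returns newest first; SilentlyContinue suppresses the "no events" error
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like "*$Match*" -or $_.Message -like "*$Match*" }

if (-not $events) {
    Write-Warning "No Application-log events matching '$Match' in the last $Hours hours"
    return
}

# Count by level first: a run of Error entries is what to look at
$events | Group-Object LevelDisplayName |
    Select-Object @{n = 'Level'; e = { $_.Name }}, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Then the most recent entries, first line of each message only
$events |
    Select-Object -First 20 -Property TimeCreated, LevelDisplayName, Id, ProviderName,
        @{n = 'Message'; e = { ($_.Message -split "`r?`n")[0] }} |
    Format-Table -Wrap
```

Run it as `.\Get-ProbeEvents.ps1 -Hours 48` to widen the window; once the provider name is known, `-Match` can be set to it to avoid picking up unrelated messages that merely mention the product.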
Microsoft Intune Deployment
- Log in to https://endpoint.microsoft.com/ and go to Apps > All apps.
- Click +Add to add a new Intune application for deployment.
- Select Line-of-business app from the App type drop-down menu in Add app.
- Click Select app package file and provide the latest detect .msi package (Download here).
- Click OK after uploading.
- Under Add App set the following required fields and any other optional fields:
  - Name: "Prelude Probe"
  - Description: "Prelude Probe"
  - Publisher: "Prelude Security"
  - App Install context: "Device"
  - Ignore app version: "Yes"
  - Command Line: /qn /l*v detect-log.txt /i detect.msi REGISTRATION_STRING="<ACCOUNT_ID>/<TOKEN>" ENDPOINT_TAGS="tag1,tag2,tag3"
    Note:
    - ensure you replace <ACCOUNT_ID>/<TOKEN> with your installation string
    - add any optional tags after "ENDPOINT_TAGS", or delete ENDPOINT_TAGS="tag1,tag2,tag3"
- Under Assignments set the desired groups or devices you'd like to target (it's not recommended to install the Prelude Detect Probe on a per-user basis).
- Review settings and save.
Note: The Prelude Detect Probe will automatically update, so there is no need to manage updates after the probe is installed/deployed.