Probe Install

The following versions are supported: Windows 10, Windows 11, Server 2019 and Server 2022.

Proxmox installs can fail because the VM's SMBIOS serial number is blank. Setting one in the VM options under SMBIOS settings (type1) -> Serial allows the MSI to work.

Download here

Install

msiexec.exe /qn /l*v detect-log.txt /i detect.msi REGISTRATION_STRING="<ACCOUNT_ID>/<TOKEN>" ENDPOINT_TAGS="tag1,tag2,tag3"
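As an added example (not part of the Prelude documentation or the product's own tooling), the following PowerShell function wraps the documented msiexec install line, interprets the Windows Installer exit code, and confirms afterwards that the probe service is running. The function and parameter names are my own; the service name "Prelude Probe Service" is the one this page uses with sc, and the <ACCOUNT_ID>/<TOKEN> value is a placeholder you replace with your registration string.

```powershell
# Added example, not Prelude's code. Installs detect.msi silently with a verbose
# log, checks the msiexec exit code, then verifies the probe service is up.
function Install-PreludeProbe {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)][string]$MsiPath,             # path to detect.msi
        [Parameter(Mandatory)][string]$RegistrationString,  # "<ACCOUNT_ID>/<TOKEN>"
        [string[]]$Tags = @(),                               # optional ENDPOINT_TAGS values
        [string]$LogPath = (Join-Path $env:TEMP 'detect-log.txt'),
        [string]$ServiceName = 'Prelude Probe Service'       # service name used with sc on this page
    )

    if (-not (Test-Path -LiteralPath $MsiPath)) {
        throw "MSI not found: $MsiPath"
    }
    # The registration string must have the documented <ACCOUNT_ID>/<TOKEN> shape.
    if ($RegistrationString -notmatch '^[^/\s]+/[^/\s]+$') {
        throw 'REGISTRATION_STRING must be of the form <ACCOUNT_ID>/<TOKEN>'
    }

    # Same arguments as the documented command line; ENDPOINT_TAGS is only added when tags are given.
    $msiArgs = @('/qn', '/l*v', "`"$LogPath`"", '/i', "`"$MsiPath`"",
                 "REGISTRATION_STRING=`"$RegistrationString`"")
    if ($Tags.Count -gt 0) {
        $msiArgs += "ENDPOINT_TAGS=`"$($Tags -join ',')`""
    }

    $proc = Start-Process -FilePath "$env:windir\System32\msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru
    $code = $proc.ExitCode

    # Standard Windows Installer exit codes:
    #   0 = success, 3010 = success but reboot required, 1641 = installer initiated a reboot,
    #   1603 = fatal error during installation, 1619 = package could not be opened.
    switch ($code) {
        0       { Write-Verbose 'Install succeeded' }
        3010    { Write-Warning 'Install succeeded; a reboot is required' }
        1641    { Write-Warning 'Install succeeded; the installer initiated a reboot' }
        default { throw "msiexec failed with exit code $code (see $LogPath)" }
    }

    # Post-install check: the probe service should exist and be running.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($null -eq $svc) { throw "Service '$ServiceName' not found after install" }
    if ($svc.Status -ne 'Running') {
        Write-Warning "Service '$ServiceName' is $($svc.Status); starting it"
        Start-Service -Name $ServiceName
    }
    return (Get-Service -Name $ServiceName).Status.ToString()
}

# Example invocation with placeholder values:
# Install-PreludeProbe -MsiPath 'C:\Temp\detect.msi' -RegistrationString '<ACCOUNT_ID>/<TOKEN>' -Tags 'tag1','tag2' -Verbose
```

On failure the function throws rather than silently continuing, and the verbose log path it prints is the first place to look; the same log file is what the documented /l*v switch produces.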

Uninstall

MSI uninstall:

msiexec.exe /qn /l*v detect-log.txt /x detect.msi

PowerShell uninstall (can be run directly in CrowdStrike RTR or any other MDM solution):

[CmdletBinding()]
param ()

function Uninstall-MSIByName {
	[CmdletBinding()]
	param
	(
		[ValidateNotNullOrEmpty()][String]$ApplicationName,
		[ValidateNotNullOrEmpty()][String]$Switches
	)

	# msiexec.exe
	$Executable = Join-Path $Env:windir "system32\msiexec.exe"
	Do {
		# Get the list of all Add/Remove Programs entries for 64-bit and 32-bit applications
		$Uninstall = @(Get-ChildItem REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall -Recurse -ErrorAction SilentlyContinue -Force)
		$Uninstall += @(Get-ChildItem REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall -Recurse -ErrorAction SilentlyContinue)
		# Find the registry entries whose DisplayName contains $ApplicationName
		$Key = @($Uninstall | ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } | Where-Object { $_.DisplayName -like "*$ApplicationName*" })
		If ($Key.Count -gt 0) {
			Write-Host "Uninstall $($Key[0].DisplayName)....." -NoNewline
			# msiexec.exe parameters: /x <ProductCode> followed by the caller's switches
			$Parameters = "/x " + $Key[0].PSChildName + " " + $Switches
			# Execute the uninstall of the MSI and capture its exit code
			$ErrCode = (Start-Process -FilePath $Executable -ArgumentList $Parameters -Wait -PassThru).ExitCode
			# 0 = success, 3010 = success but reboot required, 1605 = product is no longer installed
			If (($ErrCode -eq 0) -or ($ErrCode -eq 3010) -or ($ErrCode -eq 1605)) {
				Write-Host "Success" -ForegroundColor Yellow
			} else {
				Write-Host "Failed with error code $ErrCode" -ForegroundColor Red
				# Stop here: retrying the same product code would loop forever
				Break
			}
		}
	} While ($Key.Count -gt 0)
}

Uninstall-MSIByName -ApplicationName "Prelude Probe" -Switches "/qn /norestart"

Probe Service Control

How to check the status and control the probe service. These commands use sc.exe from cmd.exe; in Windows PowerShell 5.1, sc is an alias for Set-Content, so type sc.exe there. The && form of the restart line works in cmd.exe and PowerShell 7 or later, but not in Windows PowerShell 5.1.

Check if Prelude Probe service is running

sc interrogate "Prelude Probe Service"

Stop Prelude Probe service

sc stop "Prelude Probe Service"

Start Prelude Probe service

sc start "Prelude Probe Service"

Restart Prelude Probe service

sc stop "Prelude Probe Service" && sc start "Prelude Probe Service"

Logging

  • By default the Prelude Probe writes log events to the Windows Event Viewer Application log.
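As an added example covering both the service-control commands and the logging note above (not part of the Prelude documentation or the product's own tooling), the following PowerShell functions do the status check and restart with the Service cmdlets, and summarise the probe's recent events from the Application log. The service name is the one this page uses with sc; the '*Prelude*' provider-name pattern is an assumption, since the page does not state the event source name, and the function names are my own.

```powershell
# Added example, not Prelude's code: service state, restart, and recent Application-log events.

function Get-PreludeProbeState {
    param ([string]$ServiceName = 'Prelude Probe Service')   # service name used with sc on this page
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'NotInstalled' }
    return $svc.Status.ToString()   # Running, Stopped, StartPending, ...
}

function Restart-PreludeProbe {
    param ([string]$ServiceName = 'Prelude Probe Service')
    # Restart-Service performs the stop/start sequence that the page shows as
    # "sc stop ... && sc start ..." and works in Windows PowerShell 5.1 as well.
    Restart-Service -Name $ServiceName -ErrorAction Stop
    (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    return (Get-Service -Name $ServiceName).Status.ToString()
}

function Get-PreludeProbeEvents {
    param (
        [int]$Hours = 24,
        [string]$ProviderPattern = '*Prelude*'   # assumption: the event source name contains "Prelude"
    )
    # The probe writes to the Application log; pull the last $Hours of events from
    # providers matching the pattern (Get-WinEvent returns newest first).
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Where-Object { $_.ProviderName -like $ProviderPattern })

    # Event levels: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information.
    [pscustomobject]@{
        Total    = $events.Count
        Errors   = @($events | Where-Object { $_.Level -le 2 }).Count
        Warnings = @($events | Where-Object { $_.Level -eq 3 }).Count
        Latest   = $events | Select-Object -First 5 -Property TimeCreated, Id, LevelDisplayName, Message
    }
}

# Example usage:
# Get-PreludeProbeState
# if ((Get-PreludeProbeState) -ne 'Running') { Restart-PreludeProbe }
# Get-PreludeProbeEvents -Hours 48
```

If the provider name turns out to be different on your hosts, run Get-PreludeProbeEvents once with -ProviderPattern '*' and read the ProviderName column of the Latest entries to find the right value.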

Microsoft Intune Deployment

  1. Log in to https://endpoint.microsoft.com/ and go to Apps > All apps

  2. Click +Add to add a new Intune application for deployment.

  3. Select Line-of-business app from the App type drop-down menu in Add app.

  4. Click Select app package file and provide the latest detect .msi package Download here

  5. Click OK after uploading.

  6. Under Add App, set the following required fields and any other optional fields:

    • Name: "Prelude Probe"

    • Description: "Prelude Probe"

    • Publisher: "Prelude Security"

    • App Install context: "Device"

    • Ignore app version: "Yes"

    • Command Line:

      /qn /l*v detect-log.txt /i detect.msi REGISTRATION_STRING="<ACCOUNT_ID>/<TOKEN>" ENDPOINT_TAGS="tag1,tag2,tag3"

      Note

      • Replace <ACCOUNT_ID>/<TOKEN> with your registration string
      • Add any optional tags after "ENDPOINT_TAGS", or delete ENDPOINT_TAGS="tag1,tag2,tag3" if you do not use tags

  7. Under Assignments, set the groups or devices you'd like to target (installing the Prelude Detect Probe on a per-user basis is not recommended).

  8. Review settings and save

Note: The Prelude Detect Probe will automatically update so there is no need to manage updating after the probe is installed/deployed.