Note: For organizations deploying to a large number of endpoints, ThreatLocker recommends using a staggered deployment approach. Organizations that deploy to a large number of endpoints at once may experience increased bandwidth usage as Windows Core and application definitions are downloaded to each endpoint. QoS can be used to limit bandwidth to corecdn.threatlocker.com and apps.threatlocker.com.
The ThreatLocker agent can be deployed using ConnectWise RMM. Your account must have the option to deploy scripts.
First, you must download the ThreatLocker PowerShell script. To do so, select the ‘Install Computer’ button in your ThreatLocker portal, which is located at the top right corner of every page.
This button can also be found in the top left-hand corner of the ‘Devices’ page.
A pop-up window titled ‘Download Installer’ will now open. From here, select the dropdown menu under ‘Select your deployment method’ to change the deployment method from ‘Manual Deployment’ to ‘ConnectWise RMM’. Select ‘Installation Script’.
Selecting ‘Installation Script’ will download the ConnectWise RMM Deployment script. Before deployment, you must edit a few values in the script. You can do this by opening the script on your machine using Notepad++ or Notepad.
Once your script has been opened, you will need to change the following:
- Under ## Variables, change where it says ‘Insert Organization Name’. Instead, this should be the name of the Organization you wish these deployed machines to belong to. If you are deploying your agents to an existing organization, this name must match the ‘Unique Identifier’.
- Under ## Attempt Install, you will need to replace the ‘key="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"’ portion with the ‘Unique Identifier’ of your organization. The ‘Unique Identifier’ can be located within the same ‘Download Installer’ pop-up window you navigated to after selecting the ‘Install Computer’ button.
Now that these changes have been made, you can save your newly edited script as a PowerShell script.
You can now open ConnectWise RMM. From here, navigate to the ‘Automation’ dropdown and select ‘Tasks’.
On the top right-hand side of the page, select the ‘Add’ button, then select ‘PowerShell Script’ from the dropdown menu.
A new page titled ‘New Powershell Script’ will open.
From here, enter the name of your PowerShell script, add an optional description, and select the category.
In the ‘PowerShell Script Editor’ field, paste your PowerShell script.
Once you have entered all the information, select the ‘Save & Run’ button at the top right corner of the page.
A pop-up stating, “This task will be added to tasks list.” will display. Select the ‘Save & Run’ button again.
Selecting this button a second time will bring you to the ‘Schedule Task’ page.
Choose the ‘Select Targets’ button within the ‘Targeted Resources’ section.
Select the target endpoints to which you would like the ThreatLocker deployment script to be sent. When you are done, select the ‘Save Selection’ button.
Above the ‘Targeted Resources’ section, change the radio button from ‘Next Agent Check In’ to ‘Run Now’. Once all information has been input, select the ‘Run’ button in the top right-hand corner of the page to begin deploying your script to machines within your selected Site.
Within a few minutes, ThreatLocker will deploy on the specified machines. Once this task has been completed, the status will reflect ‘Success’.
Scheduling Continuous Deployment using ConnectWise RMM
To schedule continuous deployment with ConnectWise RMM, navigate to the ‘Endpoints’ dropdown, then select the ‘Alerts’ dropdown. Choose ‘Monitors’ from the menu.
Now, on the ‘Monitors’ page, select the ‘Create Monitor’ button in the top right corner.
You will now be directed to the ‘New Monitor’ page.
First, enter the name of your monitor. You can also enter an optional description.
For the ‘Type’ dropdown, select ‘Complex’. Select ‘Critical Impact Alerts’ for ‘Severity’, then select ‘Antivirus’ for ‘Family’.
Select the ‘Select Targets’ button, then choose the Site name you want to apply this monitor to.
Select the Site(s) you will be applying this monitor to, then select the ‘Save Selection’ button when you are finished.
Within the ‘Conditions’ section:
- Select ‘File System’ from the dropdown.
- Change ‘File or Directory’ to ‘File’.
- Enter the following file path:
C:\Program Files\ThreatLocker\threatlockerservice.exe
This file path leads to the ThreatLocker Service, which will not exist if ThreatLocker is not installed or installed improperly.
- Change the ‘Exists’ dropdown to ‘Does not exist’.
- Select the ‘+ Add inner block’ button.
Make sure that ‘AND’ is selected.
In the second dropdown:
- Select ‘Device Availability’.
- Select ‘Up’ in the ‘Endpoint is’ field.
- Select ‘10’ minutes.
At the bottom of the ‘Conditions’ section, you will see a button labeled ‘Add Automation’. Select this, then find the task that was previously created to deploy the ThreatLocker PowerShell script. Hit the ‘Select’ button at the bottom of the page once this is found.
This condition is now designed to check if the user has the threatlockerservice.exe file at that location. If the threatlockerservice.exe file is not found and the endpoint has been up for 10 minutes, the PowerShell script with the ThreatLocker installer will run on the machine.
Beneath the conditions section is ‘Ticket Resolution’.
Using the dropdown:
- Select ‘Services’.
- From the ‘Service’ dropdown, select ‘ThreatLockerService’.
- Select ‘is running’.
This will ensure that if ‘ThreatLockerService’ is running on the machine, tickets generated on ConnectWise related to this monitor are automatically resolved, because ThreatLocker has been downloaded onto the machine.
Alternatively, if ‘ThreatLockerService’ is not an option in the ‘Service’ dropdown, you can instead:
- Select ‘File System’ from the dropdown.
- Select ‘File’ in ‘File or Directory’.
- Insert the following path into the field:
C:\Program Files\ThreatLocker\threatlockerservice.exe
- Choose ‘Exists’ from the dropdown.
This will search the system for the threatlockerservice.exe application. If the file is found on the machine, tickets generated from this monitor will automatically be resolved, because ThreatLocker will have been downloaded onto the system.
The ‘Monitor Output’ field can be set to whatever you prefer, but generating a ticket for it is recommended so you can be notified if a machine doesn’t properly install ThreatLocker.
Select the ‘Save’ button at the top of the page.
Your monitor will now be applied. The next time a user restarts their machine, ThreatLocker will begin installing on it after 10 minutes of uptime if it has not already been installed.
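To see what the monitor above will decide for a given endpoint, the following added example (not ThreatLocker or ConnectWise code) re-creates the trigger and ticket-resolution logic in PowerShell. The function names are hypothetical, and time since last boot is assumed to approximate the ‘Endpoint is Up’ for 10 minutes condition; the last sample shows that a machine with the file present but the service stopped never triggers the monitor.

```powershell
# Added example: local re-creation of the monitor's logic; not ThreatLocker or ConnectWise code.
$ServicePath   = 'C:\Program Files\ThreatLocker\threatlockerservice.exe'  # path from the article
$ServiceName   = 'ThreatLockerService'                                     # service name from the article
$UptimeMinutes = 10                                                        # threshold from the article

function Get-MonitorDecision {      # hypothetical helper name
    # Pure logic: "file does not exist AND endpoint up for 10 minutes" triggers the task;
    # the ticket resolves when the service is running (or, alternatively, the file exists).
    param([bool]$FileExists, [bool]$ServiceRunning, [double]$UptimeMin, [double]$Threshold = 10)
    [pscustomobject]@{
        FileExists        = $FileExists
        ServiceRunning    = $ServiceRunning
        UptimeMin         = [math]::Round($UptimeMin, 1)
        WouldRunInstaller = (-not $FileExists) -and ($UptimeMin -ge $Threshold)
        ResolvesByService = $ServiceRunning
        ResolvesByFile    = $FileExists
        # File present but service stopped: the trigger never fires, so no ticket is raised.
        PresentButStopped = $FileExists -and (-not $ServiceRunning)
    }
}

function Get-EndpointState {        # hypothetical helper name
    # Reads the live values on a Windows endpoint. Assumption: time since last boot
    # approximates the monitor's "Endpoint is Up for 10 minutes" condition.
    $svc   = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $boot  = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $state = @{
        FileExists     = Test-Path -LiteralPath $ServicePath -PathType Leaf
        ServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')
        UptimeMin      = ((Get-Date) - $boot).TotalMinutes
        Threshold      = $UptimeMinutes
    }
    Get-MonitorDecision @state
}

# Constructed sample states (not real telemetry), one per outcome.
$samples = @(
    @{ FileExists = $false; ServiceRunning = $false; UptimeMin = 3 },   # just booted: monitor waits
    @{ FileExists = $false; ServiceRunning = $false; UptimeMin = 25 },  # agent missing: task runs
    @{ FileExists = $true;  ServiceRunning = $true;  UptimeMin = 25 },  # healthy: ticket resolves
    @{ FileExists = $true;  ServiceRunning = $false; UptimeMin = 25 }   # present but stopped
)
foreach ($s in $samples) { Get-MonitorDecision @s }

# Live check on the current endpoint:
Get-EndpointState
```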