# Install DISCOVER Agent

The Scanning Agent, DISCOVER Agent, or simply Agent, is the Windows service that performs scan work and reports results to the Management Console. It can be deployed in two ways, depending on whether you want each device to scan itself (local scan) or a central host to scan other devices remotely (agentless scan).

## Prerequisites

Before proceeding, ensure the following requirements are met:

{% hint style="info" %}

* You have administrator rights on the device where the Scanning Agent will be installed and can access the Management Console over HTTPS.
* If you plan to scan Microsoft 365 services, have the Tenant ID, Client ID, Global admin credentials, and client secret/certificate ready.
  {% endhint %}

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="171">Component</th><th width="217">Minimum Requirements (Scanning Agent)</th><th>Minimum Requirements (Endpoints)</th></tr></thead><tbody><tr><td>Processor</td><td>8 cores or more</td><td>4 cores or more</td></tr><tr><td>RAM</td><td>16 GB</td><td>8 GB</td></tr><tr><td>Disk Space</td><td>At least 500 GB</td><td>5 GB or more</td></tr><tr><td>Operating System</td><td>Windows 10, Windows 11, Windows Server 2019+</td><td>Windows 10, Windows 11, Windows Server 2019+</td></tr></tbody></table>

{% stepper %}
{% step %}

## Install the Agent

1. Double-click the `.msi` file to launch the installer.
2. Click **Next**, then click **Install**.
3. Wait for the installation to complete.

<div align="left"><img src="/files/66b87545fdd1923ae62e3454fbed68a44939c0d8" alt="" width="375"></div>

The Scanning Agent installs and runs as a Windows background service. Once running, the Scanning Agent registers with the Management Console using the device name and is ready to receive and execute instructions.

### 2.1 Verify the Installation

Confirm the Scanning Agent is running before proceeding:

1. Open **Task Manager** (`Ctrl + Shift + Esc`).
2. Click **Processes**, type **GuardWare Scan Utility** and confirm that it appears under **Background processes**.

<div align="left"><figure><img src="/files/C3LlXR94aEwVRlgxKL9W" alt="" width="480"><figcaption></figcaption></figure></div>

3. Next, open **Run**, type `services.msc`, and press **Enter**. Confirm the GuardWare scanning service is listed and running.

<div align="left"><figure><img src="/files/lbp1n5W71cXaBOZQKGt3" alt="" width="480"><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

## Confirm Registration

1. Open a browser and log in to the **Management Console**.
2. Navigate to **DEVICES** > **DISCOVER**.<br>

   <figure><img src="/files/pkgMPbgGPkWqRtT6aogt" alt="" width="563"><figcaption></figcaption></figure>
3. Confirm the Scanning Server appears in the list and its status shows as **Online**.

If the host does not appear, confirm it can reach the Management Console host over HTTPS and that no firewall is blocking the connection.
{% endstep %}

{% step %}

## Configure Certificate Verification

If a self-signed certificate is used, whether generated automatically by the installer or provided as a `.pfx` file during installation, you need to bypass certificate verification after installation.

Bypassing certificate verification disables validation of the certificate's authenticity, not the encryption itself. Communication between the Scanning Server and the Management Console remains encrypted over HTTPS using SSL/TLS.

1. Open **Registry Editor**.
2. Navigate to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\GuardWare\DISCOVER`.
3. Right-click and select **New** > **String Value**.<br>

   <div align="left"><figure><img src="/files/AmVDYiYaQCcfkqwbg271" alt="" width="375"><figcaption></figcaption></figure></div>
4. Name the value `cert_verification`, set the value data to `0`, and click **OK**.<br>

   <div align="left"><figure><img src="/files/hMneb9a1M8L4M949tIs3" alt="" width="489"><figcaption></figcaption></figure></div>
5. Close the Registry Editor.
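
Because the agent no longer validates the certificate once `cert_verification` is `0`, it helps to record which hosts carry the bypass and which certificate the Management Console actually presents. The following audit script is an added example, not GuardWare code; `console.example.internal` is a placeholder host name, and the registry key and value name are the ones from the steps above.

```powershell
# Added example, not vendor code. Run in PowerShell on the Scanning Server.
$ConsoleHost = 'console.example.internal'            # placeholder: your Management Console host
$ConsolePort = 443
$RegPath     = 'HKLM:\SOFTWARE\GuardWare\DISCOVER'   # key from the steps above

function Get-CertVerificationState {
    param([string]$Path = $RegPath)
    $prop = Get-ItemProperty -Path $Path -Name 'cert_verification' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'not set' }
    if ([string]$prop.cert_verification -eq '0') { return 'bypassed' }
    return "set to '$($prop.cert_verification)'"
}

function Get-ServerCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever is presented so a self-signed certificate can be inspected.
        # Only the TLS handshake happens; no application data is sent.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $tcp.Dispose() }
}

$cert  = Get-ServerCertificate -HostName $ConsoleHost -Port $ConsolePort
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()

[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    CertVerification = Get-CertVerificationState
    Subject          = $cert.Subject
    Issuer           = $cert.Issuer
    SelfSigned       = ($cert.Subject -eq $cert.Issuer)
    ChainsToTrusted  = $chain.Build($cert)   # Windows trust store only; host name is not checked
    NotAfter         = $cert.NotAfter
    Thumbprint       = $cert.Thumbprint      # record it; investigate a change you did not make
} | Format-List
```

A successful run also confirms that the host can reach the Management Console over HTTPS.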
   {% endstep %}

{% step %}

## Configure Remote Access

{% hint style="danger" %}
If you only want to perform local scans or scan Microsoft 365 services, **skip the Configure Remote Access section** and continue to [**Whitelist GuardWare DISCOVER**](/setup-and-deploy/whitelist-guardware/whitelist-discover.md). The following step is only required if the Scanning Server will scan targets remotely (agentless scans).
{% endhint %}

To perform a remote scan, each target device must have the appropriate protocol configured to accept connections from the Management Console. GuardWare provides PowerShell scripts that enable the required services, set permissions, and configure firewall rules.

For Microsoft 365 targets, the Scanning Server only needs outbound HTTPS access and valid Microsoft Entra ID (Azure AD) Global admin credentials.

#### Ports Required

<table><thead><tr><th width="125">Target type</th><th width="82">Protocol</th><th width="94">Port(s)</th><th width="135">Direction</th><th>Notes</th></tr></thead><tbody><tr><td>Windows endpoints</td><td>WinRM</td><td>5985 (HTTP), 5986 (HTTPS)</td><td>Outbound from scanning server</td><td>Run the WinRM configuration script on each target.</td></tr><tr><td>Other endpoints</td><td>SSH</td><td>22</td><td>Outbound from scanning server</td><td>Run the OpenSSH configuration script on each target.</td></tr><tr><td>SMB file shares</td><td>SMB</td><td>445</td><td>Outbound from scanning server</td><td>Ensure the share is accessible with valid credentials.</td></tr><tr><td>Exchange Online / SharePoint Online</td><td>HTTPS</td><td>443</td><td>Outbound from scanning server</td><td>No device-side script required. Requires Microsoft Entra ID (Azure AD) Global Admin credentials.</td></tr></tbody></table>
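
Once the targets are configured, the ports in the table can be checked from the Scanning Server before the first remote scan. This pre-flight script is an added example, not GuardWare code: the host names are placeholders, `login.microsoftonline.com` is used only as a representative Microsoft 365 host, and the check is TCP-level only (it does not authenticate).

```powershell
# Added example, not vendor code. Run on the Scanning Server.
# Host names are placeholders; the ports are the ones in the table above.
$targets = @(
    @{ Name = 'win-target.example.internal'; Type = 'Windows endpoint (WinRM)'; Ports = @(5985, 5986) }
    @{ Name = 'ssh-target.example.internal'; Type = 'Other endpoint (SSH)';     Ports = @(22) }
    @{ Name = 'fileserver.example.internal'; Type = 'SMB file share';           Ports = @(445) }
    @{ Name = 'login.microsoftonline.com';   Type = 'Microsoft 365 (HTTPS)';    Ports = @(443) }
)

function Test-ScanTargetPorts {
    param([Parameter(Mandatory)][hashtable[]]$Targets)
    foreach ($t in $Targets) {
        foreach ($port in $t.Ports) {
            $r = Test-NetConnection -ComputerName $t.Name -Port $port `
                                    -WarningAction SilentlyContinue
            [pscustomobject]@{
                Type      = $t.Type
                Target    = $t.Name
                Port      = $port
                Resolved  = [bool]$r.RemoteAddress     # false when DNS lookup failed
                Reachable = [bool]$r.TcpTestSucceeded  # outbound TCP connect succeeded
            }
        }
    }
}

$results = Test-ScanTargetPorts -Targets $targets
$results | Format-Table -AutoSize

# Flag targets where none of the listed ports answered: check the configuration
# script ran on the target and that no firewall sits between the two hosts.
$results | Group-Object Target | ForEach-Object {
    if (-not ($_.Group | Where-Object Reachable)) {
        Write-Warning "$($_.Name): no listed port reachable from $env:COMPUTERNAME"
    }
}
```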

#### Remote Configuration Scripts

Download and deploy the appropriate script on each target device (WinRM for Windows and SSH for other devices):

{% file src="/files/QGcrBEnqg5wceCeSpeGl" %}

{% file src="/files/izeJiUCSJ3QBUF9xRNQP" %}

{% hint style="info" %}
[**Microsoft Intune**](#deploy-script-via-microsoft-intune)

Recommended for cloud-managed or Entra ID (Azure AD)-joined devices. Go to the Intune admin center and deploy the script.

[**Group Policy (GPMC)**](#deploy-script-via-group-policy-management-console)

Recommended for Active Directory-joined devices. Assign as a Startup or Logon script via the Group Policy Management Console.

[**Local Deployment**](#deploy-the-script-locally)

Run the script directly on each target device using PowerShell with administrator rights. Suitable for small environments or one-off targets.
{% endhint %}

<details open>

<summary><strong>Deploy Script via Microsoft Intune</strong></summary>

Use this method for devices enrolled in Microsoft Intune and joined to Microsoft Entra ID (Azure AD). Devices must be running Windows 10 or 11 (version 1607 or later, excluding Home and S Mode) with .NET Framework 4.7.2 or later installed.

1. Open the [Microsoft Intune admin center](https://endpoint.microsoft.com/) and sign in using your administrator credentials.
2. Go to **Devices** > **Scripts and remediations** > **Platform scripts** and click **+Add**.

<div align="left"><img src="/files/f319fa3c4febee202cfcbcd1f666c0304397be5d" alt="" width="563"></div>

3. Enter a **Name** for your script (e.g., *Configure WinRM* or *Configure SSH*), add a **Description** (optional), and click **Next**.

<div align="left"><figure><img src="/files/qK6oDRQNustrIdd47M5q" alt="" width="375"><figcaption></figcaption></figure></div>

4. Click the **folder icon** and upload the provided PowerShell script.
   1. **Run this script using the logged on credentials:** Set to **No** to run as **System** (recommended for admin-level operations like remote access).
   2. **Enforce script signature check:** Enable only if your script is digitally signed.
   3. **Run the script in 64-bit PowerShell:** Set to **Yes**, then click **Next.**

<div align="left"><figure><img src="/files/k2bEi6r0Fh6EFD6NnyPz" alt="" width="375"><figcaption></figcaption></figure></div>

5. If your organisation uses **scope tags** for role-based access control, add them here and click **Next**.
6. Under **Included groups**, click **Add groups** and select the Entra ID (Azure AD) user or device groups you want to target.

<div align="left"><img src="/files/c65697bde3ff001f8c875bdc4edc5203d279a510" alt="" width="563"></div>

7. Optionally, configure **Excluded groups** and click **Next**.

<div align="left"><img src="/files/e326f0a378edd6dedbe45a3527fc6d85974c7dcf" alt="" width="563"></div>

8. Review your configuration, then click **Create** to deploy the script.

<div align="left"><img src="/files/b6e73c4867e6343da8b820e5a718196542922b8d" alt="" width="563"></div>

</details>

<details>

<summary><strong>Deploy Script via Group Policy Management Console</strong></summary>

Use this method for devices joined to an Active Directory domain. The script runs automatically on target devices depending on the policy type assigned.

1. Press **Windows + R**, type `gpmc.msc`, and press **Enter** to open the **Group Policy Management Console (GPMC)**.

<div align="left"><img src="/files/9eb76fd5e81e8e1547345b7ba00e939ad9cc56c2" alt="" width="375"></div>

2. In the GPMC console, navigate to the **Organizational Unit (OU)** that contains the target devices.
3. Right-click the OU and select **Create a GPO in this domain, and Link it here**.

<div align="left"><img src="/files/08d8c79ab98bd55f05854ebc13c60ea670158111" alt="" width="563"></div>

4. Enter a name for the GPO (e.g., Remote Access Configuration) and click **OK**.

<div align="left"><img src="/files/c7f4c5faaf68f0cdfca4bb62a00156f64fc0cd24" alt="" width="563"></div>

5. Right-click the newly created GPO and select **Edit** to open the **Group Policy Management Editor**.

<div align="left"><img src="/files/3f8b13b6ee9ace934531d15da11223f26ed3b161" alt="" width="563"></div>

6. To deploy the script as a **Startup script (runs as System)**, navigate to **Computer Configuration** > **Policies** > **Windows Settings** > **Scripts (Startup/Shutdown)** > **Startup.**

<div align="left"><img src="/files/984f1ce08e8d2b01a55b69c27d8b711a43e3b34c" alt="" width="563"></div>

7. Click **Add**, then **Browse** to select your PowerShell script, or enter the **network path** if stored on a shared location, and click **OK** to save.

<div align="left"><img src="/files/855b25cd6be9e5779f7c782fa00cbfed155863ce" alt="" width="563"></div>

8. To deploy the script as a **Logon script (runs as the logged-in user)**, navigate to **User Configuration** > **Policies** > **Windows Settings** > **Scripts (Logon/Logoff)** > **Logon**.

<div align="left"><img src="/files/18262cb974f4e5cd83dbbe8cacb01111dda04fa4" alt="" width="563"></div>

9. Click **Add**, then **Browse** to select your PowerShell script and click **OK** to save.

<div align="left"><img src="/files/7390a743a49e6d466583ca586e3eebc6a87ce75a" alt="" width="563"></div>

10. Close the editor, then ensure the GPO is **linked to the correct OU** that contains the target devices.
11. On a target device, open **Command Prompt** and run `gpupdate /force` to apply the new policy immediately, or wait for the next automatic Group Policy refresh.

<div align="left"><img src="/files/56f3a10b0cef6c4e516bf5259bc52d9aac1d0b5c" alt="" width="375"></div>

Once deployed, the script executes on target devices based on the assigned policy type (**Startup** or **Logon**) and automatically applies the intended configuration.

</details>

<details>

<summary><strong>Deploy the Script Locally</strong></summary>

Use this method to run the configuration script directly on an individual target device. Before running the SSH script, configure SSH sessions to open in PowerShell rather than the default Command Prompt.

#### Set PowerShell as the SSH default shell (SSH targets only)

1. Open **Run** and type `regedit` to open the **Registry Editor**.

<div align="left"><img src="/files/738928615da28e580a36c9426b50ad8345748a67" alt="" width="375"></div>

2. Navigate to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH`.

<div align="left"><img src="/files/cedc82c6849f07e99ae6673fc0af0cd02cfa3aa8" alt="" width="563"></div>

3. Check for a string value named `DefaultShell`. If it does not exist, right-click an empty area and select **New** > **String Value**. Name the value `DefaultShell` and open it.

<div align="left"><img src="/files/e50d941099f35cb7dbbb321a08c22b44ec6b89e6" alt="" width="375"></div>

4. Set the value data to:\
   `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`.\
   If PowerShell Core is installed and preferred, you may need to enter:\
   `C:\Program Files\PowerShell\7\pwsh.exe`.

<div align="left"><img src="/files/5c46883ded7ca19542e6721f17ec4f250d82357f" alt="" width="375"></div>

5. Close the Registry Editor.

#### Run the Remote Configuration Script

1. Click **Start**, type **`PowerShell`**, right-click it, and select **Run as administrator**.

<div align="left"><img src="/files/9356462ca1abcc2f2c4e5bcd4f4f31135a810a15" alt="" width="375"></div>

2. Run the following commands, replacing the filename with the script you are deploying:

{% code overflow="wrap" %}

```powershell
# Replace "WinRM Configuration.ps1" with "OpenSSH Configuration.ps1" if configuring SSH targets.

$scriptPath = Join-Path $env:USERPROFILE "Downloads\WinRM Configuration.ps1"
& $scriptPath
```

{% endcode %}

<figure><img src="/files/p8miSvNBmV116agsDz0u" alt=""><figcaption></figcaption></figure>

3. Close **PowerShell.**
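
The script in step 2 runs with administrator rights, so it is worth confirming that the file on disk is the copy you reviewed before executing it. The following check is an added example, not GuardWare code; `$reviewedHash` is a placeholder for the SHA-256 of your reviewed copy (the page does not publish a hash), and the path is the one used in step 2.

```powershell
# Added example, not vendor code. Run before executing the downloaded script.
$scriptPath   = Join-Path $env:USERPROFILE 'Downloads\WinRM Configuration.ps1'
$reviewedHash = '<SHA256-OF-THE-COPY-YOU-REVIEWED>'   # placeholder, not a published value

function Get-ScriptTrustReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "Script not found: $Path" }

    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    # Zone.Identifier is the Mark-of-the-Web stream browsers attach to downloads.
    $motw = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Sha256          = $hash
        HashMatches     = ($hash -eq $ExpectedSha256)
        SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer          = $sig.SignerCertificate.Subject
        MarkOfTheWeb    = [bool]$motw
        ExecutionPolicy = Get-ExecutionPolicy  # effective policy for this session
    }
}

$report = Get-ScriptTrustReport -Path $scriptPath -ExpectedSha256 $reviewedHash
$report | Format-List

if (-not $report.HashMatches) {
    Write-Warning 'File differs from the reviewed copy. Do not run it.'
}
elseif ($report.SignatureStatus -eq 'HashMismatch') {
    Write-Warning 'Signature does not match the file contents. Do not run it.'
}
elseif ($report.SignatureStatus -ne 'Valid' -and
        ($report.ExecutionPolicy -eq 'AllSigned' -or
         ($report.ExecutionPolicy -eq 'RemoteSigned' -and $report.MarkOfTheWeb))) {
    Write-Warning 'The current execution policy is likely to block this unsigned script.'
}
else {
    Write-Output 'Checks passed; the script can be run as shown in step 2.'
}
```

The same hash comparison applies to the copy uploaded to Intune or referenced from a GPO network path.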

</details>
{% endstep %}
{% endstepper %}

