Cisco
Login
Search
Software Secure Workload
Activity Configure

Deploy Software Agents on Workloads Deploy Software Agents Install Windows Agents for Deep Visibility and Enforcement Supported Methods to Install Windows Agents Install Windows Agent using the Agent Script Installer Method

Last updated: Jun 09, 2025

Install Windows Agent using the Agent Script Installer Method

We recommend the script installer method to deploy Windows agents for deep visibility and enforcement.


 

To install a Windows agent using the script installer method:

Procedure

1

Navigate to Agent Installation Methods:

  • If you are a first-time user, launch the Quick Start wizard and click Install Agents.

  • From the navigation pane, choose Manage > Agents, and select the Installer tab.
2

Click Agent Script Installer.
3

From the Select Platform drop-down menu, choose Windows.

To view the supported Windows platforms, click Show Supported Platforms.
4

Choose the tenant to install the agents.


 

Selecting a tenant is not required for Secure Workload SaaS clusters.
5

If you want to assign labels to the workload, choose the label keys and enter label values.

When the installed agent reports IP addresses on the host, the installer CMDB labels selected here, along with other uploaded CMDB labels that have been assigned to IPs reported by this host, would be assigned to the new IP address. If there are conflicts between uploaded CMDB labels and installer CMDB labels:

  • Labels assigned to an exact IP address take precedence over labels assigned to the subnet.

  • Existing labels assigned to an exact IP address take precedence over installer CMDB labels.
6

If HTTP proxy is required to communicate with Secure Workload, choose Yes, and then enter a valid proxy URL.
7

Under the Installer expiration section, select one from the available options:

  • No expiration: The installer script can be used multiple times.

  • One time: The installer script can be used only once.

  • Time bound: You can set the number of days for which the installer script can be used.

  • Number of deployments: You can set the number of times the installer script can be used.
8

Click Download and save the file to the local disk.
9

Copy the installer PowerShell script to all the Windows hosts for deployment and run the script with administrative privileges.


 

  • Depending on the system settings, the command Unblock-File may need to be run before other commands.

  • The script does not run if the agent is already installed on the tenant.
We recommend running the pre-check, as specified in the script usage details.

Windows installer script usage details:

# powershell -ExecutionPolicy Bypass -File tetration_windows_installer.ps1 [-preCheck] [-skipPreCheck <Option>] [-noInstall] [-logFile <FileName>] [-proxy <ProxyString>] [-noProxy] [-help] [-version] [-sensorVersion <VersionInfo>] [-ls] [-file <FileName>] [-save <FileName>] [-new] [-reinstall] [
-npcap] [-forceUpgrade] [-upgradeLocal] [-upgradeByUUID <FileName>] [-visibility] [-goldenImage] [-installFolder <Installation Path>]
  -preCheck: run pre-check only
  -skipPreCheck <Option>: skip pre-installation check by given option; Valid options include 'all', 'ipv6' and 'enforcement'; e.g.: '-skipPreCheck all' will skip all pre-installation checks; All pre-checks will be performed by default
  -noInstall: will not download and install sensor package onto the system
  -logFile <FileName>: write the log to the file specified by <FileName>
  -proxy <ProxyString>: set the value of HTTPS_PROXY, the string should be formatted as http://<proxy>:<port>
  -noProxy: bypass system wide proxy; this flag will be ignored if -proxy flag was provided
  -help: print this usage
  -version: print current script's version
  -sensorVersion <VersionInfo>: select sensor's version; e.g.: '-sensorVersion 3.4.1.0.win64'; will download the latest version by default if this flag was not provided
  -ls: list all available sensor versions for your system (will not list pre-3.1 packages); will not download any package
  -file <FileName>: provide local zip file to install sensor instead of downloading it from cluster
  -save <FileName>: downloaded and save zip file as <FileName>
  -new: remove any previous installed sensor;
  -reinstall: reinstall sensor and retain the same identity with cluster; this flag has higher priority than -new
  -npcap: overwrite existing npcap
  -forceUpgrade: force sensor upgrade to version given by -sensorVersion flag; e.g.: '-sensorVersion 3.4.1.0.win64 -forceUpgrade'; apply the latest version by default if -sensorVersion flag was not provided
  -upgradeLocal: trigger local sensor upgrade to version given by -sensorVersion flag; e.g.: '-sensorVersion 3.4.1.0.win64 -upgradeLocal'; apply the latest version by default if -sensorVersion flag was not provided
  -upgradeByUUID <FileName>: trigger sensor whose uuid is listed in <FileName> upgrade to version given by -sensorVersion flag; e.g.: '-sensorVersion 3.4.1.0.win64 -upgradeByUUID "C:\\Program Files\\Cisco Tetration\\sensor_id"'; apply the latest version by default if -sensorVersion flag was not provided
  -visibility: install deep visibility agent only; -reinstall would overwrite this flag if previous installed agent type was enforcer
  -goldenImage: install Cisco Secure Workload Agent but do not start the Cisco Secure Workload Services; use to install Cisco Secure Workload Agent on Golden Images in VDI environment or Template VM. On VDI/VM instance created from golden image with different host name, Cisco Secure Workload Services will work normally
  -installFolder: install Cisco Secure Workload Agent in a custom folder specified by -installFolder e.g.: '-installFolder "c:\\custom sensor path"'; default path is "C:\Program Files\Cisco Tetration"

Previous topic Supported Methods to Install Windows Agents Next topic Install Windows Agent using the Agent Image Installer Method