Deploying GYTPOL Sensor via GPO
- Mark Zuk
Export GYTPOL certificate
Install GYTPOL Sensor for Windows manually from an elevated CMD.
Please follow this user guide to see manual installation steps.
Once GYTPOL Sensor is installed, please open mmc from Run and add Certificates Snap-in using the file menu.
When you click Add > → choose Computer Account and click Next.
Choose Local Computer and click Finish.
Click OK on the Add or Remove Snap-ins window.
In the Certificates console, browse to Trusted Publishers → Certificates and look for GYTPOL LTD.
Right click GYTPOL LTD → All Tasks → Export
Follow the Export Wizard with its defaults and save the file somewhere in your network. We will import it to our GPO created in the next steps, so keep in mind it should be accessible to your Domain Controller.
Creating the GPO
Create a folder named gytpol under your domains NETLOGON folder.
Replace domain.local with your domain name
Copy the MSI files only from GYTPOLs Sensor zip file into that folder
Download the gytpolClient_GPO.txt from https://gytpol.com/gpoScript and rename it to gytpolClient_GPO.ps1. Copy the gytpolClient_GPO.ps1 script to the Netlogon folder you created.
Go to your Group Policy Management Console (GPMC) → Forest → Domains → yourDomainName → Right click and select “Create a GPO in this domain, and link it here…”
Name the GPO as GYTPOL Sensor Deployment (or any relevant name) → OK
Right click the policy you created → Edit
Go to Computer Configuration → Preferences → Control Panel Settings → Scheduled Tasks → New → Immediate Task (At least Windows 7)
Task Properties:
General tab: Name the task “GYTPOL Sensor deploy”, run it under NT AUTHORITY\SYSTEM, check Run with highest privileges and select the Hidden check boxes.
Actions tab: click New.
Under Settings Program/Settings enter the following: c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Add arguments (optional): -executionpolicy remoteSigned -file “\\yourDomainName\netlogon\gytpol\gytpolClient_GPO.ps1”
Conditions tab: check Wake the computer to run this task
Settings tab: Set the options as shown
Common tab: leave default settings
Click OK to close the task scheduler properties
Adding the Certificate to our GPO
Browse to Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Trusted Publishers
R. click on Trusted Publishers → Import
Browse to the location where the exported certificate is stored and import it to the Certificate Import Wizard
Follow the Wizard with its defaults and the certificate will be shown in the Trusted Publishers folder in GPMC:
Close the GPO window and go back to the Group Policy Management Console (GPMC) → right click on the GYTPOL Sensor Deployment object → click Enforced and make sure this is what you see:
Once the GPO is refreshed on the PC/Server it will run the task and you should start seeing new devices added to the Dashboard.
You can manually test the policy by running gpupdate /force from an elevated Command Prompt and check if Powershell.exe executes and msiexec.exe is also running.