Installing the Windows Cerulean Agent via GPO
A step-by-step guide to deploying the Cerulean Agent across your Windows environment using Group Policy Object (GPO).
Overview
The Cerulean Agent provides automated data collection and configuration services for your endpoints and lays the framework for AgileBlue's autonomous response capabilities. The Cerulean Agent includes several enhancements and remote support capabilities not included in previous AgileBlue Management Agent versions.
This guide covers deploying the Cerulean Agent at scale using Group Policy Object (GPO) via a startup script. This method is ideal for environments where a Remote Monitoring and Management (RMM) tool is not available.
Relevant Agent Versions
This guide covers the installation process for the Cerulean Agent, starting with version 2304.3.2.
For questions regarding installation of previous AgileBlue Agent versions, please contact AgileBlue Support.
Supported Operating Systems
The agent supports the following Windows operating systems:
- Windows 10 and newer
- Windows Server 2016 and newer
Minimum System Requirements
The agent is specially designed to use minimal system resources; the requirements for the agent are simply those of the installed operating system. On virtual machine infrastructure, take care that the actual allocation of resources meets the operating system and user load requirements. Specifically, shared computing environments such as VDI desktops or Terminal Server / Services should have adequate resources to handle the user load. AgileBlue cannot guarantee the complete functionality of the agent if resources do not meet recommended levels.
Networking Requirements
The Cerulean Agent, and its associated data collection services, securely sends data over the internet to the AgileBlue Cloud. To allow this, the following ports should be configured for outbound traffic on all devices and environment firewalls, routers, etc.:
- TCP Outbound Port 443
- TCP Outbound Port 9243
Additionally, the Cerulean Agent will install the Elastic Agent, which requires the following TCP ports to be available:
- 6791/HTTP – Leveraged for performance monitoring of the Elastic Agent
- 6789/GRPC – Used for management of the Elastic Agent
Any endpoint receiving the Cerulean Agent must also be able to reach the following domains for full functionality:
- agentapi.agileblue.com
- data.agileblue.com
- response.agileblue.com
- artifacts.security.elastic.co
Anti-Virus Configuration
The Cerulean Agent performs administrative actions on your devices that some anti-virus systems may identify as malicious. To prevent anti-virus systems from quarantining or otherwise impeding the agent, please whitelist the following files and paths before deployment:
- C:\Program Files\Cerulean\*
- C:\Program Files\Elastic\Agent\*
- C:\programdata\cerulean\*
- C:\Program Files\Elastic\Agent\elastic-agent.yml
- C:\Program Files\Elastic\Agent\fleet.enc
- C:\Program Files\Elastic\Agent\data\elastic-agent-*\logs\elastic-agent-json.log
- C:\Program Files\Elastic\Agent\data\elastic-agent-*\logs\default\*-json.log*
- C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe
- C:\Windows\system32\drivers\elastic-endpoint-driver.sys
- C:\Windows\system32\drivers\ElasticElam.sys
Step 1: Download the Installer
When downloading the Cerulean Agent installer, you will receive a ZIP file containing windows_installer3.exe, which is required for the installation process.
- Open a web browser and navigate to the AgileBlue Portal
- Select Agent from the management section of the navigation menu
- Click on the Windows Agent Installer tile
- Take note of the API Key provided on the corresponding pop-up — you will need this in a later step
- Download and unzip the ZIP file to a secure location on your network
Step 2: Place the Installer on a Network Share
A network share is required so that all target machines can access the installer files during the GPO startup script execution.
- Identify or create a shared network folder accessible to all target machines (e.g., \\YourServer\CeruleanDeploy)
- Copy windows_installer3.exe into that shared folder
- Confirm that the share permissions grant read access to the computer accounts (or the appropriate security group) that will be receiving the agent
Step 3: Create the Startup Script
A startup script will be used to silently install the Cerulean Agent on each target machine when it boots.
- Create a new text file and name it install_cerulean.bat
- Add the following command to the file, replacing YOURAPIKEY with the API Key noted in Step 1:
- \\YourServer\CeruleanDeploy\windows_installer3.exe install -a YOURAPIKEY -u https://agentapi.agileblue.com
- Save the file and copy it into the same shared network folder created in Step 2
Note: If your environment requires PowerShell instead of a batch script, create a .ps1 file and use the following command instead, replacing YOURAPIKEY with your API Key:
- & "\\YourServer\CeruleanDeploy\windows_installer3.exe" install -a YOURAPIKEY -u https://agentapi.agileblue.com
Step 4: Configure the GPO
- Open the Group Policy Management Console (GPMC) on your domain controller
- Right-click the Organizational Unit (OU) containing the target machines and select Create a GPO in this domain, and Link it here…
- Name the GPO (e.g., Cerulean Agent Deployment) and click OK
- Right-click the newly created GPO and select Edit
- In the Group Policy Management Editor, navigate to: Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)
- Double-click Startup
- Click Add
- In the Script Name field, enter the full UNC path to your startup script:
- \\YourServer\CeruleanDeploy\install_cerulean.bat
- Leave the Script Parameters field blank and click OK
- Click Apply, then OK to close the Startup Properties window
Step 5: Apply and Force the GPO
- Close the Group Policy Management Editor
- In the Group Policy Management Console, confirm the GPO is linked to the correct OU
- To apply the policy immediately without waiting for the next reboot cycle, open a Command Prompt with administrator privileges on a target machine and run:
- gpupdate /force
Step 6: Confirm Installation Success
After deployment of group policy, verify that the installation completed successfully by confirming that the following services are present with the status and startup type listed below:
| Service | Status | Startup Type |
|---|---|---|
| Cerulean Agent | Running | Automatic |
| Cerulean Updater | N/A | Manual |
| Elastic Agent | Running | Automatic |
| Elastic Endpoint | Running | Automatic |
Note: For PRO subscribers, Cerulean will also automatically install the Nodeware Agent for vulnerability scanning.
Optionally, you can also confirm installation by verifying that the following file is present on the target machine:
- C:\Program Files\Cerulean\cerulean-agent.exe
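The Step 6 checks as a script, added here as an example and not AgileBlue's own tooling. It assumes the names in the service table above are the services' display names; run it in an elevated PowerShell session on a target machine.

```powershell
# Added example, not vendor code. Assumption: the names in the Step 6 table
# are the services' display names as shown in services.msc.
$ExpectedServices = @(
    @{ Name = 'Cerulean Agent';   State = 'Running'; StartMode = 'Auto'   }
    @{ Name = 'Cerulean Updater'; State = $null;     StartMode = 'Manual' }  # Status is N/A
    @{ Name = 'Elastic Agent';    State = 'Running'; StartMode = 'Auto'   }
    @{ Name = 'Elastic Endpoint'; State = 'Running'; StartMode = 'Auto'   }
)
$AgentExe = 'C:\Program Files\Cerulean\cerulean-agent.exe'

function Test-CeruleanInstall {
    foreach ($e in $ExpectedServices) {
        # Win32_Service reports the "Automatic" startup type as StartMode 'Auto'.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName = '$($e.Name)'" |
            Select-Object -First 1
        # A null expected state means the table lists the status as N/A.
        $stateOk = (-not $e.State) -or ($svc.State -eq $e.State)
        [pscustomobject]@{
            Check  = "Service: $($e.Name)"
            Actual = if ($svc) { "$($svc.State) / $($svc.StartMode)" } else { 'not installed' }
            Pass   = [bool]($svc -and $stateOk -and ($svc.StartMode -eq $e.StartMode))
        }
    }
    # Optional file check from Step 6.
    $present = Test-Path -LiteralPath $AgentExe -PathType Leaf
    [pscustomobject]@{
        Check  = "File: $AgentExe"
        Actual = if ($present) { 'present' } else { 'missing' }
        Pass   = $present
    }
}

$results = @(Test-CeruleanInstall)
$results | Format-Table -AutoSize -Wrap
# A non-zero exit code lets a scheduled task or inventory tool flag the host.
if ($results.Pass -contains $false) { exit 1 }
```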
Manage Your Installation
Once deployed, the Cerulean Agent has several built-in management options available from an elevated command prompt. The following commands can be used for ongoing management:
- windows_installer3.exe help
Available Commands:
| Command | Description |
|---|---|
| help | Help about any command |
| install | Installs the Cerulean Agent onto the system |
| repair | Repairs a Cerulean Agent installation |
| uninstall | Uninstalls the Cerulean Agent |
Available Flags (must be added after one of the commands above):
| Flag | Description |
|---|---|
| -h | Help for windows_installer3.exe |
| -v | Verbose output |
| -i | Places agent into image mode, intended for Golden Image usage |
| -s | Places agent into syslog mode |
Need Help?
AgileBlue is always here to support you and ensure you are 100% successful. If there are any issues with the installation or if you have any questions, please reach out to AgileBlue Support.
Email: support@agileblue.com
Phone: (216) 606-9400