DeepSurface: Microsoft Endpoint Configuration Manager (part of InTune)
Using Microsoft Endpoint Configuration Manager (MECM) with DeepSurface RiskAnalyzer
There are many ways for DeepSurface RiskAnalyzer to gather the data on the hosts in your environment. Two of these ways can use automated tools, such as MECM, to either run a script remotely (user managed scan) or install the DeepSurface agent. Below is a guide for both methods depending on which method will work best for your given environment.
Before deciding on which method to use for a given host or group of hosts, consider what may make the most sense from a maintenance, access rights, and/or system loading perspective. Should you have any questions about how to decide on a method, don’t hesitate to reach out to DeepSurface support for further guidance.
Prerequisites
- The DeepSurface appliance is installed and configured
- Hosts that will run the agent must be able to communicate with the DeepSurface appliance over TCP port 44305 using the configured endpoint address
- Your team has an MECM subscription (or free trial)
Obtain the Relevant Script
The first step to installing a DeepSurface Agent or running a User-Managed Scan with RiskAnalyzer is to configure the associated endpoints, and then obtain the script related to the specific deployment method.
DeepSurface Agent
In the RiskAnalyzer console, navigate to:
Scanning > Agents > Edit Agent Configuration
Ensure the endpoint configuration and blackout settings are correct. For more information on these settings, refer to the embedded product manual. Once finished, save this configuration.
Upon returning from the Edit Agent Configuration screen, you will be presented with instructions on how to download and run the installation script. Download this script.
Finally, copy the command and arguments presented on the page for later use.
User-Managed
In the RiskAnalyzer console, navigate to:
Scanning > User Managed > Edit User Managed Configuration
Ensure the endpoint configuration settings are correct. For more information on these settings, refer to the embedded product manual. Once finished, save this configuration.
Upon returning from the Edit User Managed Configuration screen, you will be presented with instructions on how to download and run the installation script. Download this script.
Finally, copy the command and arguments presented on the page for later use.
The command and arguments presented on the page should resemble this:
NOTE: The name of the script varies depending on deployment method and will be referred to as “<deployment-script>” throughout the rest of this document.
Deploying with MECM
Prepare the installer
- Launch the Configuration Manager Console and select Software Library
- Select Overview > Right-Click Scripts > Create Script
- Specify script details with a name and description, leaving the script language defaulted to PowerShell
- Paste the contents of the <deployment-script> file into the script box
- Click Next
- Click inside the Default Value box for the thumbprint, registration_code, and endpoint parameters, entering the appropriate value for each. (Refer to the Obtain the Relevant Script section above if you are unsure of the required values for these parameters.)
- Select Next and confirm the details
- Upon completion, click Close to exit the wizard
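Before approving and running the script against a collection, it is worth confirming from a representative target that the appliance endpoint is reachable on TCP 44305 and that the certificate it presents matches the thumbprint you entered as a script parameter. The following is an added pre-flight check written for this guide, not DeepSurface's own code; it assumes the thumbprint parameter is the SHA-1 thumbprint of the appliance's TLS certificate and that the endpoint value is a hostname or IP address.

```powershell
# Added pre-flight check (not part of the DeepSurface deployment script).
# Assumption: $ExpectedThumbprint is the SHA-1 thumbprint of the appliance TLS
# certificate (hex, separators optional) and $Endpoint is the configured endpoint.
param(
    [Parameter(Mandatory)][string]$Endpoint,
    [Parameter(Mandatory)][string]$ExpectedThumbprint,
    [int]$Port = 44305
)

function Test-DeepSurfaceEndpoint {
    param([string]$HostName, [int]$Port, [string]$Thumbprint)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # 1. Plain TCP reachability on the agent port (prerequisite from this guide).
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(5000)) {
            return [pscustomobject]@{ Host = $HostName; Reachable = $false; ThumbprintMatch = $false; Observed = 'connect timeout' }
        }
        $client.EndConnect($async)

        # 2. TLS handshake. The callback accepts any certificate so we can read it;
        #    the thumbprint comparison below is the actual trust decision.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $observed = $cert.Thumbprint
        $expected = $Thumbprint -replace '[^0-9A-Fa-f]', ''
        $ssl.Dispose()
        return [pscustomobject]@{ Host = $HostName; Reachable = $true; ThumbprintMatch = ($observed -ieq $expected); Observed = $observed }
    } catch {
        return [pscustomobject]@{ Host = $HostName; Reachable = $false; ThumbprintMatch = $false; Observed = $_.Exception.Message }
    } finally {
        $client.Dispose()
    }
}

$result = Test-DeepSurfaceEndpoint -HostName $Endpoint -Port $Port -Thumbprint $ExpectedThumbprint
$result | Format-List
# Non-zero exit so MECM's script status surfaces the failure on the target.
if (-not $result.Reachable -or -not $result.ThumbprintMatch) { exit 1 }
```

A mismatch between the observed and expected thumbprint means either the wrong value was entered in the script's Default Value box or something other than the appliance is answering on that address; resolve it before approving the deployment script.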
Running the installation script
- Right-click the script and click Approve/Deny. Click through the wizard and verify that the thumbprint, registration_code, and endpoint parameter fields are correct.
- Click on Assets and Compliance. Select the devices targeted for the agent installation or user-managed scan.
- Right-click your selection and click Run Script. Select the script you created and hit Next.
Verify your installation
- The script status will be displayed on the next screen
- Log into the DeepSurface appliance console and check the Scanning > Status > Agent/User Managed section. Your DeepSurface agents or user-managed scan hosts will appear here as they check in.