Install cnspec on Windows
This page provides details on installing and configuring cnspec on Windows.
The msi package REGISTRATIONTOKEN argument allows you to pass in a temporary registration token
to the MSI installer. If the argument is provided, cnspec will be registered automatically during
installation.
Prerequisites
Before you integrate Microsoft Windows with Mondoo:
- Confirm access to the internet using PowerShell or CMD Terminal
- Confirm access to Mondoo systems using PowerShell or CMD Terminal
- Synchronize your system clock
Note: If you install cnspec on machines that can't download and install updates (because they're air-gapped or don't give cnspec write access), you must deploy cnspec providers. To learn more, read Manage cnspec Providers.
Access to the internet using PowerShell or CMD Terminal
If your organization's region (in the Mondoo Console) is US, you must be able to access us.api.mondoo.com. If your region is EU, you must be able to access eu.api.mondoo.com.
# from PowerShell
Test-NetConnection mondoo.com -Port 443
# from CMD terminal (activate telnet client if not already activated)
Telnet google.com 443If you have a proxy setting in your environment, you might need to configure it in the PowerShell and CMD Terminal:
netsh winhttp show proxySystems access
Be sure you have access to these systems from PowerShell or CMD Terminal:
install.mondoo.com Port 443/https
releases.mondoo.com Port 443/https
eu.api.mondoo.com Port 443/https
us.api.mondoo.com Port 443/https
registry.api.mondoo.com Port 443/httpsTo check connectivity, follow the approach in the previous section.
System clock sync
Make sure your system clock is in sync with your NTP or internet time:
w32tm /query /status
w32tm /query /peers
w32tm /resyncInstall cnspec on Windows
There are two ways of installing Mondoo on Windows:
Option A: Install using the automated install script in PowerShell
Make sure TLS 1.2 is enabled (it's enabled by default in modern Windows systems):
# To check
[Net.ServicePointManager]::SecurityProtocol
# If it is not enabled, enable it:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12Install cnspec by downloading a PowerShell script to memory and running it:
If you wish later the scan happens by loading the configured Policy from your Mondoo Console space, you need to register by having a registration token which will be given to you during integration from https://console.mondoo.com/.
Without RegistrationToken set, the policies will be automatically loaded from our registry of open source policies.
# $MONDOO_REGISTRATION_TOKEN="YOUR_TOKEN_HERE"
iex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1'))
Install-Mondoo # -RegistrationToken $MONDOO_REGISTRATION_TOKENThe installation creates one or two directories:
- The
C:\Program Files\Mondoodirectory contains binaries. - The
C:\ProgramData\Mondoodirectory is only created if the registration token is used. It contains themondoo.ymlconfiguration file.
Option B: Install manually (Mondoo package including cnspec)
-
Download the Mondoo Windows installer.
-
Execute the installer as administrator.
Example:
manual installation # PowerShell Start-Process -Wait msiexec -ArgumentList ' /i mondoo_12.8.1_windows_amd64.msi' # CMD Terminal start /wait msiexec /i mondoo_12.8.1_windows_amd64.msi -
Follow the steps and agree to the license agreement.
-
(Optional) Register cnspec with your Mondoo Platform account.
If you enter a registration token during the installation wizard, cnspec registers automatically.
You can also register by token later if needed:
CMD Terminal start /wait msiexec /i mondoo_12.8.1_windows_amd64.msi REGISTRATIONTOKEN="XXXXXXXXXXXXXXXXX"
Test and troubleshoot
Make sure the service is running and that it runs automatically at startup:
Set-Service -Name mondoo -Status Running -StartupType AutomaticValidate that the service is running:
# PowerShell
Get-Service mondoo
# CMD terminal
sc query mondooCheck the cnspec status:
cnspec statusIf cnspec is already registered, you should see this line in the status:
loaded configuration from C:\ProgramData\Mondoo\mondoo.yml using source defaultThe mondoo.yaml file has the certificate, private key, and the api endpoint.
Scan the local system:
cnspec scan localHere the cnspec will automatically load the policies from Mondoo Console spaces provided you have registered the mondoo with the token. Otherwise, the policies will be loaded from our registry.
You can also force the cnspec to load the policies only from registry:
cnspec scan local --incognitoDelete and reinstall:
In some situations, you might need to remove the services and install again.
sc stop mondoo
sc delete mondoo
rmdir "C:\Program Files\Mondoo"
rmdir "C:\ProgramData\Mondoo"Proxy configuration
cnspec also works behind a forward proxy, such as Squid.
$env:https_proxy = "<ip-address>:<port>"To set the proxy configuration for cnspec permanently, add the proxy configuration during cnspec registration:
cnspec login --token 'YOUR_TOKEN_HERE' --api-proxy 'http://1.1.1.1' --config 'C:\ProgramData\Mondoo\mondoo.yml'Or add it to the cnspec configuration directly, follow these steps:
- Navigate to the cnspec configuration file under
C:\ProgramData\Mondoo\mondoo.yml - Add this line:
api_proxy: http://1.1.1.1