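<#
.SYNOPSIS
Bootstrap trust of the TompkinsRND MeshCentral root CA and install the MeshCentral agent on a Windows machine.

.DESCRIPTION
Run as Administrator in an elevated PowerShell session.

1. Downloads the MeshCentral root CA certificate from https://certs.mesh.tompkinsrnd.com and installs it
   into the LocalMachine Trusted Root store. This makes the agent's Authenticode signature validate as
   trusted. If -ExpectedRootThumbprint is given, the downloaded certificate must match it or the script
   aborts before anything is imported.
2. Downloads the MeshCentral agent installer for the specified device group, checks that its Authenticode
   signature is valid (unless -SkipSignatureCheck is given), and runs it.

The agent installer is downloaded from the MeshCentral web endpoint with the supplied -MeshId. Find the
mesh ID for a device group in the MeshCentral web UI: My Devices > > Add Agent > look at the download URL
for `meshid=...`.

.PARAMETER MeshId
The MeshCentral device group ID (the `meshid` parameter from the agent download URL).

.PARAMETER Server
Base URL of the MeshCentral server. Default: https://mesh.tompkinsrnd.com

.PARAMETER CertServer
Base URL of the root CA distribution endpoint. Default: https://certs.mesh.tompkinsrnd.com

.PARAMETER AgentType
Numeric agent type passed to /meshagents?id=. 4 = Windows x64 service, 3 = Windows x86 service. Default: 4.

.PARAMETER ExpectedRootThumbprint
Optional SHA-1 thumbprint of the root CA certificate expected from -CertServer, obtained out-of-band
(for example from the MeshCentral administrator) rather than from the download itself. When supplied,
the downloaded certificate is compared against it before it is imported into the Trusted Root store and
a mismatch aborts the script. Spaces and colons in the value are ignored; the comparison is
case-insensitive.

.PARAMETER SkipSignatureCheck
Run the downloaded agent installer even if its Authenticode signature is missing or invalid. Off by default.

.EXAMPLE
Set-ExecutionPolicy -Scope Process Bypass -Force
.\install-agent.ps1 -MeshId 'abcdef1234567890...@$'

.EXAMPLE
.\install-agent.ps1 -MeshId 'abcdef1234567890...@$' -ExpectedRootThumbprint '<root CA SHA-1 thumbprint>'

.NOTES
Requires PowerShell 5.1+ (built into Windows 10 / Server 2016+) and administrative privileges.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$MeshId,

    [string]$Server = 'https://mesh.tompkinsrnd.com',

    [string]$CertServer = 'https://certs.mesh.tompkinsrnd.com',

    [ValidateSet('3', '4')]
    [string]$AgentType = '4',

    [string]$ExpectedRootThumbprint,

    [switch]$SkipSignatureCheck
)

$ErrorActionPreference = 'Stop'

# Abort unless the current process token carries the local Administrators role.
# Writing to LocalMachine\Root and installing a service both require it.
function Assert-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'This script must be run from an elevated (Administrator) PowerShell session.'
    }
}

# Normalise a thumbprint for comparison: drop whitespace and colons, upper-case the hex.
function ConvertTo-NormalizedThumbprint {
    param([string]$Thumbprint)
    return ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()
}

# Download the root CA certificate from $Url and import it into LocalMachine\Root.
# When $ExpectedThumbprint is non-empty the downloaded certificate must match it,
# otherwise the import is refused: anything placed in this store is trusted by every
# TLS and Authenticode validation on the machine, so the download alone is not proof
# that the right certificate arrived. The temporary .cer file is removed even when
# the download or the import throws.
function Install-RootCa {
    param(
        [string]$Url,
        [string]$ExpectedThumbprint
    )
    $certPath = Join-Path $env:TEMP 'tompkinsrnd-mc-root.cer'
    try {
        Write-Host "Downloading root CA from $Url ..."
        Invoke-WebRequest -Uri $Url -OutFile $certPath -UseBasicParsing

        # Parse the file before touching the store so a truncated or non-certificate
        # download fails here rather than inside Import-Certificate.
        $downloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
        Write-Host ("Downloaded: subject={0} thumbprint={1}" -f $downloaded.Subject, $downloaded.Thumbprint)

        if ($ExpectedThumbprint) {
            $want = ConvertTo-NormalizedThumbprint $ExpectedThumbprint
            $have = ConvertTo-NormalizedThumbprint $downloaded.Thumbprint
            if ($want -ne $have) {
                throw "Root CA thumbprint mismatch: expected $want but the downloaded certificate has $have. Not importing."
            }
        } else {
            Write-Warning 'No -ExpectedRootThumbprint supplied; importing the downloaded root CA without pinning.'
        }

        Write-Host "Installing root CA into LocalMachine\Root ..."
        $result = Import-Certificate -FilePath $certPath -CertStoreLocation 'Cert:\LocalMachine\Root'
        Write-Host ("Imported: subject={0} thumbprint={1}" -f $result.Subject, $result.Thumbprint)
    }
    finally {
        # Best-effort cleanup; the file may not exist if the download failed.
        Remove-Item $certPath -Force -ErrorAction SilentlyContinue
    }
}

# Download the agent installer for the given mesh and run it with -fullinstall.
# Unless $SkipSignature is set, the binary must carry a valid Authenticode signature
# (expected to chain to the root CA installed by Install-RootCa) before it is executed.
# The temporary installer is removed even when a step throws.
function Install-MeshAgent {
    param(
        [string]$ServerUrl,
        [string]$MeshIdValue,
        [string]$Type,
        [switch]$SkipSignature
    )
    $agentUrl = "{0}/meshagents?id={1}&meshid={2}&installflags=0" -f `
        $ServerUrl.TrimEnd('/'), $Type, [Uri]::EscapeDataString($MeshIdValue)
    $agentPath = Join-Path $env:TEMP 'meshagent-installer.exe'
    try {
        Write-Host "Downloading MeshCentral agent from $agentUrl ..."
        Invoke-WebRequest -Uri $agentUrl -OutFile $agentPath -UseBasicParsing

        if ($SkipSignature) {
            Write-Warning 'Skipping Authenticode check on the agent installer (-SkipSignatureCheck).'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $agentPath
            if ($sig.Status -ne 'Valid') {
                throw ("Agent installer signature is not valid (status={0}: {1}). Refusing to run it." -f $sig.Status, $sig.StatusMessage)
            }
            Write-Host ("Installer signed by: {0}" -f $sig.SignerCertificate.Subject)
        }

        Write-Host 'Running agent installer (-fullinstall) ...'
        $proc = Start-Process -FilePath $agentPath -ArgumentList '-fullinstall' -Wait -PassThru
        if ($proc.ExitCode -ne 0) {
            throw "Agent installer exited with code $($proc.ExitCode)."
        }
    }
    finally {
        # Best-effort cleanup; the file may not exist if the download failed.
        Remove-Item $agentPath -Force -ErrorAction SilentlyContinue
    }
}

Assert-Elevated

# Force TLS 1.2 on older Windows versions where it isn't the default.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# TrimEnd keeps a trailing slash in -CertServer from producing '//root-ca.cer',
# matching how Install-MeshAgent builds its URL.
Install-RootCa -Url ("{0}/root-ca.cer" -f $CertServer.TrimEnd('/')) -ExpectedThumbprint $ExpectedRootThumbprint
Install-MeshAgent -ServerUrl $Server -MeshIdValue $MeshId -Type $AgentType -SkipSignature:$SkipSignatureCheck

Write-Host ''
Write-Host 'Done. The MeshCentral agent should now be running as the "Mesh Agent" Windows service.'
Write-Host 'Verify with: Get-Service -Name "Mesh Agent"'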