The Cyrisma Windows Agent enables local vulnerability assessments, configuration scans, data discovery, and network-based (agentless) scanning of other systems. This guide outlines all supported deployment methods for Windows environments—manual installation, scripted deployment, PowerShell, and enterprise-wide GPO rollouts.

For network, hardware, or OS prerequisites, refer to the Global Agent Requirements article.

1. Supported Windows Operating Systems

Cyrisma supports installation on:

• Windows Server 2012 R2, 2016, 2019, 2022, 2025

• Windows 10 and Windows 11

2. Windows Prerequisites

Before installing the agent, ensure:

System Requirements

• Microsoft .NET Framework 4.7.2 or higher

  • The installer attempts to install it if missing, but a reboot may be required.

  • Recommended to install .NET in advance.

• Device can contact:

  • *.cyrisma.com over port 443 (HTTPS)

• Antivirus and endpoint protection allow:

  • The directory C:\Cyrisma_Agent

  • Required executables (listed in Section 10)

Network Scanning Requirement

If the agent will perform agentless scans of Windows devices:

• A service account with administrative rights on target machines is required.

• For standard local-only scanning, no credentials are required.

3. Downloading the Windows Installer

1. Log into your Cyrisma instance.

2. Navigate to Admin > Scan Agents.

3. Generate (or regenerate) a Windows Installation Key.

4. Download the Cyrisma_Setup.exe installer.

Important:

• If the key is regenerated, any deployment script using the old key will fail.

• Keys are bound to an instance and prevent accidental cross-instance pairing.

4. Manual Installation on Windows

Installation Steps

1. Run Cyrisma_Setup.exe as Administrator.

2. Enter:

   • Installation Key

   • Instance URL (e.g., https://ccNNNN.cyrisma.com)

3. Accept the EULA and continue.

4. The installer runs in the background to complete installation.

5. A confirmation message appears when finished.

After installation, the agent checks in and awaits provisioning inside Cyrisma

5. Command-Line Installation (Silent Install)

Basic Silent Installation

Cyrisma_Setup.exe /verysilent /key=nnnn-nnnn-nnnn /url=https://ccNNNNNN.cyrisma.com

Optional: Sensor Role (Packet Capture / Unauthenticated Subnet Scanning)

/role=sensor

(Adds packet-capture driver support.)

Auto-Provisioning Mode

Bypasses manual approval inside Cyrisma:

/autoprovision=yes

Full Auto-Provisioning Example

Cyrisma_Setup.exe /verysilent /key=nnnn-nnnn-nnnn /url=https://ccNNNNNN.cyrisma.com /autoprovision=yes

Rules:

• No spaces around = signs.

• The /autoprovision=yes switch must appear after key and URL.

6. Deploying Agents Using PowerShell

Cyrisma supports automated deployments through PowerShell for environments using RMMs, Intune, PDQ, or custom automation pipelines.

Video Guide: Deploying Agents Via Powershell script

PowerShell Script (Manual Provisioning)

$a = "/verysilent /key=XXXXXX /URL=XX"
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile("https://dl.cyrisma.com/6167656E7473/Cyrisma_Setup.exe", "C:\windows\temp\Cyrisma_Setup.exe")
$process = "C:\windows\temp\Cyrisma_Setup.exe"
Start-Process -FilePath $process -ArgumentList $a -Wait

PowerShell Script (Auto Provisioning)

$a = "/verysilent /key=XXXXXX /URL=XX /autoprovision=yes"
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile("https://dl.cyrisma.com/6167656E7473/Cyrisma_Setup.exe", "C:\windows\temp\Cyrisma_Setup.exe")
$process = "C:\windows\temp\Cyrisma_Setup.exe"
Start-Process -FilePath $process -ArgumentList $a -Wait

Notes

• Replace placeholders with your installation key and URL.

• Avoid the variable $args (reserved in PowerShell).

• Auto-provisioning is powerful but should be used carefully in multi-instance environments.

7. Alternative Windows Deployment Script (BITS-Based)

In environments where PowerShell execution is restricted or unavailable, Cyrisma supports an alternative Windows agent deployment method using the built-in Background Intelligent Transfer Service (BITS). This approach relies only on native Windows components and performs a silent installation via a batch script.

This deployment method should be used only when PowerShell-based, RMM-based, or GPO deployments are not viable.

Prerequisites

Before using this method, ensure the following requirements are met:

• Administrator privileges on the target system

• Internet access to download the Cyrisma installer

• bitsadmin is enabled on the system (enabled by default on supported Windows versions)

Installation Methods

Two script variants are supported:

• Installation with auto-provisioning enabled

• Installation without auto-provisioning (manual provisioning required)

Option 1: Install With Auto-Provisioning

This method installs the Cyrisma agent and automatically provisions it to the instance, eliminating the need for manual approval in the platform.

Save the following script as a .bat file (for example, install_cyrisma.bat) and run it as an administrator.

@echo off
setlocal

:: Define variables
set "INSTALLER_URL=https://dl.cyrisma.com/6167656E7473/Cyrisma_Setup.exe"
set "INSTALLER_PATH=C:\windows\temp\Cyrisma_Setup.exe"
set "INSTALL_ARGS=/verysilent /key=XXXXXX /URL=XX /autoprovision=yes"

:: Download the installer using bitsadmin (Windows built-in tool)
bitsadmin /transfer "DownloadCyrisma" %INSTALLER_URL% %INSTALLER_PATH%

:: Check if download was successful
if not exist %INSTALLER_PATH% (
   echo Download failed!
   exit /b 1
)

:: Run the installer with arguments
start /wait "" "%INSTALLER_PATH%" %INSTALL_ARGS%

:: Cleanup (optional)
:: del %INSTALLER_PATH%

echo Installation complete.
exit /b 0

Instructions for use:

• Replace XXXXXX with your Cyrisma installation key

• Replace XX with the appropriate Cyrisma instance URL

• Save the file and run it as an administrator

Option 2: Install Without Auto-Provisioning

Use this option if you prefer to manually provision the agent after installation.

Save the following script as a .bat file (for example, install_cyrisma_no_provision.bat) and run it as an administrator.

@echo off
setlocal

:: Define variables
set "INSTALLER_URL=https://dl.cyrisma.com/6167656E7473/Cyrisma_Setup.exe"
set "INSTALLER_PATH=C:\windows\temp\Cyrisma_Setup.exe"
set "INSTALL_ARGS=/verysilent /key=XXXXXX /URL=XX"

:: Download the installer using bitsadmin (Windows built-in tool)
bitsadmin /transfer "DownloadCyrisma" %INSTALLER_URL% %INSTALLER_PATH%

:: Check if download was successful
if not exist %INSTALLER_PATH% (
   echo Download failed!
   exit /b 1
)

:: Run the installer with arguments
start /wait "" "%INSTALLER_PATH%" %INSTALL_ARGS%

:: Cleanup (optional)
:: del %INSTALLER_PATH%

echo Installation complete.
exit /b 0

After installation completes, the agent must be manually provisioned in the Cyrisma platform.

Troubleshooting

If the installer fails to download:

• Confirm the system can reach the Cyrisma download endpoint

• Test connectivity using:

  ping dl.cyrisma.com

• If bitsadmin is restricted, download the installer using PowerShell:

  Invoke-WebRequest -Uri "https://dl.cyrisma.com/6167656E7473/Cyrisma_Setup.exe" -OutFile "C:\windows\temp\Cyrisma_Setup.exe"

If the installation fails:

• Ensure the script is run as an administrator

• Review agent logs located at:

  C:\ProgramData\Cyrisma\Logs

• Verify antivirus or endpoint protection software is not blocking execution

8. Deploying Windows Agents Using Group Policy (GPO)

For enterprise-wide deployments across domain-managed Windows machines.

Step 1 — Create Netlogon Directory

On a Domain Controller, navigate to the Netlogon folder.

Create a folder named CYRISMA.

Ensure this folder replicates across all domain controllers in the network.

\\<DCServer>\netlogon\CYRISMA

Step 2 — Add Installer

Place CYRISMA_Setup.exe into the CYRISMA Netlogon folder.

Step 3 — Create Batch File

Create cyrisma_install.cmd:

:: Check if CYRISMA Agent is already installed
sc query state= all | findstr /C:"SERVICE_NAME: Cyrisma_Agent"
if %ERRORLEVEL% gtr 0 (
    copy \\[dcServerName]\netlogon\CYRISMA\CYRISMA_Setup.exe %temp%
    %temp%\CYRISMA_Setup.exe /verysilent /key=XXXX-XXXX-XXXX /url=https://ccXXXXX.cyrisma.com
)

Optional autoprovision:

This version automatically provisions the agent, skipping the manual provisioning step.

:: Check if CYRISMA Agent is already installed
sc query state= all | findstr /C:"SERVICE_NAME: Cyrisma_Agent"
if %ERRORLEVEL% gtr 0 (
    copy \\[dcServerName]\netlogon\CYRISMA\CYRISMA_Setup.exe %temp%
    %temp%\CYRISMA_Setup.exe /verysilent /key=XXXX-XXXX-XXXX /url=https://ccXXXXX.cyrisma.com /autoprovision=yes
)

Replace the placeholders in the script:

• [dcServerName] with the name of your domain controller.

• XXXX-XXXX-XXXX with your CYRISMA license key.

• https://ccXXXXX.cyrisma.com with your CYRISMA portal URL.

Step 4 — Create a New GPO

Log in to the Domain Controller.

Open Group Policy Management.

Create a new GPO named CYRISMA Deployment at the root of the domain.

Step 5 — Assign Permissions

Ensure Authenticated Users (or your deployment group) have Read & Execute permissions.

Step 6 — Add the Batch File to the GPO

1. Open the newly created GPO for editing.

2. Navigate to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).

3. In the right pane, double-click Startup.

4. In the Startup Properties window, click Add.

5. Browse to the location of the batch file created in step 3:

\\[dcServerName]\Netlogon\CYRISMA\cyrisma_install.cmd

1. Select the batch file, click Open, then OK.

2. Click Apply and OK to save the configuration.

Step 7 — Force GPO Update

Replicate GPO Across Domain Controllers

To ensure the new GPO is applied, run the following command:

gpupdate /force

9. Deploying the Cyrisma Agent via Microsoft Intune (with Detection Rules)

Applies to: Cyrisma Windows Agent Deployment
Use case: Deploy the Cyrisma Agent through Microsoft Intune using a Win32 app package and validate installation using file or registry detection rules.

Step 1: Prepare the Batch Script

Create a batch script to download and install the CYRISMA agent silently.

Save the following as Install_CYRISMA.bat:

@echo off
setlocal

:: Define variables
set "INSTALLER_URL=https://dl.cyrisma.com/6167656E7473/Cyrisma_Setup.exe"
set "INSTALLER_PATH=C:\windows\temp\Cyrisma_Setup.exe"
set "INSTALL_ARGS=/verysilent /key=XXXXXX /URL=https://YOUR_CYRISMA_INSTANCE /autoprovision=yes"

:: Download the installer
bitsadmin /transfer "DownloadCyrisma" %INSTALLER_URL% %INSTALLER_PATH%

:: Check if download was successful
if not exist %INSTALLER_PATH% (
  echo Download failed!
  exit /b 1
)

:: Run the installer with arguments
start /wait "" "%INSTALLER_PATH%" %INSTALL_ARGS%

echo Installation complete.
exit /b 0

Replace the following values:

• XXXXXX = your organization’s agent installation key

• https://YOUR_CYRISMA_INSTANCE = your instance URL (example format: https://ccxxxxxx.cyrisma.com)

Step 2: Package the App with IntuneWinAppUtil

1. Download the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe).

2. Create a source folder (example):
   C:\CYRISMADeployment\Source

3. Place Install_CYRISMA.bat into the source folder.

4. Run the command:

IntuneWinAppUtil.exe -c C:\CYRISMADeployment\Source -s Install_CYRISMA.bat -o C:\CYRISMADeployment\Output

This produces an .intunewin package in the output folder.

Step 3: Add the App in Microsoft Intune

1. Go to Intune Admin Center → Apps → Windows → + Add

2. Select Windows app (Win32)

3. Configure the app:

App information

• Name: CYRISMA Agent

• Description: Silent deployment of the CYRISMA Windows Agent

• Publisher: CYRISMA

Program

• Install command: Install_CYRISMA.bat

• Install behavior: System

Uninstall command (optional)
If you do not have an official uninstall string from CYRISMA, leave this blank or handle removal via a separate process. (Win32 uninstall methods vary by installer type.)

Step 4: Configure Detection Rules

Choose one detection method.

Option 1: File Detection (Recommended if path is consistent)

• Rule type: File

• Path: C:\CYRISMA_Agent

• File: DataSpotliteAgent.exe

• Detection method: Exists

Option 2: Registry Detection

• Rule type: Registry

• Key path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CYRISMA Agent

• Value name: DisplayName

• Detection method: String equals

• Value: CYRISMA Agent

Note: Registry paths can vary depending on installer behavior (and 32-bit vs 64-bit registration). If detection fails, confirm the actual uninstall key on a machine where the agent is installed.

Step 5: Assign the App

1. Assign the app to the appropriate groups (for example: All Devices or a specific device group).

2. Set the assignment as Required to enforce deployment.

Step 6: Monitor Deployment

1. Go to Intune Admin Center → Apps → Monitor

2. Review:

• Deployment success/failure rates

• Device install status

• Error details for failed installs

If you want, paste your known “correct” agent install directory and/or uninstall registry key from a real installed machine, and I can tune the detection rule section to match your actual agent footprint (to reduce false failures in Intune reporting).

10. Provisioning Newly Installed Agents (Windows)

After installation, the agent appears for provisioning under Admin > Scan Agents > Agents Awaiting Provisioning.

Local-Only Scan Mode

Select Yes for "Agent only runs local scans?"

Network Scanning Mode

Select No, then provide:

• Domain (NetBIOS format recommended)

  When configuring network scanning credentials, you must use the NT-style (NetBIOS) domain format, not a UPN. Cyrisma requires credentials in the form:

  DOMAIN\username
  

  UPN-style logins such as:

  username@domain.com
  

  are not supported for network-based scanning operations.

• Service Account Username

• Password (must meet Cyrisma password policy)

Once submitted, the agent becomes active for local or network scanning.

11. Verifying Successful Installation

On any Windows device:

1. Open Services (services.msc).

2. Locate Cyrisma Agent service.

3. Confirm status is Running.

4. In Cyrisma → Admin > Scan Agents, ensure agent status is online.

   Note: After provisioning, allow up to 15 minutes for the agent to complete its initial check-in. When the agent first appears in Admin > Scan Agents, it may display a status of Idle – Down. Once provisioning completes, the status will update to Idle. Afterward, the agent checks in with the instance approximately every 5 minutes while the device remains online.

12. Windows Endpoint Protection Exclusions

Some security tools may block Cyrisma functions, including:

• TCP port scanning

• Remote attribute collection

• File analysis

• Packaging of scan results

Recommended Directory Exclusion

C:\Cyrisma_Agent

If file-level exclusions are required:

13. Best Practices for Windows Deployments

• Pre-install .NET Framework 4.7.2 to avoid required reboot delays.

• Use GPO for large-scale, stable domain-wide deployment.

• Use PowerShell scripts for RMM or cloud-managed fleets.

• Keep installation keys synchronized—regenerating keys invalidates old scripts.

• Validate endpoint protection compatibility before rolling out network scanning.

• Use auto-provisioning only when operationally appropriate.

Conclusion

By following the methods outlined in this guide, you can reliably deploy Cyrisma agents across individual machines, large Windows domains, and highly distributed environments. Whether using manual installation, scripting, PowerShell, or Group Policy, Cyrisma’s Windows agent integrates smoothly into enterprise workflows and supports both local and network-based scanning capabilities.