Skip to main content

Install cnspec on Windows


The msi package REGISTRATIONTOKEN argument allows you to pass in a temporary registration token to the MSI installer. If the argument is provided, cnspec will be registered automatically during installation.


Before you integrate Microsoft Windows with Mondoo:

  • Confirm access to the internet using PowerShell or CMD Terminal

  • Confirm access to Mondoo systems using PowerShell or CMD Terminal

  • Synchronize your system clock


If you install cnspec on machines that can't download and install updates (because they're air-gapped or don't give cnspec write access), you must deploy cnspec providers. To learn more, read Manage cnspec Providers.

Access to the internet using PowerShell or CMD Terminal


If your organization's region (in the Mondoo Console) is US, you must be able to access If your region is EU, you must be able to access

Check internet connectivity
# from PowerShell
Test-NetConnection -Port 443

# from CMD terminal (activate telnet client if not already activated)
Telnet 443

If you have a proxy setting in your environment, you might need to configure it in the PowerShell and CMD Terminal:

netsh winhttp show proxy

Systems access

Be sure you have access to these systems from PowerShell or CMD Terminal:

Check the Internet connectivity                   Port 443/https Port 443/https Port 443/https Port 443/https Port 443/https

To check connectivity, follow the approach in the previous section.

System clock sync

Make sure your system clock is in sync with your NTP or internet time:

w32tm /query /status
w32tm /query /peers
w32tm /resync

Install cnspec on Windows

There are two ways of installing Mondoo on Windows:

Option A: Install using the automated install script in PowerShell

Make sure TLS 1.2 is enabled (it's enabled by default in modern Windows systems):

TLS version
# To check

# If it is not enabled, enable it:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Install cnspec by downloading a PowerShell script to memory and running it:

If you wish later the scan happens by loading the configured Policy from your Mondoo Console space, you need to register by having a registration token which will be given to you during integration from

Without RegistrationToken set, the policies will be automatically loaded from our registry of open source policies.

Automated installation script
iex ((New-Object System.Net.WebClient).DownloadString(''))
Install-Mondoo # -RegistrationToken $MONDOO_REGISTRATION_TOKEN

The installation creates one or two directories:

  • The C:\Program Files\Mondoo directory contains binaries.

- The `C:\ProgramData\Mondoo` directory is only created if the registration token is used. It contains the `mondoo.yml` configuration file.

## Option B: Install manually (Mondoo package including cnspec)

1. Download the [Mondoo Windows installer](
2. Execute the installer as administrator.


```powershell title="manual installation"
# PowerShell
Start-Process -Wait msiexec -ArgumentList ' /i mondoo_8.9.1_windows_amd64.msi'

# CMD Terminal
start /wait msiexec /i mondoo_8.9.1_windows_amd64.msi
  1. Follow the steps and agree to the license agreement.
  2. (Optional) Register cnspec with your Mondoo Platform account.

If you enter a registration token during the installation wizard, cnspec registers automatically.

You can also register by token later if needed:

CMD Terminal
start /wait msiexec /i mondoo_10.9.1_windows_amd64.msi  REGISTRATIONTOKEN="XXXXXXXXXXXXXXXXX"

Test and troubleshoot

Make sure the service is running and that it runs automatically at startup:

Set-Service -Name mondoo -Status Running -StartupType Automatic

Validate that the service is running:

# PowerShell
Get-Service mondoo

# CMD terminal
sc query mondoo

Check the cnspec status:

cnspec status

If cnspec is already registered, you should see this line in the status:

loaded configuration from C:\ProgramData\Mondoo\mondoo.yml using source default

The mondoo.yaml file has the certificate, private key, and the api endpoint.

Scan the local system:

cnspec scan local

Here the cnspec will automatically load the policies from Mondoo Console spaces provided you have registered the mondoo with the token. Otherwise, the policies will be loaded from our registry.

You can also force the cnspec to load the policies only from registry:

cnspec scan local --incognito

Delete and reinstall:

In some situations, you might need to remove the services and install again.

sc stop mondoo
sc delete mondoo
rmdir "C:\Program Files\Mondoo"
rmdir "C:\ProgramData\Mondoo"

Proxy configuration

cnspec also works behind a forward proxy, such as Squid.

Set https_proxy environment variable
$env:https_proxy = "<ip-address>:<port>"

To set the proxy configuration for cnspec permanently, add the proxy configuration during cnspec registration:

Set Proxy via cnspec command
cnspec login --token 'YOUR_TOKEN_HERE' --api-proxy '' --config 'C:\ProgramData\Mondoo\mondoo.yml'

Or add it to the cnspec configuration directly, follow these steps:

  1. Navigate to the cnspec configuration file under C:\ProgramData\Mondoo\mondoo.yml
  2. Add this line:
Set Proxy via cnspec configuration file

Learn more