Install cnspec on Windows
Install and configure cnspec on Microsoft Windows using PowerShell scripts, MSI packages, or Chocolatey.
The msi package REGISTRATIONTOKEN argument allows you to pass in a temporary registration token
to the MSI installer. If the argument is provided, cnspec will be registered automatically during
installation.
Quick start
To install cnspec using PowerShell:
iex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1'))
Install-MondooTo also register cnspec with Mondoo Platform during installation:
$MONDOO_REGISTRATION_TOKEN="<your token from console.mondoo.com>"
iex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1'))
Install-Mondoo -RegistrationToken $MONDOO_REGISTRATION_TOKENFor manual MSI installation or troubleshooting, read on.
Prerequisites
Before you integrate Microsoft Windows with Mondoo:
- Confirm access to the internet using PowerShell or CMD Terminal
- Confirm access to Mondoo systems using PowerShell or CMD Terminal
- Synchronize your system clock
If you install cnspec on machines that can't download and install updates (because they're air-gapped or don't give cnspec write access), you must deploy cnspec providers. To learn more, read Manage cnspec Providers.
Access to the internet using PowerShell or CMD Terminal
If your organization's region (in the Mondoo Console) is US, you must be able to access us.api.mondoo.com. If your region is EU, you must be able to access eu.api.mondoo.com.
# from PowerShell
Test-NetConnection mondoo.com -Port 443
# from CMD terminal (activate telnet client if not already activated)
Telnet google.com 443If you have a proxy setting in your environment, you might need to configure it in the PowerShell and CMD Terminal:
netsh winhttp show proxySystems access
Be sure you have access to these systems from PowerShell or CMD Terminal:
install.mondoo.com Port 443/https
releases.mondoo.com Port 443/https
eu.api.mondoo.com Port 443/https
us.api.mondoo.com Port 443/https
registry.api.mondoo.com Port 443/httpsTo check connectivity, follow the approach in the previous section.
System clock sync
Make sure your system clock is in sync with your NTP or internet time:
w32tm /query /status
w32tm /query /peers
w32tm /resyncInstall cnspec on Windows
Pick one of the install methods below.
Option A: Install using the automated install script in PowerShell
Make sure TLS 1.2 is enabled (it's enabled by default in modern Windows systems):
# To check
[Net.ServicePointManager]::SecurityProtocol
# If it is not enabled, enable it:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12Install cnspec by downloading a PowerShell script to memory and running it:
If you want the scan to use policies configured in your Mondoo Console space, you need to register using a registration token, which you receive during integration from https://console.mondoo.com/.
Without RegistrationToken set, the policies will be automatically loaded from our registry of open source policies.
# $MONDOO_REGISTRATION_TOKEN="YOUR_TOKEN_HERE"
iex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1'))
Install-Mondoo # -RegistrationToken $MONDOO_REGISTRATION_TOKENThe installation creates one or two directories:
- The
C:\Program Files\Mondoodirectory contains binaries. - The
C:\ProgramData\Mondoodirectory is only created if the registration token is used. It contains themondoo.ymlconfiguration file.
Option B: Install manually (Mondoo package including cnspec)
-
Download the Mondoo Windows installer.
-
Execute the installer as administrator.
Example:
manual installation # PowerShell Start-Process -Wait msiexec -ArgumentList ' /i mondoo_13.0.0_windows_amd64.msi' # CMD Terminal start /wait msiexec /i mondoo_13.0.0_windows_amd64.msi -
Follow the steps and agree to the license agreement.
-
(Optional) Register cnspec with your Mondoo Platform account.
If you enter a registration token during the installation wizard, cnspec registers automatically.
You can also register by token later if needed:
CMD Terminal start /wait msiexec /i mondoo_13.0.0_windows_amd64.msi REGISTRATIONTOKEN="XXXXXXXXXXXXXXXXX"
Option C: Install with Chocolatey
If you manage Windows software with Chocolatey, install the mondoo package from an elevated PowerShell or CMD prompt:
choco install mondoo -yTo register cnspec with Mondoo Platform after the install completes, run cnspec login with a registration token (read Register cnspec for details):
cnspec login --token "YOUR_REGISTRATION_TOKEN"To upgrade later:
choco upgrade mondoo -yVerify the install
Confirm cnspec is registered and can reach Mondoo Platform:
cnspec statusIf cnspec is registered, the output includes loaded configuration from C:\ProgramData\Mondoo\mondoo.yml. For other outcomes, see Validate registration.
Run a one-off scan against the local host:
cnspec scan localcnspec uses the policies enabled for the registered space. To scan with Mondoo's open source policies instead:
cnspec scan local --incognitoRun cnspec as a service
The Windows installer registers mondoo with the Service Control Manager but leaves it set to Manual startup. To enable it so cnspec scans on a recurring schedule and reports back to Mondoo Platform, follow Run cnspec as a service and use the Windows tab.
Proxy configuration
cnspec also works behind a forward proxy, such as Squid.
$env:https_proxy = "<ip-address>:<port>"To set the proxy configuration for cnspec permanently, add the proxy configuration during cnspec registration:
cnspec login --token 'YOUR_TOKEN_HERE' --api-proxy 'http://1.1.1.1' --config 'C:\ProgramData\Mondoo\mondoo.yml'Or add it to the cnspec configuration directly. Follow these steps:
- Navigate to the cnspec configuration file under
C:\ProgramData\Mondoo\mondoo.yml - Add this line:
api_proxy: http://1.1.1.1