Adding Windows Servers

Overview

CertMS can automatically discover and monitor certificates on Windows servers through a lightweight PowerShell agent. The agent runs as a scheduled task, scanning for certificates every 6 hours and reporting back to your CertMS instance. This process can be deployed at scale using SCCM, Group Policy, or other enterprise deployment tools.

Prerequisites

Before adding Windows servers, ensure you have:

  • Administrative access to the target Windows server(s)
  • PowerShell execution permissions on the server(s)
  • Network connectivity between the server(s) and your CertMS instance
  • Appropriate permissions in CertMS to create API keys

Step-by-Step Configuration

Step 1: Create API Key for Server Monitoring

The Windows agent requires an API key to authenticate and communicate with CertMS.

Navigate to API Key Management

  1. In the left-hand navigation menu, click the Settings dropdown
  2. Select API Keys
  3. Review existing API keys (you may see existing keys for other purposes)

Create New API Key

  1. Click Create New API Key
  2. Complete the API key configuration:

| Field | Configuration |
| --- | --- |
| Name | Descriptive name (e.g., “Windows Server Agent API Key”) |
| Description | Optional description (e.g., “API key for Windows server certificate monitoring”) |
| Roles | Select required permissions: ✅ Servers Admin (required), ✅ Cert Admin (required) |
| Expiration Date | Set expiration date based on your security policy |
| Active | ✅ Checkbox (checked by default) |

  3. Click Create API Key

Save Your API Key

  • A popup window will display your newly generated API key
  • ⚠️ CRITICAL: This is the only time you can view the complete API key
  • Copy and save the API key in a secure location immediately
  • You will need this key for every server you onboard

Best Practice: You can use one API key for all Windows servers, or create separate keys for different server groups depending on your security and organizational requirements.

Step 2: Download the Windows Agent

  1. In the left-hand navigation menu, click on Servers
  2. Locate the Download Agents dropdown button
  3. Select Windows Agent from the dropdown
  4. The PowerShell script will download to your computer
  5. Save the script in a location where you can easily access it for deployment

Step 3: Deploy Agent to Target Server

Copy Script to Server

  1. Copy the downloaded PowerShell script to the Windows server you want to monitor
  2. Place it in a temporary location (e.g., C:\Temp\ or your desktop)

Open Elevated PowerShell

  1. On the target server, right-click PowerShell or Windows PowerShell
  2. Select Run as Administrator
  3. Navigate to the directory containing the script

Step 4: Install the Agent

Run the Installation Command

Execute the PowerShell script with the required parameters:

Command Format: .\windows_agent.ps1 -Install -ApiUrl "<api_url>" -ApiKey "<api_key>"

Parameter Details

| Parameter | Description | Example |
| --- | --- | --- |
| -Install | Switch to install and onboard the server | (no value needed) |
| -ApiUrl | Your CertMS instance API URL | https://acmecorp.certms.com/certms |
| -ApiKey | The API key created in Step 1 | your-generated-api-key-here |

Example Installation Command

.\windows_agent.ps1 -Install -ApiUrl "https://acmecorp.certms.com/certms/api/v2" -ApiKey "abcd1234-5678-90ef-ghij-klmnopqrstuv"

What Happens During Installation

The installation script will:

  1. Create a certms folder on the server to store agent files and configuration
  2. Configure the agent with your API credentials
  3. Create a scheduled task that runs every 6 hours
  4. Display success messages upon completion

Step 5: Verify Server Onboarding

Check in CertMS

  1. Return to your CertMS instance
  2. Navigate to Servers in the left-hand navigation menu
  3. The newly onboarded server should appear in the servers list
  4. Verify that certificate data is being collected

Verification Timeline

  • Initial scan: Can be triggered right away by running the scheduled task manually
  • Subsequent scans: Every 6 hours automatically
  • Data visibility: Server and certificates appear in CertMS after first successful scan

Enterprise Deployment Options

Deploying to Multiple Servers

The Windows agent can be deployed at scale using enterprise tools:

Option 1: System Center Configuration Manager (SCCM)

  1. Create an SCCM package with the PowerShell script
  2. Configure the installation command with your API URL and key
  3. Deploy to target server collections
  4. Monitor deployment status through SCCM console

Option 2: Group Policy

  1. Create a Group Policy Object (GPO)
  2. Add the script as a startup or scheduled task script
  3. Configure script parameters in the GPO
  4. Link the GPO to appropriate Organizational Units (OUs)
  5. Force policy update or wait for natural refresh

Option 3: Remote PowerShell

  1. Use PowerShell remoting to deploy to multiple servers
  2. Create a script to iterate through server lists
  3. Copy agent and execute installation remotely
  4. Collect and log results

Deployment Best Practices

  • Test first: Deploy to a test server before rolling out enterprise-wide
  • Use secure credential storage: Store API keys in secure vaults or encrypted configuration
  • Monitor deployment: Track successful installations and troubleshoot failures
  • Document servers: Maintain inventory of monitored servers
  • Schedule maintenance windows: Deploy during low-impact periods
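
Option 3 above, carried through as an added example that is not part of the CertMS agent or its documentation: it iterates a server list, copies the agent, runs the install command from Step 4 and logs the results, reading the API key from a SecretManagement vault. The file names, the secret name CertMS-AgentKey and the results file are assumptions.

```powershell
# Added example (not CertMS code): deploy the agent over PowerShell remoting.
# Assumed names: servers.txt, C:\Deploy\windows_agent.ps1, the vault secret
# 'CertMS-AgentKey' and deploy-results.csv are placeholders for this sketch.
#Requires -Modules Microsoft.PowerShell.SecretManagement

$ApiUrl      = 'https://acmecorp.certms.com/certms/api/v2'  # example URL from this guide
$AgentScript = 'C:\Deploy\windows_agent.ps1'
$Servers     = Get-Content -Path '.\servers.txt' | Where-Object { $_.Trim() }

# Read the key from a vault at run time instead of hard-coding it here.
$ApiKey = Get-Secret -Name 'CertMS-AgentKey' -AsPlainText

$results = foreach ($server in $Servers) {
    $session = $null
    try {
        $session = New-PSSession -ComputerName $server -ErrorAction Stop

        # Stage the script in C:\Temp on the target, as in Step 3.
        Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
            New-Item -Path 'C:\Temp' -ItemType Directory -Force | Out-Null
        }
        Copy-Item -Path $AgentScript -Destination 'C:\Temp\windows_agent.ps1' `
            -ToSession $session -Force -ErrorAction Stop

        # Pass URL and key as arguments so the key never appears in script text.
        Invoke-Command -Session $session -ErrorAction Stop -ArgumentList $ApiUrl, $ApiKey -ScriptBlock {
            param($Url, $Key)
            $ErrorActionPreference = 'Stop'
            & 'C:\Temp\windows_agent.ps1' -Install -ApiUrl $Url -ApiKey $Key | Out-Null
        }
        [pscustomobject]@{ Server = $server; Status = 'Completed'; Detail = '' }
    }
    catch {
        [pscustomobject]@{ Server = $server; Status = 'Failed'; Detail = $_.Exception.Message }
    }
    finally {
        if ($session) { Remove-PSSession -Session $session }
    }
}

# Keep a record of every target, then show the failures that need follow-up.
$results | Export-Csv -Path '.\deploy-results.csv' -NoTypeInformation
$results | Where-Object Status -eq 'Failed' | Format-Table -AutoSize
```

A Completed status only means the script ran without a terminating error; confirm each server in CertMS as described in Step 5.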

Managing Server Monitoring

Viewing Monitored Servers

  1. Navigate to Servers in the left-hand navigation
  2. View all onboarded servers with status information
  3. Click on individual servers to view detailed certificate information

Scheduled Task Details

  • Task Name: CertMS Certificate Scanner (or similar)
  • Frequency: Every 6 hours
  • Run As: Local System account
  • Location: Task Scheduler Library

Modifying Scan Frequency

To change the scan interval:

  1. Open Task Scheduler on the server
  2. Locate the CertMS scheduled task
  3. Modify the trigger schedule as needed
  4. Save changes

Troubleshooting

Common Installation Issues

| Issue | Solution |
| --- | --- |
| PowerShell execution policy error | Run Set-ExecutionPolicy RemoteSigned as administrator |
| API authentication failed | Verify API key is correct and has Servers Admin + Cert Admin roles |
| Network connectivity issues | Verify firewall allows HTTPS traffic to CertMS instance |
| Script not found | Ensure you’re in the correct directory containing the script |
| Scheduled task creation failed | Verify you have administrative privileges on the server |

Verification Steps

  • Check Task Scheduler for the CertMS scheduled task
  • Review the task history for successful executions
  • Verify the certms folder was created on the server
  • Check network connectivity: Test-NetConnection <certms-instance> -Port 443
  • Confirm API key permissions in CertMS Settings > API Keys

Server Not Appearing in CertMS

If a server doesn’t appear after installation:

  1. Wait 10-15 minutes and check again
  2. Check that the scheduled task ran successfully in Task Scheduler
  3. Verify API credentials are correct in the agent configuration
  4. Test network connectivity to the CertMS instance on port 443
  5. Confirm API key is active and has proper roles

Security Considerations

  • Protect API keys: Store securely and limit access
  • Use least privilege: API keys should only have required roles
  • Monitor key usage: Regularly review API key activity
  • Rotate keys periodically: Update keys according to security policy
  • Audit server access: Track which servers are monitored
  • Secure agent files: Protect the certms folder from unauthorized access
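
The verification steps and the "Secure agent files" item above can be checked in one pass on a monitored server. This is an added example, not CertMS code; the -AgentFolder and -CertMSHost parameters and the *CertMS* task-name match are assumptions, since this guide does not give the folder path or the exact task name.

```powershell
# Added example (not CertMS code): post-install health and hardening check.
# Assumptions: -AgentFolder is wherever the installer created the certms folder
# (this guide does not give its path); the task is found by a *CertMS* name match.
param(
    [Parameter(Mandatory)] [string] $AgentFolder,
    [Parameter(Mandatory)] [string] $CertMSHost   # host name of your CertMS instance
)
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Scheduled task exists and its last run succeeded.
$task = Get-ScheduledTask | Where-Object TaskName -like '*CertMS*' | Select-Object -First 1
if (-not $task) {
    $findings.Add('No scheduled task matching *CertMS* was found')
} else {
    $info = $task | Get-ScheduledTaskInfo
    if ($info.LastTaskResult -ne 0) {
        $findings.Add(("Task '{0}': last result 0x{1:X} (last run {2})" -f
            $task.TaskName, $info.LastTaskResult, $info.LastRunTime))
    }
}

# 2. The task runs as Local System, so only SYSTEM and Administrators should be
#    able to change anything under the agent folder.
$trustedSids = 'S-1-5-18', 'S-1-5-32-544'
$mask        = 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeRights = [System.Security.AccessControl.FileSystemRights]$mask
$sidType     = [System.Security.Principal.SecurityIdentifier]
if (-not (Test-Path -Path $AgentFolder -PathType Container)) {
    $findings.Add("Agent folder not found: $AgentFolder")
} else {
    $paths = @($AgentFolder) + @(Get-ChildItem -Path $AgentFolder -Recurse -Force | ForEach-Object FullName)
    foreach ($path in $paths) {
        foreach ($ace in (Get-Acl -Path $path).GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -eq 'Allow' -and
                ($ace.FileSystemRights -band $writeRights) -and
                $ace.IdentityReference.Value -notin $trustedSids) {
                $findings.Add("$path grants write access to $($ace.IdentityReference.Value)")
            }
        }
    }
}

# 3. HTTPS reachability of the CertMS instance.
if (-not (Test-NetConnection -ComputerName $CertMSHost -Port 443).TcpTestSucceeded) {
    $findings.Add("Cannot reach ${CertMSHost}:443")
}

if ($findings.Count) { $findings; exit 1 } else { 'All checks passed' }
```

Run it from an elevated PowerShell session; a task that has never run reports a non-zero last result and is listed as a finding until the first scan completes.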

Uninstalling the Agent

To remove the agent from a server:

  1. Delete the scheduled task from Task Scheduler
  2. Remove the certms folder and its contents
  3. Remove the server from the CertMS interface

Need Help? Contact our support team at support@certms.com for assistance with Windows server agent deployment or troubleshooting.
