There are several ways to deploy the HEIMDAL Agent in a company. Some of the solutions that we’ve tested are Active Directory GPO, SCCM, and Microsoft Intune. Active Directory GPO has been the most used, and the issues with this type of deployment stem from GPO limitations/restrictions, GPO misconfiguration, or missing Heimdal licensing in the Heimdal Agent installer.
BEHAVIOR: I want to deploy the HEIMDAL Agent through Active Directory GPO but the HEIMDAL Agent does not get installed.
SOLUTION: To troubleshoot issues with this deployment method, check the entire GPO flow in reverse, from the endpoint to the server.
1. Open Control Panel -> Programs and Features and check the list of installed applications/programs to see if the Heimdal Thor Agent is present. If the application is present, the deployment worked and the HEIMDAL Agent has been installed; the next thing to check is the status of the HEIMDAL services. If the application is not present, proceed with the next step.
2. Open Event Viewer -> Windows Logs -> Application and filter the current log by the MsiInstaller event source. Look for an event regarding the Heimdal Thor Agent. If an event with an installation error status of 0 is found, the application has been deployed and installed on the computer. If another error status code is displayed, the issue needs to be investigated by the Support Team. If no event regarding the Heimdal Thor Agent can be found, the issue is related to the GPO and you need to check whether the GPO is applying to the computer/logged-in user.
Other issues could be related to the .NET Framework or the missing Heimdal license key (the Invalid key provided error message could also relate to the fact that the endpoint is revoked).
3. To check if a GPO is applying to the computer/logged-in user, open Command Prompt (as Administrator) and run gpresult /r and press Enter. If the GPO that installs the HEIMDAL Agent is listed among the GPOs, this means the issue might come from the GPO scope or from the permissions configured on the Shared location where the installer is placed.
4. Although the GPO is applying to the computer, the HEIMDAL Agent does not get installed and a gpresult report shows the error below or something similar:
Event Viewer -> System logs show the GPO reaching the computer but with a 1274 error ID. This might be caused by the communication between the client machine and the Domain Controller. You can run gpresult /r to see how long it takes for the results to be returned. If it takes longer than 10 seconds, you need to enable Always wait for the network at computer startup and logon and set Specify startup policy processing wait time to about 120 seconds.
Also, check whether the deployment is configured to use a Shared folder (where the HEIMDAL Agent installer is placed) and whether that folder can be accessed from the client machine in File Explorer (by typing the path to the folder: \\ShareFolder\HeimdalAgent\).
5. If the GPO is not in the list, this means the GPO is not applying to the computer/logged-in user and you need to proceed with the next step.
6. On the Domain Controller, open Server Manager, click Tools -> Group Policy Manager, and check the HEIMDAL Agent deployment GPO to see if it’s applying to the correct computer/user object.
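The endpoint-side checks from steps 1-4 can be collected in one read-only pass. The script below is an added example, not HEIMDAL's own tooling; the GPO name is a hypothetical placeholder, the share path is the one written in step 4, and the pattern used to read the MsiInstaller status assumes the event text contains "status: <code>".

```powershell
# Added example: read-only endpoint checks for steps 1-4. Run in an elevated PowerShell.
$GpoName   = 'Heimdal Agent Deployment'     # hypothetical: use your GPO's name
$SharePath = '\\ShareFolder\HeimdalAgent\'  # path as written in the article: use your share

# Step 1: Programs and Features reads these uninstall keys (64-bit and 32-bit views).
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Heimdal*' }
if ($installed) {
    "Installed: $($installed.DisplayName -join ', ') -> check the HEIMDAL services next."
} else {
    'Agent not in the installed-programs list.'
}

# Step 2: MsiInstaller events in the Application log that mention Heimdal.
# Assumption: the event text contains "... status: <code>".
$msi = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller' } `
        -ErrorAction SilentlyContinue | Where-Object { $_.Message -like '*Heimdal*' }
foreach ($e in $msi) {
    $status = if ($e.Message -match 'status:\s*(\d+)') { $Matches[1] } else { 'n/a' }
    '{0:s}  EventId={1}  Status={2}' -f $e.TimeCreated, $e.Id, $status
}
if (-not $msi) { 'No MsiInstaller event for Heimdal -> check whether the GPO applies.' }

# Step 3: is the GPO listed by gpresult /r, and how long does the report take?
$timer = [System.Diagnostics.Stopwatch]::StartNew()
$rsop  = gpresult /r 2>&1
$timer.Stop()
$hits = $rsop | Select-String -SimpleMatch $GpoName
if ($hits) {
    "GPO '$GpoName' is listed; confirm it is under the applied GPOs, not the filtered ones."
} else {
    "GPO '$GpoName' is not listed -> check its scope on the Domain Controller (step 6)."
}
if ($timer.Elapsed.TotalSeconds -gt 10) {
    'gpresult took over 10 s -> review the two wait-for-network policies from step 4.'
}

# Step 4: System-log events whose text contains 1274, and reachability of the share.
Get-WinEvent -FilterHashtable @{ LogName = 'System' } -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\b1274\b' } |
    Select-Object TimeCreated, ProviderName, Id | Format-Table -AutoSize
"Share reachable as $($env:USERNAME): $(Test-Path -LiteralPath $SharePath)"
```

The share test runs as the logged-in user, like the File Explorer check in step 4. A package assigned to computers is read by the computer account, so that account also needs read access to the share.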
If none of the steps above fix the issue, please reach out to the HEIMDAL Security Support Team.