Install Windows agents

There are many ways you can install agents on Windows nodes, including PowerShell scripts, the Puppet Enterprise (PE) console, the MSI installer, and the msiexec command.

We recommend you Install agents with the install script or Install agents from the console whenever possible, and we've described other cases here for your reference. For non-root agents, refer to Install non-root Windows agents.

Install Windows agents with PE package management

Puppet Enterprise (PE) provides its own package management to help you install agents on Windows nodes. You can use this method with or without internet access.

Before you begin

If your primary server doesn't have internet access, download the appropriate agent tarball and save it to the appropriate agent package directory on your primary server.

For 32-bit systems, save the tarball at /opt/puppetlabs/server/data/packages/public/<PE_VERSION>/windows-i386-<AGENT_VERSION>/
For 64-bit systems, save the tarball at /opt/puppetlabs/server/data/packages/public/<PE_VERSION>/windows-x86_64-<AGENT_VERSION>/

These commands modify the standard agent install script for specific platforms or airgapped environments. If you do not have a specific need for these commands, we recommend you Install agents with the install script.

Note: The <PRIMARY_HOSTNAME> portion of the installer script—as provided in the following example—refers to the FQDN of the primary server. The FQDN must be fully resolvable by the machine on which you're installing or upgrading the agent.

On the agent node, open an administrative PowerShell window, and run the appropriate agent install script command:

For Microsoft Windows Server 2008r2:

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $webClient = New-Object System.Net.WebClient; `
$webClient.DownloadFile('https://<PRIMARY_HOSTNAME>:8140/packages/current/install.ps1', 'install.ps1'); .\install.ps1 -v

For all other Windows platforms:

[System.Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; `
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $webClient = New-Object System.Net.WebClient; `
$webClient.DownloadFile('https://<PRIMARY_HOSTNAME>:8140/packages/current/install.ps1', 'install.ps1'); .\install.ps1 -v

After running the install script, the following output indicates the agent was installed successfully:

Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
  ensure => 'running',
  enable => 'true',
}

Run puppet agent -t to add the node to the node inventory and generate the CSR.
Accept the CSR as explained in Managing certificate signing requests.

Install Windows agents using a manually-transferred certificate

If you need to perform a secure installation on Windows nodes, you can manually transfer the primary server CA certificate to any Windows machines you want to install agents on, and then run a variation of the agent install script against that cert.

Transfer the CA certificate:
1. On the machine where you want to install the agent, create this directory: C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs\
2. On the primary server, navigate to: /etc/puppetlabs/puppet/ssl/certs/
3. Copy ca.pem to the certs directory you created on the agent node.
Transfer the agent install script:
1. On the primary server, navigate to: /opt/puppetlabs/server/data/packages/public/
2. Copy install.ps1 to any accessible local directory on the agent node.
In an administrative PowerShell window, run the install script with the -UsePuppetCA flag: .\install.ps1 -UsePuppetCA
Run puppet agent -t to add the node to the node inventory and generate the CSR.
Accept the CSR as explained in Managing certificate signing requests.

Install Windows agents with the `.msi` package

You can use the Windows MSI installer or the msiexec command to install the agent .msi package if you need to specify agent configuration details during installation or if you need to install Windows agents locally without internet access.

Before you begin

Download the appropriate agent .msi package.

To install agents on Windows nodes without internet access, save the .msi package to the appropriate agent package directory:

For 32-bit systems, save the package at /opt/puppetlabs/server/data/packages/public/<PE_VERSION>/windows-i386-<AGENT_VERSION>/
For 64-bit systems, save the package at /opt/puppetlabs/server/data/packages/public/<PE_VERSION>/windows-x86_64-<AGENT_VERSION>/

Install Windows agents with the MSI installer

Use the MSI installer for an automated installation process. The installer can configure puppet.conf, configure CSR attributes, and connect the agent to your primary server.

Run the MSI installer as administrator.
When prompted, provide your primary server's hostname, for example puppet.company.com.
Once the agent is installed, you must accept the node's CSR as explained in Managing certificate signing requests.

Install Windows agents using `msiexec` from the command line

You can install the .msi package manually from the command line if you need to customize puppet.conf, CSR attributes, or certain agent properties.

If you Install agents with the install script (with PowerShell), you can Customize the install script by specifying CSR attribute settings and some MSI properties. The msiexec command does not require PowerShell and allows you to specify more MSI properties.

Identify the MSI properties you want to include in the msiexec command and prepare the syntax for those properties.
If you need to set CSR attributes, create a csr_attributes.yaml file in the Puppet confdir (at C:\ProgramData\PuppetLabs\puppet\etc\csr_attributes.yaml) prior to installing the Puppet agent package.
Customize the install script explains how to specify CSR attribute settings.
To log installation progress to an install.txt log file, include /l*v install.txt in your msiexec command.
On the command line of the node where you want to install the agent, run your msiexec command.
The basic command is:
```
msiexec /qn /norestart /i <PACKAGE_NAME>.msi
```
Your command likely includes additional arguments, such as /l*v, PUPPET_AGENT_CERTNAME, or any other valid MSI properties. For example, this msiexec command installs the agent with a primary server located at puppet.acme.com:
```
msiexec /qn /norestart /i <PACKAGE_NAME>.msi PUPPET_SERVER=puppet.acme.com
```
This msiexec command installs the agent to a domain user account called bob on the ExampleCorp domain with the account password of password:
```
msiexec /qn /norestart /i <PACKAGE_NAME>.msi PUPPET_AGENT_ACCOUNT_DOMAIN=ExampleCorp PUPPET_AGENT_ACCOUNT_USER=bob PUPPET_AGENT_ACCOUNT_PASSWORD=password
```
Run puppet agent -t to add the node to the node inventory and generate the CSR.
Accept the CSR as explained in Managing certificate signing requests.

MSI properties

You can use these MSI properties if you install Windows agents with the msiexec command.

Important: The following MSI properties define puppet.conf settings:

PUPPET_SERVER corresponds with server
PUPPET_CA_SERVER corresponds with ca_server
PUPPET_AGENT_CERTNAME corresponds with certname
PUPPET_AGENT_ENVIRONMENT corresponds with environment

If you use msiexec to specify a non-default value for these properties, the installer replaces the default value in puppet.conf and re-uses your specified value at upgrade. Therefore, if you need to change these properties after setting them with msiexec, don't change them directly in puppet.conf; instead, you need to re-run the installer and set a new value.

Customize the install script provides more details on puppet.conf settings.


Property	Definition	Default value
`INSTALLDIR`	Location to install Puppet and its dependencies.	For 32-bit systems: `C:\Program Files\Puppet Labs\Puppet` For 64-bit systems: `C:\Program Files \Puppet Labs\Puppet`
`PUPPET_SERVER`	Hostname where the primary server can be reached.	`puppet`
`PUPPET_CA_SERVER`	Hostname where the CA primary server can be reached if you're using multiple primary servers and only one of them is acting as the CA.	Value of `PUPPET_SERVER`
`PUPPET_AGENT_CERTNAME`	The agent node's certificate name and the name it uses when requesting catalogs. Important: Only use lowercase letters, numbers, periods, underscores, and dashes.	Value of `facter fdqn`
`PUPPET_AGENT_ENVIRONMENT`	The agent node's environment. Important: If the node already has a `puppet.conf` file containing a value for the `environment` variable, specifying it during installation doesn't override that value.	`production`
`PUPPET_AGENT_STARTUP_MODE`	Whether and how the agent service is allowed to run. Allowed values are: `Automatic`: The agent service when Windows starts and remains running in the background. `Manual`: The agent service can be started in the services console or with `net start` on the command line. `Disabled`: The agent service is installed but disabled. You must change its startup type in the services console before you can start the service.	`Automatic`
`PUPPET_AGENT_ACCOUNT_USER`	The Windows user account the agent service uses. Use this property when the agent needs to access files on UNC shares, because the default `LocalService` account can't access these network resources. The user account must already exist and can be either a local or domain user. The installer: Allows domain users even if they have not accessed the machine before. Grants `Logon as Service` to the user. Add the user to the `Administrators` group, if the user isn't already a local administrator. Important: If you specify this property, you must also specify `PUPPET_AGENT_ACCOUNT_PASSWORD` and `PUPPET_AGENT_ACCOUNT_DOMAIN` unless the node is under a gMSA. For gMSAs, you must also specify `PUPPET_AGENT_ACCOUNT_DOMAIN`, but do not specify `PUPPET_AGENT_ACCOUNT_PASSWORD`.	`LocalSystem`
`PUPPET_AGENT_ACCOUNT_PASSWORD`	Password for the agent's user account. Do not specify this property for nodes running under gMSAs.	No value
`PUPPET_AGENT_ACCOUNT_DOMAIN`	Domain of the agent's user account.	`.`
`REINSTALLMODE`	A default MSI property that controls file copy behavior during installation. Important: If you need to downgrade agents, use `REINSTALLMODE=amus` when calling `msiexec.exe` at the command line to prevent removing required files.	From `puppet-agent` version 1.10.10 and 5.3.4: `amus` Prior releases: `omus`

About Windows agents

Windows nodes can fetch configurations from the primary server and apply manifests locally, and respond to orchestration commands.

After installing a Windows node, the Start Menu contains a Puppet folder with shortcuts for running the agent manually, running Facter, and opening a command prompt to use Puppet tools.

Remember: You must run Puppet with elevated privileges. Select Run as administrator when opening the command prompt.

The agent runs as a Windows service. By default, the agent fetches and applies configurations every 30 minutes. The agent service can be started and stopped independently using either the service control manager UI or the command line sc.exe utility.

Puppet is automatically added to the machine's PATH environment variable, so you can open any command line and run puppet, facter and the other batch files that are in the Puppet installation's bin directory. Items necessary for the Puppet environment are also added to the shell, but only for the duration of each command's execution.

The installer includes Ruby, Ruby gems, and Facter. If you have existing copies of these applications, such as Ruby, they aren't affected by the re-distributed version included with Puppet.

Program files directory

Unless overridden during installation, PE and its dependencies are installed in Program Files at \Puppet Labs\Puppet.

You can locate the Program Files directory using the PROGRAMFILES variable or the PROGRAMFILES(X86) variable.

The program files directory contains these subdirectories:


Subdirectory	Contents
`bin`	Scripts for running Puppet and Facter
`facter`	Facter source
`hiera`	Hiera source
`misc`	Resources
`puppet`	Puppet source
`service`	Code to run the agent as a service
`sys`	Ruby and other tools

Data directory

PE stores settings, manifests, and generated data (such as logs and catalogs) in the data directory. The data directory contains two subdirectories:

etc (the $confdir): Contains configuration files, manifests, certificates, and other important files.
var (the $vardir): Contains generated data and logs.

When you run Puppet with elevated privileges, the data directory is located in the COMMON_APPDATA.aspx directory. This direcotry is typically located at C:\ProgramData\PuppetLabs\. Because the COMMAN_APPDATA.aspx directory is a system folder, it is hidden by default.

If you run Puppet without elevated privileges, it uses a .puppet directory in the current user's home directory as its data directory, which can result in unexpected settings. We recommend always running Puppet with elevated privileges, unless otherwise specified for specific scenarios.

Was this page helpful?

We’re sorry to hear that!
Please tell us why so we can help. Enter your feedback and email. This form is sent to the Puppet docs team. We ask for your email as we might contact you regarding your feedback. If you need help with the product itself, visit Puppet Support or ask in Puppet Community on Slack. Feedback:

Email Address:

To learn about how Puppet uses your personal information, visit our privacy policy.

If you leave us your email, we may contact you regarding your feedback. For more information on how Puppet uses your personal information, see our privacy policy.

See an issue? Please file a JIRA ticket in our [DOCUMENTATION] project.