Installation of components
Initial configuration tasks
Initial whitelist generation
Add entries to whitelist
Agent deployment (RemoteClientManagement)
The feature "RemoteClientManagement" (RCM) enables automatic
deployment of SecuLution Agent software in your ActiveDirectory.
While you can use the SecuLution AdminWizard on any number of
computers, we recommend you use the RCM feature only on the
computer on which an administrator does his daily work.
System requirements for RCM:
- Microsoft ActiveDirectory
- Dot Net Framework 4.5
To setup RCM:
- Install the RCMWizard from the AdminWizard folder of your
- (Re-) Start the AdminWizard
- Select Extra > Directories > MS-Active-Directory
> Start RCM Wizard from the menu
The RCM Wizard will then guide you through the required steps.
Follow the on screen instructions. The RCM Wizard will ask for a
UNC path in which the installation files of the SecuLution Agent
are to be stored. You must set up this share manually, permissions
need to be "Everyone" -> "Read, Execute".
RCM tools update
The feature "RemoteClientManagement" uses MS Active Directory
group policy objects to install the Agents
on computers of your choice. This can also be done manually but
SecuLutions RemoteClientManagement feature (RCM) sets everything up
for you. Until Windows XP the Microsoft Group Policy Management
Console (GPMC) was used. Since Windows Vista the GPMC is
discontinued. Therefore updating the SecuLution RCMTools is not
strictly required but it will make deployment of the Agent easier
when managing from a computer running Windows Vista or later.
To update the RCMTools:
- Install Microsofts RemoteServerAdministrationTools
- Install SecuLutions
- Open path
in Windows Explorer
- You may have to create two new directories "install" and
- In directoy "install" the following files must be made
available. You'll find these on your SecuLution install-CD or on
the path you've yet been using for Agent deployment.
- In directoy "uninstall" the following file must be made
available. You'll find it on your SecuLution install-CD or on the
path you've yet been using for Agent deployment, too.
- Now (re-) start the SecuLution AdminWizard
- Choose menu "Extra/Directories/MS-Active-Directory/Start RCM
- Now just follow the instructions on your screen. The RCM Wizard
will guide you through the setup process.
To deploy Agents to computers in your ActiveDirectory, select the
You'll find four lists:
- Hosts not running the Agent
- Hosts marked for Agent deployment
- Hosts on which the Agent has been successfully deployed
- Hosts marked for Agent uninstallation
Just select one or more computer objects where the Agent should
be deployed, then click on the arrow to move these objects from one
list to another. Click apply to apply changes to the AD.
Clicking on "apply" will change the computer's membership of
security groups inside the OU SecuLution. This will apply the GPO
object's security filtering. However, a computer only renews its
own membership of AD groups at the time a user logs into that
computer. Furthermore the GPO which is used for the installation of
the Agent configures the GPO setting "run these programs at user
login", which may not be immediately applied but in some cases
requires one more reboot. This results in the following effect:
- Day one: Admin uses RCM, group membership of computer changed
in AD but the computer does not yet know about this
- Day two: Computer started, user logs in, computer detects new
group membership, GPO not yet applied
- Day three: Computer started, user logs in, computer applies
GPO, Agent installation triggered, after successful installation
Computer is moved to the appropriate group in AD
- Day four: Computer started, user logs in, computer detects new
group membership, GPO will not be applied any longer
To avoid system messages on the user's screen, UAC is turned off
by the RCM's GPO for installation and uninstallation of the Agent.
This setting remains valid until the security filter for the GPO
update deployment using RCM
Download the new Agent update file, unpack it to
then (re-) start the RCMWizard.
To trigger an update of the SecuLution Agent to the latest version,
select the computers in column "These hosts are currently running
SecuLution" (1) and click the arrow to the left (2) to move the
computers to the column "These hosts will install or update
SecuLution on next login" (3).
The RCM tools will take care of uninstallation, installation and
change of group memberships in AD automatically. It is not
necessary to manually check if the version is already up to date.
The RCM tools identify the installed version automatically,
therefore it is possible to move all computers from the 4th column
to the 3rd
column independent of the currently running version.
Details about how RCM works
RCM in detail:
The RCMWizard verifies the following AD configuration and sets them
- A new OU SecuLution will be created in the root of your
- New groups will be created in the OU SecuLution:
- Hosts to install the Agent
- Hosts to uninstall the Agent
- Hosts running the Agent
- A user SSAdmin will be created and added to the group
- A GPO "Agent Management" will be created and linked to the
domain root. This GPO
- Configures "run these programs at system boot time"
- A security filtering for the GPO will be added so that the GPO
will be applied only to Computers which are members of the groups
"install" or "uninstall".
If the RCM does not work as expected, you can delete all OUs
(together with the users and groups contained therein) and GPOs
which are related to SecuLution and start the RCMWizard again. The
RCMWizard will then recreate and reconfigure all the required
objects. If the RCM still does not work, please manually change the
order in which GPOs are processed so that the SecuLution
AgentManagement GPO is applied first.
By clicking "Apply", the computers membership in security groups in
OU SecuLution is changed. This will affect the security filter of
the Group Policy Object "SecuLution Agent Management". A Windows
computer updates the information about which groups it is a member
of a few minutes after the logon of a user. The Group Policy to
install the SecuLution Agents will also be executed when a user
logs in. This setting is not always immediately being applied by
Windows, but may require restarts and the system being idle for a
while. This can result in the following effect:
- First day: The admin uses the RCM. The group membership of a
computer in the AD is being changed. This will not have any effect
on the computer itself at this time.
- Second day: Windows boots. After login, Windows detects it's
now member of a new group. Simultaneously Group Policies are
applied. However, because the security filter for the Group Policy
"SecuLution Agent Management" has not yet been updated, the GPO for
SecuLution Agent management is not being applied.
- Third day: Windows boots. After login, Windows will apply the
Group Policy "SecuLution Agent Management" . As a result, the agent
will be installed. After successful installation, the computer will
be moved to the appropriate group in AD.
- Fourth day: Windows boots. After login, Windows detects the
change in group memberships. The security filter for the Group
Policy "SecuLution Agent Management" has changed again, therefore
the GPO will be applied no more.
The above operations take time. Rebooting the computer in order
to force the application of GPO settings can effectively result in
the opposite effect, because Windows might not come to the point
where it can check its AD membership if rebooted too quickly.
Waiting a few minutes before rebooting is generally a good
In general, the Agent deployment is initiated successfully after
one to two days. Installing, uninstalling or updating the
SecuLution Agent requires exactly one reboot. However, it is
possible that Windows Group policies may take some time to
Still nothing happens.
If the Agent deployment still does not take place
- Re- sort the precedence of your GPOs so to that SecuLution
AgentManagement GPO is applied first.
- Check the output (as admin) of "gpresult / R" to determine
whether the computer (!not the user!) is correctly listed to be a
member of the AD group "SecuLutionInstallAgent". Additionally check
the section "Applied Group Policy Objects" for the line "SecuLution
Agent Management". If this line is not listedm there's still
something superseeding configured in your Active Directory which
needs to be solved first.
rsop.msc to verify the effective settings.
What is the Splash Screen
If the DotNet Framework has not been used yet, starting a program
that is based on DotNet can take a while. Running
Splashscreenstarter.exe instead provides a visual indication that
the RCMWizard is strting up now.
The RCMWizard does not
If clicking on the menu "Extra / Directories / MS-Active-Directory
/ Run RCM Wizard" in AdminWizard does not start the RCMWizard, it
can be started manually by right-clicking -> Run as
administrator on Splashscreenstarter.exe in folder
The RCMWizard does not start.
Error message 80040154 is shown.
The error 0x080040154 (CLASS_NOT_REGISTERED) is a Windows (not
SecuLution) error. The error can occur if a required Windows
component is not properly activated in Windows. Identified causes
were for example a component of Dot Net Framework or the Remote
Server Administration Tools not being installed properly. The
RCMWizard can try to solve these issues. To do this, proceed as
- Close all instances of RCMWizard
- Start cmd.exe as Administrator, type:
- RCMWizard.exe -preinstall
- Start the RCMWizard
If this still does not produce the desired result, you can try to
install the Remote Server Administration Tools manually. After that
make sure "Control Panel> Programs and Features> Turn Windows
features on or off> Remote Server Administration Tools>
Feature Administration Tools> Group Policy Management Tools" is