Install Windows agents
There are many ways you can install agents on Windows
nodes, including PowerShell scripts, the Puppet Enterprise (PE) console, the MSI installer, and the msiexec
command.
We recommend you Install agents with the install script or Install agents from the console whenever possible, and we've described other cases here for your reference. For non-root agents, refer to Install non-root Windows agents.
Install Windows agents with PE package management
Puppet Enterprise (PE) provides its own package management to help you install agents on Windows nodes. You can use this method with or without internet access.
- For 32-bit systems, save the tarball at
\opt\puppetlabs\server\data\packages\public\<PE_VERSION>\windows-i386-<AGENT_VERSION>\
- For 64-bit systems, save the tarball at
\opt\puppetlabs\server\data\packages\public\<PE_VERSION>\windows-x86_64-<AGENT_VERSION>\
<PRIMARY_HOSTNAME>
portion of the installer script—as provided in the following example—refers to the
FQDN of the primary server. The FQDN must be fully resolvable by the machine on
which you're installing or upgrading the agent.Install Windows agents using a manually-transferred certificate
If you need to perform a secure installation on Windows nodes, you can manually transfer the primary server CA certificate to any Windows machines you want to install agents on, and then run a variation of the agent install script against that cert.
-
Transfer the CA certificate:
-
On the machine where you want to install the agent, create this
directory:
C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs\
' -
On the primary server, navigate to:
\etc\puppetlabs\puppet\ssl\certs\
-
Copy
ca.pem
to thecerts
directory you created on the agent node.
-
On the machine where you want to install the agent, create this
directory:
-
Transfer the agent install script:
-
On the primary server, navigate to:
\opt\puppetlabs\server\data\packages\public\
-
Copy
install.ps1
to any accessible local directory on the agent node.
-
On the primary server, navigate to:
-
In an administrative PowerShell window, run the
install script with the
-UsePuppetCA
flag:.\install.ps1 -UsePuppetCA
-
Run
puppet agent -t
to add the node to the node inventory and generate the CSR. - Accept the CSR as explained in Managing certificate signing requests.
Install Windows agents with the .msi
package
You can use the Windows MSI installer or the msiexec
command to install the agent .msi
package if you need to specify agent configuration details during
installation or if you need to install Windows agents locally
without internet access.
.msi
package..msi
package to the
appropriate agent package directory:- For 32-bit systems, save the package at
\opt\puppetlabs\server\data\packages\public\<PE_VERSION>\windows-i386-<AGENT_VERSION>\
- For 64-bit systems, save the package at
\opt\puppetlabs\server\data\packages\public\<PE_VERSION>\windows-x86_64-<AGENT_VERSION>\
Install Windows agents with the MSI installer
Use the MSI installer for an automated installation process. The installer can
configure puppet.conf
, configure CSR attributes, and connect the agent
to your primary server.
- Run the MSI installer as administrator.
-
When prompted, provide your primary server's hostname, for example
puppet.company.com
. - Once the agent is installed, you must accept the node's CSR as explained in Managing certificate signing requests.
Install Windows agents using msiexec
from
the command line
You can install the .msi
package manually from the
command line if you need to customize puppet.conf
, CSR attributes, or
certain agent properties.
If you Install agents with the install script
(with PowerShell), you can Customize the install script by specifying CSR attribute settings and
some MSI properties. The msiexec
command does not
require PowerShell and allows you to specify more MSI
properties.
MSI properties
You can use these MSI properties if you install Windows agents with the msiexec
command.
puppet.conf
settings:-
PUPPET_SERVER
corresponds withserver
-
PUPPET_CA_SERVER
corresponds withca_server
-
PUPPET_AGENT_CERTNAME
corresponds withcertname
-
PUPPET_AGENT_ENVIRONMENT
corresponds withenvironment
If you use msiexec
to specify a non-default
value for these properties, the installer replaces the default value in
puppet.conf
and re-uses your specified value at upgrade.
Therefore, if you need to change these properties after setting them with
msiexec
, don't change them directly in
puppet.conf
; instead, you need to re-run the installer and
set a new value.
Customize the install script provides
more details on puppet.conf
settings.
Property | Definition | Default value |
---|---|---|
INSTALLDIR |
Location to install Puppet and its dependencies. |
For 32-bit systems: For 64-bit systems: |
PUPPET_SERVER |
Hostname where the primary server can be reached. | puppet |
PUPPET_CA_SERVER |
Hostname where the CA primary server can be reached if you're using multiple primary servers and only one of them is acting as the CA. | Value of PUPPET_SERVER
|
PUPPET_AGENT_CERTNAME |
The agent node's certificate name and the name it
uses when requesting catalogs.
Important: Only use
lowercase letters, numbers, periods, underscores, and
dashes.
|
Value of facter fdqn
|
PUPPET_AGENT_ENVIRONMENT |
The agent node's environment.
Important: If the node already has a
puppet.conf file containing a value
for the environment variable, specifying it
during installation doesn't override that value. |
production |
PUPPET_AGENT_STARTUP_MODE |
Whether and how the agent service is allowed to
run. Allowed values are:
|
Automatic |
PUPPET_AGENT_ACCOUNT_USER |
The Windows user account the agent service uses. Use this property when the agent needs to access files on UNC
shares, because the default The user account must already exist and can be either a local or
domain user. The installer:
Important: If you specify this property, you must also
specify
PUPPET_AGENT_ACCOUNT_PASSWORD and
PUPPET_AGENT_ACCOUNT_DOMAIN unless the node
is under a gMSA.For gMSAs, you
must also specify
|
LocalSystem |
PUPPET_AGENT_ACCOUNT_PASSWORD |
Password for the agent's user account. Do not specify this property for nodes running under gMSAs. |
No value |
PUPPET_AGENT_ACCOUNT_DOMAIN |
Domain of the agent's user account. | . |
REINSTALLMODE |
A default MSI property that controls file
copy behavior during installation.
Important: If you need
to downgrade agents, use
REINSTALLMODE=amus
when calling msiexec.exe at the command line to
prevent removing required files. |
From Prior releases: |
About Windows agents
Windows nodes can fetch configurations from the primary server and apply manifests locally, and respond to orchestration commands.
The agent runs as a Windows service. By default, the agent
fetches and applies configurations every 30 minutes. The agent service can be started
and stopped independently using either the service control manager UI or the command
line sc.exe
utility.
Puppet is automatically added to the machine's
PATH
environment variable, so you can open any command line and run
puppet
, facter
and the other batch files that are
in the Puppet installation's bin
directory. Items necessary for the Puppet environment are
also added to the shell, but only for the duration of each command's execution.
The installer includes Ruby, Ruby gems, and Facter. If you have existing copies of these applications, such as Ruby, they aren't affected by the re-distributed version included with Puppet.
Program files directory
Unless overridden during installation, PE and its
dependencies are installed in Program Files
at \Puppet
Labs\Puppet
.
You can locate the Program Files
directory using the
PROGRAMFILES
variable or the PROGRAMFILES(X86)
variable.
Subdirectory | Contents |
---|---|
bin |
Scripts for running Puppet and Facter |
facter |
Facter source |
hiera |
Hiera source |
misc |
Resources |
puppet |
Puppet source |
service |
Code to run the agent as a service |
sys |
Ruby and other tools |
Data directory
data
directory.
The data
directory contains two subdirectories:-
etc
(the$confdir
): Contains configuration files, manifests, certificates, and other important files. -
var
(the$vardir
): Contains generated data and logs.
When you run Puppet with elevated privileges, the data
directory is located in the COMMON_APPDATA.aspx
directory. This
direcotry is typically located at C:\ProgramData\PuppetLabs\
.
Because the COMMAN_APPDATA.aspx
directory is a
system folder, it is hidden by default.
If you run Puppet without elevated privileges, it uses
a .puppet
directory in the current user's home directory as its
data
directory, which can result in unexpected
settings. We recommend always running Puppet with
elevated privileges, unless otherwise specified for specific scenarios.