Install Upwind Sensor on Windows Hosts

Overview

This topic describes how to install the Upwind Sensor on a Windows Server host using an MSI installer.

note

This topic assumes the following criteria are met:

You have already connected the cloud account where the Windows host is hosted to Upwind. If you haven't, please follow the Connect a Cloud Account page.
Your host is running Windows Server 2016 or later.

Step 1: Generate Client Credentials

note

This step is relevant only if you want to create new client credentials. If you already have client credentials, you can skip this step.

After you connect your cloud account to Upwind, generate client credentials so the Upwind Sensor can communicate with the Upwind platform. You can create them during the host connection flow, or in the Upwind Console under Client Credentials .

Save UPWIND_CLIENT_ID and UPWIND_CLIENT_SECRET. You won’t be able to view UPWIND_CLIENT_SECRET again after saving.

Step 2: Install the Upwind Sensor

warning

This script must be run as Administrator.

warning

On Windows Server 2016 TLS 1.2 must be enabled.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Open an elevated PowerShell prompt and run the following commands:

$CLIENT_ID = "{CLIENT_ID}"
$CLIENT_SECRET = "{CLIENT_SECRET}"

$installer = (Invoke-WebRequest `
  -Uri https://get.upwind.io/sensor.ps1 `
  -UseBasicParsing).Content
& ([ScriptBlock]::Create($installer)) `
  -UPWIND_CLIENT_ID $CLIENT_ID `
  -UPWIND_CLIENT_SECRET $CLIENT_SECRET

Replace {CLIENT_ID} and {CLIENT_SECRET} with the values you noted in Step 1.

The installation script accepts the following optional parameters:

Parameter	Description	Default
`UPWIND_CLIENT_ID`	Upwind API client ID (required)
`UPWIND_CLIENT_SECRET`	Upwind API client secret (required)
`UPWIND_REGION`	Upwind region (`us`, `eu`, `me`)	`us`
`UPWIND_SENSOR_VERSION`	Sensor version to install (`stable`, or a specific version)	`stable`
`UPWIND_CONFIG`	Path to an existing config YAML to pass to the installer
`UPWIND_API_HOST`	Override the API host (e.g. `https://agent.upwind.io`)
`UPWIND_AUTH_ENDPOINT`	Override the auth endpoint (e.g. `https://oauth.upwind.io/oauth/token`)
`UPWIND_ENABLE_HOST_SCAN`	Enable host filesystem scan (`1` to enable, `0` to disable)	`1`
`UPWIND_HOST_SCAN_INTERVAL`	Interval in minutes between checks if host filesystem is due to be scanned	`60`
`UPWIND_CLOUD_PROVIDER`	Cloud Provider (set to `aws`, `gcp`, `azure` if IMDS not available, `byoc` for BYOC hosts)
`UPWIND_CLOUD_ACCOUNT_ID`	Cloud Account ID (set to account ID if IMDS not available, or `byoc-{ACCOUNT_ID}` for BYOC hosts

Parameters can also be set as environment variables.

Region

By default the sensor connects to the US region. To install against a different region, pass -UPWIND_REGION:

& ([ScriptBlock]::Create($installer)) `
  -UPWIND_CLIENT_ID $CLIENT_ID `
  -UPWIND_CLIENT_SECRET $CLIENT_SECRET `
  -UPWIND_REGION "eu"

BYOC

For a BYOC deployment, set the UPWIND_CLOUD_PROVIDER and UPWIND_CLOUD_ACCOUNT_ID parameters:

& ([ScriptBlock]::Create($installer)) `
  -UPWIND_CLIENT_ID $CLIENT_ID `
  -UPWIND_CLIENT_SECRET $CLIENT_SECRET
  -UPWIND_CLOUD_PROVIDER "byoc" `
  -UPWIND_CLOUD_ACCOUNT_ID "byoc-{ACCOUNT_ID}"

UPWIND_CLOUD_PROVIDER and UPWIND_CLOUD_ACCOUNT_ID will be specific to the BYOC cloud account you configured when connecting your BYOC account in the Upwind console. It's essential to set these accurately to reflect your specific setup and ensure the sensor's correct operation within your cloud environment.

Custom Endpoints

If you need to override the API host and auth endpoint directly (for example, in a custom deployment), pass -UPWIND_API_HOST and -UPWIND_AUTH_ENDPOINT:

& ([ScriptBlock]::Create($installer)) `
  -UPWIND_CLIENT_ID $CLIENT_ID `
  -UPWIND_CLIENT_SECRET $CLIENT_SECRET `
  -UPWIND_API_HOST "https://agent.example.upwind.io" `
  -UPWIND_AUTH_ENDPOINT "https://oauth.example.upwind.io/oauth/token"

When both UPWIND_API_HOST and UPWIND_AUTH_ENDPOINT are set, UPWIND_REGION is ignored.

BYOC Installation

For Bring Your Own Cloud (BYOC) environments, include the UPWIND_CLOUD_PROVIDER and UPWIND_CLOUD_ACCOUNT_ID parameters when running the installer.

Open an elevated PowerShell prompt and run the following commands:

$CLIENT_ID = "{CLIENT_ID}"
$CLIENT_SECRET = "{CLIENT_SECRET}"

$installer = (Invoke-WebRequest `
  -Uri https://get.upwind.io/sensor.ps1 `
  -UseBasicParsing).Content

& ([ScriptBlock]::Create($installer)) `
  -UPWIND_CLIENT_ID $CLIENT_ID `
  -UPWIND_CLIENT_SECRET $CLIENT_SECRET `
  -UPWIND_CLOUD_PROVIDER "byoc" `
  -UPWIND_CLOUD_ACCOUNT_ID "byoc-{ACCOUNT_ID}"

Replace {CLIENT_ID} and {CLIENT_SECRET} with the values you noted in Step 1, and {ACCOUNT_ID} with your BYOC account ID.

Step 3: Validate the Installation

After installation, verify that the Upwind Sensor service is running.

Open an elevated PowerShell prompt and run the following command:

Get-Service -Name "UpwindSensor"

The output should show that the service status is Running.

You can also check the Upwind Console to confirm that the host appears in your inventory.

Overview​

Step 1: Generate Client Credentials​

Step 2: Install the Upwind Sensor​

Region​

BYOC​

Custom Endpoints​

BYOC Installation​

Step 3: Validate the Installation​