Deploy on Windows

The InfraScout agent runs as a Windows Service and gives Claude visibility into the host through shell, PowerShell, WMI, and Event Log capabilities. This guide walks you through downloading the binary, enrolling the agent with your InfraScout server, and installing it as a persistent service.

Prerequisites

The agent requires Windows 10 or Windows Server 2016 or later. PowerShell 5.1 is sufficient and ships with all supported Windows versions. The host needs outbound network access to your InfraScout server on port 443. Before you begin, generate an enrollment token in the dashboard under Settings → Enrollment Tokens. You also need a local administrator account to install the service.

Download the Agent

Open the InfraScout dashboard and navigate to Settings → Downloads. Download infrascout-agent-windows-amd64.exe for x64 hardware, or infrascout-agent-windows-arm64.exe if you are running ARM-based hardware such as Windows Dev Kit devices. Place the binary in a permanent directory before proceeding — C:\Program Files\InfraScout\ is a sensible choice that keeps it off the system path and under a consistent location.

Enroll the Agent

Open an elevated PowerShell prompt and run the enrollment command, substituting your token and server address:

powershell
& "C:\Program Files\InfraScout\infrascout-agent.exe" enroll `
    --token YOUR_ENROLLMENT_TOKEN `
    --server YOUR_SERVER_ADDRESS

Replace YOUR_ENROLLMENT_TOKEN with the token you generated under Settings → Enrollment Tokens, and YOUR_SERVER_ADDRESS with the gRPC server address shown on the same page. The agent connects to InfraScout, completes a mutual TLS certificate exchange, and writes agent-config.yaml to the same directory as the binary. A confirmation message displays the agent's assigned ID, which you can also see in the dashboard immediately after enrollment.

INFO

The enrollment token is consumed on first use. If enrollment fails partway through, generate a new token before retrying.

Install as a Windows Service

With enrollment complete, install the agent as a Windows service so it starts automatically and survives reboots. Run in an elevated PowerShell prompt:

powershell
& "C:\Program Files\InfraScout\infrascout-agent.exe" service install

Then start the service:

powershell
Start-Service InfraScoutAgent

Confirm it is running:

powershell
Get-Service InfraScoutAgent

The service runs under the NT AUTHORITY\SYSTEM account. If you ever need to stop or remove it, run Stop-Service InfraScoutAgent followed by infrascout-agent.exe service uninstall from an elevated prompt.

Configure LDAP (Optional)

If you want the agent to run LDAP queries against Active Directory — for example, to enumerate groups, users, or organizational units during an assessment — add an ldap block to agent-config.yaml. The file lives in the same directory as the binary:

yaml
ldap:
  server: ldap://dc01.example.com
  base_dn: DC=example,DC=com
  bind_dn: CN=svc-infrascout,OU=Service Accounts,DC=example,DC=com
  bind_password: YourServiceAccountPassword

After saving, restart the service so the agent picks up the new configuration:

powershell
Restart-Service InfraScoutAgent

On first startup after this change, the agent encrypts bind_password in place — the file will show an encrypted value rather than the plaintext you entered.

TIP

Use a read-only service account with minimal Active Directory permissions. The agent only reads from Active Directory and never writes to it.

Capabilities on Windows

After a successful enrollment, the agent advertises the following capabilities to InfraScout:

  • shell — run commands via Windows Command Prompt
  • powershell — run PowerShell scripts and cmdlets
  • wmi — execute WMI queries
  • eventlog — query Windows Event Logs
  • ldap — search Active Directory via LDAP (requires LDAP configuration; see Configure LDAP above)

Claude can use all available capabilities during an assessment session to collect data, run checks, and surface findings.

Troubleshooting

Service fails to start — Open Event Viewer and check the Application log for entries from InfraScoutAgent. The most common cause is a missing or corrupt agent-config.yaml. If the file is absent or damaged, re-run the enrollment command to regenerate it, then try starting the service again.

Enrollment fails with a certificate error — Verify that the host can reach the InfraScout server on port 443. If your network routes outbound traffic through a proxy that performs SSL inspection, the mTLS client certificate exchange will fail. mTLS is incompatible with SSL inspection proxies — you need to exclude the InfraScout server address from inspection or route it directly.

Agent appears offline in the dashboard — Confirm the service is running with Get-Service InfraScoutAgent. Also check that the system clock is accurate; certificate validation fails when the host clock is more than a few minutes out of sync with the server. Windows Time service (w32tm /resync) can correct clock drift.