Deploy with GPO
Use Group Policy to deploy the Willow Scan Agent registry policy and installation script to domain-joined Windows devices.
Prerequisites
- Active Directory and Group Policy Management Console access.
- Permission to create or edit a GPO linked to the target device OU.
- A pilot OU or security group for test devices.
- The Windows .zip package and .reg registry policy from the Willow AI Discovery setup flow.
Minimum requirements
| Component | Minimum requirement |
|---|---|
| Group Policy | Domain-based Group Policy with startup scripts and Group Policy Preferences. Microsoft documents startup scripts in "Using Startup, Shutdown, Logon, and Logoff Scripts in Group Policy" and registry preferences in "Group Policy preferences in Windows". |
| Target OS | Domain-joined Windows x64 devices. |
| Willow files | The Windows .zip package and .reg registry policy from Willow. |
| Execution privileges | Startup scripts run under the local system context and can install software or write HKLM policy values. |
Willow does not publish a separate minimum Windows Server or GPMC version. Use currently supported Windows domain infrastructure that supports computer startup scripts and Group Policy Preferences.
Expected outcome
Target Windows devices receive the Willow registry policy, install the Scan Agent, start the scheduled task, and appear in AI Discovery after the next scan interval.
For browser-based AI visibility, deploy Willow Guard through Chrome policy separately from the Scan Agent package. See Deploy Willow Guard Browser Extension.
Prepare the deployment share
- Extract the Willow Windows .zip package to a secured network share readable by target computers.
- Place the Willow .reg registry policy file in the same folder.
- Confirm install.ps1 is present.
Configure registry policy
Use one of these approaches:
- Import the Willow .reg file from the startup script before running install.ps1.
- Or create equivalent values under Computer Configuration > Preferences > Windows Settings > Registry.
The Willow-generated .reg file contains your organization connection values. Do not edit those values unless Willow Support asks you to.
Configure the startup script
Create a PowerShell startup script that imports the registry policy and runs the installer from your deployment share:
reg import "\\fileserver\share\willow\willow-scan-agent-policy.reg"
powershell -ExecutionPolicy Bypass -File "\\fileserver\share\willow\install.ps1"
Start-ScheduledTask -TaskName "MCP-S-Scan Agent"
If your downloaded registry file has a different name, use that filename in the script.
Link the GPO to your pilot device OU first. After policy refresh and reboot, the startup script runs on scoped devices.
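A hardened variant of the startup script above, as an added example that is not part of Willow's package or documentation: because the script runs under the local system context from a network share, it checks both files against pinned SHA-256 hashes before importing or executing anything, and it stops on any non-zero exit code. The share path, filenames and task name are the page's sample values; the hash placeholders, the log path and the helper function names are assumptions.

```powershell
# Added example, not Willow's script. Share path and filenames are the page's
# sample values; the hashes and the log path are placeholders/assumptions.
$ErrorActionPreference = 'Stop'

$Share   = '\\fileserver\share\willow'
$LogFile = Join-Path $env:ProgramData 'willow-gpo-startup.log'   # assumed location
$Pinned  = @{
    'willow-scan-agent-policy.reg' = '<SHA256-OF-YOUR-REG-FILE>'
    'install.ps1'                  = '<SHA256-OF-INSTALL-PS1>'
}

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ('{0:o} {1}' -f (Get-Date), $Message)
}

function Invoke-Checked([string]$Exe, [string[]]$Arguments) {
    # Start-Process exposes the real exit code without treating stderr text as an error.
    $p = Start-Process -FilePath $Exe -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "$Exe exited with code $($p.ExitCode)" }
}

try {
    # Refuse to continue if either file is missing or differs from its pinned hash.
    foreach ($name in $Pinned.Keys) {
        $path = Join-Path $Share $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            throw "Missing file: $path"
        }
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($actual -ne $Pinned[$name]) {   # string comparison is case-insensitive
            throw "Hash mismatch for $name (got $actual)"
        }
    }

    # Same three steps as the page's startup script, with exit codes checked.
    $reg     = '"{0}"' -f (Join-Path $Share 'willow-scan-agent-policy.reg')
    $install = '"{0}"' -f (Join-Path $Share 'install.ps1')
    Invoke-Checked 'reg.exe' @('import', $reg)
    Invoke-Checked 'powershell.exe' @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', $install)
    Start-ScheduledTask -TaskName 'MCP-S-Scan Agent'
    Write-Log 'Willow Scan Agent startup script completed.'
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

Compute the pinned values with Get-FileHash -Algorithm SHA256 on a trusted copy of each file and update them whenever you download a new package from Willow. Only the two named files are checked, so any other files on the share still depend on the share's write permissions being restricted to administrators.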
Verify deployment
On a scoped test device:
Get-ScheduledTask -TaskName "MCP-S-Scan Agent" | Select-Object State
Get-Content C:\ProgramData\mcp-s-scan\logs\agent.log -Tail 50
Then open AI Discovery in Willow and confirm the device appears with a recent last scan time.
Expand rollout
After the pilot OU reports successfully:
- Expand the GPO link or security filtering.
- Monitor Group Policy application and startup script results.
- Monitor Willow AI Discovery device counts.
Roll back
To remove the agent from a Windows device, deploy this command through a startup script or your endpoint-management workflow:
powershell -ExecutionPolicy Bypass -File "C:\Program Files\MCP-S-Scan\uninstall.ps1"
Remove the registry policy from the same scope if the device should stop reporting to Willow.