Synopsis

This step-by-step document will describe how to deploy the provided EvoCredentialProviderSetup.msi via a PowerShell script. The script can be used to deploy the installation at user logon or remotely using any RMM tool such as PDQDeploy, SCCM, etc.

Requirements

• Download the latest Evo Credential Provider agent from HERE, and save it to a network share.
• Network Share accessible by all users and workstations with read-only permissions set.

Steps

1. Log on as domain administrator to the file server where the network share resides.
2. Locate the shared network folder or create one.
   
3. Verify your network share folder has the proper network share permissions for the Everyone group.
   1. Note: A hidden share can also be used.  Append a $ at end of the Share name to hide it.
      
4. Create a folder named Evo in the network share.
   
5. Right-click the Evo folder and select Properties.
   
6. On the Share Properties page, click on the Security tab and click on Edit. 
   
7. On the Permissions for Shares page, click on Add.
   
8. On the Select Users, Computers, Service Accounts, or Groups dialog box, type in Domain Users and click OK.
   
9. Set permissions for Domain Users to Read & execute, List folder contents, and Read.
   
10. Once again, on the Permissions for Shares page, click on Add.
    
11. On the Select Users, Computers, Service Accounts, or Groups dialog box, click on Object Types…
    
12. On the Object Types page, select Computers and then click OK.
    
13. On the Select Users, Computers, Service Accounts, or Groups dialog box, type in Domain Computers and click OK.
    
14. Set permissions for Domain Computers to Read & execute, List folder contents, and Read. Then click OK twice.
    
15. Copy the EvoCredentialProviderSetup.msi file to the Evo folder in the network share.
    
16. Open Windows PowerShell ISE by clicking on Start, type in PowerShell, and select Windows PowerShell ISE program.
    
17. Copy and paste the script below into the Windows PowerShell ISE program and modify the variables to suit your environment.
    
18. Save the script to your network share.
    
19. Test script.

PowerShell Script

The script variables MUST be modified for your environment.

########################################
# 
# Description: This script is used to 
# silently install EvoCredentialProviderSetup.msi in 
# 
# Author: Evo Security
#
########################################

​

#Requires -RunAsAdministrator

# Variables - Change these for your environment. The Values provided are examples only!

# 

# Enter the full UNC path to the network share in quotes (as a string)

$MsiPath = "\\servername.your.ADdomain\ShareName$\Evo\EvoCredentialProviderSetup.msi"

# $MsiPath = "..\src\evo\windows-credential-provider\release-x64\evocredentialprovidersetup.msi"


# Enter your Evo Directory name

$EvoDirectory = "your_evo_directory"

​
# Enter your Environment URL provided by Evo Security...no trailing slash!!!!

$EnvUrl = "https://ENVIRONMENT.evosecurity.com"


# Enter your failsafeuser. Can be a domain user: "your.ADdomain\username" OR a local user "WORKGROUP\username" 

# OR just a user "username" which covers AD and local users with that username

$FailSafeUser = "username"

​
# Enter your credential mode. 10 = Elevated Login, 90 = Secure Login, 100 = Secure + ElevatedLogin

$CredMode = 100


# Enter your SecretKey provided by Evo Security. Is unnecessary if $CredMode is 90 (Secure Login)

$ApiKey = 'abc123'


# Enter your AccessToken provided by Evo Security. Is unnecessary if $CredMode is 90 (Secure Login)

$Accesstoken = 'ACCESSTOKEN'


# Uncomment the following line to make Evo Credential Provider the sole credential provider on the system. It enforces login through Evo 2FA

#$SoleProvider = $True


# Change the following value to set an MFA grace period

$MFATimeOut = 0 # good values are from 0-1440 minutes, 0 means no grace period, 240 = 4 hours


# Uncomment following line to only display message box showing InstallerParams for debugging

$DebugParams = $True


#######################################################

# Script - Do not modify anything after this line!

#######################################################
​

function IsRunningAsAdministrator {

    $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())

    return $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

}


$FullMsiPath = (Resolve-Path $MsiPath -ErrorAction SilentlyContinue).Path 


$EnvUrl = $EnvUrl.Trim("/ ") # cleans up environment url


$InstallerParams = "DOMAIN=$EvoDirectory ENVIRONMENTURL=$EnvUrl FAILSAFEUSER=$FailSafeUser ACCESSTOKEN=$Accesstoken APIKEY=$SecretKey CREDENTIAL_MODE=$CredMode MFATIMEOUT=$MFATimeOut"


if ($CredMode -eq 100 -or $CredMode -eq 10) {

    $InstallerParams += " APIKEY=$ApiKey"

}


if ($SoleProvider) {

    $InstallerParams += " SOLEPROVIDER=1"

}


if ($DebugParams) {

    echo "InstallerParams`: $InstallerParams"

    echo "MSI Path`: $MsiPath"

    echo "Full MSI Path`: $FullMsiPath"

}

else {

    if (-not $FullMsiPath) {

        throw "Could not find the MSI file`: $MsiPath."

    }


    $msi = New-Object -com "WindowsInstaller.installer"

    $msi.UILevel = 2 # 2 is for silent, 3 will give a prompt

    $msi.InstallProduct($FullMsiPath, $InstallerParams)

    if ($msi) { [System.Runtime.Interopservices.Marshal]::ReleaseComObject($msi) | Out-Null }

}

Conclusion

This concludes the setup guide. Please proceed to test the PowerShell script by deploying it to a test group of users and computers via your RMM tool of choice. It can also be used to deploy via GPO user logon script.