Overview
This step-by-step document will describe how to deploy the EvoCredentialProviderSetup.msi via PowerShell. These scripts and files can be used to deploy the installation at user logon or remotely using any RMM tool such as PDQDeploy, SCCM, etc.
Requirements
- Download the latest Evo Credential Provider agent from *HERE, and save it to a network share. [*This will download a Zipped file of the Evo Credential Provider]
- Network Share accessible by all users and workstations with read-only permissions set.
PowerShell 1-Liner
The PowerShell command below installs the Evo Credential Provider. It assumes the MSI is present in the directory you run the command from.
msiexec /i EvoCredentialProviderSetup.msi CREDENTIAL_MODE=100 ENVIRONMENTURL="https://yourENVname.evosecurity.com" DOMAIN="EvoDirectoryName" ACCESSTOKEN="yourAccessTokenID" APIKEY="yourSecretKey" FAILSAFEUSER="LocalDomainAdmin" SOLEPROVIDER="0" /qn /norestart
Variables explained:
- CREDENTIAL_MODE - Defines the operating mode for the Credential Provider.
  - CREDENTIAL_MODE=10 - Enables Elevated Login ONLY operating mode.
  - CREDENTIAL_MODE=90 - Enables Evo Secure Login (No Elevated Access) ONLY operating mode.
  - CREDENTIAL_MODE=100 - Enables both Evo Secure Login and Elevated Access modes.
- ENVIRONMENTURL="https://yourENVname.evosecurity.com"
- DOMAIN="EvoDirectoryName"
- ACCESSTOKEN="yourAccessTokenID"
- APIKEY="yourSecretKey"
- SOLEPROVIDER="0"
  - The SOLEPROVIDER property can be used to set Evo Secure Login as the only credential provider available on the computer where it is installed. By default, this feature is set to 0, which is disabled. You can edit the default SOLEPROVIDER property and set it to 1 to enable it.
- FAILSAFEUSER="Enter failsafe username here" [*OPTIONAL*]
  - The FAILSAFEUSER property should be used when setting the Credential Provider to "Evo Login Only". This user will be a LocalAdmin that can bypass MFA in case the machine is taken offline or off the network.
  - If the computer is attached to a domain, then this setting should be DOMAIN\USERNAME where DOMAIN is the Windows Active Directory domain and USERNAME is the username for the user on that domain.
  - If the computer is not attached to a domain, it is preferable that it would be WORKGROUP\USERNAME where WORKGROUP should be the literal string “WORKGROUP” (without quotes) and USERNAME will be the login name for that machine.
- MFATIMEOUT="" [*OPTIONAL*] - Defines intervals between MFA requirements.
  - MFATIMEOUT="0" (minutes): Timer starts from the last time MFA has been used on a computer. Within this time frame, MFA is NOT required when the computer is in LOCK or Screen Saver mode. Does not apply for SIGNOUT/REBOOT. [see: MFA Grace Period]
- NOELEVRDP="" [*OPTIONAL*] - Used to enable or disable Elevated Logins with Remote Desktop (RDP).
  - NOELEVRDP="0" - This is the default setting and will allow Elevated Logins via RDP.
  - NOELEVRDP="1" - This prevents Elevated Login for RDP and other apps. (Does not apply to Login/Unlock/UAC.)
- DISABLE_UPDATE="1": By default, the Evo Agent auto-updates itself when a new version is released. Use this parameter to disable auto-update.
PS1 Files
At the bottom of this page is a Zip File with four ps1 Files that can be used directly via Powershell or your RMM tool. Here are the descriptions and contents of those files:
Download AND Install EvoCredPro
Will download/install then delete the msi of the latest Evo CredPro:
- Note: Must update the variables listed.
#Download and Install_EvoCredPro
#This script will uninstall existing Evo Agent (if any), then install/update the latest Evo Agent. It could also be used to change Evo Agent Settings.
#If you run UpdateEvo.ps1 as a script file, please make sure you bypass Execution policy.
#powershell.exe -ExecutionPolicy Bypass -File C:\YourPath\UpdateEvo.ps1
# - For "Fail-Safe" user remove # from variable and add: FAILSAFEUSER=$failsafe to end LINE 56 (before /qn /NORESTART)
#***UPDATE VARIABLES*** - Properties explained in our KB here:
# https://support.evosecurity.com/hc/en-us/articles/5516145306267-Deploy-Update-Uninstall-Evo-Credential-Provider-via-PowerShell
$url = '"https://YourEnvironmentURL"'
$domain = '"DirectoryName"'
$token = '"TokenID"'
$secret = '"SecretID"'
$soleprovider = '"0"' #change to 1 to turn on Evo Login Only mode
$credmode = '"100"'
#$failsafe = '"LocalAdminAccount"' #Add a Local Admin fail-safe account, used to unlock the machine for troubleshooting.
$mfatimeout = '"0"' #Defines intervals (minutes) between MFA requirements when a user logs in to a machine.
#$eue = "0" #End User Elevation ON(1)/OFF(0) (OFF by default)
write-host "Downloading the latest Evo Secure Login..."
Invoke-WebRequest -Uri "https://download.evosecurity.com/release/credpro/credential-provider-latest.zip" -OutFile "C:\Windows\Temp\EvoCredPro.zip"
Expand-Archive -Path "C:\Windows\Temp\EvoCredPro.zip" -DestinationPath "C:\Windows\Temp\" -Force
Start-Sleep -Seconds 2
Remove-Item "C:\Windows\Temp\EvoCredPro.zip"
#Uninstall Evo Agent (if any)
$EvoSecureLogin = Get-WmiObject -Class Win32_Product | Where-Object{$_.Name -eq "Evo Secure Login"}
If ($EvoSecureLogin){
    Stop-Service -Name "EvoSecureLoginAgent"
    $EvoSecureLogin.Uninstall()
    # Remove the registry key
    $registryPath = "HKLM:\Software\EvoSecurity\EvoLogin-CP"
    if (Test-Path $registryPath) {
        Remove-Item -Path $registryPath -Recurse -Force
        Write-Host "Registry key $registryPath has been removed."
    }
    else {
        Write-Host "Registry key $registryPath does not exist."
    }
    Write-Host "Finished uninstalling!"
}
else{
    Write-Host "Evo Secure Login was not found!"
}
Start-Sleep -Seconds 2
#Install the latest Evo Agent with the settings above
Write-Host "Start installing the latest Evo Secure Login..."
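#main command (Start-Process -Wait blocks until msiexec exits; calling msiexec.exe directly from PowerShell returns before the install has finished)
Start-Process -FilePath "msiexec.exe" -ArgumentList "/i C:\Windows\Temp\EvoCredentialProviderSetup.msi CREDENTIAL_MODE=$credmode ENVIRONMENTURL=$url DOMAIN=$domain ACCESSTOKEN=$token APIKEY=$secret SOLEPROVIDER=$soleprovider MFATIMEOUT=$mfatimeout /qn /NORESTART" -Wait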
Start-Sleep -Seconds 4
Write-Host "Finished installing Evo Secure Login!"
#Turn on End User Elevation
#Set-ItemProperty hklm:\SOFTWARE\EvoSecurity\EvoLogin-CP end_user_elevation $eue
# Remove EvoCredentialProviderSetup.msi
Remove-Item "C:\windows\temp\EvoCredentialProviderSetup.msi" -Force
#Restart-Service -Name "EvoSecureLoginAgent"
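The script above installs whatever the download returns. The following added example (not Evo's code) checks the MSI's Authenticode signature before running msiexec and treats any exit code other than 0 or 3010 as a failure. It assumes the vendor MSI is Authenticode-signed; the function name `Install-VerifiedMsi` and the publisher string are placeholders.

```powershell
# Added example, not part of the vendor scripts.
function Install-VerifiedMsi {
    param(
        [Parameter(Mandatory)] [string]   $MsiPath,
        [Parameter(Mandatory)] [string]   $ExpectedPublisher,  # placeholder: signer subject you have confirmed
        [Parameter(Mandatory)] [string[]] $MsiProperties       # e.g. 'CREDENTIAL_MODE=100'
    )

    if (-not (Test-Path -LiteralPath $MsiPath -PathType Leaf)) {
        throw "MSI not found: $MsiPath"
    }

    # Refuse unsigned, modified or untrusted packages (assumes the MSI is Authenticode-signed).
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${MsiPath}: $($sig.Status)"
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject.IndexOf($ExpectedPublisher, [StringComparison]::OrdinalIgnoreCase) -lt 0) {
        throw "Unexpected signer: $subject"
    }

    # -Wait blocks until msiexec exits, so ExitCode is the real install result.
    $msiArgs = @('/i', "`"$MsiPath`"") + $MsiProperties + @('/qn', '/norestart')
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # 0 = success, 3010 = success with a reboot required.
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec failed with exit code $($proc.ExitCode)"
    }
    [pscustomobject]@{ Signer = $subject; ExitCode = $proc.ExitCode }
}

# Usage with this page's placeholder values:
$props = @(
    'CREDENTIAL_MODE=100',
    'ENVIRONMENTURL="https://yourENVname.evosecurity.com"',
    'DOMAIN="EvoDirectoryName"',
    'ACCESSTOKEN="yourAccessTokenID"',
    'APIKEY="yourSecretKey"',
    'SOLEPROVIDER="0"'
)
Install-VerifiedMsi -MsiPath 'C:\Windows\Temp\EvoCredentialProviderSetup.msi' `
    -ExpectedPublisher '<expected publisher name>' -MsiProperties $props
```

A substring match on the signer subject is a coarse check; pinning the certificate thumbprint you have verified is stricter but must be updated when the vendor renews its certificate.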
Download,Install EvoCredPro-LOGO
Will download/install the latest Evo CredPro with your desired logo image:
- For this ps1, you will need to have a URL for the Logo.
- The image must be a BMP, PNG, JPEG, TIFF, or GIF. Microsoft recommends a 192x192 pixel image.
- For more info, see: How to Change Logo and Re-Name Credential Provider at Login Screen
# Download and Install_EvoCredPro_LOGO.ps1
# Instructions for running the script:
# - Modify the variables with your information
# - Properties explained in our KB here:
# https://support.evosecurity.com/hc/en-us/articles/5516145306267-Deploy-Update-Uninstall-Evo-Credential-Provider-via-PowerShell
# - For "Fail-Safe" user remove # from variable and add "FAILSAFEUSER=$failsafe" to end LINE 40
# Variables (*keep quotation marks)
$url = "https://CNAMEHERE.evosecurity.com"
$domain = "DirectoryNameHere"
$token = "AccessTokenHere"
$secret = "SecretKeyHere"
$soleprovider = "0"
$credmode = "100"
# $failsafe = "LocalAdminUserNameHere"
$logourl = "https://logoURL.com"
$logoname = "EvoLogo.png"
$logintext = "Your Company Secure Login"
##########
# Download EvoCredPro.zip
Write-Host "Downloading & Installing Evo Credential Provider"
Invoke-WebRequest -Uri "https://download.evosecurity.com/release/credpro/credential-provider-latest.zip" -OutFile "C:\windows\temp\EvoCredPro.zip"
Start-Sleep -Seconds 2
# Extract EvoCredPro.zip
Expand-Archive -Path "C:\windows\temp\EvoCredPro.zip" -DestinationPath "C:\windows\temp\" -Force
Start-Sleep -Seconds 2
# Remove EvoCredPro.zip
Remove-Item "C:\windows\temp\EvoCredPro.zip"
Start-Sleep -Seconds 2
# Install new Evo Secure Login
Start-Process -FilePath "msiexec.exe" -ArgumentList "/i", "C:\Windows\temp\EvoCredentialProviderSetup.msi", "CREDENTIAL_MODE=$credmode", "ENVIRONMENTURL=$url", "DOMAIN=$domain", "ACCESSTOKEN=$token", "APIKEY=$secret", "SOLEPROVIDER=$soleprovider", "/qn", "/norestart" -Wait
Write-Host "Evo Secure Login Successfully Installed"
# Remove EvoCredentialProviderSetup.msi
Remove-Item "C:\windows\temp\EvoCredentialProviderSetup.msi"
# Download and place the logo
Invoke-WebRequest -Uri $logourl -OutFile "C:\Program Files\EvoSecurity\EvoSecureLogin\$logoname"
# Set registry properties (ensure you are running as an administrator)
try {
    # -ErrorAction Stop turns registry errors into terminating errors so the catch block actually runs
    Set-ItemProperty -Path "HKLM:\SOFTWARE\EvoSecurity\EvoLogin-CP" -Name "login_text" -Value $logintext -ErrorAction Stop
    Set-ItemProperty -Path "HKLM:\SOFTWARE\EvoSecurity\EvoLogin-CP" -Name "v1_bitmap_path" -Value "C:\Program Files\EvoSecurity\EvoSecureLogin\$logoname" -ErrorAction Stop
} catch {
    Write-Host "Failed to set registry properties. Error: $_"
}
Change/Modify Evo CredPro Settings
Will update an existing Evo CredPro installation by modifying its registry settings:
#This script is used to change Evo Agent Settings
#Please delete the "#" sign in front of each command (2nd line of each set) and change the value to take effect.
$EvoSecureLogin = Get-WmiObject -Class Win32_Product | Where-Object{$_.Name -eq "Evo Secure Login"}
If (($EvoSecureLogin).Name -contains "Evo Secure Login") {
    ###Change Credential Mode, 10 for Elevated Only, 90 for End User Only, 100 for both (default)
    #Set-ItemProperty hklm:\Software\EvoSecurity\EvoLogin-CP credential_mode 100
    ###Set Evo Agent as Sole Credential Provider (1 is ON, 0 is OFF (default))
    #Set-ItemProperty hklm:\Software\EvoSecurity\EvoLogin-CP evo_login_only 1
    ###Set fail safe username, this is a local admin account used for emergency purposes
    #Set-ItemProperty hklm:\Software\EvoSecurity\EvoLogin-CP failsafe_user "Enter_fail_safe_username"
    ###Turn on End User Elevation feature, 1 is ON, 0 is OFF (default)
    #Set-ItemProperty hklm:\Software\EvoSecurity\EvoLogin-CP end_user_elevation 1
    ###Set MFA timeout intervals (minutes) between MFA requirement when a user logs in to a machine.
    #Set-ItemProperty hklm:\Software\EvoSecurity\EvoLogin-CP MFATimeOut 0
    ###Turn OFF Evo Agent auto update feature (not recommended), change to 1 to disable auto update.
    #Set-ItemProperty hklm:\Software\EvoSecurity\EvoLogin-CP disable_update 1
    ###Turn ON Windows Remote Desktop Elevated Access feature, change to 0 to turn ON this feature. It's disabled by default (1).
    #Set-ItemProperty hklm:\Software\EvoSecurity\EvoLogin-CP NoElevRDP 1
    Restart-Service -Name "EvoSecureLoginAgent"
    Write-Host "The setting(s) has changed." -ForegroundColor Green
}
Else {
    Write-Host "The Evo Agent has not installed. Please install Evo Agent before running this script." -ForegroundColor Red
}
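Because these registry values control whether MFA is enforced and which account can bypass it, it is worth checking them against a known-good baseline after deployment and on a schedule. The following added example (not Evo's code) reports any value under the key used above that differs from the baseline; the function name `Compare-EvoAgentSettings` and the baseline values are constructed for illustration.

```powershell
# Added example, not part of the vendor scripts.
function Compare-EvoAgentSettings {
    param(
        [Parameter(Mandatory)] [hashtable] $Expected,
        [string] $RegistryPath = 'HKLM:\SOFTWARE\EvoSecurity\EvoLogin-CP'
    )

    if (-not (Test-Path $RegistryPath)) {
        throw "Registry key $RegistryPath does not exist; is the agent installed?"
    }
    $actual = Get-ItemProperty -Path $RegistryPath

    foreach ($name in $Expected.Keys) {
        $prop  = $actual.PSObject.Properties[$name]
        # Compare as strings so the check works whether the value is stored as text or a number.
        $value = if ($prop) { [string]$prop.Value } else { $null }
        if ($value -ne [string]$Expected[$name]) {
            [pscustomobject]@{
                Setting  = $name
                Expected = $Expected[$name]
                Actual   = if ($prop) { $value } else { '<not set>' }
            }
        }
    }
}

# Constructed baseline: list only the values your deployment sets explicitly.
$baseline = @{
    credential_mode = '100'
    evo_login_only  = '1'
    failsafe_user   = 'WORKGROUP\LocalAdminAccount'
}

$drift = @(Compare-EvoAgentSettings -Expected $baseline)
if ($drift.Count -gt 0) {
    $drift | Format-Table -AutoSize
    exit 1   # non-zero exit lets an RMM tool flag the machine
}
Write-Host "Evo agent settings match the baseline."
```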
Uninstall EvoCredPro
Will look for and uninstall CredPro:
# Evo Agent Uninstall
# Check if Evo Secure Login is installed
$EvoSecureLogin = Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -eq "Evo Secure Login"}
if ($EvoSecureLogin) {
    # Uninstall Evo Secure Login
    $uninstallResult = $EvoSecureLogin.Uninstall()
    if ($uninstallResult.ReturnValue -eq 0) {
        Write-Host "Evo Secure Login uninstalled successfully."
    } else {
        Write-Host "Failed to uninstall Evo Secure Login with error code $($uninstallResult.ReturnValue)."
    }
} else {
    Write-Host "Evo Secure Login is not installed."
}
# Wait for uninstallation to finish
Start-Sleep -Seconds 2
# Remove the folder and all its contents
$folderPath = "C:\Program Files\EvoSecurity\EvoSecureLogin"
if (Test-Path $folderPath) {
    Remove-Item $folderPath -Recurse -Force
    Write-Host "$folderPath and its contents have been removed."
} else {
    Write-Host "$folderPath does not exist."
}
# Remove the registry key
$registryPath = "HKLM:\Software\EvoSecurity\EvoLogin-CP"
if (Test-Path $registryPath) {
    Remove-Item -Path $registryPath -Recurse -Force
    Write-Host "Registry key $registryPath has been removed."
}
else {
    Write-Host "Registry key $registryPath does not exist."
}
PS1 Zipped Files