Automating Wazuh Windows agent deployment with certificate-based identity verification


Amaury Thomas

Mar 30, 2026, 7:17:58 AM (8 days ago) Mar 30
to Wazuh | Mailing List

Hello everyone,

I am currently working on a mass deployment of Wazuh agents on Windows endpoints.

I have already reviewed the GPO-based deployment method described here:
https://wazuh.com/blog/deploying-wazuh-agent-using-windows-gpo/

However, this approach mainly relies on password-based enrollment and does not cover the use of certificates for agent authentication.

According to the official documentation on agent identity verification:
https://documentation.wazuh.com/current/user-manual/agent/agent-enrollment/security-options/agent-identity-verification.html#windows
it is required to deploy certificate files (sslagent.cert and sslagent.key) on each endpoint and configure the ossec.conf file accordingly (in the <client><enrollment> section).

My question is the following:

👉 Has anyone successfully implemented a mass deployment of Wazuh Windows agents WITH certificate-based authentication?
👉 If so, what method did you use to:

  • distribute the certificates (GPO, scripts, or other solutions?)

  • automate the agent configuration (editing ossec.conf, custom MSI packaging, etc.)

It seems that the certificate part makes automation significantly more complex, especially when using unique certificates per host.

Any feedback, experience, or guidance would be greatly appreciated.

Thanks in advance 🙂

Othniel Ebolum

Mar 30, 2026, 9:33:13 AM (7 days ago) Mar 30
to Wazuh | Mailing List
Hello Amaury,

From my own research and experience, I haven't seen one, but you can also post this on our Slack or Discord community to get the opinions of all active users. The password-based enrollment is more commonly used for ease of mass deployment.

If you were to approach this, I would recommend using shared certificates (no per-host validation) for ease of mass deployment.

I would also recommend following the method as described in the blog post https://wazuh.com/blog/deploying-wazuh-agent-using-windows-gpo/, which you reviewed.

The certificates created will be hosted in a shared folder that workstations in the OU can access and download to the specified folder noted in your ossec.conf for sslagent.cert + sslagent.key.

If following the GPO guide, as in the blog:
  • In Orca, add the four properties above (instead of or in addition to the password one).
  • Ensure the file-copy GPO (certs) applies before the software-install GPO (or link them to the same OU and test ordering).
  • Link the GPO to the target OU → force GPUpdate.

Post-install script alternative

  Add a GPO startup script that:
  • Copies certs if missing.
  • Edits C:\Program Files (x86)\ossec-agent\ossec.conf to add:

    <client>
      <server>
        <address>your.manager.fqdn</address>
      </server>
      <enrollment>
        <agent_certificate_path>C:\ProgramData\WazuhCerts\sslagent.cert</agent_certificate_path>
        <agent_key_path>C:\ProgramData\WazuhCerts\sslagent.key</agent_key_path>
      </enrollment>
    </client>

C:\ProgramData\WazuhCerts\ is just an example of where they could be.

In summary though, this method could encounter a lot of issues, like:

Timing: Cert files must exist at the exact path when msiexec runs. Test with a small OU first.

Client key mismatch (This is a major one, even faced on single deployments with additional security for Wazuh agent identity enrollment)

Permissions: Cert files should be readable by the Wazuh service account. You can explore other mass deployment options using certificates with SCCM/Intune/PDQ or fall back to password-based enrollment.


In any case, kindly let us know your results for further assistance or share with the community on Slack or Discord.
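The "post-install script alternative" described in the reply above, written out as an added example (this is not code from the thread or from the Wazuh project). It assumes a read-only share \\fileserver\WazuhCerts holding sslagent.cert and sslagent.key, that the agent service is named WazuhSvc and runs as LocalSystem, and that ossec.conf has a single <ossec_config> root with a <client> section; the cert directory and manager FQDN are the placeholder values used in the reply. The script copies the certs only when missing, locks down their ACL, edits the XML rather than doing text replacement so it is safe to run on every boot, and skips the config step when the agent is not installed yet (the ordering concern raised above).

```powershell
# Added example: GPO computer startup script staging Wazuh agent certs and
# pointing ossec.conf at them. Share, service name and paths are assumptions.
$ErrorActionPreference = 'Stop'

$Share       = '\\fileserver\WazuhCerts'                      # assumed read-only share
$CertDir     = 'C:\ProgramData\WazuhCerts'                    # example path from the thread
$OssecConf   = 'C:\Program Files (x86)\ossec-agent\ossec.conf'
$ManagerFqdn = 'your.manager.fqdn'                            # placeholder from the thread
$ServiceName = 'WazuhSvc'                                     # assumed Wazuh agent service name
$CertFiles   = @('sslagent.cert', 'sslagent.key')

function Write-Log {
    param([string]$Message)
    Add-Content -Path (Join-Path $CertDir 'deploy.log') -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

# True when the file exists, is non-empty and starts with a PEM header.
# Catches a truncated or error-page copy before the agent tries to enroll with it.
function Test-PemFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    if ((Get-Item -LiteralPath $Path).Length -eq 0) { return $false }
    $first = Get-Content -LiteralPath $Path -TotalCount 1
    return ($first -like '-----BEGIN *')
}

# Step 1 from the reply: copy certs only if missing (idempotent across reboots).
function Copy-CertsIfMissing {
    $copied = $false
    foreach ($name in $CertFiles) {
        $dest = Join-Path $CertDir $name
        if (Test-PemFile $dest) { continue }
        Copy-Item -LiteralPath (Join-Path $Share $name) -Destination $dest -Force
        if (-not (Test-PemFile $dest)) { throw "Copied $name is not a valid PEM file" }
        $copied = $true
    }
    return $copied
}

# "Permissions" point from the reply: drop inherited ACEs so only SYSTEM
# (the assumed service account) and local Administrators can read the key.
function Set-CertAcl {
    foreach ($name in $CertFiles) {
        $path = Join-Path $CertDir $name
        & icacls.exe $path /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(F)' | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed on $path" }
    }
}

# Step 2 from the reply: set <server><address> and the <enrollment> cert/key
# paths under <client>. Returns $true only when ossec.conf actually changed.
function Update-OssecConf {
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($OssecConf)
    $client = $xml.SelectSingleNode('/ossec_config/client')
    if ($null -eq $client) { throw "No <client> section in $OssecConf" }

    $changed = $false
    $addr = $client.SelectSingleNode('server/address')
    if ($null -ne $addr -and $addr.InnerText -ne $ManagerFqdn) { $addr.InnerText = $ManagerFqdn; $changed = $true }

    $enroll = $client.SelectSingleNode('enrollment')
    if ($null -eq $enroll) { $enroll = $client.AppendChild($xml.CreateElement('enrollment')); $changed = $true }

    $wanted = @{
        agent_certificate_path = Join-Path $CertDir 'sslagent.cert'
        agent_key_path         = Join-Path $CertDir 'sslagent.key'
    }
    foreach ($entry in $wanted.GetEnumerator()) {
        $node = $enroll.SelectSingleNode($entry.Key)
        if ($null -eq $node) { $node = $enroll.AppendChild($xml.CreateElement($entry.Key)) }
        if ($node.InnerText -ne $entry.Value) { $node.InnerText = $entry.Value; $changed = $true }
    }
    if ($changed) {
        Copy-Item -LiteralPath $OssecConf -Destination "$OssecConf.bak" -Force   # rollback copy
        $xml.Save($OssecConf)
    }
    return $changed
}

try {
    if (-not (Test-Path -LiteralPath $CertDir)) { New-Item -ItemType Directory -Path $CertDir | Out-Null }
    $certsCopied = Copy-CertsIfMissing
    Set-CertAcl
    if (-not (Test-Path -LiteralPath $OssecConf)) {
        Write-Log 'Agent not installed yet; certs staged only (install GPO runs later)'
        exit 0
    }
    $confChanged = Update-OssecConf
    Write-Log "certs copied=$certsCopied conf changed=$confChanged"
    # Restart only when something changed, so the agent re-reads its enrollment settings.
    if (($certsCopied -or $confChanged) -and (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
        Restart-Service -Name $ServiceName
    }
} catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

Link it under Computer Configuration > Windows Settings > Scripts > Startup on the same OU as the install GPO; because every step is idempotent it can stay linked permanently. XmlDocument.Save rewrites the file, so the .bak copy is worth keeping for the first test on a small OU, as the reply recommends.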

