Docs / Enrollment / Desktop / Enrol Windows

How to Enrol a Windows Endpoint

This guide walks you through enrolling a Windows 10/11 endpoint into ZEM Cloud.

Prerequisites

Before enrolling, ensure you have:

  • Supported OS: Windows 10 (1903+) or Windows 11
  • Administrator Access: Local admin or domain admin privileges
  • Network Access: Connectivity to your ZEM Cloud server (HTTPS port 443)
  • PowerShell: Version 5.1 or later (pre-installed on Windows 10/11)
  • Execution Policy: Must allow running remote scripts

Enrolment Steps

Step 1: Open the Enrol Endpoint Wizard

  1. Log in to your ZEM Cloud dashboard
  2. Click the Enrol Endpoint button (green + icon) in the sidebar
  3. Select Desktop as the device type
  4. Select Windows from the platform options

Step 2: Configure Enrolment Options

Configure the following settings:

  • Auto Reboot - Automatically schedules a reboot when an update requires it
  • Reboot Time - Time of day for scheduled reboots (24-hour format)

Toggle the Auto Reboot switch and set your preferred reboot time if needed.

Step 3: Copy the One-Liner Command

A customised PowerShell installation command will be displayed. It looks like this:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12; iex ((New-Object System.Net.WebClient).DownloadString('https://your-zem-server.com/install-windows.ps1?token=YOUR_API_KEY&auto_reboot=true&reboot_time=03:00'))

Click the Copy button to copy the command to your clipboard.

Step 4: Run the Command on the Target Machine

  1. Open PowerShell as Administrator: Press Win + X and select "Windows PowerShell (Admin)" or "Terminal (Admin)", or search for "PowerShell", right-click, and select "Run as administrator"
  2. Paste and execute the copied command
  3. Wait for the installation to complete

Step 5: Wait for Installation

The script will automatically:

  1. Download NSSM (Non-Sucking Service Manager) for Windows service management
  2. Download the Windows-specific ZEM Cloud agent scripts
  3. Create the configuration directory and files
  4. Register NSSM Windows services
  5. Start the agent services

Installation typically takes 1-2 minutes.

What Gets Installed

Agent Scripts

Script | Location
zen-update-agent-windows.ps1 | C:\Program Files\ZenUpdate\
zen-update-report-windows.ps1 | C:\Program Files\ZenUpdate\

Configuration

File | Location
Agent Config | C:\ProgramData\ZenUpdate\agent.conf
Machine ID | C:\ProgramData\ZenUpdate\.machine_id
Enrolment Marker | C:\ProgramData\ZenUpdate\.enrolled
Logs | C:\ProgramData\ZenUpdate\logs\

Windows Services (NSSM)

Service | Restart Delay | Purpose
ZenUpdateAgent | 60 seconds | Main agent for updates and actions
ZenUpdateReport | 60 seconds | Status reporting
ZenUpdateTelemetry | 5 seconds | Real-time resource monitoring
ZenUpdateHwinfo | 30 minutes | Hardware information collection

NSSM (Service Manager)

NSSM is installed at C:\Program Files\ZenUpdate\nssm.exe. It wraps PowerShell scripts as proper Windows services with:

  • Automatic restart on failure
  • Logging to file
  • Service dependency management

Windows-Specific Features

Update Management

The Windows agent uses the Windows Update COM API:

  • Update Detection - Uses Microsoft.Update.Session to search for updates
  • Update Download - Downloads updates in the background
  • Update Installation - Installs updates automatically when Auto Reboot is enabled
  • EULA Acceptance - Automatically accepts update license agreements

User Management

Windows user management uses PowerShell cmdlets:

  • Add User - New-LocalUser + Add-LocalGroupMember
  • Remove User - Remove-LocalUser + profile cleanup
  • Lock User - Disable-LocalUser
  • Unlock User - Enable-LocalUser
  • Logout User - query user + logoff

Protected Accounts

The following built-in accounts cannot be removed:

  • Administrator
  • Guest
  • DefaultAccount
  • WDAGUtilityAccount

Timezone Handling

The agent automatically converts IANA timezone IDs (e.g., "America/New_York") to Windows timezone IDs (e.g., "Eastern Standard Time").

Verifying Enrolment

Check Agent Status

Check if the agent service is running:

Get-Service ZenUpdateAgent

Check all ZEM Cloud services:

Get-Service ZenUpdate*

View service status via NSSM:

& "C:\Program Files\ZenUpdate\nssm.exe" status ZenUpdateAgent

View in Dashboard

  1. Navigate to Endpoint Overview in ZEM Cloud
  2. The new endpoint should appear within 60 seconds
  3. Click on the endpoint to view details

Expected Output

When the agent runs successfully, you'll see:

  • Hostname and IP address in the dashboard
  • Windows version and build information
  • Windows Update count
  • Real-time telemetry data
  • Hardware information

Configuration Options

The agent configuration is stored in C:\ProgramData\ZenUpdate\agent.conf:

MASTER_URL=https://your-zem-server.com
TOKEN=your-api-key
AUTO_REBOOT=true
REBOOT_TIME=03:00

Troubleshooting

Agent Not Running

Restart the agent service:

Restart-Service ZenUpdateAgent

Or via NSSM:

& "C:\Program Files\ZenUpdate\nssm.exe" restart ZenUpdateAgent

Start if stopped:

Start-Service ZenUpdateAgent

View Agent Logs

View recent log entries:

Get-Content "C:\ProgramData\ZenUpdate\logs\agent.log" -Tail 50

Follow logs in real-time:

Get-Content "C:\ProgramData\ZenUpdate\logs\agent.log" -Wait

PowerShell Execution Policy

If the script won't run due to execution policy:

Check current policy:

Get-ExecutionPolicy

Allow scripts for current session only:

Set-ExecutionPolicy Bypass -Scope Process -Force

Or permanently for the machine (requires admin):

Set-ExecutionPolicy RemoteSigned -Force

Network Issues

Test connectivity to ZEM Cloud:

Invoke-WebRequest -Uri "https://your-zem-server.com/api/agent_version" -UseBasicParsing

Check DNS resolution:

Resolve-DnsName your-zem-server.com

Check Windows Firewall:

Get-NetFirewallRule | Where-Object { $_.DisplayName -like "*ZenUpdate*" }

Windows Update Service Issues

Check Windows Update service status:

Get-Service wuauserv

Restart Windows Update service if needed:

Restart-Service wuauserv

Check for Windows Update errors in Event Viewer:

Get-WinEvent -LogName "Microsoft-Windows-WindowsUpdateClient/Operational" -MaxEvents 20

Common Errors

Error | Cause | Solution
Access Denied | Not running as Administrator | Run PowerShell as Admin
Execution Policy | Scripts blocked | Set execution policy to Bypass
TLS Error | Old TLS version | Ensure TLS 1.2 is enabled
Service won't start | NSSM issue | Check NSSM logs in Event Viewer

NSSM Service Issues

Check NSSM service configuration:

& "C:\Program Files\ZenUpdate\nssm.exe" dump ZenUpdateAgent

View NSSM service stderr output:

& "C:\Program Files\ZenUpdate\nssm.exe" get ZenUpdateAgent AppStderr

Reinstall service if corrupted:

& "C:\Program Files\ZenUpdate\nssm.exe" remove ZenUpdateAgent confirm
& "C:\Program Files\ZenUpdate\nssm.exe" install ZenUpdateAgent powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\ZenUpdate\zen-update-agent-windows.ps1"

Uninstalling the Agent

To remove the ZEM Cloud agent from Windows (run as Administrator):

Stop all services:

Stop-Service ZenUpdateAgent, ZenUpdateReport, ZenUpdateTelemetry, ZenUpdateHwinfo -ErrorAction SilentlyContinue

Remove NSSM services:

$nssm = "C:\Program Files\ZenUpdate\nssm.exe"
& $nssm remove ZenUpdateAgent confirm
& $nssm remove ZenUpdateReport confirm
& $nssm remove ZenUpdateTelemetry confirm
& $nssm remove ZenUpdateHwinfo confirm

Remove scheduled tasks (if any):

Unregister-ScheduledTask -TaskName "ZenUpdateAutoReboot" -Confirm:$false -ErrorAction SilentlyContinue

Remove installation directory:

Remove-Item -Path "C:\Program Files\ZenUpdate" -Recurse -Force

Remove configuration and logs:

Remove-Item -Path "C:\ProgramData\ZenUpdate" -Recurse -Force