
TacticalRMM Deployment Script

The following PowerShell script deploys NetBird silently via TacticalRMM as an always-on background service with zero user interaction.

  1. Create a Script in TRMM (PowerShell, Run as System)
  2. Paste this script
  3. Set script arguments or edit the variables below
  4. Deploy to agents via TRMM policy or manual run

IMPORTANT: During GlobalProtect coexistence, --network-monitor=false is required to prevent GP from triggering WireGuard interface restarts (GitHub #5077). Remove the flag AFTER GlobalProtect is fully uninstalled from all endpoints.

# NetBird Silent Deployment Script for TacticalRMM
# Deploys NetBird as an always-on background service with zero user interaction
#
# Usage in TRMM:
# 1. Create a Script in TRMM (PowerShell, Run as System)
# 2. Paste this script
# 3. Set script arguments or edit the variables below
# 4. Deploy to agents via TRMM policy or manual run
#
# IMPORTANT: During GlobalProtect coexistence, --network-monitor=false is required
# to prevent GP from triggering WireGuard interface restarts (GitHub #5077).
# Remove the flag AFTER GlobalProtect is fully uninstalled from all endpoints.
param(
    # NetBird setup key used to enroll this machine. The script forwards it to
    # msiexec as the SETUP_KEY property and to "netbird.exe up --setup-key".
    # Treat the value as a secret: it is stored wherever this script or its
    # arguments are stored.
    [Parameter(Mandatory = $false)]
    [string]$SetupKey = "REPLACE_WITH_YOUR_SETUP_KEY",

    # Management server URL handed to the installer and to "netbird.exe up".
    [Parameter(Mandatory = $false)]
    [string]$ManagementUrl = "https://netbird.gsisg.com",

    # Set to $true during GP coexistence period. Set to $false after GP is removed.
    [Parameter(Mandatory = $false)]
    [bool]$DisableNetworkMonitor = $true
)
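# --- Configuration ---
# NOTE(review): "releases/latest" is unpinned, so each run installs whatever
# release is newest at that moment. Pin the URL to a release you have reviewed
# if deployments need to be repeatable and auditable.
$NetBirdMsiUrl = "https://github.com/netbirdio/netbird/releases/latest/download/netbird_installer_windows_amd64.msi"
$NetBirdExePath = "C:\Program Files\NetBird\netbird.exe"
# Per-run working directory. The random suffix avoids reusing a fixed, guessable
# path under the temp directory: a fixed name can already exist (left by a
# failed run, or created by another local account) before this script writes
# the MSI that msiexec later installs with elevated rights.
$TempDir = "$env:TEMP\netbird-install-$([guid]::NewGuid().ToString('N'))"
$MsiPath = "$TempDir\netbird.msi"
# Verbose msiexec log; it lives in the same per-run directory as the MSI.
$LogPath = "$TempDir\netbird-install.log"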
# --- Pre-flight checks ---
# Abort unless the identity running the script is in the built-in
# Administrators role.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal($currentIdentity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $currentPrincipal.IsInRole($adminRole)) {
    Write-Error "This script requires Administrator privileges."
    exit 1
}
# Check if NetBird is already installed
# When a "NetBird" service is present the script starts it if needed and exits
# successfully; nothing below this point (exclusion, download, install,
# network-monitor flag) runs for that machine.
$installedService = Get-Service -Name "NetBird" -ErrorAction SilentlyContinue
if ($installedService) {
    Write-Host "NetBird service already exists (Status: $($installedService.Status)). Skipping install."
    $isStopped = $installedService.Status -ne "Running"
    if ($isStopped) {
        Start-Service -Name "NetBird"
        Write-Host "NetBird service started."
    }
    exit 0
}
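# --- Add AV/EDR exclusion (do this BEFORE install) ---
# NOTE(review): this exclusion stops Microsoft Defender from scanning anything
# under the NetBird install directory. Keep it limited to this one path, record
# it in your exclusion inventory, and remove it if NetBird runs cleanly
# without it.
Write-Host "Adding AV exclusion for NetBird directory..."
try {
    # -ErrorAction Stop turns a failed Add-MpPreference into a terminating
    # error. With SilentlyContinue the catch block could never run and the
    # success message was printed even when no exclusion was added.
    Add-MpPreference -ExclusionPath "C:\Program Files\NetBird\" -ErrorAction Stop
    Write-Host "Windows Defender exclusion added."
} catch {
    Write-Host "Could not add Defender exclusion (may not be primary AV). Continuing..."
}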
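# --- Download ---
New-Item -ItemType Directory -Force -Path $TempDir | Out-Null
# Remove any MSI already sitting at $MsiPath so that a failed download cannot
# fall through to installing a file this run did not fetch.
Remove-Item -Path $MsiPath -Force -ErrorAction SilentlyContinue
Write-Host "Downloading NetBird MSI..."
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
try {
    # -ErrorAction Stop makes a transport or HTTP failure end the script here
    # instead of continuing to the existence check below.
    Invoke-WebRequest -Uri $NetBirdMsiUrl -OutFile $MsiPath -UseBasicParsing -ErrorAction Stop
} catch {
    Write-Error "Failed to download NetBird MSI. $($_.Exception.Message)"
    exit 1
}
if (-not (Test-Path $MsiPath)) {
    Write-Error "Failed to download NetBird MSI."
    exit 1
}
# The MSI is installed with elevated rights, so check its Authenticode
# signature before handing it to msiexec.
# NOTE(review): "Valid" only proves the file carries a trusted, intact
# signature. Also compare $signature.SignerCertificate.Subject with the
# publisher you expect, or compare the file hash with one recorded from a
# release you reviewed.
$signature = Get-AuthenticodeSignature -FilePath $MsiPath
if ($signature.Status -ne "Valid") {
    Remove-Item -Path $MsiPath -Force -ErrorAction SilentlyContinue
    Write-Error "NetBird MSI signature check failed (Status: $($signature.Status)). Aborting install."
    exit 1
}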
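# --- Install ---
# Refuse to install with an empty key or the untouched template value; the
# install would otherwise run silently with a key that cannot enroll anything.
if ([string]::IsNullOrWhiteSpace($SetupKey) -or $SetupKey -eq "REPLACE_WITH_YOUR_SETUP_KEY") {
    Write-Error "SetupKey is not set. Provide a real NetBird setup key before deploying."
    exit 1
}
Write-Host "Installing NetBird silently..."
# NOTE(review): SETUP_KEY is passed on the msiexec command line, so it is
# visible to process-creation logging and may be recorded in the verbose log
# at $LogPath. That log is only deleted by the cleanup step on success; on the
# failure path below it stays on disk. Prefer a short-lived or limited-use
# setup key and treat the log as sensitive.
$MsiArgs = @(
    "/i", "`"$MsiPath`"",
    "/qn",
    "/norestart",
    "/Lv", "`"$LogPath`"",
    "SETUP_KEY=$SetupKey",
    "MANAGEMENT_URL=$ManagementUrl"
)
# -Wait blocks until msiexec finishes; -PassThru returns the process object so
# its exit code can be checked.
$process = Start-Process -FilePath "msiexec.exe" -ArgumentList $MsiArgs -Wait -PassThru
if ($process.ExitCode -ne 0) {
    Write-Error "MSI installation failed with exit code $($process.ExitCode). Check log: $LogPath"
    exit 1
}
Write-Host "NetBird installed successfully."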
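# --- Apply network-monitor flag if needed (GP coexistence) ---
if ($DisableNetworkMonitor -and (Test-Path $NetBirdExePath)) {
    Write-Host "Applying --network-monitor=false for GlobalProtect coexistence..."
    # Stop the service, reconfigure, restart
    # NOTE(review): the service is stopped here and is only started again by
    # the verification step later in the script; confirm "netbird up" behaves
    # as intended while the service is stopped.
    Stop-Service "NetBird" -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 3
    # Hand the setup key to the CLI through NB_SETUP_KEY rather than
    # --setup-key, so the secret is not part of the process command line that
    # process-creation auditing and EDR telemetry record.
    $env:NB_SETUP_KEY = $SetupKey
    try {
        & $NetBirdExePath up --management-url $ManagementUrl --network-monitor=false 2>&1
    } finally {
        # Do not leave the key in this session's environment.
        Remove-Item Env:\NB_SETUP_KEY -ErrorAction SilentlyContinue
    }
    Start-Sleep -Seconds 5
}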
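# --- Verify service ---
Start-Sleep -Seconds 5
$svc = Get-Service -Name "NetBird" -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne "Running") {
        Start-Service "NetBird"
        # Re-read the service state; the object returned by Get-Service is a
        # snapshot taken before the start attempt.
        $svc.Refresh()
    }
    # Report success only when the service is actually running. Previously the
    # message was printed even if Start-Service had failed.
    if ($svc.Status -ne "Running") {
        Write-Error "NetBird service is installed but not running (Status: $($svc.Status))."
        exit 1
    }
    Write-Host "NetBird service is running."
} else {
    Write-Error "NetBird service not found after installation."
    exit 1
}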
# --- Verify connectivity ---
# Give the client time to connect, then print whatever "netbird status"
# reports. The output is only logged; it is not evaluated.
Start-Sleep -Seconds 10
if (-not (Test-Path $NetBirdExePath)) {
    Write-Host "NetBird CLI not found at expected path. Service may still be connecting."
} else {
    $cliOutput = & $NetBirdExePath status 2>&1
    Write-Host "NetBird status: $cliOutput"
}
# --- Cleanup ---
# Delete the working directory, which holds the downloaded MSI and the verbose
# msiexec log (the installer was given SETUP_KEY on its command line, so the
# log may contain it).
$cleanupArgs = @{
    Path        = $TempDir
    Recurse     = $true
    Force       = $true
    ErrorAction = "SilentlyContinue"
}
Remove-Item @cleanupArgs
# This message is printed unconditionally; the status output above is not
# checked before claiming the machine is connected.
Write-Host "NetBird deployment complete. Machine is connected to the corporate network."
exit 0