
Step 5: Client Deployment

This step creates the setup key for endpoint enrollment and deploys the NetBird Windows client to approximately 200 machines using TacticalRMM.

  1. Sign in to https://netbird.gsisg.com
  2. Go to Setup Keys > Create Setup Key
[Screenshot: Setup Keys page]

Field                   Value
Name                    Company Laptops - TRMM Deploy
Type                    Reusable
Usage Limit             250 (buffer above 200 machines)
Expires                 90 days (extend as needed during rollout)
Auto-assigned groups    Company-Laptops

[Screenshot: Create setup key for company laptops]

Click Create Setup Key and copy the key.

[Screenshot: Setup key created; copy the key immediately]

The TRMM script performs a silent MSI install, applies the setup key, configures GlobalProtect coexistence flags, and verifies connectivity. The production script is maintained at:

/home/adminuser/projects/work-vpn/trmm-deploy-netbird.ps1

The script:

  1. Checks if NetBird is already installed (skips if yes)
  2. Adds a Windows Defender exclusion for C:\Program Files\NetBird\
  3. Downloads the latest MSI from GitHub
  4. Runs a silent install with SETUP_KEY and MANAGEMENT_URL properties
  5. Applies --network-monitor=false for GlobalProtect coexistence
  6. Verifies the NetBird service is running
  7. Reports connection status
Terminal window
param(
    # Reusable key from Setup Keys > Create Setup Key; overridden via the TRMM script arguments
    [string]$SetupKey = "REPLACE_WITH_YOUR_SETUP_KEY",
    [string]$ManagementUrl = "https://netbird.gsisg.com",
    # Required while GlobalProtect is still installed (see the coexistence notes below)
    [bool]$DisableNetworkMonitor = $true
)
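The following is an added, self-contained version of the seven steps above, written for this page rather than copied from the production script at the path given. It assumes the MSI is published as a GitHub release asset whose name matches `*windows_amd64.msi` (check this against the current release page) and that the GitHub releases API is reachable from the endpoint.

```powershell
param(
    [string]$SetupKey = "REPLACE_WITH_YOUR_SETUP_KEY",
    [string]$ManagementUrl = "https://netbird.gsisg.com",
    [bool]$DisableNetworkMonitor = $true,
    # Assumption: release asset naming; verify on https://github.com/netbirdio/netbird/releases
    [string]$AssetPattern = "*windows_amd64.msi"
)
$ErrorActionPreference = "Stop"
$InstallDir     = "C:\Program Files\NetBird\"
$NetBirdExePath = Join-Path $InstallDir "netbird.exe"

# 1. Skip machines that already have the client
if (Test-Path $NetBirdExePath) {
    Write-Output "NetBird already installed at $NetBirdExePath; skipping."
    exit 0
}

# 2. Defender exclusion before the WireGuard driver lands on disk
Add-MpPreference -ExclusionPath $InstallDir

# 3. Resolve and download the latest MSI from the GitHub release metadata
$release = Invoke-RestMethod -Uri "https://api.github.com/repos/netbirdio/netbird/releases/latest" `
    -Headers @{ "User-Agent" = "trmm-netbird-deploy" }
$asset = $release.assets | Where-Object { $_.name -like $AssetPattern } | Select-Object -First 1
if (-not $asset) { throw "No release asset matching $AssetPattern" }
$MsiPath = Join-Path $env:TEMP $asset.name
Invoke-WebRequest -Uri $asset.browser_download_url -OutFile $MsiPath -UseBasicParsing

# 4. Silent install; 3010 means success with a pending reboot
$msiArgs = "/i `"$MsiPath`" /qn /norestart SETUP_KEY=$SetupKey MANAGEMENT_URL=$ManagementUrl"
$proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($proc.ExitCode)" }

# 5. Re-run 'up' with the GlobalProtect coexistence flag
if ($DisableNetworkMonitor) {
    & $NetBirdExePath up --setup-key $SetupKey --management-url $ManagementUrl --network-monitor=false
}

# 6. Verify the Windows service created by the MSI
$svc = Get-Service -Name NetBird -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne "Running") { throw "NetBird service is not running" }

# 7. Report connection status back to TRMM (stdout is captured in the script run history)
& $NetBirdExePath status
Remove-Item $MsiPath -Force -ErrorAction SilentlyContinue
```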
  1. In TacticalRMM, go to Settings > Script Manager > New Script
  2. Set:
    • Name: Deploy NetBird Client
    • Shell: PowerShell
    • Run as: System
  3. Paste the script content
  4. In the script arguments, set:
    -SetupKey "YOUR_ACTUAL_SETUP_KEY" -ManagementUrl "https://netbird.gsisg.com" -DisableNetworkMonitor $true

The MSI supports these properties for silent deployment:

Terminal window
msiexec.exe /i "netbird.msi" /qn /norestart SETUP_KEY=<KEY> MANAGEMENT_URL=https://netbird.gsisg.com

This installs the NetBird agent and UI client to C:\Program Files\NetBird\ and creates a Windows service named NetBird.

During the transition period while GlobalProtect (Palo Alto) is still installed on some machines, the --network-monitor=false flag is required.

Why: NetBird’s network monitor detects interface changes and reconnects. When GlobalProtect brings its tunnel interface up/down, it triggers NetBird to restart, causing unnecessary disruptions. Disabling the network monitor prevents this.

The flag is applied in the TRMM script after installation:

Terminal window
if ($DisableNetworkMonitor) {
    # $NetBirdExePath points at netbird.exe under C:\Program Files\NetBird\ (set earlier in the script)
    & $NetBirdExePath up --setup-key $SetupKey --management-url $ManagementUrl --network-monitor=false
}

For managed deployments, consider these additional flags to prevent users from modifying the NetBird configuration:

Terminal window
netbird up --disable-profiles --disable-update-settings
Flag                        Purpose
--network-monitor=false     Prevent GP-triggered restarts (remove after GP uninstall)
--disable-profiles          Prevent users from switching network profiles
--disable-update-settings   Prevent users from changing management URL or other settings

Push Windows Defender (and any third-party AV) exclusions for the NetBird directory before or during installation. This prevents false-positive detections on the WireGuard driver and tunnel interface.

Via TRMM Script (Included in Deploy Script)

Terminal window
Add-MpPreference -ExclusionPath "C:\Program Files\NetBird\"

Via Group Policy (Recommended for Persistence)

  1. Open Group Policy Management
  2. Edit a GPO linked to your computer OUs
  3. Navigate to: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Exclusions > Path Exclusions
  4. Add: C:\Program Files\NetBird\

NetBird creates a virtual network interface named wt0. Windows Firewall may block traffic on this interface depending on the network profile it is assigned. Create a GPO to ensure traffic flows properly.

  1. Open Group Policy Management
  2. Edit a GPO linked to your computer OUs
  3. Navigate to: Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security
  4. Create an Inbound Rule:
Field       Value
Rule Type   Custom
Program     All programs
Protocol    Any
Scope       Local IP: Any, Remote IP: 100.64.0.0/10 (NetBird CGNAT range)
Action      Allow
Profile     Domain, Private, Public
Name        NetBird - Allow wt0 Inbound

  5. Create a matching Outbound Rule with the same settings
Terminal window
# Allow inbound from NetBird CGNAT range
New-NetFirewallRule -DisplayName "NetBird wt0 Inbound" `
    -Direction Inbound -Action Allow -Protocol Any `
    -RemoteAddress 100.64.0.0/10
# Allow outbound to NetBird CGNAT range
New-NetFirewallRule -DisplayName "NetBird wt0 Outbound" `
    -Direction Outbound -Action Allow -Protocol Any `
    -RemoteAddress 100.64.0.0/10
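A tighter variant of the rules above, added here as an example rather than taken from the project's GPO: 100.64.0.0/10 is also the shared address space ISPs use for carrier-grade NAT, so a rule matched on address alone can admit inbound traffic arriving on a Wi-Fi or hotspot adapter. Binding the rules to the wt0 interface alias closes that gap, and the check at the end confirms the scope landed.

```powershell
# Restrict the allow rules to the NetBird interface, not just the address range
$NetBirdRange = "100.64.0.0/10"
$common = @{
    Protocol       = "Any"
    RemoteAddress  = $NetBirdRange
    InterfaceAlias = "wt0"                     # only match traffic on the NetBird tunnel
    Profile        = "Domain,Private,Public"   # same profiles as the GPO table
    Action         = "Allow"
}
New-NetFirewallRule -DisplayName "NetBird wt0 Inbound"  -Direction Inbound  @common
New-NetFirewallRule -DisplayName "NetBird wt0 Outbound" -Direction Outbound @common

# Verification: both rules present, enabled and scoped to wt0
Get-NetFirewallRule -DisplayName "NetBird wt0 *" | ForEach-Object {
    $iface = ($_ | Get-NetFirewallInterfaceFilter).InterfaceAlias
    $addr  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Direction = $_.Direction
        Interface = $iface
        Remote    = $addr
    }
} | Format-Table -AutoSize
```

On a machine where the client is not yet installed the alias does not exist, so the rule simply matches nothing until wt0 comes up.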

Roll out to a small pilot group first (8-10 users across both offices and remote workers).

  • 2-3 IT staff (immediate troubleshooting capability)
  • 2-3 Honolulu office users
  • 2-3 Boulder office users
  • 1-2 fully remote users
  1. Deploy the NetBird client via TRMM to pilot machines
  2. Verify the system tray icon shows “Connected”
[Screenshot: NetBird system tray showing connected status]
  3. Test from each pilot machine:
    • Ping DCs: ping 10.100.7.10 (Honolulu AD0), ping 10.15.0.10 (Boulder AD1)
    • SMB access: net use \\10.100.7.15\ShareName (FILES server)
    • DNS resolution: nslookup ad0.gsisg.local 10.100.7.10
    • RDP: Connect to a server via RDP through NetBird
    • SAGE access: Verify SAGE application at 10.100.7.40
  4. Run for 5-7 business days before proceeding to full rollout
  5. Collect feedback on performance, disconnects, and usability

Pilot success criteria:

  • All pilot machines show “Connected” in the Dashboard
  • DC authentication works (Group Policy applies, drive mappings work)
  • File shares accessible at both sites
  • No conflicts with existing GlobalProtect (if still installed)
  • No reported performance issues
  • Connection type is P2P (not relayed) for same-site peers — verify with netbird status --detail
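An added script that runs the pilot checks above from one machine and summarises netbird status --detail; it is not part of the original runbook. It assumes netbird.exe sits under the install directory from the deploy script and that each peer entry in the --detail output carries a "Connection type: P2P" or "Connection type: Relayed" line (confirm on one host before relying on the counts). RDP is left to a manual test because the page names no specific RDP target.

```powershell
$NetBirdExe = "C:\Program Files\NetBird\netbird.exe"

# Connectivity checks from the pilot list; each Test scriptblock returns $true/$false
$Checks = @(
    @{ Name = "Ping AD0 (Honolulu)";  Test = { Test-Connection 10.100.7.10 -Count 2 -Quiet } }
    @{ Name = "Ping AD1 (Boulder)";   Test = { Test-Connection 10.15.0.10 -Count 2 -Quiet } }
    @{ Name = "DNS ad0.gsisg.local via AD0"
       Test = { [bool](Resolve-DnsName ad0.gsisg.local -Server 10.100.7.10 -ErrorAction SilentlyContinue) } }
    @{ Name = "SMB (445) on FILES";   Test = { Test-NetConnection 10.100.7.15 -Port 445 -InformationLevel Quiet } }
    @{ Name = "SAGE host reachable";  Test = { Test-Connection 10.100.7.40 -Count 2 -Quiet } }
)

function Invoke-PilotChecks {
    foreach ($c in $Checks) {
        $ok = $false
        try { $ok = [bool](& $c.Test) } catch { $ok = $false }
        [pscustomobject]@{ Check = $c.Name; Pass = $ok }
    }
}

function Get-PeerConnectionSummary {
    # Assumption: per-peer 'Connection type:' lines in 'netbird status --detail'
    $out     = & $NetBirdExe status --detail 2>&1 | Out-String
    $p2p     = [regex]::Matches($out, 'Connection type:\s*P2P').Count
    $relayed = [regex]::Matches($out, 'Connection type:\s*Relayed').Count
    [pscustomobject]@{ P2P = $p2p; Relayed = $relayed; Raw = $out }
}

$results = Invoke-PilotChecks
$peers   = Get-PeerConnectionSummary
$results | Format-Table -AutoSize
"Peers: $($peers.P2P) P2P, $($peers.Relayed) relayed"
# A relayed count above zero is only a failure for same-site peers; inspect $peers.Raw to see which
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```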

After a successful pilot, deploy to all remaining machines:

  1. Create a TRMM policy targeting all Windows agents (or deploy in batches by site)
  2. Use the same script with the same setup key
  3. Monitor the Peers tab in the Dashboard — new machines should appear within minutes
  4. Verify peer count matches expected machine count
Phase     Target                        Machines   Duration
Pilot     IT staff + selected users     8-10       5-7 days
Wave 1    Honolulu office               ~80        2-3 days
Wave 2    Boulder office                ~80        2-3 days
Wave 3    Remaining remote users        ~30        2-3 days

At this point you should have:

  • Reusable setup key created for Company-Laptops group
  • TRMM deployment script configured with setup key and management URL
  • AV exclusions pushed (Defender + GPO)
  • Firewall GPO for wt0 interface deployed
  • Pilot group deployed and tested for 5-7 days
  • Full rollout completed in waves
  • All machines visible in the NetBird Dashboard Peers tab

Proceed to Step 6: Verification and Monitoring to validate the full deployment and configure ongoing monitoring.