How to Deploy Employee Monitoring Software in 30 Minutes via Group Policy

May 5, 2026 · Headx Team
Key takeaways

This is a working IT admin's checklist for rolling out the Headx Windows agent across 25-2,000 PCs. The principles apply equally to other Windows monitoring agents that ship as a code-signed MSI.

The fastest deployment we have seen for a 50-PC team: 22 minutes, start to first dashboard report. The slowest: 4 hours, because the customer had antivirus policy blocking unsigned MSI installs and we had to whitelist first. Plan for an hour, but expect under 30 minutes if your environment is standard.

Prerequisites (5 minutes to verify)

Before you start, confirm these are in place:

Path 1: Group Policy Software Installation (recommended, 30 min)

Step 1 — Copy the MSI to a network share (3 min)

Download HeadxAgent.msi from your tenant dashboard. Copy it to a network share accessible by Domain Computers, not just Domain Users. The "Domain Computers" permission is critical: GPO Software Installation runs as SYSTEM, which reaches the share with the computer account's identity, not a user's.

\\fileserver\Software\Headx\HeadxAgent.msi
\\fileserver\Software\Headx\HeadxAgent.mst   (transform file, see Step 3)

Verify permissions: right-click the folder → Properties → Security. "Domain Computers" must have Read & Execute. If you only see "Authenticated Users," that includes Domain Computers — but explicit is better.
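Because the GPO installs whatever sits at this path as SYSTEM, it is worth confirming before Step 4 that the MSI's signature is valid and that only administrators can change the folder. The script below is an added example, not Headx tooling; the trusted-writer list is an assumption to adapt to your domain.

```powershell
# Added example: pre-deployment check of the MSI signature and folder ACL.
$msi    = '\\fileserver\Software\Headx\HeadxAgent.msi'   # path from Step 1
$folder = Split-Path -Path $msi -Parent

# Assumption: only these principals should be able to change the package.
$trustedWriters = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                  'CREATOR OWNER', '*\Domain Admins'

# 1. The MSI must carry a valid Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': do not deploy this file."
}

# 2. Record the hash so later copies on the share can be compared against it.
$hash = (Get-FileHash -Path $msi -Algorithm SHA256).Hash

# 3. Find Allow rules that grant write-type rights to anyone outside the list.
$writeBits = [int][System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
    'ChangePermissions, TakeOwnership')
$writeBits = $writeBits -bor 0x10000000 -bor 0x40000000  # GENERIC_ALL, GENERIC_WRITE

$risky = (Get-Acl -Path $folder).Access | Where-Object {
    $id = $_.IdentityReference.Value
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band $writeBits) -and
    -not ($trustedWriters | Where-Object { $id -like $_ })
}

[pscustomobject]@{
    Signer       = $sig.SignerCertificate.Subject
    SHA256       = $hash
    RiskyWriters = @($risky | ForEach-Object {
        "$($_.IdentityReference): $($_.FileSystemRights)" })
}
if ($risky) {
    Write-Warning "Unexpected principals can modify $folder; tighten the ACL before linking the GPO."
}
```

This reads the NTFS ACL only; share-level permissions are separate and can be listed on the file server with Get-SmbShareAccess.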

Step 2 — Open Group Policy Management Console (1 min)

On any Domain Controller or a workstation with RSAT installed: gpmc.msc. Navigate to your target OU. Right-click → Create a GPO in this domain and Link it here → name it "Headx Agent Deployment - Pilot."

Step 3 — Configure the MSI with tenant credentials (4 min)

This is the only Headx-specific step. The agent needs your Tenant ID and Enrollment Key embedded in the install. Two ways to do this:

Step 4 — Add the package to the GPO (3 min)

In the new GPO: Computer Configuration → Policies → Software Settings → Software Installation. Right-click → New → Package. Browse to the UNC path of the MSI (\\fileserver\Software\Headx\HeadxAgent.msi) — do NOT use a local drive letter.

When prompted, choose Assigned (not Published). Assigned means the software installs automatically; Published means it appears in Add/Remove Programs for users to install themselves. For mandatory monitoring, Assigned is correct.

If using an MST transform: in the deployment dialog, select Advanced → Modifications tab → Add → browse to HeadxAgent.mst. Click OK.

Step 5 — Add restart behaviour (2 min)

The agent needs a reboot to complete installation. Most BPO PCs reboot at end of shift anyway, so this is usually fine — but configure it explicitly:

Computer Configuration → Policies → Administrative Templates → System → Logon → "Always wait for the network at computer startup and logon" → Enabled. This forces the GPO to fully process at boot, ensuring the install completes on the next reboot rather than the one after.

Step 6 — Test on the pilot OU first (5 min)

Move 3-5 test PCs into the target OU. On each: gpupdate /force from elevated cmd, then reboot. Watch the install log at:

C:\Windows\Temp\HeadxAgent_install.log

Verify the service is running:

Get-Service "Headx Agent"   # PowerShell
sc query "Headx Agent"      # cmd

Status should be Running within 60 seconds of reboot.

Step 7 — Verify it is reporting to the dashboard (3 min)

Log in to your Headx dashboard → Agents tab. Each newly-installed agent should appear with status "Online" within 5 minutes of the service starting. If you see 5 PCs in the dashboard after 5 minutes, your deployment is working — scale up.

Step 8 — Scale to the full fleet (5 min + rollout time)

Move the rest of the target machines into the OU (or apply the GPO to the parent OU containing them). Force gpupdate if you want immediate deployment; otherwise the install happens at the next reboot for each PC. Most BPOs see 80-90% of their fleet online within 24 hours of GPO link.

Path 2: Microsoft Intune (cloud-only environments, 25 min)

If your fleet is Intune-managed (typical for newer BFSI and IT services deployments):

  1. Intune admin centre → Apps → Windows → Add → "Line-of-business app"
  2. Upload HeadxAgent.msi from your dashboard
  3. App information: Name "Headx Agent," Publisher "Headx Monitor," Category "Productivity"
  4. Assignment: Required → Select group → choose your target Azure AD group
  5. Save. Intune begins distributing to enrolled devices on next check-in (typically within 8 hours; can force from device with "Sync" button in the Company Portal)

Validation is identical to GPO path: check the Agents tab in your dashboard.

Path 3: Manual / PowerShell (small deployments, 1 min per PC)

For under 10 PCs or for ad-hoc installations, the manual MSI path is fastest:

# Run as Administrator on each PC
msiexec /i \\fileserver\Software\Headx\HeadxAgent.msi /qn TENANT_ID=YOUR_TENANT_ID ENROLLMENT_KEY=YOUR_KEY

# Verify
Get-Service "Headx Agent" | Select-Object Name, Status

For remote-pushing to a list of PCs without GPO:

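$pcs = Get-Content C:\temp\pclist.txt
$msi = '\\fileserver\Software\Headx\HeadxAgent.msi'
foreach ($pc in $pcs) {
    # A default WinRM session cannot pass your credentials on to \\fileserver
    # (the Kerberos "second hop"), so copy the MSI to the target first.
    $session = New-PSSession -ComputerName $pc
    Copy-Item -Path $msi -Destination 'C:\Windows\Temp\HeadxAgent.msi' -ToSession $session
    Invoke-Command -Session $session -ScriptBlock {
        # Install silently from the local copy and wait for msiexec to finish
        Start-Process msiexec -ArgumentList '/i', `
            'C:\Windows\Temp\HeadxAgent.msi', `
            '/qn', 'TENANT_ID=YOUR_TENANT_ID', 'ENROLLMENT_KEY=YOUR_KEY' `
            -Wait -NoNewWindow
    }
    Remove-PSSession $session
}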

Requires WinRM enabled on each target PC (typically already on for AD-joined Windows 10/11) and an admin account that can authenticate.

Validation: how to know it actually worked

Three checks, in order:

Check 1 — Service status (per-PC)

Get-Service "Headx Agent"

Expected: Running. If Stopped, see the troubleshooting section below.

Check 2 — Local install log

type C:\Windows\Temp\HeadxAgent_install.log | findstr /i "error fail"

Expected: no matches. If you see "Error 1603" or similar, the most common cause is permissions or AV interference — see below.

Check 3 — Dashboard online status

Headx dashboard → Agents → filter by your test OU name. All agents should show "Online" within 5 minutes. If some show "Offline" but the service is running locally, the network path to the dashboard is blocked — check firewall rules for outbound HTTPS on port 443 to headx.in (Cloud) or your on-premise dashboard host.
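The three checks can be collected into one result per PC, which makes it easier to tell the failure modes apart across a pilot OU. This is an added example, not Headx code; the function name and the diagnosis strings are illustrative, and the dashboard check is approximated locally by testing outbound port 443.

```powershell
# Added example (not Headx code): the three checks above as one object per PC.
function Test-HeadxAgent {
    param(
        [string]$ServiceName   = 'Headx Agent',
        [string]$LogPath       = 'C:\Windows\Temp\HeadxAgent_install.log',
        [string]$DashboardHost = 'headx.in'   # or your on-premise dashboard host
    )

    # Check 1: service status; a missing service is reported, not thrown.
    $svc     = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $service = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }

    # Check 2: same match as findstr /i "error fail". A missing log stays
    # $null so that it is not mistaken for a clean log.
    $logErrors = if (Test-Path -Path $LogPath) {
        @(Select-String -Path $LogPath -Pattern 'error|fail').Count
    } else { $null }

    # Check 3 (local half): can this PC reach the dashboard over HTTPS?
    $outbound = Test-NetConnection -ComputerName $DashboardHost -Port 443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # Map the results to the failure modes, in the order the checks are listed.
    $diagnosis = if ($service -eq 'NotInstalled') { 'Not installed: pending reboot or GPO not applied' }
    elseif ($service -ne 'Running') { 'Service installed but not running' }
    elseif ($logErrors -gt 0)       { 'Install log has errors: permissions or AV' }
    elseif (-not $outbound)         { 'Outbound HTTPS to dashboard blocked' }
    else                            { 'OK' }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Service     = $service
        LogErrors   = $logErrors
        Outbound443 = $outbound
        Diagnosis   = $diagnosis
    }
}

# One PC:  Test-HeadxAgent
# Fleet (needs WinRM, as in Path 3); unreachable PCs are collected in $unreached:
# Invoke-Command -ComputerName (Get-Content C:\temp\pclist.txt) `
#     -ScriptBlock ${function:Test-HeadxAgent} `
#     -ErrorAction SilentlyContinue -ErrorVariable unreached
```

A PC that reports OK here but stays "Offline" in the Agents tab still needs the dashboard-side check, since a TCP connect on 443 does not prove a TLS-inspecting proxy is passing the agent's traffic.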

Five common failure modes and fixes

1. "MSI installation pending reboot"

Symptom: GPO log shows install queued, but service is not running.
Fix: Reboot the PC. The MSI install completes at next boot. Use shutdown /r /t 0 if needed.

2. "Service installed but not running"

Symptom: Get-Service "Headx Agent" shows Stopped status.
Fix: Start-Service "Headx Agent". If it fails to start, check the Windows Event Log → Application → look for "Headx" entries. Most common cause: missing .NET 8 runtime (the agent's MSI installs it; if blocked, install separately).

3. "GPO not applying to target PCs"

Symptom: gpresult /r on a target PC does not list the Headx Agent GPO.
Fix: Two common causes. (1) The PC is in the wrong OU — move it. (2) WMI filter or security filter on the GPO is excluding it — open the GPO → Scope tab → check Security Filtering and WMI Filters.

4. "Antivirus blocking install"

Symptom: Install log shows MSI extraction blocked, or installed but service immediately killed.
Fix: Add an AV exclusion for C:\Program Files\Headx Agent\ and the service executable. Headx provides signed SHA-256 fingerprints on request for whitelisting in Windows Defender, CrowdStrike, Trend Micro, Symantec, McAfee, Kaspersky, and SentinelOne.

5. "Agents online locally but not appearing in dashboard"

Symptom: Service running, install log clean, but Agents tab shows no entries.
Fix: Outbound HTTPS connectivity. From the PC: Test-NetConnection headx.in -Port 443. If TcpTestSucceeded is False, a firewall or proxy is blocking. Whitelist *.headx.in for Cloud deployments, or your on-premise dashboard hostname.

Rollback procedure

If something goes wrong and you need to undo the deployment in a hurry:

  1. In GPMC: right-click the Headx GPO → Edit → Computer Configuration → Software Installation → right-click the Headx package → All Tasks → Remove → "Immediately uninstall the software from users and computers."
  2. Force gpupdate /force on the affected PCs (or wait for next boot).
  3. Service stops, MSI uninstalls, no manual intervention per-PC needed.

For Intune: change the assignment from "Required" to "Uninstall" on the same Azure AD group.

FAQ

Can I deploy to PCs that are not joined to AD?

Yes, via Intune (if Azure AD-joined), manual MSI install, or PowerShell remoting. GPO requires AD membership.

Does the install require a reboot?

For first-time install, yes (service registration and driver load on Windows). For agent updates after that, no — the agent updates itself in-place without rebooting.

How big is the MSI?

Roughly 18-22 MB depending on version. Fits comfortably in a GPO software-installation deployment over a typical office LAN.

Can the agent run on Windows Server (RDS / Citrix environments)?

Yes, the agent is supported on Windows Server 2019 and 2022, including Remote Desktop Services and Citrix XenApp/Virtual Apps environments. On a multi-user session host, the agent treats each logged-in user as a separate session.

What about Mac and Linux endpoints?

The Headx Windows agent does not run on Mac or Linux. Mac and Linux agents are on the Headx roadmap.

How does the agent handle laptops that go offline (WFH, travel)?

Activity is captured locally and buffered in an encrypted queue. When the PC reconnects, the queue uploads to the dashboard. No data loss during offline periods.

Can users see they are being monitored?

By default, yes — a system-tray icon shows when the agent is active and the first run displays a consent prompt. This is the recommended legal posture under the IT Act 2000. Admins can configure visibility per policy, but transparency is strongly advised. See our consent form template for the legal framing.
