There are two options to install DNS Guard on a Windows device. Both have their benefits and downsides. These instructions are recommended for devices that are not domain-joined.
We always recommend deploying DNS Guard on a few devices first to prevent unexpected situations or behavior.
If you require captive portals, please also read this article: https://knowledgebase.securityhive.io/en/articles/133345-captive-portal
Options
Use DNS Guard client (standalone deployment).
If you are running a Windows version that doesn't support DoH natively or don't feel like running a PowerShell script, you can use our DNS Guard Client for standalone deployment.
Use DNS Guard client (MDM deployment).
If you manage many devices via an MDM/RMM tool, you can use the DNS Guard client to protect these devices easily.
Use native DNS over HTTPS support.
Windows 10 / Server 2016 and higher support DNS over HTTPS (DoH) by default. However, to use DoH, you must run a PowerShell script to configure DNS Guard.
Option 1: Use DNS Guard client (standalone deployment)
Go to the Installation tab of your DNS Guard server in the SecurityHive Portal and navigate to the Windows section.
Download the MSI Installer in the Software client (standalone deployment) section.
Execute the MSI installer and enter your server ID during installation.
Finish the installer setup. The client is configured and protected.
Option 2: Use DNS Guard client (MDM deployment)
Go to the Installation tab of your DNS Guard server in the SecurityHive Portal and navigate to the Windows section.
Download the MSI Installer in the Software client (MDM deployment) section.
Deploy the MDM installer via your MDM/RMM tool with the following parameters (make sure to replace [serverId] with your specific and unique server ID): /qn INSTALL=TRUE SERVERID="[serverId]"
The devices are configured and protected.
If you want to uninstall DNS Guard via MDM, use the instructions for your MDM tooling. We have some recommendations:
1. Identify the GUID of your DNS Guard installation.
2. If you're running DNS Guard 3.0.0, you'll have to specify the SERVERID="[serverId]" part with your unique server ID due to a bug in the MSI.
3. Use logging functionality if you run into issues and contact support with these logs.
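The three recommendations above can be combined into one script that your MDM/RMM tool runs elevated on the device. This is an added example, not SecurityHive's own script; it assumes the product's DisplayName in the registry contains "DNS Guard", and $ServerId and $LogPath are placeholders to set yourself.

```powershell
# Added example, not part of the DNS Guard product. Run with Administrator rights.
# Assumption: the installed product's DisplayName contains "DNS Guard".
$ServerId = '[serverId]'                          # placeholder: your unique server ID
$LogPath  = "$env:TEMP\dnsguard-uninstall.log"    # placeholder: verbose MSI log location

# 1. Identify the GUID. MSI products register under the Uninstall keys
#    (64-bit and 32-bit views); for MSI installs the subkey name is the product GUID.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$products = @(Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DisplayName -like '*DNS Guard*' -and
        $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$'
    })

if ($products.Count -eq 0) {
    Write-Output 'DNS Guard is not installed; nothing to do.'
    exit 0
}
if ($products.Count -gt 1) {
    # Refuse to guess which product to remove.
    Write-Error "Found $($products.Count) matching products; uninstall them individually."
    exit 1
}

$product = $products[0]
# 3. Always write a verbose log so it can be sent to support if the uninstall fails.
$msiArgs = @('/x', $product.PSChildName, '/qn', '/norestart', '/L*v', "`"$LogPath`"")

# 2. Version 3.0.0 needs SERVERID passed on uninstall as well.
if ($product.DisplayVersion -like '3.0.0*') {
    if ($ServerId -eq '[serverId]') {
        Write-Error 'DNS Guard 3.0.0 detected: set $ServerId before running.'
        exit 1
    }
    $msiArgs += "SERVERID=`"$ServerId`""
}

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
Write-Output "msiexec exit code $($proc.ExitCode); log written to $LogPath"
exit $proc.ExitCode
```

An exit code of 0 means success and 3010 means success with a reboot pending; for any other code, send the log file to support.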
Option 3: Use native DNS over HTTPS support
1. Create a remote client
First, you must create a remote client in your DNS Guard server. When managing a DNS Guard server, go to the Installation tab and select Windows. Enter the name of the client and click Generate. Copy the contents to execute manually in PowerShell, or click Download.
A PowerShell script will be downloaded. Open this script on the device for which you created the client and that you want to protect with DNS Guard. Make sure you create a different client for each device to keep an overview of the DNS queries of separate devices.
2. Apply settings
Open the PowerShell script with Administrator rights. The DNS Guard server will be added and configured. You're done now!