Install a Nessus Agent on Windows
Caution: If you install a Tenable Nessus Agent on a system where an existing Tenable Nessus Agent, Tenable Nessus Manager, or Tenable Nessus scanner is running nessusd
, the installation process kills all other nessusd
processes. You may lose scan data as a result.
Note: This procedure describes deploying Tenable Nessus Agents via the command line. You can also deploy Tenable Nessus Agents with a standard Windows service such as Active Directory (AD), Systems Management Server (SMS), or other software delivery system for MSI packages. For more information on deploying via these methods, see the appropriate vendor's documentation.
Note: You may be required to restart your computer to complete installation.
Before You Begin
- Retrieve the Nessus Agents linking key. For more information, see the Tenable Nessus User Guide or the Tenable Vulnerability Management User Guide, depending on what manager you use.
- Consider the following if you are reinstalling Tenable Nessus Agent after uninstalling it:
- If you previously had the Tenable Nessus Agent installed on your system, see the knowledge base article on how to avoid linking errors.
On Windows, the Tenable Nessus Agent uninstall process automatically creates a backup file in the %TEMP% directory. If you reinstall Tenable Nessus Agent within 24 hours, Tenable Nessus Agent uses that backup file to restore the installation. If you want to reinstall Tenable Nessus Agent within 24 hours without using the backup, manually delete the backup file in the %TEMP% directory beforehand.
Deploy and Link via the Command Line
You can deploy and link Tenable Nessus Agents via the command line. For example:
msiexec /i NessusAgent-<version number>-x64.msi NESSUS_GROUPS="Agent Group Name" NESSUS_SERVER="192.168.0.1:8834" NESSUS_KEY=00abcd00000efgh11111i0k222lmopq3333st4455u66v777777w88xy9999zabc00 /qn
The following are available linking parameters:
Parameter | Description |
---|---|
NESSUS_OFFLINE_INSTALL | You can install the Tenable Nessus Agent on a system even if it is offline. Add the command line option NESSUS_OFFLINE_INSTALL="yes" to the command line input. The Tenable Nessus Agent will periodically attempt to link itself to either Tenable Vulnerability Management or Tenable Nessus Manager. If the agent cannot connect to the controller then it retries every hour, and if the agent can connect to the controller but the link fails then it retries every 24 hours. |
NESSUS_SERVICE_AUTOSTART=false |
Prevents the Tenable Nessus Agent from starting up after installation. This parameter can be useful for streamlined deployment options (for example, deploying using a JSON file). |
ADDLOCAL=ALL | Install the Tenable Nessus Agent System Tray Application. |
NESSUS_PLUGINS_FILEPATH="C:\path\to\plugins_set.tgz" | Install a full plugins set before linking to reduce the bandwidth impact during a mass installation. Add the command line option NESSUS_PLUGINS_FILEPATH="C:\path\to\plugins_set.tgz" where plugins_set.tgz is a recent plugins set tarball less than five days old. A stale plugins set older than five days will force a full plugins download to occur. You can download a recent plugins set from the Tenable downloads page. |
NESSUS_GROUPS |
Specify existing agent group or groups where you want to add the agent. If you do not specify an agent group during the install process, you can add your linked agent to an agent group later in Tenable Nessus Manager or Tenable Vulnerability Management. Note: The agent group name is case-sensitive and must match exactly. Note: Quotation marks (") are necessary when listing multiple groups, or one group with spaces in its name. For example:
|
NESSUS_PROCESS_PRIORITY |
Determine the priority of the agent relative to the priority of other tasks running on the system. For valid values and more information on how the setting works, see Agent CPU Resource Control in the Tenable Nessus Agent Deployment and User Guide. |
NESSUS_NAME
|
Specify the name for your agent. If you do not specify a name for your agent, the name defaults to the name of the computer where you are installing the agent. |
NESSUS_CA_PATH
|
Specify a custom CA certificate to use to validate the manager's server certificate. |
NESSUS_PROXY_SERVER
|
Specify the hostname or IP address of your proxy server. |
NESSUS_PROXY_USERNAME
|
Specify the name of a user account that has permissions to access and use the proxy server. |
NESSUS_PROXY_PASSWORD
|
Specify the password of the user account that you specified as the username. |
NESSUS_PROXY_AGENT
|
Specify the user agent name, if your proxy requires a preset user agent. |
Download Nessus Agent
On the Nessus Agents Download Page, download the package specific to your operating system.

NessusAgent-<version number>-Win32.msi
Windows Server 7, and 8 (32-bit)
Start Nessus Agent Installation
- Navigate to the folder where you downloaded the Tenable Nessus Agent installer.
- Next, double-click the file name to start the installation process. The Welcome to the InstallShield Wizard for Nessus Agent window appears.
Complete the Windows InstallShield Wizard
Note: You may have to restart your computer to complete installation on Windows.
Note: If you want to include the system tray application in your installation, see System Tray Application.
- In the Welcome to the InstallShield Wizard for Nessus Agent window, click Next to continue.
- In the License Agreement window, read the terms of the Tenable, Inc. Nessus software license and subscription agreement.
- Click I accept the terms of the license agreement.
- Click Next.
-
In the Destination Folder window, click Next to accept the default installation folder.
-or-
Click Change to browse and select a different folder where you want to install Tenable Nessus Agents.
-
In the Configuration Options window, type the Agent Key values:
Field Value Key (Required) Use the value you retrieved from the manager. Server (Required) Use the value you retrieved from the manager.
-
To link to Tenable Vulnerability Management, enter cloud.tenable.com:443.
-
To link to Tenable Nessus Manager, enter the IP/hostname of the manager with the appended port 8834; for example, 192.0.2.0:8834.
Groups Specify existing agent group(s) where you want to add the agent.
If you do not specify an agent group during the installation process, you can later add your linked agent to an agent group.
Note: The agent name defaults to the name of the computer where you are installing the agent.
-
- Click Next.
- In the Ready to Install the Program window, click Install.
- If presented with a User Account Control message, click Yes to allow the Tenable Nessus Agent to install.
- In the InstallShield Wizard Complete window, click Finish.
Note: If you attempt to clone an Agent and link it to Tenable Nessus Manager or Tenable Vulnerability Management, a 409 error may appear. This error appears because another machine was linked with the same UUID value in the HKLM/Software/Tenable/TAG
file. To resolve this issue, replace the value in the HKLM/Software/Tenable/TAG
file with a valid UUIDv4 value.
Note: For more information about linking agents to Tenable Vulnerability Management, see Link a Sensor in the Tenable.io User Guide.
Verify a Linked Agent
To verify a linked agent in Tenable Vulnerability Management:
-
In the upper-left corner, click the
button.
The left navigation plane appears.
-
In the left navigation plane, click Settings.
The Settings page appears.
-
Click the Sensors tile.
The Sensors page appears. By default, Nessus Scanners is selected in the left navigation menu and the Cloud Scanners tab is active.
-
In the left navigation menu, click Nessus Agents.
The Nessus Agents page appears and the Linked Agents tab is active.
-
Locate the new agent in the linked agents table.
To verify a linked agent in Tenable Nessus Manager:
-
In the top navigation bar, click Sensors.
The Linked Agents page appears.
-
Locate the new agent in the linked agents table.