Agent Reference
This page documents the TridentStack Control agent's installation paths, configuration files, service details, and supported platforms for each operating system.
Windows Agent
Supported Versions
- Windows 8.1 and later
- Windows Server 2012 R2 and later
On Windows Server 2012 R2 and older, the agent runs as a headless service without the desktop system tray UI. All management features work normally. See Desktop UI below for details.
Installation
The Windows agent is distributed as an MSI installer. Install interactively or via command line:
msiexec /i TridentStack-Control.msi ENROLLMENT_TOKEN="<token>" /qn /norestart
The /qn flag runs a silent install. The /norestart flag prevents an automatic reboot after installation.
File Locations
| Path | Contents |
|---|---|
| C:\Program Files\TridentStack Control\ | Agent binaries (read-only after install) |
| C:\ProgramData\TridentStack Control\ | Runtime data root |
| C:\ProgramData\TridentStack Control\config\ | Configuration files |
| C:\ProgramData\TridentStack Control\logs\ | Agent log files |
| C:\ProgramData\TridentStack Control\downloads\ | Downloaded update files and pre-staged content |
| C:\ProgramData\TridentStack Control\servicedata\ | Service runtime state |
| C:\ProgramData\TridentStack Control\cache\ | Cached data |
Configuration Files
All configuration files are located in C:\ProgramData\TridentStack Control\config\:
| File | Purpose |
|---|---|
| server.json | Server connection URL, gateway address |
| agent.json | Agent identity and configuration |
| agent_credentials.dat | Encrypted credentials (DPAPI, SYSTEM-only access) |
| debug-settings.json | Debug logging levels and options |
Never manually edit agent_credentials.dat. It is encrypted using Windows DPAPI under the SYSTEM account and cannot be read or modified by user accounts.
Windows Service
| Property | Value |
|---|---|
| Service Name | TridentStack-ControlService |
| Display Name | TridentStack Control Service |
| Account | Local System (SYSTEM) |
| Start Type | Automatic |
| Recovery | Restart on failure |
Common commands:
# Check service status
Get-Service TridentStack-ControlService
# Restart the service
Restart-Service TridentStack-ControlService
# View recent service logs
Get-EventLog -LogName Application -Source "TridentStack*" -Newest 20
Binaries
| Binary | Purpose |
|---|---|
| tridentstack-core.exe | Core agent daemon (runs as SYSTEM) |
| TridentStack Control.exe | Desktop UI application (runs as current user) |
| tridentstack-updater.exe | Self-update handler (runs as SYSTEM) |
Desktop UI (System Tray)
The TridentStack Control agent includes a desktop UI application that runs in the system tray when a user is logged in. The system tray icon provides quick access to agent status, version information, and update notifications.
The desktop UI requires the Microsoft Edge WebView2 Runtime, which is pre-installed on Windows 10 and Windows 11. On Windows Server editions, the agent installer downloads and installs WebView2 automatically during setup.
Legacy OS limitation: On Windows Server 2012 R2 and older, the desktop UI is not available. Microsoft ended WebView2 support for these operating systems in October 2023, and installing the last compatible version (v109) would introduce known security vulnerabilities. The agent installer skips WebView2 installation on these systems to avoid this risk.
The desktop UI is optional. The agent service operates with full functionality without it. All patch management, vulnerability scanning, policy enforcement, and update deployment features work identically whether or not the desktop UI is running. Server endpoints, which typically run without interactive user sessions, are unaffected by this limitation.
Windows Update Management
When the TridentStack Control agent is installed, it automatically configures the endpoint so that the platform is the primary update provider. Native Windows Update scanning and automatic installation are suppressed to prevent conflicts with managed patching.
What the agent configures:
The agent applies Windows Update registry policies on startup and verifies them on every service restart. If the configuration is tampered with or removed (for example, by a Group Policy refresh or manual change), the agent reapplies it automatically.
| Windows Version | Mode | Behavior |
|---|---|---|
| Windows 10 2004+, Windows 11, Server 2022+ | Driver-only | Quality, feature, and other updates are blocked from Windows Update. Driver updates are still delivered through Windows Update. All non-driver patching is managed exclusively by TridentStack Control. |
| Server 2019, Server 2016, older Windows 10 | Fully managed | All updates (including drivers) are blocked from Windows Update. TridentStack Control manages every update category. |
Registry policies applied:
| Key | Value | Purpose |
|---|---|---|
| WUServer | http://localhost:8530 | Points Windows Update at an unreachable endpoint |
| WUStatusServer | http://localhost:8530 | Matching status server for the unreachable endpoint |
| UseWUServer | 1 | Enforces the configured WSUS source |
| NoAutoRebootWithLoggedOnUsers | 1 | Prevents automatic restarts; TridentStack Control manages reboot scheduling |
On modern systems (build 19041+), additional per-category source policies route each update classification individually. On older systems, NoAutoUpdate=1 is set instead to fully disable automatic update checks.
Clean uninstall:
When the agent is uninstalled, all Windows Update registry changes are restored to their pre-installation values. The agent maintains a registry backup of every value it modifies, so uninstalling returns the endpoint to its original Windows Update configuration.
Administrators do not need to configure Windows Update suppression manually. The agent handles this automatically on every supported Windows version. If your organization uses Active Directory Group Policy to manage Windows Update settings, be aware that GPO may override the agent's configuration on domain-joined endpoints. In that case, configure your GPO to align with the agent's settings or exclude managed endpoints from the WU GPO.
Self-Update Process
When an update is available, the agent:
- Downloads the new MSI to C:\ProgramData\TridentStack Control\downloads\agent-updates\
- Validates the file integrity
- Executes the MSI upgrade silently
- The service restarts automatically with the new version
Application Updates Note
Application updates (third-party software management) are supported on all Windows versions. On modern systems (Windows 10+, Server 2019+), the agent uses the native package manager when available. On legacy systems (Server 2016, Windows 8.1), the agent downloads and executes installers directly from the synced catalog.
Linux Agent
Supported Distributions
Primary support (DEB packages):
- Ubuntu 20.04 LTS and later
- Debian 12 and later
Detected and supported (package manager integration):
- RHEL 8 and later
- CentOS Stream 8 and later
- Rocky Linux 8 and later
- AlmaLinux 8 and later
- Fedora (latest stable)
- Amazon Linux 2 and later
The installer script automatically detects the distribution and package manager.
Installation
Install using the one-line installer:
curl -fsSL https://get.tridentstack.com/linux | sudo bash -s -- --key <ENROLLMENT_TOKEN>
The installer downloads the latest DEB package, installs it, configures the agent, and starts the service.
Installer options:
| Flag | Purpose |
|---|---|
| --key <TOKEN> | Install with enrollment token (new installation) |
| --upgrade | Upgrade an existing installation to the latest version |
| --uninstall | Remove the agent and all configuration |
| (no flags) | Repair/heal an existing installation (preserves credentials) |
File Locations
| Path | Contents |
|---|---|
| /opt/tridentstack/bin/ | Agent binary |
| /etc/tridentstack/ | Configuration files (root-only, mode 700) |
| /var/log/tridentstack/ | Agent log files |
| /var/lib/tridentstack/ | Runtime state and cache (root-only, mode 700) |
Configuration Files
All configuration files are located in /etc/tridentstack/:
| File | Purpose |
|---|---|
| agent.json | Agent identity and configuration |
| credentials.enc | Encrypted agent credentials |
Systemd Service
| Property | Value |
|---|---|
| Service Name | tridentstack-agent |
| Binary | /opt/tridentstack/bin/tridentstack-agent daemon |
| Account | root |
| Start Type | Enabled (starts on boot) |
| Recovery | Always restart (10-second delay) |
Security hardening applied via systemd:
- ProtectHome=yes (cannot access /home)
- PrivateTmp=yes (isolated /tmp)
- ProtectKernelTunables=yes
- ProtectControlGroups=yes
Common commands:
# Check service status
sudo systemctl status tridentstack-agent
# Restart the service
sudo systemctl restart tridentstack-agent
# View recent logs
sudo journalctl -u tridentstack-agent -n 50
# Follow logs in real time
sudo journalctl -u tridentstack-agent -f
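To confirm that an endpoint still matches the documented hardening (root-only, mode 700 directories holding credentials.enc and runtime state, plus the four systemd sandbox settings), an audit script like the following can be run after installs and upgrades. This is an added example, not code shipped with the agent; the function names and the --audit argument are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added audit example, not vendor code. Paths, modes and property names are
# the ones documented above; the function names and --audit flag are made up.
UNIT="tridentstack-agent"
DIRS="/etc/tridentstack /var/lib/tridentstack"
PROPS="ProtectHome PrivateTmp ProtectKernelTunables ProtectControlGroups"

# check_dir PATH [UID] [MODE]: succeed only if PATH is a directory owned by
# UID (default 0, root) with exactly MODE (default 700).
check_dir() {
    local path="$1" want="${2:-0} ${3:-700}" got
    if [ ! -d "$path" ]; then
        echo "FAIL $path: missing or not a directory"; return 1
    fi
    got="$(stat -c '%u %a' "$path")" || return 1
    if [ "$got" != "$want" ]; then
        echo "FAIL $path: uid/mode is '$got', expected '$want'"; return 1
    fi
    echo "OK   $path (uid/mode $got)"
}

# check_hardening: read `systemctl show` output (Key=Value lines) on stdin and
# succeed only if every property in PROPS is present and set to "yes".
check_hardening() {
    local shown prop value rc=0
    shown="$(cat)"
    for prop in $PROPS; do
        value="$(printf '%s\n' "$shown" | sed -n "s/^${prop}=//p" | head -n 1)"
        if [ "$value" = "yes" ]; then
            echo "OK   $prop=yes"
        else
            echo "FAIL $prop=${value:-<not reported>}"; rc=1
        fi
    done
    return "$rc"
}

# audit: check both root-only directories and the live unit's sandbox settings.
audit() {
    local d rc=0
    for d in $DIRS; do check_dir "$d" || rc=1; done
    systemctl show "$UNIT" -p ProtectHome -p PrivateTmp \
        -p ProtectKernelTunables -p ProtectControlGroups | check_hardening || rc=1
    return "$rc"
}

# Run as root: sudo bash audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit; fi
```

A non-zero exit status means at least one directory or sandbox setting has drifted from the documented values, which makes the script usable as a scheduled compliance check.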
Self-Update Process
When an update is available, the agent:
- Downloads the new binary
- Replaces the binary at /opt/tridentstack/bin/tridentstack-agent
- The systemd service restarts automatically with the new version
Linux-Specific Features
- Package update detection: The agent queries apt/dnf for available package updates and reports them as pending updates, including whether each update is a security patch.
- Docker enrichment: Ports held by docker-proxy are enriched with the associated container name and image.
- Reboot detection: The agent checks for /var/run/reboot-required to determine if the system needs a restart after updates.
Network Requirements
Both Windows and Linux agents require:
| Requirement | Details |
|---|---|
| Outbound port 443 | gRPC connection to gateway.tridentstack.com (TLS encrypted) |
| No inbound ports | The agent initiates all connections. No firewall rules needed for inbound traffic. |
| Proxy support | The agent respects system proxy settings for outbound connections |
The agent maintains a persistent gRPC connection to the gateway for real-time command delivery and telemetry reporting.
Agent Version
Check the installed agent version:
# Windows
reg query "HKLM\SOFTWARE\TridentStack\Control" /v Version
# Linux
/opt/tridentstack/bin/tridentstack-agent --version
The agent version is also visible in the TridentStack Control console on the agent detail page under the System tab.