Introduction
You can deploy the Level agent to domain-joined Windows devices using Group Policy. There are two approaches: importing a pre-built automation from Level that handles GPO creation automatically, or setting up the GPO manually.
⚙️ PREREQUISITES
Active Directory domain with Group Policy Management
A domain controller accessible from Level
A Level account with permission to add devices
ℹ️ NOTE: This deployment method is provided as a convenience. GPO behavior varies across Active Directory environments — test before deploying to production.
Install via Group Policy
Method 1: Automated Setup (Recommended)
Level provides a pre-built automation that creates and links the GPO for you. It runs on a single domain controller and propagates the agent install to all clients via scheduled task.
Step 1: Import the GPO Automation
Import the automation into your Level account: Import Level GPO Automation
Click Import automation to add it to your account.
Step 2: Get Your Install Key
In Level, open the Device Listing and click Add new device.
Select Windows from the OS selector.
Optionally select a device group — the install key will include the group ID if one is selected.
Copy the install key from the modal.
Step 3: Configure Automation Variables
Open the imported automation and select the Variables tab.
Paste your install key into the
LEVEL_API_KEYvariable.If you selected a group, paste the group ID into the group ID variable.
Step 4: Assign to a Domain Controller
Add a single domain controller as the target device for this automation.
⚠️ WARNING: Only assign this automation to one domain controller. The automation creates a GPO at the domain root — running it on multiple controllers will cause conflicts.
Step 5: Approve and Run
The automation's first step is an admin approval gate. Review and click Approve to proceed.
The second step runs a script that creates a new GPO called "Install Level Agent" and links it to the root of the domain. The GPO creates a scheduled task on all Active Directory clients that immediately runs the Level install script.
ℹ️ NOTE: The automated setup drops Windows Event Log messages on client machines when the installer script runs. These are useful for troubleshooting failed installs.
Method 2: Manual Setup
If you prefer to configure the GPO yourself, use an immediate scheduled task.
Step 1: Create and Link the GPO
Open Group Policy Management.
Create a new GPO and link it to the appropriate OU in Active Directory.
Step 2: Configure the Scheduled Task
Edit the GPO and navigate to Computer Configuration → Preferences → Control Panel Settings → Scheduled Tasks.
Right-click and select New → Immediate Task (At least Windows 7).
General tab:
Setting | Value |
Name | Install Level Agent |
User | SYSTEM |
Run whether user is logged on or not | Enabled |
Run with highest privileges | Enabled |
Configure for | Windows 7, Windows Server 2008 R2 |
Actions tab:
Click New and configure the action:
Field | Value |
Program/script |
|
Add arguments | See below |
In the Add arguments field, paste the following. Replace PUT_YOUR_LEVEL_KEY_HERE with your install key:
__PRESERVE_CODE_3__
Click OK to close the action, then OK again to close the task properties.
Step 3: Wait for Policy Refresh
On the next Group Policy refresh, the scheduled task runs and the Level agent is installed on domain-joined devices in the linked OU. Devices appear in Level within seconds of the install completing.
ℹ️ NOTE: Manual GPO setup doesn't generate Windows Event Log messages on client machines. Use the automated method if you need install activity logging for troubleshooting.
FAQ
The GPO ran but devices aren't showing up in Level — what happened? First, check the Windows Event Log on affected clients for messages from the Level install script (automated method only). Common causes: the PowerShell script was blocked by an execution policy, an AV/EDR tool quarantined the download, or the device couldn't reach
downloads.level.io. See AV/EDR False Detections and Offline Troubleshooting.Can I target a specific OU instead of the whole domain? For the automated method, the script links the GPO at the domain root. If you need OU-level targeting, use the manual method and link the GPO to the specific OU.
Do I need to update the GPO if my install key changes? Yes. Update the
LEVEL_API_KEYvalue in the automation variables (automated method) or in the scheduled task arguments (manual method).Who can run the automated GPO setup? Any Level technician with permission to run automations on the domain controller device. The admin approval step in the automation provides a manual review gate before the script runs.