Prerequisites:

Before installing, confirm the following:

Download the PowerShell Orchestrator package:

[Your administrator should confirm whether packages are distributed internally or downloaded directly from the portal in your environment.]

Enabling WinRM on the installation machine:

If WinRM is not already enabled, run the following in PowerShell as Administrator:

Enable-PSRemoting -Force

Confirm WinRM is running:

Get-Service WinRM

The service should show as Running.

[Your administrator should confirm whether WinRM is managed via Group Policy in your environment before enabling it manually.]

Installation steps:

1. Copy the lta-mp-orchestrator.zip package to the target Windows machine
   
2. Extract the zip file to a working directory
   
3. Open PowerShell as Administrator and navigate to the extracted directory:
   

cd C:\path\to\extracted\orchestrator

4. If not already done, allow PowerShell scripts to run:

Set-ExecutionPolicy Unrestricted

5. Run the installation script:

.\Install.ps1

6. Follow any on-screen prompts during installation, including:
   
   • Entering the LT Auditor ^MP server IP address or hostname
   • Confirming the syslog port (default: 514)
   • Selecting the communication protocol (UDP, TCP, or TLS)
   • Entering the service account credentials to be used for Active Directory and Entra ID assessments
7. Once installation is complete, reset the PowerShell execution policy:
   

Set-ExecutionPolicy Restricted

[Your administrator should fill in the exact installer prompts and any environment-specific options that appear during installation.]

Post-installation verification:

After installation completes, confirm that PowerShell Orchestrator is running and communicating with the LT Auditor ^MP server.

1. Check the service status:

sc query PowerShellOrchestrator

The service should show as Running.

2. In the LT Auditor ^MP Web UI, navigate to Admin → Modules and confirm the PowerShell Orchestrator instance appears with a status of Connected
   
3. Check the PowerShell Orchestrator logs for any errors:
   

\Program Files\Blue Lance 2-0\PowerShellOrchestrator\Logs\

4. Verify that assessment data is appearing in the LT Auditor ^MP View module by navigating to View and selecting the Active Directory environment

If the module does not appear as connected in the Web UI, confirm that no firewall is blocking communication between the installation machine and the LT Auditor ^MP server on the configured syslog port.

[Your administrator should note the specific port, protocol, and service account used in your environment, and document which machine PowerShell Orchestrator is installed on.]

Verifying service account permissions:

The service account used by PowerShell Orchestrator requires the following minimum permissions:

Active Directory:

• Read access to all user, group, and computer objects in the monitored domains
• Read access to Group Policy Objects (GPOs)
• Read access to Active Directory Sites and Services

Microsoft Entra ID:

• Directory.Read.All — read access to directory objects
• AuditLog.Read.All — read access to audit logs
• Policy.Read.All — read access to conditional access and other policies

[Your administrator should confirm the exact permissions required in your environment and ensure the service account is configured accordingly before running the first assessment.]

1. Change the default admin password Log in to the Web UI and immediately change the default administrator password to a strong, unique password.

1. Navigate to Admin → User Management
2. Select the admin account
3. Click Change Password
4. Enter and confirm a new password
5. Click Save

2. Configure SMTP for email alerts Set up email delivery so that alerts and scheduled reports can be sent to your team.

1. Navigate to Admin → SMTP Settings
2. Enter your mail server details:
   • SMTP Host
   • Port
   • Authentication credentials
   • From address
3. Send a test email to confirm delivery
4. Click Save

[Your administrator should fill in the specific SMTP server details for your environment.]

3. Install and connect modules Install the relevant modules for your environment and confirm they are sending data to the LT Auditor ^MP server. Refer to each module’s dedicated documentation section for full instructions.

4. Configure monitored scopes Define which servers, directories, and systems LT Auditor ^MP should monitor.

1. Navigate to Configure → Environments
2. Add each environment relevant to your deployment (Windows, Linux, eDirectory, etc.)
3. Define log categories and operations to capture within each environment
4. Save your configuration

5. Set up alert rules Configure at minimum a basic set of alert rules to notify your team of critical events. See the Configuring Alert Rules article for full instructions.

Recommended starting alerts:

• Failed login threshold exceeded
• Privileged account changes
• File deletion on sensitive directories
• New admin account created

6. Configure data retention policy Set how long audit data is retained in the database to manage storage and meet compliance requirements.

1. Navigate to Admin → Retention Settings
2. Set the retention period in days
3. Click Save

7. Set up user roles and access Create user accounts and assign appropriate roles for your team before sharing access to the platform.

1. Navigate to Admin → User Management
2. Add user accounts for each team member
3. Assign roles based on responsibilities (admin, analyst, report viewer, etc.)
4. Save all changes

8. Test an alert end-to-end Before going live, confirm that the full alert pipeline is working correctly.

1. Trigger a test event that matches one of your alert rules
2. Confirm the alert appears in Alerts → Active Alerts
3. Confirm the alert notification email is received
4. Resolve the test alert

Cannot access from remote machines The server was likely configured using 127.0.0.1 (localhost) as the IP address during installation. This restricts access to the local machine only. Reconfigure the server using its actual IP address or domain name.

SMTP not working Email/alert delivery settings can be reconfigured after installation by editing the configuration files in the installation directory. You do not need to reinstall.

Port conflicts If a required port is already in use by another application, the service will fail to start. Confirm all required ports are free before installation. Use the following to check for port conflicts:

On Linux:

sudo ss -tulnp | grep <port>

On Windows:

netstat -ano | findstr <port>

Service errors on startup Check the application logs for error details:

On Linux:

cd /opt/bluelance/lcollector/logs/general/

cd /opt/bluelance/web/server/logs/

On Windows:

\Program Files\Blue Lance 2-0\Web\Apps\Logs\

\Program Files\Blue Lance 2-0\Collector\Logs\General\

Services not starting automatically on reboot (Linux) If services do not restart after a system reboot, ensure they are enabled:

sudo systemctl enable lta-web

sudo systemctl enable lta-collector

PowerShell execution policy error (Windows) If the installation script fails to run, confirm the execution policy is set correctly before running the installer:

Set-ExecutionPolicy Unrestricted

Remember to reset it after installation completes:

Set-ExecutionPolicy Restricted

For additional support, refer to the Blue Lance documentation at https://www.bluelance.com/docs or contact your system administrator.

Check service status:

sc query LTA_Web

sc query LTA_Server

sc query LTA_DataCollector

All three services should show as running. If any service is not running, check the logs for errors before continuing.

Check logs for errors or warnings:

\Program Files\Blue Lance 2-0\Web\Apps\Logs\

\Program Files\Blue Lance 2-0\Collector\Logs\General\

[Your administrator should note any expected output or common first-run messages specific to your environment.]

Check service status:

systemctl status lta-web

systemctl status lta-collector

Both services should show as active and running. If either service is not running, check the logs for errors before continuing.

Check logs for errors or warnings:

cd /opt/bluelance/lcollector/logs/general/

cd /opt/bluelance/web/server/logs/

[Your administrator should note any expected output or common first-run messages specific to your environment.]