Elastic Explained: How To Deploy Elastic Agent on Windows with Microsoft Intune

This guide details how to deploy Elastic Agent on Windows using Intune. For macOS, please use my companion guide.

Using Elastic Agent with Elastic SIEM is a great way to secure and monitor your environment. Not only does it provide full endpoint security capabilities, it’s great for analyzing your Zeek logs and monitoring your Microsoft 365 cloud. Beyond that, there are plenty of other great use cases.

In this guide, we’ll walk through step-by-step how to deploy Elastic Agent in your Intune-managed enterprise so you can start securing and monitoring your environment.

Create .intunewin file

First, we must create a Win32 app package that Intune can deploy to our Windows systems. We’ll do this by using the Microsoft Win32 Content Prep Tool to package the Elastic Agent installation files and create a .intunewin file.

  1. Download the latest version of Elastic Agent for Windows and unzip it.
    For example, if you unzipped this to your Desktop, it should be saved to C:\Users\EricOoi\Desktop\elastic-agent-8.0.0-windows-x86_64.
  2. Download Microsoft Win32 Content Prep Tool and unzip it.
    For example, if you unzipped this to your Desktop, it should be saved to C:\Users\EricOoi\Desktop\Microsoft-Win32-Content-Prep-Tool-master.
  3. Open a Command Prompt or Windows Terminal window and navigate to the folder with the Win32 Content Prep Tool.
  4. Assuming both Elastic Agent and Microsoft Win32 Content Prep Tool are unzipped to your Desktop as in the steps above, execute the following command to create the .intunewin file.
    IntuneWinAppUtil -c <setup_folder> -s <source_setup_file> -o <output_folder>

    Using our example, we would specifically type:

    IntuneWinAppUtil.exe -c C:\Users\EricOoi\Desktop\elastic-agent-8.0.0-windows-x86_64\ -s C:\Users\EricOoi\Desktop\elastic-agent-8.0.0-windows-x86_64\elastic-agent.exe -o C:\Users\EricOoi\Desktop\
  5. You should now have a file named elastic-agent.intunewin on your Desktop. Let’s rename this to include the version number so we are clear on which version we are deploying (e.g., elastic-agent-8-0-0.intunewin).
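The five packaging steps above, as an added PowerShell script that is not part of the original post. It assumes the Elastic artifact download URL and its published .sha512 file (used to verify the archive before it is packaged for fleet-wide deployment), that IntuneWinAppUtil.exe is already unzipped to the path in $PrepTool, and that the version string matches the release you intend to deploy.

```powershell
# Added example (not from the original post): download, verify and package
# Elastic Agent into a versioned .intunewin file. Assumes the artifact URL
# pattern below and the $PrepTool path; adjust $Version for your deployment.
param(
    [string]$Version  = '8.0.0',
    [string]$WorkDir  = "$env:USERPROFILE\Desktop",
    [string]$PrepTool = "$env:USERPROFILE\Desktop\Microsoft-Win32-Content-Prep-Tool-master\IntuneWinAppUtil.exe"
)
$ErrorActionPreference = 'Stop'

$name = "elastic-agent-$Version-windows-x86_64"
$zip  = Join-Path $WorkDir "$name.zip"
$url  = "https://artifacts.elastic.co/downloads/beats/elastic-agent/$name.zip"

# Step 1: download the release and its SHA-512 checksum file ("<hash>  <filename>").
Invoke-WebRequest -Uri $url -OutFile $zip
Invoke-WebRequest -Uri "$url.sha512" -OutFile "$zip.sha512"

# Verify the archive matches the published hash before anything is built from it.
$expected = (Get-Content "$zip.sha512" -Raw).Split(' ')[0].Trim().ToLower()
$actual   = (Get-FileHash -Path $zip -Algorithm SHA512).Hash.ToLower()
if ($expected -ne $actual) {
    throw "SHA-512 mismatch for $zip (expected $expected, got $actual)"
}

# The zip contains a top-level folder, so this yields Desktop\elastic-agent-<ver>-windows-x86_64.
Expand-Archive -Path $zip -DestinationPath $WorkDir -Force
$setupFolder = Join-Path $WorkDir $name
$setupFile   = Join-Path $setupFolder 'elastic-agent.exe'
if (-not (Test-Path $setupFile)) { throw "elastic-agent.exe not found in $setupFolder" }

# Step 4: build the package (-q runs the prep tool without interactive prompts).
& $PrepTool -c $setupFolder -s $setupFile -o $WorkDir -q
$out = Join-Path $WorkDir 'elastic-agent.intunewin'
if (-not (Test-Path $out)) { throw "IntuneWinAppUtil did not produce $out" }

# Step 5: rename the output to carry the version, e.g. elastic-agent-8-0-0.intunewin.
$final = Join-Path $WorkDir ("elastic-agent-{0}.intunewin" -f ($Version -replace '\.', '-'))
Move-Item -Path $out -Destination $final -Force
Write-Host "Package ready: $final"
```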

Create The Intune App Deployment

With our .intunewin package ready to go, let’s configure the settings needed to deploy and install Elastic Agent on our Windows systems. We’ll define the install/uninstall commands and the groups we want to deploy to.

  1. Navigate to https://endpoint.microsoft.com/ and click on Apps in the left menu.
  2. Click on Windows in the Apps | Overview left menu.
  3. Click on + Add to add a new deployment configuration.
  4. A menu will appear asking for App type, select Windows app (Win32) and click Select at the bottom.
  5. In the Add App menu, click on Select app package file.
  6. In the App package file menu, click on the blue folder icon and select the elastic-agent-8-0-0.intunewin file that we just created. Then click OK.
  7. Complete the App information section. Only the Name, Description, and Publisher fields are required. Click Next at the bottom when finished.
  8. Complete the Program section. Click Next at the bottom when finished.
    Install command
    elastic-agent.exe install -f --url=https://<your-elastic-url> --enrollment-token=<your-enrollment-token>

    Note: You can find your Elastic Fleet server URL and enrollment token in Kibana by clicking on Fleet under Management in the left menu. Next, click on Add agent and select the Agent policy you want deployed. This will display a command that includes the URL and enrollment token.

    Uninstall command
    "C:\Program Files\Elastic\Agent\elastic-agent.exe" uninstall -f

    Install behavior

    Device restart behavior
    No specific action

  9. Complete the Requirements section. Click Next at the bottom when finished.
  10. Complete the Detection rules section. For Rules format, select Manually configure detection rules, and then click + Add. In the Detection rule menu that appears, configure the following and click OK when finished. Then click Next at the bottom.
    Rule type
    File
    Path
    C:\Program Files\Elastic\Agent\
    File or folder
    elastic-agent.exe
    Detection method
    File or folder exists
    Associated with a 32-bit app on 64-bit clients
    No
  11. Click Next at the bottom to skip the Dependencies section.
  12. Click Next at the bottom to skip the Supersedence section.
  13. Complete the Assignments section. Under the Required section, click on one of + Add group, + Add all users, or + Add all devices to assign the application as needed. You’ll want to first create an Azure AD pilot group to test this deployment. Upon selecting a group, click on + Included and, in the Edit assignment menu, adjust the settings as needed.
    Click Next at the bottom when finished. Once everything is working as expected, you can then deploy to a broader group.
  14. In the Review + create section, look over the settings one more time. Once you’re ready, click Create at the bottom to create the application deployment.

That’s it! Once your systems start checking in, you’ll see them appear in Fleet inside of Kibana. Happy deploying!
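To confirm on a managed device that the detection rule above would match and that the agent actually enrolled, here is an added PowerShell check that is not part of the original post. It assumes the default install path from the detection rule, that the Windows service is named "Elastic Agent", and that a non-zero exit code from elastic-agent status means the agent is not healthy.

```powershell
# Added example (not from the original post): verify the Intune detection
# predicate and the agent's real state on a device. Assumptions: default
# install path, service name "Elastic Agent", non-zero status exit = unhealthy.
$AgentExe    = 'C:\Program Files\Elastic\Agent\elastic-agent.exe'
$ServiceName = 'Elastic Agent'
$problems    = @()

# 1. The same predicate the manual detection rule evaluates: the file exists.
if (-not (Test-Path -Path $AgentExe -PathType Leaf)) {
    $problems += "Detection rule would fail: $AgentExe not found"
}

# 2. A file-exists rule passes even when the service is stopped, so check it too.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $problems += "Service '$ServiceName' is not installed"
} elseif ($svc.Status -ne 'Running') {
    $problems += "Service '$ServiceName' is $($svc.Status), expected Running"
}

# 3. Ask the agent whether it is connected to Fleet; the text is for humans,
#    the exit code is what this script relies on.
if (Test-Path -Path $AgentExe -PathType Leaf) {
    $status = & $AgentExe status 2>&1
    if ($LASTEXITCODE -ne 0) {
        $problems += "elastic-agent status returned $LASTEXITCODE`n$status"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: Elastic Agent installed, running and reporting healthy"
    exit 0
}
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

Because it writes to STDOUT and exits 0 only when all three checks pass, the same script can be used as an Intune custom detection script in place of the manual file rule, so a device is reported as "installed" only when the agent is actually running.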
