How to Deploy Elastic Agent on Windows with Microsoft Endpoint Manager (Intune)

You can also read our companion blog on how to deploy Elastic Agent on macOS.

If you’re using Elastic SIEM to monitor your infrastructure, then you probably know about Elastic Agent. If you haven’t yet tried it out, there are a lot of great use cases for it including:

  • Full endpoint security (EPP/EDR) solution
  • Easily capture Windows event logs
  • Query systems via osquery

Aside from the endpoint-specific use cases, you can also use it to secure your Microsoft cloud environment.

Unfortunately, deploying Elastic Agent is not trivial: Elastic ships the Windows agent as a ZIP file rather than an MSI, and Microsoft Endpoint Manager / Intune has no native way to deploy and install an app delivered as a ZIP. Fortunately, we’ve worked through these challenges and come up with the solution we walk through below.

Create .intunewin file

First, we must create a Win32 app package that Intune can use to deploy to our Windows systems. We’ll do this by using Microsoft’s Win32 Content Prep Tool to package the Elastic Agent installation files and create a .intunewin file.

  1. Download the latest version of Elastic Agent for Windows and unzip it. For example, if you unzipped this to your Desktop, it should be saved to C:\Users\IronVine\Desktop\elastic-agent-8.0.0-windows-x86_64.
  2. Download Microsoft Win32 Content Prep Tool and unzip it. For example, if you unzipped this to your Desktop it should be saved to C:\Users\IronVine\Desktop\Microsoft-Win32-Content-Prep-Tool-master.
  3. Open a Command Prompt or Windows Terminal window and navigate to the folder with the Win32 Content Prep Tool.
  4. Assuming both Elastic Agent and Microsoft Win32 Content Prep Tool are unzipped to your Desktop as in the steps above, execute the following command to create the .intunewin file.
    IntuneWinAppUtil -c <setup_folder> -s <source_setup_file> -o <output_folder>

    Using our example, we would specifically type:

    IntuneWinAppUtil.exe -c C:\Users\IronVine\Desktop\elastic-agent-8.0.0-windows-x86_64\ -s C:\Users\IronVine\Desktop\elastic-agent-8.0.0-windows-x86_64\elastic-agent.exe -o C:\Users\IronVine\Desktop\
  5. You should now have a file named elastic-agent.intunewin on your Desktop. Rename it to include the version number so it is clear which version you are deploying (e.g., elastic-agent-8-0-0.intunewin).
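The steps above can be scripted so that the package is always built from a pinned release whose SHA-512 has been checked against the value Elastic publishes, which matters because whatever ends up in the .intunewin file will later run as SYSTEM on every targeted device. The following PowerShell script is an added example written for this post; it is not part of Elastic's or Microsoft's tooling. It assumes the artifacts.elastic.co download URL pattern and the ".sha512" sidecar file (verify both against Elastic's download page for your version), and that IntuneWinAppUtil.exe is already unzipped under the tool folder from step 2.

```powershell
# Added example: download a pinned Elastic Agent release, verify its published
# SHA-512, extract it and package it into a versioned .intunewin file.
# Assumptions (not from the original post): the artifacts.elastic.co URL pattern,
# the ".sha512" sidecar file format ("<hex>  <filename>"), and the tool folder path.
param(
    [string]$Version = '8.0.0',
    [string]$WorkDir = "$env:USERPROFILE\Desktop",
    [string]$ToolDir = "$env:USERPROFILE\Desktop\Microsoft-Win32-Content-Prep-Tool-master"
)
$ErrorActionPreference = 'Stop'

$name    = "elastic-agent-$Version-windows-x86_64"
$zip     = Join-Path $WorkDir "$name.zip"
$baseUrl = 'https://artifacts.elastic.co/downloads/beats/elastic-agent'   # assumed URL pattern

Invoke-WebRequest -Uri "$baseUrl/$name.zip"        -OutFile $zip
Invoke-WebRequest -Uri "$baseUrl/$name.zip.sha512" -OutFile "$zip.sha512"

# Compare the published digest with the downloaded file before anything is unpacked.
# PowerShell's -ne on strings is case-insensitive, so upper/lower-case hex both match.
$expected = (Get-Content -Path "$zip.sha512" -Raw).Split(' ')[0].Trim()
$actual   = (Get-FileHash -Path $zip -Algorithm SHA512).Hash
if ($actual -ne $expected) {
    throw "SHA-512 mismatch for ${zip}: expected $expected, got $actual"
}

# Extract into a clean folder so files left over from an earlier version cannot be packaged.
$setup = Join-Path $WorkDir $name
if (Test-Path -Path $setup) { Remove-Item -Path $setup -Recurse -Force }
Expand-Archive -Path $zip -DestinationPath $WorkDir

# Same invocation as the manual step: -c setup folder, -s setup executable, -o output folder, -q quiet.
& (Join-Path $ToolDir 'IntuneWinAppUtil.exe') -c $setup -s (Join-Path $setup 'elastic-agent.exe') -o $WorkDir -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil.exe failed with exit code $LASTEXITCODE" }

# The tool names its output after the setup file; rename it so the version is obvious in Intune.
$out = Join-Path $WorkDir ("elastic-agent-{0}.intunewin" -f ($Version -replace '\.', '-'))
Move-Item -Path (Join-Path $WorkDir 'elastic-agent.intunewin') -Destination $out -Force
Write-Host "Created $out"
```

Run it from a PowerShell prompt as `.\Build-ElasticAgentPackage.ps1 -Version 8.0.0` (the file name is our choice). The hash check is the important part: a download that fails verification stops the script before the package is built, and the version-stamped output file name makes it easy to see which release each Intune app contains.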

Create Microsoft Endpoint Manager App Deployment

With our .intunewin package ready to go, let’s configure the settings needed to deploy and install Elastic Agent to our Windows systems. We’ll define the install/uninstall commands and the groups to which we want to deploy to.

  1. Authenticate to M365, navigate to https://endpoint.microsoft.com/, and click on Apps in the left menu.
  2. Click on Windows in the Apps | Overview left menu.
  3. Click on + Add to add a new deployment configuration.
  4. A menu will appear asking for App type, select Windows app (Win32), and click Select at the bottom.
  5. In the Add App menu, click on Select app package file.
  6. In the App package file menu, click on the blue folder icon and select the elastic-agent-8-0-0.intunewin file that we just created. Then click OK.
  7. Complete the App information section. Only the Name, Description, and Publisher fields are required. Click Next at the bottom when finished.
  8. Complete the Program section. Click Next at the bottom when finished.

    • Install command
      elastic-agent.exe install -f --url=https://<your-elastic-url> --enrollment-token=<your-enrollment-token>
      Note: You can get your Fleet Server URL and enrollment token in Kibana by clicking Fleet under Management in the left menu, then Add agent, and selecting the agent policy you want deployed; the command Kibana displays contains both values. The -f flag makes the install non-interactive, which is required because Intune runs the command as SYSTEM with no console to answer prompts. Two caveats: the enrollment token is a credential, and anyone who can read the app's properties in Intune can see it, so revoke it in Fleet (Fleet, then Enrollment tokens) once the rollout is complete if you do not want it reused; and the URL must be HTTPS with a certificate the endpoint already trusts, otherwise enrollment fails. If Fleet Server uses a private CA, add --certificate-authorities=<path-to-ca.pem> (for example a PEM file included in the package folder) rather than --insecure.
    • Uninstall command
      "C:\Program Files\Elastic\Agent\elastic-agent.exe" uninstall -f
    • Install behavior
      System
    • Device restart behavior
      No specific action
  9. Complete the Requirements section. Click Next at the bottom when finished.
  10. Complete the Detection rules section. For Rules format, select Manually configure detection rules, and then click + Add.

    In the Detection rule menu that appears, configure the following and click OK when finished. Then click Next at the bottom when finished.

    • Rule type
      File
    • Path
      C:\Program Files\Elastic\Agent\
    • File or folder
      elastic-agent.exe
    • Detection method
      File or folder exists
    • Associated with a 32-bit app on 64-bit clients
      No
  11. Click Next at the bottom to skip the Dependencies section.
  12. Click Next at the bottom to skip the Supersedence section.
  13. Complete the Assignments section. Under the Required section click on one of + Add group, + Add all users, or + Add all devices to assign the application as needed.

    We recommend that you create an Azure AD pilot group to test this deployment. Upon selecting a group, click on + Included and in the Edit assignment menu, adjust the settings as needed.

    Once everything is working as expected, you can then deploy to a broader group. Click Next at the bottom when finished.
  14. In the Review + create section, look over the configured settings one more time. Once you’re ready, click Create at the bottom to create the application deployment.
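The file-exists detection rule in step 10 only proves that the binary was copied to disk; it will report success on a device where the service never started or enrollment failed, and Intune will then stop retrying. Intune's Detection rules section also offers "Use a custom detection script", which treats the app as installed only when the script exits 0 and writes something to stdout. The script below is an added example for that option, written for this post rather than taken from Elastic or Microsoft. It assumes the default install path used above and that the agent registers its Windows service as "Elastic Agent" (confirm both with Get-Service and Test-Path on a host where you installed the agent by hand).

```powershell
# Added example: Intune custom detection script for Elastic Agent.
# Intune rule: exit code 0 plus any stdout output = detected; anything else = not detected.
# Assumptions (not from the original post): install path and service name "Elastic Agent";
# verify both on a manually installed test host before relying on this.
$exe     = 'C:\Program Files\Elastic\Agent\elastic-agent.exe'
$svcName = 'Elastic Agent'

# 1. The binary must exist (this is what the file rule in the post checks).
if (-not (Test-Path -Path $exe -PathType Leaf)) {
    exit 1
}

# 2. The service must be registered and actually running, not merely installed.
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if ($null -eq $svc -or $svc.Status -ne 'Running') {
    exit 1
}

# 3. Ask the agent itself. "elastic-agent status" talks to the running daemon over its
#    local control socket and exits non-zero when it cannot reach it or the agent reports
#    a failed state (assumed behaviour; check the exit code on your test host).
& $exe status | Out-Null
if ($LASTEXITCODE -ne 0) {
    exit 1
}

# All checks passed: tell Intune the app is present.
Write-Output "Elastic Agent installed, service running, daemon healthy"
exit 0
```

When you select this script in Intune, set "Run script as 32-bit process on 64-bit clients" to No and leave "Enforce script signature check" at your organization's standard. Because detection runs again on every check-in, a device whose agent service has been stopped or removed will flip back to "not detected" and Intune will reinstall it, which the plain file-exists rule cannot do.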

That’s it! Once your systems start checking in, you’ll see them appear in Fleet inside of Kibana. Happy deploying!