Deploy Elastic Agent with Microsoft Intune

In my previous story I shared how any organisation can go from having zero security visibility to having a wealth of contextual information in less than a day.
In this article I’m going to share a small PowerShell script that can be used with any management tool to deploy Elastic Agent to a whole fleet of Windows systems. Using this tool, an administrator can easily deploy Elastic Agent to 10 or 1000 systems without breaking a sweat!
Here is an overview of what the script does:
- Checking to see if it has run before and if the deployment version is current (using the registry)
- Downloading and installing Elastic Agent
- Enrolling the system using an enrolment token
Here is the link to the script on GitHub:
Assuming you have a fleet of Windows systems enrolled in Microsoft Intune (and you have the Elastic Stack up and running, either in Elastic Cloud or on-prem), you will need to:
1. Grab an enrolment token and fleet server URL from Kibana > Fleet
2. Modify the $enrollmentToken and $fleetUrl variables in the script
3. Add and upload the script under Devices > Scripts in Microsoft Endpoint Manager admin centre (https://endpoint.microsoft.com)
4. Assign it to an Azure Active Directory security group (use a pilot group first in a test environment!)
Once you’ve done that, your endpoints will start to appear in Kibana under Fleet > Agents!
Now you can get busy designing detection rules that will provide you with accurate, relevant and actionable information about the security posture of your fleet!
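
The three steps from the overview (registry check, download and install, enrolment), written out as an added example that is not the author's GitHub script. The registry key, staging directory and `$deploymentVersion` are hypothetical, the angle-bracket values are placeholders to fill in, and the SHA-512 comparison against the checksum file published beside the download is an addition the overview does not mention.

```powershell
# Added example, not the author's script. Angle-bracket values are placeholders.
$ErrorActionPreference = 'Stop'
$enrollmentToken   = '<enrollment-token>'   # placeholder: Kibana > Fleet
$fleetUrl          = '<fleet-server-url>'   # placeholder: Kibana > Fleet
$agentVersion      = '<agent-version>'      # placeholder: agent version to deploy
$deploymentVersion = '1'                    # hypothetical: bump to make the fleet re-run
$regPath           = 'HKLM:\SOFTWARE\ElasticAgentDeploy'   # hypothetical marker key

# 1. Exit early if this deployment version has already been applied.
$marker = Get-ItemProperty -Path $regPath -Name 'DeploymentVersion' -ErrorAction SilentlyContinue
if ($marker -and $marker.DeploymentVersion -eq $deploymentVersion) { exit 0 }

# 2. Download the agent and its published SHA-512, and compare before unpacking.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$name    = "elastic-agent-$agentVersion-windows-x86_64"
$url     = "https://artifacts.elastic.co/downloads/beats/elastic-agent/$name.zip"
$workDir = Join-Path $env:TEMP ([Guid]::NewGuid().ToString())   # fresh staging directory
$zipPath = Join-Path $workDir "$name.zip"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
try {
    Invoke-WebRequest -Uri $url -OutFile $zipPath -UseBasicParsing
    Invoke-WebRequest -Uri "$url.sha512" -OutFile "$zipPath.sha512" -UseBasicParsing
    # The checksum file holds "<hex digest>  <file name>"; keep the digest only.
    $expected = ((Get-Content "$zipPath.sha512" -Raw).Trim() -split '\s+')[0]
    $actual   = (Get-FileHash -Path $zipPath -Algorithm SHA512).Hash
    if ($actual -ne $expected) { throw "SHA-512 mismatch for $name.zip" }

    # 3. Install and enrol; the install command registers the Windows service.
    Expand-Archive -Path $zipPath -DestinationPath $workDir -Force
    $exe = Join-Path $workDir "$name\elastic-agent.exe"
    & $exe install --non-interactive --url $fleetUrl --enrollment-token $enrollmentToken
    if ($LASTEXITCODE -ne 0) { throw "elastic-agent install failed with exit code $LASTEXITCODE" }

    # 4. Record success only after enrolment, so a failed run is retried next time.
    New-Item -Path $regPath -Force | Out-Null
    Set-ItemProperty -Path $regPath -Name 'DeploymentVersion' -Value $deploymentVersion
}
finally {
    # Remove the staged archive and unpacked files whether or not the run succeeded.
    Remove-Item -Path $workDir -Recurse -Force -ErrorAction SilentlyContinue
}
```

Because the enrolment token is embedded in the script, anyone who can read the script can enrol agents with it; revoke the token in Kibana > Fleet if it is exposed.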