Installing Elastic Agent with GPO

riahc3 · August 9, 2024, 9:30am

Im looking to deploy Elastic Agent via a GPO.

What is the best way to do it? It should autoenroll onto Fleet without any manual token needed

lesio · August 9, 2024, 10:12am

I think the msi is what you're looking for

Install Elastic Agent from an MSI package | Fleet and Elastic Agent Guide [8.15] | Elastic

riahc3 · August 9, 2024, 10:15am

Several questions:

1: Is some kind of autoenrollement supported? Where I do not have to provide a token?

2: Can I upgrade/update thru Fleet even if the first time I install it thru MSI?

Thank you

lesio · August 9, 2024, 10:56am

1: No.

Perhaps you can deploy Agents, let them sit dormant initially, then enroll them from command line via other means

Elastic Agent command reference | Fleet and Elastic Agent Guide [8.15] | Elastic

2: That's what the documentation implies. I haven't tried it yet myself nor developed the MSI.

Install Elastic Agent from an MSI package | Fleet and Elastic Agent Guide [8.15] | Elastic

riahc3 · August 9, 2024, 10:59am

Yeah, thats not gonna work.

I need to silently and automatically enroll them

Yeah, it seemed weird Fleet could manage them but

riahc3 · August 9, 2024, 11:24am

For example:

Start-Process -FilePath "msiexec.exe" -ArgumentList '/i', 'elastic-agent-8.13.4-windows-x86_64.msi', 'INSTALLARGS="--url=http://fleetserver.domain.local:8220 --enrollment-token=VnJKUUlwRUJHNlRB30Jjb3M4TzIfbW52L2lNZaFRNbJq2lA41m9vq0MWZw== --insecure --force"', '/quiet', '/norestart', '-L*V', 'elasticlog.txt' -Wait -NoNewWindow

Running that, makes the folders but no data/agent/services/files/etc. Looking at the log doesnt show anything except that it cannot be enrolled.

gabriel.landau · August 9, 2024, 4:01pm

I was able to reproduce something similar by disconnecting the NIC, breaking Agent's ability to enroll.

PS C:\Users\user\Desktop> $ARGLIST = @(
>>     '/i',
>>     'elastic-agent-8.13.4-windows-x86_64.msi',
>>     'INSTALLARGS="--url=URL --enrollment-token=TOKEN --insecure --force"',
>>     '/quiet',
>>     '/norestart',
>>     '/l*v', 'elasticlog.txt'
>>     )
PS C:\Users\user\Desktop> Start-Process "C:\Windows\System32\msiexec.exe" $ARGLIST -Wait -NoNewWindow
PS C:\Users\user\Desktop> Get-Process elastic-agent
Get-Process : Cannot find a process with the name "elastic-agent". Verify the process name and call the cmdlet again.
At line:1 char:1
+ Get-Process elastic-agent
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (elastic-agent:String) [Get-Process], ProcessCommandException
    + FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell.Commands.GetProcessCommand

PS C:\Users\user\Desktop> dir 'C:\Program Files\Elastic\Beats\8.13.4\elastic-agent\'


    Directory: C:\Program Files\Elastic\Beats\8.13.4\elastic-agent


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          8/9/2024   8:40 AM                data
-a----          8/9/2024   8:39 AM              0 fleet.enc.lock

If I reconnect the NIC, Agent successfully enrolls and installs:

PS C:\Users\user\Desktop> $ARGLIST = @(
>>     '/i',
>>     'elastic-agent-8.13.4-windows-x86_64.msi',
>>     'INSTALLARGS="--url=URL --enrollment-token=TOKEN --insecure --force"',
>>     '/quiet',
>>     '/norestart',
>>     '/l*v', 'elasticlog.txt'
>>     )
PS C:\Users\user\Desktop> Start-Process "C:\Windows\System32\msiexec.exe" $ARGLIST -Wait -NoNewWindow
PS C:\Users\user\Desktop> Get-Process elastic-agent

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    253      22    30988      45272       0.36  10768   0 elastic-agent


PS C:\Users\user\Desktop> Get-Process elastic-endpoint

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    513      23    13704      14256       0.31  10292   0 elastic-endpoint

Given that, it sounds like you have an issue with Agent enrollment, not an issue specific to the MSI. To simplify your debugging, you could debug the enrollment issue using the regular 8.13.4 zip.

gabriel.landau · August 9, 2024, 4:49pm

I just created a PowerShell script to embed INSTALLARGS into the MSI, giving you another way to achieve this. If you're interested, feel free to give it a try.
Personalize-ElasticAgentMSI.ps1 · GitHub

strawgate · August 13, 2024, 3:20pm

I would recommend creating an MST via a tool like ORCA to embed the INSTALLARGS property. This will allow customization in a way that is deployable via GPO while retaining the MSI signature.

If I have some time I can produce an example w/ instructions

riahc3 · August 21, 2024, 10:55am

Yes, if you could, please give a example. I tried it as well with that and nothing.

Thank you very much @strawgate

riahc3 · August 21, 2024, 10:59am

Im gonna try this out as well. Thank you

strawgate · August 21, 2024, 2:03pm

Running an MSI with an MST by command line:

msiexec /i elastic-agent-8.15.0-windows-x86_64.msi /qb TRANSFORMS="enroll-elastic-agent.mst"

Applying an MST with installing an MSI via GPO

In the GPO, under the modifications tab, add the MST to have Windows apply the MST during MSI installation.

Making an MST

Download ORCA Orca.exe - Win32 apps | Microsoft Learn and open the MSI with ORCA. At the top press, Transform and then New Transform.

Navigate to the Property table on the left-hand side of ORCA:

Right click on the right hand side and press Add Row and set the Property to INSTALLARGS and the Value to your installation arguments:

and press OK.

Now at the top press Transform and then Generate Transform, save the MST and close ORCA.

Notes

Installation of the MSI will fail if the Fleet server cannot be reached or enrollment fails during installation. You can add --delay-enroll to the INSTALLARGS to separate installation from enrollment though enrollment may not proceed until the service is manually started or the system is rebooted.

gabriel.landau · August 21, 2024, 2:27pm

You may have missed this comment at the bottom of a prior post:

riahc3 · August 22, 2024, 12:03pm

I tried with this one editing Property and adding INSTALLARGS with these (example) values and it worked pretty fine:

--url=https://thenameofserver:8220 --enrollment-token=ksjdfgsdfgfdgdsfgfdsgfdsgsfdgfdsgsfdgfdsgsfdgsfdgsdfgdfdgvvvvvvvfZw== --insecure --delay-enroll

There are a couple of gotchas to this:

If you reploy software via GPO, later there is issues with reinstallation.
1: Run the MSI manually. It will say to remove the Elastic Agent. Remove it.
2: SOMETIMES the service stays installed. Stop the service and remove it via cmd as admin:
sc remove "Elastic Agent"
3: Same thing with the installation files. Go to C:\Program Files\Elastic and just delete the folder of Elastic
4: In regedit, go to HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt you should have a key, that references to Elastic Agent. Delete the entire key.
5: Run a gpupdate /force and it will ask you to reboot.
6: After this, look at services. Elastic Agent should be present.
7: Reboot again. Once you reboot, the Elastic Agent service should start up (at this point, you can start it manually as well if you want) and it should register with Fleet.

system · September 19, 2024, 12:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Installing ElasticAgent with GPO Endpoint Security windows-installer , elastic-agent	6	3092	June 8, 2022
Install Elastic Agent 8.12 via SCCM Elastic Agent	7	533	February 28, 2024
Elastic Agent silent install Elastic Agent	3	2075	June 12, 2023
Fleet managed elastic agent enrolled as standalone via AzDo pipeline Beats fleet , elastic-agent	4	402	August 16, 2021
Enrolling elastic-agent, the production-ready way? Elastic Agent	6	965	August 2, 2023

Installing Elastic Agent with GPO

Running an MSI with an MST by command line:

Applying an MST with installing an MSI via GPO

Making an MST

Notes

Related Topics