Installing ElasticAgent with GPO

Hi all,

I'm looking to install elastic-agent 7.16 on several Windows PCs with a GPO; there could be too many EPs to install it manually.

I can't find any guide to do it, so I tried to do it myself by creating a PowerShell script to run with a Startup/Logon Script GPO.

My problem is that the installation seems to work and the C:\Program Files\Elastic\Agent folder is created at the end of the process, but the agent doesn't enroll to the Fleet Server and the C:\Program Files\Elastic\Agent\elastic-agent.exe symlink is not present, while the "C:\Program Files\Elastic\Agent\data\elastic-agent-d420cc\elastic-agent.exe" file is present.

I paste here the PowerShell script I created to deploy the agent. Can anybody help me? Has anybody installed the Elastic Agent en masse on domain-joined Windows PCs?

#Using PowerShell 5.0+

$file = '.\Elastic\Agent\elastic-agent.exe'
Set-Location $Env:ProgramFiles

if (-not (Test-Path -Path $file)) {

    Set-Location $Env:TEMP
    #Uncomment (this ↓) line if you need to download the zip file and comment the Copy-Item line
    # Invoke-WebRequest https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-7.16.3-windows-x86_64.zip -OutFile elastic-agent-7.16.3.zip
    Copy-Item "\\domaincontroller.local\SYSVOL\domaincontroller.local\scripts\Elastic\elastic-agent-7.16.3.zip" .\elastic-agent-7.16.3.zip
    Start-Sleep -s 15 #sleep to ensure previous job was completed
    Expand-Archive .\elastic-agent-7.16.3.zip -DestinationPath .
    Start-Sleep -s 5  #sleep to ensure previous job was completed
    Set-Location .\elastic-agent-7.16.3-windows-x86_64
    Start-Process -FilePath ".\elastic-agent.exe" -ArgumentList "install", "--url=https://fleet.domain.tld:port", "--enrollment-token=my_token", "--insecure", "--force" -Wait
    #↑ same as .\elastic-agent.exe install --url=https://fleet.domain.tld:port --enrollment-token=my_token --insecure --force
    Start-Sleep -s 10  #sleep to ensure previous job was completed
    #Remove files that are no longer needed
    Set-Location ..
    Remove-Item .\elastic-agent-7.16.3.zip
    Remove-Item .\elastic-agent-7.16.3-windows-x86_64 -Recurse

}
else {

    exit

}
1 Like

Edit:

I tried to manually launch the script in a PowerShell window and it works like a charm. But I need to deploy the agent using GPO because I need to install it on hundreds of PCs.

Hi
Do you have the actual output from the script?

There could be many reasons why it didn't enroll into Fleet. For example, not sure what Fleet URL was given as an argument or whether the token is valid.

Thanks
Nima

Hello Nima,

The Fleet URL and token are valid (I simply posted general names on this page, but in the script they are correct); in fact the script correctly installs Elastic Agent if I run it from PowerShell.

The problem is present when the script is executed by a Logon Script through a GPO.

Anyway, I post here the output of the same script when launched manually:

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\System32> cd $env:USERPROFILE\desktop
PS C:\Users\user\desktop> .\InstallElasticAgent.ps1
Set-Location $Env:TEMP
Copy-Item "\\domaincontroller.local\SYSVOL\domaincontroller.local\scripts\Elastic\elastic-agent-7.16.3.zip" .\elastic-agent-7.16.3.zip
Expand-Archive .\elastic-agent-7.16.3.zip -DestinationPath .
Set-Location .\elastic-agent-7.16.3-windows-x86_64
start-process -FilePath ".\elastic-agent.exe" -ArgumentList "install", "--url=https://fleet.url.tld:port", "--enrollment-token="token"--insecure", "--force" -Wait
2022-04-19T11:23:36.267+0200    WARN    [tls]   tlscommon/tls_config.go:98      SSL/TLS verifications disabled.
2022-04-19T11:23:36.820+0200    INFO    cmd/enroll_cmd.go:454   Starting enrollment to URL: https://fleet.url.tld:port/
2022-04-19T11:23:37.124+0200    WARN    [tls]   tlscommon/tls_config.go:98      SSL/TLS verifications disabled.
2022-04-19T11:23:43.467+0200    INFO    cmd/enroll_cmd.go:254   Successfully triggered restart on running Elastic Agent.
Successfully enrolled the Elastic Agent.
Elastic Agent has been successfully installed.
Set-Location ..
Remove-Item .\elastic-agent-7.16.3.zip
Remove-Item .\elastic-agent-7.16.3-windows-x86_64 -Recurse
PS C:\Users\user\AppData\Local\Temp>

You should probably try to fetch some output from that execution.
If there are no log files from the agent execution, maybe embed "Start-Transcript" in the script or use ErrorVariable in Start-Process or something.

I had an old script like that lying around in my lab.
Paid it a visit today as I need to enroll in prod soon.

Seems to work (even tried with 7.16.3 like your example).
Obviously it needs some error handling.
Using robocopy since I think some 2012 boxes with old WMF lack Expand-Archive (and it saves some disk allocation at scale as well :-p).

$source = "\\fleet-server\ea-extracted-share"
$destination = "c:\temp\elasticagent"

function GetAgent {
    robocopy $source $destination /S /E /MT:10 /W:1 /R:5
}

function InstallAgent {
    cd $destination
    Start-Process -FilePath ".\elastic-agent.exe" -ArgumentList "install", "--url=https://fleet.fqdn:port","--enrollment-token=<token>","-f" -Wait
    cd ..
    Start-Sleep -Seconds 5
    Remove-Item -Force -Recurse $destination
}

GetAgent
InstallAgent

Also, I leveraged this with an Immediate Scheduled Task (GPP) instead of a login script.
The script is still located in SYSVOL, but atm I'm pulling the agent files from the fleet-server (not suitable for production)...

2 Likes
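
A wrapper along the lines suggested in the replies above (Start-Transcript plus captured process output), as an added example that is not from any poster in this thread: it records the account and elevation state the script runs under when launched non-interactively, captures the installer's output and exit code, and checks the two symptoms described in the first post. The log folder, the CA file and the use of `--certificate-authorities` in place of `--insecure` are assumptions; the URL and token are placeholders as on the page.

```powershell
# Added example: diagnostic wrapper for a non-interactive (GPO / scheduled task) run.
# URL and token are placeholders; $logDir and $caFile are hypothetical paths.
$logDir   = Join-Path $Env:ProgramData 'ElasticAgentDeploy'   # hypothetical log folder
$agentDir = 'C:\temp\elasticagent'                            # extracted agent files, as in the reply above
$caFile   = Join-Path $agentDir 'fleet-ca.crt'                # hypothetical CA certificate for Fleet Server
$exitCode = 0

New-Item -ItemType Directory -Path $logDir -Force | Out-Null
Start-Transcript -Path (Join-Path $logDir "install-$Env:COMPUTERNAME.log") -Append

try {
    $ErrorActionPreference = 'Stop'

    # Record the security context the script actually runs in.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)
    Write-Output "Running as $($identity.Name); elevated: $isAdmin"
    if (-not $isAdmin) { throw 'Not elevated: installing the agent needs administrative rights.' }

    $installArgs = @(
        'install',
        '--url=https://fleet.fqdn:port',
        '--enrollment-token=<token>',
        "--certificate-authorities=$caFile",   # verify Fleet Server's certificate instead of --insecure
        '--force'
    )
    # Keep the installer's stdout/stderr, which a GPO-launched run would otherwise discard.
    $proc = Start-Process -FilePath (Join-Path $agentDir 'elastic-agent.exe') `
        -ArgumentList $installArgs -Wait -PassThru -NoNewWindow `
        -RedirectStandardOutput (Join-Path $logDir 'agent-stdout.log') `
        -RedirectStandardError  (Join-Path $logDir 'agent-stderr.log')
    Write-Output "elastic-agent.exe install exit code: $($proc.ExitCode)"
    if ($proc.ExitCode -ne 0) { throw "Install failed with exit code $($proc.ExitCode)" }

    # Post-install checks: installed binary path and Windows service.
    $installed = Join-Path $Env:ProgramFiles 'Elastic\Agent\elastic-agent.exe'
    Write-Output "Installed binary present: $(Test-Path -Path $installed)"
    Get-Service -Name 'Elastic Agent' | Format-List Name, Status, StartType
}
catch {
    Write-Output "ERROR: $_"
    $exitCode = 1
}
finally {
    Stop-Transcript
}
exit $exitCode
```

The enrollment token sits in clear text in any script stored on SYSVOL, which domain users can read, so scope the token to a dedicated agent policy and revoke it once the rollout is done.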

Hi slash24,

Apologies for the late response; I was able to try the policy settings and the script just today.

It worked like a charm!!

Many thanks

1 Like