Prerequisites
Prior to deploying the Elastic Endpoint Security sensor, please ensure you have accounted for the following items:
Configure the necessary network connectivity
The Elastic Endpoint Security sensor communicates with an Elastic server using bidirectionally authenticated Transport Layer Security (TLS) via port 443. All communications are outbound, sensor-to-server.
You can find your Elastic server's sensor check-in address by clicking Endpoints > Deploy sensors > Windows > Endgame.
Please be sure that this address is authorized at network egress points and that traffic is not subject to manipulation or TLS interception.
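The following is an added example, not part of the Elastic documentation: a check run from a representative endpoint to confirm that outbound port 443 reaches the check-in address and that the certificate presented is the one you expect rather than one re-issued by an inspecting proxy. `$CheckInHost` and `$ExpectedThumbprint` are placeholders; the expected thumbprint is assumed to have been recorded over a network path known to be uninspected.

```powershell
# Added example: egress and TLS-interception check for the sensor check-in address.
# Both parameters are placeholders; the script only reads the server certificate.
param(
    [string]$CheckInHost        = '<host name of your sensor check-in address>',
    [string]$ExpectedThumbprint = '<thumbprint recorded over an uninspected path>'
)

$script:presented = $null
$script:chainErrors = $null
# Capture whatever certificate the far end presents and let the handshake continue
# so it can be inspected; the comparison below is what decides pass or fail.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($source, $cert, $chain, $sslErrors)
    if ($cert) {
        $script:presented = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cert)
    }
    $script:chainErrors = $sslErrors
    $true
}

$tcp = [System.Net.Sockets.TcpClient]::new()
$ssl = $null
try {
    $tcp.Connect($CheckInHost, 443)   # throws here if outbound 443 is blocked
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($CheckInHost)
    } catch {
        # The server authenticates clients too, so it may end the handshake because
        # this probe offers no client certificate. If the callback ran first, the
        # server certificate is already captured.
        Write-Verbose "Handshake did not complete: $($_.Exception.Message)"
    }
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}

if (-not $script:presented) { throw "No server certificate received from $CheckInHost" }
[pscustomobject]@{
    Host            = $CheckInHost
    Subject         = $script:presented.Subject
    Issuer          = $script:presented.Issuer
    Thumbprint      = $script:presented.Thumbprint
    ChainErrors     = $script:chainErrors     # None does not rule out a trusted proxy CA
    MatchesExpected = $script:presented.Thumbprint -eq ($ExpectedThumbprint -replace '\s', '')
}
```

A `MatchesExpected` of `False` means the endpoint is not seeing the certificate you recorded; an `Issuer` naming an internal or proxy CA points to TLS inspection on that path.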
Installing Elastic Endpoint Security using a deployment tool
Use this installation method if you want to automate silent installations on many devices, including installations via a deployment tool such as Windows System Center Configuration Manager (SCCM).
To automatically install the Elastic Endpoint Security sensor for Windows:
- Log in to your Elastic Endpoint Security platform.
- Click Settings > Sensor > Download Profile to download the sensor installer/uninstaller profile.
- Make a note of the API key for the downloaded profile.
- Copy these two files to your preferred SCCM content folder:
SensorWindowsInstaller-<sensor profile name>.exe
SensorWindowsInstaller-<sensor profile name>.cfg
- Load the System Center Configuration Manager.
- Select the Software Library.
- Open the Specify Settings for this application page and click Manually Specify the application information.
- Click Next.
- Enter a name for the application.
- Click Next twice, skipping the Application Catalog.
- On the Deployment Types screen, click Add.
- Click Manually specify the deployment type information.
- Click Next.
- Enter a name for the application.
- Click Next.
- On the Content page, enter the following information:
- Content Location: UNC path to the files from Step 2 above.
- Installation Program:
SensorWindowsInstaller-<sensor profile name>.exe -c SensorWindowsInstaller-<sensor profile name>.cfg -k <API_Key_from_UI> -l install.txt
- Uninstall Program:
SensorWindowsInstaller-<sensor profile name>.exe -c SensorWindowsInstaller-<sensor profile name>.cfg -u force -l uninstall.txt
Note: The -l option creates a log file of the install/uninstall, which is useful for troubleshooting. The -l option may be omitted if desired. The log files will be found in c:\Windows\ccmcache or c:\Program Files\SMS_CCM on the endpoint.
- Click Next.
- Click Add Clause.
- Enter the method to detect if a sensor is already installed on the host:
- Setting Type: File System
- Path: C:\Program Files\Endgame
- File: esensor.exe
- "The file system setting must satisfy the following rule to indicate the presence of this application":
Property: Version
Operator: Equals
Value: 3.55.1 (update accordingly for the sensor version being used in your environment)
- Click OK.
- Click Next.
- On the User Experience page, make the following selections:
- Installation Behavior: Install for System
- Login Requirement: Whether or not a user is logged on
- Click Next through the next three screens (includes “Requirements” and “Dependencies”).
- Review the settings on the Summary Page and close the deployment wizard.
- On the Application Wizard, click Next.
- Review the summary and click Next.
- Close when the Application Wizard completes successfully.
Use the Elastic Endpoint Security platform’s Endpoints > Sensors Active view to confirm sensors have been installed and are transmitting data.
Installing Elastic Endpoint Security manually
Use this installation method if you want to install the sensor manually on a single endpoint.
To manually install the Elastic Endpoint Security sensor for Windows:
- Log in to your Elastic Endpoint Security platform.
- Click Settings > Sensor > Download Profile to download the sensor installer/uninstaller profile.
- Make a note of the API key for the downloaded profile.
- Unzip the SensorInstaller-xxxxxxx-xxxxxx.zip file.
- Using your preferred management tool, copy the SensorWindowsInstaller file to the endpoint(s).
Note: The name of the sensor profile is appended to the end of the installer filename. Be sure to include it in the command specified in the following step.
- Run the following command to configure the executable to install the sensor on the endpoint:
SensorWindowsInstaller-<profile name>.exe -c SensorWindowsInstaller-<profile name>.cfg -k <API key> -l install.log
Use the Elastic Endpoint Security platform’s Endpoints > Sensors Active view to confirm the sensor has been installed and is transmitting data.
Uninstalling Elastic Endpoint Security
- Locate the previously saved SensorWindowsInstaller file from the sensor profile, or download it again.
- Using your preferred asset management tool, copy the file to the appropriate endpoint(s).
- Depending on the preferred uninstall mode, run one of the following commands to configure the executable to uninstall the sensor (note: commands are to be entered on one line; copying and pasting is not recommended):
Graceful uninstall: SensorWindowsInstaller-<profile name>.exe -c SensorWindowsInstaller-<profile name>.cfg -u true -d false -l uninstall.log
Forceful uninstall: SensorWindowsInstaller-<profile name>.exe -c SensorWindowsInstaller-<profile name>.cfg -u force -d false -l uninstall.log
Note: The -c option uses the specified configuration, and the -u option initiates the true or force uninstall process. While optional, it is recommended to include the -d false option so the installer does not self-delete, and the -l option to create a log file.