Team: Huntress EDR
Product: Intune (scripts)
Environment: Windows Server 2008 and newer, Windows Vista and newer
Summary: Automated Huntress agent deployment via Intune (scripts)
Deploying the Huntress agent via Microsoft Intune is easy and can be accomplished in one of two ways. This is the first method, via the "Scripts" interface under "Devices" management, which uses our PowerShell script for deployment. The second method is via Win32 app deployment, which is documented in Deploying Huntress with Intune (Win32 app).
Microsoft Intune is a complex and powerful tool for managing endpoints and mobile devices. This is a guideline using basic settings to accomplish the deployment of the Huntress agent; your specific Intune setup may require tweaking or changes. Huntress support is not able to perform advanced Intune troubleshooting; please consult the Microsoft documentation or their support channels for Intune assistance.
- The first step is to download the latest version of our PowerShell deployment script from our GitHub.
- Using your favorite text editor, edit the script to include your Huntress Account Key and Organization Key. You can search the script for "AccountKey" to find the line; in the example below it's around line 47. Ensure both your account key and organization key are within the quotation marks on their respective lines. Save your changes when done.
- Log into your Intune instance and navigate to Devices | Scripts, click Add, and then Windows 10.
- In the Basics section, provide a name and description for your script. In this example we've used the name Install Huntress Agent. Click Next when done.
- In the Script settings section, click the blue folder icon and upload the script you edited in Step 2. Once the script uploads, configure the additional options as shown below. Ensure Run this script using the logged on credentials is set to No (default), as we want the installation to run in the SYSTEM context. Ensure Enforce script signature check is set to No (default); since each script is edited before deployment, signing isn't feasible. Finally, set the Run script in 64 bit PowerShell Host option to Yes (not default) to ensure the script runs in the proper PowerShell architecture on both 32-bit and 64-bit machines. Click Next when done.
- In this step you will select which objects in your Azure AD/Intune deployment should have the Huntress deployment script run on them. In our example below we have an Azure AD Security Group titled "Huntress Users" to which we've applied the assignment. Click Select and Next when done.
This will almost certainly vary based on your specific Intune deployment and configuration needs. The only requirement for functionality is ensuring the assigned group contains the users or devices you wish to deploy Huntress to. Huntress support may not be able to assist in resolving security group/permission errors within your Azure AD environment.
- On this final screen review the settings and click Add when done. Scripts are deployed to selected groups once every hour by Intune. You may need to wait at least one hour before the deployment is pushed out to the endpoints.
According to Microsoft, the deployment schedule is as follows: The Intune management extension agent checks with Intune once every hour and after every reboot for any new scripts or changes. After you assign the policy to the Azure AD groups, the PowerShell script runs, and the run results are reported. Once the script executes, it doesn't execute again unless there's a change in the script or policy. If the script fails, the Intune management extension agent retries the script three times for the next three consecutive Intune management extension agent check-ins.
In our testing, we found that endpoint reboots may trigger an installation of pending deployment scripts.
- By clicking on the script name in the list of scripts you can see the status of the deployment.
- After clicking the script name above, click on Device status in the left pane. In this view you will be able to see the devices the script successfully installed on (or failed to install on) and is an excellent place to start troubleshooting or reviewing your deployment. The graphs in the Overview may not update in real time.
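The following pre-flight check is an added example, not part of the Huntress deployment script or this article. Pasted at the top of the script you edited in Step 2, it confirms the conditions the settings in Step 4 are meant to guarantee (keys filled in, SYSTEM context, 64-bit host) and exits non-zero otherwise, so a misconfiguration shows up as a failure under Device status instead of a silently missing agent. The variable names $AccountKey and $OrganizationKey are assumed to match the script; adjust them if yours differ.

```powershell
# Added pre-flight check (not from the Huntress script). Assumes the deployment
# script stores the keys in $AccountKey and $OrganizationKey (assumption).
$AccountKey      = "__ACCOUNT_KEY__"       # placeholder: replace with your Huntress Account Key
$OrganizationKey = "__ORGANIZATION_KEY__"  # placeholder: replace with your Organization Key

function Test-HuntressDeploymentPrereqs {
    $problems = @()

    # Step 2: both keys must be filled in, inside the quotes, before upload.
    foreach ($pair in @(@('AccountKey', $AccountKey), @('OrganizationKey', $OrganizationKey))) {
        $name, $value = $pair
        if ([string]::IsNullOrEmpty($value) -or $value -like '__*__') {
            $problems += "$name has not been set in the script."
        }
    }

    # Step 4: "Run this script using the logged on credentials" = No means the
    # Intune management extension runs the script as SYSTEM (SID S-1-5-18).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    if ($identity.User.Value -ne 'S-1-5-18') {
        $problems += "Not running as SYSTEM (current identity: $($identity.Name))."
    }

    # Step 4: "Run script in 64 bit PowerShell Host" = Yes. On 64-bit Windows a
    # 32-bit host has a 4-byte pointer size and PROCESSOR_ARCHITEW6432 is set.
    # ([IntPtr]::Size is used instead of Is64BitProcess so this works on PowerShell 2.0.)
    if ([IntPtr]::Size -eq 4 -and $env:PROCESSOR_ARCHITEW6432) {
        $problems += 'Running in the 32-bit PowerShell host on a 64-bit OS.'
    }

    return $problems
}

$issues = @(Test-HuntressDeploymentPrereqs)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Error $_ }
    exit 1   # non-zero exit code: Intune reports the run as failed for this device
}
# ... original deployment script continues below this point
```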