Prevent Elastic Agent uninstallation

edit

For hosts enrolled in Elastic Defend, you can prevent unauthorized attempts to uninstall Elastic Agent and Elastic Endpoint by enabling Agent tamper protection on the Agent policy. This offers an additional layer of security by preventing users from bypassing or disabling Elastic Defend’s endpoint protections.

When enabled, Elastic Agent and Elastic Endpoint can only be uninstalled on the host by including an uninstall token in the uninstall CLI command. One unique uninstall token is generated per Agent policy, and you can retrieve uninstall tokens in an Agent policy’s settings or in the Fleet UI.

Agent tamper protection setting highlighted on Agent policy settings page

Enable Agent tamper protection

edit

You can enable Agent tamper protection by configuring the Elastic Agent policy.

  1. Go to FleetAgent policies, then select the Agent policy you want to configure.
  2. Select the Settings tab on the policy details page.
  3. In the Agent tamper protection section, turn on the Prevent agent tampering setting.

    This makes the Get uninstall command link available, which you can follow to get the uninstall token and CLI command if you need to uninstall an Agent on this policy.

    You can also access an Agent policy’s uninstall tokens on the Uninstall tokens tab on the Fleet page. Refer to Access uninstall tokens for more information.

  4. Select Save changes.

Access uninstall tokens

edit

If you need the uninstall token to remove Elastic Agent from an endpoint, you can find it in several ways:

  • On the Agent policy — Go to the Agent policy’s Settings tab, then click the Get uninstall command link. The Uninstall agent flyout opens, containing the full uninstall command with the token.
  • On the Fleet page — Go to FleetUninstall tokens for a list of the uninstall tokens generated for your Agent policies. You can:

    • Click the Show token icon in the Token column to reveal a specific token.
    • Click the View uninstall command icon in the Actions column to open the Uninstall agent flyout, containing the full uninstall command with the token.

If you have many tamper-protected Elastic Agent policies, you may want to Provide multiple uninstall tokens in a single command.