Prevent Elastic Agent uninstallation
editPrevent Elastic Agent uninstallation
edit[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
For hosts enrolled in Elastic Defend, you can prevent unauthorized attempts to uninstall Elastic Agent and Elastic Endpoint by enabling Agent tamper protection on the Agent policy. This offers an additional layer of security by preventing users from bypassing or disabling Elastic Defend’s endpoint protections.
When enabled, Elastic Agent and Elastic Endpoint can only be uninstalled on the host by including an uninstall token in the uninstall CLI command. One unique uninstall token is generated per Agent policy, and you can retrieve uninstall tokens in an Agent policy’s settings or in the Fleet UI.
Requirements
- Agent tamper protection requires the Endpoint Protection Complete project feature.
- Hosts must be enrolled in the Elastic Defend integration.
- Elastic Agents must be version 8.11.0 or later.
- This feature is supported for all operating systems.
Enable Agent tamper protection
editYou can enable Agent tamper protection by configuring the Elastic Agent policy.
- Go to Fleet → Agent policies, then select the Agent policy you want to configure.
- Select the Settings tab on the policy details page.
-
In the Agent tamper protection section, turn on the Prevent agent tampering setting.
This makes the Get uninstall command link available, which you can follow to get the uninstall token and CLI command if you need to uninstall an Agent on this policy.
You can also access an Agent policy’s uninstall tokens on the Uninstall tokens tab on the Fleet page. Refer to Access uninstall tokens for more information.
- Select Save changes.
Access uninstall tokens
editIf you need the uninstall token to remove Elastic Agent from an endpoint, you can find it in several ways:
- On the Agent policy — Go to the Agent policy’s Settings tab, then click the Get uninstall command link. The Uninstall agent flyout opens, containing the full uninstall command with the token.
-
On the Fleet page — Go to Fleet → Uninstall tokens for a list of the uninstall tokens generated for your Agent policies. You can:
- Click the Show token icon in the Token column to reveal a specific token.
- Click the View uninstall command icon in the Actions column to open the Uninstall agent flyout, containing the full uninstall command with the token.