Prevent Elastic Agent uninstallation

edit

For hosts enrolled in Elastic Defend, you can prevent unauthorized attempts to uninstall Elastic Agent and Elastic Endpoint by enabling Agent tamper protection on the Agent policy. This offers an additional layer of security by preventing users from bypassing or disabling Elastic Defend’s endpoint protections.

When enabled, Elastic Agent and Elastic Endpoint can only be uninstalled on the host by including an uninstall token in the uninstall CLI command. One unique uninstall token is generated per Agent policy, and you can retrieve uninstall tokens in an Agent policy’s settings or in the Fleet UI.

Requirements

  • Agent tamper protection requires the Endpoint Protection Complete project feature.
  • Hosts must be enrolled in the Elastic Defend integration.
  • Elastic Agents must be version 8.11.0 or later.
  • This feature is supported for all operating systems.
Agent tamper protection setting highlighted on Agent policy settings page
Enable Agent tamper protection
edit

You can enable Agent tamper protection by configuring the Elastic Agent policy.

  1. Go to FleetAgent policies, then select the Agent policy you want to configure.
  2. Select the Settings tab on the policy details page.
  3. In the Agent tamper protection section, turn on the Prevent agent tampering setting.

    This makes the Get uninstall command link available, which you can follow to get the uninstall token and CLI command if you need to uninstall an Agent on this policy.

    You can also access an Agent policy’s uninstall tokens on the Uninstall tokens tab on the Fleet page. Refer to Access uninstall tokens for more information.

  4. Select Save changes.
Access uninstall tokens
edit

If you need the uninstall token to remove Elastic Agent from an endpoint, you can find it in several ways:

  • On the Agent policy — Go to the Agent policy’s Settings tab, then click the Get uninstall command link. The Uninstall agent flyout opens, containing the full uninstall command with the token.
  • On the Fleet page — Go to FleetUninstall tokens for a list of the uninstall tokens generated for your Agent policies. You can:

    • Click the Show token icon in the Token column to reveal a specific token.
    • Click the View uninstall command icon in the Actions column to open the Uninstall agent flyout, containing the full uninstall command with the token.