Install Arctic Wolf Agent using Intune

You can install Arctic Wolf® Agent on Windows using Microsoft Intune. Intune is a cloud-based service for mobile device management (MDM). This service enables you to manage how employees use company-owned devices. For example, laptops. See Microsoft documentation for more information.

Note:

  • Agent is designed to maintain a minimal footprint on all systems, but Arctic Wolf recommends some OS requirements. Arctic Wolf cannot guarantee functionality on virtual machine (VM) environments if resources do not meet recommended levels.

  • Agent does not support ARM architecture.

  • Windows 8.1, 8, 7, and Windows Server 2008 R2 are only supported on Agent version 2023-02_138.

These resources are required:

  • To correctly view Agent risks in the Unified Portal, Windows Agent version 2023-02_138 or later is required

  • Administrator permissions or the ability to do administrator or root level functions

  • Your customer UUID.

    To find this value, in the Arctic Wolf Unified Portal, click Resources > Downloads, and then, in the Arctic Wolf Agent section, copy the Your Customer UUID value.

  • Your regional DNS hostname.

    To find this value, in the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then, in the Agent section, copy the DNS hostname that begins with activate.agent-common.prod.

  • A device that is enrolled in Intune and meets one of these requirements:
    • Registered with Microsoft Entra ID
    • Joined with Microsoft Entra ID
    • Joined as a hybrid with Microsoft Entra ID

    See Microsoft documentation for more information about Win32 app management in Microsoft Intune.

  • One of these operating systems:
    • Windows 11 for 64-bit systems
    • Windows 10 Pro for 64-bit and 32-bit systems
    • Windows 10 version 1607 or later
    • Windows Server 2025, 2022, 2019, 2016, 2012 R2, or 2012 for 64-bit systems
    • Windows 11 IoT or Windows 10 IoT for 64-bit systems

    • If you plan to use Sysmon with Agent, Sysmon has these operating system requirements:

      • Windows 10 or newer for 64- and 32-bit systems
      • Windows Server 2016 or newer for 64-bit systems
  • These system resources:
    • A x64 or x86 processor
    • At a minimum:
      • A dual-core CPU
      • 2 GB of memory
      • 50 MB of disk space

These actions are required:

  • Confirm the installation location. Install Agent on the same drive as your ProgramFilesFolder, such as Program Files or Program Files (x86). This is usually the C:\.

  • Make sure outbound access is available for ports 443 and 1514.

Configure your environment firewall

Configure your firewall to allow traffic to Agent DNS hostnames.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Resources > Allowlist Requirements.
  3. Configure your firewall to allow outbound traffic for all the hostnames, not IP addresses, listed in the Agent section.
    Note:

    Agent must contact Arctic Wolf servers to register. If this process fails, Agent retries every 15 seconds. This has no negative effect on the system.

Add Agent processes to the allowlist

If you install Agent and an antivirus, endpoint scanner, Endpoint Detection and Response (EDR) solution, Unified Threat Management (UTM) solution, or similar software, add Agent processes to the allowlist in those applications to maintain stable CPU and memory utilization:

  1. Configure your security systems to allow the processes listed in Arctic Wolf Agent processes.
    Tip:
    Arctic Wolf recommends that you define a security rule or policy exclusion for the parent folder. Then, if new processes are added during a future Agent software update, the new rule or policy exclusion applies to it. For example, for a Windows endpoint, define a rule that applies to one of these file paths based on your Windows operating system (OS):

    • Windows 64-bit OS — C:\Program Files (x86)\Arctic Wolf Networks\

    • Windows 32-bit OS — C:\Program Files\Arctic Wolf Networks\

  2. Add the files listed in Arctic Wolf Agent hash values to all allowlists.
  3. If you use an EDR solution, verify that your EDR configuration changes are applied to all endpoints.

See the technical documentation for the security systems that you are configuring for more information.

Trust Agent scanner signed files

You must trust Agent scanner signed files to ensure Agent vulnerability and benchmark scanning is not impacted by other endpoint security tools installed on the endpoint.

If you partnered with Arctic Wolf as a Managed Risk customer before December 11, 2025, your vulnerability and benchmark scanning uses the PowerShell console by default. Scans fail if the console usage is blocked by endpoint security tools.

As of December 11, 2025, Arctic Wolf uses signed PowerShell scripts by default. Do one of these actions to ensure successful scans:

Enable VBScript

VBScript must be enabled to install Arctic Wolf Agent.

If you have disabled VBScript, you must re-enable this Windows feature.
  1. Go to Start > Settings > System > Optional features.
  2. Select View features.
  3. In the search dialog, enter VBSCRIPT, and then select the check box for the VBScript search result.
  4. To enable the VBScript feature, click Next.

Add Agent to Intune

  1. Download and install the Intune application packager.

    See Microsoft documentation for more information.

  2. Install the Microsoft Win32 Content Prep Tool. This allows you to convert a file to a .intunewin file to upload for distribution.
  3. Run this command:
    BASH 
    IntuneWinAppUtil -c <setup_folder> -s <source_setup_file> -o <output_folder>

    Where:

    • setup_folder is the source folder.
    • source_setup_file is the filename of the Agent MSI file.
    • output_folder is the location of the new .intunewin file.

Add Arctic Wolf Agent to Intune

  1. In the App information section:
    1. Click Select file to add the .intunewin file.
    2. In the Description field, enter a description.
    3. In the Publisher field, enter ArcticWolf.
  2. In the Program section, configure these settings:
    • Install command — Replace the existing command with:
      SHELL 
      msiexec /i <agent_file> /qn CUSTOMER_UUID=<customer_uuid> REGISTER_DNS=<regional_dns> /l*v scout_install.log

      Where:

      • agent_file is the name of the Agent MSI file that you downloaded.
      • customer_UUID is your customer UUID. For more information, see Prerequisites.
      • regional_DNS is your regional DNS hostname. For more information, see Prerequisites.
    • Uninstall command — Enter msiexec /x "GUID" /q, where GUID is the globally unique identifier of the application.
    • Device restart behavior — Select Determine behavior based on return codes.
  3. In the Requirements section, specify the operating system (OS) architecture and minimum OS.
  4. Create the detection rule:
    1. In the Detection rules section, in the Rules format list, select Manually configure detection rules.
    2. In the Rule type list, select File.
    3. In the Path field, enter C:\Program Files (x86)\Arctic Wolf Networks\Agent.
    4. In the File or Folder field, enter manifest.json.
    5. In the Detection method list, select File or folder exists.
    6. Verify that the Associated with a 32-bit app on 64-bit clients toggle is set to the No position.
  5. In the Review + create section, add the application.

    Intune notifies users that the software is updating on their device. You can view the installation status in the Intune portal.