Group deployment of the internal agent via InTune

Need to speed things up? Try this...

Written by Naomi Purvis
Updated over a week ago

🚨 IMPORTANT 🚨

Please note: the DeviceName you select must be unique to avoid issues when scanning.


Please note, every organisation has a different environment, different device/software management processes and very different requirements so we can only provide a generic guide – we cannot account for every eventuality, but we hope this helps.

Get your agent information

  1. Go to your Intruder account > Targets > Add Target > Internal Targets, and then populate the fields with the required information (please note, since you will be deploying multiple agents, the device name can be any value):

You will be presented with the following screen:

[Screenshot: Installation instructions modal]

  2. Make sure you download the Nessus Agent to a clean folder on your computer. In this case, and for the remainder of this guide, we will refer to the agent MSI file as NessusAgent-10.1.1-Win32.msi; please note that the 10.1.1 part may change as new versions are released.

  3. Take a copy of the command and keep it handy so you can extract the information you need to deploy to multiple agents.
    In our example the command we will refer to is:

msiexec /i "NessusAgent-10.1.1-Win32.msi" NESSUS_SERVER="cloud.tenable.com:443" NESSUS_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef NESSUS_NAME=01234567-89ab-cdef-0123-456789abcdef_MYDEVICE /qn

Prepare your .intunewin package

  1. Download the Microsoft Intune Win32 App Packaging Tool from Microsoft via GitHub.

  2. Create a folder and download your NessusAgent MSI file (NessusAgent-10.1.1-Win32.msi from the previous stage) into that folder; if it's already in its own folder, don't worry about this step.

  3. Create an installation file (named Install.cmd) in the same folder as your NessusAgent-10.1.1-Win32.msi file, and add the following installation command on a single line:

msiexec /i "NessusAgent-10.1.1-Win32.msi" NESSUS_SERVER="cloud.tenable.com:443" NESSUS_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef NESSUS_NAME=01234567-89ab-cdef-0123-456789abcdef_%ComputerName% /qn

  4. Now, make sure that you:

    • Replace the NessusAgent-10.1.1-Win32.msi with the exact name of the MSI you downloaded previously

    • Replace the NESSUS_KEY value with the one in the command you copied from the portal in the previous stage

    • Replace the NESSUS_NAME value with the one in the command you copied from the portal in the previous stage, but add _%ComputerName% to the end of the NESSUS_NAME value (%ComputerName% is a placeholder that will be automatically replaced with the name of the computer at installation time).

  5. Save the Install.cmd file and close it

  6. Open a Command Prompt (cmd.exe) as Administrator (right-click on Command Prompt and select "Run as Administrator")

  7. Run IntuneWinAppUtil.exe from the Intune Win32 App Packaging Tool that you downloaded previously.

  8. Follow the steps to create the .intunewin package that can be used to deploy to multiple systems:

    • Please specify the source folder: This should be the folder where your NessusAgent-10.1.1-Win32.msi and Install.cmd files are located

    • Please specify the setup file: This should be the NessusAgent-10.1.1-Win32.msi

    • Please specify the output folder: This should be the location you want to save the .intunewin package, such as C:\Temp
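
A check you could run on the source folder before running IntuneWinAppUtil.exe. This is an added example, not Intruder's or Tenable's code: `Test-IntruderInstallCmd` is a hypothetical helper name, and the sample folder is constructed from the placeholder command shown in this guide. It flags an Install.cmd that would register every device under the same name or that still carries the placeholder key.

```powershell
# Added example. Test-IntruderInstallCmd is a hypothetical helper, not vendor tooling.
function Test-IntruderInstallCmd {
    param([Parameter(Mandatory)][string]$SourceFolder)
    $problems = [System.Collections.Generic.List[string]]::new()
    $cmdPath  = Join-Path $SourceFolder 'Install.cmd'
    if (-not (Test-Path -LiteralPath $cmdPath)) {
        $problems.Add('Install.cmd not found in the source folder'); return $problems
    }
    # The guide asks for the whole install command on a single line.
    $lines = @(Get-Content -LiteralPath $cmdPath | Where-Object { $_.Trim() })
    if ($lines.Count -ne 1) {
        $problems.Add("Expected one command line, found $($lines.Count)"); return $problems
    }
    $cmd = $lines[0]
    # The MSI named after /i must be the file that is actually in the folder.
    if ($cmd -match '/i\s+"?([^"\s]+\.msi)"?') {
        if (-not (Test-Path -LiteralPath (Join-Path $SourceFolder $Matches[1]))) {
            $problems.Add("MSI '$($Matches[1])' is not in the source folder")
        }
    } else { $problems.Add('No /i "<file>.msi" argument found') }
    # NESSUS_KEY must be the portal value, not the placeholder printed in the guide.
    if ($cmd -match 'NESSUS_KEY="?([^"\s]+)') {
        if ($Matches[1] -eq ('0123456789abcdef' * 4)) {
            $problems.Add('NESSUS_KEY is still the guide placeholder')
        }
    } else { $problems.Add('NESSUS_KEY is missing') }
    # NESSUS_NAME must end in _%ComputerName% so each device registers under a unique name.
    if ($cmd -match 'NESSUS_NAME="?([^"\s]+)') {
        if ($Matches[1] -notlike '*_%ComputerName%') {
            $problems.Add("NESSUS_NAME '$($Matches[1])' does not end in _%ComputerName%")
        }
    } else { $problems.Add('NESSUS_NAME is missing') }
    if ($cmd -notmatch 'NESSUS_SERVER=') { $problems.Add('NESSUS_SERVER is missing') }
    if ($cmd -notmatch '(^|\s)/qn(\s|$)') { $problems.Add('/qn (silent install) is missing') }
    return $problems
}

# Constructed sample: the guide's placeholder command pasted into Install.cmd unchanged.
$demo = Join-Path ([IO.Path]::GetTempPath()) "intune-pkg-$([guid]::NewGuid())"
New-Item -ItemType Directory -Path $demo | Out-Null
New-Item -ItemType File -Path (Join-Path $demo 'NessusAgent-10.1.1-Win32.msi') | Out-Null
$sample = 'msiexec /i "NessusAgent-10.1.1-Win32.msi" NESSUS_SERVER="cloud.tenable.com:443" ' +
          "NESSUS_KEY=$('0123456789abcdef' * 4) " +
          'NESSUS_NAME=01234567-89ab-cdef-0123-456789abcdef_MYDEVICE /qn'
Set-Content -LiteralPath (Join-Path $demo 'Install.cmd') -Value $sample
@(Test-IntruderInstallCmd -SourceFolder $demo) | ForEach-Object { Write-Warning $_ }
Remove-Item -LiteralPath $demo -Recurse -Force
```

Because Install.cmd holds the NESSUS_KEY in plain text, keep the source folder and the resulting .intunewin package readable only by the administrators who need them.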

Deploy your .intunewin package

  1. In Intune you will need to add a Windows app (Win32)

  2. When creating the app select App package file and upload your .intunewin package file

  3. Add your App Information if needed:

    • Name

    • Description

    • Publisher

    • etc.

  4. Select Program and change the Install command setting to Install.cmd

  5. Make sure the Uninstall command setting is sensible

  6. Make sure your App requirements are appropriate

  7. Make sure the Detection rules contain a manually configured detection rule:

    • Rule type: this should be set to MSI

    • MSI product code: this should be pre-populated

  8. Make sure the Return codes are appropriate; they should be pre-populated

  9. Add your app

You should now be able to deploy your app to a test system and validate that the agent calls back to your Intruder portal account.

If you come unstuck, it might be worth reviewing the other help article found here.
