Zecurit supports seamless deployment of its agent to Azure AD-joined Windows devices, enabling IT admins to manage endpoints across cloud and hybrid environments efficiently. Using Azure-native tools, you can automate and scale agent installation across hundreds or thousands of devices.
This guide provides step-by-step instructions for enrolling Windows devices into Zecurit using Microsoft Azure. You can deploy the Zecurit Agent using one of the following methods:
- Method 1: Microsoft Intune Service with Storage Account
- Method 2: Automation Account with Hybrid Runbook Worker
Why Use Azure for Enrollment?
- Ideal for cloud-first or hybrid organizations
- Supports both cloud-only and on-premises devices
- No user interaction needed
- Centralized, policy-driven agent deployment
- Scalable to large device fleets
Method 1: Microsoft Intune with Azure Storage Account
This method uses Microsoft Intune (Endpoint Manager) to deploy the agent script and binaries hosted in an Azure Storage Account.
Prerequisites
- Azure AD tenant with Intune licensing
- Sufficient permissions to deploy applications via Intune
- Azure Storage Account (Blob storage)
Steps for Method 1
Step 1: Download & Extract Agent Files
- Download ZecuritAgentStartupScript.zip from the Zecurit portal.
- Extract the contents to a local folder.
Step 2: Create an Azure Storage Account & Blob
- Log in to the Azure Portal.
- Navigate to Storage Accounts > Create.
- Configure the storage account with:
  - Subscription: Select your Azure subscription.
  - Resource Group: Create new or select existing.
  - Storage Account Name: Enter a unique name (e.g., zecuritagentstorage).
  - Region: Select the closest Azure region.
  - Performance: Standard.
  - Redundancy: LRS (Locally Redundant Storage).
- Click Review + Create > Create.
- Once deployed, go to Storage Account > Containers > + Container.
- Name the container (e.g., zecurit-agent) and set access level to Private.
Step 3: Upload Agent Files to Blob Storage
- Navigate to the container and click Upload.
- Select all extracted files from ZecuritAgentStartupScript.zip and upload them.
Step 4: Generate a Shared Access Signature (SAS) Token
- Go to Storage Account > Shared Access Signature.
- Configure permissions:
  - Allowed services: Blob
  - Allowed resource types: Container, Object
  - Permissions: Read, List
- Start & expiry date: Set a reasonable validity period.
- Click Generate SAS and connection string.
- Copy the Blob SAS URL (e.g., https://[storageaccount].blob.core.windows.net/[container]?[SAS-token]).
Step 5: Deploy via Microsoft Intune
- Go to Microsoft Intune Admin Center.
- Navigate to Apps > Windows > Add > Windows app (Win32).
- Upload the ZecuritAgentInstaller.exe file.
- Configure App Information:
  - Name: Zecurit Agent
  - Description: (Optional)
  - Publisher: Zecurit
- Configure Program Settings:
  - Install command: ZecuritAgentInstaller.exe /silent
  - Uninstall command: ZecuritAgentInstaller.exe /uninstall
- Configure Requirements:
  - OS Architecture: 64-bit
  - Minimum OS: Windows 10 1809+
- Configure Detection Rules:
  - Rule type: File
  - Path: %ProgramFiles%\Zecurit\Agent
  - File: ZecuritAgent.exe
- Assign the app to Required groups (e.g., All Devices or a specific Azure AD group).
- Click Review + Create > Create.
The agent will now deploy to the selected devices.
Verify Deployment
- Once deployed, the Zecurit agent will install silently.
- The device will appear in the Zecurit Dashboard after successful enrollment.
Use Intune logging and Zecurit’s activity log to verify successful deployment.
Method 2: Automation Account with Hybrid Runbook Worker
This method uses Azure Automation and a Runbook for scalable deployment, including Hybrid Runbook Workers for on-premises or cloud devices.
Prerequisites
- Azure Automation Account
- Hybrid Runbook Worker configured
- Azure Storage Account
Steps for Method 2
Step 1: Download & Extract Agent Files
- Download ZecuritAgentStartupScript.zip from the Zecurit portal.
- Extract the contents to a local folder.
Step 2: Create an Automation Account
- Go to Azure Portal > Automation Accounts > Create.
- Configure:
  - Name: ZecuritAutomation
  - Subscription: Select your subscription.
  - Resource Group: Create new or select existing.
  - Region: Select a supported Azure region.
- Click Review + Create > Create.
Step 3: Set Up Hybrid Runbook Worker Group
- In the Automation Account, go to Hybrid Worker Groups > Add.
- Select Existing Azure VM or On-Premises Server to install the Hybrid Worker.
- Follow Microsoft’s guide to install the Hybrid Runbook Worker.
Step 4: Upload Agent Files to Blob Storage
Follow Steps 2 & 3 from Method 1 to create a Storage Account and upload agent files.
Step 5: Modify & Deploy the Runbook
- In the Automation Account, go to Runbooks > Create a Runbook.
  - Name: Deploy-ZecuritAgent
  - Type: PowerShell
- Paste the modified script (from ZecuritAgentStartupScript.zip) and update:
  - Storage Blob URL (with SAS token)
  - Target device groups
- Click Publish.
- Run the Runbook on the Hybrid Worker Group to deploy the agent.
Verification & Troubleshooting
- Check Installation:
  - On a target device, verify C:\Program Files\Zecurit\Agent exists.
  - Check Windows Services for ZecuritAgent.
- Logs:
  - Agent logs: C:\ProgramData\Zecurit\Agent\Logs
  - Intune logs: C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
- Common Issues:
  - 403 Forbidden: Ensure SAS token is valid.
  - Hybrid Worker Offline: Restart the HybridService on the worker machine.
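The SAS settings from Step 4 of Method 1 and the 403 Forbidden item above can both be checked before a SAS URL is pasted into a deployment script. The following is an added example, not part of the Zecurit package: the function name Test-SasUrl, the MaxValidityDays limit and the sample URL (placeholder account and signature) are assumptions made for illustration.

```powershell
# Added example, not from the Zecurit package. Lints an account SAS URL against
# the Step 4 settings: Blob only, Container + Object, Read + List, bounded expiry.
function Test-SasUrl {
    param(
        [Parameter(Mandatory)] [string] $SasUrl,
        [int] $MaxValidityDays = 30,            # assumption: local policy limit
        [datetime] $Now = [datetime]::UtcNow
    )
    $uri = [uri] $SasUrl
    # Build a name -> value table from the query string (values URL-decoded).
    $q = @{}
    foreach ($pair in ($uri.Query.TrimStart('?') -split '&' | Where-Object { $_ })) {
        $name, $value = $pair -split '=', 2
        $q[$name] = [uri]::UnescapeDataString("$value")
    }
    $findings = @()
    if ($uri.Scheme -ne 'https') { $findings += 'URL is not HTTPS' }
    # ss = allowed services, srt = allowed resource types, sp = permissions.
    if ("$($q['ss'])" -cne 'b') { $findings += "ss=$($q['ss']): allow the Blob service only" }
    $srt = -join ("$($q['srt'])".ToCharArray() | Sort-Object -Unique)
    if ($srt -cne 'co') { $findings += "srt=$($q['srt']): expected Container and Object (co)" }
    if ("$($q['sp'])" -cnotmatch '^[rl]+$') { $findings += "sp=$($q['sp']): expected Read/List only" }
    # se = expiry time; an expired token is the usual cause of 403 responses.
    if (-not $q['se']) {
        $findings += 'se missing: no expiry time in the URL'
    } else {
        $styles = [System.Globalization.DateTimeStyles] 'AssumeUniversal, AdjustToUniversal'
        $expiry = [datetime]::Parse($q['se'], [cultureinfo]::InvariantCulture, $styles)
        if ($expiry -le $Now) {
            $findings += "se=$($q['se']): token has expired (requests return 403)"
        } elseif (($expiry - $Now).TotalDays -gt $MaxValidityDays) {
            $findings += "se=$($q['se']): valid for more than $MaxValidityDays days"
        }
    }
    if (-not $q['sig']) { $findings += 'sig missing: URL is unsigned' }
    $findings   # empty output means the URL matches the Step 4 settings
}

# Constructed sample: placeholder account, container and signature.
$sample = 'https://examplestorage.blob.core.windows.net/zecurit-agent?sv=2022-11-02' +
          '&ss=bf&srt=sco&sp=rwl&se=2030-01-01T00%3A00%3A00Z&spr=https&sig=PLACEHOLDER'
Test-SasUrl -SasUrl $sample | ForEach-Object { "FINDING: $_" }
```

The check only reads the URL's query parameters; it does not contact the storage account, so a token that passes can still be rejected if its signing key has been rotated.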
Summary: Method Comparison
| Criteria | Method 1: Intune + Storage | Method 2: Automation + Runbook |
|---|---|---|
| Suitable For | Azure AD devices | Cloud/on-prem hybrid environments |
| User Interaction | None | None |
| Scalability | High | High |
| Requires Hybrid Workers | ❌ No | ✅ Yes |
| Admin Complexity | Moderate | Advanced |
| Use Case | Corporate laptops, workstations | Servers, VM fleets, data center assets |