Prisma Access Agent Administration
  • Prisma Access Agent Administration
  • Prisma Access Agent Documentation
  • All Documentation
>
Deploy Prisma Access Agents to Windows Endpoints Using Microsoft Intune
Focus
Download PDF
Focus
  1. Home
  2. Prisma Access Agent
  3. Deploy the Prisma Access Agent
  4. Deploy Prisma Access Agents Using Microsoft Intune
  5. Deploy Prisma Access Agents to Windows Endpoints Using Microsoft Intune
Download PDF
Prisma Access Agent

Deploy Prisma Access Agents to Windows Endpoints Using Microsoft Intune

Table of Contents
Learn how to deploy Prisma Access Agents to your Windows endpoints using Microsoft Intune.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Panorama)
For Prisma Access deployments:
  • Minimum Required Prisma Access Version: 5.1 Preferred or Innovation
  • Prisma Access license with the Mobile User subscription
For NGFW deployments:
  • Minimum required PAN-OS version: 11.2
  • Prisma Access Agent license for NGFW deployments
For all deployments:
  • Prisma Access Agent version: 25.1.0.14
  • Windows 10 version 2024 and later desktop devices
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
You can use Microsoft Intune to deploy and install the Prisma Access Agent on managed Windows devices in your organization. You can also
create a script for uninstalling the Prisma Access Agent
that Intune can deploy to specific user groups.
To deploy the Prisma Access Agent for Windows using Intune:
  1. Download the Windows Prisma Access Agent package and configuration file from ManagePrisma Access Agent in Strata Cloud Manager.
  2. Create an .intunewin packager that includes the Prisma Access Agent installer and configuration file.
    1. Create a folder on your Windows machine and copy and paste the installer package (PrismaAccessAgent_x64_xx.x.xxxxx.xxxx.msi) and configuration file (config.json) to this folder.
      For example, create a folder called PAA_in and put the Prisma Access Agent installer and config.json file in this folder.
    2. Create a PowerShell wrapper script in this folder that tells Microsoft Intune how to install the Prisma Access Agent. The script must contain the name of the Prisma Access Agent installer file.
      For example, create a PowerShell script called paa.ps1 that includes the following statements:
      $MSIFileName = 'PrismaAccessAgent_x64_xx.x.xxxxx.xxxx.msi'
$MSISwitches = '/quiet /norestart'

$ScriptPath = Split-Path -Path $MyInvocation.MyCommand.Path

$InstallProcess = Start-Process -FilePath "msiexec" -ArgumentList ("/i " + [char]34 + $ScriptPath + "\" + $MSIFileName + [char]34 + " " + $MSISwitches) -PassThru -Wait

Write-Host ("Installation completed, exiting with last return code (" + $InstallProcess.ExitCode + ")")
Exit $InstallProcess.ExitCode
    3. Create a batch file to invoke the wrapper script. For example, create a batch file called InstallPAA.cmd that includes the following statements:
      @ECHO OFF

@SystemRoot@\SysNative\WindowsPowershell\v1.0\powershell.exe -ExecutionPolicy Bypass .\paa.ps1

EXIT /B %ERRORLEVEL%
    4. Open the config.json file in a text editor and make sure that it contains the correct server URL and Prisma Access tenant ID.
      The config.json file should have at minimum the following elements:
      {
    "server_url":"xxx.epm.gpcloudservice.com",
    "tenant_id":"xxxxxxxxxx"
}
    5. Use the Microsoft Win32 Content Prep Tool to create the intunewin packager.
      1. Run the IntuneWinAppUtil.exe app on Windows.
      2. When prompted, specify the:
        • Source folder—Enter the name of the folder that you created. For example, enter C:\<your_path>\PAA_in.
        • Setup file—Enter the name of the Prisma Access Agent installer (PrismaAccessAgent_x64_xx.x.xxxxx.xxxx.msi).
        • Output folder—Enter the name of the folder where the .intunewin file will go. For example, enter C:\<your_path>\PAA_out.
        • Catalog folder—Enter N.
      The Microsoft Win32 Content Prep Tool will create the PrismaAccessAgent_x64_xx.x.xxxxx.xxxx.intune file in the output folder.
  3. Create a custom Win32-based app using the intunewin packager that you created in the previous step.
    1. Log in to the Microsoft Intune admin center from your web browser.
    2. Select AppsWindowsAdd.
    3. Select the Windows app (Win32) app type and click Select.
    4. In App information, select the app package file (.intunewin) that you created. For example, select PrismaAccessAgent_x64_xx.x.xxxxx.xxxx.intune. For the Publisher, enter Palo Alto Networks.
    5. For the Install command in the Program tab, enter the name of the batch file (.cmd) that you created. For example, enter InstallPAA.cmd.
    6. In Requirements, select 64-bit for the operating system architecture and select Windows 10 1607 as the minimum operating system.
    7. In Detection rules, select Manually configure detention rules and specify the following values:
      • Rule typeFile
      • PathC:\Program Files\Palo Alto Networks\Prisma Access Agent
      • File or folderPACli.exe
      • Detection methodFile or folder exists
      • Associated with a 32-bit app on 64-bit clientsNo
    8. In Assignments, specify the user groups that will use the app.
    9. In Review + create, review your settings for the app, and Create the app in Intune.
      The Prisma Access Agent will be deployed to the user groups that you assigned.
    10. To view the app installation status from Intune, select AppsAll Apps and select the Prisma Access Agent app that you added. You can get an overview of the app status and the Device install status and User install status.

Uninstall the Prisma Access Agent on Windows Endpoints Using Microsoft Intune

You can create a script for uninstalling the Prisma Access Agent from Windows endpoints and then upload the script to Microsoft Intune. You can assign the uninstall script to specific user groups, which uninstalls the Prisma Access Agent on their devices.
Before you begin, you will need the anti-tamper unlock (supervisor) password that you set up in the general global Prisma Access Agent settings.
  1. Create a PowerShell script that uninstalls the Prisma Access Agent.
    The following sample script is provided as a reference. Customize the script as needed for your environment:
    # Uninstall_PAA.ps1

# Check if running as Administrator
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
$isAdmin = $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    Write-Host "Script is not running as administrator."
	Exit -1
}

# Disable the anti tampering. For now the password needs to be echoed
Write-Host ("Disabling the anti-tampering")
$password = "example_supervisor_password"
echo $password | & 'C:\Program Files\Palo Alto Networks\Prisma Access Agent\PACli.exe'  protect disable /run /exit /SlientMode

# Retrieving the Prisma Access Agent product code
Write-Host ("Retrieving the Prisma Access Agent product code")
$prodCode = Get-ItemPropertyValue 'HKLM:\SOFTWARE\Palo Alto Networks\Prisma Access Agent' 'ProductCode'
Write-Host ("Prisma Access Agent product code: " + $prodCode) 

# Uninstall the agent using Msiexec.exe
Write-Host ("Executing the uninstaller")
$UnInstallProcess = Start-Process -FilePath "${env:SystemRoot}\System32\msiexec" -ArgumentList ("/x " + $prodCode + " /quiet /norestart") -PassThru -Wait

Write-Host ("UnInstallation completed, exiting with last return code (" + $UnInstallProcess.ExitCode + ")")
Exit $UnInstallProcess.ExitCode
  2. Upload and assign the script to specific user groups in Intune.
    1. Log in to the Microsoft Intune admin center from your web browser.
    2. Select DevicesScripts and remediationsPlatform scripts.
    3. Add a Windows 10 and later script.
    4. Enter a Name for the script.
    5. In the Script location, select the uninstall script that you created.
    6. In Assignments, specify the user groups that will receive the uninstall script.
    7. In Review + add, review the settings for the script, and Add the script to Intune.
      The Prisma Access Agent will be uninstalled from the devices in the user groups that you assigned.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.