
Windows - Software Lifecycle - Install Rapid7 Insight Agent

Deploy the Rapid7 Insight Agent to Windows endpoints with a custom installation token, proxy support, and registry-based detection

Worklet Details

What the Rapid7 Insight Agent deployer does

This Automox Worklet™ deploys the Rapid7 Insight Agent to Windows endpoints and binds each installation to your Rapid7 tenant with a custom token. The Insight Agent is the lightweight collector that feeds InsightVM for vulnerability assessment and InsightIDR for endpoint detection and response. Without the agent on an endpoint, that endpoint is invisible to Rapid7.

The Worklet reads your installation token from an Automox Shared Secret named rapid7_token, so the token never lives in plain text inside the policy. It detects whether the endpoint is 32-bit or 64-bit, downloads the matching agent installer MSI (PyForensicsAgent-x64.msi or PyForensicsAgent-x86.msi) from Rapid7's latest channel on s3.amazonaws.com/com.rapid7.razor.public, and runs msiexec silently with the CUSTOMTOKEN argument set to your token. If AUTOMOX_PROXY is set in the environment, the Worklet appends HTTPSPROXY to the MSI argument list so the agent uses your proxy for its initial registration call.

Installation media is renamed to Rapid7InsightAgent.msi in ProgramData\amagent\WorkletCache\WSE-458, the msiexec verbose log is written alongside it as Rapid7InsightAgent_install.log, and the MSI file is deleted once the install returns. The Worklet exits 87 if the rapid7_token Shared Secret is missing, 3 if the install directory is not present or the installer cannot be located after download, and 0 on success or when the agent is already detected.

Why deploy the Insight Agent through Automox

Rapid7 InsightVM and InsightIDR depend on the Insight Agent being installed and registered on every endpoint in scope. An endpoint without the agent does not appear in scans, does not contribute telemetry to InsightIDR detections, and shows up in board reports as an enrollment gap. Traditional rollout paths (GPO with a startup script, SCCM application, or an admin walking from desk to desk) move at the speed of the slowest endpoint. Coverage leaks every time a new workstation is imaged or a server is rebuilt.

Apply this Worklet to the Windows server and workstation endpoint groups; the Rapid7 MSI is pulled on every evaluation, the Shared Secret supplies a tenant-scoped token at install time, and the Windows uninstall registry confirms compliance on the next pass. Coverage gaps surface as Automox non-compliance rather than as missing rows in the Rapid7 console.

How Rapid7 Insight Agent deployment works

  1. Evaluation phase: The Worklet opens the HKLM hive in the architecture-matched registry view and walks the uninstall subkeys under SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall. It reads the DisplayName value of each subkey and matches against "Rapid7 Insight Agent". If a match is found, the endpoint exits 0 as compliant. If not, it exits 2 and is flagged for remediation. Rapid7's own ir_agent service registration is downstream of this MSI install, so DisplayName presence is the right detection signal.

  2. Remediation phase: The Worklet first verifies that the rapid7_token Shared Secret is present and exits 87 if it is not. It creates the cache directory ProgramData\amagent\WorkletCache\WSE-458, picks the x64 or x86 MSI from the Rapid7 latest channel based on Is64BitOperatingSystem, and downloads it via the Automox wrapper's $axWeb client (which respects AUTOMOX_PROXY). It then invokes msiexec.exe /i with /qn, /norestart, a verbose log to Rapid7InsightAgent_install.log, and the CUSTOMTOKEN argument carrying your token. The process is given a 300-second timeout. Exit codes 0, 1641, and 3010 are treated as success. Any other code throws, the installer file is removed, and the Worklet exits with the msiexec exit code.
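The install step of the remediation phase, as an added PowerShell example (not the Worklet's own code). It assumes the MSI is already in the cache directory; the `$Token` parameter and the `R7_TOKEN` variable are hypothetical stand-ins for the rapid7_token Shared Secret, and the exit codes used for a timeout or launch failure are assumptions.

```powershell
# Added example: install step only. Download and Shared Secret lookup are out of scope.
param(
    [string]$Token = $env:R7_TOKEN   # hypothetical stand-in for the rapid7_token Shared Secret
)

$cacheDir = Join-Path $env:ProgramData 'amagent\WorkletCache\WSE-458'
$msiPath  = Join-Path $cacheDir 'Rapid7InsightAgent.msi'
$logPath  = Join-Path $cacheDir 'Rapid7InsightAgent_install.log'

if ([string]::IsNullOrWhiteSpace($Token)) { Write-Output 'rapid7_token is missing'; exit 87 }
if (-not (Test-Path -LiteralPath $msiPath)) { Write-Output 'Installer not found'; exit 3 }

# Build the msiexec argument list. Never write this list to output: it holds the token.
$msiArgs = @('/i', "`"$msiPath`"", '/qn', '/norestart', '/l*v', "`"$logPath`"", "CUSTOMTOKEN=$Token")
if ($env:AUTOMOX_PROXY) {
    # Assumption: the proxy value is handed to the MSI unchanged.
    $msiArgs += "HTTPSPROXY=$env:AUTOMOX_PROXY"
}

$exitCode = 1   # assumption: generic failure code if msiexec cannot be started
try {
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName        = Join-Path $env:SystemRoot 'System32\msiexec.exe'
    $psi.Arguments       = $msiArgs -join ' '
    $psi.UseShellExecute = $false
    $proc = [System.Diagnostics.Process]::Start($psi)

    if (-not $proc.WaitForExit(300 * 1000)) {   # 300-second timeout
        $proc.Kill()
        $exitCode = 1460                        # ERROR_TIMEOUT; choice of code is an assumption
        throw 'msiexec did not finish within 300 seconds'
    }
    $exitCode = $proc.ExitCode
    # 0 = success, 1641 = reboot initiated, 3010 = reboot required
    if ($exitCode -notin 0, 1641, 3010) { throw "msiexec failed with exit code $exitCode" }
    $exitCode = 0
}
catch {
    Write-Output $_.Exception.Message
}
finally {
    # The installer is removed whether or not the install succeeded; the log stays.
    Remove-Item -LiteralPath $msiPath -Force -ErrorAction SilentlyContinue
}
exit $exitCode
```

Windows Installer verbose logs record public properties passed on the command line unless the package lists them in MsiHiddenProperties, so check whether Rapid7InsightAgent_install.log contains the token and restrict or purge the log accordingly.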

Rapid7 Insight Agent deployment requirements

  • Active Rapid7 InsightVM or InsightIDR subscription with a valid installation token issued from your Rapid7 platform

  • Automox Shared Secret named rapid7_token holding your installation token; the Worklet exits 87 if this is missing

  • Windows endpoint (server or workstation, 32-bit or 64-bit) with the Automox agent installed in its default SYSTEM context

  • Outbound HTTPS reachability to s3.amazonaws.com/com.rapid7.razor.public for the MSI download, plus reachability to Rapid7's regional Insight platform for agent registration; if your endpoints egress through a proxy, set AUTOMOX_PROXY so the Worklet passes HTTPSPROXY into msiexec

  • TLS 1.2 enabled in the SChannel registry for the MSI download to succeed; the Worklet emits a specific "TLS 1.2" error if SSL/TLS negotiation fails

  • Administrative privileges for msiexec (the default Automox agent context already meets this)

Expected Insight Agent state after remediation

After a successful run, "Rapid7 Insight Agent" appears in Programs and Features and under HKLM:\SOFTWARE\Rapid7. The ir_agent service is registered and set to start automatically; it begins beaconing to your Insight platform within minutes, and the endpoint surfaces in the InsightVM Asset inventory or InsightIDR Agents view shortly after. Verify the service is running with Get-Service ir_agent and confirm the registered token under HKLM:\SOFTWARE\Rapid7\Insight\agent\config matches the tenant you expect.

The MSI verbose log at ProgramData\amagent\WorkletCache\WSE-458\Rapid7InsightAgent_install.log is the first place to look if remediation exits non-zero. The installer file itself is deleted once msiexec returns, so the cache directory holds only the log on the next evaluation. Subsequent Worklet runs find the Rapid7 DisplayName in the uninstall registry and exit 0 without re-downloading the MSI. Leave the policy on the same daily cadence as your patch policy so endpoints that drop off the Rapid7 console after a reimage or hardware replacement come back online on their next agent check-in.
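A read-only check of the expected state described above, as an added PowerShell example (not part of the Worklet). The helper name `Test-Rapid7UninstallEntry`, the substring match on DisplayName, and the exit code 1 on failure are assumptions; it repeats the evaluation phase's uninstall-registry walk and does not read the token value.

```powershell
# Added example: post-remediation verification. Makes no changes to the endpoint.
$cacheDir = Join-Path $env:ProgramData 'amagent\WorkletCache\WSE-458'
$uninstallPaths = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Test-Rapid7UninstallEntry {   # hypothetical helper name
    # Open HKLM in the registry view that matches the OS architecture.
    $view = if ([Environment]::Is64BitOperatingSystem) {
        [Microsoft.Win32.RegistryView]::Registry64
    } else {
        [Microsoft.Win32.RegistryView]::Registry32
    }
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    try {
        foreach ($path in $uninstallPaths) {
            $root = $hklm.OpenSubKey($path)
            if ($null -eq $root) { continue }   # e.g. no Wow6432Node on a 32-bit OS
            foreach ($name in $root.GetSubKeyNames()) {
                $sub = $root.OpenSubKey($name)
                if ($null -eq $sub) { continue }
                $display = [string]$sub.GetValue('DisplayName')
                $sub.Close()
                # Assumption: substring match on the DisplayName value.
                if ($display -like '*Rapid7 Insight Agent*') { $root.Close(); return $true }
            }
            $root.Close()
        }
        return $false
    }
    finally { $hklm.Close() }
}

$svc = Get-Service -Name 'ir_agent' -ErrorAction SilentlyContinue
$checks = [ordered]@{
    'Uninstall entry present'  = (Test-Rapid7UninstallEntry)
    'ir_agent running'         = ($null -ne $svc -and $svc.Status -eq 'Running')
    'ir_agent start automatic' = ($null -ne $svc -and $svc.StartType -eq 'Automatic')
    'HKLM:\SOFTWARE\Rapid7'    = (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Rapid7')
    'Installer removed'        = (-not (Test-Path -LiteralPath (Join-Path $cacheDir 'Rapid7InsightAgent.msi')))
}
$checks.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $_.Value }
if ($checks.Values -contains $false) { exit 1 } else { exit 0 }
```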



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration and remediation, and install or remove applications and settings across Windows, macOS, and Linux.
