Install Latest Agent On Systems With Old Agents

What the Automox agent upgrade utility does

This Automox Worklet™ automatically detects when your Windows endpoints run outdated Automox agent versions and initiates an in-place upgrade to the latest general availability release. The Worklet queries the Automox API to identify the current latest agent version, compares it against each endpoint's installed version, and schedules an upgrade only when needed.

The upgrade process runs independently of the Worklet itself through a scheduled task, allowing the remediation to complete without blocking the Worklet from exiting. A detailed log file is generated locally on the endpoint at C:\Windows\Temp\AutomoxUpgradeLog.log for troubleshooting and audit purposes. If the agent upgrade fails, the Worklet automatically attempts to restart the Automox agent service (amagent) to restore connectivity.

Problems with outdated Automox agents

Outdated agent versions create connectivity failures between your endpoints and the Automox console. When agents fall behind current releases, they lose access to new Worklets, cannot execute updated remediation logic, and miss critical security patches that protect against emerging threats.

Endpoints running agents older than version 1.0.40 cannot auto-update due to network restrictions or service interruptions. This leaves you with agents stuck on obsolete versions, creating blind spots in your patch management coverage and preventing you from deploying the latest automation capabilities to affected systems.

How Automox agent upgrade execution works

1. Evaluation phase: The evaluation script queries the Automox API to fetch the latest agent version, retrieves the installed agent version from the Windows registry (HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*), compares versions to determine if an upgrade is needed, validates that the endpoint can reach mandatory Automox URLs (api.automox.com, console.automox.com, rtt.automox.com) on port 443, and exits with a success code only if the endpoint is eligible for upgrade. Endpoints already running the latest version or agents older than 1.0.40 skip remediation.

2. Remediation phase: The remediation script performs the same checks as the evaluation phase, then downloads the latest Automox_Installer-latest.msi from the Automox console to the local temp directory, creates a PowerShell script (UpgradeAutomoxAgent.ps1) in the temp folder that handles the installation and service restart, registers a scheduled task named "Upgrade Automox Agent" to execute the PowerShell script within 15 seconds using the SYSTEM account with highest privilege level, and exits so the scheduled task can run the upgrade independently. The actual upgrade executes msiexec with the ACCESSKEY parameter obtained from Automox Shared Secrets, then attempts to restart the amagent service and clean up temporary files.

Automox agent upgrade requirements

• Windows 7, Windows 8, Windows 10, Windows 11, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, or Windows Server 2022

• PowerShell 5.1 or later

• Automox agent version 1.0.40 or later currently installed

• Endpoint must be connected and able to reach Automox API endpoints: api.automox.com, console.automox.com, and rtt.automox.com on port 443

• Automox Access Key configured as a Shared Secret with the name 'accessKey' in the Worklet parameters

• Sufficient disk space in C:\Windows\Temp to temporarily store the agent installer MSI (approximately 50 MB)

• Firewall rules allowing outbound HTTPS connections to console.automox.com on port 443

Outcomes after upgrading agents

Your endpoints run the latest Automox agent version with full connectivity to the console restored. The upgraded agents gain access to new Worklets, improved remediation capabilities, and security patches that protect against emerging vulnerabilities. Your entire fleet maintains consistent agent versions, eliminating gaps in patch management coverage.

The upgrade process completes with automatic service restart and cleanup. The Worklet removes temporary installer files, upgrade scripts, and scheduled tasks, leaving only a log at C:\Windows\Temp\AutomoxUpgradeLog.log for audit purposes. Newer agents (1.45+) include automatic rollback protection if issues occur, while older agents may require manual reinstallation from the console. Your endpoint configuration and registry settings persist unchanged through the in-place upgrade.

How to validate upgrade automox agent changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for upgrade automox agent.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Secrets-Management, Write-Output, Invoke-RestMethod.

4. Validate remediation effects from script operations such as Secrets-Management, Test-Path, Remove-Item, then rerun evaluation for compliance.

Expected state after upgrade automox agent changes

After remediation, endpoints reflect the target upgrade automox agent configuration and report compliant status in Automox.

You can confirm results by correlating activity logs with evaluation checks (Secrets-Management, Write-Output, Invoke-RestMethod) and remediation actions (Secrets-Management, Test-Path, Remove-Item).