Skip to main content
All CollectionsSentinelOne & GuardzManaged SentinelOne (Ultimate Plan)Deploying the SentinelOne Agent
SentinelOne Installation - Windows
SentinelOne Installation - Windows
Updated this week

Installing Windows Agents

To make the Agent deployment process more robust, we introduced a new installation package.

We still support the MSI installation package, but we recommend you use the new installer for a better installation experience and success rates. The new installation package is an MSI installer run by a SentinelOneInstaller.exe executable.

Important

There are some changes in the installer arguments format between SentinelInstaller.exe (the old package) and SentinelOneInstaller.exe (the new package). Review your deployment scripts to identify if any change is required.

For Windows Agent 22.1 and above, SentinelInstaller.exe (the old package) will be replaced by SentinelOneInstaller.exe (the new package).

Prerequisites:

The command to install, upgrade, and downgrade an Agent is the same. The Agent package and its version determine if it will install, upgrade, or downgrade the Agent.

The installer runs a series of tests on the endpoint to see if the installation will succeed. For details, see Tests Run by the Installer on Endpoints Before Installing the Agent.

Download the Installation Package

  1. Download the latest SentinelOneInstaller Windows installer package.

    1. Important: Make sure you use the file named SentinelOneInstaller.exe (the new installer) and not SentinelInstaller.exe (the old installer).

    2. Best Practice: Download the file to the local endpoint.

Get the Site Token

Get the Site token that registers the Agent with a Site. This can be found in Security Controls > Endpoint Security > SentinelOne > Managed > Deploy > View Site Token

Install the Agent By Double-Clicking the File: Versions 22.2+

Objective: Install SentinelOne Windows Agent on a local endpoint by double-clicking the installation file.

Note: This option is available only for Agent versions 22.2+.

  1. Go to the folder where you downloaded the new installation package.

  2. Double-click the installation file.

  3. Follow the instructions of the wizard.

  4. Enter the Site Token and click Install.

  5. Wait for the process to complete.

Install the Agent From the Local Command Line or a Deployment Tool: Versions 22.2+

Objective: Install SentinelOne Windows Agent on a local endpoint from the local Command Line (CMD) or with a deployment tool such as GPO, SCCM, or Tanium.

Note: This option is available only for Agent versions 22.2+.

  1. Log in to one of these:

    • A deployment tool with an administrator account.

      Note

      For instructions on how to upgrade a Windows Agent with SCCM using a PowerShell script, see .Upgrading Agents with SCCM Using a PowerShell Script

    • The command prompt on a local endpoint. In Windows Start or Search, enter CMD > right-click Command Prompt, and select Run as administrator.

    • PowerShell

  2. Go to the folder where you downloaded the new installation package.

    Example:

    cd C:\Users\adminWin\Downloads

  3. Install the Agent:

    • From CMD run:

      SentinelOneInstaller.exe [-a installer_arguments] -t site_Token

      Example:

      SentinelOneInstaller_windows_64bit_v22_2_1_200.exe -t a1b2c3d4e5f6g7h8i9a1b2c3d4e5f6g7h8i9

    • From PowerShell run:

      ./SentinelOneInstaller.exe [-a installer_arguments] -t site_Token

      Example:

      ./SentinelOneInstaller_windows_64bit_v22_2_1_200.exe -t a1b2c3d4e5f6g7h8i9a1b2c3d4e5f6g7h8i9

    Where:

    • SentinelOneInstaller.exe is the full package name.

    • -a installer_arguments : Installer arguments are optional. For a list of installer arguments, see .Installer Arguments

      If there is a web proxy between the endpoints and the Console, you must use the installer arguments to configure the proxy for the Agent in the installation command. To configure a proxy after the Agent is installed, you must .use sentinelctl

    • -t site_Token is the site token.

      Important:

      If you add the -q parameter you must use the -t parameter and enter the token.

      If you do not use -q parameter, the -t parameter is optional in this step of the procedure. If you do not enter the token now, you must add it into the UI later.

    • -q, --qn

      Optional unless you use a deployment tool to install theAgent (then it is mandatory).

      Quiet mode. The installer does not show the status of the upgrade as it progresses, and does not automatically show a return code when the upgrade completes.

      Important:

      If you use the -q or --qn parameter, you must also use the -t parameter and enter the token.

      Example syntax:

      SentinelOneInstaller.exe -t site_Token -q

    • -b, --reboot_on_need

      Optional.

      Automatically reboot the endpoint when one of these exit codes would have been returned after the installation:

      • 100: The uninstall of the previous Agent succeeded. Reboot the endpoint to continue with the installation of the new Agent.

      • 103: Reboot is required to uninstall the previous Agent and install the new Agent.

      • 104: Reboot is already required by a previous run of the installer.

    • -c, --clean_only

      Optional.

      Add to clean the Agent (remove previous installation directories and the current Agent) without installing a new version of the Agent.

      To use -c (clean only), you must:

      • Use -t (site token), AND

      • Use either -k with the Agent or Account passphrase, or the Confirm Local Upgrade action.

    • -k, --key

      Optional.

      Syntax: -k passphrase where passphrase is the Agent or Account passphrase, needed to validate privileges.

      The Agent or Account passphrase to validate privileges.

  4. Follow the instructions of the wizard.

  5. If you added -t site_Token to the command, the token already appears in the UI. Click Install.

    If you did not add -t site_Token to the command, enter the Site Token and click Install.

  6. Wait for the process to complete. Click Finish.

  7. If more Agent capabilities will be enabled after you reboot the endpoint, a notification appears.

    You do NOT have to reboot the endpoint.

    Optional: Click Yes to automatically reboot the endpoint.

    Note: If you are installing version 23.4.1 or later, this notification does not appear, and rebooting the endpoint is not necessary.

  8. Get the return code.

    • The return code is in the C:\windows\temp directory, in SC-exit-code.txt or SC-after-reboot-exit-code.txt. Open the most recently edited file.

    • If you ran the tool from CMD, run:

      start /wait SentinelOneInstaller.exe -t "..." echo %errorlevel%

      If you ran the tool from PowerShell (elevated), run:

      .\SentinelOneInstaller.exe -t "..." | Out-Host $LastExitCode

    • If you ran the tool from PowerShell (non-elevated), run

      $p = Start-Process .\SentinelOneInstaller.exe -PassThru -Wait -ArgumentList '-t "..."' $p.ExitCode

      Note: If the tool is run from PowerShell (non-elevated), the command line arguments must be specified with the -ArgumentList, see.documentation for PowerShell

  9. Find your return code (also called exit code) in and follow the instructions in the Next Step column.Return Codes After Installing or Updating Windows Agents

  10. Validate that a new version is installed.

    1. From the endpoint, go to the SentinelOne Agent directory:

      cd "c:\Program Files\SentinelOne\Sentinel Agent version"

      Example:

      cd "c:\Program Files\SentinelOne\Sentinel Agent 22.2.3.402"

    2. Run this sentinelctl command:

      sentinelctl status

    3. Look at the Monitor Build id in the output to validate that a new version of the Agent is installed and the Agent is loaded and running.

      Example output:

      Disable State: Not disabled by the user SentinelMonitor is loaded Self-Protection status: On Monitor Build id: 22.2.3.402+a1b2c3d4e5f6g7h8i9-Release.x64 SentinelAgent is loaded SentinelAgent is running as PPL Mitigation policy: quarantineThreat

Install the Agent From the Local Command Line or a Deployment Tool: Version 22.1

Objective: Install SentinelOne Windows Agent on a local endpoint from the local Command Line (CMD) or with a deployment tool such as GPO, SCCM, or Tanium.

  1. Log in to one of these:

    • A deployment tool with an administrator account.

      Note: For instructions on how to upgrade a Windows Agent with SCCM using a PowerShell script, see .Upgrading Agents with SCCM Using a PowerShell Script

    • The command prompt on a local endpoint. In Windows Start or Search, enter CMD > right-click Command Prompt, and select Run as administrator.

    • PowerShell

  2. Go to the folder where you downloaded the new installation package.

    Example:

    cd C:\Users\adminWin\Downloads

  3. Install the Agent:

    • From CMD run:

      SentinelOneInstaller.exe [-a installer_arguments] --dont_fail_on_config_preserving_failures -t site_Token

      Example:

      SentinelOneInstaller_windows_64bit_v22_1_2_210.exe --dont_fail_on_config_preserving_failures -t a1b2c3d4e5f6g7h8i9a1b2c3d4e5f6g7h8i9

    • From PowerShell run:

      ./SentinelOneInstaller.exe [-a installer_arguments] --dont_fail_on_config_preserving_failures -t site_Token

      Example:

      ./SentinelOneInstaller_windows_64bit_v22_1_2_210.exe --dont_fail_on_config_preserving_failures -t a1b2c3d4e5f6g7h8i9a1b2c3d4e5f6g7h8i9

    Where:

    • SentinelOneInstaller.exe is the full package name.

    • -a installer_arguments : Installer arguments are optional. For a list of installer arguments, see .Installer Arguments

      If there is a web proxy between the endpoints and the Console, you must use the installer arguments to configure the proxy for the Agent in the installation command. To configure a proxy after the Agent is installed, you must .use sentinelctl

    • --dont_fail_on_config_preserving_failures

      The installer will always try to preserve the configuration. If you add this parameter, it will not stop on failure if it cannot preserve the previous Agent configuration.

      Important:This parameter is mandatory for version 22.1 but optional for versions 22.2+.

    • -t site_Token is the site token.

    • -b, --reboot_on_need

      Optional.

      Automatically reboot the endpoint when required to continue with the installation.

    • -c, --clean_only

      Optional.

      Add to clean the Agent (remove previous installation directories and the current Agent) without installing a new version of the Agent.

      To use -c (clean only), you must:

      • Use -t (site token), AND

      • Use either -k with the Agent or Account passphrase, or the Confirm Local Upgrade action.

    • -k, --key

      Optional.

      Syntax: -k passphrase where passphrase is the Agent or Account passphrase, needed to validate privileges.

      The Agent or Account passphrase to validate privileges.

  4. Wait for the process to complete.

  5. Get the return code.

    • The return code is in the C:\windows\temp directory, in SC-exit-code.txt or SC-after-reboot-exit-code.txt. Open the most recently edited file.

    • Alternatively,

      If you ran the tool from CMD, run:

      echo %errorlevel%

      If you ran the tool from PowerShell, run:

      $LastExitCode

  6. Find your return code (also called exit code) in and follow the instructions in the Next Step column.Return Codes After Installing or Updating Windows Agents

  7. Validate that a new version is installed.

    1. From the endpoint, go to the SentinelOne Agent directory:

      cd "c:\Program Files\SentinelOne\Sentinel Agent version"

      Example:

      cd "c:\Program Files\SentinelOne\Sentinel Agent 22.2.3.402"

    2. Run this sentinelctl command:

      sentinelctl status

    3. Look at the Monitor Build id in the output to validate that a new version of the Agent is installed and the Agent is loaded and running.

      Example output:

      Disable State: Not disabled by the user SentinelMonitor is loaded Self-Protection status: On Monitor Build id: 22.2.3.402+a1b2c3d4e5f6g7h8i9-Release.x64 SentinelAgent is loaded SentinelAgent is running as PPL Mitigation policy: quarantineThreat

Installer Arguments

  • If you use any of the installer arguments , add the flag -a before the installer argument and wrap the argument with quotation marks (" "). After the flag -a you may add the equals character (=), but you do not have to.in this table

    Example:

    SentinelOneInstaller_windows_64bit_v22_2_1_200.exe -t MY_TOKEN -a "VDI=true AGENT_LOGGING=true"

    or

    SentinelOneInstaller_windows_64bit_v22_2_1_200.exe -t MY_TOKEN -a="VDI=true AGENT_LOGGING=true"

  • If an argument should contain quotation marks (" "), for example CUSTOMER_ID="Customer Identifier string", add three quotation marks.

    Example:

    SentinelOneInstaller_windows_64bit_v22_2_1_200.exe -a "CUSTOMER_ID="""123321""""

  • Do not add /NORESTART. It will not affect the installation. By default, installing the Agent does not reboot the endpoint.

  • Regarding SentinelOneInstaller and Quiet mode:

    • In Agent 22.1, Quiet mode is not supported. Do not add /QUIET because it will not affect the installation. Version 22.1 does not support the parameters -q or --qn.

    • In Agents 22.2+ Quiet mode is supported but it is NOT the default. To run the installer in quiet mode add -q or --qn. Do not add /QUIET because it will not affect the installation.

Optional Installer Arguments

Optional Arguments

Description

SERVER_PROXY=mode

Set a proxy server between the Agent and its Management.

Important

For Windows Agents: If there is a web proxy between the endpoints and the Console, we recommend you for the Windows Agent in the installation command. If you did not configure a proxy, the Agent is already installed, and there is no connection between the Agent and the Management Console, see configure the proxyHow to Fix Never Connected Agents

Agent in the installation command. If you did not configure a proxy, the Agent is already installed, and there is no connection between the Agent and the Management Console, see .How to Fix Never Connected Agents

Mode valid values:

  • auto = use the Windows LAN settings (PAC file)

  • system = use Other proxy (not from OS) configured in the local Agent

  • user,fallback[:port] = user mode on Windows

  • http://{IP | FQDN}:[port]

AGENT_LOGGING={true | false}

Disable Agent logging.

INSTALL_PATH_DATA="drive:\path"

Customize the path for Agent database, logs, and large data files.

Requirements

  • The path must be in English, 150 characters or less.

  • The path must be a fixed drive (it cannot be a USB or other removable media), and it must be NTFS.

  • If the path is not on the System drive, it must have at least 4 GB free space.

(Supported from Agent versions 3.6)

SERVER_PROXY_CREDENTIALS=user:pass

Set credentials to authenticate with the Management proxy.

IOC_PROXY=mode

Set a proxy server between the Agent and the Deep Visibility™ EDR data server.

Mode valid values:

  • single = use the same proxy for Management and for Deep Visibility™

  • auto = use the Windows LAN settings (PAC file)

  • system = use Other proxy (not from OS) configured in the local Agent

  • user,fallback[:port] = user mode on Windows

  • http://{IP | FQDN}:[port]

IOC_PROXY_CREDENTIALS=username:password

Set the username and password to authenticate with the Deep Visibility™ proxy.

FORCE_PROXY={true | false}

Prevent fallback to direct communication if the proxy is not available.

Important! If the Management proxy or the Deep Visibility™ proxy is configured with user mode, do not use Force Proxy.

WSC={true | false}

Set the Agent installation to disable (true) or not disable (false) Windows Defender.

CUSTOMER_ID="Customer Identifier string"

Add a user-defined Identifier string to the endpoint.

Syntax:

SentinelOneInstaller.exe -a "CUSTOMER_ID="""Customer Identifier string""""

VDI={true | false}

Install on Virtual Desktop Infrastructure or VMs with a Golden (Master) Image.

Important: This property is NOT recommended for all VM installation types. See for when this property is recommended.Installing Windows Agents on VM or VDI

Tests Run by the Installer on Endpoints Before Installing the Agent

After you run the installation package, before the installation starts, the installer runs a series of tests on the endpoint to see if the installation will succeed.

  • The endpoint has enough disk space and RAM (greater than 1 GB) to run the installation.

  • The endpoint Admin has the required permissions.

  • Operating System is Windows 7 SP1 and above.

  • File system:

    • Agent data directory must be a fixed NTFS drive.

    • If the Agent data directory is the default drive, 2 GB on the system drive is required. Otherwise, 4 GB on the data drive and 500 MB on the system drive are required.

  • Program Files and Windows directory must reside on the same drive letter. Changing the location of Program Files is not supported by Microsoft. See Microsoft KB933700.

  • Microsoft KB2533623 (Insecure library loading could allow remote code execution) must be installed. After installation of the update, you need to restart your computer and begin the Agent installation process again.

  • SHA256 code signing support - Microsoft KB3033929 - Security Update for Windows must be installed.

  • Existence and Integrity of cryptographic services and databases under Windows CryptSvc.

Related Articles
SentinelOne Installation - macOS
SentinelOne Installation - Linux
Installing SentinelOne Windows Agents with Intune
Windows Agent Installer Command Line Options
Migrating from Existing SentinelOne to Guardz
Did this answer your question?