Skip to main content

SentinelOne Installation - Windows

Updated over 2 weeks ago

This article is based on SentinelOne community documentation, last updated on Oct 21 2025

Install the Agent By Double-Clicking the File: Versions 22.2+

Install SentinelOne Windows Agent on a local endpoint by double-clicking the installation file.

Please note:

This option is available only for Agent versions 22.2+.

  1. Go to the folder where you downloaded the new installation package.

  2. Double-click the installation file.

  3. Follow the instructions of the wizard.

  4. Enter the Site or Group Token and click Install.

  5. Wait for the process to complete.

Install the Agent From the Local Command Line or a Deployment Tool: Versions 22.2+

Install SentinelOne Windows Agent on a local endpoint from the local Command Line (CMD) or with a deployment tool such as GPO, SCCM, or Tanium.

Please note:

This option is available only for Agent versions 22.2+.

  1. Log in to one of these:

    • A deployment tool with an administrator account.

    • The command prompt on a local endpoint. In Windows Start or Search, enter CMD > right-click Command Prompt, and select Run as administrator.

    • PowerShell

  2. Go to the folder where you downloaded the new installation package.

    Example:

    cd C:\Users\adminWin\Downloads

  3. Install the Agent:

    • From CMD run:

      SentinelOneInstaller.exe [-a installer_arguments] -t site_Token or group_Token

      Example:

      SentinelOneInstaller_windows_64bit_v22_2_1_200.exe -t a1b2c3d4e5f6g7h8i9a1b2c3d4e5f6g7h8i9

    • From PowerShell, run:

      .\SentinelOneInstaller.exe [-a installer_arguments] -t site_Token or group_Token

      Example:

      .\SentinelOneInstaller_windows_64bit_v22_2_1_200.exe -t a1b2c3d4e5f6g7h8i9a1b2c3d4e5f6g7h8i9

    Where:

    • SentinelOneInstaller.exe is the full package name.

    • -a installer_arguments : Installer arguments are optional.

      If there is a web proxy between the endpoints and the Console, you must use the installer arguments to configure the proxy for the Agent in the installation command.

    • -t site_Token or group_Token is the site token or group token.

      Important:

      If you add the -q parameter you must use the -t parameter and enter the token. If you do not use -q parameter, the -t parameter is optional in this step of the procedure. If you do not enter the token now, you must add it into the UI later.

    • -q, --qn

      Optional unless you use a deployment tool to install theAgent (then it is mandatory).

      Quiet mode. The installer does not show the status of the upgrade as it progresses, and does not automatically show a return code when the upgrade completes.

      Important:

      If you use the -q or --qn parameter, you must also use the -t parameter and enter the token. Example syntax:

      SentinelOneInstaller.exe -t site_Token -q

    • -b, --reboot_on_need (Optional)

      Automatically reboot the endpoint when one of these exit codes would have been returned after the installation:

      • 100: The uninstall of the previous Agent succeeded. Reboot the endpoint to continue with the installation of the new Agent.

      • 103: Reboot is required to uninstall the previous Agent and install the new Agent.

      • 104: Reboot is already required by a previous run of the installer.

    • -c, --clean_only (Optional)

      Add to clean the Agent (remove previous installation directories and the current Agent) without installing a new version of the Agent.

      To use -c (clean only), you must:

      • Use -t (site token), AND

      • Use either -k with the Agent or Account passphrase, or the Confirm Local Upgrade action.

    • -k, --key (Optional)

      Syntax: -k passphrase where passphrase is the Agent or Account passphrase, needed to validate privileges.

      The Agent or Account passphrase to validate privileges.

  4. Follow the instructions of the wizard

  5. If you added -t site_Token or group_Token to the command, the token already appears in the UI. Click Install.

    If you did not add -t site_Token or group_Token to the command, enter the Site or Group Token and click Install.

  6. Wait for the process to complete. Click Finish.

  7. If more Agent capabilities will be enabled after you reboot the endpoint, a notification appears.

    You do NOT have to reboot the endpoint.

    Optional: Click Yes to automatically reboot the endpoint.

    Please Note:

    If you are installing version 23.4.1 or higher, this notification does not appear. A reboot is not mandatory because most Agent functionality is operational after installation. However, a reboot might be required to enable specific features. For example, you might be prompted by a Pending Action in the Console (Endpoint Status) to reboot the endpoint if Path Exclusions of type Extended are applied to the endpoint. To see which endpoints require a reboot, go to the Endpoints page, filter for Pending actions > Attention needed, and click an Endpoint Name to view its details.

  8. Get the return code.

    • The return code is in the C:\windows\temp directory, in SC-exit-code.txt or SC-after-reboot-exit-code.txt. Open the most recently edited file.

    • If you ran the tool from CMD, run:

      start /wait SentinelOneInstaller.exe -t "..." echo %errorlevel%

    • If you ran the tool from PowerShell (elevated), run:

      .\SentinelOneInstaller.exe -t "..." | Out-Host $LastExitCode

    • If you ran the tool from PowerShell (non-elevated), run

      $p = Start-Process .\SentinelOneInstaller.exe -PassThru -Wait -ArgumentList '-t "..."' $p.ExitCode

      Please Note:

      If the tool is run from PowerShell (non-elevated), the command line arguments must be specified with the -ArgumentList

  9. Find your return code (also called exit code) and follow the instructions in the Next Step column

  10. Validate that a new version is installed.

    1. From the endpoint, go to the SentinelOne Agent directory:

      cd "c:\Program Files\SentinelOne\Sentinel Agent version"

      Example:

      cd "c:\Program Files\SentinelOne\Sentinel Agent 22.2.3.402"

    2. Run this sentinelctl command:

      sentinelctl status

    3. Look at the Monitor Build id in the output to validate that a new version of the Agent is installed and the Agent is loaded and running.

      Example output:

      Disable State: Not disabled by the user SentinelMonitor is loaded Self-Protection status: On Monitor Build id: 22.2.3.402+a1b2c3d4e5f6g7h8i9-Release.x64 SentinelAgent is loaded SentinelAgent is running as PPL Mitigation policy: quarantineThreat

Install the Agent From the Local Command Line or a Deployment Tool: Version 22.1

Install SentinelOne Windows Agent on a local endpoint from the local Command Line (CMD) or with a deployment tool such as GPO, SCCM, or Tanium.

  1. Log in to one of these:

    • A deployment tool with an administrator account.

      Please Note:

      For instructions on how to upgrade a Windows Agent with SCCM using a PowerShell script

    • The command prompt on a local endpoint. In Windows Start or Search, enter CMD > right-click Command Prompt, and select Run as administrator.

    • PowerShell

  2. Go to the folder where you downloaded the new installation package.

    Example:

    cd C:\Users\adminWin\Downloads

  3. Install the Agent:

    • From CMD, run:

      SentinelOneInstaller.exe [-a installer_arguments] --dont_fail_on_config_preserving_failures -t site_Token or group_Token

      Example:

      SentinelOneInstaller_windows_64bit_v22_1_2_210.exe --dont_fail_on_config_preserving_failures -t a1b2c3d4e5f6g7h8i9a1b2c3d4e5f6g7h8i9

    • From PowerShell, run:

      .\SentinelOneInstaller.exe [-a installer_arguments] --dont_fail_on_config_preserving_failures -t site_Token or group_Token

      Example:

      .\SentinelOneInstaller_windows_64bit_v22_1_2_210.exe --dont_fail_on_config_preserving_failures -t a1b2c3d4e5f6g7h8i9a1b2c3d4e5f6g7h8i9

    Where:

    • SentinelOneInstaller.exe is the full package name.

    • -a installer_arguments : Installer arguments are optional.

      If there is a web proxy between the endpoints and the Console, you must use the installer arguments to configure the proxy for the Agent in the installation command. To configure a proxy after the Agent is installed, you must use sentinelctl.

    • --dont_fail_on_config_preserving_failures

      The installer will always try to preserve the configuration. If you add this parameter, it will not stop on failure if it cannot preserve the previous Agent configuration.

      Please note:

      This parameter is mandatory for version 22.1 but optional for versions 22.2+.

    • -t site_Token or group_Token is the site token or group token.

    • -b, --reboot_on_need (Optional)

      Automatically reboot the endpoint when required to continue with the installation.

    • -c, --clean_only (Optional)

      Add to clean the Agent (remove previous installation directories and the current Agent) without installing a new version of the Agent.

      To use -c (clean only), you must:

      • Use -t (site token), AND

      • Use either -k with the Agent or Account passphrase, or the Confirm Local Upgrade action.

    • -k, --key (Optional)

      Syntax: -k passphrase where passphrase is the Agent or Account passphrase, needed to validate privileges.

      The Agent or Account passphrase to validate privileges.

  4. Wait for the process to complete.

  5. Get the return code.

    • The return code is in the C:\windows\temp directory, in SC-exit-code.txt or SC-after-reboot-exit-code.txt. Open the most recently edited file.

    • Alternatively,

      If you ran the tool from CMD, run:

      echo %errorlevel%

      If you ran the tool from PowerShell, run:

      $LastExitCode

  6. Find your return code (also called exit code) and follow the instructions in the Next Step column.

  7. Validate that a new version is installed.

    1. From the endpoint, go to the SentinelOne Agent directory:

      cd "c:\Program Files\SentinelOne\Sentinel Agent version"

      Example:

      cd "c:\Program Files\SentinelOne\Sentinel Agent 22.2.3.402"

    2. Run this sentinelctl command:

      sentinelctl status

    3. Look at the Monitor Build id in the output to validate that a new version of the Agent is installed and the Agent is loaded and running.

      Example output:

      Disable State: Not disabled by the user SentinelMonitor is loaded Self-Protection status: On Monitor Build id: 22.2.3.402+a1b2c3d4e5f6g7h8i9-Release.x64 SentinelAgent is loaded SentinelAgent is running as PPL Mitigation policy: quarantineThreat

Installer Arguments

  • If you use any of the installer arguments, add the flag -a before the installer argument and wrap the argument with quotation marks (" "). After the flag -a you may add the equals character (=), but you do not have to.

    Example:

    SentinelOneInstaller_windows_64bit_v22_2_1_200.exe -t MY_TOKEN -a "VDI=true AGENT_LOGGING=true"

    or

    SentinelOneInstaller_windows_64bit_v22_2_1_200.exe -t MY_TOKEN -a="VDI=true AGENT_LOGGING=true"

  • If an argument should contain quotation marks (" "), for example CUSTOMER_ID="Customer Identifier string", add three quotation marks.

    Example:

    SentinelOneInstaller_windows_64bit_v22_2_1_200.exe -a "CUSTOMER_ID="""123321""""

  • Do not add /NORESTART. It will not affect the installation. By default, installing the Agent does not reboot the endpoint.

  • Regarding SentinelOneInstaller and Quiet mode:

    • In Agent 22.1, Quiet mode is not supported. Do not add /QUIET because it will not affect the installation. Version 22.1 does not support the parameters -q or --qn.

    • In Agents 22.2+ Quiet mode is supported but it is NOT the default. To run the installer in quiet mode add -q or --qn. Do not add /QUIET because it will not affect the installation.

Optional Installer Arguments

Optional Arguments

Description

SERVER_PROXY=mode

Set a proxy server between the Agent and its Management.

For Windows Agents: If there is a web proxy between the endpoints and the Console, we recommend you configure the proxy for the Windows Agent in the installation command.

Mode valid values:

  • auto = use the Windows LAN settings (PAC file)

  • system = use Other proxy (not from OS) configured in the local Agent

  • user,fallback[:port] = user mode on Windows

  • http://{IP | FQDN}:[port]

AGENT_LOGGING={true | false}

Disable Agent logging.

INSTALL_PATH_DATA="drive:\path"

Customize the path for Agent database, logs, and large data files.

Requirements

  • The path must be in English, 150 characters or less.

  • The path must be a fixed drive (it cannot be a USB or other removable media), and it must be NTFS.

  • If the path is not on the System drive, it must have at least 4 GB free space.

(Supported from Agent versions 3.6)

SERVER_PROXY_CREDENTIALS=user:pass

Set credentials to authenticate with the Management proxy.

IOC_PROXY=mode

Set a proxy server between the Agent and the Deep Visibility™ EDR data server.

Mode valid values:

  • single = use the same proxy for Management and for Deep Visibility™

  • auto = use the Windows LAN settings (PAC file)

  • system = use Other proxy (not from OS) configured in the local Agent

  • user,fallback[:port] = user mode on Windows

  • http://{IP | FQDN}:[port]

IOC_PROXY_CREDENTIALS=username:password

Set the username and password to authenticate with the Deep Visibility™ proxy.

FORCE_PROXY={true | false}

Prevent fallback to direct communication if the proxy is not available.

Important! If the Management proxy or the Deep Visibility™ proxy is configured with user mode, do not use Force Proxy.

WSC={true | false}

Set the Agent installation to disable (true) or not disable (false) Windows Defender.

CUSTOMER_ID="Customer Identifier string"

Add a user-defined Identifier string to the endpoint.

Syntax:

SentinelOneInstaller.exe -a "CUSTOMER_ID="""Customer Identifier string""""

VDI={true | false}

Install on Virtual Desktop Infrastructure or VMs with a Golden (Master) Image.

Important: This property is NOT recommended for all VM installation types.

Tests Run by the Installer on Endpoints Before Installing the Agent

After you run the installation package, before the installation starts, the installer runs a series of tests on the endpoint to see if the installation will succeed.

  • The endpoint has enough disk space and RAM (greater than 1 GB) to run the installation.

  • The endpoint Admin has the required permissions.

  • Operating System is Windows 7 SP1 and above.

  • File system:

    • Agent data directory must be a fixed NTFS drive.

    • If the Agent data directory is the default drive, 2 GB on the system drive is required. Otherwise, 4 GB on the data drive and 500 MB on the system drive are required.

  • Program Files and Windows directory must reside on the same drive letter. Changing the location of Program Files is not supported by Microsoft. See Microsoft KB933700.

  • Microsoft KB2533623 (Insecure library loading could allow remote code execution) must be installed. After installation of the update, you need to restart your computer and begin the Agent installation process again.

  • SHA256 code signing support - Microsoft KB3033929 - Security Update for Windows must be installed.

  • Existence and Integrity of cryptographic services and databases under Windows CryptSvc.

Related Articles
Installing SentinelOne Windows Agents with Intune
Windows Agent Installer Command Line Options
Installing SentinelOne Windows Agents on VM or VDI
VDI and VM Deployment
Installing the Windows Agent Using an MSI Package
Did this answer your question?