Installing the Windows Agent Using an MSI Package

This article is based on SentinelOne community documentation last updated on Jan 05 2025

Important:

Do not modify or try to customize MSI installation packages provided by SentinelOne. If you do, installation and future upgrades will fail.

You can also use the MSI package to run a new installation, or upgrade an Agent installed from an MSI installer or from an EXE installer. The Agent package and its version determines if it will install, upgrade, or downgrade the Agent.

SentinelOne uploads MSI packages to Consoles. Use the 32-bit version to install on a 32-bit OS, and the 64-bit version to install on a 64 bit OS.

New Installations from an MSI Package

Agent Version	Supported New Installation Methods
3.6.2+	Manually External deployment systems (including GPO)

Upgrading Agents Installed from an MSI Package with an MSI Package (MSI to MSI)

Source Agent Version	Target Agent Version	Supported MSI to MSI Upgrade Methods
3.6.2+	4.2.5+	Manually External deployment systems except GPO Remotely from the Console

Upgrading Agents Installed from an EXE Package with an MSI Package (EXE to MSI)

Source Agent Version	Target Agent Version	Supported EXE to MSI Upgrade Methods
4.1.5, 4.1.6, or 4.2.2+	4.2.5+ with Management Version Kauai SP3+	Manually External deployment systems except GPO Remotely from the Management Console

This article contains these topics:

Installation Methods.
Upgrade Methods.
Download and run the MSI file.
To install the MSI with GPO.
To create a Deployment MSI Application in SCCM.
To install the MSI without disabling Windows Defender.
To Upgrade the Agent from the Management Console.
Troubleshooting

Installation Methods

Manually: Download and run the MSI file or open it from the CLI.
From external deployment systems, such as SCCM and GPO.

Upgrade Methods

There are various ways to upgrade your Agents using an MSI package. The method you use depends on the versions of the source Agent and the target Agent.

Manually: Download and run the MSI file or open it from the CLI.
From an external deployment system, such as SCCM. .
Remotely from the Management Console.

Download and run the MSI file

In the Sentinels toolbar, click Packages.
Click the Download icon next to the File Name of the MSI package you want to install.
Double-click the file.
From version 4.5.1 double-clicking the MSI file opens a UI Wizard.
1. Note: A Site or Group token is only required when you install the Agent. If used during an upgrade, it is ignored.
2. Enter the Site/Group Token.
3. Optional: Click the Advanced button to select a customized path for the Agent installation and a customer identifier.
  A progress bar shows the progress of the installation.

To install the MSI with GPO

Note: SentinelOne only supports the site token property of the MST file. SentinelOne does not support its other properties.

Before you begin, download the MSI file and get the Site token.

Launch ORCA and open the Agent MSI.
When deploying the Agent using a group policy, you need to create a configuration file to include your unique parameters. You can access the Orca installer for Windows 7, Windows 8, Windows 8.1 and Windows 10 by downloading the Windows SDK. Agent files are architecture specific. You must create separate transform files for 32 bit and 64 bit agents. You can download the Orca from https://docs.microsoft.com/en-us/windows/win32/msi/orca-exe.
Click Transform > New Transform.
In the loaded SentinelInstaller window, click Tables > Property. Right-click the other pane and select Add Row.
For the property name, enter SITE_TOKEN, and enter its value - the Site Token string.
1. Note: A Site or Group token is mandatory when you install the Agent. It is unnecessary to use a Site or Group token when you upgrade the Agent, and if you use one, it is ignored.
Click Transform > Generate Transform.
Save the MST file with the MSI file, in a path that all the target endpoints can access.
From your AD Domain Server > Server Manager, click Tools > Group Policy Management.
Right-click the domain and select Create a GPO in this domain and Link it here.
In the window that opens, enter a name for the new policy and click OK.
In the Group Policy Manager window, right-click the new policy and select Edit.
In the window that opens, expand Computer Configuration > Policies > Software Settings. Right-click Software Settings and select New > Package.
In the window that opens, select the SentinelOne MSI.
In the Deploy Software window, make sure Advanced is selected.
Click OK.
1. Wait for the Sentinel Agent Properties window to open.
Click Modifications > Add.
Select the MST file. Wait for it to load. Click OK.
On the endpoints, in cmd, run: gpupdate /force
When the policy is updated, enter Y to restart the endpoint.
When the user logs in, see that the Agent is installed.

To create a SentinelOne Deployment MSI Application in SCCM:

Before you begin, download the MSI file, if you are installing the Agent get the Site token, and create an SCCM collection of the endpoints on which you will install the new Agent.

Launch SCCM.
Click Software Library > Application Management.
Right-click Applications and select Create Application.
From the Create Application Wizard, select Windows Installer (*.msi file) and enter the location.
Click Next.
On the General Information page, in Name, enter: Sentinel Agent.
Click Browse to select the MSI file.
In the wizard, enter the Site Token as a command-line argument.
For example:
```
msiexec /i "<path to SentinelInstaller.msi>" /q SITE_TOKEN="string"
```
Note: A Site or Group token is mandatory when you install the Agent. It is unnessecary to use a Site or Group token when you upgrade the Agent, and if you use one, it is ignored.
Click Next and complete the wizard.

To install the MSI without disabling Windows Defender:

By default, the Windows Agent registers with Windows Security Center (WSC) as anti-virus protection. When SentinelOne is registered, Windows disables Windows Defender.

Note: SentinelOne does not recommend that you disable WSC. You can install the Agent with a switch to not register with WSC and to keep Windows Defender enabled.

Install the MSI with this command-line argument:
```
SentinelInstaller.msi /q SITE_TOKEN="string" WSC=false
```
Note: A Site or Group token is mandatory when you install the Agent. It is unnessecary to use a Site or Group token when you upgrade the Agent, and if you use one, it is ignored.

MSI Installer Options

Action and Description	Option
Silent installation (no UI, no user interaction, no reboot).	/q, /QUIET
With a Silent installation switch, you can use an optional flag for endpoint reboot: Install the Agent without an automatic reboot. Use for mass deployment when you send a message to users to restart their computers at the end of the day, or if you have a reboot scheduled for a specified time. Always reboot.	/NORESTART /FORCERESTART
Install the Agent with the UI disabled (no tray icon or notifications).	UI={true \| false}
Disable Agent logging.	AGENT_LOGGING={true \| false}
Assign Agents to a Site or Group. Note: A Site or Group token is mandatory when you install the Agent. It is unnessecary to use a Site or Group token when you upgrade the Agent, and if you use one, it is ignored.	SITE_TOKEN=string
Customize the path for Agent database, logs, and large data files. Requirements The path must be in English, 150 characters or less. The path must be a fixed drive (it cannot be a USB or other removable media), and it must be NTFS. If the path is not on the System drive, it must have at least 4 GB free space. (Supported from Agent versions 3.6)	INSTALL_PATH_DATA="drive:\path"
Set a proxy server between the Agent and its Management. Mode valid values: `auto` = use the Windows LAN settings (PAC file) `system` = use Other proxy (not from OS) configured in the local Agent `user`,fallback[:port] = user mode on Windows `http://`{IP `\| FQDN}:[`port]	SERVER_PROXY=mode
Set credentials to authenticate with the Management proxy.	SERVER_PROXY_CREDENTIALS=user:pass
Set a proxy server between the Agent and the Deep Visibility™ EDR data server. Mode valid values: `single` = use the same proxy for Management and for Deep Visibility™ `auto` = use the Windows LAN settings (PAC file) `system` = use Other proxy (not from OS) configured in the local Agent `user`,fallback[:port] = user mode on Windows `http://`{IP `\| FQDN}:[`port]	IOC_PROXY=mode
Set credentials to authenticate with the Deep Visibility™ proxy.	IOC_PROXY_CREDENTIALS=username:password
Prevent fallback to direct communication if the proxy is not available. Important! If the Management proxy or the Deep Visibility™ proxy is configured with `user` mode, do not use Force Proxy.	FORCE_PROXY={true \| false}
Set the Agent installation to disable (true) or not disable (false) Windows Defender.	WSC={true \| false}
Add a user-defined Identifier string to the endpoint.	CUSTOMER_ID="Customer Identifier string"
Install on Virtual Desktop Infrastructure or VMs with a Golden (Master) Image. Important: This property is NOT recommended for all VM installation types. See Installing Windows Agents on VM or VDI for when this property is recommended.	VDI={true \| false}

Important for all endpoints: We recommend that you enhance endpoint security with protection against physical theft and hacking (such as unauthorized disk mount modification). Enable full disk encryption, apply OS patches, and maintain measures according to your vendor recommendations and corporate policies.

Troubleshooting

To troubleshoot issues, see the MSI installation log or call Support.

The MSI installation log is named MSI<string>.log.

If you run the installation/upgrade from a specific user, the installation log will be in the folder %temp%.
If you run the installation/upgrade from a system user (like from the Management Console) the installation log will be in the folder %systemroot%\temp.

SentinelOne Installation - macOS

SentinelOne Installation - Windows

Installing SentinelOne Windows Agents with Intune

Windows Agent Installer Command Line Options

Installing SentinelOne Windows Agents on VM or VDI