SentinelOne Agent Installation, Upgrade & Downgrade Guide (Windows)
Updated over 3 weeks ago

📌 Introduction

This guide provides detailed steps for installing, upgrading, and downgrading SentinelOne Agents on Windows devices. It includes local and remote deployment methods using EXE/MSI installers, GPO, SCCM, or other tools outside the SentinelOne Management Console.

✅ Applies to: Windows SentinelOne Agents v4.5+
✅ Supported Deployment Methods: EXE, MSI, GPO, SCCM, third-party deployment tools

🚀 Last Updated: September 2024


💡 Important Notes:

  • Local upgrades may require a passphrase depending on the version.

  • Upgrading from versions before 4.5.1 → Recommended to upgrade first to 4.6.12+ to avoid passphrase requirements.

  • If the upgrade fails due to missing passphrase, alternative solutions are available (detailed below).


📌 SentinelOne Agent Upgrade Requirements

| Upgrading From | Upgrading To | Passphrase Required? |
|---|---|---|
| Any version before 4.5.1 | Any version before 4.5.1 | ✅ Yes (Passphrase required) |
| Any version before 4.5.1 | 4.6.12 | ❌ No |
| 4.5.1 – 4.7.1 | Any version before 4.7.1 | ✅ Yes |
| 4.6.12 | 4.6.x – 21.7.x | ❌ No |
| 4.6.12 | 22.1 and later | ⚠ Approve Local Upgrade |

💡 Best Practice:
If upgrading from versions earlier than 4.5.1, upgrade first to 4.6.12+ to avoid passphrase issues.


📌 Installing & Upgrading the SentinelOne Agent

🔹 Method 1: Standard Local Installation (EXE/MSI)

To install the SentinelOne Agent on an endpoint locally (without the Management Console):


1️⃣ Download the SentinelOne Agent Installer

  • Locate the correct EXE/MSI package for your version.

  • Save it to the target device.

2️⃣ Run the Installer with Administrator Privileges

  • Open Command Prompt (Admin) and navigate to the folder where the installer is saved.

  • Run the following command:

    SentinelOneInstaller.exe /q /norestart

    or

    msiexec /i SentinelOneInstaller.msi /qn /norestart

3️⃣ Verify Installation

  • Open Task Manager → Check if SentinelAgent.exe is running.

  • Navigate to Control Panel > Programs to confirm the version.
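
The checks around steps 2 and 3 can be scripted. The following PowerShell is an added example, not code from Guardz or SentinelOne: run it once before launching the installer to check the package's Authenticode signature and hash, and once with `-PostInstall` to confirm the process and version. The `Sentinel*` registry filter and the `$ExpectedVersion` placeholder are assumptions to adjust for your deployment.

```powershell
# Added example: checks around the local install steps (not vendor code).
param(
    [string]$InstallerPath   = '.\SentinelOneInstaller.exe',  # file name used on this page
    [string]$ExpectedVersion = '<expected-agent-version>',    # placeholder, set per deployment
    [switch]$PostInstall
)

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)
    # Authenticode applies to both EXE and MSI packages.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File   = (Resolve-Path -Path $Path).Path
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

function Get-InstalledAgent {
    # Assumption: the agent registers an uninstall entry whose DisplayName starts with "Sentinel".
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Sentinel*' } |
        Select-Object -Property DisplayName, DisplayVersion
}

if (-not $PostInstall) {
    # Before step 2: refuse to continue if the package is unsigned or tampered with.
    $pre = Test-InstallerSignature -Path $InstallerPath
    $pre | Format-List
    if ($pre.Status -ne 'Valid') {
        Write-Error "Installer signature status is '$($pre.Status)'; do not run it."
        exit 1
    }
    Write-Output 'Signature valid. Compare Signer and SHA256 with the values from your download source.'
}
else {
    # After step 3: same checks as Task Manager and Control Panel > Programs.
    $proc  = Get-Process -Name 'SentinelAgent' -ErrorAction SilentlyContinue
    $agent = Get-InstalledAgent
    if (-not $proc)  { Write-Error 'SentinelAgent.exe is not running.'; exit 1 }
    if (-not $agent) { Write-Error 'No Sentinel* entry found under Programs.'; exit 1 }
    $agent | Format-Table -AutoSize
    if ($agent.DisplayVersion -notcontains $ExpectedVersion) {
        Write-Error "Installed version does not match expected $ExpectedVersion."
        exit 1
    }
    Write-Output 'Agent process is running and the installed version matches.'
}
```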


🔹 Method 2: Upgrading the SentinelOne Agent

To upgrade locally (without the Management Console):


1️⃣ Check if a passphrase is required (refer to the upgrade requirements table above).

2️⃣ Run the upgrade using one of these commands:

    SentinelOneInstaller.exe /q /norestart

    or

    msiexec /i SentinelOneInstaller.msi /qn /norestart


3️⃣ If upgrade fails due to missing passphrase:

  • Retrieve the passphrase from the Management Console (steps below).

  • Modify the Agent Configuration (if necessary).


📌 Retrieving the Passphrase from SentinelOne Management Console

If an Agent upgrade fails due to a missing passphrase, follow these steps to retrieve it:

1️⃣ Log in to the SentinelOne Management Console.
2️⃣ Click Sentinels (left sidebar) → Endpoints.
3️⃣ Use the search bar to find the endpoint.
4️⃣ Click the endpoint name to open its details.
5️⃣ Click Actions > Agent Actions > Show Passphrase.
6️⃣ The passphrase will appear in a new window.


🚀 Use this passphrase to complete the upgrade process.


📌 Allowing Local Upgrades Without a Passphrase

If you prefer to bypass the passphrase requirement, you must modify the Agent configuration:

🔹 Step 1: Check if Passphrase Restriction is Enabled

1️⃣ In the SentinelOne Management Console, navigate to Sentinels > Endpoints.
2️⃣ Select the endpoint.
3️⃣ Click Actions > Configuration > Agent Configuration.
4️⃣ Search for the parameter:

allowUnprotectByApprovedProcess

5️⃣ Check its value:

  • true → Passphrase is NOT required (you can proceed).

  • false → Passphrase is required (modify the setting).

🔹 Step 2: Change Policy to Allow Local Upgrades

To disable the passphrase requirement, override the policy at the Group, Site, or Account level:

1️⃣ Go to Policy Override Settings.
2️⃣ Add the following policy setting:

{ "allowUnprotectByApprovedProcess": true }

3️⃣ Save changes and restart the upgrade process.


🚀 Once the upgrade is complete, reset the value back to false for security.


📌 Troubleshooting Common Issues

🔹 Error: "SentinelOne Agent Installer has crashed."
✅ Cause: Local upgrade is disabled.
🔧 Fix: Enable allowUnprotectByApprovedProcess in the SentinelOne console.


🔹 Error: "Local upgrade is disabled."
✅ Cause: Passphrase is required.
🔧 Fix: Retrieve the passphrase from the Management Console.


🔹 Error: "Upgrade failed" (Silent Error)
✅ Cause: Conflict with another security tool.
🔧 Fix: Disable Windows Defender Tamper Protection and retry.


🔹 Issue: "Agent version mismatch after upgrade."
✅ Cause: The MSI/EXE package is incorrect.
🔧 Fix: Confirm correct installer version before running.


📌 Best Practices for Deployment

✔ Use the Management Console for Upgrades – This eliminates passphrase issues and manual interventions.
✔ Deploy via GPO or SCCM – Best for large-scale deployments across multiple endpoints.
✔ Enable Auto-Update for SentinelOne Agents – Reduces manual upgrade needs.
✔ Verify Policy Settings Before Upgrading – Prevents upgrade failures due to security restrictions.


🚀 By following this guide, you can confidently install, upgrade, and manage SentinelOne Agents with Guardz!
