π Introduction
This guide provides detailed steps for installing, upgrading, and downgrading SentinelOne Agents on Windows devices. It includes local and remote deployment methods using EXE/MSI installers, GPO, SCCM, or other tools outside the SentinelOne Management Console.
β
Applies to: Windows SentinelOne Agents v4.5+
β
Supported Deployment Methods: EXE, MSI, GPO, SCCM, third-party deployment tools
β
π Last Updated: September 2024
π‘ Important Notes:
Local upgrades may require a passphrase depending on the version.
Upgrading from versions before 4.5.1 β Recommended to upgrade first to 4.6.12+ to avoid passphrase requirements.
If the upgrade fails due to missing passphrase, alternative solutions are available (detailed below).
π SentinelOne Agent Upgrade Requirements
Upgrading From | Upgrading To | Passphrase Required? |
Any version before 4.5.1 | Any version before 4.5.1 | β Yes (Passphrase required) |
Any version before 4.5.1 | 4.6.12 | β No |
4.5.1 β 4.7.1 | Any version before 4.7.1 | β Yes |
4.6.12 | 4.6.x β 21.7.x | β No |
4.6.12 | 22.1 and later | β Approve Local Upgrade |
π‘ Best Practice:
If upgrading from versions earlier than 4.5.1, upgrade first to 4.6.12+ to avoid passphrase issues.
π Installing & Upgrading the SentinelOne Agent
πΉ Method 1: Standard Local Installation (EXE/MSI)
To install the SentinelOne Agent on an endpoint locally (without the Management Console):
1οΈβ£ Download the SentinelOne Agent Installer
Locate the correct EXE/MSI package for your version.
Save it to the target device.
2οΈβ£ Run the Installer with Administrator Privileges
Open Command Prompt (Admin) and navigate to the folder where the installer is saved.
Run the following command:
SentinelOneInstaller.exe /q /norestart
or
msiexec /i SentinelOneInstaller.msi /qn /norestart
3οΈβ£ Verify Installation
Open Task Manager β Check if
SentinelAgent.exeis running.Navigate to Control Panel > Programs to confirm the version.
πΉ Method 2: Upgrading the SentinelOne Agent
To upgrade locally (without the Management Console):
1οΈβ£ Check if a passphrase is required (refer to the Passphrase Requirement Table above).
β
2οΈβ£ Run the upgrade using one of these commands:
β
SentinelOneInstaller.exe /q /norestart
or
msiexec /i SentinelOneInstaller.msi /qn /norestart
3οΈβ£ If upgrade fails due to missing passphrase:
Retrieve the passphrase from the Management Console (steps below).
Modify the Agent Configuration (if necessary).
π Retrieving the Passphrase from SentinelOne Management Console
If an Agent upgrade fails due to a missing passphrase, follow these steps to retrieve it:
1οΈβ£ Log in to the SentinelOne Management Console.
2οΈβ£ Click Sentinels (left sidebar) β Endpoints.
3οΈβ£ Use the search bar to find the endpoint.
4οΈβ£ Click the endpoint name to open its details.
5οΈβ£ Click Actions > Agent Actions > Show Passphrase.
6οΈβ£ The passphrase will appear in a new window.
π Use this passphrase to complete the upgrade process.
π Allowing Local Upgrades Without a Passphrase
If you prefer to bypass the passphrase requirement, you must modify the Agent configuration:
πΉ Step 1: Check if Passphrase Restriction is Enabled
1οΈβ£ In the SentinelOne Management Console, navigate to Sentinels > Endpoints.
2οΈβ£ Select the endpoint.
3οΈβ£ Click Actions > Configuration > Agent Configuration.
4οΈβ£ Search for the parameter:
allowUnprotectByApprovedProcess
5οΈβ£ Check its value:
trueβ Passphrase is NOT required (you can proceed).falseβ Passphrase is required (modify the setting).
πΉ Step 2: Change Policy to Allow Local Upgrades
To disable the passphrase requirement, override the policy at the Group, Site, or Account level:
1οΈβ£ Go to Policy Override Settings.
2οΈβ£ Add the following policy setting:
{ "allowUnprotectByApprovedProcess": true }3οΈβ£ Save changes and restart the upgrade process.
π Once the upgrade is complete, reset the value back to false for security.
π Troubleshooting Common Issues
πΉ Error: "SentinelOne Agent Installer has crashed."
β
Cause: Local upgrade is disabled.
π§ Fix: Enable allowUnprotectByApprovedProcess in the SentinelOne console.
πΉ Error: "Local upgrade is disabled."
β
Cause: Passphrase is required.
π§ Fix: Retrieve the passphrase from the Management Console.
πΉ Error: "Upgrade failed" (Silent Error)
β
Cause: Conflict with another security tool.
π§ Fix: Disable Windows Defender Tamper Protection and retry.
πΉ Issue: "Agent version mismatch after upgrade."
β
Cause: The MSI/EXE package is incorrect.
π§ Fix: Confirm correct installer version before running.
π Best Practices for Deployment
β Use the Management Console for Upgrades β This eliminates passphrase issues and manual interventions.
β Deploy via GPO or SCCM β Best for large-scale deployments across multiple endpoints.
β Enable Auto-Update for SentinelOne Agents β Reduces manual upgrade needs.
β Verify Policy Settings Before Upgrading β Prevents upgrade failures due to security restrictions.
π By following this guide, you can confidently install, upgrade, and manage SentinelOne Agents with Guardz! π