Skip to main content
All CollectionsSentinelOne & Guardz
Upgrading Windows Agents with a Local Upgrade
Upgrading Windows Agents with a Local Upgrade
Updated over 2 weeks ago

This article is based on SentinelOne community documentation last updated on Sep 17 2024
​

Supported from Agent Version: Windows 4.5

πŸ’‘Note: This article applies to EXE and MSI installers and includes upgrades run through GPO, SCCM, or any deployment tool that is not through the Management Console.

The command to install, upgrade, and downgrade an Agent is the same. The Agent package and its version determine if it will install, upgrade, or downgrade the Agent.

If you upgrade the Windows Agent on an endpoint locally (not through the Management Console), specific versions require a passphrase or Agent configuration change.

Upgrading from version

Upgrading to version

Requires passphrase or special Agent configuration?

Any version before 4.5.1

Any version before 4.5.1

Yes (passphrase)

Any version before 4.5.1

4.6.12

No

4.5.1, 4.5.2, 4.5.11, 4.5.12,

4.6.1, 4.6.2. 4.6.11, or

4.7.1

4.5.1, 4.5.2, 4.5.11, 4.5.12,

4.6.1, 4.6.2. 4.6.11, 4.6.12, or

4.7.1

Yes

4.6.12

4.6.x - 21.7.x

No

4.6.12

22.1 and later

Approve Local Upgrade

πŸ’‘Note: On upgrade from a version earlier than 4.51, we recommend that you upgrade to version 4.6.12 or later, to avoid the required passphrase.

If you try to run a local upgrade on an Agent without a passphrase when necessary, you will see errors such as:

  • SentinelOne Agent Installer has crashed. If this is a local upgrade, it's probably disabled. Please contact support.

  • Local upgrade is disabled.

If you try to upgrade the Agent locally and it fails, do one of these:

  • Upgrade through the Management Console.

  • Get the endpoint passphrase.

  • Disable a parameter in the Agent configuration to allow local upgrades without a passphrase.

To get the passphrase for an endpoint from the Management Console:

  1. In the sidebar, click Sentinels.

    Endpoints opens.

  2. In Select Filters search for the endpoint.

  3. Click the endpoint to open its details.

  4. In the Details window, click Actions > Agent Actions > Show Passphrase.

  5. The Passphrase opens in a new window

To change the Agent configuration to allow upgrade without a passphrase

  1. See if the endpoint configuration has the parameter allowUnprotectByApprovedProcess set to true or false.

    1. In the sidebar, click Sentinels.

      Endpoints opens.

    2. Select an endpoint.

    3. Click Actions > Configuration > Agent Configuration (requires correct role permissions or Advanced Mode).

    4. In the window that opens, search for allowUnprotectByApprovedProcess and look for its value.

      If its value is true, you can stop and upgrade that endpoint.

      If its value is false, continue with the next step.

  2. In Policy Override for a Group, Site, or Account, change allowUnprotectByApprovedProcess to true:

    { "allowUnprotectByApprovedProcess": true }

  3. Run the upgrade.

  4. Change allowUnprotectByApprovedProcess to false.

Related Articles
SentinelOne Installation - Windows
Windows Agent Installer Command Line Options
VDI and VM Deployment
Installing the Windows Agent Using an MSI Package
Auto Association of SentinelOne Endpoints to Users
Did this answer your question?