Overview
SentinelOne is an endpoint detection and response (EDR) platform that provides autonomous protection against threats. This guide covers agent deployment, verification, and management for Windows endpoints.
Who Should Use This Guide:
- Security engineers deploying endpoint protection
- IT administrators managing EDR rollouts
- SOC teams verifying agent health
- MSPs onboarding client environments
SentinelOne Agent Capabilities:
| Feature | Description |
|---|---|
| Autonomous Protection | Real-time threat prevention without cloud dependency |
| Behavioral AI | Detects unknown threats through behavior analysis |
| Rollback | Ransomware remediation through system rollback |
| Deep Visibility | Full endpoint telemetry for threat hunting |
| Remote Shell | Secure command execution on endpoints |
Requirements
System Requirements:
| Component | Requirement |
|---|---|
| Operating System | Windows 10/11 (1809+), Windows Server 2016/2019/2022 |
| RAM | 2GB minimum, 4GB recommended |
| Disk Space | 2GB free |
| Architecture | x64 (primary), x86 (legacy support) |
| Network | HTTPS/443 to management console |
Prerequisites:
| Prerequisite | Purpose |
|---|---|
| Console Access | Download installer, obtain site token |
| Admin Rights | Installation requires local admin |
| No Conflicting AV | Remove existing EDR/AV products |
| Network Connectivity | Agent must reach management console |
Process
Step 1: Download Agent Installer
Obtain the SentinelOne agent from the management console.
Download Process:
- Log in to SentinelOne Management Console
- Navigate to Sentinels → Downloads
- Under Endpoint Agents, select Windows
- Choose agent version:
  - GA (General Availability): Recommended for production
  - EA (Early Availability): For testing new features
- Download appropriate architecture: SentinelInstaller_windows_64bit_v\<version\>.msi
- Save to accessible location
Verify Installer Integrity:
```powershell
# Check file hash against console-provided SHA256
$installerPath = "C:\Temp\SentinelInstaller_windows_64bit.msi"
$hash = Get-FileHash -Path $installerPath -Algorithm SHA256
Write-Host "SHA256: $($hash.Hash)"
# Compare with hash shown in console Downloads page
```
Step 2: Obtain Site Token
Get the site token required for agent registration.
Process:
- In console, navigate to Settings → Sites
- Select target site (e.g., "Production", "Corporate")
- Click site name to open details
- Under Site Token, click Show Token
- Click Copy to clipboard
- Store securely (do not commit to version control)
Token Format:
- Length: 96-128 characters
- Characters: Alphanumeric (JWT format)
Important: Site tokens are sensitive credentials. Store securely and rotate if compromised.
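One way to keep the token out of scripts and repositories, shown as an added example (not SentinelOne tooling): store it DPAPI-encrypted for the deploying account and read it back at install time. The function names and the token file location are assumptions; the length check uses the 96-128 character range stated above.

```powershell
# Added example. Save-SiteToken, Get-SiteToken and the file path are hypothetical.
$TokenFile = Join-Path $env:LOCALAPPDATA "s1-site-token.dat"

function Save-SiteToken {
    param([string]$Path = $TokenFile)
    # Prompt without echo, so the token is never typed into a script or the shell history
    $secure = Read-Host -Prompt "Paste site token" -AsSecureString
    $plain  = [System.Net.NetworkCredential]::new("", $secure).Password
    # Sanity check against the token format described in this guide
    if ($plain.Length -lt 96 -or $plain.Length -gt 128 -or $plain -match "\s") {
        throw "Token length $($plain.Length) is outside 96-128 or contains whitespace"
    }
    # Without -Key, ConvertFrom-SecureString encrypts with DPAPI:
    # only this user account on this machine can decrypt the file
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path -Encoding ASCII
    Write-Host "Token stored (encrypted) at $Path"
}

function Get-SiteToken {
    param([string]$Path = $TokenFile)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "No stored token at $Path. Run Save-SiteToken first."
    }
    $secure = Get-Content -Path $Path | ConvertTo-SecureString
    return [System.Net.NetworkCredential]::new("", $secure).Password
}

# Usage in the install script, instead of a hard-coded string:
#   $siteToken = Get-SiteToken
```

DPAPI ties the file to one account on one machine, so this fits an admin workstation or deployment host rather than a shared file location.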
Step 3: Prepare Target System
Ensure the endpoint is ready for installation.
Check for Conflicting Software:
```powershell
# List installed security products
# (root\SecurityCenter2 is available on client editions of Windows only)
Get-CimInstance -Namespace "root\SecurityCenter2" -ClassName AntiVirusProduct |
    Select-Object displayName, productState
# Common conflicts: McAfee, Symantec, Trend Micro, CrowdStrike
# Windows Defender will be automatically managed by SentinelOne
```
Verify System Requirements:
```powershell
# Check disk space (need 2GB+)
Get-PSDrive C | Select-Object @{N="FreeGB";E={[math]::Round($_.Free/1GB,2)}}
# Check RAM (need 2GB+)
[math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory/1GB,2)
# Check OS version
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version
```
Test Console Connectivity:
```powershell
# Replace with your console hostname
Test-NetConnection -ComputerName "<tenant>.sentinelone.net" -Port 443
```
Expected Result: TcpTestSucceeded should be True.
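The Step 3 checks combined into one pass/fail gate, as an added example rather than code from the original guide; `Test-SentinelOnePrereq` is a hypothetical name. It goes slightly beyond the snippets above by checking elevation and by using separate minimum builds for client and server editions.

```powershell
# Added example; Test-SentinelOnePrereq is a hypothetical name.
function Test-SentinelOnePrereq {
    param(
        [Parameter(Mandatory)][string]$ConsoleHost,  # e.g. "<tenant>.sentinelone.net"
        [double]$MinFreeGB = 2,
        [double]$MinRamGB  = 2
    )
    $os    = Get-CimInstance Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # ProductType 1 = workstation, 2 = domain controller, 3 = server.
    # Windows 10 1809 is build 17763, but Server 2016 is build 14393,
    # so a single minimum build would wrongly reject Server 2016.
    $minBuild = if ($os.ProductType -eq 1) { 17763 } else { 14393 }

    # root\SecurityCenter2 exists only on client editions; skip it on servers.
    # Defender is filtered out because the guide says SentinelOne manages it.
    $av = @()
    if ($os.ProductType -eq 1) {
        $av = @(Get-CimInstance -Namespace "root\SecurityCenter2" -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
                Where-Object { $_.displayName -notlike "*Defender*" })
    }

    $freeGB = [math]::Round((Get-PSDrive C).Free / 1GB, 2)
    # Reported memory is slightly below the installed size, so round to 0.1 GB
    $ramGB  = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    $tcp    = Test-NetConnection -ComputerName $ConsoleHost -Port 443 -WarningAction SilentlyContinue
    $id     = [Security.Principal.WindowsIdentity]::GetCurrent()
    $admin  = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $checks = [ordered]@{
        "OS build $build (minimum $minBuild)"       = ($build -ge $minBuild)
        "Free disk $freeGB GB (minimum $MinFreeGB)" = ($freeGB -ge $MinFreeGB)
        "RAM $ramGB GB (minimum $MinRamGB)"         = ($ramGB -ge $MinRamGB)
        "No third-party AV registered"              = ($av.Count -eq 0)
        "HTTPS/443 reachable on $ConsoleHost"       = [bool]$tcp.TcpTestSucceeded
        "Running as local administrator"            = $admin
    }
    foreach ($name in $checks.Keys) {
        $tag = if ($checks[$name]) { "[PASS]" } else { "[FAIL]" }
        Write-Host "$tag $name"
    }
    # True only when every check passed
    return -not ($checks.Values -contains $false)
}
```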
Step 4: Install Agent
Deploy the SentinelOne agent using silent installation.
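Before the installer runs, the hash comparison from Step 1 can be enforced as a hard gate. The following is an added example (not from the original guide or from SentinelOne); `Assert-InstallerIntegrity` and its parameters are hypothetical names, and the Authenticode check goes beyond the hash check described in Step 1.

```powershell
# Added example; Assert-InstallerIntegrity is a hypothetical name.
function Assert-InstallerIntegrity {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,  # copied from the console Downloads page
        [string]$ExpectedPublisher                       # optional: part of the signer subject you expect
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }
    # Normalise the expected value: copy/paste may add whitespace or change case
    $expected = ($ExpectedSha256 -replace "\s", "").ToUpperInvariant()
    if ($expected -notmatch "^[0-9A-F]{64}$") {
        throw "Expected value is not a 64-character SHA256 hex string"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $expected) {
        throw "SHA256 mismatch. Expected $expected, got $actual"
    }
    # Authenticode: the MSI must carry a signature that validates on this machine
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne "Valid") {
        throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }
    $subject = $sig.SignerCertificate.Subject
    if ($ExpectedPublisher -and $subject -notlike "*$ExpectedPublisher*") {
        throw "Unexpected signer: $subject"
    }
    Write-Host "[PASS] Hash and signature verified. Signer: $subject" -ForegroundColor Green
}

# Call this ahead of msiexec; a failed check throws and stops the script:
#   Assert-InstallerIntegrity -Path $installerPath -ExpectedSha256 "<sha256-from-console>"
```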
Silent Installation:
```powershell
# Define parameters
$installerPath = "C:\Temp\SentinelInstaller_windows_64bit.msi"
$siteToken = "<your-site-token>"
$logPath = "C:\Temp\SentinelOne-Install-$(Get-Date -Format 'yyyyMMdd').log"
# Execute installation
$process = Start-Process msiexec.exe -ArgumentList @(
    "/i `"$installerPath`""
    "/qn"
    "SITE_TOKEN=`"$siteToken`""
    "/l*v `"$logPath`""
) -Wait -PassThru -NoNewWindow
# Check result
if ($process.ExitCode -eq 0) {
    Write-Host "[SUCCESS] Installation completed" -ForegroundColor Green
} elseif ($process.ExitCode -eq 3010) {
    Write-Host "[SUCCESS] Installation completed - reboot required" -ForegroundColor Yellow
} else {
    Write-Host "[ERROR] Installation failed: Exit code $($process.ExitCode)" -ForegroundColor Red
    Write-Host "Review log: $logPath"
}
```
Common MSI Exit Codes:
| Code | Meaning |
|---|---|
| 0 | Success |
| 1603 | Fatal error (check log for details) |
| 1618 | Another installation in progress |
| 1638 | Another version already installed |
| 3010 | Success, reboot required |
Step 5: Verify Service Status
Confirm the agent service is running.
Check Service:
```powershell
# Wait for service to start (up to 2 minutes)
$maxAttempts = 24
$attempt = 0
do {
    $service = Get-Service -Name "SentinelAgent" -ErrorAction SilentlyContinue
    if ($service -and $service.Status -eq "Running") {
        Write-Host "[SUCCESS] SentinelAgent service is running" -ForegroundColor Green
        break
    }
    Start-Sleep -Seconds 5
    $attempt++
    Write-Host "Waiting for service... ($attempt/$maxAttempts)"
} while ($attempt -lt $maxAttempts)
# Report a timeout instead of ending silently
if (-not $service -or $service.Status -ne "Running") {
    Write-Host "[ERROR] SentinelAgent service did not start within 2 minutes" -ForegroundColor Red
}
```
Expected Result: Service status shows "Running".
Step 6: Verify Agent Registration
Confirm the agent appears in the management console.
Local Verification:
```powershell
# Check registry configuration
$regPath = "HKLM:\SOFTWARE\SentinelOne\Sentinel Agent"
if (Test-Path $regPath) {
    $config = Get-ItemProperty -Path $regPath
    Write-Host "Management Server: $($config.ManagementServerUrl)"
    Write-Host "Site ID: $($config.SiteId)"
    Write-Host "Agent ID: $($config.AgentId)"
}
# Check agent version
$agentExe = Get-ChildItem "C:\Program Files\SentinelOne" -Recurse -Filter "SentinelAgent.exe" | Select-Object -First 1
Write-Host "Agent Version: $($agentExe.VersionInfo.FileVersion)"
```
Console Verification:
- Log in to SentinelOne console
- Navigate to Sentinels → Agents
- Search for computer name or IP
- Verify:
  - Status: Connected (green icon)
  - Last Active: Within last 5 minutes
  - Agent Version: Matches installed version
  - Site: Correct site assignment
Expected Timeline:
- Agent appears in console: 30 seconds to 2 minutes
- Full asset inventory: 5-15 minutes
- Initial scan completion: 15-30 minutes
Step 7: Run Verification Script
Use a comprehensive verification script.
Verification Script:
```powershell
function Test-SentinelOneAgent {
    Write-Host "`n=== SentinelOne Agent Verification ===" -ForegroundColor Cyan
    $results = @{}
    # Check 1: Service status
    $service = Get-Service -Name "SentinelAgent" -ErrorAction SilentlyContinue
    if ($service -and $service.Status -eq "Running") {
        Write-Host "[PASS] Service running" -ForegroundColor Green
        $results.Service = $true
    } else {
        Write-Host "[FAIL] Service not running" -ForegroundColor Red
        $results.Service = $false
    }
    # Check 2: Process running
    $process = Get-Process -Name "SentinelAgent" -ErrorAction SilentlyContinue
    if ($process) {
        Write-Host "[PASS] Process active (PID: $($process.Id))" -ForegroundColor Green
        $results.Process = $true
    } else {
        Write-Host "[FAIL] Process not found" -ForegroundColor Red
        $results.Process = $false
    }
    # Check 3: Registry configuration
    $regPath = "HKLM:\SOFTWARE\SentinelOne\Sentinel Agent"
    if (Test-Path $regPath) {
        $config = Get-ItemProperty -Path $regPath
        Write-Host "[PASS] Registry configured" -ForegroundColor Green
        Write-Host " - Server: $($config.ManagementServerUrl)" -ForegroundColor Cyan
        $results.Registry = $true
    } else {
        Write-Host "[FAIL] Registry not configured" -ForegroundColor Red
        $results.Registry = $false
    }
    # Check 4: Console connectivity
    try {
        # -ErrorAction Stop sends a missing registry key to the catch block
        $consoleUrl = (Get-ItemProperty -Path $regPath -ErrorAction Stop).ManagementServerUrl
        $consoleHost = ([System.Uri]$consoleUrl).Host
        $connection = Test-NetConnection -ComputerName $consoleHost -Port 443 -WarningAction SilentlyContinue
        if ($connection.TcpTestSucceeded) {
            Write-Host "[PASS] Console connectivity verified" -ForegroundColor Green
            $results.Connectivity = $true
        } else {
            Write-Host "[FAIL] Cannot reach console" -ForegroundColor Red
            $results.Connectivity = $false
        }
    } catch {
        Write-Host "[FAIL] Connectivity check failed" -ForegroundColor Red
        $results.Connectivity = $false
    }
    # Summary (@() keeps .Count reliable when zero or one check passed)
    $passed = @($results.Values | Where-Object { $_ }).Count
    $total = $results.Count
    Write-Host "`n=== Summary: $passed/$total checks passed ===" -ForegroundColor Cyan
    return ($passed -eq $total)
}
Test-SentinelOneAgent
```
Troubleshooting
Common Issues:
| Symptom | Possible Cause | Solution |
|---|---|---|
| Installation fails (1603) | Conflicting AV or disk space | Remove conflicting software, free disk space |
| Agent not in console | Network blocked | Verify HTTPS/443 to console host |
| Service won't start | Driver issue | Check Event Log, reinstall agent |
| Wrong site assignment | Incorrect token | Uninstall, reinstall with correct token |
Diagnostic Commands:
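```powershell
# Check installation log
Select-String -Path "C:\Temp\SentinelOne-Install*.log" -Pattern "error|failed" -Context 2,3
# Check agent log
Get-Content "C:\ProgramData\SentinelOne\Logs\Agent.log" -Tail 50
# Check Windows Event Log (filter by provider first, then keep the 20 most recent matches)
Get-WinEvent -LogName Application |
    Where-Object { $_.ProviderName -like "*Sentinel*" } |
    Select-Object -First 20
# Test network connectivity
Test-NetConnection -ComputerName "<tenant>.sentinelone.net" -Port 443 -InformationLevel Detailed
```
Uninstall and Reinstall:
```powershell
# Get product code (querying Win32_Product is slow: it triggers a
# consistency check of every installed MSI package)
$product = Get-CimInstance -ClassName Win32_Product | Where-Object { $_.Name -like "*SentinelOne*" } | Select-Object -First 1
if (-not $product) { throw "No SentinelOne MSI product found" }
# Uninstall and wait for msiexec to finish
Start-Process msiexec.exe -ArgumentList @(
    "/x $($product.IdentifyingNumber)"
    "/qn"
    "/l*v `"C:\Temp\sentinel-uninstall.log`""
) -Wait -NoNewWindow
# Wait and reboot
Start-Sleep -Seconds 30
Restart-Computer
# Reinstall with correct token after reboot
```
Best Practices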
Deployment Best Practices:
| Practice | Description |
|---|---|
| Test First | Deploy to pilot group before mass rollout |
| Remove Conflicts | Uninstall existing AV/EDR before installation |
| Use Groups | Organize agents by department/location using site groups |
| Monitor Rollout | Track deployment progress in console |
Operational Best Practices:
| Practice | Description |
|---|---|
| Keep Updated | Maintain agents on supported versions |
| Monitor Alerts | Review threat detections promptly |
| Test Exclusions | Validate exclusion policies don't create gaps |
| Regular Audits | Verify all endpoints have agents deployed |
Verification Checklist
Pre-Installation:
- System requirements met
- Conflicting software removed
- Console connectivity verified
- Site token obtained
Post-Installation:
- Service running
- Process active
- Agent appears in console
- Status shows "Connected"
Operational:
- Policy applied correctly
- Exclusions configured (if needed)
- Alerts being monitored
- Agent version current
Last Updated: February 2026