SCENARIO
Deploying SentinelOne agents across Windows endpoints at scale using Active Directory Group Policy Objects (GPO) enables centralized, automated agent installation without manual intervention on each workstation or server. This method suits organizations with an established AD infrastructure that need consistent endpoint protection coverage across hundreds or thousands of devices. Because the assigned MSI runs as SYSTEM on every targeted computer, the integrity of the installer and of the share it is served from is as important as the GPO itself.
Use this method when:
- You have Active Directory domain-joined Windows endpoints
- You need to deploy agents to multiple computers simultaneously
- You want automated installation on new computers as they join the domain
- You need to ensure consistent deployment parameters (site token, management console URL)
REQUIREMENTS & ASSUMPTIONS
Prerequisites:
- Active Directory domain with functional Group Policy infrastructure
- Domain Administrator or Group Policy Management permissions
- SentinelOne Management Console access with Site Admin or higher role
- Network share accessible by target computers (e.g., \\domain.local\NETLOGON or a dedicated share)
- Windows installer (MSI) package for the SentinelOne agent, downloaded from the console
- Site token from SentinelOne console for agent registration
Assumed Environment:
- Target computers: Windows 10/11, Windows Server 2016/2019/2022
- Active Directory domain: Functional level 2012 R2 or higher
- SMB file sharing enabled between domain controllers and endpoints
- Firewall rules allow HTTPS (443) outbound to SentinelOne management console
- Sufficient disk space on target systems (minimum 2GB free)
Required Information:
- SentinelOne Management Console URL (e.g., https://yourtenant.sentinelone.net)
- Site token (obtained from console: Settings → Sites → [Your Site] → Site Token)
- MSI download link or local MSI file path
PROCESS
Step 1: Download the SentinelOne agent installer
- Log in to the SentinelOne Management Console
- Navigate to Sentinels → Downloads
- Select Windows platform
- Choose the appropriate version (typically latest GA release)
- Download the MSI installer (e.g., SentinelInstaller_windows_64bit_v<version>.msi)
- Verify the file hash against the console-provided SHA256 checksum before staging it on the share; a tampered installer would run as SYSTEM on every targeted computer:
Get-FileHash "C:\Temp\SentinelInstaller_windows_64bit_v23.4.2.487.msi" -Algorithm SHA256
Step 2: Obtain the site token
- In the SentinelOne console, navigate to Settings → Sites
- Click on your target site name (e.g., "Production" or "Corporate")
- In the site details pane, locate Site Token
- Click Show Token and copy the value (format: alphanumeric string 96+ characters)
- Store it securely: the token is what enrolls an agent into your site, so anyone holding it can register agents against your SentinelOne deployment
Step 3: Create a network share for agent deployment
- On a domain controller or file server, create a dedicated folder:
New-Item -Path "C:\Deployment\SentinelOne" -ItemType Directory -Force
- Copy the MSI installer to this location:
Copy-Item "C:\Temp\SentinelInstaller_windows_64bit_v23.4.2.487.msi" -Destination "C:\Deployment\SentinelOne\"
- Share the folder with read permissions for Domain Computers (this sets share permissions only; the folder's NTFS permissions still apply, and only the account that stages installers should be able to write there):
New-SmbShare -Name "SentinelOne" -Path "C:\Deployment\SentinelOne" -ReadAccess "DOMAIN\Domain Computers"
- Verify share accessibility from a test endpoint:
Test-Path "\\DC01\SentinelOne\SentinelInstaller_windows_64bit_v23.4.2.487.msi"
Step 4: Create the Group Policy Object
- Open Group Policy Management Console (gpmc.msc)
- Navigate to the OU containing target computers (e.g., domain.local → Computers → Workstations)
- Right-click the OU and select Create a GPO in this domain, and Link it here
- Name the GPO: SentinelOne Agent Deployment
- Right-click the new GPO and select Edit
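Before the package is added to the GPO, the staging work of Steps 1 through 3 can be done as one script. The following is an added example, not part of the original runbook or of any SentinelOne tooling: it verifies the MSI's hash and Authenticode signature, copies it into a folder with an explicit NTFS ACL (read/execute for Domain Computers, full control only for Domain Admins and SYSTEM), publishes a read-only share, and re-hashes the file through the UNC path. The expected SHA256 placeholder, the share name, the group names and the folder path are assumptions to be replaced with your own values.

```powershell
# Added example (not from the original runbook): stage the SentinelOne MSI on a
# read-only deployment share and verify it before any computer installs it.
# Assumed placeholders: expected SHA256 from the console Downloads page, share
# name "SentinelOne", domain "DOMAIN", staging path under C:\Deployment.
#Requires -RunAsAdministrator
param(
    [string]$MsiPath        = 'C:\Temp\SentinelInstaller_windows_64bit_v23.4.2.487.msi',
    [string]$ExpectedSha256 = '<sha256 shown in the console Downloads page>',  # assumed placeholder
    [string]$ShareRoot      = 'C:\Deployment\SentinelOne',
    [string]$ShareName      = 'SentinelOne',
    [string]$ReadGroup      = 'DOMAIN\Domain Computers',
    [string]$AdminGroup     = 'DOMAIN\Domain Admins'
)

# 1. Integrity: the hash must match what the console published.
$actual = (Get-FileHash -Path $MsiPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "SHA256 mismatch for $MsiPath : got $actual, expected $ExpectedSha256"
}

# 2. Authenticity: the MSI must carry a valid Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Authenticode check failed: $($sig.Status) ($($sig.StatusMessage))"
}
Write-Host "Signer: $($sig.SignerCertificate.Subject)"

# 3. Stage the file in a folder with an explicit ACL: stop inheriting from C:\,
#    read/execute for computers, full control only for staging admins and SYSTEM.
#    Run this as a member of $AdminGroup or you lock yourself out of the folder.
New-Item -Path $ShareRoot -ItemType Directory -Force | Out-Null
Copy-Item -Path $MsiPath -Destination $ShareRoot -Force
$acl = Get-Acl -Path $ShareRoot
$acl.SetAccessRuleProtection($true, $false)        # protect DACL, drop inherited ACEs
foreach ($rule in $acl.Access) { [void]$acl.RemoveAccessRule($rule) }
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($entry in @(
        @{ Id = $ReadGroup;            Rights = 'ReadAndExecute' },
        @{ Id = $AdminGroup;           Rights = 'FullControl'    },
        @{ Id = 'NT AUTHORITY\SYSTEM'; Rights = 'FullControl'    })) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, $inherit, 'None', 'Allow')))
}
Set-Acl -Path $ShareRoot -AclObject $acl

# 4. Publish the share: read for computers, full access for the staging admins.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $ShareRoot -ReadAccess $ReadGroup -FullAccess $AdminGroup | Out-Null
}

# 5. Re-hash through the UNC path: what clients will fetch must be the verified file.
$unc = "\\$env:COMPUTERNAME\$ShareName\$(Split-Path $MsiPath -Leaf)"
$served = (Get-FileHash -Path $unc -Algorithm SHA256).Hash
if ($served -ne $actual) { throw "Share copy at $unc does not match the verified MSI" }
Write-Host "Staged and verified: $unc"
Get-SmbShareAccess -Name $ShareName | Format-Table -AutoSize
```

Run it on the file server that will host the share; the script deliberately throws on the placeholder hash, so paste the console's SHA256 into -ExpectedSha256 first. Use the resulting UNC path in Step 5 and keep the folder's write access limited to the staging group: a writable deployment share lets anyone who can modify the MSI execute code as SYSTEM on every domain computer that processes the GPO.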
Step 5: Configure software installation policy
- In the Group Policy Management Editor, navigate to:
- Computer Configuration → Policies → Software Settings → Software Installation
- Right-click Software Installation → New → Package
- In the file browser, enter the UNC path (a local path will not work, because each client fetches the package itself):
\\DC01\SentinelOne\SentinelInstaller_windows_64bit_v23.4.2.487.msi
- Select Advanced deployment method and click OK
- In the Deployment tab:
- Deployment type: Assigned
- Installation user interface: Basic
- Check Uninstall this application when it falls out of the scope of management (optional, based on policy)
- Click OK to save
Step 6: Configure MSI installation parameters with site token
Group Policy Software Installation does not accept msiexec command-line properties, so SITE_TOKEN cannot simply be appended to the package; it must reach the installer another way. The transform (MST) method below is the mechanism Software Installation is designed for. The registry item described here only works if the agent version you deploy documents reading its token from this policy key; confirm that against SentinelOne's installation documentation for your version before relying on it.
- In the Group Policy Management Editor, navigate to:
- Computer Configuration → Preferences → Windows Settings → Registry
- Right-click → New → Registry Item
- Configure the registry item:
- Action: Create
- Hive: HKEY_LOCAL_MACHINE
- Key Path: SOFTWARE\Policies\SentinelOne
- Value name: SiteToken
- Value type: REG_SZ
- Value data: [Paste your site token here]
- Click OK
Alternative method using transform file (MST):
If your organization uses MSI transforms for consistent deployments, create an MST that sets the SITE_TOKEN property and attach it on the package's Modifications tab (Step 7). msiexec cannot author a transform; use Orca (from the Windows SDK) to open the MSI, start a new transform (Transform → New Transform), add a row to the Property table with Property = SITE_TOKEN and Value = your token, and save it with Transform → Generate Transform. The token is stored in the MST in clear text, so the share's read permissions are what protect it.
The following command is a one-off silent install for validating the token and the logging on a test machine; it does not create a transform:
msiexec /i "SentinelInstaller_windows_64bit_v23.4.2.487.msi" /qn SITE_TOKEN="your-site-token-here" /l*v "C:\Temp\sentinel-install.log"
Then modify the software installation package properties to reference the MST file.
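Orca is a GUI step that is hard to repeat consistently. The following added example, not part of the original runbook or of SentinelOne's tooling, builds the same SITE_TOKEN transform from PowerShell through the Windows Installer automation interface (the WindowsInstaller.Installer COM object: OpenDatabase, OpenView, GenerateTransform, CreateTransformSummaryInfo, ApplyTransform) and then verifies the result by applying the transform to the pristine MSI in memory and reading the property back. The MSI path, MST path and token value are placeholders.

```powershell
# Added example (not from the original runbook or from SentinelOne): build the
# SITE_TOKEN transform without Orca using the Windows Installer automation API,
# then prove the transform applies by reading the property back.
# Assumed placeholders: paths under C:\Deployment\SentinelOne and the token value.
param(
    [string]$MsiPath   = 'C:\Deployment\SentinelOne\SentinelInstaller_windows_64bit_v23.4.2.487.msi',
    [string]$MstPath   = 'C:\Deployment\SentinelOne\SiteToken.mst',
    [string]$SiteToken = 'your-site-token-here'   # assumed placeholder
)

$MsiOpenReadOnly = 0   # msiOpenDatabaseModeReadOnly
$MsiOpenTransact = 1   # msiOpenDatabaseModeTransact

# The Installer object is IDispatch-only, so every call is late-bound.
function Invoke-Msi($Object, [string]$Method, [object[]]$Params = $null) {
    $Object.GetType().InvokeMember($Method, 'InvokeMethod', $null, $Object, $Params)
}
function Get-MsiProp($Object, [string]$Name, [object[]]$Params = $null) {
    $Object.GetType().InvokeMember($Name, 'GetProperty', $null, $Object, $Params)
}
# Read one row of the Property table; $null when the property is absent.
function Get-PropertyValue($Db, [string]$Property) {
    $view = Invoke-Msi $Db 'OpenView' @("SELECT Value FROM Property WHERE Property = '$Property'")
    Invoke-Msi $view 'Execute' | Out-Null
    $rec = Invoke-Msi $view 'Fetch'
    Invoke-Msi $view 'Close' | Out-Null
    if ($rec) { Get-MsiProp $rec 'StringData' @(1) } else { $null }
}

if ($SiteToken -match "'") { throw 'Site token contains a quote; refusing to embed it in Installer SQL.' }
$installer = New-Object -ComObject WindowsInstaller.Installer

# A transform is the difference between two databases: modify a scratch copy.
$work = Join-Path $env:TEMP ([IO.Path]::GetFileName($MsiPath))
Copy-Item -Path $MsiPath -Destination $work -Force
$orig = Invoke-Msi $installer 'OpenDatabase' @($MsiPath, $MsiOpenReadOnly)
$mod  = Invoke-Msi $installer 'OpenDatabase' @($work,    $MsiOpenTransact)

# Insert or update SITE_TOKEN in the scratch copy's Property table.
$sql = if ($null -eq (Get-PropertyValue $mod 'SITE_TOKEN')) {
    "INSERT INTO Property (Property, Value) VALUES ('SITE_TOKEN', '$SiteToken')"
} else {
    "UPDATE Property SET Value = '$SiteToken' WHERE Property = 'SITE_TOKEN'"
}
$view = Invoke-Msi $mod 'OpenView' @($sql)
Invoke-Msi $view 'Execute' | Out-Null
Invoke-Msi $view 'Close'   | Out-Null
Invoke-Msi $mod  'Commit'  | Out-Null

# Write the .mst plus its summary information stream (msiexec and GPO reject a
# transform without one). 0, 0 = no suppressed error conditions, no validation.
if (-not (Invoke-Msi $mod 'GenerateTransform' @($orig, $MstPath))) {
    throw 'GenerateTransform found no differences; nothing was written.'
}
Invoke-Msi $mod 'CreateTransformSummaryInfo' @($orig, $MstPath, 0, 0) | Out-Null

# Verify: apply the transform to the untouched MSI in memory and read the value.
$check = Invoke-Msi $installer 'OpenDatabase' @($MsiPath, $MsiOpenReadOnly)
Invoke-Msi $check 'ApplyTransform' @($MstPath, 0) | Out-Null
$applied = Get-PropertyValue $check 'SITE_TOKEN'
if ($applied -ne $SiteToken) { throw "Transform verification failed: read '$applied'" }
Write-Host "Transform written: $MstPath ($((Get-Item $MstPath).Length) bytes, SITE_TOKEN set)"

# Release the COM handles so the scratch copy can be deleted.
foreach ($o in @($check, $mod, $orig, $installer)) { [void][Runtime.InteropServices.Marshal]::ReleaseComObject($o) }
[GC]::Collect(); [GC]::WaitForPendingFinalizers()
Remove-Item -Path $work -Force
```

Place the generated MST next to the MSI on the deployment share and reference it by UNC path on the Modifications tab. To test the pair by hand before assigning it, run msiexec /i "\\DC01\SentinelOne\<msi>" TRANSFORMS="\\DC01\SentinelOne\SiteToken.mst" /qn on one machine; TRANSFORMS is the standard Windows Installer property for applying an MST. Like the Orca-built file, the MST contains the token in clear text, so it inherits whatever read permissions the share has.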
Step 7: Configure installation command-line parameters (optional)
Group Policy Software Installation has no field for command-line arguments: the Deployment tab → Advanced button only exposes advanced deployment options (ignore language, 32-bit on 64-bit, OLE class information). Any installer property therefore has to be carried in an MST attached under the Modifications tab, and that tab is editable only while the package is being created with the Advanced method (for an existing package, remove it and add it again). The properties below are the ones to set in that transform, or to pass directly when installing by hand with msiexec:
- In the GPO editor, return to Software Installation
- Right-click the SentinelOne package → Properties
- Navigate to the Modifications tab and add the MST
- Common properties:
- SITE_TOKEN=<token> - site registration token
- MSIRESTARTMANAGERCONTROL=Disable - do not use Restart Manager, avoiding application-close and restart prompts during install
- /l*v "C:\BIN\LOGS-SentinelOne-Install.log" - verbose logging; this is an msiexec switch rather than an MSI property, so it applies only to manual installs (GPO installs are logged by the MsiInstaller source in the Application event log)
Full silent installation example:
msiexec /i SentinelInstaller_windows_64bit_v23.4.2.487.msi /qn SITE_TOKEN="your-token" MSIRESTARTMANAGERCONTROL=Disable /l*v "C:\BIN\LOGS-SentinelOne-Install.log"
Step 8: Configure GPO scope and security filtering
- Close the Group Policy Management Editor
- In Group Policy Management, select the SentinelOne Agent Deployment GPO
- Navigate to the Scope tab
- Under Security Filtering, verify Authenticated Users or Domain Computers is listed
- (Optional) Create a security group for phased rollout:
- Create AD group: SG-SentinelOne-Deployment-Phase1
- Add test computers to this group
- Under Security Filtering, remove Authenticated Users and add SG-SentinelOne-Deployment-Phase1
- Then open the Delegation tab and grant Authenticated Users (or Domain Computers) Read permission on the GPO again. Since MS16-072 (KB3163622), a computer reads GPOs using its own account, so a GPO that Authenticated Users cannot read is never processed, even for members of the filtered group; GPMC warns about this when Authenticated Users is removed.
- Under WMI Filtering (optional), apply OS-specific filters:
-- Example WMI filter for Windows 10/11 workstations only (Windows 11 also reports version 10.x; ProductType 1 excludes servers, which share the same version family)
SELECT * FROM Win32_OperatingSystem WHERE ProductType="1" AND Version LIKE "10.%"
Step 9: Force Group Policy update on test systems
- On a test computer, open PowerShell as Administrator:
# Force immediate GPO update (software installation is applied at startup, so gpupdate will offer a restart)
gpupdate /force
# Verify GPO applied
gpresult /r /scope:computer
# After the restart, check that the package was registered by Software Installation
# (it does not create a scheduled task; the record is under the AppMgmt key)
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt\*" -ErrorAction SilentlyContinue | Where-Object {$_.DeploymentName -like "*Sentinel*"}
# Monitor the installation log (only exists for a manual msiexec run with /l*v; GPO installs log to the Application event log under source MsiInstaller)
Get-Content "C:\BIN\LOGS-SentinelOne-Install.log" -Tail 50 -Wait
- Reboot the test computer to trigger installation (GPO software installation executes at startup)
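Steps 4, 8 and 9 can be scripted end to end with the GroupPolicy and ActiveDirectory modules (RSAT), which also makes the MS16-072 Read permission explicit instead of relying on a GPMC warning. The following is an added example, not part of the original runbook: it creates and links the GPO, creates the phase group with the pilot computer accounts, sets Apply for the phase group while keeping Read for Authenticated Users, restarts the pilot machines and reports whether the package was registered. The OU distinguished names, group OU and pilot computer names are placeholders; the Software Installation package itself still has to be added in gpmc.msc (Step 5) because no cmdlet manages it.

```powershell
# Added example (not from the original runbook): script GPO creation, link,
# phased security filtering and the pilot reboot from Steps 4, 8 and 9.
# Assumed placeholders: OU paths, group OU, pilot computer names.
#Requires -Modules GroupPolicy, ActiveDirectory
param(
    [string]$GpoName          = 'SentinelOne Agent Deployment',
    [string]$TargetOU         = 'OU=Workstations,OU=Computers,DC=domain,DC=local',
    [string]$GroupOU          = 'OU=Groups,DC=domain,DC=local',
    [string]$PhaseGroup       = 'SG-SentinelOne-Deployment-Phase1',
    [string[]]$PilotComputers = @('WKS-001', 'WKS-002')
)

# Step 4: create the GPO if missing and link it to the target OU (idempotent).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Assigned install of the SentinelOne agent MSI' }
$alreadyLinked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) { New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null }
# The Software Installation package has no cmdlet: add it in gpmc.msc (Step 5).

# Step 8: phase group containing the pilot computer accounts.
$group = Get-ADGroup -Filter "Name -eq '$PhaseGroup'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $PhaseGroup -GroupScope Global -GroupCategory Security -Path $GroupOU -PassThru
}
$members = foreach ($name in $PilotComputers) { Get-ADComputer -Identity $name }
Add-ADGroupMember -Identity $group -Members $members

# Security filtering: Apply only for the phase group, Read kept for Authenticated
# Users. -Replace turns the default Read+Apply on Authenticated Users into Read only,
# which is the MS16-072-safe equivalent of "removing" it in GPMC.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $PhaseGroup -TargetType Group -PermissionLevel GpoApply | Out-Null

# Show the resulting ACL so the Read entry can be confirmed before testing.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission |
    Format-Table -AutoSize

# Step 9: a computer's group membership is evaluated at boot, so the pilots must
# restart (gpupdate alone keeps the old token) before the assigned package
# installs. After they are back, confirm the package registration and service.
Restart-Computer -ComputerName $PilotComputers -Force -Wait -For PowerShell -Timeout 900
Invoke-Command -ComputerName $PilotComputers -ScriptBlock {
    $pkg = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt\*' -ErrorAction SilentlyContinue |
           Where-Object { $_.DeploymentName -like '*Sentinel*' }
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        PackageRegistered = [bool]$pkg
        AgentService      = (Get-Service -Name SentinelAgent -ErrorAction SilentlyContinue).Status
    }
} | Format-Table -AutoSize
```

Run it from a management host as an account that can create GPOs and groups. Extending the rollout to the next phase is then a matter of adding computers to the group (or creating SG-SentinelOne-Deployment-Phase2 and granting it GpoApply the same way); the Authenticated Users Read entry stays in place for every phase.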
Step 10: Monitor deployment progress
From SentinelOne Console:
- Navigate to Sentinels → Agents
- Filter by Last Active Date to see recently registered agents
- Verify agents show Connected status and correct Site assignment
- Check agent version matches deployed MSI
From Active Directory:
- Use Group Policy Results Wizard to verify policy application:
# Generate GPO results for specific computer
gpresult /s COMPUTERNAME /h "C:\Temp\gpresult-COMPUTERNAME.html"
- Check Event Viewer on target computers:
- Application log: MsiInstaller events 1033 (Installation success or error status: 0 on success) and 11707 (installation completed successfully)
- System log: Application Management Group Policy events for the assigned package, and SentinelAgent service startup
PowerShell verification script:
# Check SentinelOne agent status on remote computer
Invoke-Command -ComputerName TARGETPC -ScriptBlock {
Get-Service -Name "SentinelAgent" -ErrorAction SilentlyContinue
Get-ItemProperty -Path "HKLM:\SOFTWARE\SentinelOne\Sentinel Agent" -ErrorAction SilentlyContinue
}
VERIFICATION
On target endpoint:
- Verify SentinelOne service is running:
Get-Service -Name "SentinelAgent"
# Expected output: Status should be "Running"
- Check agent registration:
# Verify agent executable exists (the folder name includes the agent version)
Test-Path "C:\Program Files\SentinelOne\Sentinel Agent 23.4.2.487\SentinelAgent.exe"
# Check registry for site assignment and console URL
Get-ItemProperty -Path "HKLM:\SOFTWARE\SentinelOne\Sentinel Agent" | Select-Object -Property SiteId, ManagementServerUrl
- Verify network connectivity to management console:
Test-NetConnection -ComputerName "yourtenant.sentinelone.net" -Port 443
From SentinelOne Console:
- Navigate to Sentinels → Agents
- Search for the target computer by hostname
- Verify:
- Status: Connected (green indicator)
- Last Active: Within last 5 minutes
- Agent Version: Matches deployed MSI version
- Site: Correct site assignment
- Policy: Appropriate policy applied (check under Actions → Show Actions)
GPO verification:
# On target computer, verify GPO applied
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt\*" | Where-Object {$_.DeploymentName -like "*Sentinel*"}
TROUBLESHOOTING
Issue: Agent not installing after GPO update
Symptoms: gpupdate /force completes but no SentinelOne service appears
Solutions:
- Verify computer account has read access to network share:
# Test from target computer as SYSTEM account (PsExec from Sysinternals)
psexec -s -i cmd
# Then: dir \\DC01\SentinelOne
- Check Event Viewer → Application log for MsiInstaller events 1033 with a non-zero status or 11708 (installation failed), and the System log for Application Management Group Policy errors
- Verify GPO scope includes target computer:
# On domain controller
Get-GPOReport -Name "SentinelOne Agent Deployment" -ReportType HTML -Path "C:\Temp\gpo-report.html"
- Ensure computer has rebooted (software installation policies apply at startup)
Issue: Installation fails with error 1603
Symptoms: MSI installer returns generic error code 1603
Solutions:
- Check installation log for specific error ("return value 3" marks the action that failed):
Select-String -Path "C:\BIN\LOGS-SentinelOne-Install.log" -Pattern "error|failed|return value 3"
- Common causes:
- Insufficient disk space: Requires minimum 2GB free
- Antivirus interference: Temporarily disable competing EDR/AV products
- Corrupted MSI: Re-download installer and verify hash
- Previous installation remnants: Use SentinelOne uninstall tool first
- Manual cleanup and retry (only after the previous agent has been uninstalled: while an agent is installed, its anti-tamper protection blocks deletion of its files and registry keys):
# Remove previous installation artifacts
Remove-Item "C:\Program Files\SentinelOne" -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item "HKLM:\SOFTWARE\SentinelOne" -Recurse -Force -ErrorAction SilentlyContinue
# Retry installation manually
msiexec /i "\\DC01\SentinelOne\SentinelInstaller_windows_64bit_v23.4.2.487.msi" /qn SITE_TOKEN="your-token" /l*v "C:\Temp\manual-install.log"
Issue: Agent installs but shows "Not Connected" in console
Symptoms: Service running but agent not communicating with management console
Solutions:
- Verify site token is correct:
# Check configured token matches console
$agentToken = (Get-ItemProperty -Path "HKLM:\SOFTWARE\SentinelOne\Sentinel Agent").Token
Write-Host "Configured token: $agentToken"
# Compare with console site token
- Check firewall rules allow HTTPS outbound:
Test-NetConnection -ComputerName "yourtenant.sentinelone.net" -Port 443 -InformationLevel Detailed
- Verify DNS resolution:
Resolve-DnsName "yourtenant.sentinelone.net"
- Check proxy settings if corporate proxy is in use:
# Agent inherits system proxy settings
netsh winhttp show proxy
# Configure proxy if needed
netsh winhttp set proxy proxy-server="proxy.domain.local:8080" bypass-list="*.local"
- Restart agent service (with anti-tamper enabled in the agent's policy, stopping the service locally is blocked; use the console or the agent passphrase instead):
Restart-Service -Name "SentinelAgent" -Force
Issue: GPO applies but installation doesn't trigger
Symptoms: GPO shows as applied in gpresult but no installation occurs
Solutions:
- Verify software installation policy is under Computer Configuration, not User Configuration
- Check that deployment type is Assigned, not Published (Published only works for User Configuration)
- Ensure target computer has rebooted after GPO application
- Manually trigger installation with a policy refresh that restarts the computer if required (Software Installation does not use a scheduled task):
# Force policy refresh; /boot restarts when a computer setting such as software installation needs it
gpupdate /force /boot
Issue: Installation succeeds but agent version is incorrect
Symptoms: Old agent version remains despite deploying newer MSI
Solutions:
- Configure GPO for automatic upgrade:
- Software Installation → Package Properties → Upgrades tab
- Add previous package version as "Upgrade package"
- Select "Uninstall the existing package, then install the upgrade package"
- Manually uninstall old version first:
# Find the installed SentinelOne product code from the Uninstall registry keys
# (avoid Win32_Product: querying it makes Windows Installer run a consistency check and repair of every installed product)
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue | Where-Object {$_.DisplayName -like "*Sentinel*"} | Select-Object DisplayName, DisplayVersion, PSChildName
# Uninstall using the product code (the PSChildName of the matching key is the product code GUID);
# with anti-tamper enabled a silent uninstall is blocked, so disable it in the console policy or uninstall from the console first
msiexec /x {PRODUCT-CODE-GUID} /qn /l*v "C:\Temp\sentinel-uninstall.log"
Issue: Deployment fails on Windows Server systems
Symptoms: Workstations install successfully but servers fail
Solutions:
- Verify GPO is linked to correct OU containing server objects
- Check server editions are supported (Nano Server not supported)
- Ensure sufficient resources on servers (minimum 2GB RAM recommended)
- Check for conflicts with server-specific security software (Defender for Endpoint, third-party AV)
COMMANDS/SCRIPTS
Complete PowerShell deployment verification script:
<#
.SYNOPSIS
Verifies SentinelOne agent deployment status via GPO
.DESCRIPTION
Checks GPO application, agent installation, service status, and console connectivity
.PARAMETER ComputerName
Target computer to check (defaults to local computer)
.EXAMPLE
.\Verify-SentinelOneDeployment.ps1 -ComputerName "WKS-001"
#>
param(
[string]$ComputerName = $env:COMPUTERNAME
)
function Test-SentinelOneDeployment {
param([string]$Computer)
$results = @{
ComputerName = $Computer
GPOApplied = $false
AgentInstalled = $false
ServiceRunning = $false
ConsoleConnectivity = $false
AgentVersion = $null
SiteToken = $null
}
Write-Host "Checking SentinelOne deployment on $Computer..." -ForegroundColor Cyan
# Check GPO application
try {
$gpoResult = Invoke-Command -ComputerName $Computer -ScriptBlock {
gpresult /r /scope:computer | Select-String "SentinelOne"
} -ErrorAction Stop
if ($gpoResult) {
$results.GPOApplied = $true
Write-Host "[PASS] GPO applied" -ForegroundColor Green
}
}
catch {
Write-Host "[FAIL] Cannot verify GPO: $($_.Exception.Message)" -ForegroundColor Red
}
# Check agent installation (resolve the version on the remote side so it arrives as a plain string;
# the FileInfo's VersionInfo does not survive remoting serialization intact)
try {
$agentInfo = Invoke-Command -ComputerName $Computer -ScriptBlock {
$exe = Get-ChildItem "C:\Program Files\SentinelOne" -Recurse -Filter "SentinelAgent.exe" -ErrorAction Stop | Select-Object -First 1
if (-not $exe) { throw "SentinelAgent.exe not found under C:\Program Files\SentinelOne" }
[PSCustomObject]@{ Path = $exe.FullName; Version = $exe.VersionInfo.FileVersion }
} -ErrorAction Stop
$results.AgentInstalled = $true
$results.AgentVersion = $agentInfo.Version
Write-Host "[PASS] Agent installed - Version: $($results.AgentVersion) ($($agentInfo.Path))" -ForegroundColor Green
}
catch {
Write-Host "[FAIL] Agent not installed: $($_.Exception.Message)" -ForegroundColor Red
}
# Check service status
try {
$service = Invoke-Command -ComputerName $Computer -ScriptBlock {
Get-Service -Name "SentinelAgent" -ErrorAction Stop
} -ErrorAction Stop
if ($service.Status -eq "Running") {
$results.ServiceRunning = $true
Write-Host "[PASS] Service running" -ForegroundColor Green
}
else {
Write-Host "[WARN] Service not running - Status: $($service.Status)" -ForegroundColor Yellow
}
}
catch {
Write-Host "[FAIL] Service not found" -ForegroundColor Red
}
# Check console connectivity
try {
$connectivity = Invoke-Command -ComputerName $Computer -ScriptBlock {
$consoleUrl = (Get-ItemProperty -Path "HKLM:\SOFTWARE\SentinelOne\Sentinel Agent" -ErrorAction Stop).ManagementServerUrl
Test-NetConnection -ComputerName ([System.Uri]$consoleUrl).Host -Port 443 -WarningAction SilentlyContinue
} -ErrorAction Stop
if ($connectivity.TcpTestSucceeded) {
$results.ConsoleConnectivity = $true
Write-Host "[PASS] Console connectivity verified" -ForegroundColor Green
}
else {
Write-Host "[FAIL] Cannot reach management console" -ForegroundColor Red
}
}
catch {
Write-Host "[FAIL] Console connectivity check failed: $($_.Exception.Message)" -ForegroundColor Red
}
# Retrieve site assignment (the registry exposes the SiteId the agent registered to, not the raw token;
# it is kept under the SiteToken key of $results for the summary)
try {
$results.SiteToken = Invoke-Command -ComputerName $Computer -ScriptBlock {
(Get-ItemProperty -Path "HKLM:\SOFTWARE\SentinelOne\Sentinel Agent" -ErrorAction Stop).SiteId
} -ErrorAction Stop
Write-Host "[INFO] Site ID: $($results.SiteToken)" -ForegroundColor Cyan
}
catch {
Write-Host "[WARN] Cannot retrieve site ID" -ForegroundColor Yellow
}
return $results
}
# Execute verification
$deploymentStatus = Test-SentinelOneDeployment -Computer $ComputerName
# Summary
Write-Host "`n=== DEPLOYMENT SUMMARY ===" -ForegroundColor Cyan
$deploymentStatus.GetEnumerator() | ForEach-Object {
Write-Host "$($_.Key): $($_.Value)"
}
# Overall status
$overallSuccess = $deploymentStatus.AgentInstalled -and $deploymentStatus.ServiceRunning -and $deploymentStatus.ConsoleConnectivity
if ($overallSuccess) {
Write-Host "`n[SUCCESS] SentinelOne deployment verified successfully" -ForegroundColor Green
exit 0
}
else {
Write-Host "`n[FAILURE] SentinelOne deployment incomplete - review errors above" -ForegroundColor Red
exit 1
}
Batch deployment status report across multiple computers:
# Generate deployment report for all domain computers
$computers = Get-ADComputer -Filter {Enabled -eq $true} -SearchBase "OU=Workstations,DC=domain,DC=local" | Select-Object -ExpandProperty Name
$report = foreach ($computer in $computers) {
try {
$status = Invoke-Command -ComputerName $computer -ScriptBlock {
$service = Get-Service -Name "SentinelAgent" -ErrorAction SilentlyContinue
$version = $null
if ($service) {
$agentExe = Get-ChildItem "C:\Program Files\SentinelOne" -Recurse -Filter "SentinelAgent.exe" -ErrorAction SilentlyContinue | Select-Object -First 1
$version = $agentExe.VersionInfo.FileVersion
}
[PSCustomObject]@{
ServiceStatus = $service.Status
AgentVersion = $version
}
} -ErrorAction Stop
[PSCustomObject]@{
ComputerName = $computer
Status = "Online"
AgentStatus = $status.ServiceStatus
AgentVersion = $status.AgentVersion
}
}
catch {
[PSCustomObject]@{
ComputerName = $computer
Status = "Offline/Error"
AgentStatus = "N/A"
AgentVersion = "N/A"
}
}
}
# Export to CSV
$report | Export-Csv -Path "C:\Temp\SentinelOne-Deployment-Report-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
# Display summary
$report | Format-Table -AutoSize
Write-Host "`nTotal computers checked: $($report.Count)"
Write-Host "Agents running: $(($report | Where-Object {$_.AgentStatus -eq 'Running'}).Count)"
Write-Host "Report saved to: C:\Temp\SentinelOne-Deployment-Report-$(Get-Date -Format 'yyyyMMdd').csv"