Windows - Security - Install SentinelOne Agent

What the SentinelOne Agent Installer does

This Automox Worklet™ installs the SentinelOne agent on Windows endpoints. SentinelOne provides autonomous endpoint protection with real-time prevention, detection, and response capabilities powered by artificial intelligence and behavioral analysis.

The Worklet requires you to upload your organization-specific SentinelOne MSI installers to the Worklet payload. You must download these installers from the Packages section of your SentinelOne management console. The site token, also obtained from your SentinelOne console, registers the agent with your organization's platform instance.

The Worklet examines registry keys including HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall.

During remediation, the Worklet detects system architecture and selects the appropriate 32-bit or 64-bit installer. The installation runs with SITE_TOKEN, /NORESTART, and /QUIET arguments to register the agent silently without interrupting users.

Why deploy SentinelOne through Automox

SentinelOne endpoint protection is critical for defending against malware, ransomware, and advanced persistent threats. Manual agent deployment across hundreds or thousands of endpoints requires significant IT resources and delays security coverage.

Automating SentinelOne deployment through this Worklet enables rapid security rollout. You can deploy protection to new endpoints as they join your network, fill coverage gaps in your existing fleet, and respond quickly to security incidents requiring additional protection.

The Worklet provides visibility into which endpoints have SentinelOne installed, helping you identify unprotected endpoints and track security agent deployment progress across your organization.

How SentinelOne installation works

1. Evaluation phase: The Worklet searches Windows registry uninstall keys for "Sentinel Agent" in both 64-bit (Software\Microsoft\Windows\CurrentVersion\Uninstall) and 32-bit registry paths. If found, the endpoint is marked compliant. If not found, the endpoint proceeds to remediation.

2. Remediation phase: The Worklet detects system architecture and selects the corresponding MSI installer from the payload. It executes the installer with SITE_TOKEN=[your-token] /NORESTART /QUIET arguments, validates the exit code (0 for success, 3010 for success with reboot required, 1618 indicates restart needed before installation).

SentinelOne installation requirements

• Windows 7 or later

• Active SentinelOne subscription

• 32-bit and 64-bit SentinelOne MSI installers downloaded from your SentinelOne Packages section

• Site token from your SentinelOne management console

• Configure $32bitFilename, $64bitFilename, and $SITE_TOKEN variables in remediation code

• Administrative privileges for software installation

Expected state after SentinelOne installation

After successful remediation, the SentinelOne agent appears in the Windows Programs list and registry uninstall keys. The agent service starts automatically and registers with your SentinelOne management console using the configured site token.

The endpoint begins receiving protection immediately, with real-time threat detection and response capabilities active. The endpoint appears in your SentinelOne console for management and policy application. Subsequent Worklet runs will detect the existing installation and exit without action.

How to validate install sentinelone agent changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for install sentinelone agent.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Get-ChildItem, Get-ItemProperty, Where-Object.

4. Validate remediation effects from script operations such as Split-Path, Get-ChildItem, Get-ItemProperty, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for install sentinelone agent. This supports repeatable software lifecycle workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as Get-ChildItem, Get-ItemProperty, Where-Object and remediation operations such as Split-Path, Get-ChildItem, Get-ItemProperty. Use these indicators to verify that endpoint changes match intended policy outcomes.