
How to Deploy SentinelOne in an Active Directory Environment


I was recently asked to deploy the latest SentinelOne agent, a next-generation antivirus turned XDR (Extended Detection and Response) platform, across a Windows workstation environment.

It is a modern endpoint security product that uses behavioural AI to prevent, detect and respond to threats on the host.

Cool features aside, I quickly realized there wasn’t a ready-to-use solution for deploying it across many machines using Group Policy.

So I rolled up my sleeves and figured one out—here’s how I did it.

Manual Installation

When launching the MSI installer for SentinelOne, the setup process prompts for a site token.

That means the classic GPO Software Installation route (assigning the MSI to computers) is not directly usable, because it gives you no way to supply that token as an MSI property. I even tried injecting the token property into the package with Orca (see https://docs.microsoft.com/), without success.

SentinelOne installer prompting for site or group token during setup wizard.
  • The token can be passed on the command line instead, as the SITE_TOKEN property of msiexec:
C:\>msiexec /i "SentinelInstaller_windows.msi" /q /norestart SITE_TOKEN="ps3GpmsPqogCBKF0ANnRhmUVptppZlKPMncnl2CGNG6cbaHia3yRHw6aWRb12AeDSj5NpabG1T4A6XPWzOsHt62jAgwK8IL5l0JibeWa"
    • /i: installs the package.
    • /q: quiet mode (no user interface).
    • /norestart: prevents an automatic reboot after installation.
    • SITE_TOKEN=…: the site (or group) token copied from the SentinelOne console; it tells the agent which site to enroll into.

This is the exact command we'll include in our deployment script.

Batch Script

  • Below is a simple installation batch script that installs SentinelOne only if it is not already present on the system:
@echo off
REM Startup script: install SentinelOne only if it is not already present on this host.

REM If the vendor's registry key exists, the agent is already installed (output suppressed).
reg query "HKLM\Software\Sentinel Labs" >nul 2>&1
IF %ERRORLEVEL% == 0 goto INSTALLED

REM Copy the MSI from the SYSVOL share to the local temp folder (/Z restartable, /Y overwrite).
copy \\std\sysvol\std.local\scripts\SentinelOne\SentinelInstaller_windows.msi c:\windows\temp\ /Z /Y
IF %ERRORLEVEL% NEQ 0 goto ERROR

REM Silent install; SITE_TOKEN enrolls the agent into the right site.
msiexec /i "c:\windows\temp\SentinelInstaller_windows.msi" /q /norestart SITE_TOKEN="ps3GpmsPqogCBKF0ANnRhmUVptppZlKPMncnl2CGNG6cbaHia3yRHw6aWRb12AeDSj5NpabG1T4A6XPWzOsHt62jAgwK8IL5l0JibeWa"

REM msiexec exit codes: 0 = installed, 3010 = installed but a reboot is pending (normal with /norestart).
IF %ERRORLEVEL% == 0 goto OK
IF %ERRORLEVEL% == 3010 goto OK
goto ERROR

:INSTALLED
echo Already Installed
exit /b 0

:ERROR
echo Install Error
exit /b 1

:OK
echo Install OK
exit /b 0
  • Here’s what the script does:
    • Checks whether the registry key HKLM\Software\Sentinel Labs exists. If it does, this indicates that SentinelOne is already installed, and the script exits.
    • If the key is not found, it copies the SentinelInstaller_windows.msi file from the Active Directory share to C:\Windows\Temp\.
    • It then proceeds to install the MSI package using msiexec with the required parameters.
  • On the domain controller, place both the batch script and the SentinelOne MSI installer in the following SYSVOL path, C:\Windows\SYSVOL\sysvol\std.local\scripts\SentinelOne. Two things to keep in mind: SYSVOL is readable by every authenticated user in the domain, so the site token embedded in the script is visible to all domain users, and the script runs as SYSTEM on every target computer, so the folder must stay writable only by administrators (the SYSVOL default), otherwise anyone who can modify the script or the MSI gets SYSTEM on every workstation:
SYSVOL folder on Active Directory server showing batch script and SentinelOne MSI installer
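The same flow as the batch file, written here as an added PowerShell example that is not the original post's script. It keeps the post's registry check and SYSVOL path, but verifies the Authenticode signature of the copied MSI before executing it (the script runs as SYSTEM, so a tampered installer in the share would mean SYSTEM on every host), treats msiexec exit codes 3010 and 1641 (success with a reboot required or initiated) as success rather than failure, and logs to C:\Windows\Temp. `<SITE_TOKEN>` is a placeholder for the token from your console, and the service name SentinelAgent used for the post-install check is an assumption. A .ps1 file goes under the PowerShell Scripts tab of the same Startup properties dialog used below for the batch file.

```powershell
# Added example, not the original post's script. Assumptions: the SYSVOL path from
# the post, <SITE_TOKEN> replaced with your own token, and service name SentinelAgent.
$Source    = '\\std\sysvol\std.local\scripts\SentinelOne\SentinelInstaller_windows.msi'
$Local     = Join-Path $env:SystemRoot 'Temp\SentinelInstaller_windows.msi'
$MsiLog    = Join-Path $env:SystemRoot 'Temp\SentinelInstaller_msiexec.log'
$LogFile   = Join-Path $env:SystemRoot 'Temp\SentinelOne_deploy.log'
$SiteToken = '<SITE_TOKEN>'   # placeholder: site token from the SentinelOne console
$AgentKey  = 'HKLM:\SOFTWARE\Sentinel Labs'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

function Test-SentinelInstalled {
    # Same marker as the batch script: the vendor's registry key is present.
    return (Test-Path -LiteralPath $AgentKey)
}

function Test-TrustedInstaller([string]$Path) {
    # This script runs as SYSTEM on every workstation, so refuse to execute an MSI
    # whose Authenticode signature is missing, broken or not trusted by the host.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    Write-Log "Signature status: $($sig.Status); signer: $($sig.SignerCertificate.Subject)"
    return ($sig.Status -eq 'Valid')
}

function Install-SentinelAgent([string]$MsiPath, [string]$Token) {
    # Quiet install, no forced reboot, verbose MSI log for troubleshooting.
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart',
                 "SITE_TOKEN=$Token", '/l*v', "`"$MsiLog`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode
}

try {
    if (Test-SentinelInstalled) {
        Write-Log 'Already installed'
        exit 0
    }
    Copy-Item -LiteralPath $Source -Destination $Local -Force
    if (-not (Test-TrustedInstaller -Path $Local)) {
        Write-Log 'Untrusted installer, aborting'
        exit 1
    }
    $code = Install-SentinelAgent -MsiPath $Local -Token $SiteToken
    # msiexec: 0 = success, 3010 = success but reboot required, 1641 = success, reboot initiated
    if ($code -in @(0, 3010, 1641)) {
        $svc   = Get-Service -Name 'SentinelAgent' -ErrorAction SilentlyContinue   # assumed name
        $state = if ($svc) { $svc.Status } else { 'service not found' }
        Write-Log "Install OK (msiexec exit $code); SentinelAgent: $state"
        exit 0
    }
    Write-Log "Install failed (msiexec exit $code)"
    exit $code
}
catch {
    Write-Log "Install error: $_"
    exit 1
}
finally {
    # Do not leave the installer lying around in the temp folder.
    Remove-Item -LiteralPath $Local -Force -ErrorAction SilentlyContinue
}
```

The signature check only proves the file was signed by a certificate the host trusts; if you want to pin it to the vendor, compare `$sig.SignerCertificate.Thumbprint` against the value you recorded from a known-good download of the installer.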

Create a Group Policy Object

We will now create a Group Policy Object (GPO) that executes the installation script automatically when target computers start up.

  • Open the Active Directory Users and Computers console:
Opening the Active Directory Users and Computers console
  • Move the target computers to the appropriate Organizational Unit (OU), such as Workstations, where the GPO will be applied:
Moving computers into the Workstations OU in Active Directory
  • Open the Group Policy Management console:
Opening the Group Policy Management Console
  • Create a new Group Policy Object (GPO):
Creating a new Group Policy Object in the console
  • Assign a descriptive name to the new GPO (e.g., Deploy - SentinelOne):
Dialog box for naming a new GPO as 'Deploy - SentinelOne' in Group Policy Management
  • Edit the newly created GPO:
Right-click context menu showing the 'Edit' option for the 'Deploy - SentinelOne' GPO in Group Policy Management
  • Navigate to: Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown), and right-click on Startup and select Properties.
Opening the properties of the Startup script section in Group Policy Management Editor
  • Click Add… and then Browse to select the previously created batch script:
Steps to add a startup script in GPO: opening properties, browsing for the batch file, and selecting Install_SentinelOne.bat
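The GPO steps above, scripted as an added example that is not part of the original post. Run from a domain controller or a machine with RSAT: it creates and links the GPO with the GroupPolicy module, then audits who can write to the SYSVOL folder holding the startup script and the MSI, since those files run as SYSTEM on every computer in the OU and anyone able to modify them inherits that privilege everywhere. Assumptions: domain std.local, an OU named Workstations, and the GPO name and script file name shown in the screenshots. The Startup script entry itself has no GroupPolicy cmdlet and is still added in the GPMC editor as shown; the last lines only confirm it appears in the GPO report once you have done so.

```powershell
# Added example, not the post's own steps. Assumptions: domain std.local, OU "Workstations",
# the GPO name and the SYSVOL folder used in the post.
Import-Module GroupPolicy

$GpoName   = 'Deploy - SentinelOne'
$TargetOU  = 'OU=Workstations,DC=std,DC=local'
$ScriptDir = '\\std\sysvol\std.local\scripts\SentinelOne'

function New-SentinelDeployGpo([string]$Name, [string]$OU) {
    # Create the GPO if it does not exist yet, then link it to the OU.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Startup script that installs the SentinelOne agent'
    }
    # New-GPLink errors if the link already exists; that is fine here.
    New-GPLink -Name $Name -Target $OU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

function Get-BroadWriteAccess([string]$Path) {
    # Report Allow ACEs that give write-class (or generic write/all) rights to
    # low-privilege principals on the folder, its files and subfolders.
    $broad = '^(Everyone|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\INTERACTIVE|BUILTIN\\Users|.+\\Domain Users|.+\\Domain Computers)$'
    $write = 'Write|Modify|FullControl|CreateFiles|AppendData|Delete|ChangePermissions|TakeOwnership'
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -notmatch $broad) { continue }
            # Generic rights show up as raw bits: 0x40000000 = GENERIC_WRITE, 0x10000000 = GENERIC_ALL
            $bits    = [int]$ace.FileSystemRights
            $generic = (($bits -band 0x40000000) -ne 0) -or (($bits -band 0x10000000) -ne 0)
            if ($generic -or (([string]$ace.FileSystemRights) -match $write)) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = [string]$ace.FileSystemRights
                }
            }
        }
    }
}

$gpo = New-SentinelDeployGpo -Name $GpoName -OU $TargetOU
"GPO '$($gpo.DisplayName)' ($($gpo.Id)) is linked to $TargetOU"

$findings = @(Get-BroadWriteAccess -Path $ScriptDir)
if ($findings.Count -gt 0) {
    Write-Warning "Low-privilege principals can modify files that run as SYSTEM on every computer in $TargetOU"
    $findings | Format-Table -AutoSize
} else {
    "OK: no write access for broad principals under $ScriptDir"
}

# The Startup entry is added in the GPMC editor (no cmdlet); confirm it shows in the report.
$report = Get-GPOReport -Name $GpoName -ReportType Xml
"Install_SentinelOne.bat referenced in the GPO report: $($report -match 'Install_SentinelOne\.bat')"
```

Re-run the ACL audit whenever the folder is touched: a single Modify ACE for Domain Users on that path turns a deployment GPO into domain-wide SYSTEM code execution for any user.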

And that's all: at their next boot, the computers in the Workstations OU run the script as SYSTEM and install the agent silently.