How to Deploy SentinelOne in an Active Directory Environment
- Last updated: Jun 26, 2025
I was recently asked to deploy the latest SentinelOne (the brand-new death antivirus from hell that kills) XDR (Extended Detection and Response) in a Windows Workstation environment.
It's a modern security tool that uses AI to prevent, detect, and respond to software threats.
Cool features aside, I quickly realized there wasn’t a ready-to-use solution for deploying it across many machines using Group Policy.
So I rolled up my sleeves and figured one out—here’s how I did it.
Manual Installation
When launching the MSI installer for SentinelOne, the setup process prompts for a site token.
As a result, traditional MSI-based software deployment via Group Policy Object (GPO) is not directly applicable. I even attempted to use Orca to inject the TOKEN property manually (see https://docs.microsoft.com/), but without success.

- You can pass the SITE_TOKEN as a property when running the msiexec command. Here's how:
  - /i: Installs the package.
  - /q: Quiet mode (no user interface).
  - /norestart: Prevents automatic reboot after installation.
C:\>msiexec /i "SentinelInstaller_windows.msi" /q /norestart SITE_TOKEN="ps3GpmsPqogCBKF0ANnRhmUVptppZlKPMncnl2CGNG6cbaHia3yRHw6aWRb12AeDSj5NpabG1T4A6XPWzOsHt62jAgwK8IL5l0JibeWa"
This is the exact command we'll include in our deployment script.
Batch Script
- Below is a simple installation batch script that installs SentinelOne only if it is not already present on the system:
@echo off
REM check if "HKLM\Software\Sentinel Labs" registry key is present
reg query "HKLM\Software\Sentinel Labs"
REM if "HKLM\Software\Sentinel Labs" registry key is present, it means that sentinel has already been installed on this host, so go to the INSTALLED switch of the script
IF %ERRORLEVEL% == 0 goto INSTALLED
REM Copy SentinelInstaller_windows.msi installer from SYSVOL share to local TEMP folder WORKSTATION
copy \\std\sysvol\std.local\scripts\SentinelOne\SentinelInstaller_windows.msi c:\windows\temp\ /Z /Y
REM install msi package
msiexec /i "c:\windows\temp\SentinelInstaller_windows.msi" /q /norestart SITE_TOKEN="ps3GpmsPqogCBKF0ANnRhmUVptppZlKPMncnl2CGNG6cbaHia3yRHw6aWRb12AeDSj5NpabG1T4A6XPWzOsHt62jAgwK8IL5l0JibeWa"
REM if install is ok go to OK switch
IF %ERRORLEVEL% == 0 goto OK
REM if install fails go to ERROR switch
goto ERROR
:INSTALLED
echo "Already Installed"
goto END
:ERROR
echo "Install Error"
goto END
:OK
echo "Install OK"
:END
- Here’s what the script does:
  - Checks whether the registry key HKLM\Software\Sentinel Labs exists. If it does, this indicates that SentinelOne is already installed, and the script exits.
  - If the key is not found, it copies the SentinelInstaller_windows.msi file from the Active Directory share to C:\Windows\Temp\.
  - It then proceeds to install the MSI package using msiexec with the required parameters.
- On the Active Directory server, place both the batch script and the SentinelOne MSI installer in the following shared path: C:\Windows\SYSVOL\sysvol\std.local\scripts\SentinelOne
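A PowerShell variant of the startup script above, added here as an example and not the author's script: it checks the copied MSI's Authenticode signature and a pinned SHA-256 before running it, and treats msiexec exit codes 3010 and 1641 (success, reboot pending) as success instead of "Install Error". Assumptions: the same share path and registry key as the batch script; `<SITE_TOKEN>` and `<SHA256_OF_MSI>` are placeholders you fill in; `Get-MsiOutcome` is a helper name introduced for this example.

```powershell
# Added example, not the author's script. Assumes it runs as a GPO startup
# script and uses the same share path and registry key as the batch script.
$Source       = '\\std\sysvol\std.local\scripts\SentinelOne\SentinelInstaller_windows.msi'
$Local        = Join-Path $env:windir 'Temp\SentinelInstaller_windows.msi'
$SiteToken    = '<SITE_TOKEN>'       # placeholder: your site token
$PinnedSha256 = '<SHA256_OF_MSI>'    # placeholder: hash recorded when the MSI was downloaded

# Hypothetical helper: map msiexec exit codes to an outcome string.
function Get-MsiOutcome([int]$ExitCode) {
    switch ($ExitCode) {
        0       { 'OK' }
        3010    { 'OK-RebootRequired' }    # ERROR_SUCCESS_REBOOT_REQUIRED
        1641    { 'OK-RebootInitiated' }   # ERROR_SUCCESS_REBOOT_INITIATED
        1618    { 'Retry-InstallerBusy' }  # ERROR_INSTALL_ALREADY_RUNNING
        default { "Error-$ExitCode" }
    }
}

# Same presence check as the batch script's "reg query".
if (Test-Path 'HKLM:\Software\Sentinel Labs') { 'Already Installed'; exit 0 }

Copy-Item -Path $Source -Destination $Local -Force

# Refuse to run an installer that was altered on the share or in transit.
$sig  = Get-AuthenticodeSignature -FilePath $Local
$hash = (Get-FileHash -Path $Local -Algorithm SHA256).Hash
if ($sig.Status -ne 'Valid' -or $hash -ne $PinnedSha256) {
    Remove-Item $Local -Force
    "Install Error: signature=$($sig.Status) sha256=$hash"
    exit 1
}

# Same msiexec switches as the manual command above.
$msiArgs = @('/i', "`"$Local`"", '/q', '/norestart', "SITE_TOKEN=`"$SiteToken`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
Remove-Item $Local -Force -ErrorAction SilentlyContinue

$outcome = Get-MsiOutcome $proc.ExitCode
"Install $outcome"
if ($outcome -like 'OK*') { exit 0 } else { exit 1 }
```

SYSVOL is readable by every authenticated domain account by default, so the site token stored in either version of the script is visible to any domain user.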

Create a Group Policy Object
We will now create a Group Policy Object (GPO) that executes the installation script automatically when target computers start up.
- Open the Active Directory Users and Computers console:

- Move the target computers to the appropriate Organizational Unit (OU), such as Workstations, where the GPO will be applied:

- Open the Group Policy Management console:

- Create a new Group Policy Object (GPO):

- Assign a descriptive name to the new GPO (e.g., Deploy_SentinelOne):

- Edit the newly created GPO:

- Navigate to: Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown), and right-click on Startup and select Properties.

- Click Add… and then Browse to select the previously created batch script:

And that's all…