Installing silently by using the Microsoft Windows Installer

If you want to perform a “silent” (also called unattended) installation of the Centrify Agent for Windows, you can do so by specifying the appropriate command line options and Microsoft Windows Installer (MSI) file to deploy. You must execute the commands on every Windows computer that you want to audit.

You can also use silent installation commands to automate the installation or upgrade of the Windows agent on remote computers if you use a software distribution product, such as Microsoft System Center Configuration Manager (SCCM), that enables you to run commands remotely to deploy software packages. However, only the command-line instructions are covered in this guide.

Configuring registry settings

When you perform a silent installation, several registry settings specific to the agent are configured by the default MSI file. In addition, a default transform (MST) file is provided for you to use if you join the computer to a zone as part of the installation procedure. When executed together, the default MSI and MST files ensure that the computer is joined to a zone, and that a default set of agent-specific registry keys is configured.

If your environment requires different or additional registry settings, you can edit the MST file before performing an installation. Then, when you execute the MSI and MST files to perform an installation, your customized registry settings are implemented. For details about how to edit the MST file, see Editing the default transform (MST) file.

Note:   If you do not join the computer to a zone during installation, you do not use the MST file. In this situation, you can create or edit registry keys manually after the installation finishes by using the , or the registry editor.

The following table describes the agent-specific registry settings that are available for you to configure during installation (by using the MST file) or after installation (by using the or the registry editor). Use the information in this table if you need to configure registry settings differently than how they are configured by the default MSI and MST files. Keep the following in mind as you review the information in the table:

  • The default MSI file is named Centrify Agent for Windows64.msi, and is located in the Agent folder in the Centrify download location.
  • The default MST file is named Group Policy Deployment.mst, and is located in the Agent folder in the Centrify download location.
  • All of the settings in the following table are optional, although some are included in the default MSI and MST files so that they are configured when the MSI and MST files execute during an installation.
  • Settings that are included in the default MSI and MST files are noted in the table.
  • Some settings are environment-specific, and therefore do not have a default value. Others are not environment-specific, and do have a default value.
  • The settings described in the table are located in the MSI file’s Property table.
  • The Setting column shows both the property name in the MSI file, and the name (in parentheses) of the registry key in the Windows registry.
Service Setting Description

Auditing and Monitoring

REG_MAX_FORMAT (MaxFormat)

Specifies the color depth of sessions recorded by the agent.

The color depth affects the resolution of the activity recorded and the size of the records stored in the audit store database when you have video capture auditing enabled. You can set the color depth to one of the following values:

  • 0 to use the native color depth on an audited computer.
  • 1 for a low resolution with an 8-bit color depth.
  • 2 for medium resolution with a 16-bit color depth (default).
  • 4 for highest resolution with a 32-bit color depth.

This setting is included in the default MSI file. In the registry, this setting is specified by a numeral (for example, 1). In the MSI file Property table, it is specified by the # character and a numeral (such as #1). The default value is 1.

Auditing and Monitoring

REG_DISK_CHECK_THRESHOLD (DiskCheckThreshold)

Specifies the minimum amount of disk space that must be available on the disk volume that contains the offline data storage file. You can change the percentage required to be available by modifying this registry key value.

This setting is included in the default MSI file. In the registry, this setting is specified by a numeral (for example, 1). In the MSI file Property table, it is specified by the # character and a numeral (such as #10).

The default value is 10, meaning that at least 10% of the disk space on the volume that contains the offline data storage file must be available. If this threshold is reached and there are no collectors available, the agent stops spooling data and audit data is lost.

Auditing and Monitoring

REG_SPOOL_DIR (SpoolDir)

Specifies the offline data storage location.

The folder location you specify will be where the agent saves (“spools”) data when it cannot connect to a collector.

This setting is not included in the default MSI file. To use it, you must edit the default transform (MST) file so that it is processed together with the MSI file during installation, or create it manually in the registry after the installation finishes.

Auditing and Monitoring

REG_INSTALLATION_ID (InstallationId)

Specifies the unique global identifier (GUID) associated with the installation service connection point.

This setting is not included in the default MSI file. To use it, you must edit the default transform (MST) file so that it is processed together with the MSI file during installation, or create it manually in the registry after the installation finishes.

Auditing and Monitoring

REG_LOG_LEVEL_DA (LogLevel)

Specifies what level of information, if any, is logged. Possible values are:

  • off
  • information
  • warning
  • error
  • verbose

This setting is included in the default MSI file. The default value is information.

Authentication & Privilege

REG_RESCUEUSERSIDS (RescueUserSids)

Specifies which users have rescue rights. Type the user SID strings as a comma-separated list. For example:

user1SID,user2SID,usernSID

This setting is not included in the default MSI file. To use it, you must edit the default transform (MST) file so that the setting is processed together with the MSI file during installation, or create it manually in the registry after the installation finishes.

Authentication & Privilege

REG_LOG_LEVEL_DZ (LoggingLevel)

Specifies what level of information, if any, is logged. Possible values are:

  • off
  • information
  • warning
  • error
  • verbose

This setting is included in the default MSI file. The default value is information.

Authentication & Privilege

GPDeployment

Specifies whether the computer is joined to the zone where the computer was pre-created. This setting is used only during installation and does not have a corresponding registry key. Possible values are:

  • 0 - The computer is not joined to the zone.
  • 1 - The computer is joined to the zone.

This setting is included in the default transform (MST) file. To use it, you must execute the MST file when you execute the default MSI file. The default value is 1, meaning that the pre-created computer is joined to the zone.

Editing the default transform (MST) file

The default transform file, Group Policy Deployment.mst, enables you to specify registry key settings that are different from the default settings that are defined in the MSI file. You can use the Group Policy Deployment.mst file to customize a silent installation for a specific environment.

If you want to customize the agent settings for your environment, you should edit the Group Policy Deployment.mst file before executing the command to perform a silent installation. If you want to use the default settings specified in the MSI file, you can skip this section and go directly to Installing silently from the command line.

You must use the Orca MSI editor to edit the Group Policy Deployment.mst file. Orca is one of the tools available in the Windows SDK. If you do not have the Windows SDK or Orca installed on your computer, you can download and install it from this location: http://msdn.microsoft.com/en-us/library/aa370557(v=vs.85).aspx.

To edit the default MST file:

  1. In the Agent folder in the Centrify download location, create a backup copy of the default Group Policy Deployment.mst file.
  2. Open a Command Prompt window and execute the following command to launch Orca:

    Orca.exe

  3. In Orca, select File > Open and open the Centrify Windows Agent64.msi file located in the Agent folder in the Centrify download location.

  4. In Orca, select Transform > Apply Transform.

  5. In Orca, navigate to the Agent folder in the Centrify download location and open Group Policy Deployment.mst.

    The file is now in transform edit mode, and you can modify data rows in it.

  6. In the Orca left pane, select the Property table.

    Notice that a green bar displays to the left of “Property” in the left pane. This indicates that the Property table will be modified by the MST file.

    The right pane displays the properties that configure registry keys when you execute the command to install the agent using the MSI file. Notice that the last property in the table, GPDeployment, is highlighted in a green box. This indicates that the GPDeployment property will be added to the MSI file by the MST file.

  7. In the right pane, edit or add properties as necessary to configure registry keys for your environment.
    Property Description

    REG_MAX_FORMAT

    Sets the MaxFormat registry key to specify the color depth of sessions recorded by the agent.

    The color depth affects the resolution of the activity recorded and the size of the records stored in the audit store database when you have video capture auditing enabled.

    In the MSI file Property table, you can set the color depth to one of the following values:

    • #0 to use the native color depth on an audited computer.
    • #1 for a low resolution with an 8-bit color depth.
    • #2 for medium resolution with a 16-bit color depth.
    • #4 for highest resolution with a 32-bit color depth.

    The default value is #1. To edit this property, double-click the Value column and type a new value.

    REG_DISK_CHECK_THRESHOLD

    Sets the DiskCheckThreshold registry key to specify the minimum amount of disk space that must be available on the disk volume that contains the offline data storage file.

    In the MSI file Property table, the default value is #10, meaning that at least 10% of the disk space on the volume that contains the offline data storage file must be available. You can change the percentage required to be available. To edit this property, double-click the Value column and type a new value.

    REG_SPOOL_DIR

    Sets the SpoolDir registry key to specify the offline data storage location.

    The folder location you specify will be where the agent saves data when it cannot connect to a collector.

    To add this property to the transform file, right-click anywhere in the property table, then select Add Row.

    REG_INSTALLATION_ID

    Sets the InstallationId registry key to specify the unique global identifier (GUID) associated with the installation service connection point.

    This property is not required if you are using the Installation group policy to identify the audit installation to use. If you are not using group policy to identify the audit installation, you can add this property to the transform file. Right-click anywhere in the property table, then select Add Row to add the property and value to the file.

    REG_LOG_LEVEL_DA

    Sets the LogLevel registry key to specify what level of information, if any, is logged. Possible values are:

    • off
    • information
    • warning
    • error
    • verbose

    The default value is information. To edit this property, double-click the Value column and type a new value.

  8. After you have made the necessary modifications, select Transform > Generate Transform to save your modifications to the default MST file.

    Be sure to save the MST file in the same folder as the MSI file. If the MST and MSI files are in different folders, the MST file will not execute when you execute the MSI file.

The MST file is now ready to be used as described in Installing silently from the command line.
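Before deploying an edited transform, you can confirm that the resulting Property table still holds values this guide documents. The following PowerShell is an added example, not part of the Centrify documentation or product: it opens the MSI read-only through the Windows Installer automation object, applies the MST in memory, and checks the properties described above. The `$AgentDir` path, the `Invoke-Msi` helper, and the 0 to 100 range for the disk threshold are assumptions.

```powershell
# Added example (not vendor code). $AgentDir is an assumed path; file names are from this page.
$AgentDir = 'C:\Install\Agent'
$msi = Join-Path $AgentDir 'Centrify Windows Agent64.msi'
$mst = Join-Path $AgentDir 'Group Policy Deployment.mst'

# Hypothetical helper: late-bound call, because PowerShell sees this COM object without type info.
function Invoke-Msi($obj, $member, $kind, $argList) {
    $obj.GetType().InvokeMember($member, $kind, $null, $obj, $argList)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$db = Invoke-Msi $installer 'OpenDatabase' 'InvokeMethod' @($msi, 0)   # 0 = read-only
Invoke-Msi $db 'ApplyTransform' 'InvokeMethod' @($mst, 0) | Out-Null    # applied in memory only

# Collect the effective Property table (MSI defaults overlaid with the MST).
$props = @{}
$view = Invoke-Msi $db 'OpenView' 'InvokeMethod' @('SELECT `Property`, `Value` FROM `Property`')
Invoke-Msi $view 'Execute' 'InvokeMethod' $null | Out-Null
while ($rec = Invoke-Msi $view 'Fetch' 'InvokeMethod' $null) {
    $props[(Invoke-Msi $rec 'StringData' 'GetProperty' @(1))] = Invoke-Msi $rec 'StringData' 'GetProperty' @(2)
}

$levels = 'off', 'information', 'warning', 'error', 'verbose'
$problems = @()
if ($props['REG_MAX_FORMAT'] -notin '#0', '#1', '#2', '#4') {
    $problems += "REG_MAX_FORMAT: '$($props['REG_MAX_FORMAT'])' is not #0, #1, #2 or #4"
}
# Assumption: the threshold is a percentage, so only #0 to #100 is accepted.
if ($props['REG_DISK_CHECK_THRESHOLD'] -notmatch '^#(\d{1,2}|100)$') {
    $problems += "REG_DISK_CHECK_THRESHOLD: '$($props['REG_DISK_CHECK_THRESHOLD'])' is not #<percent>"
}
foreach ($p in 'REG_LOG_LEVEL_DA', 'REG_LOG_LEVEL_DZ') {
    if ($props[$p] -notin $levels) { $problems += "${p}: '$($props[$p])' is not a documented level" }
}
# Rescue rights are privileged: every entry must parse as a SID; print who it resolves to.
foreach ($sid in @($props['REG_RESCUEUSERSIDS'] -split ',' | Where-Object { $_ })) {
    try {
        $id = [System.Security.Principal.SecurityIdentifier]::new($sid.Trim())
        try { $who = $id.Translate([System.Security.Principal.NTAccount]).Value } catch { $who = '<unresolved>' }
        "Rescue user: $id -> $who"
    } catch { $problems += "REG_RESCUEUSERSIDS: '$sid' is not a valid SID" }
}
if ($problems) { $problems; exit 1 } else { 'Property table matches the documented value ranges.' }
```

Review the printed rescue users against your approved list before the transform is distributed, because a mistyped SID is rejected here but a valid SID for the wrong account is not.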

Installing silently from the command line

If you want to perform a “silent” or unattended installation of the Centrify Agent for Windows, you can do so by specifying the appropriate command line options and Microsoft Windows Installer (MSI) file to deploy.

Before running the installation command, you should verify that the computers where you plan to install meet the prerequisites described in Verify prerequisites. If the prerequisites are not met, the silent installation will fail. You should also have completed the following tasks:

  • Installed and configured the SQL Server management database and the SQL Server audit store database.
  • Installed and configured one or more collectors.
  • Configured and applied the Centrify DirectAudit Settings group policy that specifies the installation name.

You can use similar steps to install the Centrify Common Component using the Centrify Common Component64.msi file before you install the agent. If you install the common component first, information about the agent installation is recorded in a log file for troubleshooting purposes. However, you are not required to install the common component separately from the agent.

To install the Centrify Agent for Windows silently:

  1. Open a Command Prompt window or prepare a software distribution package for deployment on remote computers.
  2. Run the installer for the Centrify Agent for Windows package for a 64-bit architecture with the appropriate command line options.

    For example, to install the Centrify Common Component on a computer with 64-bit architecture, run the following command:

    msiexec /i "Centrify Common Component64.msi" /qn

    If you want to enable both auditing and access control features on a computer with a 64-bit operating system and use the values defined in the Group Policy Deployment.mst file, you would run the following command:

    msiexec /i "Centrify Windows Agent64.msi" /qn TRANSFORMS="Group Policy Deployment.mst"
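A silent installation reports nothing on screen, so a wrapper that checks its inputs and exit code is useful when the command is pushed to many computers. The following PowerShell is an added example, not part of the Centrify documentation: it runs the agent command shown above after confirming that the MSI and MST sit in the same folder and that the MSI carries a valid Authenticode signature. The `$AgentDir` and `$log` paths are assumptions, as is the expectation that the vendor package is signed.

```powershell
# Added example (not vendor code). $AgentDir and $log are assumed paths; file names are from this page.
$AgentDir = 'C:\Install\Agent'
$msiName  = 'Centrify Windows Agent64.msi'
$mstName  = 'Group Policy Deployment.mst'
$log      = Join-Path $env:TEMP 'centrify-agent-install.log'

# The transform is only applied when it sits beside the MSI, so fail early if either is missing.
foreach ($f in $msiName, $mstName) {
    if (-not (Test-Path -LiteralPath (Join-Path $AgentDir $f) -PathType Leaf)) {
        throw "Missing '$f' in $AgentDir; the MSI and MST must be in the same folder."
    }
}

# Assumption: the vendor MSI is Authenticode-signed. Refuse to run it if the signature is absent or broken.
$sig = Get-AuthenticodeSignature -LiteralPath (Join-Path $AgentDir $msiName)
if ($sig.Status -ne 'Valid') { throw "MSI signature status is $($sig.Status)" }
"Signed by: $($sig.SignerCertificate.Subject)"

# Same command as on this page, plus a verbose log (/l*v) so a silent failure leaves evidence.
$msiArgs = "/i `"$msiName`" /qn /l*v `"$log`" TRANSFORMS=`"$mstName`""
$p = Start-Process msiexec.exe -ArgumentList $msiArgs -WorkingDirectory $AgentDir -Wait -PassThru

# 0 = success; 3010 and 1641 = success with a restart required or initiated.
switch ($p.ExitCode) {
    0                     { 'Installed.' }
    { $_ -in 3010, 1641 } { 'Installed; restart required or in progress.' }
    default               { throw "msiexec exit code $($p.ExitCode); see $log" }
}
```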