Installing the Centrify Agent for Windows silently on all domain computers by using group policy

You can use a group policy object (GPO) to automate the deployment of the Centrify Agent for Windows. Because automated installation fails if all the prerequisites are not met, be sure that all the computers on which you intend to install meet the requirements described in Verifying prerequisites.

Note:   If you install the Centrify Common Component before you install the agent, information about the installation of the agent can be captured in a log file for troubleshooting purposes.

To create a new group policy object for the deployment of the Centrify Agent for Windows:

  1. Prepare computer accounts in the appropriate zones using Access Manager or the PowerShell command New-CdmManagedComputer. See Preparing Windows computer accounts for more information.
  2. Copy the Centrify Agent for Windows64.msi and Group Policy Deployment.mst installer files to a shared folder on the domain controller or another location accessible from the domain controller.

    When you select a folder for the agent installer files, right-click and select Share with > Specific people to verify that the folder is shared with Everyone or with appropriate users and groups.

  3. Right-click on the Centrify Agent for Windows64.msi file, then select Edit with Orca.

  4. Select Transform > Apply Transform, then select Group Policy Deployment.mst from the same location as the Centrify Agent for Windows64.msi file.
  5. Select the Property table on the left hand side and add the following:

    Property Value



    (Ex: https://aaa1111.(Undefined variable: cloud-vars.tenant-url):443/) Note: You must include “https://” and “:443/”.


    Default Value = false

    REG_EFFECTIVE_ZONELESS_MFA_USERS Comma-Seperated user or group names, or enter * for All AD users




  6. Close Orca and save the changes as a new mst file.

    Make sure you save it in the same location as the msi file.

  7. On the domain controller, click Start > Administrative Tools > Group Policy Management.

  8. Select the domain or organizational unit that has the Windows computers where you want to deploy the Centrify Agent, right-click, then select Create a GPO in this domain, and Link it here.

  9. For example, you might have an organizational unit specifically for Centrify-managed Windows computers. You can create a group policy object and link it to that specific organizational unit.

  10. Type a name for the new group policy object, for example, Centrify Agent Deployment, and click OK.

  11. Right-click the new group policy object and click Edit.

  12. Expand Computer Configuration > Policies > Software Settings.

  13. Select Software installation, right-click, and select New > Package.

  14. Navigate to the folder you selected previously, then select the Centrify Agent for Windows64.msi file, and click Open.

  15. Select Advanced and click OK.

  16. Click the Modifications tab and click Add.

  17. Select the .mst file created previously, then click Open, and click OK.

  18. Close the Group Policy Management Editor, right-click the Centrify Agent Deployment group policy object, and verify that Link Enabled is selected.

    By default, when computers in the selected domain or organizational unit receive the next group policy update or are restarted, the agent will be deployed and the computer will be automatically rebooted to complete the deployment of the agent.

If you want to test deployment, you can open a Command Prompt window to log on to a Windows client as a domain administrator and force group policies to be updated immediately by running the following command:

gpupdate /force

After installation, all of the registry settings that were specified in the MSI and MST files are configured. If you need to further configure registry settings, use the registry editor to do so as described in Installing the Centrify Agent for Windows silently on remote Windows computers.