Installing the Centrify Agent for Windows silently on remote Windows computers

If you want to perform a “silent” (also called unattended) installation of the Centrify Agent for Windows, you can do so by specifying the appropriate command line options and Microsoft Windows Installer (MSI) file to deploy. You must execute the commands on every Windows computer that you want to manage or audit.

Note:   You can also use a silent installation to automate the installation or upgrade of the agent on remote computers if you use a software distribution product, such as Microsoft System Center Configuration Manager (SCCM), to deploy software packages. However, installing remotely in this way is not covered in this topic.

Deciding to install with or without joining the computer to a zone

Before you begin a silent installation, you should decide whether you will wait until later to join the computer to a zone, or join the computer to a zone as part of the installation procedure.

If you install without joining a zone during installation:

  • You do not use the transform (MST) file; the default MSI file alone configures a default set of agent-specific registry keys.
  • You configure any different or additional registry settings after the installation finishes, by using the registry editor or a configuration management product.
  • See Installing silently without joining a zone for details about performing the installation.

If you install and join a zone during installation:

  • You use a transform (MST) file that is provided with Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service to configure a default set of agent-specific registry keys during the silent installation.
  • You can optionally edit the MST file before performing the installation to customize agent-specific registry settings for your environment.
  • You can optionally use the registry editor to configure registry settings after the installation finishes.
  • See Configuring registry settings for details about the registry settings that you can configure by editing the MST file.
  • See Editing the default transform (MST) file for details about how to edit the MST file before you perform the installation.
  • See Installing and joining a zone silently for details about performing the installation.

Configuring registry settings

When you perform a silent installation, several registry settings specific to the agent are configured by the default MSI file. In addition, a default transform (MST) file is provided for you to use if you join the computer to a zone as part of the installation procedure. When executed together, the default MSI and MST files ensure that the computer is joined to a zone, and that a default set of agent-specific registry keys is configured.

If your environment requires different or additional registry settings, you can edit the MST file before performing an installation. Then, when you execute the MSI and MST files to perform an installation, your customized registry settings are implemented. For details about how to edit the MST file, see Editing the default transform (MST) file.

Note:   If you do not join the computer to a zone during installation, you do not use the MST file. In this situation, you can create or edit registry keys manually after the installation finishes by using the registry editor or a third-party configuration management tool.

The following table describes the agent-specific registry settings that are available for you to configure during installation (by using the MST file) or after installation (by using the registry editor or a third-party tool). Use the information in this table if you need to configure registry settings differently from how they are configured by the default MSI and MST files. Keep the following in mind as you review the information in the table:

  • The default MSI file is named Centrify Agent for Windows64.msi, and is located in the Agent folder in the Centrify download location.
  • The default MST file is named Group Policy Deployment.mst, and is located in the Agent folder in the Centrify download location.
  • If you want to install the agent without the MFA login feature, use Group Policy Deployment-PrivilegeOnly.mst instead, which is also located in the Agent folder in the Centrify download location.
  • All of the settings in the following table are optional, although some are included in the default MSI and MST files so that they are configured when the MSI and MST files execute during an installation.
  • Settings that are included in the default MSI and MST files are noted in the table.
  • Some settings are environment-specific, and therefore do not have a default value. Others are not environment-specific, and do have a default value.
  • The settings described in the table are located in the MSI file’s Property table.
  • The Setting column shows both the property name in the MSI file, and the name (in parentheses) of the registry key in the Windows registry.
Each entry below gives the service, then the setting, then its description.

Auditing and Monitoring: REG_MAX_FORMAT (MaxFormat)

Specifies the color depth of sessions recorded by the agent.

The color depth affects the resolution of the activity recorded and the size of the records stored in the audit store database when you have video capture auditing enabled. You can set the color depth to one of the following values:

  • 0 to use the native color depth of the audited computer.
  • 1 for low resolution with an 8-bit color depth.
  • 2 for medium resolution with a 16-bit color depth (default).
  • 4 for highest resolution with a 32-bit color depth.

This setting is included in the default MSI file. In the registry, this setting is specified by a numeral (for example, 1). In the MSI file Property table, it is specified by the # character and a numeral (such as #1). The default value is 2 (medium resolution).

Auditing and Monitoring: REG_DISK_CHECK_THRESHOLD (DiskCheckThreshold)

Specifies the minimum amount of disk space that must be available on the disk volume that contains the offline data storage file. You can change the percentage required to be available by modifying this registry key value.

This setting is included in the default MSI file. In the registry, this setting is specified by a numeral (for example, 10). In the MSI file Property table, it is specified by the # character and a numeral (such as #10).

The default value is 10, meaning that at least 10% of the disk space on the volume that contains the offline data storage file must be available. If this threshold is reached and there are no collectors available, the agent stops spooling data and audit data is lost.

Auditing and Monitoring: REG_SPOOL_DIR (SpoolDir)

Specifies the offline data storage location.

The folder location you specify will be where the agent saves (“spools”) data when it cannot connect to a collector.

This setting is not included in the default MSI file. To use it, you must edit the default transform (MST) file so that it is processed together with the MSI file during installation, or create it manually in the registry after the installation finishes.

Auditing and Monitoring: REG_INSTALLATION_ID (InstallationId)

Specifies the globally unique identifier (GUID) associated with the installation service connection point.

This setting is not included in the default MSI file. To use it, you must edit the default transform (MST) file so that it is processed together with the MSI file during installation, or create it manually in the registry after the installation finishes.

Auditing and Monitoring: REG_LOG_LEVEL_DA (LogLevel)

Specifies what level of information, if any, is logged. Possible values are:

  • off
  • information
  • warning
  • error
  • verbose

This setting is included in the default MSI file. The default value is information.

Authentication & Privilege: REG_RESCUEUSERSIDS (RescueUserSids)

Specifies which users have rescue rights. Type the user SID strings as a comma-separated list. For example:

user1SID,user2SID,usernSID

This setting is not included in the default MSI file. To use it, you must edit the default transform (MST) file so that the setting is processed together with the MSI file during installation, or create it manually in the registry after the installation finishes.

Authentication & Privilege: REG_LOG_LEVEL_DZ (LoggingLevel)

Specifies what level of information, if any, is logged. Possible values are:

  • off
  • information
  • warning
  • error
  • verbose

This setting is included in the default MSI file. The default value is information.

Authentication & Privilege: GPDeployment

Specifies whether the computer is joined to the zone where the computer was pre-created. This setting is used only during installation and does not have a corresponding registry key. Possible values are:

  • 0 - The computer is not joined to the zone.
  • 1 - The computer is joined to the zone.

This setting is included in the default transform (MST) file. To use it, you must execute the MST file when you execute the default MSI file. The default value is 1, meaning that the pre-created computer is joined to the zone.

Authentication & Privilege: ZONEDATA

Specifies the option to retrieve the zone data before the computer restarts. This option can be helpful in situations where you might lose connection to the domain after restarting, such as when you're using a VPN connection.

Possible values are:

  • YES
  • NO

The default value is NO in the default MSI file.

Editing the default transform (MST) file

This section describes how to edit the default transform (MST) file Group Policy Deployment.mst. You execute the MST file together with the installation (MSI) file during a silent installation if you want to join the computer to a zone as part of the installation.

The MST file specifies registry key settings that are different from those specified in the MSI file. You use the MST file to customize a silent installation for a specific environment. Using an MST file makes it unnecessary to edit registry keys manually after a silent installation.

Note:   By default, the auditing features are installed with the Centrify Agent for Windows, but the auditing service is not enabled. The service item appears in the agent configuration panel only if the feature is enabled through group policy.

See Installing and joining a zone silently for instructions about how and when to execute the MST file.

To edit the default MST file:

  1. You will use the Orca MSI editor to edit the MST file. Orca is one of the tools available in the Windows SDK. If the Windows SDK (or Orca) is not installed on your computer, download and install it now from this location:

    https://msdn.microsoft.com/en-us/library/aa370557(v=vs.85).aspx

  2. Execute Orca.exe to launch Orca.

  3. In the Agent folder in the Centrify download location, copy Group Policy Deployment.mst so that you have a backup.

  4. In Orca, select File > Open and open the Centrify Agent for Windows64.msi file located in the Agent folder in the Centrify download location.

  5. In Orca, select Transform > Apply Transform.

  6. In Orca, navigate to the Agent folder in the Centrify download location and open Group Policy Deployment.mst.

    The file is now in transform edit mode, and you can modify data rows in it.

  7. In the Orca left pane, select the Property table.

    Notice that a green bar displays to the left of “Property” in the left pane. This indicates that the Property table will be modified by the MST file.

    The right pane displays the properties that configure registry keys when the MSI file executes. Notice that the last property in the table, GPDeployment, is highlighted in a green box. This indicates that the GPDeployment property will be added to the MSI file by the MST file.

    Note:   In order for the computer to join a zone during installation, the Group Policy Deployment.mst file must specify the GPDeployment property with a value of 1.

  8. In the right pane, edit or add properties as necessary to configure registry keys for your environment. See the table in Configuring registry settings for details about agent-specific properties that are typically set.
    • To edit an existing property, double click its value in the Value column and type a new value.

    • To add a new property, right-click anywhere in the property table and select Add Row.

  9. After you have made all necessary modifications, select Transform > Generate Transform to save your modifications to the default MST file.

    Be sure to save the MST file in the same folder as the MSI file. If the MST and MSI files are in different folders, the transform is not applied when you run the MSI file with the commands shown in Installing and joining a zone silently.

    The MST file is now ready to be used as described in Installing and joining a zone silently.
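The following PowerShell script is an added example; it is not part of the Centrify documentation or product. It checks an edited transform before you deploy it: it copies the MSI to a scratch file, applies the MST to that copy through the Windows Installer COM object, lists the agent-specific rows of the resulting Property table (the REG_* settings, GPDeployment and ZONEDATA from the table above), and fails if GPDeployment is not 1. The file names are the defaults given in this topic and both files are assumed to be in the current directory; nothing is written back to the original MSI or MST.

```powershell
# Added example, not Centrify code: preview what Group Policy Deployment.mst does to
# the agent MSI's Property table and confirm GPDeployment=1 before deploying.
# Assumptions: default file names, both files in the current directory.
param(
    [string]$Msi = (Join-Path $PWD 'Centrify Agent for Windows64.msi'),
    [string]$Mst = (Join-Path $PWD 'Group Policy Deployment.mst')
)

# The install commands pass TRANSFORMS as a bare file name, so the MST has to sit
# beside the MSI; catch a misplaced file here rather than at deploy time.
if ((Split-Path -Parent $Msi) -ne (Split-Path -Parent $Mst)) {
    throw 'The MST must be saved in the same folder as the MSI.'
}

# WindowsInstaller.Installer is late-bound COM; call it through InvokeMember.
function Invoke-Com($obj, $method, $arguments) {
    $obj.GetType().InvokeMember($method, 'InvokeMethod', $null, $obj, $arguments)
}
function Get-ComProperty($obj, $name, $arguments) {
    $obj.GetType().InvokeMember($name, 'GetProperty', $null, $obj, $arguments)
}

# Work on a scratch copy so the transaction-mode open cannot touch the real package.
$scratch = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.msi')
Copy-Item -LiteralPath $Msi -Destination $scratch

$installer = New-Object -ComObject WindowsInstaller.Installer
$db = Invoke-Com $installer 'OpenDatabase' @($scratch, 1)   # 1 = msiOpenDatabaseModeTransact
Invoke-Com $db 'ApplyTransform' @($Mst, 0) | Out-Null       # 0 = fail on any MSI/MST conflict

# Windows Installer SQL has no LIKE, so read the whole Property table and filter here.
$view = Invoke-Com $db 'OpenView' @('SELECT `Property`, `Value` FROM `Property`')
Invoke-Com $view 'Execute' $null | Out-Null
$props = [ordered]@{}
while ($true) {
    $rec = Invoke-Com $view 'Fetch' $null
    if ($null -eq $rec) { break }
    $props[(Get-ComProperty $rec 'StringData' @(1))] = Get-ComProperty $rec 'StringData' @(2)
}
Invoke-Com $view 'Close' $null | Out-Null

# The settings described in "Configuring registry settings", as the install will see them.
$props.GetEnumerator() |
    Where-Object { $_.Key -eq 'GPDeployment' -or $_.Key -eq 'ZONEDATA' -or $_.Key -like 'REG_*' } |
    ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }

# Release the COM handles (changes are discarded, never committed) and remove the scratch copy.
foreach ($o in @($view, $db, $installer)) { [void][Runtime.InteropServices.Marshal]::ReleaseComObject($o) }
[GC]::Collect(); [GC]::WaitForPendingFinalizers()
Remove-Item -LiteralPath $scratch -ErrorAction SilentlyContinue

if ($props['GPDeployment'] -ne '1') {
    throw "GPDeployment is '$($props['GPDeployment'])' after the transform; the computer will not join its zone."
}
```

Run it from the Agent folder after Generate Transform. A transform that conflicts with the MSI (for example, one generated against a different MSI build) fails at ApplyTransform with error condition 0, which is the point of checking here rather than discovering it from a failed silent install on a remote computer.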

Installing silently without joining a zone

This section describes how to install the agent silently without joining the computer to a zone. This procedure includes configuring registry settings manually using the registry editor or a third-party tool.

Note:   To install the agent and join the computer to a zone during installation, see Installing and joining a zone silently for more information.

Check prerequisites:

  1. Verify that the computers where you plan to install meet the prerequisites described in Verifying prerequisites. If prerequisites are not met, the silent installation will fail.
  2. If you are installing audit and monitoring service, verify that the following tasks have been completed:
    1. Installed and configured the SQL Server management database and the SQL Server audit store database.

    2. Installed and configured one or more collectors.

    3. Configured and applied the Centrify DirectAudit Settings group policy that specifies the installation name.

To install the Centrify Agent for Windows silently without joining the computer to a zone:

  1. Open a Command Prompt window or prepare a software distribution package for deployment on remote computers.

    For information about preparing to deploy software on remote computers, see the documentation for the specific software distribution product you are using. For example, if you are using Microsoft System Center Configuration Manager (SCCM), see the Configuration Manager documentation.

  2. Run the installer for the Centrify Agent for Windows package. For example:
    msiexec /qn /i "Centrify Agent for Windows64.msi"

    By default, none of the services are enabled.

  3. Use the registry editor or a configuration management product to configure the registry settings for each agent. See the table in Configuring registry settings for details about agent-specific registry keys that you can set.

    For example, under HKEY_LOCAL_MACHINE\Software\Centrify\DirectAudit\Agent, you could set the DiskCheckThreshold key to a value other than the default value of 10%.

Installing and joining a zone silently

This section describes how to install the agent and join the computer to a zone at the same time. The procedure described here includes the following steps in addition to executing the MSI file:

  • You first prepare (pre-create) the Windows computer account in the appropriate zone.
  • You execute an MST file together with the MSI file to join the computer to a zone and configure registry settings during the installation.

Note:   Joining the computer to a zone is applicable only when you are enabling Authentication & Privilege features.

To install the agent without joining the computer to a zone during installation, see Installing silently without joining a zone for more information.

Check prerequisites:

  1. Verify that the computers where you plan to install meet the prerequisites described in Verifying prerequisites. If prerequisites are not met, the silent installation will fail.
  2. If you are enabling audit and monitoring service in addition to Authentication & Privilege, verify that the following tasks have been completed:
    1. Installed and configured the SQL Server management database and the SQL Server audit store database.

    2. Installed and configured one or more collectors.

    3. Configured and applied the Centrify DirectAudit Settings group policy that specifies the installation name.

To install the Centrify Agent for Windows and add a computer to a zone during installation:

  1. Prepare a computer account in the appropriate zone using Access Manager or the PowerShell command New-CdmManagedComputer. See Preparing Windows computer accounts for more information.
  2. You will use the default transform file Group Policy Deployment.mst in Step 3 to update the MSI installation file so that the computer is joined to the zone in which it was pre-created in Step 1. You can optionally modify Group Policy Deployment.mst to change or add additional registry settings during installation.

    If you want to edit Group Policy Deployment.mst to change or add additional registry settings and have not yet done so, edit it now as described in Editing the default transform (MST) file.

    In order for the computer to join the zone from Step 1, the Group Policy Deployment.mst file must specify the GPDeployment property with a value of 1.

  3. Run the following command:
    msiexec /i "Centrify Agent for Windows64.msi" /qn TRANSFORMS="Group Policy Deployment.mst"

    By default, Centrify Privilege Elevation Service is enabled by joining a zone. If the zone is also configured with a platform instance (tenant), Identity Services Platform is also enabled. If you want to enable auditing, set the corresponding registry value through the REG_CURRENT_INSTALLATION property in the Property table of the MST file, or enable it through Group Policy.

    You can also specify that the agent retrieves the zone data before the computer restarts. This option can be helpful in situations where you might lose the connection to the domain after restarting, such as when you are using a VPN connection. To specify that the agent retrieves zone data before the computer restarts, run the following command:

    msiexec /i "Centrify Agent for Windows64.msi" /qn TRANSFORMS="Group Policy Deployment.mst" ZONEDATA="YES"

The computer will be restarted automatically to complete the deployment and start the agent.
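The following PowerShell script is an added example and is not part of the Centrify documentation or product. It wraps both procedures in this topic, Installing silently without joining a zone and Installing and joining a zone silently, in one script that can be run locally or shipped in a software distribution package. Assumptions that are mine rather than the page's: the MSI and MST sit beside the script; msiexec exit codes carry their standard Windows Installer meanings (0, 3010, 1641); SpoolDir lives under the same HKEY_LOCAL_MACHINE\Software\Centrify\DirectAudit\Agent key as DiskCheckThreshold, and DiskCheckThreshold is stored as a DWORD; /norestart is added so the script can report the result before any reboot. Before running the package, the script also verifies its Authenticode signature, a check the page does not mention but one worth making on any installer that runs as SYSTEM.

```powershell
# Added example, not Centrify code: silent install with or without the zone-join
# transform, exit-code handling, and post-install registry configuration.
# Run from an elevated PowerShell prompt on the target computer.
param(
    [switch]$JoinZone,               # apply Group Policy Deployment.mst (GPDeployment=1)
    [switch]$ZoneDataBeforeRestart,  # add ZONEDATA=YES for computers on VPN links
    [ValidateRange(1, 99)]
    [int]$DiskCheckThreshold = 10,   # percent of free disk required before spooling stops
    [string]$SpoolDir                # optional offline data storage folder (assumed key, see below)
)

$msi = Join-Path $PSScriptRoot 'Centrify Agent for Windows64.msi'
$mst = Join-Path $PSScriptRoot 'Group Policy Deployment.mst'
$log = Join-Path $env:TEMP ('centrify-agent-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

# Supply-chain check: refuse to run a package whose Authenticode signature is not valid.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install: signature status for '$msi' is $($sig.Status)."
}
Write-Host "Installing package signed by: $($sig.SignerCertificate.Subject)"

# /qn = no UI, /l*v = verbose log for troubleshooting a failed silent install.
# /norestart is an assumption of this script so it can report before the restart.
$msiArgs = @('/i', "`"$msi`"", '/qn', '/norestart', '/l*v', "`"$log`"")
if ($JoinZone) {
    # Keep the MST beside the MSI as the topic requires; pass its full path so the
    # result does not depend on the current directory of the deployment tool.
    if (-not (Test-Path -LiteralPath $mst)) { throw "Transform not found beside the MSI: $mst" }
    $msiArgs += "TRANSFORMS=`"$mst`""
    if ($ZoneDataBeforeRestart) { $msiArgs += 'ZONEDATA=YES' }
}

$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { Write-Host 'Installed.' }
    3010    { Write-Host 'Installed; restart the computer to complete the deployment and start the agent.' }
    1641    { Write-Host 'Installed; the installer has initiated a restart.' }
    default { throw "msiexec exited with $($proc.ExitCode); see $log" }
}

if (-not $JoinZone) {
    # Without the MST, agent-specific settings are configured after installation
    # (step 3 of Installing silently without joining a zone).
    $key = 'HKLM:\SOFTWARE\Centrify\DirectAudit\Agent'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name DiskCheckThreshold -Value $DiskCheckThreshold -Type DWord
    if ($SpoolDir) {
        # Assumed registry location for REG_SPOOL_DIR (SpoolDir); the page gives the
        # key only for DiskCheckThreshold.
        Set-ItemProperty -Path $key -Name SpoolDir -Value $SpoolDir -Type String
    }
    Get-ItemProperty -Path $key | Select-Object DiskCheckThreshold, SpoolDir, MaxFormat, LogLevel
}
```

For the no-zone case run `.\Install-CentrifyAgent.ps1 -DiskCheckThreshold 15`; for the zone case, after pre-creating the computer account, run `.\Install-CentrifyAgent.ps1 -JoinZone -ZoneDataBeforeRestart`. Exit code 3010 is the expected outcome when the installer wants the restart that completes the deployment; treat anything outside 0, 3010 and 1641 as a failure and read the verbose log before retrying.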