Intune App Packaging

Deploy SentinelOne Agent via Intune | Win32 Guide

Published 17 March 2026 · 7 min read

SentinelOne is an AI-driven EDR platform deployed via a lightweight agent. Like CrowdStrike, the key to deployment is the site token that automatically registers the agent with your management console. This guide covers the full deployment including site token configuration, detection rules, and handling the passphrase requirement for uninstall.

Contents
  1. Prerequisites
  2. Download the agent installer
  3. Wrap with the Content Prep Tool
  4. Add the app in Intune
  5. Install and uninstall commands
  6. Detection rule
  7. Known gotchas

Prerequisites

Download the agent installer

Download the Windows agent from your SentinelOne management console:

Settings → Updates → Agent Versions → Download for Windows

Download the latest GA (Generally Available) release for Windows x64. The filename will be SentinelOneInstaller_windows_64bit_.exe.

⚠️
Download from your console, not the internet
SentinelOne agent installers are specific to your console version. Always download from your own console - using an installer from a different tenant or version will fail to register correctly.

Wrap with the Content Prep Tool

IntuneWinAppUtil.exe -c "C:\AppSource\SentinelOne" -s "SentinelOneInstaller_windows_64bit.exe" -o "C:\IntunePackages"

Add the app in Intune

Intune Admin Centre → Apps → Windows → + Add → Windows app (Win32)
  1. Upload the .intunewin file
  2. Name: SentinelOne Agent
  3. Publisher: SentinelOne, Inc.

Install and uninstall commands

⚙️
Program settings
Replace YOUR_SITE_TOKEN with the token from your SentinelOne console
Install command
SentinelOneInstaller_windows_64bit.exe /quiet /SITE_TOKEN=YOUR_SITE_TOKEN
Uninstall commandGet product code from Get-CimInstance Win32_Product after install; passphrase from console
MsiExec.exe /X{SentinelOne-Product-Code} /quiet /PASSPHRASE=your-passphrase
Install behaviour
System
Device restart behaviour
Determine behaviour based on return codes
💡
The uninstall passphrase
SentinelOne requires a passphrase to uninstall when anti-tamper is enabled. Set a consistent passphrase in your SentinelOne policy under Settings > Policies > Uninstall Password. Use this in your Intune uninstall command.

Detection rule

# Detect SentinelOne Agent
$svc = Get-Service -Name "SentinelAgent" -ErrorAction SilentlyContinue
if ($svc) { Write-Output "Detected: $($svc.Status)"; exit 0 } else { exit 1 }
💡
Test your detection rule first
Before deploying to users, install the app manually on a test device and verify the detection rule matches. Check the file path or registry key exists before assigning to a group.

Known gotchas

Agent version folder changes with each update

SentinelOne installs to C:\Program Files\SentinelOne\Sentinel Agent x.x.x.x - the version number is part of the folder name. This means file-based detection rules pointing at a specific path will break when the agent self-updates. Use the service-based PowerShell detection script instead for version-agnostic detection.

Anti-tamper blocking uninstall

If you deploy without configuring a passphrase and later need to uninstall, you will need to generate a one-time passphrase from the console for each device. Set a consistent passphrase in your policy before deployment to avoid this.

Frequently Asked Questions

Q: How do I deploy SentinelOne silently via Intune?

Use: SentinelOneInstaller.exe /quiet /SITE_TOKEN=your-site-token. The site token links the agent to your SentinelOne management console automatically. Get your site token from the SentinelOne console under Settings > Sites.

Q: Where do I find my SentinelOne site token?

Log in to your SentinelOne management console, go to Settings > Sites, select your site, and copy the Site Token shown in the site details panel. Each site has a unique token.

Q: How do I detect SentinelOne in Intune?

Use a file detection rule: check for SentinelAgent.exe in C:\Program Files\SentinelOne\Sentinel Agent . The version folder name changes with each release, so a registry check is more reliable for version-specific detection.

Q: Does SentinelOne require a reboot after deployment?

SentinelOne may require a reboot to load the kernel driver. It typically returns exit code 3010 when a reboot is needed. Set Intune restart behaviour to handle this return code.

More App Packaging Guides
Deploy CrowdStrike Falcon via Intune Deploy Malwarebytes via Intune Deploy Wireshark via Intune
Installer typeEXE (proprietary)
Site token requiredYes - from SentinelOne console
Silent installYes - /quiet /SITE_TOKEN
Reboot requiredSometimes - return code 3010
Uninstall passphraseRequired when anti-tamper enabled
// need intune set up properly?
Fixed-price Intune setup for UK businesses

I set up Intune for UK small businesses at a fixed price - app deployment, compliance policies, Conditional Access, and full documentation handed over at the end.

View Packages
#intune #app-packaging #win32