How to install agent using GPO?

Last Updated On 22 Aug 2025 |

40 minutes read |

How to Install/Uninstall/Migrate agents using GPO light-weight tool?

Windows GPO is a powerful and versatile tool. Agent can be installed, uninstalled or migrated using the GPO light-weight tool.

Advantages:

The GPO Lightweight Tool is a simple and user-friendly tool for configuring Group Policy Objects (GPO) to deploy agent installations, whether through startup processes or scheduled tasks.
It also allows to uninstall/ re-install agents through GPO without complexity on configuring the GPO.

Disadvantages:

The disadvantages of the GPO startup script and scheduled task methods are inherited.

Note:

The GPO lightweight tool only supports .EXE files and does not support .MSI files.
Kindly use account with Domain Admin credentials .
If a new GPO policy is applied, the installation for existing installed agents will be skipped on all machines. The remaining agents will be installed according to the new policy.

Follow the steps given below to create a Group policy and link it with OUs and Domains:

Steps:

1. Select the account details

Open the Domain Controller of the required AD in which the GPO needs to be configured.
To download the GPO tool click here.
Execute the Tool As an administrator
Select "Continue with above details" and click next.

- If you encounter an error in fetching the domain or domain controller name or if you would like to execute the tool from another machine instead of the domain controller machine, select the enter details manually option. Kindly use account with domain admin credentials privilege.

To get the domain or OU Distinguished name, follow these steps:

Under Administrative tools, open the active directory users and computers.

Under Administrative tools, open the active directory users and computers.

Under View, enable Advanced Features.

Right click on the OU / Domain and Select Properties -> Attribute Editor -> distinguishedName -> View

Right click on the OU / Domain and Select Properties -> Attribute Editor -> distinguishedName -> View

2. Choose the required action

Select the required action ( Installation \ Uninstallation \Migration)

$Select the required action ( Installation \ Uninstallation \Migration)$

If you choose installation, For the agent installer EXE, follow these steps:

- Open the server web console.
- Navigate to Agent -> Computers
- Select the required remote office
- Click Download Agent and add the downloaded file in the tool.

download agent for agent installation via gpo light weight tool

If you choose uninstallation use the AgentCleanupToolClient.exe. Follow the steps given in this document to generate the Cleanup tool.

uninstall agent via gpo light weight tool

If you choose migration, use Agent Installer exe and AgentCleanupToolClient.exe. Follow the steps given in this document to generate the Cleanup tool.

For the agent installer EXE, follow these steps:

Open the server web console.
Navigate to Agent -> Computers
Select the required remote office
Click Download Agent and add the downloaded file in the tool.

3. Choose the Policy details

- Enter the Name of the GPO [eg : MEECAgentInstall ] -> Enter the policy type [Startup or scheduler ] -> Select the Script type [powershell script is always recommended]

Enter the Name of the GPO [eg : MEECAgentInstall ] -> Enter the policy type [Startup or scheduler ] -> Select the Script type [powershell script is always recommended]

4. Link the GPO

- To apply policy to entire domain, select "Entire Domain".
- To apply the policy to a specific OU , enter the OU distinguished names and click next. (To obtain the OU distinguished name, refer to the first step.)

5. Confirm the details

- Confirm the policy details and click next
- The policy has been successfully created

Note: If the start up policy is configured, restart the endpoints and check the status and if the scheduler policy is created it will be applied in the endpoints within 90 mins.

To test the policy in a machine Immediately after creation, follow the steps below:

Open the client machine -> Command prompt as an admin and execute the command gpupdate /force

Open the client machine -> Command prompt as an admin and execute the command gpupdate /force

- Once the policy update is completed restart the machine if the "Start-up" policy is configured.
- For "Immediate Task" policy will be applied once the policy update is completed.

How to install Agents Using GPO Scheduler?

Agents can now be installed in an Active Directory environment using the scheduler option. When the installation process is initiated with the Scheduler, it is triggered in the time specified while configuring the same, unlike a normal GPO script where the installation happens when a device is turned on or when a user logs in. Windows GPO Tool can be used to install agents via scheduler.

If a new GPO policy is applied, the installation for existing installed agents will be skipped on all machines. The remaining agents will be installed according to the new policy.

Advantages:

Automatically installs the agent more quickly, as it executes during the next GPO refresh cycle, unlike GPO Startup which requires computer restart

Disadvantages:

Complex to configure via traditional GPO editor.

For Endpoint Central version 10.1.2124.1 and above, it is recommended to use exe based agent installation.

Steps

How to install agents in .exe format using GPO Scheduler?

1. Download the agent package

Open the server web console.
Navigate to Agent -> Computers
Select the required remote office
Click the Download Agent button
Rename the file to LocalOffice_Agent.exe

Download the script(SHA 256 Checksum: Loading...)
and place it in a folder.
Open the AD machine to configure GPO.
GPO configuration - Creating/Provisioning Network Share
Log on to the Windows Server machine as an administrator.
Open the Server Manager Console by selecting it from the Administrative Tools menu.
From the Server Manager Dashboard, select File and storage devices.
Now, open the Shares tab, select SYSVOL and click on Open Share.

Server Manager Console for agent installation in gpo scheduler

Navigate to the scripts folder and create a new folder.
Paste the InstallAgentgposched.ps1 and LocalOffice_Agent.exe downloaded above into the created folder.
Now copy the network path, as it is needed in later steps. Network file path format - \\Domain name\SysVol\Domain name\Policies\{ID}\Machine\Scripts\Startup

place script and exe file in the created folder for agent installation via gpo scheduler

Create a GPO to identify targets for deployment
- Open the Group Policy Management Console (GPMC) by opening Run (Windows key + R) and typing gpmc.msc.
- Once in the GPMC, right-click on your target "organizational unit" (typically a domain), and select 'Create a GPO in this domain, and Link it here' option.
Enter a Name for the new GPO. For example, "MEDC_DC_agent_installation". Once the new GPO is created, you can see it in the GPMC in the left navigation pane, under Group Policy Objects.
Create a scheduled task to execute the deployment and installation of the Windows Agent
- Open the Group Policy Management Editor by right-clicking on the newly created GPO and selecting Edit.
- In the editor navigation tree, under Computer Conﬁguration, click Preferences -> Control Panel Settings; then right-click Scheduled Tasks.
- Now, click on New -> Select Immediate Task (At least Windows 7).
In the New Task dialog box enter a name and a description (if needed). Under Security options, click the Change User or Group button.
In the dialog box that appears, enter "system" in the text box, then click Check Names. Conﬁrm that you have the correct values and click OK.
Make sure that the system object resolves to the value "NT Authority\System," as shown in the Security Options group.
Kindly ensure that,
- 'Run whether user is logged on or not' is selected.
- 'Run with the highest privileges' is selected.
- 'Conﬁgure for:' is set to Windows Vista or Windows Server 2008.
Click on the Actions tab and then click New. In the New Action dialog box, set the Action drop-down to Start a program. In the Program/script text box, enter the network ﬁle path to the shared folder that was created earlier. Then provide the arguments and Start in folder details and click OK.

enter the network ﬁle path to the shared folder that was created earlier for agent installation via gpo scheduler

Program/Script: powershell.exe
Add arguments: -ExecutionPolicy Bypass -File \\DCNAME.zoho.com\SYSVOL\zoho.com\scripts\agent_reinstallation\InstallAgent.ps1
Start In: \\DCNAME.zoho.com\SYSVOL\zoho.com\scripts\agent_reinstallation\
**(replace \\domain.com\SYSVOL\domain.com\scripts\agent_reinstallation\psinstallagent.ps1) with the network path you copied earlier.
In the Conditions tab, select the checkbox for Start only if the following network connection is available, then select Any connection. Finally, click APPLY and OK

Note:

Test it in a few test machines before mass deployment.
Execute the command gpupdate /force on the client machine with admin privileges to trigger the GPO task.
The task result can be viewed on the task scheduler tool in the client machine.
If the scheduled task fails, remove the computer name from the network path. For example, if the network path copied earlier is \\DCNAME.zoho.com\SYSVOL\zoho.com\scripts\agent_reinstallation\psinstallagent.ps1, remove the computer name and change it to \\zoho.com\SYSVOL\zoho.com\scripts\agent_reinstallation\psinstallagent.ps1 and check again.

Troubleshooting steps

Please reach out to support with the below files if issue persists.

GPO result from the client machine.
- In client machine, open command prompt with administrator mode.
- In command prompt, navigate to C:\ and run the command gpresult /h gprep.html
- Kindly upload gprep.html file under C:\ from the client machine.
Event Logs
Export and upload application and system event viewer logs

How to install agents in .msi format?

To download the agent package, Navigate to the server web console ->Agent ->Deployment ->Agent Installation
Under Using Directory Services, in the GPO tab, click on Download Agent.
Select the required office.
Download the Zip file, extract it and follow the steps given below

Note:This can be a local office or a remote office depending on which computers you want to install agents in.

Creating/Provisioning Network Share:

Log on to the Windows Server machine as an administrator.
Open the Server Manager Console by selecting it from the Administrative Tools menu.
From the Server Manager Dashboard, select File and Storage Services.
Now, open the Shares tab, click on Tasks and select New Share.

On clicking, a New Share Wizard opens up. In the wizard, click on Select Proﬁle, select the option SMB Share - Quick, then click Next.
On the Shared Location tab, enter the ﬁle path to the shared folder that is created for deploying the agent installer, then click Next.

Endpoint Central: Selecting Share Location in GPO

On the Specify share name tab, enter a name for your share. Enter a share description, if needed.
The wizard will now automatically create the local and remote ﬁle paths in the share.
After this, click Next to configure the settings.
On the Conﬁgure share settings wizard page, accept the default options in Other Settings (Allow caching of share)and Click Next.

Endpoint Central: Configuring other settings in GPO

On the Specify permission to control access page, accept the default permissions and click Next.
On the Conﬁrm selections page, review your selections, then click Create.
The new public share is now visible in the Shares pane (It is recommendable to make the network share accessible to everyone).
Now, right-click on the share and select Open Share.
Download the agent installable from the server web console by navigating to Agent-->Agent Installation-->GPO-->Download Agent.
Also, copy the text from this page and save it as installagentscript.vbs.
Place UEMSAgent.msi, UEMSAgent.mst,DMRootCA.crt, DMRootCA-Server.crt and installagentscript.vbs ﬁle in the share.

Kindly include DCAgentServerInfo.json file only if the build version is 10.1.2124.1 and above.

Note: Be sure to capture and store the full network ﬁle path (not the local path), it is needed in the later steps.

Endpoint Central: Agent Installable Path

Create a GPO to identify targets for deployment

Open the Group Policy Management Console (GPMC) by opening Run (Windows key + r) and typing gpmc.msc.
Once in the GPMC, right-click on your target "organizational unit" (typically a domain), and select Create a GPO in this domain, and Link it here option.

Endpoint Central: Creating GPO for agent installation

Enter a Name for the new GPO. For example, "Desktopcentral_agent_install."
Note: By default, the GPO applies to all users and computers that successfully authenticate to the Active Directory domain that you selected.
Once the new GPO is created, you can see it in the GPMC in the left navigation pane, under Group Policy Objects.

Note: You can modify the scope of computers to which the agent is deployed and installed by changing the Security Filtering values for the new GPO.

Create a scheduled task to execute the deployment and installation of the Windows Agent

Open the Group Policy Management Editor by right-clicking on the new GPO you created, and selecting Edit.
In the editor navigation tree, under Computer Conﬁguration, click Preferences > Control Panel Settings; then, right-click Scheduled Tasks.
Now, click on New and select Immediate Task (At least Windows 7).

Endpoint Central: Creating new task in GPO for agent installation

This opens the New Task dialog box. Enter a Name and a description (if needed).
Under Security options, click the Change User or Group button.
In the dialog box that appears, enter "system" in the text box, then click Check Names. Conﬁrm that you have the correct values and click OK.
Make sure that the system object resolves to the value "NT Authority\System," as shown in the Security Options group.
Also ensure the following:
- Ensure that Run whether user is logged on or not is selected.
- Ensure that Run with highest privileges is selected.
- Ensure that Conﬁgure for: is set to Windows Vista or Windows Server 2008.
Click on the Actions tab and then click New.
In the New Action dialog box, set the Action drop-down to Start a program. In the Program/script text box, enter the network ﬁle path to the shared folder that was created earlier. Then provide the arguments and Start in folder details and click OK.

Endpoint Central: Defining action for new task in gpo for agent installation

Program/script:
\\computer_name\DCAgentShare\installagentscript.vbs

Add arguments:
UEMSAgent.msi UEMSAgent.mst (for below 10.0.653 version)
UEMSAgent.msi UEMSAgent.mst DMRootCA.crt DMRootCA-Server.crt(for versions after 10.0.653)

Start in:
\\computer_name\DCAgentShare\

In Conditions tab, select the checkbox for Start only if the following network connection is available, then select Any connection.
Finally, click OK

You have now successfully initiated agent installation using GPO Scheduler.

How to install agents using Startup Script?

Windows startup script is a script that runs automatically when the operating system starts up. It is used to trigger the agent installation process automatically when a machine boots up. This ensures that the agent is installed before the user logs in, providing seamless deployment across multiple systems. Windows GPO Tool can be used to install agents using Startup Script

If a new GPO policy is applied, the installation for existing installed agents will be skipped on all machines. The remaining agents will be installed according to the new policy.

Advantages:

Common method of agent installation through traditional GPO editor.
It allows for customization with additional parameters or scripts during GPO configuration for agent installation.

Disadvantages:

Requires a system restart for the GPO policy to apply, delaying agent installation until then.
In remote work environments with machines connected through VPN, this method may not be suitable if the VPN is not connected during the restart.
Complex to configure via traditional GPO editor

For Endpoint Central versions 10.1.2124.1 and above, it is recommended to use exe based installation.

Steps

How to install agents in .exe format?

1.Download the agent package

Open the server web console.
Navigate to theAgent > Computers
Select the required remote office
Click the Download Agent button
Rename the file to LocalOffice_Agent.exe

download agent exe format in gpo scheduler

2. Download the script (SHA 256 Checksum: 04679135660bfad833b5093d9df5474ae4353fffd5165df7870dacd2d7afd5c1) and place it in the folder.

3. Create a GPO to identify targets for deployment

Open the Group Policy Management Console (GPMC) by opening Run (Windows key + R) and typing gpmc.msc .
Once in the GPMC, right-click on your target "organizational unit" (typically a domain), and select 'Create a GPO in this domain, and Link it here' option.

Once in the GPMC, right-click on your target organizational and select GPO in this link it

Note: To install agents selectively on a few devices

Click on the Scope tab
Under Security Filtering section, click Add
In the Select User, Computer, or Group dialog box, click Object Types
Select specific computer object types
Click OK
Specify the computer names
Click on Check Names
Click Ok

4. Enter a Name for the new GPO. For example, "EC_Agent_Install". Once the new GPO is created, you can see it in the GPMC in the left navigation pane, under Group Policy Objects.

5. Create a start-up task to execute the deployment and installation of the Windows Agent.

Open the Group Policy Management Editor by right-clicking on the new GPO you created, and selecting Edit.
Expand Computer Configuration --> Policies --> Windows Settings --> Scripts(Startup/Shutdown).
Right click Startup and click Properties and switch to PowerShell Scripts.

Click Show File
Paste the Installagent.ps1 and LocalOffice_Agent.exe downloaded above into the created folder.

place the agent file and powershell script in folder

Now copy the network path, as it is needed in later steps. Network path format - \\Domain name\SysVol\Domain name\Policies\{ID}\Machine\Scripts\Startup

Note: If the files can't be placed in the shared UNC folder path, open folder and with local path and paste the files.

Open Server manager -> File and storage services -> Shares
Copy the Local Path of SYSVOL
Open the SYSVOL folder and respective script folder Eg: C:\Windows\SYSVOL\sysvol\Domain\Policies\{853CF422-03F1-4C6A-8C3C-9F941F40E23B}\Machine\Scripts\Startup

Open Server manager -> File and storage services -> Shares

Browse and navigate to the location, copy the full path (\\Domain name\SysVol\Domain name\Policies\{ID}\Machine\Scripts\Startup) of PSInstallAgent.ps1 script.
In the Startup Properties dialog box, click Add.
Make sure to select "PowerShell Scripts". Then specify the path (copied location) and the script as shown below:

Make sure to select powershell then specify the path

Script name:\\domain.com\SysVol\ \Policies\{id}\Machine\Scripts\Startup\Installagent.ps1 (Replace \\domain.com\SysVol\domain.com\Policies {id}\Machine\Scripts\Startup with the network path you copied earlier.
Script parameters:LocalOffice_Agent.exe (exe file name)

Note: As an alternative to the execution of PowerShell, you can also execute VBscript script for agent installation using GPO

1. Download the
VB script (SHA 256 Checksum: 5a2477fa5004f14cfca46f8392c4d952f245edb61bf7dd0363959d6a48209f03) and place it in the folder.
2. Place it in the Script folder as mentioned above.
3. Select "Scripts".
4. Change the script and parameters as below.

Script Name: \\domain.com\SysVol\domain.com\Policies\{id}\Machine\Scripts\Startup\Installagent.vbs (*replace \\domain.com\SysVol\domain.com\Policies\{id}\Machine\Scripts\Startup with the network path you copied earlier.
Script Parameters: LocalOffice_Agent.exe

6. Click OK to close the Add a Script dialog box

7. Click OK to close the Startup Properties dialog box

8. Close the Group Policy Object Editor

9. Close the Group Policy Management dialog box

10. The script will be executed when the client computers reboot

Troubleshooting steps:

Ensure the network path is accessible from the endpoints and check if the required files for installation are present in the shared folder.

Reach out to support with the below files if issue persists.

1. GPO result from the client machine.

In client machine, open command prompt with administrator mode.
In command prompt, navigate to C:\ and run the command gpresult /h gprep.html
Kindly upload gprep.html file under C:\ from the client machine.

2. Event Logs
Export and upload application and system event viewer logs

How to install agents .msi format?

Note: Ensure that the network has a Domain based setup and not Workgroup setup. You can map the script to the entire domain even if you have installed the agents in a few client computers as the script will install the agent only in the computers in which the agent is not installed.

Download the Zip file, extract it and follow the steps given below
- Navigate to the server web console, -> Agent -> Agent Installation.
- Under Using Directory Services, in the GPO tab, click on Download Agent.
- Select the required office.
  Note: This can be a local office or a remote office depending on which computers you want to install agents in.
Save the .msi & .mst file in this path \\Domain name\SysVol\Domain name\Policies\{ID}\Machine\Scripts\Startup. Kindly include DCAgentServerInfo.json file only if the build version is 10.1.2124.1 and above.

Kindly include DCAgentServerInfo.json file only if the build version is 10.1.2124.1 and above.

How to obtain { ID } Value :-

Click on start>Run
Enter gpmc.msc
Click OK
Right click the domain to select, create and link a GPO here
Specify a name for the GPO
Select the GPO

Note: These steps need to be followed if you wish to install agents in a select few devices (refer this image). Do not follow these steps if you want to install agents in all the devices.

Click on the Scope tab
Under Security Filtering section, click Add
In the Select User, Computer, or Group dialog box, click Object Types
Select specific computer object types
Click OK
Specify the computer names
Click on Check Names
Click OK

Right click the GPO and click on Edit.

Note: As an alternative to the execution of VBscript, you can execute PowerShell script for agent installation using GPO.

For executing VBScript, follow these steps (refer this image):
Kindly include DCAgentServerInfo.json file only if the build version is 10.1.2124.1 and above.
Specify the script arguments as:
- "UEMSAgent.msi UEMSAgent.mst DMRootCA.crt"
- If SSL third party certificate is not uploaded in the server, Admin -> Security Settings -> Import SSL Certificates,the below files should be added along with Agent installer files:-
  DMRootCA.crt DMRootCA-Server.crt

Specify the script arguments as
"UEMSAgent.msi UEMSAgent.mst DMRootCA.crt DMRootCA-Server.crt"
For executing PowerShell script, follow these steps and refer this image):
Kindly include DCAgentServerInfo.json file only if the build version is 10.1.2124.1 and above.
"UEMSAgent.msi UEMSAgent.mst DMRootCA.crt"
"UEMSAgent.msi UEMSAgent.mst DMRootCA.crt DMRootCA-Server.crt"
Click OK to close the Add a Script dialog box
Click OK to close the Startup Properties dialog box
Close the Group Policy Object Editor
Close the Group Policy Management dialog box

Note: The script can be deployed to all the computers in the domain. It is to be noted that the target shouldn't be a user group.

Notes

Set the file association properties of .vbs files to Microsoft Windows (r) based script host in all the client computers. This ensures that the script is executed successfully. Do not modify the file association properties to open in a text editor as the execution of the script will fail.
You can leave the GPO object installed indefinitely to ensure that the agent is installed in future client computers.
This will not re-install the agent that is already installed as the script is programmed to ensure that it doesn't re-install agents that are already installed. This will not cause any problems during startup.
You also do not need to update and download the UEMSAgent.msi file every time the server is updated to a new version. The agent is programmed to check for new versions from the server and upgrade itself automatically. When an agent is installed, it updates itself automatically when new versions are released.

You have now installed an agent in client computers using a GPO.
Configuring IP Scope will help you while you deploy agents using GPO
- If IP scope is configured for all the remote offices created in the server, administrators can directly download local office UEMSAgent.msi and deploy it in all remote offices using GPO.
- IP scope has an automatic intelligence to detect computers within the specified IP range and reinstall the appropriate agent for the remote office.

Was this document helpful?

Yes

Visit our community

Post your questions in the forum