Recommended Configuration Change to Mitigate a Potential Attack Bypassing SentinelOne EDR.

To improve control and security around Windows Agent upgrades and downgrades, we recommend enabling Local Upgrade Authorization. Turn it on for your Sites in the Management Console.

Why It Matters

Local Upgrade Authorization acts as a safeguard when Windows Agents are upgraded or downgraded locally. When this setting is enabled for a Site, local upgrade actions are only allowed during approved timeframes and if the Site has been authorized in advance. If these conditions aren’t met, the upgrade or downgrade attempt will be blocked — helping prevent unauthorized or unintended changes.

This is especially useful in environments where Agents are deployed or updated using tools like SCCM, Intune, N-Sight, N-Central or Group Policy, offering an added layer of protection and reducing the risk of accidental or unmanaged updates.

Key Details

  • Available for Windows Agent versions 22.3+
  • Only supported with SentinelOneInstaller EXE packages
  • MSI installers are not supported — attempts using them will fail
  • Applies to upgrades done via:
    • Double-clicking the installer
    • Running it from the command line
    • Using deployment tools

How to Get Started


Local Upgrade Authorization can be turned on at Account, Site or Group level from the Management Console. It is recommended to enable this setting for all non-inherited policies. Once enabled, upgrade windows and Site-level authorization must be configured for local actions to succeed.

To determine whether a policy is inherited, and to enable the setting:

1. At the top left of the Console, click the arrow to open the Scopes panel and select a scope, either Account, Site or Group.
2. In the Sentinels toolbar, click Policy.
3. If the icon at the top of the policy says Inherited from global | account | site default policy, this policy is inherited and you do not need to make a change.
4. If the icon at the top of the policy says Last modified <time> ago, this policy is not inherited. In the Agent settings, set Local Upgrade/Downgrade: Online Authorization to ON.

As it may be a time-intensive process to enable this setting across all non-inherited policies, N-able has created a script which will automate this process. Click EDR Enable Online Authorization to download the script package containing the PowerShell script and instruction PDF.

Please refer to the documentation on enabling Local Upgrade Authorization.

Additional Recommendation:

To further enhance your security, we advise updating all EDR agents to the latest version. Utilising the auto-upgrade functionality can ensure smooth and timely updates. For more details, please refer to our updated documentation.

Please note:

Enabling Local Upgrade Authorization changes the approval process within the Management Console: approvals must be in place before local upgrades can occur. This increases accountability and auditability in upgrade processes.

Activating local upgrade authorization might affect automated scripts that perform upgrades or downgrades, especially those using tools like SCCM or similar deployment mechanisms. As these scripts traditionally execute upgrades without additional prompts, requiring authorization could necessitate script modifications.
