SentinelOne Windows Agent Installer Update: Installation Method Change

Starting with SentinelOne Windows Agent 25.2 SP1 / 25.2.5.437, the standard EXE installer no longer supports the previous double-click GUI flow for entering the site token.

Previously, admins could double-click the EXE installer and paste the token into a prompt. Going forward, the EXE installer must be run using command-line parameters or deployed through a software distribution platform.

Why this changed

This update is part of SentinelOne’s Guardian installer / SentinelInstallerDriver security hardening. It improves protection around installer and upgrade workflows and helps reduce exposure to Bring Your Own Installer (BYOI) bypass attacks.

Supported installation methods

EXE installer via elevated Command Prompt

SentinelOneInstaller.exe -t <SITE_TOKEN>

MSI installer via command line or deployment tool

msiexec /i SentinelOneInstaller.msi SITE_TOKEN=<SITE_TOKEN>

The MSI package can also be deployed through tools such as:

  • RMM platforms
  • MDM platforms
  • Microsoft Intune
  • Microsoft SCCM
  • Other software distribution tools

What remains unchanged

The installed SentinelOne agent is functionally the same. This change only affects how the installer is launched and authorized.

Important notes

  • The double-click GUI token prompt will not be reintroduced for this installer line.
  • EXE upgrades run silently by default.
  • The -q parameter is no longer required.
  • For the EXE installer, tokens must be provided using -t.
  • The MSI installer is unchanged.

Recommended action

Update any deployment scripts, internal documentation, and support guidance that reference the old double-click GUI installation flow. Administrators should now use command-line installation or standard deployment tools for SentinelOne Windows Agent installations.
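
An added example, not SentinelOne's or this page's own script: a PowerShell wrapper that a deployment script could call in place of the old double-click flow, using only the -t and SITE_TOKEN= forms shown above. The function name Install-S1Agent, its parameter names, the sample path and the S1_SITE_TOKEN variable are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: Install-S1Agent and its parameter names are hypothetical.

function Install-S1Agent {
    [CmdletBinding()]
    param(
        # Path to the downloaded installer package (.exe or .msi).
        [Parameter(Mandatory)] [string] $InstallerPath,
        # Site token, passed in at run time instead of being hard-coded in the script.
        [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $SiteToken
    )

    # Fail early if the package is missing.
    $installer = (Resolve-Path -LiteralPath $InstallerPath -ErrorAction Stop).ProviderPath

    # Build the argument list from the two invocation forms given on this page.
    switch ([System.IO.Path]::GetExtension($installer).ToLowerInvariant()) {
        '.exe' {
            $file      = $installer
            $arguments = @('-t', $SiteToken)   # -q is no longer required
        }
        '.msi' {
            $file      = Join-Path $env:SystemRoot 'System32\msiexec.exe'
            # Quote the package path so a path containing spaces stays one argument.
            $arguments = @('/i', "`"$installer`"", "SITE_TOKEN=$SiteToken")
        }
        default { throw "Unsupported installer type: $installer" }
    }

    # -Wait -PassThru hands the installer's exit code back to the deployment tool.
    $proc = Start-Process -FilePath $file -ArgumentList $arguments -Wait -PassThru

    # Report only the file name and exit code so the token never lands in logs.
    [pscustomobject]@{
        Installer = Split-Path -Leaf $installer
        ExitCode  = $proc.ExitCode
    }
}

# Constructed invocation: the token is read from a variable set by the deployment platform.
# Install-S1Agent -InstallerPath 'C:\Temp\SentinelOneInstaller.exe' -SiteToken $env:S1_SITE_TOKEN
```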
