Installing the Windows agent

To manage your devices in Absolute, you first need to download and install the Secure Endpoint Agent on each device. After the agent is installed, it contacts the Absolute Monitoring Center to receive a unique identifier. A device record is then created in the database and the device information detected by the agent is made available in the Secure Endpoint Console.

On Windows devices, you can install the Secure Endpoint Agent in the following ways:

  • Direct installation: used to install the agent on individual devices not connected through a network. This method requires hands-on contact with each target device.
  • Batch installation: used to install the agent on multiple devices, either locally or remotely.

To ensure that your Windows devices are compatible with the agents, you need to meet the following requirements:

If you want to ensure that the agent survives accidental or malicious tampering, confirm that your Windows devices support Persistence technology.

BitLocker Drive Encryption (BitLocker) is a full-disk encryption feature included in most versions of the Windows operating system. BitLocker is designed to protect data by providing encryption for the operating system drive and fixed data drives.

Temporary suspension of BitLocker

The Secure Endpoint Agent is compatible with BitLocker. However, depending on the version of Absolute Persistence® Absolute Persistence® technology is embedded in the BIOS of most Windows devices during the manufacturing process. The Persistence module is activated during theSecure Endpoint Agent’s first connection to the Absolute Monitoring Center. This software checks the status of the agent and initiates self-healing to restore the agent if it's missing, damaged, or tampered with. embedded in the device's firmware, BitLocker may need to be temporarily suspended during Persistence activation and deactivation:

  • Persistence 2.0 devices

    When BitLocker is enabled on a device with Absolute Persistence 2.0, BitLocker is not suspended during Persistence activation or deactivation.

  • Persistence 1.0 devices

    When BitLocker is enabled on a device with Absolute Persistence 1.0, BitLocker is temporarily suspended when Persistence is activated, which occurs during the first agent call after the agent is installed. BitLocker is enabled automatically when the device is restarted. This process is also used when Persistence is deactivated, which occurs when the device is unenrolled from your account.

    If a user is logged in to a device during activation of Persistence 1.0, the user sees a message stating that a restart is required. If the user chooses to Postpone the restart and then logs off before the restart occurs, the device restarts after the postpone action's timer runs out. Similarly, if a user is logged in during deactivation of firmware persistence, the user sees the same message.

    For more detailed information, see Knowledge Base article 000001587.

The agent is fully compatible with full-disk, and file and folder encryption products. If you use a full-disk encryption product other than BitLocker, such as McAfee Drive Encryption™, ensure that you install the agent before you install and enable full-disk encryption on the device. For more information, see Knowledge Base article 000001446.

Before you begin the agent installation process:

  • Use a virus-scanning program to ensure that your hardware is free from viruses.
  • Ensure that the device is connected to the Internet.

You can deploy the Secure Endpoint Agent on your Windows devices using either of the following installers:

  • Full agent installer
  • Core agent installer

Choosing an installer depends on a number of factors, including your network configuration and whether you are installing the agent locally or remotely.

To learn more about the two installers and how to download them, see Downloading the Secure Endpoint Agent.

To extract the installer:

  1. Complete the steps to download the Windows installer of your choice.

    Account-specific installers are downloaded in the following zip files:

    • Full agent: AbsoluteWinFullAgent-<agent version>-<account_id>.zip
    • Core agent: AbsoluteWinCoreAgent-<agent version>-<account_id>.zip

  2. From the location where you saved the downloaded zip file, extract its contents to a local folder, a network drive, or to removable media such as a USB device.

    Each download package contains the following files:

    Installer Package contents
    Full agent
    • AbsoluteFullAgent.msi: Windows MSI installer for the full agent
    • AbsoluteCoreAgent.msi: Windows MSI installer for the core agent
    • AbsoluteAgent.dat: text file containing your account metadata
    • AbsoluteAgent.sig: signature file
    • AbtPS_SDK_<version>.zip: zip file containing the Persistence Status Monitor. You can use this tool to force a call to the Absolute Monitoring Center.
    • A readme.txt file for each supported language that includes information about the contents of the agent installation package and how to install and test the agent.

    • AbsoluteAgent.checksums: file containing the SHA-256 hash of the installers

      You can use a hash verification tool, such as CertUtil, to verify that the contents of the AbsoluteFullAgent.msi and AbsoluteCoreAgent.msi installers have not been altered during download. For more information about CertUtil, see Microsoft documentation.

    Core agent
    • AbsoluteCoreAgent.msi: Windows MSI installer for the core agent
    • AbsoluteAgent.dat: text file containing your account metadata
    • AbsoluteAgent.sig: signature file

    • AbsoluteAgent.checksums: file containing the SHA-256 hash of the installer

      You can use a hash verification tool, such as CertUtil, to verify that the contents of the AbsoluteCoreAgent.msi installer has not been altered during download. For more information about CertUtil, see Microsoft documentation.

    Before you run the installer, ensure that the AbsoluteAgent.dat and AbsoluteAgent.sig files are in the same folder as the .msi file. Agent installation cannot be completed if these files are not present.

You can use the command line or the InstallShield wizard to run the installer locally on a Windows device.

You must have Administrator privileges to install the agent.

Using the command line to silently install the agent on a Windows device eliminates the need to respond to prompts in the InstallShield Wizard.

To install the agent using the command line:

  1. Open a Command Prompt window as an administrator. For example:

    1. Click Start and enter cmd.
    2. Right-click cmd or Command Prompt, and then click Run as administrator.
    3. On the User Access Control dialog, click Yes. The Administrator: Command Prompt window opens.

    For information about other ways to open a Command Prompt window as an administrator, refer to Windows documentation.

  2. Navigate to the location where you extracted the downloaded zip file.

    If you have copied the .msi file to another location, ensure that the AbsoluteAgent.dat and AbsoluteAgent.sig files are in the same folder as the .msi file. Agent installation cannot be completed if these files are not present.

  3. Do one of the following depending on the installer you want to use:

    Installer Command

    Full agent

    • To run the installer in silent mode, enter:

      Copy 
      msiexec.exe -i AbsoluteFullAgent.msi /qn

    • To run the installer and specify the installation log, type:

      Copy 
      msiexec.exe -i AbsoluteFullAgent.msi /L*v <path to log file>
    Core agent

    • To run the installer in silent mode, type:

      Copy 
      msiexec.exe /i AbsoluteCoreAgent.msi /qn

    • To run the installer and specify the installation log, type:

      Copy 
      msiexec.exe /i AbsoluteCoreAgent.msi /L*v <path to log file>

To install the agent on a device using the InstallShield wizard:

  1. Navigate to the location where you extracted the downloaded zip file.

    If you have copied the .msi file to another location, ensure that the AbsoluteAgent.dat and AbsoluteAgent.sig files are in the same folder as the .msi file. Agent installation cannot be completed if these files are not present.

  2. Depending on the installer that you want to use, right-click one of the following files and click Run as administrator:

    • AbsoluteFullAgent.msi
    • AbsoluteCoreAgent.msi

    The InstallShield wizard opens.

    If the Run as administrator option is not available in the right-click menu, follow the steps in Using the command line to install the agent.

  3. If the User Account Control dialog shows, click Yes to permit the install file to be installed.
  4. Click Next and then click Install to start the installation.
  5. Click Finish to complete the installation and exit the InstallShield wizard.

After installation, the agent contacts the Absolute Monitoring Center and receives a unique identifier. You can verify that the agent was successfully installed in the following ways:

You can verify that an agent is activated by downloading the Persistence Status Monitor and triggering an agent call.

If you downloaded the full agent installer, the Persistence Status Monitor is included in the download package, so you don't need to download it separately. For details about running the tool, refer to the Help topic or the user guide included in the downloaded package.

You can verify that an agent is activated by reviewing the Activation report in the Secure Endpoint Console.

To verify the agent installation using the console:

  1. Log in to the Secure Endpoint Console as an Administrator.
  2. On the navigation bar, click Reports.
  3. Under Categories, click Device, and then click Activation to open the Activation report.

It may take several minutes to process the device's information and make it available in the console. The data in the Activation report is sorted in descending order by Activation date, so the newly activated device should show at or near the top of the result grid. If it doesn't show, the device has failed to contact the Absolute Monitoring Center. If so, you can trigger an agent call.

There are several methods that you can employ to install the Secure Endpoint Agent on multiple devices:

You can use disk imaging to deploy an unactivated Secure Endpoint Agent to new or repurposed devices.

For detailed information about including the Secure Endpoint Agent in a disk image, see Working with the Windows Image Prep Tool and the following Knowledge Base article: Including the Secure Endpoint Agent in a Disk Image for deployment.

You can use Microsoft System Center Configuration Manager (SCCM) or Microsoft Intune to deploy the agent to a group of computers on a network. Both Secure Endpoint Agent installers are supported.

If your organization intends to use either of these tools to deploy the agent, ensure that the AbsoluteAgent.dat and AbsoluteAgent.sig files are in the same folder as the .msi file.

For more information, refer to the respective tool's documentation.

Both the full agent installer and the core agent installer conform to industry standards for MSI files, which enables network administrators to deploy the agent onto their devices using Active Directory.

If your organization intends to use this tool to deploy the agent, ensure that the AbsoluteAgent.dat and AbsoluteAgent.sig files are in the same folder as the .msi file.

For more information, refer to Active Directory documentation.