Installing the Windows agent

To manage your devices in Absolute, you first need to download and install the Secure Endpoint Agent on each device. After the agent is installed, it contacts the Absolute Monitoring Center to receive a unique identifier. A device record is then created in the database and the device information detected by the agent is made available in the Secure Endpoint Console.

On Windows devices, you can install the Secure Endpoint Agent in the following ways:

  • Direct installation: used to install the agent on individual devices not connected through a network. This method requires hands-on contact with each target device.
  • Batch installation: used to install the agent on multiple devices, either locally or remotely.

To ensure that your Windows devices are compatible with the agents, you need to meet the following requirements:

If you want to ensure that the agent survives accidental or malicious tampering, confirm that your Windows devices support Persistence technology.

BitLocker Drive Encryption (BitLocker) is a full-disk encryption feature included in most versions of the Windows operating system. BitLocker is designed to protect data by providing encryption for the operating system drive and fixed data drives.

Temporary suspension of BitLocker

The Secure Endpoint Agent is compatible with BitLocker. However, depending on the version of Absolute Persistence® Absolute Persistence® technology is embedded in the BIOS of most Windows devices during the manufacturing process. The Persistence module is activated during theSecure Endpoint Agent’s first connection to the Absolute Monitoring Center. This software checks the status of the agent and initiates self-healing to restore the agent if it's missing, damaged, or tampered with. embedded in the device's firmware, BitLocker may need to be temporarily suspended during Persistence activation and deactivation:

  • Persistence 2.x.x.x devices

    When BitLocker is enabled on a device with Absolute Persistence 2.0.0.0 and higher, BitLocker is not suspended during Persistence activation or deactivation.

  • Persistence 1.0 devices

    When BitLocker is enabled on a device with Absolute Persistence 1.0, BitLocker is temporarily suspended when Persistence is activated, which occurs during the first agent call after the agent is installed. BitLocker is enabled automatically when the device is restarted. This process is also used when Persistence is deactivated, which occurs when the device is unenrolled from your account.

    If a user is logged in to a device during activation of Persistence 1.0, the user sees a message stating that a restart is required. If the user chooses to Postpone the restart and then logs off before the restart occurs, the device restarts after the postpone action's timer runs out. Similarly, if a user is logged in during deactivation of firmware persistence, the user sees the same message.

    For more detailed information, see Knowledge Base article 000001587.

The agent is fully compatible with full-disk, and file and folder encryption products. If you use a full-disk encryption product other than BitLocker, such as McAfee Drive Encryption™, ensure that you install the agent before you install and enable full-disk encryption on the device. For more information, see Knowledge Base article 000001446.

Installation of the Secure Endpoint Agent on a Windows device requires Administrator privileges.

You can deploy the Secure Endpoint Agent on your Windows devices using either of the following installers:

  • Full agent installer
  • Core agent installer

Choosing an installer depends on a number of factors, including your network configuration and whether you are installing the agent locally or remotely.

To learn more about the two installers and how to download them, see Downloading the Secure Endpoint Agent.

Each download package contains the following files:

Installer Package contents
Full agent
  • AbsoluteFullAgent.msi: Windows MSI installer for the full agent
  • AbsoluteCoreAgent.msi: Windows MSI installer for the core agent
  • AbsoluteAgent.dat: text file containing your account metadata
  • AbsoluteAgent.sig: signature file
  • A readme.txt file for each supported language that includes information about the contents of the agent installation package and how to install and test the agent

  • AbsoluteAgent.checksums: file containing the SHA-256 hash of the installers

    You can use a hash verification tool, such as CertUtil, to verify that the contents of the AbsoluteFullAgent.msi and AbsoluteCoreAgent.msi installers have not been altered during download. For more information about verifying a SHA-256 file hash on a Windows device, see Microsoft documentation.

Core agent
  • AbsoluteCoreAgent.msi: Windows MSI installer for the core agent
  • AbsoluteAgent.dat: text file containing your account metadata
  • AbsoluteAgent.sig: signature file
  • A readme.txt file for each supported language that includes information about the contents of the agent installation package and how to install the agent

  • AbsoluteAgent.checksums: file containing the SHA-256 hash of the installer

    You can use a hash verification tool, such as CertUtil, to verify that the contents of the AbsoluteCoreAgent.msi installer has not been altered during download. For more information about verifying a SHA-256 file hash on a Windows device, see Microsoft documentation.

Before you run the installer, ensure that the AbsoluteAgent.dat and AbsoluteAgent.sig files are in the same folder as the .msi file. Agent installation cannot be completed if these files are not present.

Before you begin the agent installation process:

  • Use a virus-scanning program to ensure that your hardware is free from viruses.
  • Ensure that the device is connected to the Internet.
  • If you are installing the agent using the full agent installer, ensure that PowerShell is enabled on the device. If PowerShell is disabled, installation will not be successful.

The installer is packaged in a zip file. Before running the installer, you may need to extract (unzip) the zip file.

Ensure that you extract the installer zip file if:

  • You are signed in to the Windows device as a Standard user, or

  • You plan to run the installer at the command line

You do not need to extract the zip file if you are signed in as an Administrator and you plan to run the installer using the InstallShield wizard.

To extract the installer:

  1. Complete the steps to download the Windows installer of your choice.

    Account-specific installers are downloaded in the following zip files:

    • Full agent: AbsoluteWinFullAgent-<agent version>-<account_id>.zip
    • Core agent: AbsoluteWinCoreAgent-<agent version>-<account_id>.zip

  2. From the location where you saved the downloaded zip file, extract its contents to a local folder, a network drive, or to removable media such as a USB device.

You can use the command line or the InstallShield wizard to run the installer locally on a Windows device.

Administrator privileges are required to run the installer.

Using the command line to silently install the agent on a Windows device eliminates the need to respond to prompts in the InstallShield Wizard.

To install the agent using the command line:

  1. Ensure that you have extracted the downloaded zip file.

    If you copied the .msi file to another location, ensure that the AbsoluteAgent.dat and AbsoluteAgent.sig files are in the same folder as the .msi file. Agent installation cannot be completed if these files are not present.

  2. Open a Command Prompt window as an administrator. For example:

    1. Click Start and enter cmd.
    2. Right-click cmd or Command Prompt, and then click Run as administrator.
    3. On the User Access Control dialog, click Yes. The Administrator: Command Prompt window opens.

    For information about other ways to open a Command Prompt window as an Administrator, refer to Windows documentation.

  3. Use the CD command to navigate to the location where you extracted the downloaded zip file.

    For example:

    Copy 
    cd C:\Users\<username>\Desktop\ABSAgent

  4. Do one of the following depending on the installer you want to use:

    Installer Command

    Full agent

    • To run the installer in silent mode, enter:

      Copy 
      msiexec.exe -i AbsoluteFullAgent.msi /qn

    • To run the installer and specify the installation log, type:

      Copy 
      msiexec.exe -i AbsoluteFullAgent.msi /L*v <path to log file>
    Core agent

    • To run the installer in silent mode, type:

      Copy 
      msiexec.exe /i AbsoluteCoreAgent.msi /qn

    • To run the installer and specify the installation log, type:

      Copy 
      msiexec.exe /i AbsoluteCoreAgent.msi /L*v <path to log file>

To install the agent on a device using the InstallShield wizard:

  1. Do one of the following:
    • If you are signed in to the device as an Administrator:

      1. Navigate to the location where you downloaded the zip file and open it.

        If you copied the .msi file to another location, ensure that the AbsoluteAgent.dat and AbsoluteAgent.sig files are in the same folder as the .msi file. Agent installation cannot be completed if these files are not present.

      2. Depending on the installer that you want to use, double-click one of the following files:
        • AbsoluteFullAgent.msi

        • AbsoluteCoreAgent.msi

      The InstallShield wizard opens.

    • If you are signed in to the device as a Standard user:

      1. Extract (unzip) the downloaded installer zip file, if it is not already extracted.

      2. Navigate to the location where you extracted the zip file.

      3. Depending on the installer that you want to use, right-click one of the following files and click Run as administrator:

      • AbsoluteFullAgent.msi
      • AbsoluteCoreAgent.msi

      The InstallShield wizard opens.

      If the Run as administrator option is not available in the right-click menu, you failed to extract the installer zip file.

  2. If the User Account Control dialog shows, click Yes to permit the install file to be installed.
  3. Click Next and then click Install to start the installation.
  4. Click Finish to complete the installation and exit the InstallShield wizard.

After installation, the agent contacts the Absolute Monitoring Center and receives a unique identifier. You can verify that the agent was successfully installed in the following ways:

You can verify that an agent is activated by downloading the Persistence Status Monitor and triggering an agent call.

You can verify that an agent is activated by reviewing the Activation report in the Secure Endpoint Console.

To verify the agent installation using the console:

  1. Log in to the Secure Endpoint Console as an Administrator.
  2. On the navigation bar, click Reports.
  3. Under Categories, click Device, and then click Activation to open the Activation report.

It may take several minutes to process the device's information and make it available in the console. The data in the Activation report is sorted in descending order by Activation date, so the newly activated device should show at or near the top of the result grid. If it doesn't show, the device has failed to contact the Absolute Monitoring Center. If so, you can trigger an agent call.

There are several methods that you can employ to install the Secure Endpoint Agent on multiple devices:

You can use disk imaging to deploy an unactivated Secure Endpoint Agent to new or repurposed devices.

For detailed information about including the Secure Endpoint Agent in a disk image, see Working with the Windows Image Prep Tool and the following Knowledge Base article: Including the Secure Endpoint Agent in a Disk Image for deployment.

You can use Microsoft System Center Configuration Manager (SCCM) or Microsoft Intune to deploy the agent to a group of computers on a network. Both Secure Endpoint Agent installers are supported.

For more information, refer to the respective tool's documentation.

Both the full agent installer and the core agent installer conform to industry standards for MSI files, which enables network administrators to deploy the agent onto their devices using Active Directory.

For more information, refer to Active Directory documentation.

It's best practice to avoid backing up a device with an activated Secure Endpoint Agent. Restoring the backup may lead to unexpected outcomes, depending on the policies, actions, and rules deployed to the backed up device.

If you want to create a backup, ensure that you:

  • Exclude the following folders/files from the backup:
    • <System directory>\rpcnet.exe
    • ProgramData\CTES\
  • Reinstall the Secure Endpoint Agent after the backup is restored.