
Deploy DLP Endpoint Agent By Active Directory GPO

Created: 03 Jun 2012 • Updated: 04 Jun 2012 | 15 comments
yang_zhang's picture

To deploy the DLP Endpoint Agent in an enterprise environment that already has Active Directory, you can create an .mst transform file and use Group Policy Objects (GPO) to deploy the agent.

You need the tool named Orca to create the MST file.

Here are the steps:

1. Right-click AgentInstall.msi and select 'Edit with Orca'.

2. From the 'Transform' menu, select 'New Transform'.

3. Select 'Property' in the 'Tables' list.

4. From the 'Tables' menu, select 'Add Row'.

5. For 'Property', type 'ENDPOINTSERVER'; for 'Value', type the hostname or IP address of the endpoint server.

6. Click 'OK' to add this row to the 'Property' table. The 'Property' table should now contain the ENDPOINTSERVER row.

7. From the 'Transform' menu, select 'Generate Transform'.

An .mst file will be saved.

8. Create a bat file that runs msiexec with the .mst file. The command in the bat file looks like this:

msiexec /i \\dc\dlp\AgentInstall.msi TRANSFORMS=\\dc\dlp\AgentInstall.mst /q

9. Edit the Group Policy in AD and select the bat script created in step 8 as the startup script.

Then, during startup of the client machine, the DLP Endpoint Agent will be installed by the startup script.
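A startup script runs at every boot, so the one-line script from step 8 launches msiexec each time. The following is an added example, not part of the original article: it runs the step 8 command once and skips it afterwards. The share and file names are those of step 8; the registry key `HKLM\SOFTWARE\ExampleCorp\DLPAgentDeploy` is a hypothetical name chosen for this sketch.

```batch
@echo off
rem Added example (not from the original article): install once, skip afterwards.
rem Share and file names are those of step 8; the registry key is hypothetical.
setlocal

set "MSI=\\dc\dlp\AgentInstall.msi"
set "MST=\\dc\dlp\AgentInstall.mst"
rem State lives under HKLM so standard users cannot forge or delete it.
set "KEY=HKLM\SOFTWARE\ExampleCorp\DLPAgentDeploy"

rem 1. A previous run already succeeded: nothing to do.
reg query "%KEY%" /v Installed >nul 2>&1
if not errorlevel 1 goto :eof

rem 2. Share not reachable yet (network not up at boot): retry next startup.
if not exist "%MSI%" goto :unreachable
if not exist "%MST%" goto :unreachable

rem 3. Run the same command as step 8 and wait for msiexec to finish.
start /wait "" msiexec /i "%MSI%" TRANSFORMS="%MST%" /q
set "RC=%ERRORLEVEL%"

rem Keep the last exit code for troubleshooting.
reg add "%KEY%" /v LastExitCode /t REG_SZ /d "%RC%" /f >nul

rem 0 = success, 3010 = success but a reboot is required.
if "%RC%"=="0" goto :success
if "%RC%"=="3010" goto :success
exit /b %RC%

:success
reg add "%KEY%" /v Installed /t REG_SZ /d "%DATE% %TIME%" /f >nul
exit /b 0

:unreachable
reg add "%KEY%" /v LastExitCode /t REG_SZ /d "package unreachable" /f >nul
exit /b 1
```

Computer startup scripts run as Local System, so the share holding the .msi, the .mst and this script should be readable by the computer accounts but writable only by administrators. The marker records that this script completed an install, not that the agent is still present.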

Comments (15)

kishorilalWipro's picture

But yang, will it install DLP Agents on all machines? Please explain. And due to the startup script, will it run the installation process every time a user logs in?

yang_zhang's picture

Good question.

The Startup Script is a part of the GPO; that means this script will be deployed to the OU. So, all the machines under this OU will run this script to install the DLP agent.

And here I just wrote a very simple script; you can add some if-then-else at the beginning of the script to determine whether the DLP agent has already been installed on this endpoint.

JustinAndersen's picture

So does this install only once via GPO or does it check every time you start up?

UFO's picture

ORCA - is that the utility from Microsoft Windows SDK?


patriot3w's picture

Good job. Should put this inside the DLP document.

NetUser's picture

Is there some way to add the uninstall password to the transform file?

How can we deploy this and also configure the uninstall password?

consoleadmin's picture

Really nice and helpful article.


McDude's picture

Can you please tell me how to create the transform file to include the encryption key? Should I just add a row and use the Property of "encryption key" with a value of "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" ?

Also can you write out the batch file that will check for an installed instance and then ignore installation if present?

I apologize as I am a noob to these Transform files.


N Manoj's picture

Nice article... with steps

Manoj N

m@ntec's picture

Hi, it is not yet clear to me, since this is a startup script.

Please explain: due to the startup script, will it run the installation process every time a user logs in?

It will deploy just once, and is it okay to remove the GPO once there is an agent?


DLP Works's picture

Hi Yang,

Can you please help us with how to deploy the DLP 12.5.1 agent through AD? Since this time a lot of certificates are required for installation, I am not able to figure out how we do it for this version.

Thanks in advance..

alplechaty's picture

I agree the 12.5.1 agent is much more of a pain to install. Any suggestions or methods anyone used to get this to install via GPO are greatly appreciated.

r.woodard's picture

It would seem we just need to add the new parameters to the Transform. I have not tested this using a .mst as shown in the steps above, but adding the following values the same way as you added the ENDPOINTSERVER as shown above, I think it may work. Here are the Properties that I know of that you can try adding via Orca:

ENDPOINTSERVER (shown above)







