Onboard Windows devices with AgentP in unattended or kiosk mode

In this topic, you will learn how to run Portnox™ AgentP in unattended mode or kiosk mode.

Note: To learn about different AgentP operating and installation modes, see the following topic: AgentP working and installation modes.

Install AgentP in unattended mode

In this section, you will learn how to install AgentP in unattended mode. User interaction is only necessary if AgentP cannot be onboarded automatically.

Important: AgentP unattended enrollment is only possible if the Windows device is a member of Active Directory or Azure (Entra ID), and Portnox Cloud is integrated with Active Directory or Azure.

If you run AgentP in unattended enrollment mode, AgentP checks if the device is a member of Active Directory or Azure, and then sends AD/Azure identification data to Portnox Cloud (for example, the tenant ID, device ID, domain, user name, computer name). If the identification data matches the data in Cloud, AgentP can onboard in Portnox Cloud automatically using this data with no need of user interaction.

  1. Download the AgentP installation file from the download page. 
    > curl -o agentp.msi
"https://clear.portnox.com/enduser/DownloadAgentPForOsAndPackageType?osType=2&packageType=Windows_x64"

    Replace Windows_x64 with Windows_x86 if you have a 32-bit architecture.

  2. Run the installation from the command prompt with a parameter for unattended installation. 
    > msiexec /i agentp.msi /qn

When the onboarding window appears, one of two things can happen:

  • If AgentP finds that the device/user are already onboarded, the onboarding window disappears after 5 to 20 seconds (after enrollment is complete), and AgentP is automatically enrolled.
  • Otherwise, you must follow the steps in the onboarding window to enroll the current user manually. Until then, AgentP will not be enrolled.

Install AgentP in unattended mode with no user interaction

In this section, you will install AgentP in unattended mode using the logged-in Windows user. This procedure assumes that the computer was onboarded using UEM/MDM software and already has access to the secure network.

  1. Download the AgentP installation file from the download page. 
    > curl -o agentp.msi
"https://clear.portnox.com/enduser/DownloadAgentPForOsAndPackageType?osType=2&packageType=Windows_x64"

    Replace Windows_x64 with Windows_x86 if you have a 32-bit architecture.

  2. Optional: Configure the Windows registry settings for AgentP to hide the icon from the notification area (system tray). 
    > reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Portnox AgentP"
/v "TrayIcon" /t REG_SZ /d "hide" /f
  3. Run the installation from the command prompt with parameters for unattended installation and unattended enrollment. 
    > msiexec /i agentp.msi /qn UI_LAUNCH=1
  4. Optional: Check the AgentP logs to confirm that AgentP is running in unattended mode.

    The log file will contain an entry: Running in unattended mode.

    To learn how to access AgentP logs, see the following topic: How to collect AgentP logs for support.

Note: If AgentP cannot recognize the user/device as onboarded, it will show the onboarding window after it’s installed, even if you follow all the steps above. To make sure that no onboarding window is shown, ensure that your endpoint management software first onboards the user/device, and only then run AgentP installation. If the user/device is onboarded (can connect to the company network), and the onboarding window still appears, examine the AgentP logs for an underlying cause.

Switch to unattended enrollment mode

If you already installed Agent in interactive mode, you can change its configuration so that it runs in unattended mode (without user interaction).

  1. Change the Windows registry settings for AgentP to enable unattended enrollment. 
    > reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Portnox AgentP"
/v "Mode" /t REG_SZ /d "umode" /f
  2. Restart the AgentP service. 
    > net stop PortnoxAgentP
> net start PortnoxAgentP
Important: If AgentP is already enrolled manually, before you switch to unattended mode, you must manually unenroll it by clicking on the Deactivate button in the AgentP user interface. Otherwise, AgentP will remain enrolled with the manually onboarded user and will not automatically switch to the current Active Directory or Azure user.

Switch to kiosk mode

If you already have AgentP installed in default (single-user) mode, you can change its configuration so that it runs in kiosk mode.

Important: This mode works only with authentication repositories that support computer accounts: Microsoft Azure (Entra ID) and Active Directory. This mode cannot be used with Okta Workforce Identity or Google Workspace.
  1. Configure the Windows registry settings for AgentP to work in kiosk mode. 
    > reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Portnox AgentP"
/v "Etype" /t REG_SZ /d "computer_account" /f
  2. Restart the AgentP service. 
    > net stop PortnoxAgentP
> net start PortnoxAgentP