How do I deploy the Nanitor Agent via GPO Software Installation (MST transform)?

This article covers deploying the Windows agent through Active Directory's native Software Installation policy, using an MSI transform (.mst) to supply the enrollment details.

Note

For most environments the startup-script or scheduled-task methods in How do I deploy the Nanitor Agent across a domain using Active Directory (GPO)? are simpler and install sooner. Use the method in this article only if you specifically want GPO Software Installation semantics (the package tracked under Add/Remove Programs, and optionally removed automatically when the policy is unlinked — see Removing the agent).

Why a transform is needed

The Nanitor agent MSI needs two properties to install unattended and enrol:

  • SIGNUP_URL — your organization's per-tenant enrollment URL
  • ACCEPTEULA — set to yes

When you install from a command line you pass these directly (msiexec /i ... SIGNUP_URL="..." ACCEPTEULA="yes"). But Group Policy Software Installation deploys a bare MSI — there is nowhere to type a command line. An agent deployed without these properties installs but never enrols.

The fix is an MSI transform (.mst): a small file that sets those properties, applied to the MSI at install time. Both properties are public and marked secure (listed in the MSI's SecureCustomProperties) in the Nanitor MSI, so a transform can set them and they survive the elevated, per-machine install that Group Policy performs.

Prerequisites

  • Domain Administrator rights, or rights to create and link a GPO on the target Organizational Unit (OU)
  • The Nanitor agent MSI — download from Nanitor (How do I download the Agent?) or directly from https://nanitor.io/agents/nanitor-agent-latest_amd64.msi (or _i386.msi)
  • Your organization's signup URL (Finding your Setup URL)
  • An MSI editor that can author a transform. Orca is the standard free choice — it ships in the Windows SDK; install the SDK, then run Orca-x86_en-us.msi from its bin\... subfolder. Friendlier free alternatives such as Super Orca or InstEd work too, as does a commercial packaging suite such as Advanced Installer or InstallShield. The steps below use Orca.
  • A network share readable by the Domain Computers group, to hold the MSI and the transform

Step 1: Build the transform in Orca

  1. Copy the agent MSI to your deployment share, for example \\dc01\NanitorDeploy\nanitor-agent.msi.
  2. Open the MSI in Orca (right-click the MSI → Edit with Orca, or launch Orca and open the file).
  3. From the menu, choose Transform → New Transform. Orca is now recording your changes into a transform.
  4. In the left-hand table list, select the Property table.
  5. Right-click in the property list and choose Add Row. Add:
    • Property = SIGNUP_URL, Value = your full signup URL
    • Property = ACCEPTEULA, Value = yes
  6. Choose Transform → Generate Transform and save it next to the MSI as \\dc01\NanitorDeploy\nanitor-agent.mst.
  7. Close Orca without saving the MSI itself — the settings live in the transform, not the MSI.

Warning

The signup URL is a live enrollment key for your organization — treat the MSI share and the transform as sensitive. Restrict the share to the computer accounts that need it, and author one transform per organization; do not reuse another organization's transform.
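Before the package goes anywhere near a GPO, it is worth confirming that the transform really sets both properties, since a mistyped property name produces exactly the silent failure described above (the agent installs but never enrols). The PowerShell check below is an added example, not part of the Nanitor article or the agent: it applies the .mst to the MSI in memory through the Windows Installer COM API and inspects the resulting Property table. The share paths are the article's example values and are assumptions.

```powershell
# Added pre-deployment check (not Nanitor's code): apply the transform to the MSI
# in memory and confirm SIGNUP_URL and ACCEPTEULA are present with sane values.
# Paths are the article's example share; adjust to your own (assumption).
param(
    [string]$MsiPath = '\\dc01\NanitorDeploy\nanitor-agent.msi',
    [string]$MstPath = '\\dc01\NanitorDeploy\nanitor-agent.mst'
)

# WindowsInstaller.Installer COM objects expose no type information to
# PowerShell, so every member is reached through InvokeMember.
function Invoke-Msi($Object, $Name, $Kind, $Arguments) {
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
# Mode 0 = read-only; ApplyTransform modifies only the in-memory copy,
# so the MSI on the share is never written to.
$db = Invoke-Msi $installer 'OpenDatabase' 'InvokeMethod' @($MsiPath, 0)
# Error condition 0 = msiTransformErrorNone: any validation error is fatal.
Invoke-Msi $db 'ApplyTransform' 'InvokeMethod' @($MstPath, 0) | Out-Null

$view = Invoke-Msi $db 'OpenView' 'InvokeMethod' 'SELECT `Property`, `Value` FROM `Property`'
Invoke-Msi $view 'Execute' 'InvokeMethod' $null | Out-Null

# Walk the transformed Property table into a hashtable.
$props = @{}
while (($rec = Invoke-Msi $view 'Fetch' 'InvokeMethod' $null) -ne $null) {
    $name  = Invoke-Msi $rec 'StringData' 'GetProperty' 1
    $value = Invoke-Msi $rec 'StringData' 'GetProperty' 2
    $props[$name] = $value
}
Invoke-Msi $view 'Close' 'InvokeMethod' $null | Out-Null

$ok = $true
if (-not $props['SIGNUP_URL'] -or $props['SIGNUP_URL'] -notmatch '^https?://') {
    Write-Warning 'SIGNUP_URL is missing or not a URL: the agent would install but never enrol.'
    $ok = $false
}
if ($props['ACCEPTEULA'] -ne 'yes') {
    Write-Warning 'ACCEPTEULA is not "yes": the MSI will not install unattended.'
    $ok = $false
}
if ($ok) { "Transform OK: SIGNUP_URL=$($props['SIGNUP_URL']) ACCEPTEULA=$($props['ACCEPTEULA'])" }
exit ([int](-not $ok))
```

Run it from a machine that can read the share; a non-zero exit code means the transform should be rebuilt before Step 3.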

Step 2: Create and link the GPO

  1. On a Domain Controller, run gpmc.msc to open the Group Policy Management Console.
  2. Right-click the OU containing the target computers and select Create a GPO in this domain, and Link it here. Name it, for example, Nanitor Agent (Software Installation).

Step 3: Add the package with the transform

  1. Right-click the new GPO and select Edit.
  2. Navigate to Computer Configuration → Policies → Software Settings → Software installation.
  3. Right-click and choose New → Package.
  4. Browse to the MSI using its UNC path (\\dc01\NanitorDeploy\nanitor-agent.msi), not a local drive letter.
  5. When prompted for the deployment method, choose Advanced (this is the only option that exposes the Modifications tab — Assigned skips it).
  6. On the Modifications tab, click Add and select nanitor-agent.mst.
  7. Click OK. The package is now assigned to computers in scope.

Step 4: Scope, pilot, and roll out

  1. Use security filtering or link to a small pilot OU first so the rollout reaches only a test group initially.
  2. On a pilot machine, run gpupdate /force and reboot — assigned software installs during startup, so a restart is required (a policy refresh alone will not install it).
  3. Confirm the machine enrols under the correct organization in Nanitor.
  4. Once the pilot succeeds, widen the GPO scope.

Important caveats

  • Reboot required. Assigned MSIs install at boot; there is no "install now" without a restart. If that is a problem, use the scheduled-task method in the main GPO article instead.
  • Do not manage agent versions through GPO. The agent updates itself after installation (see Agent Auto Update Process). Treat this package as a one-time installer; do not push new MSI versions through Software Installation, or GPO and the self-updater will fight.
  • One transform per organization. The signup URL is organization-specific, so each organization needs its own MSI/MST pairing or its own GPO.

Verification

  • On a target machine, check the Nanitor Agent service is present and running (Get-Service -Name "Nanitor Agent").
  • Confirm signup from an administrative prompt:

    & "C:\Program Files\Nanitor\Nanitor Agent\nanitor-agent-bin.exe" info
    
  • In Nanitor, confirm the device has checked in under the correct organization.

Removing the agent

Managed removal is one of the reasons to use GPO Software Installation. There are two approaches:

  • Automatic removal when out of scope. When you add the package (or later, via the package's Properties → Deployment tab), tick Uninstall this application when it falls out of the scope of management. The agent is then removed at the next reboot whenever you unlink the GPO or the computer leaves the targeted OU.
  • Forced removal. Right-click the package under Software installation and choose All Tasks → Remove, then select Immediately uninstall the software from users and computers. Targeted machines uninstall the agent at their next reboot.

Note

Like installation, managed removal happens at reboot, not at a policy refresh. Because the agent updates itself after install, confirm on a pilot machine that removal actually completed (the Nanitor Agent service should be gone) before relying on it across the fleet.