
💻Safetica On-Prem: How to install Safetica Client via Microsoft Configuration Manager

Learn how to distribute and install Safetica Client to multiple devices using Microsoft Configuration Manager (formerly known as System Center Configuration Manager (SCCM)).

 

Applies to: Safetica On-Prem

 

Introduction

When you manage a large number of devices, installing Safetica Client manually on each device is not practical. Microsoft Configuration Manager lets you package the Safetica Client installer as an application, distribute it to your environment, and install it silently to target devices.

This approach gives you full control over the installation process: you choose when the installer runs, whether and when devices restart, and how updates are applied. Safetica Client connects to your Safetica server immediately after installation, but device protection only becomes fully active after a restart.

Key benefits:

  • Silent, unattended deployment across any number of devices.
  • Restart timing controlled by your own maintenance windows (no unexpected restarts).
  • Update lifecycle managed entirely through Configuration Manager, independent of Safetica console.

 

 


Prerequisites

  • Access to the Configuration Manager console.
  • Access to the Safetica server where the Safetica Client installer file is stored.
  • You know the hostname or IP address of the server running Safetica Management Service.
  • You have at least one Distribution Point accessible by target devices.
  • You have configured antivirus exclusions for Safetica Client on target devices.

❗ Antivirus exclusions

Before running the installation, configure antivirus exclusions for Safetica Client. Without exclusions, your antivirus software may block the installation or individual Safetica components. In a silent, unattended deployment, this can result in a failed installation with no visible error message. Learn how to set up antivirus exceptions for Safetica Client here.

 

 


Limitations

When Safetica Client is installed and managed via Configuration Manager, the update lifecycle is fully owned by your IT team. Safetica console cannot independently initiate an update to a newer Safetica Client version – you must package each new version as a new Configuration Manager application and deploy it through the standard workflow described below.

 

 


Choose the right installer

For installation via the Configuration Manager, you must use the full Safetica Client installer directly (not the Downloader Agent).

| File | What it does | Suitable for Configuration Manager? |
| --- | --- | --- |
| safetica_agent.msi | Lightweight agent that registers the device in Safetica Maintenance Console, then downloads and installs the full Safetica Client afterwards. | No, you have no control over the full installation; restart cannot be managed. |
| safetica_endpoint_client_x64.msi | Full Safetica Client installer. Installs Safetica Client in a single step and connects directly to the Safetica server. | Yes, full control over the installation and restart lifecycle. |

 

 


Recommended rollout process

Before installing to all target devices:

  1. Install to a single test device (pilot collection).
  2. Go to Monitoring > Deployments in the Configuration Manager console and verify that the installation completed successfully.
  3. Open Safetica console and verify that the device appears in the Devices section and is sending data.
  4. Schedule a restart of the test device.
  5. Confirm in Safetica console that the device status changes to OK and full device protection is active.
  6. Install to all target devices (full target collection).

 

 



How to install Safetica Client via Configuration Manager 

Step 1: Prepare the installer source file 

The full Safetica Client installer is located on the Safetica server at:

C:\ProgramData\Safetica Management Service\Files\safetica_endpoint_client_x64.msi

  1. Open the Safetica server file system and navigate to: C:\ProgramData\Safetica Management Service\Files\.
  2. Copy safetica_endpoint_client_x64.msi to a file server (Distribution Point) from which Configuration Manager distributes content to target devices.

 ✍️ Verify that target devices have read access to the shared location before proceeding. 

 

Step 2: Create the application in Configuration Manager

  1. Open the Configuration Manager console.
  2. Go to Software Library > Application Management > Applications.
  3. Click Create Application.
  4. Select MSI as the application type. Configuration Manager will automatically read metadata from the MSI file (name, version, Product Code).
  5. Configure the Deployment Type with the following install command: msiexec /i "safetica_endpoint_client_x64.msi" /qn REBOOT=ReallySuppress STSERVER=<hostname_or_IP>

The STSERVER parameter is mandatory. Without it, Safetica Client installs but does not connect to Safetica console.

Install command parameters:

| Parameter | Description |
| --- | --- |
| /qn | Silent installation with no UI. |
| REBOOT=ReallySuppress | Suppresses restart even if the installer internally requests one. You manage the restart separately via your Configuration Manager maintenance window. |
| STSERVER=<hostname_or_IP> | Hostname or IP address of the server running Safetica Management Service. This parameter is required. |

Example: If your Safetica Management Service runs on a server with hostname safetica-srv.corp.local, the install command is:

msiexec /i "safetica_endpoint_client_x64.msi" /qn REBOOT=ReallySuppress STSERVER=safetica-srv.corp.local

 

Step 3: Configure the detection method 

Configuration Manager uses the MSI Product Code to detect whether the application is already installed on a device. This value is read automatically from the MSI file, so no manual configuration is needed.

✍️ The Product Code changes with each new Safetica release. When you create a new Configuration Manager package for an updated version, verify that the detection method references the new Product Code.
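
The following PowerShell sketch is an added example, not part of Safetica's or Microsoft's documentation. Run on the Safetica server, it checks that the copy made in Step 1 is byte-identical to the source, reports its Authenticode signature status, and reads the Product Code and version from the MSI so you can compare them with the detection method. The share path in $Copy and the helper name Get-MsiProperty are assumptions.

```powershell
# Added example. $Source is the path given in Step 1; $Copy is a hypothetical share path.
$Source = 'C:\ProgramData\Safetica Management Service\Files\safetica_endpoint_client_x64.msi'
$Copy   = '\\fileserver\cm-source\Safetica\safetica_endpoint_client_x64.msi'

# Hypothetical helper: read one value from the MSI Property table via the Windows Installer COM API.
function Get-MsiProperty {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Name)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    try {
        # Second argument 0 = open the database read-only.
        $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
        $sql  = "SELECT Value FROM Property WHERE Property = '$Name'"
        $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
        $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
        $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($rec) { $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1) }
        $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
    }
    finally {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
    }
}

# 1. The file on the share must be the same file that came from the Safetica server.
$srcHash = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -LiteralPath $Copy   -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) {
    throw "Copy on the share differs from the source (source $srcHash, copy $dstHash)."
}

# 2. Report the signature status instead of assuming one; review anything other than Valid.
$sig = Get-AuthenticodeSignature -LiteralPath $Copy

# 3. Values to compare with the application's detection method in Configuration Manager.
[pscustomobject]@{
    SHA256          = $dstHash
    SignatureStatus = $sig.Status
    Signer          = $sig.SignerCertificate.Subject
    ProductCode     = Get-MsiProperty -Path $Copy -Name 'ProductCode'
    ProductVersion  = Get-MsiProperty -Path $Copy -Name 'ProductVersion'
}
```

Keep the reported SHA256 and ProductCode with the package record; when you package the next Safetica release, a changed ProductCode confirms that the detection method must be updated.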

 

Step 4: Distribute content to Distribution Points

Distribute the application content to your Distribution Points so that target devices can access the installer.

  1. Right-click the application in the Configuration Manager console.
  2. Click Distribute Content.
  3. Select the Distribution Point group.
  4. Go to the Monitoring tab.
  5. Verify that content distribution completed successfully on all selected Distribution Points. 

 

Step 5: Deploy to a device collection

  1. Right-click the application in the Configuration Manager console.
  2. Click Deploy.
  3. Select the target device collection.
  4. Set Deployment Purpose to Required (forced silent installation in the background).
  5. Set User Experience to Install for system (not for the signed-in user).
  6. Do not set Restart behavior to any specific action (manage restart separately via maintenance window).

❗ Restart your devices

After you finish the five steps above, Safetica Client is installed and connects to your Safetica server, but device protection is not yet fully active.

The Safetica kernel driver fully activates only after a restart. The REBOOT=ReallySuppress parameter prevents an immediate restart during installation, so you must schedule a restart of target devices in your next available maintenance window. Device protection is only active after restart. 
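
For the pilot device in the recommended rollout process, the following added PowerShell example (not vendor code) checks locally whether the MSI is registered, when Windows Installer last logged an install result, and whether the device has restarted since then. The Product Code is a placeholder to replace with the value read from your MSI, and matching events on the word "Safetica" is an assumption about the product name.

```powershell
# Added example: run in an elevated session on the pilot device.
# Placeholder: replace with the Product Code read from your safetica_endpoint_client_x64.msi.
$ProductCode = '{00000000-0000-0000-0000-000000000000}'

# MSI-installed products register an Uninstall key named after their Product Code.
$key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode"
$installed = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue

# MsiInstaller event 1033 records each install attempt and its success or error status.
# Assumption: the product name in the event message contains "Safetica".
$lastInstall = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Safetica*' } |
    Select-Object -First 1          # Get-WinEvent returns newest events first

$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

[pscustomobject]@{
    Installed             = [bool]$installed
    DisplayName           = $installed.DisplayName
    DisplayVersion        = $installed.DisplayVersion
    LastInstallEvent      = $lastInstall.TimeCreated
    LastInstallMessage    = $lastInstall.Message
    LastBoot              = $lastBoot
    # False means the install was logged after the last boot, so a restart is still outstanding.
    RestartedSinceInstall = if ($lastInstall) { $lastBoot -gt $lastInstall.TimeCreated } else { $null }
}
```

If Installed is False and no event is found, the installer was likely never run or was blocked before Windows Installer logged a result; check the deployment status in Configuration Manager and the antivirus exclusions.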

 

 


How to update Safetica Client via Configuration Manager 

✍️ After a successful Configuration Manager update deployment, the device may show as Outdated in the Devices section until the device is restarted. This is expected behavior – the status clears automatically after restart.

 

Limitations

  • For each Safetica Client update, prepare a new Configuration Manager package with the updated MSI file and the corresponding new Product Code.
  • Schedule the Configuration Manager update deployment together with a restart task in the same maintenance window. Full activation of the updated Safetica Client requires a restart.
  • Do not combine Configuration Manager-managed updates with update management through Safetica console (Devices section). Use one method consistently to avoid conflicts.

 

Step 0: Allow updates in Safetica Maintenance Console

Before deploying an update via Configuration Manager, you must allow updates for the target devices in Safetica Maintenance Console.

Without this setting, the Configuration Manager deployment completes successfully on the Configuration Manager side, but Safetica blocks the update internally.

  1. Open Safetica Maintenance Console.
  2. Go to Maintenance > Endpoint Settings > Allowed Actions.
  3. Set the Update toggle to Allow for the target devices.
  4. Proceed with the standard Configuration Manager deployment steps described above.

 

 


FAQ

Q: What happens if I omit the STSERVER parameter from the install command?

A: Safetica Client installs successfully, but it does not connect to your Safetica server. The device does not appear in Safetica console, and no policies or protection are applied. You would need to reinstall with the correct parameter.

 

Q: Can I update Safetica Client from Safetica console if I installed it via Configuration Manager?

A: No. When you manage installation through Configuration Manager, the update lifecycle belongs to your IT team. Do not combine Configuration Manager updates with console-initiated updates – use one method consistently to avoid conflicts.

 

Q: Why does my device show as Outdated in Safetica console after a successful Configuration Manager update?

A: This is expected behavior. After a Configuration Manager update deployment, the device shows as Outdated until it is restarted. The status clears automatically after the device restarts and the updated Safetica Client fully activates.

 

Q: Do I need to change the detection method when deploying a new Safetica Client version?

A: Yes. The MSI Product Code changes with each new Safetica release. When you create a new Configuration Manager package for an updated version, verify that the detection method references the new Product Code.