How can the transform file be edited to perform an Audit-Only installation of the Centrify Agent for Windows?

Answer:
Using the Orca.exe tool, an administrator or technician can edit certain properties of the Centrify Agent so that the agent installs with the auditing features only. The steps are listed below.
The default transform file, Group Policy Deployment.mst, enables one to specify registry key settings that are different from the default settings that are defined in the MSI file. The Group Policy Deployment.mst file is used to customize a silent or attended installation for a specific environment.
In order to customize the agent settings for deployment, the Group Policy Deployment.mst file needs to be edited before executing the command to perform the installation. If the default settings are desired, then skip this section and go directly to Installing silently from the command line.
The Orca MSI editor must be used to edit the Group Policy Deployment.mst file. Orca is one of the tools available in the Windows SDK. If the Windows SDK or Orca is not installed, it can be downloaded and installed from this location: http://msdn.microsoft.com/en-us/library/aa370557(v=vs.85).aspx.
*Please note that Orca is not a Centrify product and is not supported by Centrify. Please contact the appropriate vendor if there are questions or issues with Orca.*
1. Open Orca.exe and go to File -> Open -> Centrify Agent for Windows64
2. Next, choose Transform -> Apply Transform and choose the Group Policy Deployment.mst file:
3. In the left pane of Orca, scroll down to the 'Property' table and set the following values:
REG_MAX_FORMAT to 2
REG_DISK_CHECK_THRESHOLD to 10
Add the following properties and values by right-clicking -> Add Row:
REG_SPOOL_DIR to “C:\ProgramData\Centrify\DirectAudit\Spool”
REG_INSTALLATION_ID to “2df5da49-31ec-4b66-b81a-d6be2f83c3cc”
An example of how the Property Table should look is shown below:
Note that the installation ID is specific to the Centrify Direct Audit installation. If the installation ID is not known, it can be found by taking the following steps:
a. Go to the Auditing Collector Server and open the Audit Collector Control Panel:
b. Go to the Troubleshooting tab and click Diagnostics. Look for the Installation ID in the diagnostic file. This value will be entered into the REG_INSTALLATION_ID field above.
4. Back in Orca, choose the CustomAction table. Select the SetINSTALLEVEL action and change the value for INSTALLLEVEL from 1000 to 3.
5. After the above modifications are complete, click Transform -> Generate Transform and save it with a slightly different name so that it can be reverted back to the original .mst file if necessary. Example: "Group Policy Deployment New.mst"
6. Open a command prompt as administrator and run the following command: C:\> msiexec /i "Centrify Agent for Windows64.msi" /qn TRANSFORMS="Group Policy Deployment New.mst"
The machine will immediately reboot as the service is getting activated during this process.
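Before running the command in step 6, the saved transform can be read back to confirm that it carries the values from steps 3 and 4. The PowerShell below is an added example, not part of the original article or of Centrify's tooling. It uses the Windows Installer COM automation interface. The C:\Deploy paths, the helper names Invoke-Com and Get-MsiRows, and the placeholder installation ID are assumptions.

```powershell
# Added example: read back the MSI with the new transform applied (nothing is written).
$msi = 'C:\Deploy\Centrify Agent for Windows64.msi'    # assumed location
$mst = 'C:\Deploy\Group Policy Deployment New.mst'     # assumed location

# Values from step 3; use the installation ID from your own collector diagnostics.
$expected = [ordered]@{
    REG_MAX_FORMAT           = '2'
    REG_DISK_CHECK_THRESHOLD = '10'
    REG_SPOOL_DIR            = 'C:\ProgramData\Centrify\DirectAudit\Spool'
    REG_INSTALLATION_ID      = '<installation-id-from-diagnostics>'   # placeholder
}

# Hypothetical helper: late-bound call, the usual way to drive this COM object.
function Invoke-Com($obj, $name, $kind, $arguments) {
    $obj.GetType().InvokeMember($name, $kind, $null, $obj, $arguments)
}

# Hypothetical helper: run an MSI SQL query and return each row as an object.
function Get-MsiRows($db, $sql, $columns) {
    $view = Invoke-Com $db 'OpenView' 'InvokeMethod' @($sql)
    Invoke-Com $view 'Execute' 'InvokeMethod' $null | Out-Null
    while ($rec = Invoke-Com $view 'Fetch' 'InvokeMethod' $null) {
        $row = [ordered]@{}
        for ($i = 1; $i -le $columns.Count; $i++) {
            $row[$columns[$i - 1]] = Invoke-Com $rec 'StringData' 'GetProperty' @($i)
        }
        [pscustomobject]$row
    }
    Invoke-Com $view 'Close' 'InvokeMethod' $null | Out-Null
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$db = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($msi, 0)   # 0 = read-only
Invoke-Com $db 'ApplyTransform' 'InvokeMethod' @($mst, 0) | Out-Null   # applied in memory

$props = @{}
Get-MsiRows $db 'SELECT `Property`, `Value` FROM `Property`' @('Property', 'Value') |
    ForEach-Object { $props[$_.Property] = $_.Value }

foreach ($name in $expected.Keys) {
    $state = if ($props[$name] -eq $expected[$name]) { 'OK' } else { 'DIFF' }
    '{0,-25} {1,-5} {2}' -f $name, $state, $props[$name]
}

# Step 4: the row that sets INSTALLLEVEL should now show a Target of 3.
Get-MsiRows $db 'SELECT `Action`, `Source`, `Target` FROM `CustomAction`' @('Action', 'Source', 'Target') |
    Where-Object { $_.Source -eq 'INSTALLLEVEL' -or $_.Action -like 'Set*LEVEL' }
```

A DIFF line, or a Target other than 3, means the transform should be regenerated in Orca before it is deployed.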
After logging back into the machine, go to the Centrify Agent Configuration. Here it will be seen that only the Auditing Service is installed and the Auditing Installation should be present.

*Optional* Disabling Additional Credential Providers
There may be instances when a registry key will need to be disabled during the installation. An example of this is if the Centrify CLSID is interfering with another product's MFA features. This can also be done with Orca.exe.
In the transform file, before the final transform file is generated, use Ctrl-F (find) to search for the registry key that should be removed. Once it is found, right-click and choose "Drop Row." But be very careful to ensure the correct registry key is getting removed. Please also consider backing up the registry before doing this.
More information about disabling additional credential providers can be found here: https://centrify.force.com/support/Article/KB-8757-How-to-exclude-other-credential-providers-to-prevent-bypassing-windows-agent-MFA