Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-11191: Performing an audit-only installation of the Centrify Agent for Windows

Auditing and Monitoring Service ,  

10 December,18 at 10:07 PM

Question: How can the transform file be edited to perform an Audit-Only installation of the Centrify Agent for Windows?

Answer: Using the Orca.exe tool, an administrator or technician can edit certain properties of the Centrify Agent. This will allow for the agent to install with the auditing features only. The steps are listed below.


The default transform file, Group Policy Deployment.mst, enables one to specify registry key settings that are different from the default settings that are defined in the MSI file. The Group Policy Deployment.mst file will be used to cause a silent or attended installation for a specific environment.

In order to customize the agent settings for deployment, the Group Policy Deployment.mst file needs to be edited before executing the command to perform the installation. If the default settings are desired, then skip this section and go directly to Installing silently from the command line.

The Orca MSI editor must be used to edit the Group Policy Deployment.mst file. Orca is one of the tools available in the Windows SDK. If the Windows SDK or Orca is not installed, it can be downloaded and installed from this location:

*Please note that Orca is not a Centrify product and is not supported by Centrify, please contact the appropriate vendor if there are questions or issues with Orca*


1. Open Orca.exe and go to File -> Open -> Centrify Agent for Windows64

User-added image

2. Next, choose Transform -> Apply Transform and choose the Group Policy Deployment.mst file:

User-added image

3. In the left pane of Orca, scroll down to the 'Property' table and set the following values:


Add the following properties and values by right clicking ->Add Row: 
REG_SPOOL_DIR to. “C:\ProgramData\Centrify\DirectAudit\Spool” 
REG_INSTALLATION_ID to “2df5da49-31ec-4b66-b81a-d6be2f83c3cc”

An example of how the Property Table should look is shown below:

User-added image

Note that the installation ID is specific to the Centrify Direct Audit installation. If the installation ID is not known, it can be found by taking the following steps:

a.  Go to the Auditing Collector Server and open the Audit Collector Control Panel:

User-added image

b. Go to the Troubleshooting tab and click Diagnostics. Look for the Installation ID in the diagnostic file. This value will be entered into the REG_INSTALLATION_ID field above.

User-added image

4. Back to Orca, now choose the CustomAction table. Select the SetINSTALLEVEL action and change the value for INSTALLLEVEL from 1000 to 3

User-added image

5. After the above modifications are complete, click Transform -> Generate Transform and save it with a slightly different name so that it can be reverted back to the original .mst file if necessary. Example: "Group Policy Deployment New.mst"

User-added image

6. Open a command prompt as administrator and run the following command:

      C:\> msiexec /i "Centrify Agent for Windows64.msi" /qn TRANSFORMS="Group Policy Deployment New.mst" 

The machine will immediately reboot as the service is getting activated during this process.

After logging back into the machine, go to the Centrify Agent Configuration. Here it will be seen that the only the Auditing Service is installed and the Auditing Installation should be present.

User-added image

*Optional* Disabling Additional Credential Providers

There may be instances when a registry key will need to be disabled during the installation. An example of this is if the Centrify CLSID is interfering with another product's MFA features. This can also be done with Orca.exe

In the transform file, before the final transform file is generated, use Ctrl-F (find) to search for the registry key that should be removed. Once it is found, right-click and choose "Drop Row." But be very careful to ensure the correct registry key is getting removed. Please also consider backing up the registry before doing this.

User-added image

More information about disabling additional credential providers can be found here: