Skip to main content
Matrix42 Self-Service Help Center

EgoSecure Agent I: Windows

Distribute EgoSecure Agent

With the power of Matrix42 Secure Unified Endpoint Management, you can benefit from combining the capabilities of a modern enterprise mobility management solution with all the capabilities that EgoSecure Data Protection provides on your Windows device fleet. Within this guide, we will configure and generate a *.msi package with the EgoSecure Management Console and import the generated package into Silverback for distributing the EgoSecure Agent to your managed Windows 10/11 devices. Please note that when the EgoSecure Server is installed, a MSI package is automatically generated with the default settings and stored in the EgoSecure Server installation directory. Once the Server is updated, the MSI package is regenerated automatically and placed in the selected location on the EgoSecure Server computer.


  • Before you start, please review the following Documents and manuals
  • The distributed Ego Secure Agent platform (x64) must match the used Windows version (x64)

Create and Configure Package

  • Open your EgoSecure Console
  • Login with your administrative credentials
  • Navigate to Installation
  • Select Create MSI Package
  • Configure now the available settings of the MSI package with the following options:
Setting Options Description
EgoSecure Agent components installation
Install network driver for WLAN control
  • Do not install
  • Immediately
  • After Restart

Select if and when to install the kernel driver for WLAN control (esndislwf.sys). The following options are available:

Do not install: The WLAN control on the client remains disabled.

Immediately (not recommended): The driver is installed shortly after the MSI installation. Warning! The client network connection is temporary interrupted.

After restart: The driver is installed the first time the Client is restarted after the MSI installation

Possible data loss with immediate WLAN control installation If for the setting Install network driver for WLAN control you select Immediately, the client network connection is temporarily interrupted after the Agent installation. This can lead to data loss. To install the WLAN control after the restart of the EgoSecure Agent, select After restart.

Install kernel driver for CD/DVD control
  • Enabled or Disabled
Install the kernel driver (escdflt.sys) to encrypt on CD/DVD disks and control disk writing performed by third-party applications.
EgoSecure Agent service
Protect EgoSecure Agent service and files
  • Enabled or Disabled
Protects the EgoSecure Agent service from being stopped and the EgoSecure Agent system files from being removed and renamed. Once a user tries to stop the EgoSecure Agent service, all device types listed under Storage group are blocked.
EgoSecure Agent UI
Hide tray icon
  • Enabled or Disabled
Enable the option to make the EgoSecure Agent interface invisible. Users do not see any notifications, assigned permissions, etc. They can only use options available in the Windows Explorer context menu for encryption, Secure Erase, and Antivirus.
Tray UI language
  • e.g. English

Define the language of the EgoSecure Agent interface that is applied only during the first Agent installation. A user is permitted to change this language. The automatic language selection is performed in the following priority:

  1. User-defined language (user key in the registry)
  2. Language specified when generating the MSI package
  3. System language for the computer
  4. English (if nothing above matches)
EgoSecure overlay icons priority
  • Low
  • Normal
  • High
  • Highest

Define whether EgoSecure overlay icons have priority over other applications in Windows Explorer. Overlay icons identify an encryption type of files and folders. The following levels of adding EgoSecure Shell Icon Overlay Identifiers to the registry are available:

Low - adding z at the beginning of EgoSecure identifiers, no changes to the identifiers of other applications.

Normal - adding EgoSecure identifiers without spaces, no changes to the identifiers of other applications.

High - adding EgoSecure identifiers with spaces, no changes to the identifiers of other applications.

Highest - adding EgoSecure identifiers with spaces at the beginning, deleting spaces at the beginning of identifiers of other applications

Uninstall/Update password
  • e.g. Pa$$w0rd_Install
Optionally set a password required from users if they want to perform Agent uninstallation or update locally.
Check the password on
  • Uninstall
  • Update
Select which operation with Agent is protected from unauthorized access: uninstallation or update
Rights for communication devices
Apply after restart only
  • Enabled or Disabled
Define whether the rights for communication devices are applied shortly after the Agent installation or after a computer restart.
Write rights and settings into the MSI file (Offline Clients)
Export access control rights
  • Enabled or Disabled
Export access rights defined in User management and Computer management under Control | Devices and ports tab
Export permitted devices
  • Enabled or Disabled
Export a list of device permissions defined under Permitted devices | Permitted device models and under Permitted devices | Individual device permissions.
Export encryption settings
  • Enabled or Disabled
Export encryption types and encryption keys (including their private part) permitted for users or computers
Export only public part of keys
  • Enabled or Disabled
Only having a public part of keys, a user is not permitted to decrypt, and therefore, open files encrypted on other Agents. Note: Files encrypted internally on this Agent can be decrypted.
Export EgoSecure Antivirus settings
  • Enabled or Disabled
Distribute AV signatures to selected computers via the MSI package not to overload the network; global antivirus exclusions are also applied. If proxy server settings are defined under Administration | Servers | Mail, proxy and others and the Use proxy server check box is set under Product settings | EgoSecure Antivirus | Update settings, proxy server settings are written. The proxy server settings will be used later for signature update on the Client side via the Internet (if update from the EgoSecure Server is not possible). For details, see Installing Antivirus via MSI
Selection of objects

A double-click will open the selection pane

Select the objects (user/computer) for which the rights and settings selected in this section are exported to the MSI file.
Write authentication certificate for SSL communication to MSI
Add authentication certificate
  • Enabled or Disabled
Enable the option to add an Agent authentication certificate and its private key to the MSI package. The area with this option is greyed out if SSL is disabled. 
  • e.g. Pa$$w0rd
Enter a password to protect an Agent authentication certificate and its private key. This password is required from users during a local Agent installation/update or a remote Agent installation/update via script/software enrollment tools. Use only printable characters of the ASCII table.
  • After configuration, press Generate
  • Wait until the MSI package created successfully message and locate the output location

Review Output

  • Open Windows Explorer and navigate to your output location
    • e.g. C:\Program Files\EgoSecure\EgoSecure Server\MSI
  • Review the listed files and acknowledge that the *.msi and batch files are available for different architecture versions
  • Right-click depending on your target architecture version, either the install or install_x64 batch file
  • Press Edit
  • You should see now something similar to the following:
start /B msiexec /i ESAgentSetup_x64.msi /l* AgentInstall.log REINSTALL="ALL" REINSTALLMODE="vamus" ADMINPWD="" PKCS12_PASS=""
  • Copy the following part into your clipboard

Intregrate Agent

Add to App Portal

  • Open Silverback Management Console
  • Login with Administrative credentials
  • Navigate to App Portal
  • Select Windows
  • Press New Application
  • Change Scope to Device
  • Enter as Name e.g. EgoSecure Agent 
  • Enter a description
  • Select Choose File 
    • Navigate to your output folder and select your architecture version, e.g. ESAgentSetup_x64.msi
    • Double click the *.msi package
  • Upload your icon (optional)
  • Press the edit box for Installation Parameters 
  • Enter your adjusted installation parameters
    • e.g. with the sample MSI installation parameters:
/quiet /l* AgentInstall.log REINSTALL="ALL" REINSTALLMODE="vamus" ADMINPWD="" PKCS12_PASS="Pa$$w0rd"
  • Press OK
  • Enable Automatically push to managed devices
  • Press Save
  • Wait until the uploading process is finished 

Create a Tag

  • Navigate to Tags
  • Click New Tag
  • Enter a name, e.g. EgoSecure Agent
  • Under Enabled Features enable Apps
  • Under Device Types enable Windows
  • Enable Auto Population (optional)
  • Press Save

With activation of the Auto Population checkbox, all Windows devices will receive this tag when they check-in.  You can use also a more granular configuration for Auto Population for the tag assignment. Please note that it is recommend first to assign the Tag later manually to some test devices, before starting an automatic roll-out with this tag.  

Add EgoSecure Agent

  • Navigate to Apps
  • Select Assign More Apps
  • Select EgoSecure Agent Agent
  • Click Add Select Apps
  • Press Save & Close

Assign Tag (optional)  

If you have not enabled the Auto Population for the Tag, navigate now to Definition, press Associated Devices and assign devices by selecting the Attach More device option. As an alternative navigate to the Devices Tab, locate your device and use the quick action to assign the Tag manually.

Initialize and Review

Perform a device sync

  • On your Windows 10/11 device
  • Press Start
  • Open Settings
  • Select Accounts
  • Press Access work or school
  • Open the Silverback Profile
  • Press Info 
  • Scroll Down to Device sync status and perform a sync 

Agent Installation 

  • After the Device sync the device should have the Tag assigned in Silverback Management Console
    • Review the Tag Assignment in Silverback (optional)
  • The agent will now be transferred to the device. It may take some time. Please be patient 
  • Reopen the Silverback Profile to see under Applications the status
    • e.g. EnforcementCompleted
    • e.g. DownloadInProgress 
  • Check hidden folder on device for C:\ProgramData\EgoSecure
  • After a couple of time the EgoSecure Agent icon should appear on the bottom right
  • Was this article helpful?