How to package & mass deploy the VMware vRealize Operations Endpoint Agent to Windows computers using Microsoft Configuration Manager.


  • vROps is installed and cluster is online.
  • A dedicated agent account with the ‘AgentManager’ role is configured in vROps.
  • If a custom certificate is required instead of the default self generated certificate, this is configured.

Download vROps EPOps installation files

Install LinuxVSM

LinuxVSM is an application which makes it easier to download installation files from the VMware website, however if you prefer to use the website, skip to next step but use the My VMware website to locate and download the endpoint agent .exe installer (v6.7 download link)

To install it, run the following commands from a Linux installation (also works on Ubuntu from the Windows 10 store).

The timezone listed should be changed to your timezone.

Full installation and usage instructions are available at LinuxVSM on Github.

apt-get (or yum) update
git clone
cd aac-lib/vsm
chmod 755
./ 'Europe/London' (use your TZ)
/usr/local/bin/ -mr -y -c -u <myvmwareuser> -p <myvmwarepw>

Download the EPOps agent files

If using LinuxVSM, at the linux prompt run the following command, replacing with your username and password from the My VMware website.

/usr/local/bin/ -mr -y -c -u <myvmwareusername> -p <myvmwarepassword>

then navigate through the menu structure to navigate to where vROps downloads are located, for example:

  • Datacenter_Cloud_Infrastructure_VMware_vCloud_Suite_2017 or
  • Datacenter_Cloud_Infrastructure_VMware_vSphere_with_Operations_Management_6_7

then select vROps and then the vRealize End Point Operations Windows Agent 64 bit (exe file), e.g.

  • vRealize-Endpoint-Operations-Management-Agent-x86-64-win-6.7.0-7947327.exe

Create a standard agent configuration file

Instead of using this method, there is an option to manually add the password value using ep-agent.bat to add a property and encrypt it, however although it will look like it has stored it in the file correctly it will fail to authenticate to the server due to a mismatch.

Run the downloaded installer and enter the information when requested (either manually via the GUI interface, or by using the command line, ref Installing an End Point Operations Management Agent Silently on a Windows Machine).

Once complete, an configuration file will be created which includes all the required information (including encrypted agent password) for distributing to other computers.

It may seem that you could just call the silent installer direct via ConfigMgr, however this has the downside that the password is unencrypted in the command and thus logfiles (depending on deployment system used), and the windows agent often requires ep-agent.bat setup to be called from the command line after the installer has run to register it with the server correctly.

If you prefer this method, adding the ep-agent steps listed below at ‘Create an installation batch file ' as post install steps to run after the silent install is another option.

Command line installation

Replace the values with those required, the /SILENT flag will show a progress bar, remove the /SILENT to show the GUI, or replace with /VERYSILENT to be completely hidden. Refer to the GUI installation section below for where to retrieve the certificate thumbprint.:

vRealize-Endpoint-Operations-Management-Agent-x86-64-win-6.7.0-7947327.exe -serverAddress -username endpointagent -password demopassword -serverCertificateThumbprint '70:3C:BC:31:65:C7:52:98:32:B8:2D:4D:B2:81:BE:D8:C2:A7:AC:E4' /SILENT

GUI installation

Replace the server address with the address of your vROps standalone or cluster FQDN.

In the next step, enter the username and password for the endpoint agent account configured in vROps.

For the next step (adding the certificate thumbprint), the certificate thumbprint can be retrieved using the following guidance in the official vROps user guide:

‘To view the certificate thumbprint value, log into the vRealize Operations Manager Administration interface at https://IP Address/admin and click the SSL Certificate icon located on the right of the menu bar. Unless you replaced the original certificate with a custom certificate, the second thumbprint in the list is the correct one. If you did upload a custom certificate, the first thumbprint in the list is the correct one.’

You now have a standard agent configuration file that can be used to deploy the agent. The image below illustrate the lines added.

Prepare the directory for distribution

The files unique to this client must be removed before packaging for distribution, to do this, run the following commands (replacing the drive and paths to where you installed the agent):

cd %systemdrive%\ep-agent\bin
ep-agent stop
ep-agent remove
rmdir /s ..\data
del ..\log\*.* /s

Next run the following command from an administrator powershell prompt to send the agent folder to a compressed file, altering the output path (e.g. below it assumes a directory called build exists in the root of the system drive (usually C:), and the agent version to match the version downloaded above:

Compress-Archive'$env:systemdrive\ep-agent' '$env:systemdrive\build\'

Once the zip file has been created, remove the %systemdrive%\ep-agent directory. The agent stores the unique token for this computer in the EPOps agent folder at %ProgramData\VMware% thus it is safe to remove this directory as if and when the agent is installed to this computer again, it will reuse the same token avoiding any duplicates in vROps).

Create an installation batch file

Create a new text file called install.ps1 and add the following commands to it, replacing the InstalledVersion value is simply the version from the filename of the agent you downloaded with the full stops removed.

Expand-Archive -Path -DestinationPath $env:systemdrive\ -Force
cd %systemdrive%\ep-agent\bin\
.\ep-agent.bat install
.\ep-agent.bat setup
.\ep-agent.bat setup
New-ItemProperty -Path HKLM:\SOFTWARE\VMware\EPOps Agent -Name InstalledVersion -PropertyType DWord -Value 6707947327

Create a second test file called uninstall.ps1, with the following commands:

cd %systemdrive%\ep-agent\bin\
.\ep-agent.bat stop
.\ep-agent.bat remove
Remove-ItemProperty -Path HKLM:\SOFTWARE\VMware\EPOps Agent -Name InstalledVersion

Add to Microsoft ConfigMgr / SCCM

Copy the zip file and the batch file to your configuration manager applications source directory (e.g. applications\vmware\epops-agent\6.7.0-7947327).

Create the application in configuration manager as a manually configured application, with the following information:

  • Install program: powershell.exe install.ps1
  • Uninstall program: powershell.exe uninstall.ps1
  • Detection: Registry, HKLM:\SOFTWARE\VMware\EPOps the Agent key InstalledVersion is ‘greater than or equal’ the version as per your install script above.

Deploy the agent

Distribute the content and deploy the package as normal (to some test computers first), once confirmed that the application installs, the %systemdrive%\ep-agent directory appears, and that the agent appears in vROps (search for the server name and you will see an EPOPS entry, if doesn’t appear immediately, check again in a few minutes), then you can distribute the agent to your other computers.

Updating the agent

To update the agent in the future, repeat the above with the new version, but changing the install and uninstall files with the new agent version, and marking the configuration manager package as superceding the previous version, with the new package, and selecting to uninstall the previous version.

Whilst it’s advisable to continue to use Config Mgr to deploy agent updates (to avoid the complication of having one method for initial installation and a different method for updating), if you wish to use vROps itself to update agents by uploading an agent PAK file, as long as the registry key above isn’t removed, Config Mgr won’t try and re-install the agent.

Alternate packaging option

If you have access to an MSI builder, such as EMCO Package Builder, rather than using a zip file and ps1 install and uninstall files, you can package it all into an MSI, specifying the installation directory, and adding the ep-agent stop / remove commands from the install / uninstall scripts above as after and before uninstall steps.

If using this approach, you can also skip creating registry keys and use the product code of the MSI package instead.