Windows MDM Deployment
Overview
AI Endpoint Shield can be deployed enterprise-wide on Windows through any MDM or endpoint management platform that can run PowerShell scripts as SYSTEM (for example Microsoft Intune, Workspace ONE, ManageEngine, Kandji for Windows, or custom RMM tools).
A single install.ps1 script downloads a generic ZIP from Akto-hosted storage, installs or upgrades the agent, applies your credentials, and keeps devices current via a version manifest.
Why use MDM deployment?
Zero-touch deployment — no manual installs on each laptop
Centralized credentials — API token and guardrails URL passed as script parameters (not embedded in the ZIP)
Automatic updates — devices check a version manifest on each script run
MDM-agnostic — same script and parameters across vendors
No per-customer installer builds — one ZIP per release works for all tenants
For macOS, use Jamf MDM Deployment. For Automox Worklets on Windows, see Automox Deployment.
Architecture
Script execution | SYSTEM / LocalSystem (not the logged-on user)
PowerShell | 64-bit (powershell.exe, not 32-bit WOW64)
Installer payload | Generic ZIP per version (hosted by Akto)
Credentials | AKTO_API_TOKEN + AKTO_API_BASE_URL via MDM script parameters or environment variables
Auto-update | latest.json manifest URL (provided by Akto)
Install location | C:\Program Files\Akto Endpoint Shield\
Services | Scheduled tasks MCPEndpointShieldHTTP, MCPEndpointShieldAgent, MCPEndpointShieldDetector, MCPEndpointShieldSystemProxy
Config | Per-user and SYSTEM config.env under .akto-endpoint-shield\config\
This path uses ZIP + install.ps1, not an MSI or per-tenant .exe installer.
Prerequisites
1. AKTO_API_TOKEN
From the Akto platform (Atlas / guardrails onboarding)
Store as a secret in your MDM where supported
2. AKTO_API_BASE_URL
Guardrails URL, e.g. https://<account-id>-guardrails.akto.io
3. MANIFEST_URL
Provided by Akto during onboarding
HTTPS URL to latest.json for auto-update
4. INSTALLER_URL (optional)
Direct HTTPS URL to the ZIP — fallback if the manifest cannot be fetched
5. MDM capabilities
Your platform must support:
Running a PowerShell script on Windows 10/11
Execution as SYSTEM (elevated machine context)
64-bit PowerShell
Recurring execution (daily recommended) for updates
Passing script arguments or environment variables to the script
6. Network
Managed devices need HTTPS access to:
MANIFEST_URL and the ZIP host (often *.amazonaws.com)
https://<account-id>-guardrails.akto.io
https://ultron.akto.io (default data ingestion endpoint)
Scripts
Akto provides:
install.ps1 | Install, upgrade, configure
uninstall_windows.ps1 | Remove agent, tasks, and config (separate MDM assignment)
install.ps1 parameters
Positional arguments (space-separated when your MDM supports a single parameter string):
$1 | MANIFEST_URL | Yes* | HTTPS URL to latest.json
$2 | INSTALLER_URL | No | Direct ZIP URL if manifest fetch fails
$3 | AKTO_API_TOKEN | Yes | API token
$4 | AKTO_API_BASE_URL | Yes | Guardrails base URL
* Required unless only INSTALLER_URL / INSTALLER_PATH is used.
Example (with ZIP fallback):
Example (manifest only) — local test in PowerShell:
Environment variables (MANIFEST_URL, AKTO_API_TOKEN, AKTO_API_BASE_URL, FORCE_REINSTALL, etc.) are also supported if your MDM sets them instead of positional args.
Deploy via your MDM
Devices → Scripts → Add → Windows 10 and later
Upload install.ps1
Run as logged-on user: No | 64-bit PowerShell: Yes
Paste script parameters (manifest, optional ZIP URL, token, base URL)
Assign to groups; schedule daily for auto-update
Review Device status under the script assignment
Create a PowerShell remediation or custom script policy
Run as SYSTEM / LocalSystem with highest privileges
Use 64-bit PowerShell
Pass the four arguments (or set equivalent environment variables)
Schedule at least daily on enrolled Windows devices
Use your MDM's script success/failure reporting for validation
If your MDM passes a single space-delimited string, confirm in a pilot that the token maps to argument 3 and the base URL to argument 4. Akto onboarding can provide a parameter string tested for your platform.
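The argument shift described above can be caught before the parameter string is assigned to devices. This is an added example, not part of Akto's install.ps1: the helper name Test-AktoParameterString, the quote-aware splitting, and the sample values are assumptions made here.

```powershell
# Added example: pre-flight check of the single parameter string given to an MDM.
# Test-AktoParameterString is a hypothetical helper, not part of install.ps1.
function Test-AktoParameterString {
    param([Parameter(Mandatory)][string]$ParameterString)

    # Split on whitespace, keeping a quoted "" as one (empty) argument.
    $argv = @([regex]::Matches($ParameterString, '"([^"]*)"|(\S+)') | ForEach-Object {
        if ($_.Groups[1].Success) { $_.Groups[1].Value } else { $_.Groups[2].Value }
    })
    $problems = [System.Collections.Generic.List[string]]::new()
    if ($argv.Count -ne 4) {
        $problems.Add("expected 4 arguments, got $($argv.Count); a dropped argument 2 shifts the token and base URL")
        return $problems
    }
    $isHttps = {
        param($s)
        $u = $null
        [uri]::TryCreate($s, [UriKind]::Absolute, [ref]$u) -and $u.Scheme -eq 'https'
    }
    # Messages name the position only; the token value is never echoed.
    if (-not $argv[0] -and -not $argv[1]) {
        $problems.Add('arguments 1 (MANIFEST_URL) and 2 (INSTALLER_URL) are both empty')
    }
    if ($argv[0] -and -not (& $isHttps $argv[0])) {
        $problems.Add('argument 1 (MANIFEST_URL) is not an HTTPS URL')
    }
    if ($argv[1] -and -not (& $isHttps $argv[1])) {
        $problems.Add('argument 2 (INSTALLER_URL) is not an HTTPS URL')
    }
    if (-not $argv[2] -or $argv[2] -match '^https?://') {
        $problems.Add('argument 3 (AKTO_API_TOKEN) is empty or looks like a URL')
    }
    if (-not (& $isHttps $argv[3])) {
        $problems.Add('argument 4 (AKTO_API_BASE_URL) is not an HTTPS URL')
    }
    return $problems
}

# Constructed samples; PLACEHOLDER_TOKEN and both hosts are not real values.
# The first string keeps argument 2 as an explicit ""; the second omits it.
$explicit = 'https://downloads.example.com/latest.json "" PLACEHOLDER_TOKEN https://ACCOUNT-ID-guardrails.akto.io'
$omitted  = 'https://downloads.example.com/latest.json PLACEHOLDER_TOKEN https://ACCOUNT-ID-guardrails.akto.io'
Test-AktoParameterString $explicit
Test-AktoParameterString $omitted
```

An empty result means the four positions line up; any returned line names the position to fix in the MDM parameter field.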
Schedule and scope
Pilot | 5–10 devices | Daily, 1 week
Rollout | Engineering / security | Daily
Production | All Windows endpoints | Daily
The script skips downloading the ZIP when the installed version already matches the manifest. Daily runs are safe and pick up new Akto releases automatically.
Force full redeploy: set FORCE_REINSTALL=true (environment variable) on the script assignment.
What happens on the device
Fetches latest.json from MANIFEST_URL
Compares manifest version with akto-endpoint-shield.exe --version
If needed, downloads ZIP, stops tasks, deploys to C:\Program Files\Akto Endpoint Shield\
Writes config.env for interactive users and SYSTEM
Registers and starts scheduled tasks
MCP client and hook settings are controlled from the Akto dashboard after install.
Updates and rollback
Updates: Akto updates latest.json; devices upgrade on the next script run — no MDM policy change required
Rollback: Akto points latest.json to an older versioned ZIP path
Emergency: Pass a specific ZIP URL as argument 2 (INSTALLER_URL)
Verification
On a pilot device (Administrator PowerShell):
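One way to run these checks, as an added example rather than Akto's own commands. It uses only the paths, task names, and --version switch listed on this page; the function name and output property names are chosen here.

```powershell
# Added example: post-install checks on a pilot device (Administrator PowerShell).
# Get-AktoShieldStatus and its property names are hypothetical; paths and task
# names are the ones documented on this page.
function Get-AktoShieldStatus {
    $exe    = 'C:\Program Files\Akto Endpoint Shield\akto-endpoint-shield.exe'
    $config = Join-Path $env:USERPROFILE '.akto-endpoint-shield\config\config.env'
    $logs   = Join-Path $env:ProgramData 'akto-endpoint-shield\logs\*-wrapper.log'
    $names  = 'MCPEndpointShieldHTTP', 'MCPEndpointShieldAgent',
              'MCPEndpointShieldDetector', 'MCPEndpointShieldSystemProxy'

    # Installed version as reported by the binary itself.
    $version = $null
    if (Test-Path -LiteralPath $exe) {
        $version = (& $exe --version 2>&1 | Out-String).Trim()
    }

    $lastLog = Get-ChildItem -Path $logs -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1

    $r = [ordered]@{
        Is64BitProcess   = [Environment]::Is64BitProcess
        InstalledVersion = $version
        # Presence only: config.env is assumed to hold credentials, so it is not printed.
        UserConfigExists = Test-Path -LiteralPath $config
        NewestWrapperLog = if ($lastLog) { $lastLog.FullName } else { $null }
        LogLastWritten   = if ($lastLog) { $lastLog.LastWriteTime } else { $null }
    }

    # State of each scheduled task; 'Missing' when it is not registered.
    foreach ($n in $names) {
        $t = Get-ScheduledTask -TaskName $n -ErrorAction SilentlyContinue |
            Select-Object -First 1
        $r["Task $n"] = if ($t) { [string]$t.State } else { 'Missing' }
    }
    [pscustomobject]$r
}

Get-AktoShieldStatus | Format-List
```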
Also confirm success in your MDM script reporting and that the device appears under Akto → Endpoint Shield.
Checklist
Troubleshooting
Script fails immediately | Not running as SYSTEM or 32-bit PowerShell | Use 64-bit PowerShell as SYSTEM
Wrong config / token | Arguments shifted in MDM | Fix parameter string; test locally with explicit "" for arg 2
No upgrade | Manifest version mismatch | Contact Akto to align manifest and published ZIP
No processes running | Tasks failed or binary exited | Check %ProgramData%\akto-endpoint-shield\logs\*-wrapper.log
Download errors | Firewall / proxy | Allow HTTPS to manifest and ZIP URLs
See Whitelist Paths for EDR exclusions (e.g. SentinelOne).
File locations
C:\Program Files\Akto Endpoint Shield\akto-endpoint-shield.exe | Main binary
C:\Program Files\Akto Endpoint Shield\start-akto-mode.ps1 | Task wrapper
%USERPROFILE%\.akto-endpoint-shield\config\config.env | User configuration
%ProgramData%\akto-endpoint-shield\logs\ | Install and wrapper logs
Get support
In-app Intercom on the Akto dashboard
support@akto.io
For MANIFEST_URL and release artifacts, contact your Akto account team.