https://dmtechops.com/tags/sentinelone/ Recent content in Sentinelone on Darren Mair Hugo -- gohugo.io en-us darren@example.com (Darren Mair) darren@example.com (Darren Mair) Wed, 06 May 2026 00:00:00 +0000 https://dmtechops.com/p/automating-sentinelone-deployment-across-azure-vms/ Wed, 06 May 2026 00:00:00 +0000darren@example.com (Darren Mair) https://dmtechops.com/p/automating-sentinelone-deployment-across-azure-vms/ <img src="https://dmtechops.com/p/automating-sentinelone-deployment-across-azure-vms/banner-sentinelone-deployment.svg" alt="Featured image of post Automating SentinelOne Deployment Across Azure VMs" /><p>This guide walks through how to automate SentinelOne deployment across Azure virtual machines by using the <code>Sentinel_Check_&amp;_Install_v1.ps1</code> script. The script scans subscriptions, skips excluded workloads, checks existing SentinelOne extensions, optionally repairs failed deployments, resolves secrets from secure runtime sources, and exports a CSV summary for audit and follow-up.</p> <h2 id="what-the-script-does">What the script does </h2><p>At a high level, the script:</p> <ol> <li>Authenticates to Azure with <code>Connect-AzAccount</code>.</li> <li>Enumerates one or more subscriptions.</li> <li>Maps each subscription to a SentinelOne site token based on the subscription name.</li> <li>Filters out excluded regions and VM names.</li> <li>Checks whether each VM is running.</li> <li>Detects whether the SentinelOne extension is already installed.</li> <li>Flags failed extension provisioning states.</li> <li>Resolves the SentinelOne API key and site tokens from parameters, environment variables, or Azure Key Vault.</li> <li>Installs or reinstalls the SentinelOne extension where needed.</li> <li>Writes a CSV report covering every decision the run made.</li> </ol> <h2 id="before-you-run-it">Before you run it </h2><p>You need the following in place first:</p> <table> <thead> <tr> <th>Requirement</th> <th>Why it matters</th> </tr> </thead> <tbody> <tr> <td>Azure PowerShell modules, especially <code>Az.Accounts</code>, <code>Az.Compute</code>, and <code>Az.Resources</code></td> <td>The script relies on <code>Get-AzSubscription</code>, <code>Get-AzVM</code>, <code>Get-AzVMExtension</code>, <code>Set-AzVMExtension</code>, and related commands.</td> </tr> <tr> <td>Rights to read subscriptions and manage VM extensions</td> <td>The script installs and removes Azure VM extensions.</td> </tr> <tr> <td>SentinelOne console API key</td> <td>Required by the extension install process and now supplied securely at runtime.</td> </tr> <tr> <td>SentinelOne site tokens for each environment</td> <td>The script picks a token by matching subscription names such as <code>prod</code>, <code>preprod</code>, <code>qa</code>, and <code>dev</code>.</td> </tr> <tr> <td>A safe test scope</td> <td>Start with a limited subscription list and <code>-WhatIf</code> before broad rollout.</td> </tr> </tbody> </table> <blockquote class="alert alert-note"> <div class="alert-header"> <span class="alert-icon">📝</span> <span class="alert-title">Note</span> </div> <div class="alert-body"> <p>The script no longer requires hard-coded secrets in the file. Supply the SentinelOne API key and site tokens through explicit parameters, environment variables, or Azure Key Vault.</p> </div> </blockquote> <h2 id="step-1-review-the-parameters">Step 1: Review the parameters </h2><p>The script exposes operational parameters for VM targeting and secret-resolution parameters for secure execution.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="k">param</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="no">string[]</span><span class="p">]</span> <span class="nv">$SubscriptionIds</span> <span class="p">=</span> <span class="vm">@</span><span class="p">(),</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="no">string[]</span><span class="p">]</span> <span class="nv">$ExcludedLocations</span> <span class="p">=</span> <span class="vm">@</span><span class="p">(</span><span class="s1">&#39;ukwest&#39;</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="no">string[]</span><span class="p">]</span> <span class="nv">$ExcludedVMNames</span> <span class="p">=</span> <span class="vm">@</span><span class="p">(</span><span class="s1">&#39;ufwduks001v&#39;</span><span class="p">,</span> <span class="s1">&#39;ufwduks002v&#39;</span><span class="p">,</span> <span class="s1">&#39;uavsjbtempuks001&#39;</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="no">string</span><span class="p">]</span> <span class="nv">$SentinelOneConsoleAPIKey</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="no">string</span><span class="p">]</span> <span class="nv">$ProdSiteToken</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="no">string</span><span class="p">]</span> <span class="nv">$PreProdSiteToken</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="no">string</span><span class="p">]</span> <span class="nv">$QaSiteToken</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="no">string</span><span class="p">]</span> <span class="nv">$DevSiteToken</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="no">string</span><span class="p">]</span> <span class="nv">$KeyVaultName</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="no">string</span><span class="p">]</span> <span class="nv">$KeyVaultSubscriptionId</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="no">switch</span><span class="p">]</span> <span class="nv">$AutoStartVMs</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="no">switch</span><span class="p">]</span> <span class="nv">$ReinstallFailedExtensions</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="no">string</span><span class="p">]</span> <span class="nv">$CsvPath</span> <span class="p">=</span> <span class="s2">&#34;.\SentinelCheck_Results_</span><span class="p">$((</span><span class="nb">Get-Date</span><span class="p">).</span><span class="py">ToString</span><span class="p">(</span><span class="s1">&#39;yyyyMMdd_HHmmss&#39;</span><span class="p">))</span><span class="s2">.csv&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>Use them like this:</p> <table> <thead> <tr> <th>Parameter</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>SubscriptionIds</code></td> <td>Limits the run to specific subscriptions. If empty, the script scans every subscription visible to the signed-in account.</td> </tr> <tr> <td><code>ExcludedLocations</code></td> <td>Prevents deployment in selected Azure regions.</td> </tr> <tr> <td><code>ExcludedVMNames</code></td> <td>Skips known exception VMs.</td> </tr> <tr> <td><code>SentinelOneConsoleAPIKey</code> and site token parameters</td> <td>Optional explicit secret inputs for ad hoc runs.</td> </tr> <tr> <td><code>KeyVaultName</code></td> <td>Enables direct secret lookup from Azure Key Vault.</td> </tr> <tr> <td><code>KeyVaultSubscriptionId</code></td> <td>Lets the script switch to a different subscription before reading Key Vault secrets.</td> </tr> <tr> <td><code>AutoStartVMs</code></td> <td>Starts stopped VMs so they can be remediated.</td> </tr> <tr> <td><code>ReinstallFailedExtensions</code></td> <td>Removes failed SentinelOne extensions and installs a fresh copy.</td> </tr> <tr> <td><code>CsvPath</code></td> <td>Controls where the execution report is written.</td> </tr> </tbody> </table> <h2 id="step-2-provide-secrets-securely">Step 2: Provide secrets securely </h2><p>The script now resolves secrets in this order:</p> <ol> <li>Explicit parameter values.</li> <li>Environment variables.</li> <li>Azure Key Vault secrets.</li> </ol> <p>That means you can use the same script in three common ways without editing the file.</p> <h3 id="option-a-environment-variables">Option A: Environment variables </h3><p>For automation platforms, environment variables are the simplest integration point:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="nv">$env:SENTINELONE_API_KEY</span> <span class="p">=</span> <span class="s1">&#39;&lt;secure value&gt;&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">$env:S1_SITE_TOKEN_PROD</span> <span class="p">=</span> <span class="s1">&#39;&lt;secure value&gt;&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">$env:S1_SITE_TOKEN_PREPROD</span> <span class="p">=</span> <span class="s1">&#39;&lt;secure value&gt;&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">$env:S1_SITE_TOKEN_QA</span> <span class="p">=</span> <span class="s1">&#39;&lt;secure value&gt;&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">$env:S1_SITE_TOKEN_DEV</span> <span class="p">=</span> <span class="s1">&#39;&lt;secure value&gt;&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>The script also accepts alternate names such as <code>SENTINELONE_CONSOLE_API_KEY</code> and <code>SENTINELONE_SITE_TOKEN_PROD</code>, but the shorter names above are the cleanest standard.</p> <h3 id="option-b-azure-key-vault">Option B: Azure Key Vault </h3><p>If you want the script to resolve secrets directly from Key Vault, provide the vault name and optionally the subscription that hosts the vault:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="p">.\</span><span class="n">Sentinel_Check_</span><span class="p">&amp;</span><span class="n">_Install_v1</span><span class="p">.</span><span class="py">ps1</span> <span class="p">\</span> </span></span><span class="line"><span class="cl"> <span class="n">-SubscriptionIds</span> <span class="s1">&#39;00000000-0000-0000-0000-000000000000&#39;</span> <span class="p">\</span> </span></span><span class="line"><span class="cl"> <span class="n">-KeyVaultName</span> <span class="s1">&#39;kv-sentinelone-prod&#39;</span> <span class="p">\</span> </span></span><span class="line"><span class="cl"> <span class="n">-KeyVaultSubscriptionId</span> <span class="s1">&#39;11111111-1111-1111-1111-111111111111&#39;</span> <span class="p">\</span> </span></span><span class="line"><span class="cl"> <span class="n">-WhatIf</span> </span></span></code></pre></td></tr></table> </div> </div><p>By default, the script looks for these Key Vault secret names:</p> <table> <thead> <tr> <th>Secret</th> <th>Default name</th> </tr> </thead> <tbody> <tr> <td>SentinelOne console API key</td> <td><code>sentinelone-console-api-key</code></td> </tr> <tr> <td>Production site token</td> <td><code>sentinelone-site-token-prod</code></td> </tr> <tr> <td>Pre-production site token</td> <td><code>sentinelone-site-token-preprod</code></td> </tr> <tr> <td>QA site token</td> <td><code>sentinelone-site-token-qa</code></td> </tr> <tr> <td>Development site token</td> <td><code>sentinelone-site-token-dev</code></td> </tr> </tbody> </table> <h3 id="option-c-explicit-parameters">Option C: Explicit parameters </h3><p>This is useful for a one-off run, but it is the least desirable option for shared automation because secrets can leak into command history or logs.</p> <h2 id="step-3-confirm-the-subscription-to-token-mapping">Step 3: Confirm the subscription-to-token mapping </h2><p>The script decides which site token to use by checking the subscription name:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="kd">function</span><span class="w"> </span><span class="nb">Get-SentinelSiteTokenForSubscription</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">param</span><span class="p">([</span><span class="no">string</span><span class="p">]</span> <span class="nv">$SubscriptionName</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nv">$name</span> <span class="p">=</span> <span class="nv">$SubscriptionName</span><span class="p">.</span><span class="py">ToLowerInvariant</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nv">$name</span> <span class="o">-match</span> <span class="s1">&#39;preprod&#39;</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$PreProdSiteToken</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nv">$name</span> <span class="o">-match</span> <span class="s1">&#39;prod&#39;</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$ProdSiteToken</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nv">$name</span> <span class="o">-match</span> <span class="s1">&#39;qa&#39;</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$QaSiteToken</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nv">$name</span> <span class="o">-match</span> <span class="s1">&#39;dev&#39;</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$DevSiteToken</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nv">$ProdSiteToken</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>This is simple and effective, but only if your Azure subscription naming standard is consistent. Validate that every targeted subscription name contains one of those environment markers. If not, expand the matching rules before rollout.</p> <h2 id="step-4-run-a-dry-run-first">Step 4: Run a dry run first </h2><p>Because the script uses <code>SupportsShouldProcess = $true</code>, you can validate scope with <code>-WhatIf</code>.</p> <p>Example dry run:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="nv">$env:SENTINELONE_API_KEY</span> <span class="p">=</span> <span class="s1">&#39;&lt;secure value&gt;&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">$env:S1_SITE_TOKEN_PROD</span> <span class="p">=</span> <span class="s1">&#39;&lt;secure value&gt;&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">$env:S1_SITE_TOKEN_PREPROD</span> <span class="p">=</span> <span class="s1">&#39;&lt;secure value&gt;&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">$env:S1_SITE_TOKEN_QA</span> <span class="p">=</span> <span class="s1">&#39;&lt;secure value&gt;&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">$env:S1_SITE_TOKEN_DEV</span> <span class="p">=</span> <span class="s1">&#39;&lt;secure value&gt;&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">.\</span><span class="n">Sentinel_Check_</span><span class="p">&amp;</span><span class="n">_Install_v1</span><span class="p">.</span><span class="py">ps1</span> <span class="p">\</span> </span></span><span class="line"><span class="cl"> <span class="n">-SubscriptionIds</span> <span class="s1">&#39;00000000-0000-0000-0000-000000000000&#39;</span> <span class="p">\</span> </span></span><span class="line"><span class="cl"> <span class="n">-ExcludedLocations</span> <span class="s1">&#39;ukwest&#39;</span> <span class="p">\</span> </span></span><span class="line"><span class="cl"> <span class="n">-ExcludedVMNames</span> <span class="s1">&#39;legacy-vm-01&#39;</span> <span class="p">\</span> </span></span><span class="line"><span class="cl"> <span class="n">-WhatIf</span> </span></span></code></pre></td></tr></table> </div> </div><p>During this phase, review:</p> <ol> <li>Which subscriptions are discovered.</li> <li>How many VMs are excluded.</li> <li>Which VMs are marked <code>WouldInstall</code>.</li> <li>Whether any subscriptions default to the wrong site token.</li> </ol> <h2 id="step-5-understand-the-vm-checks">Step 5: Understand the VM checks </h2><p>For each VM, the script performs four important decisions:</p> <ol> <li>Is the VM in scope after location and name exclusions?</li> <li>Is the VM currently running?</li> <li>Does a SentinelOne VM extension already exist?</li> <li>Is the existing extension healthy or failed?</li> </ol> <p>Stopped VMs are not installed by default. They are logged with status <code>VMStopped</code>, and only started when <code>-AutoStartVMs</code> is provided.</p> <h2 id="step-6-install-or-repair-the-extension">Step 6: Install or repair the extension </h2><p>When the script finds a VM without a SentinelOne extension, it installs the correct extension based on OS type:</p> <table> <thead> <tr> <th>OS</th> <th>Publisher</th> <th>Extension type</th> </tr> </thead> <tbody> <tr> <td>Windows</td> <td><code>SentinelOne.WindowsExtension</code></td> <td><code>WindowsExtension</code></td> </tr> <tr> <td>Linux</td> <td><code>SentinelOne.LinuxExtension</code></td> <td><code>LinuxExtension</code></td> </tr> </tbody> </table> <p>If an existing SentinelOne extension is present but the provisioning state is failed, the script can remove and reinstall it when <code>-ReinstallFailedExtensions</code> is enabled.</p> <p>Example live run:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="nv">$env:SENTINELONE_API_KEY</span> <span class="p">=</span> <span class="s1">&#39;&lt;secure value&gt;&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">$env:S1_SITE_TOKEN_PROD</span> <span class="p">=</span> <span class="s1">&#39;&lt;secure value&gt;&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">$env:S1_SITE_TOKEN_PREPROD</span> <span class="p">=</span> <span class="s1">&#39;&lt;secure value&gt;&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">$env:S1_SITE_TOKEN_QA</span> <span class="p">=</span> <span class="s1">&#39;&lt;secure value&gt;&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">$env:S1_SITE_TOKEN_DEV</span> <span class="p">=</span> <span class="s1">&#39;&lt;secure value&gt;&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">.\</span><span class="n">Sentinel_Check_</span><span class="p">&amp;</span><span class="n">_Install_v1</span><span class="p">.</span><span class="py">ps1</span> <span class="p">\</span> </span></span><span class="line"><span class="cl"> <span class="n">-SubscriptionIds</span> <span class="s1">&#39;00000000-0000-0000-0000-000000000000&#39;</span> <span class="p">\</span> </span></span><span class="line"><span class="cl"> <span class="n">-ReinstallFailedExtensions</span> <span class="p">\</span> </span></span><span class="line"><span class="cl"> <span class="n">-AutoStartVMs</span> <span class="p">\</span> </span></span><span class="line"><span class="cl"> <span class="n">-CsvPath</span> <span class="s1">&#39;.\reports\sentinelone-deployment.csv&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="step-7-read-the-output-categories">Step 7: Read the output categories </h2><p>The CSV report is the operational record of the run. Expect these statuses:</p> <table> <thead> <tr> <th>Status</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td><code>AlreadyInstalled</code></td> <td>SentinelOne extension already exists and does not show failed provisioning.</td> </tr> <tr> <td><code>ProvisioningFailed</code></td> <td>Existing extension was detected in a failed state.</td> </tr> <tr> <td><code>Installed</code></td> <td>SentinelOne was installed during the run.</td> </tr> <tr> <td><code>ReinstalledAfterFailure</code></td> <td>Failed extension was removed and reinstalled successfully.</td> </tr> <tr> <td><code>WouldInstall</code></td> <td>Dry-run result produced by <code>-WhatIf</code>.</td> </tr> <tr> <td><code>VMStopped</code></td> <td>VM was skipped because it was not running.</td> </tr> <tr> <td><code>InspectionFailed</code></td> <td>Extension inspection could not complete.</td> </tr> <tr> <td><code>InstallFailed</code> or <code>ReinstallFailed</code></td> <td>Installation or remediation failed and needs follow-up.</td> </tr> <tr> <td><code>SkippedSubscription</code></td> <td>Subscription processing failed or token mapping could not be resolved.</td> </tr> </tbody> </table> <p>This report is suitable for service desk handoff, remediation tracking, or import into a workbook.</p> <h2 id="step-8-roll-out-safely-in-phases">Step 8: Roll out safely in phases </h2><p>For a production rollout, use a staged approach:</p> <ol> <li>Run against one non-production subscription with <code>-WhatIf</code>.</li> <li>Run live in non-production and review the CSV output.</li> <li>Enable <code>-ReinstallFailedExtensions</code> only after confirming the extension settings are correct.</li> <li>Expand to production subscriptions in controlled batches.</li> <li>Keep the exclusion lists under change control so exceptions stay visible.</li> </ol> <h2 id="step-9-harden-the-script-before-long-term-use">Step 9: Harden the script before long-term use </h2><p>The script already has good operational structure, but a few changes would make it safer and easier to maintain:</p> <ol> <li>Keep secrets outside the script and rotate them through Key Vault or pipeline secret stores.</li> <li>Log to a structured output folder rather than the current working directory.</li> <li>Make environment mapping explicit in configuration instead of matching on free-text subscription names.</li> <li>Add transcript logging for change evidence.</li> <li>Run it from an automation account, pipeline agent, or scheduled management host instead of a workstation.</li> </ol> <h2 id="recommended-operating-model">Recommended operating model </h2><p>If you want to turn this from an admin script into a repeatable control, use this pattern:</p> <ol> <li>Store API keys and site tokens in Key Vault.</li> <li>Trigger the script from Azure DevOps or another automation runner.</li> <li>Pass <code>SubscriptionIds</code> from pipeline variables.</li> <li>Publish the CSV as a pipeline artifact.</li> <li>Review failures and stopped VMs as a separate remediation queue.</li> </ol> <h2 id="final-thoughts">Final thoughts </h2><p>This script is a good foundation for bulk SentinelOne deployment because it combines discovery, filtering, secure secret resolution, installation, remediation, and reporting in one flow. The biggest remaining operational concern is governance around subscription naming, rollout control, and evidence capture rather than secret storage in the script itself. Validate token mapping carefully, keep execution scoped, and use <code>-WhatIf</code> plus phased rollout to move from manual installs to controlled automation.</p> https://dmtechops.com/p/running-sentinelone-deployment-safely-from-azure-devops/ Wed, 06 May 2026 00:00:00 +0000darren@example.com (Darren Mair) https://dmtechops.com/p/running-sentinelone-deployment-safely-from-azure-devops/ <p>This companion guide shows how to run the SentinelOne deployment script from Azure DevOps without storing API keys or site tokens in source control. The pipeline pattern below uses secure variables or Azure Key Vault, limits execution scope, publishes the CSV result, and keeps rollout controls explicit.</p> <h2 id="architecture-at-a-glance">Architecture at a glance </h2><p>The production pattern is simple:</p> <ol> <li>Store the SentinelOne API key and site tokens as protected secrets.</li> <li>Run the PowerShell script from an Azure DevOps pipeline agent.</li> <li>Pass only the subscription scope and operational switches at runtime.</li> <li>Publish the generated CSV report as a build artifact.</li> <li>Review failures, stopped VMs, and exceptions outside the pipeline.</li> </ol> <h2 id="what-changed-in-the-script">What changed in the script </h2><p>The deployment script now supports three secret sources, in this order:</p> <ol> <li>Explicit PowerShell parameters.</li> <li>Environment variables.</li> <li>Azure Key Vault secrets.</li> </ol> <p>That means the pipeline does not need to edit the script before each run. It only needs to inject the correct values at execution time.</p> <h2 id="recommended-secret-names">Recommended secret names </h2><p>If you use environment variables, align with the names the script already resolves:</p> <table> <thead> <tr> <th>Secret</th> <th>Environment variable</th> </tr> </thead> <tbody> <tr> <td>SentinelOne console API key</td> <td><code>SENTINELONE_API_KEY</code></td> </tr> <tr> <td>Production site token</td> <td><code>S1_SITE_TOKEN_PROD</code></td> </tr> <tr> <td>Pre-production site token</td> <td><code>S1_SITE_TOKEN_PREPROD</code></td> </tr> <tr> <td>QA site token</td> <td><code>S1_SITE_TOKEN_QA</code></td> </tr> <tr> <td>Development site token</td> <td><code>S1_SITE_TOKEN_DEV</code></td> </tr> </tbody> </table> <p>If you use Azure Key Vault, the script defaults to these secret names:</p> <table> <thead> <tr> <th>Secret</th> <th>Key Vault secret name</th> </tr> </thead> <tbody> <tr> <td>SentinelOne console API key</td> <td><code>sentinelone-console-api-key</code></td> </tr> <tr> <td>Production site token</td> <td><code>sentinelone-site-token-prod</code></td> </tr> <tr> <td>Pre-production site token</td> <td><code>sentinelone-site-token-preprod</code></td> </tr> <tr> <td>QA site token</td> <td><code>sentinelone-site-token-qa</code></td> </tr> <tr> <td>Development site token</td> <td><code>sentinelone-site-token-dev</code></td> </tr> </tbody> </table> <h2 id="option-1-use-azure-devops-secret-variables">Option 1: Use Azure DevOps secret variables </h2><p>This is the quickest secure starting point if you are not yet standardised on Key Vault.</p> <p>Create a variable group with secret variables for:</p> <ol> <li><code>SENTINELONE_API_KEY</code></li> <li><code>S1_SITE_TOKEN_PROD</code></li> <li><code>S1_SITE_TOKEN_PREPROD</code></li> <li><code>S1_SITE_TOKEN_QA</code></li> <li><code>S1_SITE_TOKEN_DEV</code></li> </ol> <p>Then reference that group from the pipeline.</p> <h2 id="option-2-use-azure-key-vault">Option 2: Use Azure Key Vault </h2><p>For longer-term operations, Key Vault is the better pattern because it separates secret lifecycle management from the pipeline definition.</p> <p>In that model:</p> <ol> <li>The pipeline service connection reads secrets from Key Vault.</li> <li>The pipeline exports those values as environment variables for the script.</li> <li>The script runs unchanged.</li> </ol> <p>You can also let the script read Key Vault directly by passing <code>-KeyVaultName</code> and, if required, <code>-KeyVaultSubscriptionId</code>. In Azure DevOps, I prefer retrieving secrets in the pipeline first because it keeps the execution contract visible in one place.</p> <h2 id="production-ready-pipeline-example">Production-ready pipeline example </h2><p>The YAML below is designed for a manually triggered operational run. It supports dry runs, targeted subscription scope, optional remediation of failed extensions, and CSV artifact publishing.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">trigger</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">pr</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">subscriptionIds</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Subscription IDs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">string</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">excludedLocations</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Excluded locations</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">string</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;ukwest&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">excludedVmNames</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Excluded VM names</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">string</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;ufwduks001v,ufwduks002v,uavsjbtempuks001&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">autoStartVMs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Auto-start stopped VMs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">boolean</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">reinstallFailedExtensions</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Reinstall failed extensions</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">boolean</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">whatIf</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Dry run only</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">boolean</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="l">sentinelone-deployment-secrets</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">scriptPath</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">scripts/Sentinel_Check_&amp;_Install_v1.ps1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">reportPath</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">$(Build.ArtifactStagingDirectory)/sentinelone/SentinelCheck_Results.csv</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">pool</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vmImage</span><span class="p">:</span><span class="w"> </span><span class="l">windows-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">stages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">DeploySentinelOne</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy SentinelOne</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">job</span><span class="p">:</span><span class="w"> </span><span class="l">RunDeployment</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Run deployment script</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">checkout</span><span class="p">:</span><span class="w"> </span><span class="l">self</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">task</span><span class="p">:</span><span class="w"> </span><span class="l">AzurePowerShell@5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Run SentinelOne deployment script</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">inputs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">azureSubscription</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;sc-azure-platform-prod&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ScriptType</span><span class="p">:</span><span class="w"> </span><span class="l">InlineScript</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">azurePowerShellVersion</span><span class="p">:</span><span class="w"> </span><span class="l">LatestVersion</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">Inline</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> $subscriptionIds = @() </span></span></span><span class="line"><span class="cl"><span class="sd"> if (&#39;${{ parameters.subscriptionIds }}&#39;.Trim()) { </span></span></span><span class="line"><span class="cl"><span class="sd"> $subscriptionIds = &#39;${{ parameters.subscriptionIds }}&#39;.Split(&#39;,&#39;).Trim() | Where-Object { $_ } </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> $excludedLocations = &#39;${{ parameters.excludedLocations }}&#39;.Split(&#39;,&#39;).Trim() | Where-Object { $_ } </span></span></span><span class="line"><span class="cl"><span class="sd"> $excludedVmNames = &#39;${{ parameters.excludedVmNames }}&#39;.Split(&#39;,&#39;).Trim() | Where-Object { $_ } </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> $scriptArguments = @{ </span></span></span><span class="line"><span class="cl"><span class="sd"> SubscriptionIds = $subscriptionIds </span></span></span><span class="line"><span class="cl"><span class="sd"> ExcludedLocations = $excludedLocations </span></span></span><span class="line"><span class="cl"><span class="sd"> ExcludedVMNames = $excludedVmNames </span></span></span><span class="line"><span class="cl"><span class="sd"> CsvPath = &#39;$(reportPath)&#39; </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> if (&#39;${{ parameters.autoStartVMs }}&#39; -eq &#39;true&#39;) { </span></span></span><span class="line"><span class="cl"><span class="sd"> $scriptArguments[&#39;AutoStartVMs&#39;] = $true </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> if (&#39;${{ parameters.reinstallFailedExtensions }}&#39; -eq &#39;true&#39;) { </span></span></span><span class="line"><span class="cl"><span class="sd"> $scriptArguments[&#39;ReinstallFailedExtensions&#39;] = $true </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> if (&#39;${{ parameters.whatIf }}&#39; -eq &#39;true&#39;) { </span></span></span><span class="line"><span class="cl"><span class="sd"> $scriptArguments[&#39;WhatIf&#39;] = $true </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> &amp; &#39;$(Build.SourcesDirectory)/$(scriptPath)&#39; @scriptArguments</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SENTINELONE_API_KEY</span><span class="p">:</span><span class="w"> </span><span class="l">$(SENTINELONE_API_KEY)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">S1_SITE_TOKEN_PROD</span><span class="p">:</span><span class="w"> </span><span class="l">$(S1_SITE_TOKEN_PROD)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">S1_SITE_TOKEN_PREPROD</span><span class="p">:</span><span class="w"> </span><span class="l">$(S1_SITE_TOKEN_PREPROD)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">S1_SITE_TOKEN_QA</span><span class="p">:</span><span class="w"> </span><span class="l">$(S1_SITE_TOKEN_QA)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">S1_SITE_TOKEN_DEV</span><span class="p">:</span><span class="w"> </span><span class="l">$(S1_SITE_TOKEN_DEV)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">task</span><span class="p">:</span><span class="w"> </span><span class="l">PublishBuildArtifacts@1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Publish SentinelOne report</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">condition</span><span class="p">:</span><span class="w"> </span><span class="l">succeededOrFailed()</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">inputs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">PathtoPublish</span><span class="p">:</span><span class="w"> </span><span class="l">$(Build.ArtifactStagingDirectory)/sentinelone</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ArtifactName</span><span class="p">:</span><span class="w"> </span><span class="l">sentinelone-report</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">publishLocation</span><span class="p">:</span><span class="w"> </span><span class="l">Container</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="key-pipeline-decisions">Key pipeline decisions </h2><p>This example deliberately makes a few opinionated choices:</p> <table> <thead> <tr> <th>Decision</th> <th>Reason</th> </tr> </thead> <tbody> <tr> <td><code>trigger: none</code></td> <td>Deployment should be an intentional operational action, not a CI side effect.</td> </tr> <tr> <td>Manual parameters</td> <td>Operators can narrow scope without editing YAML.</td> </tr> <tr> <td><code>whatIf</code> defaults to <code>true</code></td> <td>Safe by default. Live execution is a conscious change.</td> </tr> <tr> <td><code>condition: succeededOrFailed()</code> on artifact publish</td> <td>You still want the CSV output when some installs fail.</td> </tr> <tr> <td>Windows hosted agent</td> <td>Keeps execution consistent with Azure PowerShell task behavior.</td> </tr> </tbody> </table> <h2 id="key-vault-backed-variable-groups">Key Vault-backed variable groups </h2><p>If you already use Azure Key Vault with Azure DevOps variable groups, the pipeline gets even cleaner. In that setup:</p> <ol> <li>Link the variable group to your Key Vault.</li> <li>Map the Key Vault secrets to the same variable names used above.</li> <li>Keep the YAML unchanged.</li> </ol> <p>This avoids duplicating secret values between Azure DevOps and Key Vault.</p> <h2 id="guardrails-i-recommend-in-production">Guardrails I recommend in production </h2><p>For a real enterprise rollout, add these controls around the pipeline:</p> <ol> <li>Restrict who can queue the pipeline.</li> <li>Separate non-production and production service connections.</li> <li>Use approvals for production stages if you later split the pipeline into environments.</li> <li>Log the approved subscription list for every execution.</li> <li>Keep exception VM names and excluded regions under review.</li> </ol> <h2 id="recommended-repository-structure">Recommended repository structure </h2><p>The pipeline is easier to maintain when the repo structure is explicit:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">azure-pipelines/ </span></span><span class="line"><span class="cl"> sentinelone-deployment.yml </span></span><span class="line"><span class="cl">scripts/ </span></span><span class="line"><span class="cl"> Sentinel_Check_&amp;_Install_v1.ps1 </span></span><span class="line"><span class="cl">docs/ </span></span><span class="line"><span class="cl"> sentinelone-runbook.md </span></span></code></pre></td></tr></table> </div> </div><p>If the script currently lives outside source control, move it into a controlled repository before putting the pipeline into service. That gives you traceability for every operational change.</p> <h2 id="operational-runbook-flow">Operational runbook flow </h2><p>The process for an operator should be straightforward:</p> <ol> <li>Queue the pipeline.</li> <li>Start with a non-production subscription and dry run enabled.</li> <li>Review the pipeline log and generated CSV.</li> <li>Re-run live only after the dry-run scope looks correct.</li> <li>Review failed installs, stopped VMs, and skipped subscriptions separately.</li> </ol> <h2 id="final-thoughts">Final thoughts </h2><p>The safest way to run the SentinelOne deployment script is to treat it like an operational control, not an admin laptop task. Azure DevOps gives you repeatability, approvals, artifacts, and audit history. Combined with the script’s new secret-resolution logic, that gives you a workable production model without putting credentials in the repo.</p>