This topic provides step-by-step instructions for deploying the Check Point SASE agent on Windows endpoints managed by Microsoft Intune. It covers packaging the SASE MSI as a Win32 app and configuring silent installation with workspace, region, and tenant token parameters for zero-touch provisioning.
Check Point SASE is a cloud-native Secure Access Service Edge platform within the Hybrid Mesh Network Security pillar, providing secure internet access via an integrated Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA) to private resources, and application-level access controls. The agent installed on endpoints enforces these policies locally and tunnels traffic through the Check Point global PoP infrastructure.
Deploying through Microsoft Intune enables organizations to push the agent silently to managed Windows devices, eliminating manual enrollment steps and ensuring security posture from first login.
Note -
Check Point SASE was originally developed under the Perimeter 81 brand. While the product is now branded as Check Point SASE under the Hybrid Mesh Network Security pillar, the Windows MSI installer filename uses the convention Harmony_SASE_x.x.x.xxx.msi. Some registry entries and service names may still reference legacy Perimeter 81 or SaferVPN identifiers. These appear in this topic only where technically required.
Note -
Unlike macOS, the Windows agent automatically installs and trusts the per-tenant TLS inspection root certificate during agent installation. No separate certificate deployment via Intune is required. The Check Point SASE certificate download in the portal (Devices > Downloads > Certificates) is scoped to macOS only. If you are deploying to macOS endpoints, see Deploying the Agent with Jamf Pro (macOS).
Prerequisites
Active Microsoft 365 subscription with Intune. Global Administrator or Intune Administrator role required.
Windows 10 version 1607 or later, or Windows 11. Enterprise, Pro, or Education editions.
Target devices must be enrolled in Intune (Entra ID joined or Hybrid Entra ID joined).
Active Check Point SASE subscription with administrator access to the Check Point Infinity Portal.
Agent version 11.5 or later recommended for Transparent Internet Access support.
Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe) downloaded from GitHub.
Endpoints must reach *.perimeter81.com and *.checkpoint.com. For the complete list of required URLs, ports, and protocol details, see sk182251.
Note -
If you are managing deployment via Intune, disable the auto-update client setting in the Check Point SASE web console (Settings > General) to prevent looping installation issues when Intune and the SASE auto-updater conflict.
Download the SASE Agent and Generate Tenant Token
Download the Windows MSI Installer
Log in to the Check Point Infinity Portal and navigate to Check Point SASE.
Go to Devices > Downloads and select the Agents tab.
Download the Windows agent installer. The file is named Harmony_SASE_x.x.x.xxx.msi (where x.x.x.xxx is the version number).
Note the version number and save the MSI to a working directory on your admin workstation.
For more information, see Downloads.
Generate the Tenant Token (for Transparent Internet Access)
On the same Devices > Downloads page, locate the Installation Key section.
Generate a unique installation key (tenant token). This key is visible only to Admin users.
Copy and securely store the tenant token. You will embed it in the Intune install command, where it is stored in clear text and readable by anyone who can view the app's program configuration, so treat it as a credential.
Note -
The tenant token enables Transparent Internet Access (agent v11.5+), which enforces SWG policies immediately upon installation without requiring end-user sign-in. Private Access remains restricted until the user authenticates. For more information, see Deploying the Agent.
Package the SASE Agent for Intune
Microsoft Intune requires Win32 apps to be packaged in .intunewin format using the Microsoft Win32 Content Prep Tool. This applies even though the agent is distributed as an MSI, because the Win32 app type offers richer control over install commands, detection rules, and dependencies.
Download the Win32 Content Prep Tool
Download IntuneWinAppUtil.exe from the Microsoft GitHub repository.
Save it to a working directory (for example, C:\IntuneTools\).
Prepare the Source Folder
Create a source folder (for example, C:\IntuneApps\CPSASE\Source\).
Copy the downloaded Harmony_SASE_x.x.x.xxx.msi file into this folder.
Create an output folder (for example, C:\IntuneApps\CPSASE\Output\).
Create the .intunewin Package
Open a command prompt and run the Content Prep Tool:
```cmd
IntuneWinAppUtil.exe ^
  -c "C:\IntuneApps\CPSASE\Source" ^
  -s "Harmony_SASE_x.x.x.xxx.msi" ^
  -o "C:\IntuneApps\CPSASE\Output" ^
  -q
```
-c - Source folder containing the MSI
-s - The setup file (MSI) within the source folder
-o - Output folder for the .intunewin package
-q - Quiet mode (suppress prompts)
The tool produces a file named Harmony_SASE_x.x.x.xxx.intunewin in the output folder.
Create the Win32 App in Intune
Add the Application
In the Intune admin center, go to Apps > Windows.
Click Add and select Windows app (Win32) as the app type.
Click Select, then upload the .intunewin file from the previous phase.
App Information
Enter the following values on the App information tab:
Name - Check Point SASE Agent
Description - Check Point SASE agent for secure internet and private access
Publisher - Check Point Software Technologies Ltd.
App version - (match the MSI version, for example 12.6.0)
Category - Security (optional)
Program Configuration
This is where the silent install command embeds all SASE configuration. The MSI accepts workspace, region, and tenant token as command-line properties, eliminating the need for a separate pre-install script.
Install command:
```cmd
msiexec /quiet /i "Harmony_SASE_x.x.x.xxx.msi" WORKSPACE="your-workspace-name" REGION="US" TENANT_TOKEN="your-tenant-token-here"
```
Note -
Replace your-workspace-name with your organization's SASE workspace identifier, set REGION to your data residency region (US, EU, AU, or IN), and paste your full tenant token. If the device username does not match the user email address (verify by running whoami /upn), add an EMAIL parameter: EMAIL="user@domain.com".
Uninstall command:
```cmd
msiexec /x "Harmony_SASE_x.x.x.xxx.msi" /quiet
```
Configure the remaining program settings:
Install behavior - System (installs in SYSTEM context)
Device restart behavior - App install may force a device restart
Detection Rules
Detection rules tell Intune how to verify the agent was installed successfully. Choose one of the following methods:
Option A: MSI Product Code (simplest)
Select MSI as the rule type. Intune auto-populates the product code from the .intunewin package. Enable MSI product version check and set the operator to "Greater than or equal to" with the version you are deploying.
Option B: File-Based Detection
Rule type - File
Path - C:\Program Files\Harmony SASE
File or folder - Harmony SASE.exe
Detection method - File or folder exists
Option C: Registry-Based Detection
Rule type - Registry
Key path - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ProductCode}
Value name - DisplayName
Detection method - String comparison - Equals - Harmony SASE
Tip -
The MSI product code detection method is the most reliable and requires the least maintenance. If the product code changes with a new version, update the detection rule when you upload the new MSI.
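Where Options A to C are not enough (for example, you want a single rule that checks both the registry entry and a minimum version without editing the rule for every product code change), Intune also accepts a custom detection script. The following is an added example, not Check Point's own tooling; it assumes the uninstall entry's DisplayName is "Harmony SASE" as in Option C, and the minimum version is a placeholder you set to the version you deploy.

```powershell
# Custom detection script for the Intune Win32 app (added example, not vendor code).
# Intune treats the app as "detected" only when the script exits 0 AND writes to STDOUT.
$ExpectedName   = 'Harmony SASE'          # DisplayName from the Uninstall key (Option C)
$MinimumVersion = [version]'12.6.0'        # placeholder: set to the version you are deploying

# Check both the native 64-bit and the WOW6432Node uninstall hives
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$Entry = Get-ChildItem -Path $UninstallRoots -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DisplayName -eq $ExpectedName } |
    Select-Object -First 1

# No uninstall entry: nothing on STDOUT and a non-zero exit means "not detected"
if (-not $Entry) { exit 1 }

# Refuse to report "detected" for an unparsable or older DisplayVersion,
# so a failed upgrade does not look like a successful install
$Installed = $null
if (-not [version]::TryParse([string]$Entry.DisplayVersion, [ref]$Installed)) { exit 1 }
if ($Installed -lt $MinimumVersion) { exit 1 }

# Sanity check that the agent service was registered (matches the DisplayName
# patterns used in the diagnostic commands below; the exact service name is not assumed)
$Svc = Get-Service | Where-Object {
    $_.DisplayName -like '*Harmony*' -or $_.DisplayName -like '*SASE*'
}
if (-not $Svc) { exit 1 }

Write-Output "Detected $($Entry.DisplayName) $($Entry.DisplayVersion)"
exit 0
```

Upload it under Detection rules > Use a custom detection script; because the check runs in SYSTEM context, no per-user state is consulted.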
Requirements
Operating system architecture - 64-bit (or both 32-bit and 64-bit if needed)
Minimum operating system - Windows 10 1607
Click Next through Dependencies and Supersedence (leave empty unless replacing a prior version). Click Next to proceed to Assignments.
Assign and Deploy
On the Assignments tab, under Required, click Add group.
Select the Entra ID device group(s) that should receive the agent.
Click Select, then Next.
Review the summary and click Create.
Intune deploys the app on the next device sync. The agent installs silently with the workspace, region, and tenant token parameters embedded in the MSI command, enabling immediate SWG protection.
Note -
If you prefer users to install on demand rather than a forced push, add the group under Available for enrolled devices instead of Required. The app appears in the Company Portal for self-service installation.
Verification and Troubleshooting
Verify a Successful Deployment
The Check Point SASE agent appears in the system tray and connects to the nearest PoP without certificate errors.
In Intune admin center, go to Apps > Monitor > App install status and confirm the app shows as Installed for targeted devices.
On the endpoint, open certlm.msc and verify the SASE root certificate appears under Trusted Root Certification Authorities > Certificates (installed automatically by the agent).
Common Issues
| Symptom | Resolution |
|---|---|
| TLS certificate errors in browsers after SASE connects | The agent should install the root certificate automatically. Verify the cert is present in the Trusted Root Certification Authorities store (certlm.msc). |
| Agent installs but does not auto-connect | Verify the |
| Intune reports installation failed | Check the Intune Management Extension log on the endpoint: C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log |
| Agent auto-update loop with Intune | Disable auto-update in the Check Point SASE console: Settings > General > Update Client toggle off. |
| Detection rule fails after successful install | Verify the detection method. If using file-based detection, confirm the actual install path matches. If using MSI product code, verify the code matches with: |
| | Add the |
Useful Diagnostic Commands
```powershell
# Check if the SASE agent is installed
# (Win32_Product triggers a consistency check of every installed MSI and is slow;
#  the Uninstall registry key used in detection Option C is a faster, side-effect-free alternative)
Get-WmiObject Win32_Product | Where-Object {
    $_.Name -like "*Harmony*SASE*"
} | Select-Object Name, Version

# Verify the root certificate is in the Trusted Root CA store
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
    $_.Subject -like "*Check Point*" -or $_.Subject -like "*SASE*"
}

# Check the SASE agent service (legacy Perimeter 81 naming may still be present)
Get-Service | Where-Object {
    $_.DisplayName -like "*Harmony*" -or
    $_.DisplayName -like "*Perimeter*" -or
    $_.DisplayName -like "*SASE*"
}

# Force Intune sync (opens the Access work or school enrollment page)
Start-Process -FilePath "ms-device-enrollment:?mode=mdm"

# View the last 50 lines of the Intune Management Extension log
Get-Content "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log" -Tail 50
```
MSI Command-Line Reference
WORKSPACE - Your organization's Check Point SASE workspace identifier (for example, "acme-corp")
REGION - Data residency region: US (America), EU (Europe), AU (Australia), IN (India)
TENANT_TOKEN - Installation token from the SASE portal for Transparent Internet Access (v11.5+)
EMAIL - Optional. User email for Transparent Registration when whoami /upn does not match
Full silent install example:
```cmd
msiexec /quiet /i "Harmony_SASE_12.6.0.xxxx.msi" WORKSPACE="acme-corp" REGION="US" TENANT_TOKEN="eyJhbG..."
```
Silent uninstall:
```cmd
msiexec /x "Harmony_SASE_12.6.0.xxxx.msi" /quiet
```
Check install status (useful for scripted deployments):
```cmd
start /wait msiexec /quiet /i "Harmony_SASE_12.6.0.xxxx.msi" WORKSPACE="acme-corp" REGION="US" TENANT_TOKEN="eyJhbG..."
echo %errorlevel%
```
For additional MSI parameters and OS-specific commands, see Deploying the Agent.
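For scripted deployments that need more than the raw errorlevel, the following added example (not Check Point's own tooling) runs the same silent install from PowerShell, writes a verbose Windows Installer log, and maps the standard msiexec exit codes to a result; the MSI path, workspace, region, tenant token and EMAIL values are placeholders taken from the parameter reference above.

```powershell
# Scripted silent install wrapper (added example, not vendor code).
# Replace the placeholder parameter defaults with your own values.
param(
    [string]$MsiPath     = 'C:\IntuneApps\CPSASE\Source\Harmony_SASE_x.x.x.xxx.msi',
    [string]$Workspace   = 'your-workspace-name',
    [ValidateSet('US','EU','AU','IN')][string]$Region = 'US',
    [string]$TenantToken = 'your-tenant-token-here',
    [string]$Email       = ''   # only when whoami /upn differs from the user's email address
)

$LogPath = Join-Path $env:ProgramData 'CPSASE-install.log'

# Public MSI properties are passed as NAME="value"; /norestart returns 3010 instead of
# rebooting on its own, so the caller (or Intune) decides when to restart.
$MsiArgs = @('/quiet', '/norestart', '/i', "`"$MsiPath`"",
             "WORKSPACE=`"$Workspace`"", "REGION=`"$Region`"", "TENANT_TOKEN=`"$TenantToken`"",
             '/l*v', "`"$LogPath`"")
if ($Email) { $MsiArgs += "EMAIL=`"$Email`"" }

$Proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $MsiArgs -Wait -PassThru -NoNewWindow

# Standard Windows Installer exit codes
switch ($Proc.ExitCode) {
    0    { Write-Output  'Install succeeded';                                   exit 0 }
    3010 { Write-Output  'Install succeeded, reboot required';                  exit 3010 }
    1641 { Write-Output  'Install succeeded, installer initiated a reboot';     exit 1641 }
    1618 { Write-Warning 'Another installation is in progress; retry later';    exit 1618 }
    1603 { Write-Warning "Fatal error during installation; see $LogPath";        exit 1603 }
    default { Write-Warning "msiexec returned $($Proc.ExitCode); see $LogPath"; exit $Proc.ExitCode }
}
```

The verbose log may record the command-line properties, including TENANT_TOKEN, in clear text, so restrict access to it and remove it once troubleshooting is done.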
Transparent Internet Access (Silent Deployment)
Starting with Check Point SASE version 11.5, the Transparent Internet Access feature enforces internet security policies immediately upon agent installation, without requiring any end-user interaction. When deployed via Intune:
The remote installation process bypasses both device and member registration.
Users receive the latest security policies even if they have not signed in to the agent.
Internet Access policy enforcement begins as soon as the agent is running, providing SWG protection from the moment of deployment.
Private Access remains restricted until the user authenticates and registers on the platform.
Transparent Internet Access requires the WORKSPACE, REGION, and TENANT_TOKEN parameters to be passed during installation, which is handled through the msiexec install command in the Win32 app configuration. For more information, see Deploying the Agent.