Skip to main content

Quilr Endpoint Agent — ManageEngine Endpoint Central Deployment Guide (Windows / MSI)

Subtitle: Silent mass deployment of the Quilr Endpoint Agent CA trust chain, MSI installer, and browser extension using the ManageEngine Endpoint Central (formerly Desktop Central) "Install MSI/EXE Software" computer configuration.

Version: 2026.05.21

Table of Contents

  1. Overview
  2. Prerequisites
  3. Part 1 — Download and Stage the Install Bundle
  4. Part 2 — Add the MSI to the Software Repository
  5. Part 3 — Deploy the Quilr CA Certificates (Custom Script Configuration)
  6. Part 4 — Create the "Install MSI Software" Configuration
  7. Part 5 — Force-Install the Quilr Browser Extension (Edge + Chrome)
  8. Key Fields and Identifiers
  9. Validation and Testing
  10. Troubleshooting
  11. Rollback
  12. Summary
  13. References — ManageEngine Documentation

1. Overview

This guide walks a ManageEngine Endpoint Central (formerly Desktop Central) administrator through deploying the Quilr Endpoint Agent for Windows to a fleet of managed computers. The Windows agent ships as an MSI that installs a Windows service plus a Windows Filtering Platform (WFP) callout driver for on-device traffic interception.

The deployment uses Endpoint Central's Software Deployment module: you add the MSI to the Software Repository once, then push it with an Install MSI/EXE Software computer configuration to a target group. The Endpoint Central agent on each computer downloads the package from the repository and runs the install silently under the System User account — no end-user interaction.

The deployment order is: CA certificates first, then the MSI. The agent validates TLS against Quilr's internal CA, so the Windows machine trust store must be populated before the service starts its first outbound connection. The browser extension (Part 5) is independent and can be deployed in parallel.

Browser coverage note. On Windows, the agent-interceptor configuration excludes msedge.exe and chrome.exe from the endpoint agent — that traffic is captured by the Quilr browser extension instead (Part 5), avoiding double-capture. Every other process (native apps, Firefox, custom HTTP clients) is captured by the endpoint agent's WFP driver.

Endpoint Central terminology used in this guide:

Endpoint Central conceptWhat it is
Software RepositoryThe store (Network Share or HTTP) holding packages that agents download before installing
PackageAn MSI/EXE definition created under Software Deployment → Package Creation → Packages
ConfigurationA computer- or user-level action (here: Install MSI/EXE Software) defined → targeted → deployed
Custom ScriptA computer configuration that runs a script/command (used here to import the CA certs)
TargetThe custom group / OU / domain / set of computers a configuration is applied to

Benefits:

  • Silent, zero-touch rollout to thousands of Windows endpoints from a single configuration.
  • Quilr root and intermediate CAs trusted machine-wide before the agent runs.
  • WFP driver and service installed under System User — no user interaction, no logged-in user required.
  • Package stored once in the repository and reused across pilot → production targets.
  • Browser extension force-installed in Edge and Chrome with no user opt-out.

2. Prerequisites

RequirementDetails
Endpoint Central serverManageEngine Endpoint Central with the Software Deployment module licensed
Admin roleAn Endpoint Central role with Software Deployment + Configuration write permissions
Agent enrollmentTarget computers have the Endpoint Central agent installed and showing as Managed / contacted
Software RepositoryA configured Network Share or HTTP repository reachable by agents (or distribution servers for remote offices)
Target groupA custom group / OU for the rollout — e.g. WIN-Quilr-Pilot
Signed installerquilr-endpoint-agent.msi is Authenticode-signed by Quilr; the WFP driver inside is WHQL/EV-signed
Network egressEndpoints can reach the Quilr distribution host and control plane (see URL Exception List — AI Apps / Non-AI Apps companion guides for SSL-bypass entries)
Bundle downloadLatest Windows bundle obtained from Quilr support (Part 1)

3. Part 1 — Download and Stage the Install Bundle

Step A. Obtain the bundle

The Windows install bundle is distributed by Quilr support. Contact your Quilr support representative to request the download URL and any associated checksum for the current production build (architecture path: windows/64).

  1. Request the bundle URL from Quilr support (support@quilr.ai or your assigned contact).
  2. Download the zip on the workstation you use to administer Endpoint Central.
  3. Verify the checksum provided by Quilr before extracting.
  4. Unzip into a clean staging directory.

Step B. Bundle contents

quilr-endpoint-agent-install-bundle-win/
├── certs/
│   ├── quilr-ea-intermediate-ca.crt
│   └── quilr-root-ca.crt
└── quilr-endpoint-agent.msi
FilePurposeEndpoint Central objectDeploy order
certs/quilr-root-ca.crtQuilr root CA — anchor of trustCustom Script config → machine Root store1
certs/quilr-ea-intermediate-ca.crtQuilr intermediate CA — chains to the rootCustom Script config → machine Intermediate (CA) store1
quilr-endpoint-agent.msiInstalls the Quilr Endpoint Agent service + WFP driverSoftware Repository packageInstall MSI Software config2

Order of operations: Always deploy (1) the two CA certificates, then (2) the MSI configuration. When the MSI lands after the trust store is populated, the agent's first TLS handshake against the Quilr control plane succeeds — no failed handshake, no retry loop.

Step C. Place the source files where Endpoint Central can reach them

Copy the MSI (and the two .crt files) to a path the Endpoint Central server / repository can read:

  • Network Share repository — copy to the configured UNC share, e.g. \\EPC-SERVER\SoftwareRepository\Quilr\.
  • HTTP repository / Local upload — keep the files on the admin workstation; you will upload via the browser in Part 4.

4. Part 2 — Add the MSI to the Software Repository

Create the package once; you reuse it in the Install configuration (Part 6) and for any future version bumps.

Step A. Start a new Windows package

  1. Software Deployment tab → Package Creation → Packages → Add Package → Windows.
  2. Package Name: Quilr Endpoint Agent.
  3. Package Type: MSI/MSP.
  4. License Type: Commercial (or per your agreement).

Step B. Locate the installable

  1. Locate Installable: choose one —
    • From Shared Folder — point to the UNC path where you staged the MSI (Network Share repository), e.g. \\EPC-SERVER\SoftwareRepository\Quilr\quilr-endpoint-agent.msi.
    • From Local ComputerBrowse to quilr-endpoint-agent.msi on the admin workstation (uploads into the HTTP repository).
  2. MSI/MSP File Name: auto-filled as quilr-endpoint-agent.msi.

Step C. MSI properties (silent install)

FieldValue
MSI/MSP File Namequilr-endpoint-agent.msi
MST File Name(leave blank unless Quilr provides a transform)
MSI/MSP Properties (install)(blank — Endpoint Central runs MSIs silently; add KEY=VALUE pairs only if Quilr specifies them)

Silent install: Endpoint Central installs MSI packages silently by default (no /qn needed — that is handled by the platform). Only add space-separated PROPERTY=VALUE pairs in MSI/MSP Properties if Quilr support provides custom MSI properties.

Step D. Advanced settings and package properties (optional)

  • Advanced Settings: leave Exit Code defaults; set Architecture to 64-bit; raise Maximum Time Limit for Installation (Hours) if your fleet is slow.
  • Package Properties: Application Name Quilr Endpoint Agent, Version (per the build, e.g. 2026.05.08), Vendor Quilr AI.
  • Pre-Deployment / Post-Deployment Activities: not required for a standard install.

Step E. Save

Click Add Package. The package now appears under Software Deployment → Packages, ready to be referenced by a configuration.

5. Part 3 — Deploy the Quilr CA Certificates (Custom Script Configuration)

The agent validates TLS against Quilr's internal CA, so the root and intermediate must be in the Windows machine cert stores before the agent runs. Use an Endpoint Central Custom Script computer configuration that runs certutil under System.

Step A. Stage the two .crt files

Copy quilr-root-ca.crt and quilr-ea-intermediate-ca.crt to a share Endpoint Central can attach to the script (the Custom Script configuration lets you associate files that are copied to the endpoint before the command runs).

Step B. Create the Custom Script configuration

  1. Configurations → Add Configuration → Configuration → (Computer) → Custom Script.
  2. Name: Quilr CA Trust.
  3. Script Type: Batch File (.bat) or PowerShell.
  4. Associate the two .crt files so they are copied to the endpoint, and set the command:
:: Runs as System; %~dp0 is the script's copied location on the endpoint
certutil -addstore -f Root  "%~dp0quilr-root-ca.crt"
certutil -addstore -f CA    "%~dp0quilr-ea-intermediate-ca.crt"
  1. Define Target: add the WIN-Quilr-Pilot group.
  2. Deploy.

Why a script: certutil -addstore Root imports into the machine Trusted Root store and -addstore CA into the Intermediate Certification Authorities store — exactly the two anchors the agent needs. The configuration runs under the System account, so no logged-in user is required.

Step C. Verify the certs landed

On a pilot device (elevated PowerShell / cmd):

certutil -store Root | findstr /i quilr   # root present
certutil -store CA   | findstr /i quilr   # intermediate present
Test-NetConnection claude.ai -Port 443

In the Endpoint Central console, the configuration's status should show Applied / Success on the pilot device before you deploy the MSI in Part 6.

6. Part 4 — Create the "Install MSI Software" Configuration

Deploy the MSI after the CA configuration has applied. This is the configuration described in the ManageEngine "Installing MSI Software" help topic.

Step A. Name the configuration

  1. Configurations → Add Configuration → Configuration → (Computer) → Install MSI/EXE Software.
  2. Name: Quilr Endpoint Agent — Install. Add a description.

Step B. Define configuration

FieldValue
Package typeMSI
MSI Package NameQuilr Endpoint Agent (the package from Part 2)
Operation TypeInstall Completely
Install asSystem User
Allow user to interact with installation windowNo (silent)

Operation Type options are Install Completely, Advertise, and Remove. Use Install Completely for a full silent install. Remove is what you switch to for rollback (Part 11).

Step C. Scheduler (optional)

Set a schedule time for the operation, with an optional expiry date, if you want the install to run in a maintenance window rather than at the next agent refresh.

Step D. Deployment settings

FieldRecommended value
Installation OptionDuring or After Startup (installs at next boot, and immediately if already running)
Install Between(optional) restrict to a maintenance window, e.g. 22:00–05:00
Allow Users to Skip DeploymentNo (set a forced-deployment date if you must allow skips)
Reboot PolicyDo not reboot (the agent does not require a reboot; choose a reboot option only if your build's release notes call for one)

Step E. Define target

Use Define Target to add the WIN-Quilr-Pilot custom group (or OU / domain / specific computers).

Step F. Deploy

Click Deploy to push immediately, or Save as Draft to stage it. Agents install on their next refresh cycle (or trigger a manual agent refresh on a pilot box). Track per-computer state under the configuration's status view (Applied / Yet to Apply / Failed / Retry in Progress).

7. Part 5 — Force-Install the Quilr Browser Extension (Edge + Chrome)

Because the agent-interceptor config excludes msedge.exe and chrome.exe on Windows, those two browsers are covered by the Quilr browser extension. Force-install it via a Registry computer configuration that writes the ExtensionInstallForcelist policy keys. (If you license Browser Security Plus, you can manage extensions there instead.)

Step A. Microsoft Edge — ExtensionInstallForcelist

  1. Configurations → Add Configuration → Configuration → (Computer) → Registry.
  2. Name: Quilr Extension — Edge Force Install.
  3. Add the value:
    • Key: HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist
    • Value name: 1
    • Type: REG_SZ
    • Value data: <edge-extension-id>;https://edge.microsoft.com/extensionwebstorebase/v1/crx
  4. Define Target: WIN-Quilr-Pilot. Deploy.

Step B. Google Chrome — ExtensionInstallForcelist

  1. New Registry configuration: Quilr Extension — Chrome Force Install.
  2. Add the value:
    • Key: HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
    • Value name: 1
    • Type: REG_SZ
    • Value data: <chrome-extension-id>;https://clients2.google.com/service/update2/crx
  3. Define Target: WIN-Quilr-Pilot. Deploy.

Get the exact extension ID and update URL from Quilr support. For a self-hosted extension, use <extension-id>;https://<quilr-update-host>/updates.xml as the value data.

Step C. Verify

On a pilot device, open edge://extensions and chrome://extensions — the Quilr extension must be present, enabled, and marked Installed by your organization (no remove button).

8. Key Fields and Identifiers

FieldValue
Installer (MSI)quilr-endpoint-agent.msi
Repository package nameQuilr Endpoint Agent (Part 2)
Root CA filecerts/quilr-root-ca.crt → machine Root store (certutil -addstore Root)
Intermediate CA filecerts/quilr-ea-intermediate-ca.crt → machine CA / Intermediate store (certutil -addstore CA)
Architecture path (CDN)windows/64
Bundle downloadObtain from Quilr support (support@quilr.ai)
Browser extension ID + update URLObtain from Quilr support
Endpoint Central target (suggested)WIN-Quilr-Pilot (promote to WIN-Quilr-Production after validation)
Operation Type (install)Install Completely
Operation Type (rollback)Remove
Windows service nameConfirm with Quilr support — typically a System service in the quilrai family

9. Validation and Testing

CA chain present (run first):

certutil -store Root | findstr /i quilr   # root present
certutil -store CA   | findstr /i quilr   # intermediate present

MSI installed:

Get-ChildItem HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* ,`
              HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
  Get-ItemProperty | Where-Object DisplayName -like '*Quilr*' |
  Select-Object DisplayName, DisplayVersion

Service + WFP driver running:

Get-Service | Where-Object { $_.Name -match 'quilrai|quilr' }
netsh wfp show state | findstr /i quilr

Live intercept (functional test): In Firefox or a native app (not Edge/Chrome — those go through the extension), reach a monitored AI host (e.g. send a prompt). Confirm the event appears in the Quilr console.

Browser extension active: edge://extensions and chrome://extensions show the Quilr extension Installed by your organization, enabled.

Endpoint Central reporting:

  • The Install MSI Software configuration status = Applied / Success per computer.
  • The Quilr CA Trust Custom Script configuration = Applied / Success.
  • The Edge/Chrome Registry configurations = Applied / Success.

Agent logs: the Windows agent writes logs under its ProgramData directory (in the quilrai family, e.g. %PROGRAMDATA%\quilrai\logs\) and emits to the Windows Event Log. Confirm the exact path with Quilr support / the Windows release notes — it is not assumed here.

10. Troubleshooting

SymptomLikely causeFix
certutil -store Root shows no Quilr certCustom Script config not applied, or -addstore used the wrong storeConfirm the script imports root with -addstore Root and intermediate with -addstore CA; re-deploy / refresh the agent
Agent service won't start / TLS errors in Event LogCA chain incomplete (intermediate missing)Confirm both certs imported (certutil -store Root and -store CA); the intermediate is required to chain the leaf
Configuration stuck at Yet to ApplyAgent hasn't refreshed since deploymentTrigger a manual agent refresh on the endpoint, or wait for the next refresh cycle
Configuration reports FailedPackage not reachable, MSI error (1603 generic / 1618 another install in progress), or wrong architectureConfirm the package downloaded to the agent's repository cache; check the endpoint's MSI logs under %WINDIR%\Temp\; re-deploy
Package never downloads to the endpointSoftware Repository (Network Share / HTTP) unreachable from the agent or distribution serverVerify the repository path/URL and that the agent (or its distribution server) can reach it
Browser shows "Cannot verify identity" for a monitored hostUpstream SWG (Netskope / Zscaler / etc.) is decrypting the same hostAdd the host to the SWG's SSL-bypass list — see the URL Exception List — AI Apps (or Non-AI Apps) companion guide
Edge/Chrome traffic not captured at allExpected — Edge/Chrome are excluded from the endpoint agent on WindowsConfirm the browser extension (Part 5) is force-installed and enabled; the extension, not the WFP driver, covers those browsers
Extension missing from edge://extensionsRegistry force-list policy not applied, or wrong extension ID / update URLRe-check the ExtensionInstallForcelist value (ID;UPDATE_URL) against what Quilr support provided; re-deploy

For deeper diagnostics, see the Quilr Endpoint Agent Troubleshooting Guide and the logsamples/ folder.

11. Rollback

  1. Uninstall the agent: edit the Install MSI Software configuration and change Operation Type to Remove (using the same Quilr Endpoint Agent package), then re-deploy to WIN-Quilr-Pilot. Endpoint Central runs the MSI uninstall on the next refresh.
  2. Remove the browser-extension policy: delete (or suspend) the Edge/Chrome Registry configurations so ExtensionInstallForcelist is no longer enforced.
  3. Remove the CAs: deploy a Custom Script that runs certutil -delstore Root <thumbprint-or-name> and certutil -delstore CA <thumbprint-or-name> (or suspend the Quilr CA Trust config and clean up).
  4. Confirm clean state:
    • certutil -store Root | findstr /i quilr returns nothing
    • certutil -store CA | findstr /i quilr returns nothing
    • Get-Service | ? Name -match 'quilrai|quilr' returns nothing
    • Quilr extension absent from edge://extensions / chrome://extensions

12. Summary

StepActionWhere in Endpoint Central
1Obtain Windows install bundle (MSI + certs)Request URL from Quilr support
2Add the MSI to the Software RepositorySoftware Deployment → Package Creation → Packages → Add Package → Windows
3Deploy the two CA certs (run first)Configurations → Custom Script (certutil -addstore)
4Create the Install MSI Software config (run second)Configurations → Install MSI/EXE Software
5Force-install the Quilr browser extension (Edge + Chrome)Configurations → Registry (ExtensionInstallForcelist)
6Define target = WIN-Quilr-Pilot; validate certs → MSI → extensionEach configuration → Define Target
7Promote to WIN-Quilr-ProductionRe-target the configurations

13. References — ManageEngine Documentation

SectionManageEngine documentation
§6 Install MSI/EXE Software configurationInstalling MSI Software
§4 Create software packages (MSI)Create Software Packages
§2 Software Repository (Network Share / HTTP)Software Repository
§2 Configuring software repositoriesConfiguring Software Repositories
§4 Manage MSI filesManage MSI Files
§3/§5 Custom Script & Registry configurationsComputer Configurations
§6 Defining targets for a configurationDefining Targets

Microsoft Intune counterpart: for an Intune-based rollout, use the companion Quilr Endpoint Agent — Microsoft Intune Deployment Guide (Windows / MSI).

End of document — Quilr AI | Adapt AI Securely