Cloud Gateways Switching WiFi Physical Security Integrations
What's New Support
User
Sign Up UniFi Site Manager
Help Center Help Articles Professional Support Professional Integrators Community RMA & Warranty Downloads Tech Specs
User
Sign Up UniFi Site Manager
Help Center Help Articles Professional Phone Support Professional Integrators Community RMA & Warranty Downloads Tech Specs
Cloud Gateways Switching WiFi Physical Security Integrations

Social

Facebook Twitter Youtube Instagram

Company

Careers Contact Us Investors

Training

Courses Calendar Trainers Become a Trainer

Tools

WiFiman UISP Design Center
  1. Ubiquiti Help Center
  2. UniFi
  3. People & Role Management
  4. UniFi Endpoint

Deploying UniFi Endpoint For Windows at Scale

MDM solutions (such as Microsoft Intune) or Group Policy (via registry configuration) can be used to deploy UniFi Endpoint across Windows devices at scale. The MSI installer supports pre-configured settings to ensure consistent application behavior aligned with organizational policies.

This article outlines the general deployment process and available MSI configuration properties. For an overview of UniFi Endpoint, see this article.

Deploying UniFi Endpoint 

To deploy UniFi Endpoint at scale:

  1. Download the UniFi Endpoint Windows Installer (64-bit MSI) file here.
  2. Perform a silent installation using msiexec.
  3. Tip: If you are using Fabric you can define the  ORG_DOMAIN property and enforce it ENFORCE_CONFIG_ORG_DOMAIN=1 to ensure users can only login to your Fabric.
  4. Configure any other optional MSI properties from the table below.
  5. Deploy through your preferred MDM or Group Policy workflow.

The example below performs a silent installation of UniFi Endpoint, enables launch at startup, enforces the example.ui.com domain for enrollment, and enforces VPN auto-connect.

msiexec /i "UniFi Endpoint.msi" /quiet /norestart ORG_DOMAIN=example.ui.com ENFORCE_CONFIG_ORG_DOMAIN=1 LAUNCH_AT_STARTUP=1 CONNECT_VPN_ON_STARTUP=1 ENFORCE_CONFIG_CONNECT_VPN_ON_STARTUP=1

Note: The EXE installer does not forward MDM configuration properties to the MSI. For bulk deployment with pre-configured settings, use the MSI package directly with msiexec, or pre-set the registry values via Group Policy Preferences or MDM registry push.

MSI Properties - Configuration

These MSI properties configure the initial application behavior. Values are written to the HKLM registry during installation and serve as defaults for all users on the machine.

MSI Property Registry Value (HKLM) Default Description
ORG_DOMAIN OrgDomain (empty) Organization domain for onboarding. When set, the Welcome screen pre-fills this domain so users do not need to enter it manually. Example: example.ui.com.
CHECK_UPDATE CheckUpdate 1 Enable automatic update checks. 1 = enabled, 0 = disabled.
LAUNCH_AT_STARTUP LaunchAtStartup 1 Launch the application automatically when the user logs in. 1 = enabled, 0 = disabled.
CONNECT_WIFI_ON_STARTUP ConnectWiFiOnStartup 0 Automatically connect to the assigned Wi-Fi network on application startup. 1 = enabled, 0 = disabled.
CONNECT_VPN_ON_STARTUP ConnectVpnOnStartup 0 Automatically connect to the assigned VPN on application startup. 1 = enabled, 0 = disabled.
AUTO_RECONNECT_WIFI AutoReconnectWiFi 0 Automatically reconnect to the assigned Wi-Fi network if the connection drops. 1 = enabled, 0 = disabled.
LAUNCH_AFTER_INSTALL (not persistent) 0 Launch UniFi Endpoint immediately after installation completes. The app is launched as the logged-in user with standard (non-elevated) privileges, not as the SYSTEM account that runs the installer. 1 = launch after install, 0 = do not launch. This only affects the single install run; it is not stored as a persistent setting.
ADD_DESKTOP_SHORTCUT (not persistent) 1 Create a desktop shortcut for UniFi Endpoint during install. 1 = create shortcut, 0 = do not create shortcut. This only affects the install run; existing shortcuts from previous installs are not removed.
INSTALLFOLDER InstallLocation %ProgramFiles%\UniFi Identity Standard\ Installation directory path.

MSI Properties - Enforcement Locks

Enforcement locks prevent users from changing specific settings through the application UI. When a setting is enforced, the HKLM value is used and any HKCU user preference is ignored (though preserved for when the lock is later removed).

MSI Property Registry Value (HKLM) Default Description
ENFORCE_CONFIG_ORG_DOMAIN EnforceConfigOrgDomain 0 Organization domain. 1 = locked, 0 = user can configure.
ENFORCE_CONFIG_CHECK_UPDATE EnforceConfigCheckUpdate 0 Auto-update check. When enforced with CHECK_UPDATE=0, manual update checks are also blocked.
ENFORCE_CONFIG_LAUNCH_AT_STARTUP EnforceConfigLaunchAtStartup 0 Launch at startup. 1 = locked, 0 = user can configure.
ENFORCE_CONFIG_CONNECT_WIFI_ON_STARTUP EnforceConfigConnectWiFiOnStartup 0 Wi-Fi auto-connect on startup. 1 = locked, 0 = user can configure.
ENFORCE_CONFIG_CONNECT_VPN_ON_STARTUP EnforceConfigConnectVpnOnStartup 0 VPN auto-connect on startup. 1 = locked, 0 = user can configure.

Set any enforcement lock to 1 to prevent users from overriding that setting. Set to 0 (default) to allow user control.
Note: When a setting is enforced, the toggle for that setting is disabled in the application's Settings panel with a tooltip "This setting is managed by your organization".

Was this article helpful?