Check Pointintermediate

How to Deploy Check Point Harmony Endpoint Agent

Deploy Check Point Harmony Endpoint agent using manual, automatic, or enterprise methods. Complete guide with Infinity Portal steps and troubleshooting.

12 min readUpdated January 2025

Want us to handle this for you?

Get expert help →

Check Point Harmony Endpoint provides comprehensive endpoint protection with anti-malware, anti-ransomware, threat emulation, and EDR capabilities managed through the cloud-based Infinity Portal. This guide covers multiple deployment methods to help you protect your organization's endpoints.

Prerequisites

Before deploying Harmony Endpoint, ensure you have:

  • Infinity Portal access with administrator permissions
  • Active Harmony Endpoint license assigned to your tenant
  • Network connectivity allowing outbound HTTPS (port 443) to Check Point cloud services
  • Administrative rights on target endpoints
  • Supported operating system: Windows 10/11, Windows Server 2016+, macOS 10.15+, or supported Linux distributions

Understanding Deployment Options

Harmony Endpoint offers several deployment methods to suit different environments:

MethodBest ForRequirements
Tiny AgentQuick deployment, small environmentsInternet connectivity during install
Offline PackageAir-gapped networks, custom deploymentsPre-downloaded full package
Deployment AgentLarge AD environments, remote pushDomain-joined initiator machine
Microsoft IntuneCloud-managed Windows devicesIntune enrollment
Group Policy/SCCMEnterprise Windows environmentsAD infrastructure

The Tiny Agent is a lightweight installer (under 1MB) that downloads and installs components based on your deployment policy.

Step 1: Download the Tiny Agent

  1. Log in to the Infinity Portal at https://portal.checkpoint.com
  2. Navigate to Harmony Endpoint from the left menu
  3. Click Overview in the dashboard
  4. Click Download Endpoint from the top banner
  5. Select Harmony Endpoint Security Client for your target OS (Windows, macOS, or Linux)
  6. Note the version number for your records
  7. Click DOWNLOAD to save the Tiny Agent installer

Step 2: Configure the Software Deployment Policy

Before deploying agents, configure which components will be installed:

  1. In Infinity Portal, go to Policy > Deployment Policy
  2. Click Software Deployment
  3. Select the capabilities to deploy:
    • Anti-Malware - Core antivirus protection
    • Anti-Bot - Botnet detection and prevention
    • Anti-Ransomware - Ransomware attack prevention
    • Threat Emulation - Sandboxing for unknown files
    • Forensics - Attack investigation and reporting
    • Zero-Phishing - Phishing URL protection
    • Compliance - Endpoint compliance checking
  4. Click Save and then Install Policy

Step 3: Install the Agent on Endpoints

Interactive Installation:

  1. Copy the downloaded installer to the target endpoint
  2. Run the installer as Administrator:
    • Right-click the installer file
    • Select Run as administrator
  3. Follow the installation wizard prompts
  4. Wait for component download and installation to complete
  5. Restart if prompted (typically not required)

Silent Installation (Command Line):

EndpointSetup.exe /s /v"/qn"

For installations requiring a proxy:

EndpointSetup.exe /s /v"/qn PROXY_ADDR=proxy.company.com PROXY_PORT=8080"

Step 4: Verify Installation

  1. In the Infinity Portal, go to Asset Management > Computers
  2. Search for the endpoint by hostname or IP address
  3. Verify the endpoint shows:
    • Connection status: Connected (green indicator)
    • Deployed components: Match your deployment policy
    • Client version: Current version number

On the endpoint itself, verify the Harmony Endpoint icon appears in the system tray with a green checkmark.

Method 2: Deploy Using Offline Package

For environments without internet access or when you need a complete pre-packaged installer:

Step 1: Create the Offline Package

  1. In Infinity Portal, go to Policy > Deployment Policy > Software Deployment
  2. Click Download Endpoint > Offline Package
  3. Select all required components
  4. Click Create Package
  5. Download the generated package (may be several hundred MB)

Step 2: Deploy the Package

The offline package includes all components and the Initial Client. Deploy using:

Manual installation:

setup.exe /s /v"/qn"

Network share deployment:

  1. Copy the package to a network share accessible by target endpoints
  2. Run the installer from the share or copy locally first
  3. Use login scripts or scheduled tasks for automated deployment

Method 3: Deploy Using Deployment Agent (Remote Push)

For large Active Directory environments, use a Deployment Agent to push installations remotely.

Step 1: Configure the Deployment Agent

  1. Select a domain-joined Windows machine to serve as the Deployment Agent
  2. Install the Harmony Endpoint client on this machine first
  3. In Infinity Portal, go to Policy > Deployment Policy > Deployment Agent
  4. Click Set Deployment Agent
  5. Select the machine from the list and confirm

Step 2: Prepare Target Endpoints

Ensure target machines meet these requirements:

  • Domain-joined to the same Active Directory
  • Windows Remote Management (WinRM) enabled
  • File and Printer Sharing enabled
  • Administrative share access (C$ or ADMIN$)

Step 3: Initiate Remote Installation

  1. In Infinity Portal, go to Asset Management > Unprotected Assets
  2. Use the Active Directory scanner to discover unprotected endpoints
  3. Select endpoints for installation
  4. Click Install and monitor progress in the deployment status

Method 4: Deploy Using Microsoft Intune

Step 1: Prepare the MSI Package

  1. Download the Tiny Agent (EndpointSetup.exe)
  2. Create an MSI wrapper using the Check Point conversion tool:
EndpointSetup.exe /c /t:C:\Temp\EPExtract
cd C:\Temp\EPExtract
msiexec /a EPS.msi TARGETDIR=C:\Temp\EPSOutput /qn

Step 2: Upload to Intune

  1. In Microsoft Intune admin center, go to Apps > Windows
  2. Click Add and select Line-of-business app
  3. Upload the MSI file
  4. Configure app information:
    • Name: Check Point Harmony Endpoint
    • Publisher: Check Point Software Technologies
  5. Assign to device groups
  6. Monitor deployment in Intune

Method 5: Deploy Using Group Policy

Step 1: Create a Software Distribution Point

  1. Copy the offline installer package to a network share
  2. Set share permissions for Domain Computers to Read
  3. Set NTFS permissions for Domain Computers to Read & Execute

Step 2: Create the GPO

  1. Open Group Policy Management Console
  2. Create a new GPO linked to the appropriate OU
  3. Navigate to Computer Configuration > Policies > Software Settings > Software Installation
  4. Right-click and select New > Package
  5. Browse to the network share and select the MSI
  6. Choose Assigned deployment method
  7. Configure any additional options (upgrades, removal behavior)

Step 3: Verify Deployment

  1. Run gpupdate /force on a test endpoint
  2. Restart the endpoint to trigger software installation
  3. Verify installation in Infinity Portal

Post-Deployment Configuration

Assign Endpoints to Virtual Groups

  1. In Infinity Portal, go to Asset Management > Virtual Groups
  2. Create groups based on:
    • Department or location
    • Device type (workstation vs. server)
    • Security requirements
  3. Assign policies to virtual groups

Configure Client Settings

  1. Go to Policy > Client Settings
  2. Configure options such as:
    • Tray icon visibility
    • User notifications
    • Password protection for client operations
    • Automatic updates

Troubleshooting Common Issues

Agent Not Appearing in Portal

Symptoms: Installation completes but endpoint does not appear in Infinity Portal.

Solutions:

  1. Verify internet connectivity to *.checkpoint.com on port 443
  2. Check firewall rules allow outbound HTTPS traffic
  3. Verify proxy settings if applicable: 
    netsh winhttp show proxy
  4. Review installation logs at C:\Windows\Temp\Check Point\
  5. Restart the Check Point Endpoint Security service: 
    net stop TracSrvWrapper
net start TracSrvWrapper

Installation Fails

Symptoms: Installer returns error or fails silently.

Solutions:

  1. Verify administrative privileges
  2. Check available disk space (minimum 2GB required)
  3. Remove conflicting security software
  4. Run installer with logging: 
    EndpointSetup.exe /v"/l*v C:\Temp\HEP_install.log"
  5. Review the log file for specific error codes

Components Not Downloading

Symptoms: Tiny Agent installs but components fail to download.

Solutions:

  1. Verify software deployment policy is installed
  2. Check endpoint is assigned to a virtual group
  3. Verify network connectivity and bandwidth
  4. Review component download status in the endpoint's local console
  5. Force policy download from the system tray icon

Service Not Starting

Symptoms: Check Point services fail to start after installation.

Solutions:

  1. Check Event Viewer for service startup errors
  2. Verify system date/time is accurate (required for certificate validation)
  3. Run the Check Point diagnostic tool: 
    "C:\Program Files (x86)\CheckPoint\Endpoint Security\Common\CPInfo.exe"
  4. Contact Check Point support with diagnostic output if issues persist

Uninstalling Harmony Endpoint

To remove Harmony Endpoint from an endpoint:

Using Control Panel

  1. Open Settings > Apps > Apps & features
  2. Find Check Point Endpoint Security
  3. Click Uninstall
  4. Enter the uninstall password if configured
  5. Restart when prompted

Silent Uninstall

msiexec /x {Product-GUID} /qn UNINSTALL_PASSWORD=your_password

Note: Obtain the Product GUID from the registry at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Next Steps

After successful deployment:

  1. Configure security policies - Set up threat prevention and access policies
  2. Create exclusions - Add necessary antivirus exclusions for business applications
  3. Enable threat hunting - Activate EDR capabilities for advanced threat detection
  4. Set up alerts - Configure notification rules for security events
  5. Train administrators - Ensure IT staff understand the Infinity Portal interface

Additional Resources

Need help with your Check Point Harmony Endpoint deployment? Inventive HQ provides expert Check Point implementation services, from initial deployment to ongoing management and optimization. Contact us for a free consultation.

Frequently Asked Questions

Find answers to common questions

Harmony Endpoint supports Windows 10/11 and Windows Server 2016-2022, macOS 10.15+, and various Linux distributions. Endpoints require at least 2GB RAM, 2GB free disk space, and outbound HTTPS (port 443) connectivity to Check Point cloud services. The Tiny Agent installer is less than 1MB and downloads components based on your deployment policy.

Need Professional IT & Security Help?

Our team of experts is ready to help protect and optimize your technology infrastructure.

Learn About Risk AssessmentExplore vCISO Services

Related Articles

How to Configure Firewall Rules in Check Point SmartConsole

Learn how to create and manage firewall rules in Check Point SmartConsole. Step-by-step guide covering access control policies, services, and best practices.

Read More →

How to Configure Anti-Phishing Policies in Harmony Email

Step-by-step guide to configure anti-phishing protection, confidence thresholds, and exception lists in Check Point Harmony Email.

Read More →

How to Configure DLP in Harmony Email & Collaboration

Learn to configure Data Loss Prevention (DLP) policies in Check Point Harmony Email to protect sensitive data in emails and attachments.

Read More →
Back to Check Point