MSI deployment

The OpsMerge Windows agent ships as a signed MSI for unattended deployment. This article covers GPO, Intune, and the general MSI command-line so you can wire it into whichever deployment tool you already use.

For one-off interactive installs, the PowerShell one-liner is faster. The MSI is for fleets.

Regional ingest hosts

This article uses ingest-eu.opsmerge.cloud throughout — the EU cell's agent ingest host. If your OpsMerge tenant is in another region (e.g. US), use the ingest hostname for your region (ingest-us.opsmerge.cloud, and so on) — shown in OpsMerge → Add agent, pre-filled correctly for your tenant.

Download the MSI

1. In OpsMerge, open the client whose endpoints will be enrolled.
2. Click Add agent.
3. In the dialog, generate a multi-use token (single-use tokens won't work across a multi-machine rollout).
4. Click Download MSI.

The file is named opsmerge-agent.msi and signed with our code-signing certificate. SmartScreen and Defender SmartScreen accept it without a warning.

Command-line install

The MSI uses two properties to register with OpsMerge — both required:

Property	Value	Required
RMM_SERVER	https://ingest-eu.opsmerge.cloud	yes
RMM_TOKEN	The multi-use token from OpsMerge	yes

Silent install:

msiexec /i opsmerge-agent.msi /qn ^
  RMM_SERVER="https://ingest-eu.opsmerge.cloud" ^
  RMM_TOKEN="YOUR-MULTI-USE-TOKEN"

The /qn flag is fully silent (no UI). Use /qb if you want a progress bar without prompts.

Uninstall:

msiexec /x opsmerge-agent.msi /qn

Or by product code if you don't have the MSI to hand:

wmic product where "name='OpsMerge Agent'" call uninstall /nointeractive

Group Policy (GPO) deployment

1. Copy the MSI to a UNC path readable by domain computers (e.g. \\dc01\NETLOGON\opsmerge-agent.msi).
2. In Group Policy Management Editor, edit the GPO that targets your endpoints.
3. Computer Configuration → Policies → Software Settings → Software installation.
4. Right-click Software installation → New → Package.
5. Browse to the UNC path; pick Assigned when prompted.
6. Important: the default GPO MSI install doesn't pass properties. Use one of these patterns instead:
   • A transform (.mst). Generate an MST with Orca or InstEd that sets RMM_SERVER and RMM_TOKEN. Attach it under Modifications when you assign the package.
   • A wrapper script. Skip the built-in MSI policy and use a GPO startup script that calls msiexec /i ... RMM_SERVER=... RMM_TOKEN=.... Easier than building a transform, and you can edit the token without re-generating the MST.

Multi-use tokens have a validity window

Tokens default to 24-hour expiry. For a GPO rollout that spans more than a day, set the expiry longer (or generate a fresh token mid-rollout and update the GPO).

Intune deployment

1. Intune admin centre → Apps → Windows → Add → Line-of-business app.

2. Upload opsmerge-agent.msi.

3. App information: pre-filled from the MSI metadata. Confirm and continue.

4. Command-line arguments (this is the key step — Intune ignores Property=Value pairs by default):

   RMM_SERVER="https://ingest-eu.opsmerge.cloud" RMM_TOKEN="YOUR-MULTI-USE-TOKEN"

5. Assignments: target the device group(s) you want enrolled.

6. Review + create.

Intune installs silently in the system context — no operator needed at the endpoint.

Don't put the token in plain Intune assignment notes

Intune properties are visible to anyone with read access to the app. If your IT helpdesk has read access to the Intune tenant, they can see the token. Use multi-use tokens with short expiry and rotate them between rollouts.

PDQ Deploy, Action1, Ninite Pro, etc.

Any MSI-aware deployment tool works. The pattern is identical:

msiexec /i opsmerge-agent.msi /qn RMM_SERVER="..." RMM_TOKEN="..."

If your tool has an "MSI properties" field, paste RMM_SERVER=... RMM_TOKEN=... there instead of building a custom command.

SCCM / MECM

Use the MSI as a Standard program in an Application package:

• Installation program: msiexec /i "opsmerge-agent.msi" /qn RMM_SERVER="https://ingest-eu.opsmerge.cloud" RMM_TOKEN="YOUR-TOKEN"
• Detection method: Registry key under HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ with DisplayName = OpsMerge Agent. Or by MSI Product Code (in the MSI summary stream).
• Install behaviour: Install for system.
• User experience: Hidden.

Verifying deployment

After deployment, in OpsMerge:

1. Open Agents in the left sidebar.
2. Filter by the client you deployed against.
3. New endpoints appear within 30 seconds of finishing install. Big rollouts (50+ endpoints) come in waves over a few minutes.

If a machine ran the MSI but never appears in OpsMerge, see Troubleshooting agents.

What the MSI does under the hood

If you need to defend the install to your security team:

1. Drops rmm-agent.exe and rmm-updater.exe to C:\Program Files\RMM\.
2. Writes the agent config to C:\ProgramData\rmm\rmm-agent.yml populated from the MSI properties.
3. Installs RMMAgent and RMMUpdater Windows services, both running as LOCAL SYSTEM.
4. Starts the service. The service then registers with ingest-eu.opsmerge.cloud and pulls down any client-specific config.

There's no reboot required and no kernel driver involved.

Next

• Updates & rollouts — how the deployed agent updates itself going forward
• Troubleshooting agents