Installing the CSE Desktop App for Windows (MSI)

Updated on

Prerequisites
Mutual Exclusion Scenarios
- MSI Install Is Blocked When the EXE Is Already Installed
- EXE Install Is Blocked When the MSI Is Already Installed
Install Scenarios
What Gets Installed
Built-in MSI Flags
Configuration Properties
- Zero-Touch Deployment
- App Behavior
Upgrade Scenarios
Auto-Updates
Uninstall Scenarios
Troubleshooting
- Exit Codes

The CSE Desktop App for Windows is available as an MSI package, providing a standardized installation method compatible with enterprise MDM platforms such as Microsoft Intune. The MSI installer is the recommended deployment method for managed Windows environments and replaces the legacy EXE-based zero-touch script workflow.

The MSI installer is only supported for desktop app versions 4.3.0 and later. Earlier versions must continue to use the EXE-based installer.

Warning: The MSI and EXE installers are mutually exclusive. You must uninstall any existing EXE-based installation before installing the MSI, and vice versa.

Prerequisites

Before installing, ensure the following:

The target machine has an administrator account (the installer requires UAC elevation).
There is no prior SonicWall CSE installation present. If one exists, uninstall it first.
The machine has no pending reboot. If needed, clear pending reboot state before proceeding:

reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations /f

Mutual Exclusion Scenarios

The MSI and EXE installers are mutually exclusive. Each blocks the other from installing alongside it on the same device.

MSI Install Is Blocked When the EXE Is Already Installed

If the EXE-based installation is present and you attempt to run the MSI installer:

Expected:

Error dialog: “Installation blocked: SonicWall Cloud Secure Edge is already installed via the EXE installer. Please uninstall the existing version before installing the MSI.”
The MSI installer aborts without making changes.

To proceed, uninstall the existing EXE-based installation first.

EXE Install Is Blocked When the MSI Is Already Installed

If the MSI installation is present and you run the EXE installer:

Expected:

Error dialog: “Installation blocked. This device already has SonicWall Cloud Secure Edge installed via the MSI installer…”
The EXE installer aborts without making changes.

To proceed, uninstall the existing MSI installation first.

Install Scenarios

Clean Fresh Install (Interactive)

msiexec /i sonicwallcse-<version>.msi

Expected:

Windows Installer progress UI appears.
Files are installed at C:\Program Files\SonicWall Cloud Secure Edge\.
Start Menu and Desktop shortcuts are created.
Three services are created and started: sonicwall-cse-admin, sonicwall-cse-wgs, sonicwall-cse-updater.
The app UI launches at the end of installation.
No reboot prompt appears.

Verify:

Get-Service sonicwall-cse-admin, sonicwall-cse-wgs, sonicwall-cse-updater
Test-Path "C:\Program Files\SonicWall Cloud Secure Edge\SonicWall Cloud Secure Edge.exe"

Clean Fresh Install (Silent)

msiexec /i sonicwallcse-<version>.msi /quiet /norestart /l*v install.log

Expected:

No UI and no prompts.
Services are started.
The app does not launch automatically (silent installs skip the launch action).
Exit code 0.

Zero-Touch Install (Full Enterprise Deployment)

msiexec /i sonicwallcse-<version>.msi /quiet /norestart ^
  INVITE_CODE=<invite_code> ^
  DEPLOYMENT_KEY=<deployment_key> ^
  DEPLOY_USER=<username> ^
  DEPLOY_EMAIL=<user@example.com> ^
  DEVICE_OWNERSHIP=C ^
  IS_MANAGED_DEVICE=true ^
  DEVICE_MANAGER_NAME=<mdm_vendor> ^
  /l*v install.log

Expected:

Files are installed and services are started.
C:\ProgramData\SonicWallCSE\mdm-config.json is written with the supplied values.
The device is automatically staged with the SonicWall Command Center shortly after install.

Verify:

Get-Content "C:\ProgramData\SonicWallCSE\mdm-config.json" | ConvertFrom-Json

Zero-Touch via Intune / Azure AD (Auto User Derivation)

Applicable to Azure AD-joined devices. Deploy via Intune with only INVITE_CODE, DEPLOYMENT_KEY, DEVICE_OWNERSHIP=C, IS_MANAGED_DEVICE=true, DEVICE_MANAGER_NAME=Intune, and MULTI_USER=false:

msiexec /i sonicwallcse-<version>.msi /quiet /norestart ^
  INVITE_CODE=<invite_code> ^
  DEPLOYMENT_KEY=<deployment_key> ^
  DEVICE_OWNERSHIP=C ^
  IS_MANAGED_DEVICE=true ^
  DEVICE_MANAGER_NAME=Intune ^
  MULTI_USER=false

Expected:

The installer derives the signed-in user’s identity from the Azure AD join information on the device.
mdm-config.json is populated with the derived user email and the username portion before @ as the deploy user.

Verify:

(Get-Content "C:\ProgramData\SonicWallCSE\mdm-config.json" | ConvertFrom-Json).mdm_deploy_email

Install with Windows Firewall Rule

msiexec /i sonicwallcse-<version>.msi /quiet ALLOW_APP=true

Expected:

A firewall rule named SonicWall-CSE-App is created: outbound-allow, all profiles, any protocol, program = the app executable.

Verify:

Get-NetFirewallRule -DisplayName "SonicWall-CSE-App" | Format-List

Install with Launch Skipped

msiexec /i sonicwallcse-<version>.msi SKIP_LAUNCH=1

Expected:

The interactive install UI appears, install completes, and services start.
The app does not auto-launch (differentiates from /quiet — the user still sees the install UI).

What Gets Installed

After a successful installation, the following are created:

Application files: C:\Program Files\SonicWall Cloud Secure Edge\
Start Menu and Desktop shortcuts
Three Windows services:
- sonicwall-cse-admin
- sonicwall-cse-wgs
- sonicwall-cse-updater

User data and configuration are stored in C:\ProgramData\SonicWallCSE\ and are preserved across upgrades and uninstalls.

Built-in MSI Flags

The following standard msiexec flags control installer behavior at the command line:

Flag	Purpose
`/quiet`	Fully silent — no UI. App does not auto-launch.
`/passive`	Progress bar only, no user interaction.
`/norestart`	Never reboot automatically; return code signals if reboot is needed.
`/l*v <path>`	Verbose log (includes property values; `DEPLOYMENT_KEY` is redacted).
`MSIRESTARTMANAGERCONTROL=Disable`	Skip the RestartManager close-app dialog.

Configuration Properties

All properties are optional unless your deployment requires zero-touch staging or specific app behavior. Pass properties as KEY=VALUE on the msiexec command line.

Zero-Touch Deployment

Property	Default	Description
`INVITE_CODE`	(empty)	Admin invite code. Required to trigger `mdm-config.json` write.
`DEPLOYMENT_KEY`	(empty)	Deployment key. Required (with `INVITE_CODE`) to trigger device staging. Redacted from logs.
`DEPLOY_USER`	(empty)	Staged user name. Auto-derived from Azure AD if `MULTI_USER=false`.
`DEPLOY_EMAIL`	(empty)	Staged user email. Auto-derived from Azure AD if `MULTI_USER=false`.
`DEVICE_OWNERSHIP`	`S`	`C` = Corporate, `S` = Shared, `E` = Employee.
`DEVICE_MANAGER_NAME`	(empty)	MDM vendor identifier (e.g. `Intune`, `Jamf`, `Kandji`, `Airwatch`).
`IS_MANAGED_DEVICE`	`false`	Set to `true` for MDM-managed devices.
`MULTI_USER`	`true`	Set to `false` to auto-derive user identity from Azure AD JoinInfo registry.

App Behavior

Property	Default	Description
`CA_CERTS_PREINSTALLED`	`false`	Skip CA certificate installation (use if certs are deployed via GPO).
`SKIP_CERT_SUPPRESSION`	`false`	Do not suppress certificate warnings.
`HIDE_SERVICES`	`false`	Hide the Services list in the app UI.
`DISABLE_QUIT`	`false`	Prevent users from quitting the app.
`START_AT_BOOT`	`true`	Launch the app at Windows startup.
`AUTO_LOGIN`	`false`	Automatically log in on app start.
`HIDE_ON_START`	`true`	Start the app minimized to the system tray.
`DISABLE_AUTO_UPDATE`	`false`	Disable the auto-updater service.
`ALLOW_MULTIORG`	`false`	Enable multiple-organization support.
`ALLOW_APP`	`false`	Create a Windows Firewall outbound-allow rule for the app.
`ST_OVER_443`	`false`	Pre-enable Service Tunnel over port 443 for restricted-network environments (schools, government, financial services) where non-standard ports are blocked. The user-side toggle in the app takes precedence if overridden.
`SKIP_LAUNCH`	`0`	Set to `1` to prevent the app from launching after an interactive install.

Upgrade Scenarios

The MSI installer supports in-place upgrades. Existing configuration, staged certificates, and tokens are preserved during upgrade.

In-Place Upgrade to a Newer Version

msiexec /i sonicwallcse-<new_version>.msi /quiet /norestart

Expected:

Windows Installer detects the older version and silently replaces it with the new version.
Existing mdm-config.json, staged certificates, and tokens are preserved.

Reinstall the Same Version

msiexec /i sonicwallcse-<version>.msi REINSTALL=ALL REINSTALLMODE=vomus /quiet

Expected:

Forces a reinstall of files and registry entries without requiring an uninstall first.

Downgrade Prevention

Attempting to install an older MSI over a newer installed version is blocked.

msiexec /i sonicwallcse-<older_version>.msi

Expected:

Error dialog: “A newer version of SonicWall Cloud Secure Edge is already installed.”
The install aborts. The existing newer version remains intact.

Auto-Updates

The sonicwall-cse-updater service handles automatic updates. It polls the SonicWall release server, verifies the downloaded installer’s signature, and applies the update silently without launching the app. No action is required from end users or administrators.

To disable auto-updates, pass DISABLE_AUTO_UPDATE=true at install time.

Uninstall Scenarios

Uninstall by File Path

msiexec /x sonicwallcse-<version>.msi /quiet /norestart /l*v uninstall.log

Uninstall by ProductCode (When the MSI File Is No Longer Available)

$pc = (Get-WmiObject Win32_Product |
       Where-Object { $_.Name -like "*SonicWall Cloud Secure Edge*" }).IdentifyingNumber
msiexec /x $pc /quiet /norestart /l*v uninstall.log

Uninstall from Programs and Features

Navigate to Settings → Apps → Installed apps, search for SonicWall, and select Uninstall.

Expected for All Uninstall Methods

Services are stopped and deleted: sonicwall-cse-admin, sonicwall-cse-wgs, sonicwall-cse-updater.
All files are removed from C:\Program Files\SonicWall Cloud Secure Edge\.
All registry entries for the application are removed.
Shortcuts are removed from the Start Menu and Desktop.
The firewall rule SonicWall-CSE-App is not removed automatically (Windows Installer does not own it). Remove it manually:
Remove-NetFirewallRule -DisplayName "SonicWall-CSE-App" -ErrorAction SilentlyContinue
C:\ProgramData\SonicWallCSE\ is not removed (user data is preserved across uninstalls).

Verify:

Get-Service sonicwall-cse-admin, sonicwall-cse-wgs, sonicwall-cse-updater -ErrorAction SilentlyContinue
Test-Path "C:\Program Files\SonicWall Cloud Secure Edge"

Both should return not found / $False.

Troubleshooting

For any failed installation, re-run with verbose logging and review the output:

msiexec /i sonicwallcse-<version>.msi /l*v install.log

Symptom	Likely Cause	Resolution
Install fails with error 1603	Custom action failure	Search `install.log` for `Return value 3`. Check that `INVITE_CODE` contains no special characters, and that the Windows Firewall service is running.
Unexpected reboot prompt on fresh install	Pending reboot state from prior install	Clear `PendingFileRenameOperations` (see Prerequisites) and retry.
`mdm-config.json` not written	`INVITE_CODE` is empty	Provide a non-empty `INVITE_CODE`. The file is only written when an invite code is supplied.
Services fail to start	Missing dependency, DLL error, or signature issue	Check the SonicWall logs under `C:\ProgramData\SonicWallCSE\`.
“Installation blocked: already installed via EXE installer”	EXE-based install detected	Uninstall the existing EXE-based installation before running the MSI.

Exit Codes

Code	Meaning
`0`	Success
`1602`	User cancelled
`1603`	Fatal error — review install log
`1618`	Another installation already in progress
`1619`	MSI file not found or unreadable
`1620`	MSI invalid or corrupted
`1625`	Installation blocked by system policy
`1633`	Platform mismatch (for example, x64 MSI on x86 Windows)
`1641`	Reboot initiated by installer
`3010`	Installation complete — reboot recommended