🧩 Overview
Some partners are currently experiencing an issue where Liongard Agents overwrite one another in the platform. This occurs when multiple devices share the same Windows MachineGuid, causing the platform’s deduplication logic to treat distinct machines as the same agent record.
Liongard is actively developing a permanent platform-level fix. Until that is released, this KB outlines a temporary mitigation using a PowerShell-based installation process and the MSI DEVICEID flag to prevent agent overwrites entirely.
The attached script:
Detects MachineGuid conflicts
Optionally removes an existing agent before reinstalling
Generates a unique device ID when required
Installs the Liongard Agent using that unique identity
Writes an installer log and a full transcript log of the console output
📎 Script attached: LiongardAgentInstaller_DeviceID.txt
🛠️ Current Status
Permanent Fix (In Development)
Liongard is building a platform-level solution that will:
Correctly handle duplicate identifiers
Improve deduplication logic
Reduce reliance on MachineGuid during agent linking
Temporary Mitigation (Use Immediately)
The provided PowerShell installer, combined with the MSI DEVICEID parameter, ensures each installed agent has a unique identity, preventing overwrites even on systems with duplicated MachineGuids.
The script also includes:
An optional pre-uninstall step to remove an existing Liongard Agent
The ability to include or omit the Environment parameter in the MSI install
Clear console messaging for install success/failure
A transcript file capturing all console output for later review
Agent 5.1 Availability
Until the static link is updated, partners should use:
https://agents.static.liongard.com/LiongardAgent5.1.1.msi
Once 5.1 is published to the standard URL, partners should return to using:
https://agents.static.liongard.com/LiongardAgent-lts.msi
✅ Partner Instructions for Using the Script
1. Download
The script is provided as a .txt file. Partners should:
Download the file
Open it in a text editor
Update the configuration values near the top of the script
Save it as a .ps1 PowerShell script
Deploy it via RMM
2. Update Required Variables
Near the top of the script, you’ll find the partner configuration section:
InstancePrefix – e.g., us1, us2, us3, eu1
ApiTokenKey / ApiTokenSecret – Liongard API token for querying existing agents
AgentTokenKey / AgentTokenSecret – Liongard Agent install key/secret
Environment – Liongard Environment name (often an RMM org/site variable)
EnablePreUninstall –
$true = attempt to uninstall any existing Liongard Agent before installation
$false = keep the existing agent if present and skip reinstallation
IncludeEnvironmentValue –
$true = pass LIONGARDENVIRONMENT="<Environment>" to the MSI
$false = omit the Environment parameter during install
Folder – Working directory (default: C:\Liongard)
InstallerUrl – URL to the Liongard Agent MSI (currently 5.1 static link)
The script validates required values and will throw an error if any of the placeholder values (e.g. REPLACE_WITH_...) are still present.
Note: If IncludeEnvironmentValue is set to $true, Environment must be populated. If you intentionally omit the environment mapping, set IncludeEnvironmentValue = $false.
3. RMM Deployment Notes
The script is designed to be deployed via RMM systems that can execute PowerShell scripts, including:
NinjaOne
ConnectWise Automate
Datto RMM
SyncroMSP
Any other PowerShell-capable RMM
Important:
When you are including the Environment parameter, the RMM’s client/org/site name should match the Liongard Environment Name exactly (or you should map it to the correct Liongard environment value via variables).
🧭 Partner Action Items
Use this script on endpoints affected by the overwrite behavior
Decide whether to:
Use pre-uninstall ($EnablePreUninstall = $true) for a clean reinstall, or
Keep it idempotent ($EnablePreUninstall = $false), where the script skips installation if the Agent is already present
Verify in Liongard that:
Agents are no longer overwriting each other
Each device is represented as a unique agent
When reporting issues to Liongard Support, include:
C:\Liongard\AgentInstall.log
The transcript log (e.g., C:\Liongard\LiongardAgentInstaller_DeviceID_YYYYMMDD_HHmmss.log)
Hostname and MachineGuid
Environment name
Also:
Ensure Sysprep is used in imaging workflows
Reimage or correct OEM devices known to ship with duplicated MachineGuids
🔍 Root Cause Explained
Why does Agent overwrite occur?
Liongard Agents identify themselves using the Windows MachineGuid. When multiple endpoints share the same MachineGuid, the platform sees them as the same device, and they all attach to a single Agent record.
This leads to:
Device details flipping between endpoints
Inspectors reporting from whichever endpoint checked in last
Apparent “overwrite” behavior rather than duplicate agents
Common Causes of Shared MachineGuids
Imaging without Sysprep
Golden images/clones preserve the same MachineGuid
VM templates not generalized
Cloned VMs inherit the template’s MachineGuid
OEM devices with duplicate GUIDs
Some vendors ship hardware with repeated MachineGuid values
Broken or placeholder registry keys
HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid is missing or invalid
Why this didn’t happen in the past
Previously:
Uninstalling and reinstalling the Agent could create duplicate Agent records
This was fixed by treating MachineGuid as the primary identity and reusing an existing record when MachineGuid matches
That fix works correctly for reinstalls on the same machine, but it creates a new edge case when different machines share the same MachineGuid. In those cases:
All machines legitimately reattach to the same Agent record
No duplicates are created—just overwrites
The current script/workaround solves this by assigning a stable, unique DEVICEID per machine, even when their MachineGuid values collide.
💡 How the Workaround Prevents Overwrites
The MSI installer supports:
DEVICEID=<value>
The PowerShell script:
Reads the local MachineGuid
Falls back to the system UUID if needed
Queries Liongard’s /api/v1/agents endpoint to see how that identity is currently used
Detects when the local MachineGuid matches an existing Agent but with a different hostname (overwrite risk)
Generates a new GUID-based DEVICEID in those cases
Passes DEVICEID=<generated GUID> to msiexec
As a result, each endpoint gets its own unique DEVICEID, so even if MachineGuids are duplicated, the platform can keep the agents separate.
💻 PowerShell Installer Script Overview
The attached script (LiongardAgentInstaller_DeviceID.txt) contains all logic needed to prevent Agent overwrites and to log what happened during each run.
1. Partner Configuration Validation
The script calls Assert-ConfigurationValue for all required values:
InstancePrefix
ApiTokenKey / ApiTokenSecret
AgentTokenKey / AgentTokenSecret
Environment (only when IncludeEnvironmentValue = $true)
If any configuration is missing or still contains placeholder values, the script throws an error and stops.
2. Existing Agent Handling (Pre-Uninstall vs Idempotent Mode)
Pre-uninstall enabled ($EnablePreUninstall = $true):
The script attempts to uninstall any existing Liongard Agent using standard MSI/uninstall logic.
It logs the uninstall outcome and, if the Agent is still detected afterward, aborts the installation.
Pre-uninstall disabled ($EnablePreUninstall = $false):
If an Agent is already installed, the script stops and skips installation to keep the run idempotent.
If no Agent is detected, it proceeds with the install.
3. Liongard API Query
The script calls:
https://<InstancePrefix>.app.liongard.com/api/v1/agents
It retrieves existing agents and uses:
Hostnames / FQDNs
MachineGuid values
to determine if installing on this machine would create an overwrite scenario.
4. Machine Identity Resolution
The script:
Reads MachineGuid from HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
If missing or invalid, it falls back to Win32_ComputerSystemProduct’s UUID
This ensures the script always has a usable identity source, even on broken or misconfigured systems.
5. Overwrite Detection and DEVICEID Selection
Based on the API results and local identity:
If the MachineGuid is already in use by a different hostname, the script considers it an overwrite risk
In that case, a new GUID is generated and used as the DEVICEID for this installation
That DEVICEID is passed to the MSI so Liongard treats this as a distinct Agent
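The identity resolution and overwrite check from sections 4 and 5, as an added example that is not taken from the attached Liongard script. The function names, the Hostname and MachineGuid property names on the agent records, and the short-name hostname comparison are assumptions; the sample records are constructed.

```powershell
# Added example, not Liongard's script. Property names on the agent records
# (Hostname, MachineGuid) are assumptions about the /api/v1/agents response.
function Test-UsableGuid {
    param([string]$Value)
    $parsed = [guid]::Empty
    # Reject missing, malformed and all-zero placeholder values
    return [guid]::TryParse($Value, [ref]$parsed) -and ($parsed -ne [guid]::Empty)
}

function Get-LocalMachineIdentity {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Cryptography'
    $guid = (Get-ItemProperty -Path $key -Name MachineGuid -ErrorAction SilentlyContinue).MachineGuid
    if (Test-UsableGuid $guid) {
        return [pscustomobject]@{ Source = 'MachineGuid'; Value = $guid }
    }
    # Fallback named in the KB: UUID from Win32_ComputerSystemProduct
    $uuid = (Get-CimInstance -ClassName Win32_ComputerSystemProduct).UUID
    if (Test-UsableGuid $uuid) {
        return [pscustomobject]@{ Source = 'SystemUUID'; Value = $uuid }
    }
    throw 'No usable machine identity (MachineGuid or system UUID) found.'
}

function Select-DeviceId {
    param(
        [Parameter(Mandatory)][string]$LocalId,
        [Parameter(Mandatory)][string]$LocalHostname,
        [object[]]$Agents
    )
    # Compare short names so WS-001 and WS-001.corp.example count as one host
    $short = ($LocalHostname -split '\.')[0]
    $conflicts = @($Agents | Where-Object {
        $_.MachineGuid -eq $LocalId -and (($_.Hostname -split '\.')[0] -ne $short)
    })
    $risk = $conflicts.Count -gt 0
    $deviceId = if ($risk) { [guid]::NewGuid().ToString() } else { $null }
    [pscustomobject]@{ OverwriteRisk = $risk; ConflictsWith = $conflicts.Hostname; DeviceId = $deviceId }
}

# Constructed sample records standing in for the API result
$agents = @(
    [pscustomobject]@{ Hostname = 'WS-001.corp.example'; MachineGuid = '11111111-2222-3333-4444-555555555555' }
    [pscustomobject]@{ Hostname = 'WS-002'; MachineGuid = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' }
)
Select-DeviceId -LocalId '11111111-2222-3333-4444-555555555555' -LocalHostname 'WS-003' -Agents $agents
Select-DeviceId -LocalId '11111111-2222-3333-4444-555555555555' -LocalHostname 'ws-001' -Agents $agents
```

On an endpoint, pass `(Get-LocalMachineIdentity).Value` and `$env:COMPUTERNAME` in place of the constructed literals; the first call above reports an overwrite risk and the second does not.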
6. Agent Installation, Logging, and Transcript
The script:
Ensures the working folder (default C:\Liongard) exists
Downloads the MSI from the configured InstallerUrl
Builds the msiexec command with:
LIONGARDURL
LIONGARDACCESSKEY
LIONGARDACCESSSECRET
LIONGARDAGENTNAME (hostname)
LIONGARDENVIRONMENT (only if IncludeEnvironmentValue = $true and Environment is set)
DEVICEGUID when a unique override is required
Writes the MSI log to:
C:\Liongard\AgentInstall.log
Starts a PowerShell transcript at the beginning of the run using:
C:\Liongard\LiongardAgentInstaller_DeviceID_YYYYMMDD_HHmmss.log
At the end of the run, it:
Parses the MSI log for the summary and exit code
Re-checks whether the Agent is detected on the system
Prints a clear success message when:
MSI result is 0 or 3010, and
The Agent is detected
Prints detailed warning messages if:
MSI returned a non-zero status, or
The Agent is not detected
The script then sets an appropriate exit code, which RMM tools can use to detect failures, and cleanly stops the transcript.
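A sketch of the install step above that also keeps the agent secret out of the console output captured by the transcript, written as an added example and not taken from the attached script. The function names, the msiexec switches (/i, /qn, /L*v), and the LIONGARDURL value format are assumptions; DEVICEID is used as the override property, following the "MSI installer supports" statement earlier in this KB.

```powershell
# Added example, not Liongard's script. The msiexec switches and the
# LIONGARDURL value format are assumptions; property names come from this KB.
function New-AgentMsiArguments {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$LogPath,
        [Parameter(Mandatory)][string]$LiongardUrl,
        [Parameter(Mandatory)][string]$AccessKey,
        [Parameter(Mandatory)][string]$AccessSecret,
        [Parameter(Mandatory)][string]$AgentName,
        [string]$Environment,
        [bool]$IncludeEnvironmentValue,
        [string]$DeviceId
    )
    if ($IncludeEnvironmentValue -and [string]::IsNullOrWhiteSpace($Environment)) {
        throw 'IncludeEnvironmentValue is $true but Environment is empty.'
    }
    $msiArgs = @(
        '/i', "`"$MsiPath`"", '/qn', '/L*v', "`"$LogPath`"",
        "LIONGARDURL=`"$LiongardUrl`"",
        "LIONGARDACCESSKEY=`"$AccessKey`"",
        "LIONGARDACCESSSECRET=`"$AccessSecret`"",
        "LIONGARDAGENTNAME=`"$AgentName`""
    )
    if ($IncludeEnvironmentValue) { $msiArgs += "LIONGARDENVIRONMENT=`"$Environment`"" }
    if ($DeviceId)                { $msiArgs += "DEVICEID=$DeviceId" }
    return $msiArgs
}

function Hide-AgentSecret {
    param([string[]]$Arguments)
    # Mask the secret before the command line reaches the console or transcript
    $Arguments -replace '^(LIONGARDACCESSSECRET=).*$', '$1<redacted>'
}

function Test-InstallOutcome {
    param([int]$ExitCode, [bool]$AgentDetected)
    # 0 = success, 3010 = success with reboot required
    return ($ExitCode -in 0, 3010) -and $AgentDetected
}

# Constructed values for illustration only
$msiArgs = New-AgentMsiArguments -MsiPath 'C:\Liongard\agent.msi' -LogPath 'C:\Liongard\AgentInstall.log' `
    -LiongardUrl 'us1.app.liongard.com' -AccessKey 'EXAMPLE_KEY' -AccessSecret 'EXAMPLE_SECRET' `
    -AgentName $env:COMPUTERNAME -DeviceId ([guid]::NewGuid().ToString())
Write-Host "msiexec.exe $((Hide-AgentSecret $msiArgs) -join ' ')"
# Real run: $proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
Test-InstallOutcome -ExitCode 3010 -AgentDetected $true
Test-InstallOutcome -ExitCode 0 -AgentDetected $false
```

A verbose MSI log records the public properties passed on the command line, so check AgentInstall.log for the secret value before attaching it to a support ticket.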
✔️ Summary
This KB addresses the Liongard Agent overwrite issue caused by shared MachineGuid values and describes a robust PowerShell-based workaround.
The script:
Detects overwrite risk using Liongard’s API
Can optionally uninstall an existing Agent before reinstalling
Assigns a unique per-machine DEVICEID when needed
Supports installs with or without the Environment parameter
Writes to C:\Liongard\AgentInstall.log
Generates a script transcript log (LiongardAgentInstaller_DeviceID_YYYYMMDD_HHmmss.log) for full run visibility
Prints clear success/failure messages and returns useful exit codes for RMM monitoring
Until the permanent platform fix is released, this script + DEVICEID approach is the recommended way to prevent Agent overwrites on endpoints with duplicate MachineGuids.
