1. Download the installer from the Kaspersky Endpoint Security 10 for Windows downloads page.
2. Extract the application installation files.
3. Run the setup.exe file.
4. Follow the Wizard’s instructions.

Step 1: Checking software and hardware requirements

The Installation Wizard checks whether:

• Software and hardware requirements are met.
• The user has the rights to install the application.

If the PC meets all the requirements, the Setup Wizard searches for incompatible applications. If any are found, you can remove them manually. 

If a previous version of Kaspersky Endpoint Security 10 for Windows is found, it is automatically removed. Information about activation and application settings are saved and applied during installation of the new version.

Step 2: The initial setup window

The initial setup window informs you that the installation of Kaspersky Endpoint Security 10 for Windows is about to begin. To continue the installation, click Next.

Step 3: End User License Agreement

Read the End User License Agreement. If you accept all the terms, check the box I accept the terms of the End User License Agreement.

Step 4: Select the installation type

Select an installation type:

• Basic installation: The protection components Application Privilege Control and Vulnerability Monitor are installed.
• Standard installation: Protection components and control components are installed.
• Custom installation: Select the components to install and specify the directory in which to install the application.

Step 5: Custom installation

This screen only appears if you have selected Custom installation.

Select the Kaspersky Endpoint Security 10 for Windows protection components to be installed.

By default, all components are selected for installation except:

• BadUSB Attack Prevention
• Drive Encryption
• File Encryption
• Microsoft Bitlocker Manager
• KATA Endpoint Sensor

File Anti-Virus is a mandatory component for installation. 

Step 6: Select the destination folder

This step is only available if you selected Custom installation.

In this step, you can specify the path to the folder where the application will be installed. To select the folder, click Browse.

By default, Kaspersky Endpoint Security 10 for Windows is installed in.

• For 32-bit operating systems: Disk:\Program Files\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows\ 
• For 64-bit operating systems: Disk:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows\

Step 7: Exclusions from the scan scope

This step is only available if you selected Custom installation.

Add recommended areas to the trusted zone so that Kaspersky Endpoint Security 10 for Windows does not scan them. To do so, select the checkbox:

• Exclude areas that are recommended by Kaspersky Lab from virus scan scope
• Exclude areas that are recommended by Microsoft from virus scan scope The checkbox is already selected when installing Kaspersky Endpoint Security 10 for Windows for file servers. 

Step 8: Preparation for installation

If you are installing Kaspersky Endpoint Security 10 for Windows for file servers via Windows Remote Desktop, we recommend clearing the checkbox Protect the installation process . 

If you are working with Citrix Provisioning Services and need to install drivers in Citrix PVS compatibility mode, select the checkbox Ensure compatibility with Citrix Provisioning Services. 

So as not to add the path to the .exe file in the command line, select the checkbox Add the path to the file avp.com to the system variable %PATH%. If this option is enabled, to start Kaspersky Endpoint Security 10 for Windows from the command line you will only need to enter the name of the .exe file and the command to start the particular task.

Step 9: Application installation

Installing the application can take some time. Please wait for it to complete.

Using the Initial Configuration Wizard, activate Kaspersky Endpoint Security 10 for Windows and collect information about applications included in the operating system. 

You can install Kaspersky Endpoint Security 10 for Windows via the command line:

• In the interactive mode that requires user’s participation.
• In the silent mode.

Installation in the interactive mode

To install the application in the interactive mode:

1. Open the command line on the client device.
2. Run the following command:
   • msiexec /i <package path>\<package name>

     Example:

     msiexec /i C:\KES10SP2\kes10winsp2.msi
   • <path to setup.exe>\setup.exe

     Example:

     C:\KES10SP2\setup.exe

Installation in the silent mode

To install the application in the silent mode:

1. Open the command line on the client device.
2. Run the following command:
   • msiexec /i <package path>\<package name> EULA=1 KSN=1 KLPASSWD=<password> KLPASSWDAREA=<protected area> ALLOWREBOOT=1 /qn

     Example:

     msiexec /i C:\KES10SP2\kes10winsp2.msi EULA=1 KSN=1 KLPASSWD=test KLPASSWDAREA=EXIT ALLOWREBOOT=0 /qn
   • setup.exe /pEULA=1 /pKSN=1 /pKLPASSWD=<password> /pKLPASSWDAREA=<protected area> /pALLOWREBOOT=1 /s

     Example:

     C:\KES10SP2\setup.exe /pEULA=1 /pKSN=0 /pKLPASSWD=test /pKLPASSWDAREA=SET /pALLOWREBOOT=1 /s

   Where:

   EULA=1 means acceptance of the End User License Agreement. The installation will not proceed if EULA=0.

   KSN=1 means you agree to participate in the Kaspersky Security Network (KSN). This is a mandatory parameter and has no default value.

   KLPASSWD sets a password authorizing certain actions with the application and modification of application settings.

   KLPASSWDAREA is used in combination with KLPASSWD and can be one of the following:

   • SET — set a password to modify the application settings.
   • EXIT — set a password to exit the application.
   • DISPROTECT — set a password to disable protection components and stop scan tasks.
   • DISPOLICY — set a password to disable the Kaspersky Security Center 10 policy.
   • UNIST — set a password to remove the application from the device.
   • DISCONTRL — set a password to disable control components (Application Startup Control, Application Privilege Control, Vulnerability Monitor, Device Control, Web Control).
   • REMOVELIC — set a password to remove the license.
   
   

   ALLOWREBOOT=1 — you agree to automatically reboot the computer if necessary. If the ALLOWREBOOT parameter is not included into the command, ALLOWREBOOT=0 is set by default.

In Kaspersky Security Center 10, you can install Kaspersky Endpoint Security 10 for Windows on client devices using remote installation tasks:

• Group tasks for managed devices located in the same administration group.
• Tasks for selected devices which can be chosen from any group of managed devices. 

For the remote installation task to run correctly on the client device on which Network Agent is not installed, the following ports must be opened: TCP 139 and 445, UDP 137 and 138. By default, these ports are opened on all client devices included in the domain. They are opened automatically by the remote deployment preparation utility, riprep.exe.

Installation through the group task

1. Open Kaspersky Security Center 10.
2. Select an administration group, e.g. Managed devices. Go to the Tasks tab and click Create a task.

3. Select Kaspersky Security Center 10 Administration Server → Install application remotely.

4. Select the installation package or create a new one. 
5. Select the check box Install Network Agent along with this application if necessary. Select the Network Agent version.

6. Adjust the remote installation settings.
7. Select the operating system restart options.
8. Select the user account for running the task. 
9. Configure the task schedule. 
10. Enter a name for the task. 
11. If necessary, select the checkbox Run task after Wizard finishes. Click Finish.
12. Run the task manually or wait until it runs according to the schedule.

The task of  Kaspersky Endpoint Security 10 for Windows remote installation will be started. You can track its progress on the Tasks tab.  

Installation through the task for device selections

1. Open Kaspersky Security Center 10.
2. Go to Tasks. Click Create a task. 

3. Select Kaspersky Security Center 10 Administration Server → Install application remotely. 
4. Select the installation package or create a new one. For instructions, see this article.
5. Select the checkbox Install Network Agent along with this application if necessary.
6. Adjust the remote installation settings.
7. Select the operating system restart options.
8. Configure the relocation settings for device upon the installation of Network Agent. 
9. Select the devices to which the task will be applied:
   • Select networked devices discovered by Administration Server Select devices that the Administration Server has detected.
   • Specify device addresses manually, or import addresses from list . Specify NetBIOS names, DNS names, IP addresses and ranges.
   • Assign task for device selection . Specify the device selection. 
   • Assign task to an administration group . Assign the task to the existing group of managed computers.

10. Select the user account for running the task.
11. Configure the task schedule. 
12. Enter the name for the task.
13. If necessary, select the checkbox Run task after Wizard finishes. Click Finish.
14. Run the task manually or wait until it runs according to the schedule.

The task of  Kaspersky Endpoint Security 10 for Windows remote installation will be started. You can track its progress on the Tasks tab.  

To install or update Kaspersky Endpoint Security 10 for Windows on devices in a doman, use group policies.

Installation through Active Directory group policies

1. Create a shared folder on a device in the domain and move the installation file in the MSI format to it.
   To automatically deploy Kaspersky Endpoint Security 10 for Windows in a network, also copy the following files into the same folder:
   • setup.ini configuration file
   •  install.cfg configuration file
   • Key file
2. Open the Group Policy Management console using the command gpmc.msc.
3. Go to Group policy Objects. Open the object for editing.
4. Go to Computer configuration → Policies → Software settings → Software installation.
5. In the context menu, select New → Package. 

6. Specify the path to the installation file in the shared folder. Click Open.
7. Select Assigned. Click OK.

Upgrade through Active Directory group policies

1. Open the Group Policy Management console using the command gpmc.msc.
2. Go to Group policy Objects. Open the object for editing.
3. Go to Computer configuration → Policies → Software settings → Software installation.
4. Create the installation package for the new application version.
5. Open the package properties. 
6. Go to the Update tab. Click Add.
7. Select the installation package for the earlier version. Click OK.

After the group policy is applied on the devices, Kaspersky Endpoint Security 10 for Windows will be upgraded at the next system restart on the managed devices.

It is simpler to install Kaspersky Endpoint Security 10 for Windows and Network Agent using Active Directory group policies via Kaspersky Security Center 10. 

To install the application:

1. Create an installation package. 
   A Kaspersky Endpoint Security 10 for Windows installation package is created automatically when installing the full version of Kaspersky Security Center 10.
2. Go to Tasks. Click Create a task.
3. Select Kaspersky Security Center 10 Administration Server → Install application remotely.
4. Choose Kaspersky Endpoint Security 10 for Windows.
5. Select the check box Install Network Agent along with this application. Select the Network Agent version.
6. Clear the check boxes Using Network Agent and Using operating system resources by means of Administration Server.
7. Select the check box Assign Network Agent installation in the Active Directory group policies.

8. Follow the remaining steps of the task wizard.
   At the step Selecting an account to run the task, specify an account that has permissions for creating group policies. 
9. Run the task manually or want until it runs according to the schedule.

Special considerations

• Kaspersky Endpoint Security 10 for Windows is installed on client devices from the shared network folder, KL Share. In the Kaspersky Security Center 10. Installation folder, another folder is created containing the .msi file for the application being installed.
• New devices will be added to the security after the task is run the next time. If the Run missed tasks check box is selected in the task schedule, the devices are added to the security group immediately.
• Devices are deleted from the security group after the task is run the next time.
• When a task is deleted from Active Directory, the respective policy, the respective link to the policy, and the respective security group are also deleted.

If you want to employ another installation scheme using Active Directory, you can configure the required settings manually. This may be necessary in the following cases:

• When the administrator does not have permissions to make changes to the Active Directory of certain domains.
• When the original installation package is stored on a separate network resource.
• When it is necessary to link a group policy to specific Active Directory units. 

There are some optional schemes for installation via Active Directory:

• If installation is to be performed directly from the Kaspersky Security Center 10 shared folder, in the Active Directory group policy properties you must specify the .msi file located in the exec subfolder of the installation package folder for the required application.
• If the installation package has to be located on another network resource, copy the contents of the exec subfolder to it.