Installing the application locally using the Wizard
The interface of the application Setup Wizard consists of a sequence of windows corresponding to the application installation steps.
To install the application or upgrade the application from a previous version using the Setup Wizard:
- Copy the distribution kit folder to the user's computer.
- Run setup_kes.exe.
The Setup Wizard starts.
Preparing for installation
Before installing Kaspersky Endpoint Security on a computer or upgrading it from a previous version, the following conditions are checked:
- presence of software with which Kaspersky Endpoint Security may have compatibility issues (the list of software is available in the incompatible.txt file that is included in the distribution kit).
- Whether or not the hardware and software requirements are met.
- Whether or not the user has the rights to install the software product.
If any one of the previous requirements is not met, a relevant notification is displayed on the screen. For example, a notification about incompatible software (see the figure below).
Removing incompatible software
If the computer meets the listed requirements, the Setup Wizard searches for Kaspersky applications that could lead to conflicts when running at the same time as the application being installed. If such applications are found, you are prompted to remove them manually.
If the detected applications include previous versions of Kaspersky Endpoint Security, all data that can be migrated (such as activation data and application settings) is retained and used during installation of Kaspersky Endpoint Security 12.8 for Windows, and the previous version of the application is automatically removed. This applies to the following application versions:
- Kaspersky Endpoint Security 11.10.0 for Windows (build 11.10.0.399).
- Kaspersky Endpoint Security 11.11.0 for Windows (build 11.11.0.452).
- Kaspersky Endpoint Security 12.0 for Windows (build 12.0.0.465).
- Kaspersky Endpoint Security 12.1 for Windows (build 12.1.0.506).
- Kaspersky Endpoint Security 12.2 for Windows (build 12.2.0.462).
- Kaspersky Endpoint Security 12.3 for Windows (build 12.3.0.493).
- Kaspersky Endpoint Security 12.4 for Windows (build 12.4.0.467).
- Kaspersky Endpoint Security 12.5 for Windows (build 12.5.0.539).
- Kaspersky Endpoint Security 12.6 for Windows (build 12.6.0.438).
- Kaspersky Endpoint Security 12.7 for Windows (build 12.7.0.533).
Configuration of Kaspersky Endpoint Security
Choosing the configuration of the application
Standard mode. The default configuration. This configuration lets you use all components of the application, including components that provide support for Detection and Response solutions. This configuration is used for comprehensive protection of the computer from a variety of threats, network attacks, and fraud.
Endpoint Detection and Response Agent. In this configuration, you can only install the components that provide support for Detection and Response solutions: Endpoint Detection and Response (KATA), Managed Detection and Response (MDR), Network Detection and Response (KATA), as well as Kaspersky Unified Monitoring and Analysis Platform (KUMA). This configuration is needed if a third-party Endpoint Protection Platform (EPP) is deployed in your organization alongside a Kaspersky Detection and Response solution. This makes Kaspersky Endpoint Security in the Endpoint Detection and Response Agent configuration compatible with third-party EPP applications.
Light Agent to protect virtual environments. This configuration is intended for the application that is used as part of the Kaspersky Security for Virtualization Light Agent solution. Light Agent must be installed on each virtual machine that needs to be protected using the solution. In this configuration, you cannot use Data Encryption components or Adaptive Anomaly Control. If you are installing Light Agent on a virtual machine template that will be used to create nonpersistent virtual machines, select the Protect VDI infrastructure check box (VDI stands for Virtual Desktop Infrastructure). The VDI protection mode helps optimize the performance of Kaspersky Endpoint Security on nonpersistent virtual machines. In this mode, Light Agent declines application updates that require restarting the virtual machine. When receiving application updates that require a restart, Light Agent generates an event about needing to update the template of the protected virtual machines.
Kaspersky Endpoint Security components
During the installation process, you can select the components of Kaspersky Endpoint Security that you want to install (see the figure below). The File Threat Protection component is a mandatory component that must be installed. You cannot cancel its installation.
Selecting application components to install
By default, all application components are selected for installation except the following components:
You can change the available application components after the application is installed. To do so, you need to run the Setup Wizard again and choose to change the available components.
If you need to install Detection and Response components, Kaspersky Endpoint Security supports the following configurations:
- Endpoint Detection and Response Optimum only
- Endpoint Detection and Response Expert only
- Endpoint Detection and Response (KATA) only
- Network Detection and Response (KATA) only
- Sandbox only
- Endpoint Detection and Response Optimum and Sandbox
- Endpoint Detection and Response Expert and Sandbox
- Endpoint Detection and Response (KATA) and Sandbox
- Network Detection and Response (KATA) and Endpoint Detection and Response (KATA)
- Network Detection and Response (KATA) and Managed Detection and Response
Kaspersky Endpoint Security verifies the selection of components before installing the application. If the selected configuration of Detection and Response components is not supported, Kaspersky Endpoint Security cannot be installed.
Selecting the folder for installing the application
You can change the installation path of Kaspersky Endpoint Security on a client computer. By default, the application is installed in the %ProgramFiles(x86)%\Kaspersky Lab\KES.12.8 folder.
Configuring the trusted zone
Starting with Kaspersky Endpoint Security 12.6 for Windows, scan exclusions and trusted applications are added to the trusted zone. Predefined scan exclusions and trusted applications help quickly configure Kaspersky Endpoint Security on SQL servers, Microsoft Exchange servers, and System Center Configuration Manager. This means you do not need to manually set up a trusted zone for the application on servers.
Starting with Kaspersky Endpoint Security 12.8 for Windows, you can install the application in Light Agent mode for protecting virtual environments. Predefined scan exclusions and trusted applications can help you quickly configure Kaspersky Endpoint Security in Citrix and VMware virtual environments.
You can also configure the trusted zone later in policy properties: scan exclusions and trusted applications.
Advanced settings
Advanced application installation settings
Protect the application installation process. Installation protection includes protection against replacement of the distribution package with malicious applications, blocking access to the installation folder of Kaspersky Endpoint Security, and blocking access to the system registry section containing application keys. However, if the application cannot be installed (for example, when performing remote installation with the help of Windows Remote Desktop), you are advised to disable protection of the installation process.
Ensure compatibility with Citrix PVS. You can enable support of Citrix Provisioning Services to install Kaspersky Endpoint Security to a virtual machine.
Add the path to the file avp.com to the system variable %PATH%. You can add the installation path to the %PATH% variable for convenient use of the command line interface.
