Forced deployment through the remote installation task of Kaspersky Security Center
Dec 4, 2023
To perform initial deployment of Network Agents or other applications, you can force installation of selected installation packages by using the remote installation task of Kaspersky Security Center—provided that each device has a user account(s) with local administrator rights and at least one device with Network Agent installed acts as a distribution point in each subnet.
In this case, you can specify target devices either explicitly (with a list), or by selecting the Kaspersky Security Center administration group to which they belong, or by creating a selection of devices based upon a specific criterion. The installation start time is defined by the task schedule. If the Run missed tasks setting is enabled in the task properties, the task can be run either immediately after target devices are turned on, or when they are moved to the target administration group.
Forced installation consists of delivery of installation packages to distribution points, subsequent copying of files to the admin$ resource on each of the target devices, and remote registration of supporting services on those devices. Delivery of installation packages to distribution points is performed through a Kaspersky Security Center feature that ensures network interaction. The following conditions must be met in this case:
- Target devices are accessible from the distribution point side.
- Name resolution for target devices function properly on the network.
- The administrative shares (admin$) remain enabled on target devices.
- The Server system service is running on target devices (by default, it is running).
- The following ports are open on target devices to allow remote access through Windows tools: TCP 139, TCP 445, UDP 137, and UDP 138.
- On target devices running Microsoft Windows XP, Simple File Sharing mode is disabled.
- On target devices, the access sharing and security model are set as Classic – local users authenticate as themselves, it can be in no way Guest only – local users authenticate as Guest.
- Target devices are members of the domain, or uniform accounts with administrator rights are created on target devices in advance.
Devices in workgroups can be adjusted in accordance with the above requirements by using the riprep.exe utility, which is described on Kaspersky Technical Support website.
During installation on new devices that have not yet been allocated to any of the Kaspersky Security Center administration groups, you can open the remote installation task properties and specify the administration group to which devices will be moved after Network Agent installation.
When creating a group task, keep in mind that each group task affects all devices in all nested groups within a selected group. Therefore, you must avoid duplicating installation tasks in subgroups.
Automatic installation is a simplified way to create tasks for forced installation of applications. To do this, open the administration group properties, open the list of installation packages and select the ones that must be installed on devices in this group. As a result, the selected installation packages will be automatically installed on all devices in this group and all of its subgroups. The time interval over which the packages will be installed depends on the network throughput and the total number of networked devices.
To allow forced installation, you should make sure that distribution points are present in each of the isolated subnets hosting target devices.
Note that this installation method places a significant load on devices acting as distribution points. Therefore, it is recommended that you select powerful devices with high-performance storage units as distribution points. Moreover, the free disk space in the partition with the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit folder must exceed, by many times, the total size of the distribution packages of installed applications.