How to Deploy Kaspersky Endpoint Security via KSC

This guide walks through deploying Kaspersky Endpoint Security for Business to managed endpoints using Kaspersky Security Center (KSC). KSC is the central console: its Administration Server holds the policies, packages and tasks, and a small Network Agent on each device carries instructions and telemetry between the endpoint and the server. The flow below is the same whether you use the MMC-based Administration Console or the browser-based KSC Web Console; menu paths may differ slightly by version.

For full deployment, configuration, support and integration in Saudi Arabia, see our Kaspersky deployment and support service.

Prerequisites

• KSC Administration Server installed and reachable, with the backing DBMS configured and the Administration Server certificate in place.
• The Kaspersky Endpoint Security for Windows management plug-in installed in KSC (and the Web Console plug-in if you use the Web Console).
• Target devices reachable on the network; for push installation, admin shares and File and Printer Sharing reachable, and a domain or local administrator account that can install software.
• TCP ports open between agents and the Administration Server: 13000 (SSL) and 14000 (non-SSL), plus 13291 for the Administration Console.
• Any incumbent/competing antivirus removed from targets to avoid driver conflicts.

Step 1 — Import the installation packages

In the Administration Console go to Advanced → Remote installation → Installation packages (Web Console: Discovery & deployment → Deployment & assignment → Installation packages). Create packages for:

• The current Kaspersky Endpoint Security for Windows distribution.
• The matching Network Agent distribution.

KSC can download the latest packages directly from Kaspersky servers, or you can import a downloaded distribution kit. Network Agent is what lets the server manage the device, so it is installed alongside (or before) KES.

Step 2 — Create the remote installation task

Run Install application remotely from the Administration Server node (or create a task under Tasks → Add of type Install application remotely). In the wizard:

1. Select the Kaspersky Endpoint Security installation package. The wizard will also install Network Agent together with KES; if Network Agent is already present, it is not reinstalled.
2. Choose the deployment method. The default and most reliable on a managed network is Using Network Agent; for first-touch devices that have no agent yet, KES/Network Agent can be pushed Using operating system resources through the admin share, which requires the admin account from the prerequisites.
3. Select the devices or administration group to target (for example a pilot group first).
4. Set the schedule — Manually, At specified time, or the common When new devices are detected for automatic onboarding.
5. Provide the account with rights to install, and choose whether to restart the device automatically if required.

Run the task and watch its results per device. KSC reports success, in-progress and failed states with an error reason you can act on.

Step 3 — Verify the Network Agent connection

Once a device reports in, confirm the agent is talking to the server. Network Agent ships two command-line utilities. On Windows the default folder is:

C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\

On Linux (64-bit) it is /opt/kaspersky/klnagent64/bin/. Open an elevated command prompt in that folder and run klnagchk to display the connection settings and force a check against the Administration Server:

klnagchk

To write the result to a log file and trigger a synchronization (heartbeat) with the server:

klnagchk -logfile C:\Temp\klnagchk.log -sendhb

Useful klnagchk switches:

• -logfile <file> — write the connection-settings report to a log file.
• -sp — show the proxy-server authentication password.
• -savecert <path> — save the certificate used to access the Administration Server to a file.
• -restart — start Network Agent after the utility finishes.
• -sendhb — start synchronization (a heartbeat) between Network Agent and the Administration Server.

Step 4 — Re-point an agent with klmover (when needed)

If a device shows as not connected, was imaged from a template, or must be moved to a different Administration Server (for example a branch promoted to its own server), use klmover from the same Network Agent folder, elevated. The syntax is:

klmover [-address <server address>] [-pn <port>] [-ps <SSL port>] [-nossl] [-cert <path to certificate>]

To connect the agent to a server by DNS name over the default SSL port (13000):

klmover -address ksc.yourdomain.local -ps 13000

What the switches mean:

• -address <server address> — IP or DNS name of the Administration Server to connect to.
• -pn <port> — non-encrypted connection port (default 14000).
• -ps <SSL port> — SSL connection port (default 13000).
• -nossl — use a non-encrypted connection.
• -cert <path> — use the specified certificate file to authenticate to the Administration Server.

klmover requires local administrator rights. On Linux 64-bit the same utility is at /opt/kaspersky/klnagent64/bin/klmover. After re-pointing, run klnagchk -sendhb to confirm the device synchronizes and reappears in the correct administration group.

Step 5 — Build the protection policy

Go to Managed devices → Policies (Web Console: Devices → Policies & profiles) and create a policy for Kaspersky Endpoint Security for Windows. At minimum, enable and tune:

• File Threat Protection, Web Threat Protection, Mail Threat Protection and Network Threat Protection.
• Behavior Detection, Exploit Prevention and the Remediation Engine — these three together provide the core anti-ransomware behavior and rollback.
• Host Intrusion Prevention (HIPS), plus Application, Device and Web Control as your policy requires (for example blocking unauthorized USB storage).
• Kaspersky Security Network (KSN) for cloud reputation, or a local/Private KSN where telemetry must stay on-premises.
• Password protection so users cannot disable or uninstall the agent locally.

Use the lock icon on each setting to enforce it (preventing local override), and create policy profiles for servers vs. workstations so each device class gets an appropriate rule set.

Step 6 — Create the scan and update tasks

Under Managed devices → Tasks (Web Console: Devices → Tasks), add tasks for Kaspersky Endpoint Security:

• Update — keep anti-virus databases and application modules current; schedule frequently (for example every few hours), ideally from a KSC-hosted update repository so endpoints do not each pull from the internet.
• Malware Scan / Critical Areas Scan — a daily Critical Areas Scan plus a weekly Full Scan is a common baseline; schedule outside business hours and use the run skipped tasks option for laptops that are off at the scheduled time.
• Find Vulnerabilities and Required Updates — where the vulnerability/patch capability is licensed.

Step 7 — Validate the deployment

Confirm that the targeted devices appear under Managed devices with an OK protection status, the policy is applied, the Update task has run (databases current), and a scan has completed at least once. Check the Report on protection status and Report on Kaspersky software versions for stragglers. Resolve any not connected devices using the klnagchk/klmover steps above.

Conclusion

You now have Kaspersky Endpoint Security delivered through KSC with a verified Network Agent connection, an enforced protection policy, and scheduled update and scan tasks. For production rollouts at scale — distributed Administration Servers, distribution points, SIEM integration and NCA-aligned hardening — see our Kaspersky deployment and support service, browse the SKYLINE Marketplace, or contact us on +966 50 993 9334.