Remote installation of operating systems and applications

Kaspersky Security Center allows you to create operating system images and deploy them on client devices on the network, as well as perform remote installation of applications by Kaspersky or other vendors.

To create images of operating systems, you must install the Windows ADK and the Windows PE add-on for the Windows ADK tools on the Administration Server. We recommend that you install the latest versions of the Windows ADK and the Windows PE add-on for the Windows ADK. You can create an image of any version of Windows operating system that meets the requirements of the Kaspersky Security Center.

Capturing images of operating systems

Kaspersky Security Center can capture operating system images from devices and transfer those images to the Administration Server. Such images of operating systems are stored on the Administration Server in a dedicated folder. The operating system image of a reference device is captured and then created through an installation package creation task.

The functionality of operating system image capturing has the following features:

• An operating system image cannot be captured on a device on which Administration Server is installed.
• During capture of an operating system image, the sysprep.exe utility resets the settings of the reference device. If you want to restore the settings of the reference device, select the Create backup copy of the device state check box in the Operating System Image Creation Wizard.
• The image capturing process provides for a restart of the reference device.

Deploying images of operating systems on new devices

You can use the images received for deployment on new networked devices on which no operating system has been installed yet. A technology named Preboot eXecution Environment (PXE) is used in this case. You select a networked device that will act as PXE server. This device must meet the following requirements:

• Network Agent must be installed on the device.
• A DHCP server cannot be active on the device because a PXE server uses the same ports as a DHCP server.
• The network segment that includes the device must not contain any other PXE servers.

The following conditions must be met to deploy an operating system:

• A network card must be mounted on the device.
• The device must be connected to the network.
• The Network boot option must be selected in BIOS when booting the device.

Deployment of an operating system is performed as follows:

1. The PXE server establishes a connection with the new client device while the latter is booting up.
2. The client device becomes included in Windows Preinstallation Environment (WinPE).

   Adding the device to WinPE may require configuration of the set of drivers for WinPE.

3. The client device is registered on Administration Server.
4. The administrator assigns the client device an installation package with an operating system image.

   The administrator can add required drivers to the installation package with the operating system image. The administrator can also specify a configuration file with the operating system settings (answer file) that is to be applied during installation.

5. The operating system is deployed on the client device.

The administrator can manually specify the MAC addresses of client devices that have not yet been connected, and assign them the installation package with the operating system image. When the selected client devices connect to the PXE server, the operating system is automatically installed on those devices.

Deploying images of operating systems on devices where another operating system has already been installed

Deployment of images of operating systems on client devices where another operating system has already been installed is performed through the remote installation task for specific devices.

Installing applications by Kaspersky and other vendors

The administrator can create installation packages of any applications, including those specified by the user, and install the applications on client devices through the remote installation task.

Creating images of operating systems

Images of operating systems are created using the task of removing the operating system image of the reference device.

To create the operating system image making task:

1. In the Remote installation folder of the console tree, select the Installation packages subfolder.
2. Click the Create installation package button to run the New Package Wizard.
3. In the Select installation package type window of the Wizard, click the Create an installation package with the operating system image button.
4. Follow the instructions of the Wizard.

When the Wizard finishes, an Administration Server task is created named Create installation package upon reference device OS image. You can view the task in the Tasks folder.

When the Create installation package upon reference device OS image task is complete, an installation package is created that you can use to deploy the operating system on client devices through a PXE server or the remote installation task. You can view the installation package in the Installation packages folder.

Installing images of operating systems

Kaspersky Security Center allows you to deploy WIM images of desktop and server-based Windows operating systems on devices within an organization's network.

The following methods can be used to retrieve an operating system image that would be deployable by using Kaspersky Security Center tools:

• Import from the install.wim file included in the Windows distribution package
• Capturing an image from a reference device

Two scenarios are supported for deployment of operating system images:

• Deployment on a "clean" device, that is, without any operating system installed
• Deployment on a device running Windows

The Administration Server implicitly features a service image of Windows Preinstallation Environment (Windows PE), which is always used both for capturing operating system images, and for their deployment. All drivers required for proper functioning of all target devices must be added to WinPE. Generally, chipset drivers required for the functioning of Ethernet networking interface must be added.

The following requirements must be met in order to implement scenarios of image deployment and capture:

• Windows Automated Installation Kit (WAIK) version 2.0, or later, or Windows Assessment and Deployment Kit (WADK) must be installed on the Administration Server. If the scenario allows for installing or capturing images on Windows XP, WAIK must be installed.
• A DHCP server must be available on the network where the target device is located.
• The shared folder of the Administration Server must be open for reading from the network where the target device is located. If the shared folder is located on the Administration Server, access is required for the KlPxeUser account (this account is created automatically while running the Administration Server Installer). If the shared folder is located outside the Administration Server, access must be granted to everyone.

When selecting the operating system image to be installed, the administrator must explicitly specify the CPU architecture of the target device: x86 or x86-64.

Configuring the KSN proxy server address

By default, the domain name of the Administration Server coincides with the KSN proxy server address. If you change the domain name for the Administration Server, you have to specify the correct KSN proxy server address to prevent a loss of connection between host devices and KSN.

To configure the KSN proxy server address:

1. In the console tree, go to Advanced → Remote installation → Installation packages.
2. In the context menu of Installation packages, select Properties.
3. In the window that opens, specify the new KSN proxy server address in the General tab.
4. Click the Apply button.

From now on, the specified address is used as the KSN proxy server address.

Adding drivers for Windows Preinstallation Environment (WinPE)

To add drivers for Windows Preinstallation Environment (WinPE):

1. In the Remote installation folder in the console tree, select the Deploy device images subfolder.
2. In the workspace of the Deploy device images folder, click the Additional actions button and select Configure driver set for Windows Preinstallation Environment (WinPE) in the drop-down list.

   The Windows Preinstallation Environment drivers window opens.

3. In the Windows Preinstallation Environment drivers window click the Add button.

   The Select driver window opens.

4. In the Select driver window, select a driver from the list.

   If the necessary driver is missing from the list, click the Add button and specify the driver name and folder of the driver distribution package in the Add driver window that opens.

   You can select a folder by clicking the Browse button.

   In the Add driver window, click OK.

5. In the Select driver window, click OK.

   The driver will be added to the Administration Server repository. When added to the repository, the driver is displayed in the Select driver window.

6. In the Windows Preinstallation Environment drivers window, click OK.

The driver will be added to Windows Preinstallation Environment (WinPE).

Adding drivers to an installation package with an operating system image

To add drivers to an installation package with an operating system image:

1. In the Remote installation folder of the console tree, select the Installation packages subfolder.
2. From the context menu of an installation package with an operating system image, select Properties.

   The installation package properties window opens.

3. In the installation package properties window, select the Additional drivers section.
4. Click the Add button in the Additional drivers section.

   The Select driver window opens.

5. In the Select driver window, select drivers that you want to add to the installation package with the operating system image.

   You can add new drivers to the Administration Server repository by clicking the Add button in the Select driver window.

6. Click OK.

Added drivers are displayed in the Additional drivers section of the properties window of the installation package with the operating system image.

Configuring sysprep.exe utility

The sysprep.exe utility is intended to prepare the device for creation of an operating system image.

To configure sysprep.exe utility:

1. In the Remote installation folder of the console tree, select the Installation packages subfolder.
2. From the context menu of an installation package with an operating system image, select Properties.

   The installation package properties window opens.

3. In the installation package properties window, select the sysprep.exe settings section.
4. In the sysprep.exe settings section, specify a configuration file to be used during deployment of the operating system on the client device:
   • Use default configuration file. Select this option to use the answer file generated by default during capture of the operating system image.
   • Specify custom values of main settings. Select this option to specify values for settings through the user interface.
   • Specify configuration file. Select this option to use a custom answer file.
5. To apply the changes made, click the Apply button.

Deploying operating systems on new networked devices

To deploy an operating system on new devices that have not yet had any operating system installed:

1. In the Remote installation folder in the console tree, select the Deploy device images subfolder.
2. Click the Additional actions button and select Manage the list of PXE servers on the network in the drop-down list.

   The Properties: Deploy device images window opens, on the PXE servers section.

3. In the PXE servers section, click the Add button and, in the PXE servers window that opens, select the device that will be used as PXE server.

   The device that you added is displayed in the PXE servers section.

4. In the PXE servers section select a PXE server and click the Properties button.
5. In the properties window of the selected PXE server, on the PXE server connection settings tab configure connection between Administration Server and the PXE server.
6. Boot the client device on which you want to deploy the operating system.
7. In the BIOS of the client device, select the Network boot installation option.

   The client device connects to the PXE server and is then displayed in the workspace of the Deploy device images folder.

8. In the Actions section, click the Assign installation package link to select the installation package that will be used for the operating system installation on the selected device.

   After you added the device and assigned the installation package to it, the operating system deployment starts automatically on this device.

9. To cancel the operating system deployment on the client device, click the Cancel OS image installation link in the Actions section.

To add devices by MAC address:

• In the Deploy device images folder, click Add device MAC address to open the New device window, and specify the MAC address of the device that you want to add.
• In the Deploy device images folder, click Import MAC addresses of devices from file to select the file containing a list of MAC addresses of all devices on which you want to deploy an operating system.

Deploying operating systems on client devices

To deploy an operating system on client devices with another operating system already installed:

1. In the console tree, open the Remote installation folder and click the Deploy installation package on managed devices (workstations) link to run the Protection Deployment Wizard.
2. In the Select installation package window of the Wizard specify an installation package with an operating system image.
3. Follow the instructions of the Wizard.

When the Wizard completes its operation, a remote installation task is created for installing the operating system on client devices. You can start or stop the task in the Tasks folder.

Creating installation packages of applications

Expand all | Collapse all

To create an application installation package:

1. In the Remote installation folder of the console tree, select the Installation packages subfolder.
2. Click the Create installation package button to run the New Package Wizard.
3. In the Select installation package type window of the Wizard, click one of the following buttons:
   • Create an installation package for a Kaspersky application. Select this option if you want to create an installation package for a Kaspersky application.
   • Create an installation package for the specified executable file. Select this option if you want to create an installation package for a third-party application by using an executable file. Typically, the executable file is a setup file of the application.
     • Copy entire folder to the installation package

       Select this option if the executable file is accompanied with additional files required for the application installation. Before you enable this option, make sure that all of the required files are stored in the same folder. If this option is enabled, the application adds the entire contents of the folder, including the specified executable file, to the installation package.

     • Specify installation parameters

       For successful remote installation, most applications require the installation to be performed in silent mode. If this is the case, you must specify the parameter for a silent installation.

       Configure the installation settings:

       • Executable file command line

         If the application requires additional parameters for a silent installation, specify them in this field. Refer to the vendor's documentation for details.

         You can also enter other parameters.

       • Convert settings to recommended values for applications recognized by Kaspersky Security Center 13.1

         The application will be installed with the recommended settings, if information about the specified application is contained in the Kaspersky database.

         If you entered parameters in the Executable file command line field, they are rewritten with the recommended settings.

         By default, this option is enabled.

         The Kaspersky database is created and maintained by Kaspersky analysts. For each application that is added to the database, Kaspersky analysts define optimal installation settings. The settings are defined to ensure successful remote installation of an application to a client device. The database is updated on the Administration Server automatically when you run the Download updates to the repository of the Administration Server task.

   • Select an application from the Kaspersky database to create an installation package. Select this option if you want to select the required third-party application from the Kaspersky database to create an installation package. The database is created automatically when you run the Download updates to the repository of the Administration Server task; the applications are displayed in the list.
   • Create an installation package with the operating system image. Select this option if you have to create an installation package with an image of the operating system of a reference device.

     When the Wizard finishes, an Administration Server task is created with the name Create installation package upon reference device OS image. When this task is completed, an installation package is created that you can use to deploy the operating system image through a PXE server or the remote installation task.

4. Follow the instructions of the Wizard.

When the Wizard finishes, an installation package is created that you can use to install the application on client devices. You can view the installation package by selecting Installation packages in the console tree.

Issuing a certificate for installation packages of applications

To issue a certificate for the installation package of an application:

1. In the Remote installation folder of the console tree, select the Installation packages subfolder.

   The Remote installation folder is a subfolder of the Advanced folder by default.

2. In the context menu of the Installation packages folder, select Advanced.

   This opens the properties window of the Installation packages folder.

3. In the properties window of the Installation packages folder, select the Sign stand-alone packages section.
4. In the Sign stand-alone packages section, click the Specify button.

   The Certificate window.

5. In the Certificate type field, specify the public or private certificate type:
   • If the PKCS #12 container value is selected, specify the certificate file and the password.
   • If the X.509 certificate value is selected:
     1. Specify the private key file (one with the *.prk or *.pem extension).
     2. Specify the private key password.
     3. Specify the public key file (one with the *.cer extension).
6. Click OK.

A certificate for the installation package of the application is issued.

Installing applications on client devices

To install an application on client devices:

1. In the console tree, open the Remote installation folder and click Deploy installation package on managed devices (workstations) to run the Protection Deployment Wizard.
2. In the Select installation package window of the Wizard specify the installation package of an application that you want to install.
3. Follow the instructions of the Wizard.

When the Wizard finishes, a remote installation task is created to install the application on client devices. You can start or stop the task in the Tasks folder.

Using the Protection Deployment Wizard, you can install Network Agent on client devices running Windows, Linux, and macOS.

To manage 64-bit security applications using Kaspersky Security Center on devices running Linux operating systems, you must use the 64-bit Network Agent for Linux. You can download the necessary version of Network Agent from the Technical Support website.

Before remote installation of Network Agent on a device running Linux, you have to prepare the device.