Deploy Kaspersky Endpoint Security Cloud with PowerShell

Last updated: Dec 17, 2020

I had to deploy Kaspersky Endpoint Security Cloud to replace a standard Kaspersky Enpoint Security architecture. To do this, I used the Microsoft psexec tool: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec and a PowerShell script.

Network share

We need a network share (accessible to all) in which to place KESC.exe and the batch script deploy.bat.

From an Active Directory, we can use the NETLOGON share located in the c:\Windows\SYSVOL\sysvol\domain.fqdn\scripts folder of each DC:

Screenshot of the SYSVOL folder path in Windows containing the scripts for deploying Kaspersky via PowerShell.

We will copy our KAV installer and our deploy.bat script:

Batch Script

The batch file will create two registry keys:
- HKLM\Software\KasperskyLab\KESCloud\NetAgentVersion where I indicate the version number (here the version number 2).
- HKLM\Software\KasperskyLab\KESCloud\AutoPackageInstalled, indicates that installation has been completed, thus avoiding the need to redeploy the package on a machine.

I've used the official script as an example: https://support.kaspersky.com/13693.

Instructions

Modify the red line accoring your infrastructure.

deploy.bat

@echo off
REM ECHO ON

REM if HKLM\Software\KasperskyLab missing, create Key
REG QUERY HKLM\Software\KasperskyLab
IF %ERRORLEVEL% == 1 REG ADD HKLM\Software\KasperskyLab
REG QUERY HKLM\Software\KasperskyLab\KESCloud
IF %ERRORLEVEL% == 1 REG ADD HKLM\Software\KasperskyLab\KESCloud

REM If HKLM\Software\KasperskyLab\KESCloud\NetAgent DWORD equal to 1 KESC switch else go to NETAGENT switch
REG QUERY HKLM\Software\KasperskyLab\KESCloud /v NetAgentVersion | FIND "0x2"
IF %ERRORLEVEL% == 1 GOTO INSTALL
GOTO END

:INSTALL
ECHO Installing
REG ADD HKLM\Software\KasperskyLab\KESCloud /v NetAgentVersion /t REG_DWORD /f /D 2
\\std.local\netlogon\KAV\KESC.exe -s
REG ADD HKLM\Software\KasperskyLab\KESCloud /v AutoPackageInstalled /t REG_DWORD /f /D 1
:END
ECHO Finish
set /p=Hit Enter to continue...

PowerShell Script

This PowerShell script checks whether the host is available (via a ping command). If so, the psexec.exe tool will be used to run the deploy.bat batch on the target computer.

Instructions

Now, the PowerShell script I ran from the AD. We need to set the following variables:

$computers: add the names of the computers you want to migrate to this list
$domain: Active Directory domain name
$user: Active Directory domain administrator
$password: $user password
$share: Share containing the deploy.bat batch
$psexec: full path to psexec.exe

Deploy.ps1

###########################
# author : shebangthedolphins.net
# version : 1.2
# date : 2020.12
# role : deploy Kaspersky Endpoint Security Cloud
# other : launch it with domain admin user rights.
# updates :
#       - 1.0 (2018/02) : First version    
#       - 1.1 (2020/09) : Add variables and comments
#       - 1.2 (2020/12) : Updates, variables corrections

#VARIABLES
$computers = @("COMPUTER15","COMPUTER85","COMPUTER86","COMPUTER98","COMPUTER16","COMPUTER19")
$domain = "std.local"
$user = "administrator"
$password = "Mypassword"
$share = "\\std.local\netlogon\KAV\"
$psexec = "c:\Users\std\psexec.exe"

Foreach ($computer in $computers)
{
    Write-Host "Work on $computer"
    ping -n 1 "$computer" | findstr "TTL" #check if computer is available
    if ($LASTEXITCODE -eq '0') #if yes, let's start deployment
    {
	 & "$psexec" "/accepteula" "\\$computer" "-u" "$domain\$user" "-p" "$password" "$share\deploy.bat"
	 #Start-Process -FilePath ($psexec) -ArgumentList ("/accepteula" + " \\" + $computer + " -u " + $domain + "\" + $user + " -p " + $password + " " + $share + "\" + "deploy.bat") # -Wait
    }
    else
    {
	    Write-Host "$computer cannot be reached"
    }
}

Computing

Music

Misc

Deploy Kaspersky Endpoint Security Cloud with PowerShell

Network share

Batch Script

Instructions

deploy.bat

PowerShell Script

Instructions

Deploy.ps1