Deploying Keeper EPM on Windows

This page explains how to deploy Keeper Endpoint Privilege Manager (EPM) to Windows devices. It covers how to install the agent, connect it to your Keeper environment, choose the appropriate deployment method (such as Intune, GPO, or scripts), and confirm that everything is working correctly.
Overview
On Windows, Keeper EPM is installed as a background service that runs on each device. It operates continuously to enforce your organization’s security policies without requiring user intervention.
You can think of it as the “engine” behind policy enforcement. It:
Receives policies from the Keeper Admin Console
Monitors user activity and system behavior
Applies controls such as elevation, MFA, or approval when required
This allows Keeper to enforce security in real time while keeping the user experience as seamless as possible.
How You Can Deploy It
Depending on your environment, you can choose the deployment method that best fits your infrastructure:
Microsoft Intune → Best for cloud-managed devices
Group Policy (GPO) → Best for on-premises Active Directory environments
Scripts (PowerShell, SCCM, etc.) → Most flexible option for custom or hybrid deployments
Regardless of the method you choose, the underlying process remains the same:
Install the agent
Start the service
Register the device
Validate that everything is working correctly
This consistent workflow ensures predictable and reliable deployment across all environments.
Deployment Packages (Recommended)
The easiest way to deploy Keeper is by using a deployment package from the Keeper Admin Console. This package bundles everything needed to onboard a device and simplifies the rollout process.
A deployment package typically includes:
The Windows installer (.MSI file)
A registration token
Configuration details, such as grouping and targeting
In most environments, this is the standard and recommended method for deploying Keeper at scale.
Windows-Specific Notes
A few key points help explain how Keeper operates on Windows. Installation is performed using a standard MSI installer, and once installed, the agent runs as a background Windows service. This allows it to operate continuously without requiring user interaction.
Keeper integrates directly with core Windows security mechanisms, including User Account Control (UAC) and native process monitoring and elevation workflows. This deep integration enables Keeper to control administrative privileges in a secure and seamless way, without disrupting the normal user experience.
Supported Windows Versions
Keeper EPM supports modern Windows environments, including:
Windows 11
Windows Server 2025
Always verify compatibility with your environment before rollout.
Environment Considerations
Ensure that local HTTPS communication on port 6889 is allowed, as it is required for the agent’s operation and health checks. For automated deployments, using a silent installation method is recommended to ensure a consistent and non-interactive rollout across endpoints.
Domain Controller Installation Not Supported
Keeper Endpoint Privilege Manager (EPM) cannot be installed on Windows Domain Controllers. The installer actively blocks installation on Domain Controllers and will display the error:
"This software cannot be installed on a Domain Controller."
Domain Controllers serve a specialized role in Active Directory environments and are not supported endpoints for the EPM agent. If you need to manage privilege policies across your domain, install the EPM agent on member workstations and servers rather than on the Domain Controller itself.
⚠️ Directory Integration Required
EPM policies targeting user and group collections depend on AD or Entra ID sync to function correctly. The epm scim command requires an Active Directory integration in the Keeper Admin Console before use. If this integration is not configured, collections will be incomplete and policy enforcement will not apply as expected.
See Commander CLI: Endpoint Privilege Manager Commands for more information.
Before You Start (Prerequisite Checklist)
The Keeper MSI installer
A registration token from the Admin Console
Optional (but recommended):
A deployment script for automation
Deployment Steps
Download and Unpack
Download the installer via the Keeper Admin Console UI or use the PowerShell commands:
Install and Register the Agent
There are two ways to register a Windows device.
Option 1: Inline Registration (during install)
You can register the device at the same time you install it:
In silent mode, the system restarts automatically after installation. To postpone the restart and manage it separately (e.g. through Intune or SCCM):
When using /norestart, the agent will not be active until the machine is restarted. The deployment token is stored in the registry and will be used automatically on the next restart.
x.x.x.xxx should be replaced with the .msi file's version number, and "YOUR_TOKEN_HERE" should be replaced with the token value from your deployment package.
Option 2: Post-Install Registration (Recommended)
Install first, then register separately:
This is the recommended method, especially for:
Intune
GPO
Scripts
Manually Unregistering an Agent
To unregister an agent from the Keeper server without uninstalling it — for example, to move it to a different deployment group or to force a clean re-registration — run the following from an elevated PowerShell prompt:
The main service must be running before executing this command. After unregistration completes, the agent will no longer appear as registered in the Admin Console. To re-register, run the KeeperRegistrationHelper with a valid deployment token.
Example Script
Here’s a simple, reliable deployment script:
Replace YOUR_TOKEN_HERE with your actual token.
Deployment Methods
Choose the method that fits your environment.
Deploy with Microsoft Intune (Cloud)
Best for modern, cloud-managed devices.
Steps:
Package the installer as a Win32 app (.intunewin)
Upload it to Intune
Configure install command:
Set detection rules:
File:
OR Service:
Assign to device groups
Always start with a pilot group before full rollout.
Restart Behavior in Intune
When deploying as a Win32 app, Intune recognizes the following MSI exit codes and handles them accordingly:
3010: installation succeeded; restart required. Configure your Intune assignment's restart behavior policy to trigger a restart.
1641: installation succeeded; restart was initiated by the installer. No additional restart configuration needed — the device will restart automatically.
Configure your Win32 app assignment's Restart behavior setting to match your organization's restart policy. If you are using /norestart in the install command to manage restarts separately, expect exit code 3010 and ensure your restart policy handles it.
The agent will not be active until the restart completes, regardless of which exit code is returned.
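An added deployment wrapper (example code, not Keeper's own script) that combines the silent, no-restart install from the Example Script section with the Intune exit-code handling described above. It assumes the MSI file name is a placeholder, that the token is injected by the deployment tool rather than hard-coded, and that the token is passed as the REGISTRATION_CODE public property, which is the value the installer writes to the RegCode registry entry.

```powershell
# Added example, not Keeper's own script. Silent install with inline registration
# (Option 1), deferred restart, and Intune-friendly exit-code handling.
# Assumptions: the MSI file name is a placeholder; REGISTRATION_CODE is passed as a
# public msiexec property (this page shows the installer writing that value to RegCode).
param(
    [Parameter(Mandatory)] [string] $MsiPath,    # e.g. KeeperEPM-x.x.x.xxx.msi (placeholder)
    [string] $Token = $env:KEEPER_EPM_TOKEN      # injected by the deployment tool, never hard-coded
)

if ([string]::IsNullOrWhiteSpace($Token)) {
    Write-Error 'No registration token supplied (set KEEPER_EPM_TOKEN or pass -Token).'
    exit 1
}
if (-not (Test-Path -LiteralPath $MsiPath)) {
    Write-Error "Installer not found: $MsiPath"
    exit 1
}

# Fail early on a Domain Controller (the installer refuses anyway, but this keeps
# the deployment report readable). Win32_OperatingSystem.ProductType: 2 = DC.
if ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2) {
    Write-Error 'Keeper EPM cannot be installed on a Domain Controller.'
    exit 1
}

# No /l*v: a verbose MSI log records property values, which would persist the token
# on disk. The installer's exit code is the result instead.
$msiArgs = @('/i', "`"$MsiPath`"", '/quiet', '/norestart', "REGISTRATION_CODE=$Token")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
$code = $proc.ExitCode

switch ($code) {
    0       { Write-Host 'Installed.' }
    3010    { Write-Host 'Installed; restart required. Agent is inactive until reboot.' }
    1641    { Write-Host 'Installed; the installer initiated the restart.' }
    default { Write-Error "msiexec failed with exit code $code." }
}

# Return the msiexec code unchanged so Intune can apply its restart-behavior policy.
exit $code
```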
Deploy with Group Policy (GPO)
Best for traditional Active Directory environments.
Option 1: MSI Deployment
Path:
Limitation: This installs the software but does NOT register the device
Option 2: Startup Script (Recommended)
Use a startup script to install and register.
Examples
PowerShell:
CMD:
This ensures devices are fully configured.
Deploy with Scripts / SCCM / MECM
Best for flexible or hybrid environments.
You can use:
PowerShell
SCCM / MECM
Other deployment tools
Examples
PowerShell:
CMD:
Validate Deployment
After deployment, check a device to confirm everything is working.
1. Check Service Status
PowerShell:
CMD:
Expected — PowerShell: Status: Running | CMD: STATE : 4 RUNNING
2. Health Check
PowerShell:
CMD:
Expected: {"status": "running"}
This confirms the service is running and responsive.
3. Check Registration
PowerShell:
CMD:
Expected:
Agent is registered
Deployment ID is present
4. Check Plugins (Optional)
PowerShell:
CMD:
Expected:
KeeperAPI running
KeeperPolicy running
These are the core components that enforce your policies.
Note: curl.exe is available natively in both PowerShell and CMD on Windows 10 and Windows 11. In PowerShell, curl (without the .exe) is an alias for Invoke-WebRequest and will not behave the same way — always use curl.exe explicitly in PowerShell. If you are on an older Windows version, install curl separately or use Invoke-WebRequest -Uri https://localhost:6889/health -SkipCertificateCheck as an alternative.
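An added validation script (not part of the original page or Keeper's tooling) that runs the service, health and registration checks above in one pass and exits non-zero on any failure. It assumes the service names match the display names given on this page, treats RegCode as a registry value (its removal after registration is described later on this page), and uses -SkipCertificateCheck, which exists only in PowerShell 7.

```powershell
# Added example, not Keeper's own tooling: post-deployment validation on one endpoint.
# Assumptions: service names equal their display names; RegCode is a registry value;
# -SkipCertificateCheck requires PowerShell 7 (use curl.exe on Windows PowerShell 5.1).
$failures = @()

# 1. Both services installed and running
foreach ($name in 'Keeper Endpoint Privilege Manager', 'KeeperWatchdog') {
    $svc = Get-Service | Where-Object { $_.DisplayName -eq $name -or $_.Name -eq $name }
    if (-not $svc) { $failures += "service '$name' not installed"; continue }
    if ($svc.Status -ne 'Running') { $failures += "service '$name' is $($svc.Status)" }
}

# 2. Local health endpoint on 6889. The cert is local/self-signed, so validation is
# skipped only for this localhost call; never do this for remote endpoints.
try {
    $resp = Invoke-WebRequest -Uri 'https://localhost:6889/health' -SkipCertificateCheck -TimeoutSec 10
    $health = $resp.Content | ConvertFrom-Json
    if ($health.status -ne 'running') { $failures += "health status is '$($health.status)'" }
} catch {
    $failures += "health check failed: $($_.Exception.Message)"
}

# 3. Registration: the deployment token is removed from RegCode after successful
# registration, so a token still present means registration is pending or failed.
$regKey = 'HKLM:\SOFTWARE\Keeper Security\Endpoint Privilege Manager'
$regCode = (Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue).RegCode
if ($regCode) { $failures += 'RegCode still present: registration pending or failed' }

# 4. Default install directory present (adjust if the install path was customized)
$installDir = 'C:\Program Files\Keeper Security\Endpoint Privilege Management'
if (-not (Test-Path -LiteralPath $installDir)) { $failures += 'install directory missing' }

if ($failures.Count -eq 0) {
    Write-Host 'OK: Keeper EPM agent installed, running, healthy and registered'
    exit 0
}
$failures | ForEach-Object { Write-Warning $_ }
exit 1
```

A non-zero exit makes the script usable as an Intune or SCCM compliance check, which is stricter than a file or service detection rule alone.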
What Happens After Installation
After installation, the Keeper service starts automatically and the agent begins collecting basic system data, such as applications and user activity. The Keeper Client UI (system tray icon) may appear for users, but typically requires no interaction. The agent prepares for policy enforcement in the background, and users generally will not notice any changes unless a policy is triggered.
Default Behavior After Deployment
After deployment, the agent runs in Monitor mode by default, meaning policies are evaluated but not actively enforced. This allows you to safely test and validate policy behavior before enabling enforcement.
What the User Experiences
From the user’s perspective, installation is typically silent and requires no interaction. After deployment, users only encounter prompts when necessary—such as for elevation, MFA, or approval—ensuring a smooth experience while still maintaining strong security controls.
What the Installer Does
The installer performs the following steps in sequence. No services are started and no processes are launched until the system restarts.
1. Copy files: all application files are copied to the installation directory (default: C:\Program Files\Keeper Security\Endpoint Privilege Management).
2. Register services: the Keeper Endpoint Privilege Manager and KeeperWatchdog services are registered as automatic-start Windows services.
3. Write deployment token: the REGISTRATION_CODE value is written to the registry at HKLM\SOFTWARE\Keeper Security\Endpoint Privilege Manager\RegCode.
4. Restart: the system restarts — automatically in /quiet mode, with a prompt otherwise.
Restart Behavior
A restart is required after install, upgrade, or uninstall. The restart behavior depends on whether you use silent or interactive mode:
Silent install (/quiet): restarts automatically; to postpone, add /norestart.
Interactive install (wizard): prompts the user to restart; to postpone, decline and restart later.
Silent upgrade (/quiet): restarts automatically; to postpone, add /norestart.
Silent uninstall (/quiet): restarts automatically; to postpone, add /norestart.
The agent will not be active until the restart completes, regardless of how the restart is handled.
After restart, Windows starts both services automatically on boot. The following sequence then occurs:
1. Services start: Windows starts the Keeper Endpoint Privilege Manager and KeeperWatchdog services automatically.
2. Plugins load: the main service loads its plugins: KeeperApi, KeeperLogger, KeeperPolicy, KeeperUSession.
3. Registration: the agent reads the deployment token from the registry and registers with the Keeper server.
4. Token cleanup: after successful registration, the token is removed from the registry.
5. Inventory: basic inventory collection runs and reports to the server.
Upgrading from a Previous Version
Upgrading the agent requires running the new installer from an elevated (administrator) command prompt or PowerShell. The installer removes the previous version and installs the new version in a single operation. Registration state and agent data are preserved during upgrade.
Upgrade Command
To postpone the restart and manage it separately through your deployment tool:
Replace x.x.x.xxx with the actual version number of the new MSI.
Important: Elevation Is Required
Upgrades must be run from an elevated command prompt. The following methods will not work for upgrades:
Double-clicking the MSI file directly
Running msiexec from a non-elevated command prompt or terminal
Running from a non-elevated terminal, even with an administrator account
Always open your command prompt or PowerShell using Run as administrator before running the upgrade command.
What Happens During Upgrade
The installer stops the currently running agent services and processes.
The previous version is removed. Agent data and registration state are preserved.
New files are installed and services are re-registered.
The system restarts — automatically in silent mode, with a prompt otherwise.
After restart, the updated agent services start and resume normal operation.
Uninstalling the Agent
The agent can be uninstalled through Windows Settings → Apps → Installed Apps, or via the command line.
Command-Line Uninstall
Run from an elevated command prompt:
Replace x.x.x.xxx with the version number of the currently installed MSI.
Automatic Unregistration
By default, uninstalling the agent also automatically unregisters it from the Keeper server. This cleans up the agent record in the Admin Console and releases the deployment slot.
To uninstall without unregistering the agent — for example, when reimaging a machine and planning to re-register it later — set the UNREGISTER_AGENT property to false:
UNREGISTER_AGENT (default: true): when true, the agent unregisters from the Keeper server during uninstall. Set to false to skip unregistration.
Logs (For Troubleshooting)
Logs are stored at:
Log files follow a daily naming pattern, e.g. KeeperLoggerYYYYMMDD.log. Files are retained for 15 days by default before being automatically deleted. The retention period is configurable via the Logger plugin settings (log.retention.days).
If you have customized the installation path, look for the KeeperLogger\Log subdirectory relative to your installation root, or check the Logger plugin configuration for the log.file.path setting.
Important Notes & Common Adjustments
Protect Your Token
Registration tokens are sensitive credentials and should be handled securely at all times. They should not be stored in plain text, and instead should be managed using secure deployment tools or secret management systems. Additionally, tokens should be rotated periodically or whenever there is a risk of exposure to maintain security.
Service Timing
If registration fails, it may be because the service has not fully initialized yet. In these cases, increasing the delay between installation and the registration step—typically from 20 seconds to 40–60 seconds—can help ensure the service is ready before attempting registration.
Intune Detection Rules
If Intune detection rules are configured incorrectly, a deployment may be reported as successful even when the agent was not properly installed or is not functioning. It is important to carefully verify detection rules to ensure they accurately confirm a successful installation.
Pilot First
Always begin with a pilot deployment by rolling out to a small test group first. This allows you to validate behavior, confirm that policies function as expected, and ensure a smooth user experience before expanding the deployment more broadly.
Troubleshooting
Service not starting
Check Windows Event Viewer
Confirm installation completed
Device not registering
Verify token is correct
Check network connectivity
Ensure service is running
Deployment shows success but isn’t working
Review detection rules
Validate service + registration manually
Summary
Deploying Keeper EPM on Windows allows you to:
Roll out the agent across your organization at scale
Integrate with tools like Intune, GPO, and SCCM
Enforce least privilege without disrupting users
Regardless of method, every deployment follows the same core steps: Install → Start → Register → Validate