# Deploy with Windows

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FJAVpYo2mNDgAL4i67nJH%2Fimage.png?alt=media&#x26;token=5fe7adf7-7c78-4362-9c7d-c10b33bc186c" alt=""><figcaption></figcaption></figure>

This page explains how to deploy Keeper Endpoint Privilege Manager (EPM) to Windows devices. It covers how to install the agent, connect it to your Keeper environment, choose the appropriate deployment method (such as Intune, GPO, or scripts), and confirm that everything is working correctly.

### Overview

On Windows, Keeper EPM is installed as a background service that runs on each device. It operates continuously to enforce your organization’s security policies without requiring user intervention.

You can think of it as the “engine” behind policy enforcement. It:

* Receives policies from the Keeper Admin Console
* Monitors user activity and system behavior
* Applies controls such as elevation, MFA, or approval when required

This allows Keeper to enforce security in real time while keeping the user experience as seamless as possible.

#### How You Can Deploy It

Depending on your environment, you can choose the deployment method that best fits your infrastructure:

* **Microsoft Intune** → Best for cloud-managed devices
* **Group Policy (GPO)** → Best for on-premises Active Directory environments
* **Scripts (PowerShell, SCCM, etc.)** → Most flexible option for custom or hybrid deployments

Regardless of the method you choose, the underlying process remains the same:

* Install the agent
* Start the service
* Register the device
* Validate that everything is working correctly

This consistent workflow ensures predictable and reliable deployment across all environments.

### Deployment Packages (Recommended)

The easiest way to deploy Keeper is by using a deployment package from the Keeper Admin Console. This package bundles everything needed to onboard a device and simplifies the rollout process.

A deployment package typically includes:

* The Windows installer (.MSI file)
* A registration token
* Configuration details, such as grouping and targeting

In most environments, this is the standard and recommended method for deploying Keeper at scale.

### Windows-Specific Notes

A few key points help explain how Keeper operates on Windows. Installation is performed using a standard MSI installer, and once installed, the agent runs as a background Windows service. This allows it to operate continuously without requiring user interaction.

Keeper integrates directly with core Windows security mechanisms, including User Account Control (UAC) and native process monitoring and elevation workflows. This deep integration enables Keeper to control administrative privileges in a secure and seamless way, without disrupting the normal user experience.

#### Supported Windows Versions

Keeper EPM supports modern Windows environments, including:

* Windows 11
* Windows Server 2025

Always verify compatibility with your environment before rollout.

#### Environment Considerations

Ensure that local HTTPS communication on port 6889 is allowed, as it is required for the agent’s operation and health checks. For automated deployments, using a silent installation method is recommended to ensure a consistent and non-interactive rollout across endpoints.

### Before You Start (Prerequisite Checklist)

* The **Keeper MSI installer**
* A **registration token** from the Admin Console

Optional (but recommended):

* A deployment script for automation

## Deployment Steps

{% stepper %}
{% step %}

#### **Download and Unpack**

Download the installer via the Keeper Admin Console UI or use the PowerShell commands:

```
Invoke-WebRequest -Uri "https://keepersecurity.com/pam/pedm/core/latest/KeeperPrivilegeManagerWindows.zip" -OutFile "KeeperPrivilegeManagerWindows.zip"
Expand-Archive -Path "KeeperPrivilegeManagerWindows.zip" -DestinationPath "."
Set-Location "windows"
```

{% endstep %}

{% step %}

#### Install and Register the Agent

There are two ways to register a Windows device.

#### Option 1: Inline Registration (during install)

You can register the device at the same time you install it:

```
msiexec /i KeeperPrivilegeManager.msi REGISTRATION_CODE="YOUR_TOKEN_HERE"
```

#### Option 2: Post-Install Registration (Recommended)

Install first, then register separately:

```
"C:\Program Files\KeeperPrivilegeManager\KeeperRegistrationHelper.exe" --token "YOUR_TOKEN_HERE"
```

This is the **recommended method**, especially for:

* Intune
* GPO
* Scripts

#### Example Script (Best Practice)

Here’s a simple, reliable deployment script:

```
# Install silently
Start-Process msiexec.exe -ArgumentList "/i KeeperPrivilegeManager.msi /quiet /norestart" -Wait

# Give the service time to start
Start-Sleep -Seconds 20

# Register the device
Start-Process "C:\Program Files\KeeperPrivilegeManager\KeeperRegistrationHelper.exe" `
    -ArgumentList "--token YOUR_TOKEN_HERE" -Wait
```

Replace YOUR\_TOKEN\_HERE with your actual token.

#### Deployment Methods

Choose the method that fits your environment.

#### Deploy with Microsoft Intune (Cloud)

Best for modern, cloud-managed devices.

**Steps:**

1. Package the installer as a **Win32 app (.intunewin)**
2. Upload it to Intune
3. Configure install command:

```
powershell.exe -ExecutionPolicy Bypass -File install.ps1
```

4. Set detection rules:
   * File:

     ```
     C:\Program Files\KeeperPrivilegeManager\KeeperPrivilegeManager.exe
     ```
   * OR Service:

     ```
     KeeperPrivilegeManager
     ```
5. Assign to device groups

Always start with a **pilot group** before full rollout.

#### Deploy with Group Policy (GPO)

Best for traditional Active Directory environments.

**Option 1: MSI Deployment**

**Path:**

```
Computer Configuration → Policies → Software Installation
```

**Limitation:** This installs the software but **does NOT register the device**

**Option 2: Startup Script (Recommended)**

Use a startup script to install and register:

```
msiexec /i KeeperPrivilegeManager.msi /quiet /norestart

timeout /t 20

"C:\Program Files\KeeperPrivilegeManager\KeeperRegistrationHelper.exe" --token "YOUR_TOKEN_HERE"
```

This ensures devices are fully configured.

#### Deploy with Scripts / SCCM / MECM

Best for flexible or hybrid environments.

You can use:

* PowerShell
* SCCM / MECM
* Other deployment tools

Example:

```
msiexec /i KeeperPrivilegeManager.msi /quiet /norestart

Start-Sleep -Seconds 20

"C:\Program Files\KeeperPrivilegeManager\KeeperRegistrationHelper.exe" --token "YOUR_TOKEN_HERE"
```

{% endstep %}

{% step %}

#### Validate Deployment

After deployment, check a device to confirm everything is working.

#### 1. Check Service Status

```
Get-Service -Name "KeeperPrivilegeManager"
```

Expected:

```
Status: Running
```

#### 2. Health Check

```
curl -k https://localhost:6889/health
```

This confirms the service is running and responsive.

#### 3. Check Registration

```
curl -k https://localhost:6889/api/Keeper/registration
```

Expected:

* Agent is registered
* Deployment ID is present

#### 4. Check Plugins (Optional)

```
curl -k https://localhost:6889/api/plugins
```

Expected:

* KeeperAPI running
* KeeperPolicy running

These are the core components that enforce your policies.
{% endstep %}
{% endstepper %}

### What Happens After Installation

After installation, the Keeper service starts automatically and the agent begins collecting basic system data, such as applications and user activity. The Keeper Client UI (system tray icon) may appear for users, but typically requires no interaction. The agent prepares for policy enforcement in the background, and users generally will not notice any changes unless a policy is triggered.

#### Default Behavior After Deployment

After deployment, the agent runs in Monitor mode by default, meaning policies are evaluated but not actively enforced. This allows you to safely test and validate policy behavior before enabling enforcement.

#### What the User Experiences

From the user’s perspective, installation is typically silent and requires no interaction. After deployment, users only encounter prompts when necessary—such as for elevation, MFA, or approval—ensuring a smooth experience while still maintaining strong security controls.

### Logs (For Troubleshooting)

Logs are stored at:

```
C:\ProgramData\Keeper\Logs\
```

Logs are automatically rotated, with retention typically lasting from several days to a few weeks depending on configuration. These logs are an important resource for troubleshooting and can help diagnose installation issues, registration problems, and policy behavior.

### Important Notes & Common Adjustments

#### Protect Your Token

Registration tokens are sensitive credentials and should be handled securely at all times. They should not be stored in plain text, and instead should be managed using secure deployment tools or secret management systems. Additionally, tokens should be rotated periodically or whenever there is a risk of exposure to maintain security.

#### Service Timing

If registration fails, it may be because the service has not fully initialized yet. In these cases, increasing the delay between installation and the registration step—typically from 20 seconds to 40–60 seconds—can help ensure the service is ready before attempting registration.

#### Intune Detection Rules

If Intune detection rules are configured incorrectly, a deployment may be reported as successful even when the agent was not properly installed or is not functioning. It is important to carefully verify detection rules to ensure they accurately confirm a successful installation.

#### Pilot First

Always begin with a pilot deployment by rolling out to a small test group first. This allows you to validate behavior, confirm that policies function as expected, and ensure a smooth user experience before expanding the deployment more broadly.

### Troubleshooting

#### Service not starting

* Check **Windows Event Viewer**
* Confirm installation completed

#### Device not registering

* Verify token is correct
* Check network connectivity
* Ensure service is running

#### Deployment shows success but isn’t working

* Review detection rules
* Validate service + registration manually

### Summary

Deploying Keeper EPM on Windows allows you to:

* Roll out the agent across your organization at scale
* Integrate with tools like Intune, GPO, and SCCM
* Enforce least privilege without disrupting users

Regardless of method, every deployment follows the same core steps:\
**Install → Start → Register → Validate**


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/en/keeperpam/endpoint-privilege-manager/deployment/deploy-with-windows.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.