# Deploy with Windows

<figure><img src="/files/ZY7v5tiirumA97Y6N6ll" alt=""><figcaption></figcaption></figure>

This page explains how to deploy Keeper Endpoint Privilege Manager (EPM) to Windows devices. It covers how to install the agent, connect it to your Keeper environment, choose the appropriate deployment method (such as Intune, GPO, or scripts), and confirm that everything is working correctly.

### Overview

On Windows, Keeper EPM is installed as a background service that runs on each device. It operates continuously to enforce your organization’s security policies without requiring user intervention.

You can think of it as the “engine” behind policy enforcement. It:

* Receives policies from the Keeper Admin Console
* Monitors user activity and system behavior
* Applies controls such as elevation, MFA, or approval when required

This allows Keeper to enforce security in real time while keeping the user experience as seamless as possible.

#### How You Can Deploy It

Depending on your environment, you can choose the deployment method that best fits your infrastructure:

* **Microsoft Intune** → Best for cloud-managed devices
* **Group Policy (GPO)** → Best for on-premises Active Directory environments
* **Scripts (PowerShell, SCCM, etc.)** → Most flexible option for custom or hybrid deployments

Regardless of the method you choose, the underlying process remains the same:

* Install the agent
* Start the service
* Register the device
* Validate that everything is working correctly

This consistent workflow ensures predictable and reliable deployment across all environments.

### Deployment Packages (Recommended)

The easiest way to deploy Keeper is by using a deployment package from the Keeper Admin Console. This package bundles everything needed to onboard a device and simplifies the rollout process.

A deployment package typically includes:

* The Windows installer (.MSI file)
* A registration token
* Configuration details, such as grouping and targeting

In most environments, this is the standard and recommended method for deploying Keeper at scale.

### Windows-Specific Notes

A few key points help explain how Keeper operates on Windows. Installation is performed using a standard MSI installer, and once installed, the agent runs as a background Windows service. This allows it to operate continuously without requiring user interaction.

Keeper integrates directly with core Windows security mechanisms, including User Account Control (UAC) and native process monitoring and elevation workflows. This deep integration enables Keeper to control administrative privileges in a secure and seamless way, without disrupting the normal user experience.

#### Supported Windows Versions

Keeper EPM supports modern Windows environments, including:

* Windows 11
* Windows Server 2025

Always verify compatibility with your environment before rollout.

#### Environment Considerations

Ensure that local HTTPS communication on port 6889 is allowed, as it is required for the agent’s operation and health checks. For automated deployments, using a silent installation method is recommended to ensure a consistent and non-interactive rollout across endpoints.

{% hint style="danger" %}
**Domain Controller Installation Not Supported**

Keeper Endpoint Privilege Manager (EPM) **cannot be installed on Windows Domain Controllers.** The installer actively blocks installation on Domain Controllers and will display the error:

*"This software cannot be installed on a Domain Controller."*

Domain Controllers serve a specialized role in Active Directory environments and are not supported endpoints for the EPM agent. If you need to manage privilege policies across your domain, install the EPM agent on member workstations and servers rather than on the Domain Controller itself.
{% endhint %}

{% hint style="warning" %}
**⚠️ Directory Integration Required**

EPM policies targeting user and group collections depend on AD or Entra ID sync to function correctly. The `epm scim` command requires an Active Directory integration in the Keeper Admin Console before use. If this integration is not configured, collections will be incomplete and policy enforcement will not apply as expected.

See [Commander CLI: Endpoint Privilege Manager Commands](/keeperpam/commander-cli/command-reference/endpoint-privilege-manager-commands.md) for more information.
{% endhint %}

### Before You Start (Prerequisite Checklist)

* The **Keeper MSI installer**
* A **registration token** from the Admin Console

Optional (but recommended):

* A deployment script for automation

## Deployment Steps

{% stepper %}
{% step %}
**Download and Unpack**

Download the installer via the Keeper Admin Console UI or use the PowerShell commands:

```powershell
Invoke-WebRequest -Uri "https://keepersecurity.com/pam/pedm/core/latest/KeeperPrivilegeManagerWindows.zip" -OutFile "KeeperPrivilegeManagerWindows.zip"
Expand-Archive -Path "KeeperPrivilegeManagerWindows.zip" -DestinationPath "."
Set-Location "windows"
```

{% endstep %}

{% step %}
**Install and Register the Agent**

There are two ways to register a Windows device.

**Option 1: Inline Registration (during install)**

You can register the device at the same time you install it:

```powershell
msiexec /i KeeperPrivilegeManager-x.x.x.xxx.msi REGISTRATION_CODE="YOUR_TOKEN_HERE" /l*v install.txt /quiet
```

In silent mode, the system restarts automatically after installation. To postpone the restart and manage it separately (e.g. through Intune or SCCM):


```powershell
msiexec /i KeeperPrivilegeManager-x.x.x.xxx.msi REGISTRATION_CODE="YOUR_TOKEN_HERE" /l*v install.txt /quiet /norestart
```

When using `/norestart`, the agent will not be active until the machine is restarted. The deployment token is stored in the registry and will be used automatically on the next restart.

{% hint style="info" %}
`x.x.x.xxx` should be replaced with the .msi file's version number, and `YOUR_TOKEN_HERE` should be replaced with the token value from your deployment package.
{% endhint %}

**Option 2: Post-Install Registration (Recommended)**

Install first, then register separately:

```powershell
# The path contains spaces, so PowerShell needs the call operator (&) to run it.
# Pass the deployment token from your deployment package with --token.
& "C:\Program Files\Keeper Security\Endpoint Privilege Management\Jobs\bin\KeeperRegistrationHelper\KeeperRegistrationHelper.exe" --token "YOUR_TOKEN_HERE"
```

This is the **recommended method**, especially for:

* Intune
* GPO
* Scripts

**Manually Unregistering an Agent**

To unregister an agent from the Keeper server without uninstalling it — for example, to move it to a different deployment group or to force a clean re-registration — run the following from an **elevated** PowerShell prompt:


```powershell
cd "C:\Program Files\Keeper Security\Endpoint Privilege Management\Jobs\bin\KeeperUnregistrationHelper"
.\KeeperUnregistrationHelper.exe 2>&1 | Out-Host
```

The main service must be running before executing this command. After unregistration completes, the agent will no longer appear as registered in the Admin Console. To re-register, run the `KeeperRegistrationHelper` with a valid deployment token.

**Example Script**

Here’s a simple, reliable deployment script:

```powershell
# Install silently
Start-Process msiexec.exe -ArgumentList "/i KeeperPrivilegeManager.msi /quiet /norestart" -Wait

# Give the service time to start
Start-Sleep -Seconds 20

# Register the device
Start-Process "C:\Program Files\Keeper Security\Endpoint Privilege Management\Jobs\bin\KeeperRegistrationHelper\KeeperRegistrationHelper.exe" `
    -ArgumentList "--token YOUR_TOKEN_HERE" -Wait
```

Replace `YOUR_TOKEN_HERE` with your actual token.

#### Deployment Methods

Choose the method that fits your environment.

**Deploy with Microsoft Intune (Cloud)**

Best for modern, cloud-managed devices.

**Steps:**

1. Package the installer as a **Win32 app (.intunewin)**
2. Upload it to Intune
3. Configure install command:

```powershell
powershell.exe -ExecutionPolicy Bypass -File install.ps1
```

4. Set detection rules:
   * File:

     ```
     C:\Program Files\KeeperPrivilegeManager\KeeperPrivilegeManager.exe
     ```
   * OR Service:

     ```
     KeeperPrivilegeManager
     ```
5. Assign to device groups

Always start with a **pilot group** before full rollout.

**Restart Behavior in Intune**

When deploying as a Win32 app, Intune recognizes the following MSI exit codes and handles them accordingly:

<table><thead><tr><th width="88.33331298828125">Exit Code</th><th width="254">Meaning</th><th>Action Required</th></tr></thead><tbody><tr><td><code>3010</code></td><td>Installation succeeded; restart required</td><td>Configure your Intune assignment's restart behavior policy to trigger a restart</td></tr><tr><td><code>1641</code></td><td>Installation succeeded; restart was initiated by the installer</td><td>No additional restart configuration needed — the device will restart automatically</td></tr></tbody></table>

Configure your Win32 app assignment's **Restart behavior** setting to match your organization's restart policy. If you are using `/norestart` in the install command to manage restarts separately, expect exit code `3010` and ensure your restart policy handles it.

The agent will not be active until the restart completes, regardless of which exit code is returned.

**Deploy with Group Policy (GPO)**

Best for traditional Active Directory environments.

**Option 1: MSI Deployment**

**Path:**

```
Computer Configuration → Policies → Software Installation
```

**Limitation:** This installs the software but **does NOT register the device**

**Option 2: Startup Script (Recommended)**

Use a startup script to install and register.

**Examples**

**PowerShell:**

```powershell
# Install silently and wait for msiexec to finish (msiexec returns immediately otherwise)
Start-Process msiexec.exe -ArgumentList "/i KeeperPrivilegeManager.msi /quiet /norestart" -Wait

# Give the service time to start
Start-Sleep -Seconds 20

# Register the device; the call operator (&) is required because the path contains spaces
& "C:\Program Files\Keeper Security\Endpoint Privilege Management\Jobs\bin\KeeperRegistrationHelper\KeeperRegistrationHelper.exe" --token "YOUR_TOKEN_HERE"
```

**CMD:**

```cmd
msiexec /i KeeperPrivilegeManager.msi /quiet /norestart

timeout /t 20

"C:\Program Files\Keeper Security\Endpoint Privilege Management\Jobs\bin\KeeperRegistrationHelper\KeeperRegistrationHelper.exe" --token "YOUR_TOKEN_HERE"
```

This ensures devices are fully configured.

**Deploy with Scripts / SCCM / MECM**

Best for flexible or hybrid environments.

You can use:

* PowerShell
* SCCM / MECM
* Other deployment tools

**Examples**

**PowerShell:**

```powershell
# Install silently and wait for msiexec to finish (msiexec returns immediately otherwise)
Start-Process msiexec.exe -ArgumentList "/i KeeperPrivilegeManager.msi /quiet /norestart" -Wait

# Give the service time to start
Start-Sleep -Seconds 20

# Register the device; the call operator (&) is required because the path contains spaces
& "C:\Program Files\Keeper Security\Endpoint Privilege Management\Jobs\bin\KeeperRegistrationHelper\KeeperRegistrationHelper.exe" --token "YOUR_TOKEN_HERE"
```

**CMD:**

```cmd
msiexec /i KeeperPrivilegeManager.msi /quiet /norestart

timeout /t 20

"C:\Program Files\Keeper Security\Endpoint Privilege Management\Jobs\bin\KeeperRegistrationHelper\KeeperRegistrationHelper.exe" --token "YOUR_TOKEN_HERE"
```

{% endstep %}

{% step %}
**Validate Deployment**

After deployment, check a device to confirm everything is working.

**1. Check Service Status**

**PowerShell:**

```powershell
Get-Service -Name "Keeper Endpoint Privilege Manager"
```

**CMD:**

```cmd
sc query "Keeper Endpoint Privilege Manager"
```

Expected — PowerShell: `Status: Running` | CMD: `STATE : 4 RUNNING`

***

**2. Health Check**

**PowerShell:**

```powershell
curl.exe -k https://localhost:6889/health
```

**CMD:**

```cmd
curl -k https://localhost:6889/health
```

Expected: `{"status": "running"}`

This confirms the service is running and responsive.

***

**3. Check Registration**

**PowerShell:**

```powershell
curl.exe -k https://localhost:6889/api/Keeper/registration
```

**CMD:**

```cmd
curl -k https://localhost:6889/api/Keeper/registration
```

Expected:

* Agent is registered
* Deployment ID is present

***

**4. Check Plugins (Optional)**

**PowerShell:**

```powershell
curl.exe -k https://localhost:6889/api/plugins
```

**CMD:**

```cmd
curl -k https://localhost:6889/api/plugins
```

Expected:

* KeeperAPI running
* KeeperPolicy running

These are the core components that enforce your policies.
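The four checks above can be run together on a device. The following script is an added example, not part of Keeper's documentation or tooling; it assumes only what the page states (the service name, the local HTTPS port, the health response and the plugin names), since the JSON layout of the registration and plugin endpoints is not documented here.

```powershell
# validate-epm.ps1 (added example; not part of Keeper's documentation or tooling).
# Runs the four validation checks above on the local device and returns one result per check.
# Assumption: the JSON shapes of /api/Keeper/registration and /api/plugins are not documented
# here, so the checks look only for what the page names: a deployment ID, and plugins called
# KeeperAPI and KeeperPolicy reported as running.

function Invoke-EpmEndpoint {
    param([string]$Path)
    # curl.exe, not the PowerShell 'curl' alias; -k because the local listener on 6889
    # uses a self-signed certificate; -s keeps progress output out of the JSON.
    $raw = & curl.exe -k -s --max-time 5 "https://localhost:6889$Path" 2>$null
    if (-not $raw) { return $null }
    $body = $raw -join ""
    try { return $body | ConvertFrom-Json } catch { return $body }   # fall back to raw text
}

function New-CheckResult([string]$Check, [bool]$Passed, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-KeeperEpm {
    $results = @()

    # 1. Service status (same service name the page uses with Get-Service / sc query)
    $svc = Get-Service -Name "Keeper Endpoint Privilege Manager" -ErrorAction SilentlyContinue
    $detail = if ($svc) { "$($svc.Status)" } else { "service not found" }
    $results += New-CheckResult "Service running" ($svc -and $svc.Status -eq "Running") $detail

    # 2. Health endpoint, expected {"status": "running"}
    $health = Invoke-EpmEndpoint "/health"
    $detail = if ($health) { $health | ConvertTo-Json -Compress } else { "no response on port 6889" }
    $results += New-CheckResult "Health endpoint" ($null -ne $health -and $health.status -eq "running") $detail

    # 3. Registration: any non-empty property whose name mentions a deployment ID
    $reg = Invoke-EpmEndpoint "/api/Keeper/registration"
    $deploymentId = $null
    if ($reg -and $reg -isnot [string]) {
        $deploymentId = $reg.PSObject.Properties |
            Where-Object { $_.Name -match "deployment" -and $_.Value } |
            Select-Object -First 1 -ExpandProperty Value
    }
    $detail = if ($deploymentId) { "deployment ID $deploymentId" } else { "no deployment ID in response" }
    $results += New-CheckResult "Registered" ([bool]$deploymentId) $detail

    # 4. Core plugins present and running (matched on the serialized response text)
    $plugins = Invoke-EpmEndpoint "/api/plugins"
    $text = if ($plugins) { $plugins | ConvertTo-Json -Compress -Depth 5 } else { "" }
    foreach ($name in "KeeperAPI", "KeeperPolicy") {
        $found = $text -match "(?i)$name" -and $text -match "(?i)running"
        $results += New-CheckResult "Plugin $name" $found $(if ($text) { "listed in /api/plugins" } else { "no response" })
    }
    return $results
}

$report = Test-KeeperEpm
$report | Format-Table -AutoSize
# A non-zero exit lets a deployment tool or scheduled job flag the device.
if ($report.Passed -contains $false) { exit 1 } else { exit 0 }
```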

{% hint style="info" %}
Note:

* `curl.exe` is available natively in both PowerShell and CMD on Windows 10 and Windows 11. In PowerShell, `curl` (without the `.exe`) is an alias for `Invoke-WebRequest` and will not behave the same way; always use `curl.exe` explicitly in PowerShell. If you are on an older Windows version, install curl separately or use `Invoke-WebRequest -Uri https://localhost:6889/health -SkipCertificateCheck` (PowerShell 7 or later) as an alternative.
{% endhint %}
{% endstep %}
{% endstepper %}

### What Happens After Installation

After installation, the Keeper service starts automatically and the agent begins collecting basic system data, such as applications and user activity. The Keeper Client UI (system tray icon) may appear for users, but typically requires no interaction. The agent prepares for policy enforcement in the background, and users generally will not notice any changes unless a policy is triggered.

#### Default Behavior After Deployment

After deployment, the agent runs in Monitor mode by default, meaning policies are evaluated but not actively enforced. This allows you to safely test and validate policy behavior before enabling enforcement.

#### What the User Experiences

From the user’s perspective, installation is typically silent and requires no interaction. After deployment, users only encounter prompts when necessary—such as for elevation, MFA, or approval—ensuring a smooth experience while still maintaining strong security controls.

#### **What the Installer Does**

The installer performs the following steps in sequence. No services are started and no processes are launched until the system restarts.

<table><thead><tr><th width="207.33331298828125">Step</th><th>Description</th></tr></thead><tbody><tr><td>Copy files</td><td>All application files are copied to the installation directory (default: <code>C:\Program Files\Keeper Security\Endpoint Privilege Management</code>)</td></tr><tr><td>Register services</td><td>The <strong>Keeper Endpoint Privilege Manager</strong> and <strong>KeeperWatchdog</strong> services are registered as automatic-start Windows services</td></tr><tr><td>Write deployment token</td><td>The <code>REGISTRATION_CODE</code> value is written to the registry at <code>HKLM\SOFTWARE\Keeper Security\Endpoint Privilege Manager\RegCode</code></td></tr><tr><td>Restart</td><td>The system restarts — automatically in <code>/quiet</code> mode, with a prompt otherwise</td></tr></tbody></table>

#### **Restart Behavior**

A restart is required after install, upgrade, or uninstall. The restart behavior depends on whether you use silent or interactive mode:

<table><thead><tr><th width="217.66668701171875">Scenario</th><th>Default behavior</th><th>To suppress</th></tr></thead><tbody><tr><td>Silent install (<code>/quiet</code>)</td><td>Restarts automatically</td><td>Add <code>/norestart</code></td></tr><tr><td>Interactive install (wizard)</td><td>Prompts the user to restart</td><td>Decline and restart later</td></tr><tr><td>Silent upgrade (<code>/quiet</code>)</td><td>Restarts automatically</td><td>Add <code>/norestart</code></td></tr><tr><td>Silent uninstall (<code>/quiet</code>)</td><td>Restarts automatically</td><td>Add <code>/norestart</code></td></tr></tbody></table>

> The agent will not be active until the restart completes, regardless of how the restart is handled.

**After restart**, Windows starts both services automatically on boot. The following sequence then occurs:

<table><thead><tr><th width="140">Step</th><th>Description</th></tr></thead><tbody><tr><td>Services start</td><td>Windows starts the Keeper Endpoint Privilege Manager and KeeperWatchdog services automatically</td></tr><tr><td>Plugins load</td><td>The main service loads its plugins: KeeperApi, KeeperLogger, KeeperPolicy, KeeperUSession</td></tr><tr><td>Registration</td><td>The agent reads the deployment token from the registry and registers with the Keeper server</td></tr><tr><td>Token cleanup</td><td>After successful registration, the token is removed from the registry</td></tr><tr><td>Inventory</td><td>Basic inventory collection runs and reports to the server</td></tr></tbody></table>

### **Upgrading from a Previous Version**

Upgrading the agent requires running the new installer from an **elevated** (administrator) command prompt or PowerShell. The installer removes the previous version and installs the new version in a single operation. Registration state and agent data are preserved during upgrade.

#### **Upgrade Command**

```powershell
msiexec /i KeeperPrivilegeManager-x.x.x.xxx.msi /l*v upgrade.txt /quiet
```

To postpone the restart and manage it separately through your deployment tool:

```powershell
msiexec /i KeeperPrivilegeManager-x.x.x.xxx.msi /l*v upgrade.txt /quiet /norestart
```

Replace `x.x.x.xxx` with the actual version number of the new MSI.

**Important: Elevation Is Required**

Upgrades must be run from an **elevated** command prompt. The following methods **will not work** for upgrades:

* Double-clicking the MSI file directly
* Running `msiexec` from a non-elevated command prompt or terminal
* Running from a non-elevated terminal, even with an administrator account

Always open your command prompt or PowerShell using **Run as administrator** before running the upgrade command.

#### **What Happens During Upgrade**

1. The installer stops the currently running agent services and processes.
2. The previous version is removed. Agent data and registration state are preserved.
3. New files are installed and services are re-registered.
4. The system restarts — automatically in silent mode, with a prompt otherwise.
5. After restart, the updated agent services start and resume normal operation.

### **Uninstalling the Agent**

The agent can be uninstalled through **Windows Settings → Apps → Installed Apps**, or via the command line.

#### **Command-Line Uninstall**

Run from an **elevated** command prompt:

```powershell
msiexec /x KeeperPrivilegeManager-x.x.x.xxx.msi /l*v uninstall.txt /quiet
```

Replace `x.x.x.xxx` with the version number of the currently installed MSI.

#### **Automatic Unregistration**

By default, uninstalling the agent also automatically unregisters it from the Keeper server. This cleans up the agent record in the Admin Console and releases the deployment slot.

To uninstall without unregistering the agent — for example, when reimaging a machine and planning to re-register it later — set the `UNREGISTER_AGENT` property to `false`:

```powershell
msiexec /x KeeperPrivilegeManager-x.x.x.xxx.msi UNREGISTER_AGENT="false" /l*v uninstall.txt /quiet
```

<table><thead><tr><th width="179">Property</th><th width="101.33331298828125">Default</th><th>Description</th></tr></thead><tbody><tr><td><code>UNREGISTER_AGENT</code></td><td><code>true</code></td><td>When <code>true</code>, the agent unregisters from the Keeper server during uninstall. Set to <code>false</code> to skip unregistration.</td></tr></tbody></table>

### Logs (For Troubleshooting)

Logs are stored at:

```
C:\Program Files\Keeper Security\Endpoint Privilege Manager\Plugins\bin\KeeperLogger\Log
```

Log files follow a daily naming pattern, e.g. `KeeperLoggerYYYYMMDD.log`. Files are retained for **15 days** by default before being automatically deleted. The retention period is configurable via the Logger plugin settings (`log.retention.days`).

If you have customized the installation path, look for the `KeeperLogger\Log` subdirectory relative to your installation root, or check the Logger plugin configuration for the `log.file.path` setting.

### Important Notes & Common Adjustments

#### Protect Your Token

Registration tokens are sensitive credentials and should be handled securely at all times. They should not be stored in plain text, and instead should be managed using secure deployment tools or secret management systems. Additionally, tokens should be rotated periodically or whenever there is a risk of exposure to maintain security.

#### Service Timing

If registration fails, it may be because the service has not fully initialized yet. In these cases, increasing the delay between installation and the registration step—typically from 20 seconds to 40–60 seconds—can help ensure the service is ready before attempting registration.
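Rather than lengthening a fixed sleep, an install script can wait for readiness. The following `install.ps1` is an added example, not Keeper's own script: it folds this timing advice into the example deployment script from the deployment steps and the Intune exit-code handling, polling for the service and the health endpoint up to a configurable limit, registering when ready, and returning the msiexec exit code so the deployment tool's restart policy applies. The `-Token` parameter, the log folder and the helper's zero exit code on success are assumptions.

```powershell
<#
  install.ps1 (added example; not Keeper's own script). Installs silently with
  /norestart, polls for service readiness instead of a fixed sleep, registers the
  device, and returns the MSI exit code (0 / 3010 / 1641) to the deployment tool.
#>
param(
    # Deployment token, supplied by the deployment tool rather than hard-coded here.
    [Parameter(Mandatory = $true)][string]$Token,
    [string]$MsiPath = (Join-Path $PSScriptRoot "KeeperPrivilegeManager.msi"),
    # Upper bound for the readiness wait (40-60 s is suggested when 20 s is too short).
    [int]$ReadyTimeoutSeconds = 60
)

$serviceName = "Keeper Endpoint Privilege Manager"
$helper      = "C:\Program Files\Keeper Security\Endpoint Privilege Management\Jobs\bin\KeeperRegistrationHelper\KeeperRegistrationHelper.exe"
$logDir      = Join-Path $env:ProgramData "KeeperEpmDeploy"   # hypothetical log folder for this script
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# 1. Install. /norestart leaves the reboot to Intune/SCCM, so expect 3010 on success.
$msiArgs  = "/i `"$MsiPath`" /quiet /norestart /l*v `"$logDir\install.txt`""
$install  = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
$exitCode = $install.ExitCode
if ($exitCode -notin 0, 3010, 1641) {
    Write-Error "msiexec failed with exit code $exitCode; see $logDir\install.txt"
    exit $exitCode
}

# 2. Wait for readiness: service Running AND /health answering on the local HTTPS port.
$deadline = (Get-Date).AddSeconds($ReadyTimeoutSeconds)
$ready = $false
do {
    $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq "Running") {
        # curl.exe, not the PowerShell 'curl' alias; -k because the listener is self-signed.
        $health = & curl.exe -k -s --max-time 5 https://localhost:6889/health 2>$null
        if ("$health" -match '"status"\s*:\s*"running"') { $ready = $true; break }
    }
    Start-Sleep -Seconds 5
} while ((Get-Date) -lt $deadline)

# 3. Register now if the service is ready; otherwise it must happen after the restart.
if ($ready) {
    $reg = Start-Process -FilePath $helper -ArgumentList "--token `"$Token`"" -Wait -PassThru -NoNewWindow
    # Assumes the helper returns 0 on success (its exit codes are not documented on this page).
    if ($reg.ExitCode -ne 0) { Write-Warning "Registration helper exited with $($reg.ExitCode)" }
} else {
    Write-Warning "Service not ready within $ReadyTimeoutSeconds s; run the registration helper after restart."
}

# 4. Return the MSI code unchanged so the tool's restart policy sees 3010 / 1641.
exit $exitCode
```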

#### Intune Detection Rules

If Intune detection rules are configured incorrectly, a deployment may be reported as successful even when the agent was not properly installed or is not functioning. It is important to carefully verify detection rules to ensure they accurately confirm a successful installation.

#### Pilot First

Always begin with a pilot deployment by rolling out to a small test group first. This allows you to validate behavior, confirm that policies function as expected, and ensure a smooth user experience before expanding the deployment more broadly.

### Troubleshooting

#### Service not starting

* Check **Windows Event Viewer**
* Confirm installation completed

#### Device not registering

* Verify token is correct
* Check network connectivity
* Ensure service is running

#### Deployment shows success but isn’t working

* Review detection rules
* Validate service + registration manually

### Summary

Deploying Keeper EPM on Windows allows you to:

* Roll out the agent across your organization at scale
* Integrate with tools like Intune, GPO, and SCCM
* Enforce least privilege without disrupting users

Regardless of method, every deployment follows the same core steps:\
**Install → Start → Register → Validate**
