One of the main features that Bitdefender Endpoint Security Tools provides is the possibility to be installed remotely on endpoints, process called deployment.

For the Bitdefender Endpoint Security Tools deployment task to complete successfully on target systems, you need to comply with the following configuration prerequisites:

1. OS requirements
   • Make sure the target endpoints meet the minimum system requirements, according to the GravityZone Installation Guide. For some endpoints, you may need to install the latest operating system service pack available or free up disk space. Compile a list of endpoints that do not meet the necessary requirements so that you can exclude them from management.
   • When deploying the agent through a Linux relay, the following additional conditions must be met:
     • The Relay endpoint must have installed the Samba package (smbclient) version 4.1.0 or above, and the net binary/command to deploy Windows agents.

       Note: The net binary/command is usually delivered with the samba-client and / or samba-common packages. On some Linux distributions (such as CentOS 7.4), the net command is only being installed when installing the full Samba suite (Common + Client + Server). Make sure that your Relay endpoint has the net command available.

     • Target Windows endpoints must have Administrative Share and Network Share enabled.
     • Target Linux and Mac endpoints must have SSH enabled and firewall disabled.
2. Administrative privileges

   The installation requires administrative privileges. Make sure you have the necessary credentials at hand for all computers.

   You must also define the User Account Control (UAC) settings according to the target endpoint configuration:

   • For Windows 8.1 and 10 systems, you need full administrative privileges (the credentials of the built-in administrator account or a domain user account). For more information on how to successfully deploy BEST to Windows 8.1 and 10 stations, please refer to this KB article.
   • For target systems that are part of a Workgroup, you must disable UAC only if you are using other administrative rights credentials except the built-in domain Administrator account when configuring the deployment task. If the deployment task is configured to authenticate with the built-in domain Administrator account (and default UAC settings on the account were not changed in by group policy), it will run without having to change the UAC settings.
   • For target systems that are part of an Active Directory Domain, in addition to the previous recommendations, if the administrator wants to configure the task and provide the deployment credentials of users that are members of the Domain Admins security group, a GPO can be configured to apply this security group with the following settings:

     [Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options]

     Policy	Setting
     User Access Control: Behavior of the elevation prompt for administrators in Admin Approval Mode	Elevate without prompting
     User Access Control: Detect application installations and prompt for elevation	Disable
     User Access Control: Run all administrators in Admin Approval Mode	Enable

      
     
      

     Note: As security best practice, after the deployment cycle is finished, revert the settings to their defaults. For the UAC default configurations, refer to this Microsoft article.

   • For Windows 7, 8 and 10 systems, you will need to disable User Account Control (UAC), as follows:
     1. Go to Start> Control Panel> User Accounts
     2. Click Change User Account Control Settings
     3. Set UAC on Never Notify and then click OK
        
        
         
3. Connectivity requirements

   On all workstations and servers that you want to manage, which need to have network connectivity to the GravityZone appliance, you will have to configure the firewall to allow the following communication ports, used by the security components:

   • 8443: the communication port between the GravityZone console and Bitdefender Endpoint Security Tools. This port must be allowed on all network computers
   • 7074: the communication port used for deployment and update via a Relay.

     Note: These ports must not be used by any other application installed in the network.

   It is recommended to use a static IP address for the relay server. If you do not set a static IP, use the machine's hostname.

   Configure each workstation not to use sharing wizard as follows:

   In Windows 7:

   1. Go to Start > Computer > Organize > Layout and select Menu bar;
   2. Click Tools and go to Folder options... > View;
   3. Clear the Use Sharing Wizard check box in the advanced settings list;
   4. Click OK.

   In Windows 8 and 8.1:

   1. Go to Computer > View > Options;
   2. In the Folder options window, click the View tab;
   3. Clear the Use Sharing Wizard check box in the advanced settings list;
   4. Click OK.

   In Windows 10:

   1. Go to This PC > View > Options;
   2. Click the View tab;
   3. Clear the Use Sharing Wizard check box in the advanced settings list;
   4. Click OK.
      
      
      In Window 10 you can also use PowerShell commands to disable the sharing wizard as follows:
      $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
Set-ItemProperty $key SharingWizard 0
Stop-Process -processname explorer
   • Make sure that the File and Printer Sharing protocol is enabled. This service is using TCP ports 139, 445 and UDP ports 137, 138. To verify if the File and Printer Sharing protocol is enabled:
     1. Go to Start > Control Panel > Network and Sharing Center;
     2. Identify which network connection is established and click it;
     3. Click Properties;
        
        
         

     Note: For the connection to be successful: Disable the Windows Firewall, or configure it to allow traffic through File and Printer Sharing protocol. To disable Windows Firewall, open Control Panel > Windows Firewall and click Off. Allow ICMP traffic (so you can successfully PING the workstation). To check that the network stations are correctly configured: Ping the respective network station; Try to log on to the administrative share.

4. Third-party security software removal

Uninstall (not just disable) any existing antimalware, firewall or Internet security software from computers. Running the security agent simultaneously with other security software on an endpoint may affect their operation and cause major problems with the system.

Many of the incompatible security programs are automatically detected and removed at installation time.

To learn more and to check the list of the security software detected by Bitdefender Endpoint Security Tools for Windows operating systems (Windows 7 / Windows Server 2008 R2 and later), refer to this KB article.

If you want to deploy the security agent on a computer with Bitdefender Antivirus for Mac 5.X, you first must remove the latter manually. For the guiding steps, please access this KB article.

• How to troubleshoot the client software deployment on Windows 8.1/10/2012 and above
• Bitdefender GravityZone (On-premises) Communication Ports