Directly contact our Support Team

How to prepare workstations for BEST remote deployment

One of the main features that Bitdefender Endpoint Security Tools provides is the possibility to be installed remotely on endpoints, process called deployment.

For the Bitdefender Endpoint Security Tools deployment task to complete successfully on target systems, you need to comply with the following configuration prerequisites:

  1. OS requirements
    • Make sure the target endpoints meet the minimum system requirements, according to the GravityZone Installation Guide. For some endpoints, you may need to install the latest operating system service pack available or free up disk space. Compile a list of endpoints that do not meet the necessary requirements so that you can exclude them from management.
    • Bitdefender Endpoint Security Tools does not support remote deployment on legacy Windows operating systems, including Windows XP and Windows Vista families.
    • When deploying the agent through a Linux relay, the following additional conditions must be met:
      • The relay must have installed the Samba package (smbclient) version 4.1.0 or above, so that it can deploy Windows agents;
      • Target Windows endpoints must have Administrative Share and Network Share enabled;
      • Target Linux and Mac endpoints must have SSH enabled and firewall disabled.
  2. Administrative privileges

    The installation requires administrative privileges. Make sure you have the necessary credentials at hand for all computers.

    You must also define the User Account Control (UAC) settings according to the target endpoint configuration:

    • For Windows 8.1 and 10 systems, you need full administrative privileges (the credentials of the built-in administrator account or a domain user account). For more information on how to successfully deploy BEST to Windows 8.1 and 10 stations, please refer to this KB article.
    • For target systems that are part of a Workgroup, you must disable UAC only if you are using other administrative rights credentials except the built-in domain Administrator account when configuring the deployment task. If the deployment task is configured to authenticate with the built-in domain Administrator account (and default UAC settings on the account were not changed in by group policy), it will run without having to change the UAC settings.
    • For target systems that are part of an Active Directory Domain, in addition to the previous recommendations, if the administrator wants to configure the task and provide the deployment credentials of users that are members of the Domain Admins security group, a GPO can be configured to apply this security group with the following settings:

      [Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options]

      Policy Setting
      User Access Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Elevate without prompting
      User Access Control: Detect application installations and prompt for elevation Disable
      User Access Control: Run all administrators in Admin Approval Mode Enable
         
       

       

      note

      Note:
      As security best practice, after the deployment cycle is finished, revert the settings to their defaults. For the UAC default configurations, refer to this Microsoft article.
    • For Windows 7, 8 and 10 systems, you will need to disable User Account Control (UAC), as follows:
      1. Go to Start> Control Panel> User Accounts
      2. Click Change User Account Control Settings
      3. Set UAC on Never Notify and then click OK


         
  3. Connectivity requirements

    On all workstations and servers that you want to manage, which need to have network connectivity to the GravityZone appliance, you will have to configure the firewall to allow the following communication ports, used by the security components:

    • 8443: the communication port between the GravityZone console and Bitdefender Endpoint Security Tools. This port must be allowed on all network computers
    • 7074: the communication port used for deployment and update via a Relay.

      Note: These ports must not be used by any other application installed in the network.

    It is recommended to use a static IP address for the relay server. If you do not set a static IP, use the machine's hostname.

    Configure each workstation not to use sharing wizard as follows:

    In Windows 7:

    1. Go to Start > Computer > Organize > Layout and select Menu bar;
    2. Click Tools and go to Folder options... > View;
    3. Clear the Use Sharing Wizard check box in the advanced settings list;
    4. Click OK.

    In Windows 8 and 8.1:

    1. Go to Computer > View > Options;
    2. In the Folder options window, click the View tab;
    3. Clear the Use Sharing Wizard check box in the advanced settings list;
    4. Click OK.

    In Windows 10:

    1. Go to This PC > View > Options;
    2. Click the View tab;
    3. Clear the Use Sharing Wizard check box in the advanced settings list;
    4. Click OK.


       
    • Make sure that the File and Printer Sharing protocol is enabled. This service is using TCP ports 139, 445 and UDP ports 137, 138. To verify if the File and Printer Sharing protocol is enabled:
      1. Go to Start > Control Panel > Network and Sharing Center;
      2. Identify which network connection is established and click it;
      3. Click Properties;


         
      note Note:

      For the connection to be successful:

      • Disable the Windows Firewall, or configure it to allow traffic through File and Printer Sharing protocol. To disable Windows Firewall, open Control Panel > Windows Firewall and click Off.
      • Allow ICMP traffic (so you can successfully PING the workstation).

      To check that the network stations are correctly configured:

      • Ping the respective network station;
      • Try to log on to the administrative share.
  4. Third-party security software removal

Uninstall (not just disable) any existing antimalware, firewall or Internet security software from computers. Running the security agent simultaneously with other security software on an endpoint may affect their operation and cause major problems with the system.

Many of the incompatible security programs are automatically detected and removed at installation time.

To learn more and to check the list of the security software detected by Bitdefender Endpoint Security Tools for current Windows operating systems (Windows 7 / Windows Server 2008 R2 and later), refer to this KB article.

To check the list of the security software detected by Bitdefender Endpoint Security Tools for legacy Windows operating systems (including Windows XP and Vista families), refer to this KB article.

If you want to deploy the security agent on a computer with Bitdefender Antivirus for Mac 5.X, you first must remove the latter manually. For the guiding steps, please access this KB article.

 

Can't find a solution for your problem? Open an email ticket and we will answer the question or concern in the shortest time possible.

Rate this article:

Submit