Install a new XProtect system

Install XProtect Essential+

You can install a free version of XProtect Essential+. This version provides you with limited capabilities of the XProtect for a limited number of cameras. You must have internet connection to install XProtect Essential+.

This version is installed on a single computer, using the Single computer installation option. The Single computer option installs all server and client components on the current computer.

Milestone recommends that you read the following section carefully before you install: Before you start installation.

For FIPS installations, you cannot upgrade XProtect VMS when FIPS is enabled on the Windows operating system. Before you install, disable the Windows FIPS security policy on all of the computers that are part of the VMS, including the computer that hosts SQL Server. But, if you are upgrading from XProtect VMS version 2020 R3 and after, you do not need to disable FIPS. For detailed information on how to configure your XProtect VMS to run in FIPS 140-2 compliant mode, see the FIPS 140-2 compliance section in the hardening guide.

After initial installation, you can continue with the configuration wizard. Depending on your hardware and configuration, the recording server scans your network for hardware. You can then select which hardware devices to add to your system. Cameras are preconfigured in views, and you have the option to enable other devices such as microphones and speakers. You also have the option of adding users to the system with either an operator role or an administrator role. After installation, XProtect Smart Client opens, and you are ready to use the system.

Otherwise, if you close the installation wizard, XProtect Management Client opens, where you can make manual configurations such as add hardware devices and users to the system.

If you upgrade from a previous version of the product, the system does not scan for hardware or create new views and user profiles.

  1. Download the software from the internet (https://www.milestonesys.com/downloads/) and run the Milestone XProtect VMS Products 2024 R1 System Installer.exe file.
  2. The installation files unpack. Depending on the security settings, one or more Windows® security warnings appear. Accept these and the unpacking continues.
  3. When done, the Milestone XProtect VMS installation wizard appears.
    1. Select the Language to use during the installation (this is not the language that your system uses once installed; this is selected later). Click Continue.
    2. Read the Milestone End-user License Agreement. Select the I accept the terms in the license agreement check box and click Continue.
    3. On the Privacy settings page, select whether you want to share usage data, and click Continue.

      4. You must not enable data collection if you want the system to have an EU GDPR-compliant installation. For more information about data protection and the usage data collection, see the GDPR privacy guide.

      You can always change your privacy setting later. See also System settings (Options dialog box).

    4. Click the XProtect Essential+ link to download a free license file.

      The free license file is downloaded and appears in the Enter or browse to the location of the license file field. Click Continue.

  4. Select Single computer.

    A list of components to install appears (you cannot edit this list). Click Continue.

  5. On the Assign a system configuration password page, enter a password that protects your system configuration. You will need this password in case of system recovery or when expanding your system, for example when adding clusters.

    It is important that you save this password and keep it safe. If you lose this password, you may compromise your ability to recover your system configuration.

    If you do not want your system configuration to be password protected, select I choose not to use a system configuration password and understand that the system configuration will not be encrypted.

    Click Continue.

  6. On the Assign a mobile server data protection password page, enter a password to encrypt your investigations. As a system administrator, you will need to enter this password to access the mobile server data in case of system recovery or when expanding your system with additional mobile servers.

    You must save this password and keep it safe. Failure to do so may compromise your ability to recover mobile server data.

    If you do not want your investigations to be password-protected, select I choose not to use a mobile server data protection password, and I understand that investigations will not be encrypted.

    Click Continue.

  7. On the Specify recording server settings page, specify the different recording server settings:
    1. In the Recording server name field, enter the name of the recording server. The default is the name of the computer.
    2. The Management server address field shows the address and port number of the management server: localhost:80.
    3. In the Select your media database location field, select the location where you want to save your video recording. Milestone recommends that you save your video recordings in a separate location from where you install the software and not on the system drive. The default location is the drive with the most space available.
    4. In Retention time for video recordings field, define for how long you want to save the recordings. You can enter from between 1 and 365,000 days, where 7 days is the default retention time.
    5. Click Continue.

  8. On the Select encryption page, you can secure the communication flows:

    • Between the recording servers, data collectors, and the management server

      To enable encryption for internal communication flows, in the Server certificate section, select a certificate.

      If you encrypt the connection from the recording server to the management server, the system requires that you also encrypt the connection from the management server to the recording server.

    • Between the recording servers and clients

      To enable encryption between recording servers and client components that retrieve data streams from the recording server, in the Streaming media certificate section, select a certificate.

    • Between the mobile server and clients

      To enable encryption between client components that retrieve data streams from the mobile server, in the Mobile streaming media certificate section, select a certificate.

    • Between the event server and components that communicate with the event server

      To enable encryption between the event server and components that communicate with the event server, including the LPR Server, in the Event server and extensions section, select a certificate.

    You can use the same certificate file for all system components or use different certificate files depending on the system components.

    For more information about preparing your system for secure communication, see:

    You can also enable encryption after installation from the Server Configurator in the Management Server Manager tray icon in the notification area.

  9. On the Select file location and product language page, do the following:

    1. In the File location field, select the location where you want to install the software.

      If any Milestone XProtect VMS product is already installed on the computer, this field is disabled. The field displays the location where the component will be installed.

    2. In Product language, select the language in which to install your XProtect product.
    3. Click Install.

    The software now installs. If not already installed on the computer, Microsoft® SQL Server® Express and Microsoft IIS are automatically installed during the installation.

  10. You may be prompted to restart the computer. After restarting your computer, depending on the security settings, one or more Windows security warnings may appear. Accept these and the installation completes.

  11. When the installation completes, a list shows the components that are installed on the computer.

    Click Continue to add hardware and users to the system.

    If you click Close now, you bypass the configuration wizard and XProtect Management Client opens. You can configure the system, for example add hardware and users to the system, in Management Client.

  12. On the Enter user names and passwords for hardware page, enter the user names and passwords for hardware that you have changed from the manufacturer defaults.

    The installer scans the network for this hardware as well as hardware with manufacturer default credentials.

    Click Continue and wait while the system scans for hardware.

  13. On the Select the hardware to add to the system page, select the hardware that you want to add to the system. Click Continue and wait while the system adds the hardware.
  14. On the Configure the devices page, you can give the hardware descriptive names by clicking the edit icon next to the hardware name. This name is then prefixed to the hardware devices.

    Expand the hardware node to enable or disable the hardware devices, such as cameras, speakers, and microphones.

    Cameras are enabled by default, and speakers and microphones are disabled by default.

    Click Continue and wait while the system configures the hardware.

  15. On the Add users page, you can add users to the system as Windows users or basic users. The users can have either the Administrators role or the Operators role.

    Define the user and click Add.

    When you are done adding users, click Continue.

  16. When the installation and initial configuration are done, the Configuration is complete page appears, where you see:
    • A list of hardware devices that are added to the system
    • A list of users who are added to the system
    • Addresses to the XProtect Web Client and XProtect Mobile client, which you can share with your users

    17. When you click Close, XProtect Smart Client opens and is ready to use.

Install your system - Single computer option

The Single computer option installs all server and client components on the current computer.

Milestone recommends that you read the following section carefully before you install: Before you start installation.

For FIPS installations, you cannot upgrade XProtect VMS when FIPS is enabled on the Windows operating system. Before you install, disable the Windows FIPS security policy on all of the computers that are part of the VMS, including the computer that hosts SQL Server. But, if you are upgrading from XProtect VMS version 2020 R3 and after, you do not need to disable FIPS. For detailed information on how to configure your XProtect VMS to run in FIPS 140-2 compliant mode, see the FIPS 140-2 compliance section in the hardening guide.

After initial installation, you can continue with the configuration wizard. Depending on your hardware and configuration, the recording server scans your network for hardware. You can then select which hardware devices to add to your system. Cameras are preconfigured in views, and you have the option to enable other devices such as microphones and speakers. You also have the option of adding users to the system with either an operator role or an administrator role. After installation, XProtect Smart Client opens, and you are ready to use the system.

Otherwise, if you close the installation wizard, XProtect Management Client opens, where you can make manual configurations such as add hardware devices and users to the system.

If you upgrade from a previous version of the product, the system does not scan for hardware or create new views and user profiles.

  1. Download the software from the internet (https://www.milestonesys.com/downloads/) and run the Milestone XProtect VMS Products 2024 R1 System Installer.exe file.
  2. The installation files unpack. Depending on the security settings, one or more Windows® security warnings appear. Accept these and the unpacking continues.
  3. When done, the Milestone XProtect VMS installation wizard appears.
    1. Select the Language to use during the installation (this is not the language that your system uses once installed; this is selected later). Click Continue.
    2. Read the Milestone End-user License Agreement. Select the I accept the terms in the license agreement check box and click Continue.
    3. On the Privacy settings page, select whether you want to share usage data, and click Continue.

      4. You must not enable data collection if you want the system to have an EU GDPR-compliant installation. For more information about data protection and the usage data collection, see the GDPR privacy guide.

      You can always change your privacy setting later. See also System settings (Options dialog box).

    4. In the Enter or browse to the location of the license file, enter your license file from your XProtect provider. Alternatively, browse to the file location or click the XProtect Essential+ link to download a free license file. For limitations to the free XProtect Essential+ product, see the Product comparison. The system verifies your license file before you can continue. Click Continue.
  4. Select Single computer.

    A list of components to install appears (you cannot edit this list). Click Continue.

  5. On the Assign a system configuration password page, enter a password that protects your system configuration. You will need this password in case of system recovery or when expanding your system, for example when adding clusters.

    It is important that you save this password and keep it safe. If you lose this password, you may compromise your ability to recover your system configuration.

    If you do not want your system configuration to be password protected, select I choose not to use a system configuration password and understand that the system configuration will not be encrypted.

    Click Continue.

  6. On the Assign a mobile server data protection password page, enter a password to encrypt your investigations. As a system administrator, you will need to enter this password to access the mobile server data in case of system recovery or when expanding your system with additional mobile servers.

    You must save this password and keep it safe. Failure to do so may compromise your ability to recover mobile server data.

    If you do not want your investigations to be password-protected, select I choose not to use a mobile server data protection password, and I understand that investigations will not be encrypted.

    Click Continue.

  7. On the Specify recording server settings page, specify the different recording server settings:
    1. In the Recording server name field, enter the name of the recording server. The default is the name of the computer.
    2. The Management server address field shows the address and port number of the management server: localhost:80.
    3. In the Select your media database location field, select the location where you want to save your video recording. Milestone recommends that you save your video recordings in a separate location from where you install the software and not on the system drive. The default location is the drive with the most space available.
    4. In Retention time for video recordings field, define for how long you want to save the recordings. You can enter from between 1 and 365,000 days, where 7 days is the default retention time.
    5. Click Continue.

  8. On the Select encryption page, you can secure the communication flows:

    • Between the recording servers, data collectors, and the management server

      To enable encryption for internal communication flows, in the Server certificate section, select a certificate.

      If you encrypt the connection from the recording server to the management server, the system requires that you also encrypt the connection from the management server to the recording server.

    • Between the recording servers and clients

      To enable encryption between recording servers and client components that retrieve data streams from the recording server, in the Streaming media certificate section, select a certificate.

    • Between the mobile server and clients

      To enable encryption between client components that retrieve data streams from the mobile server, in the Mobile streaming media certificate section, select a certificate.

    • Between the event server and components that communicate with the event server

      To enable encryption between the event server and components that communicate with the event server, including the LPR Server, in the Event server and extensions section, select a certificate.

    You can use the same certificate file for all system components or use different certificate files depending on the system components.

    For more information about preparing your system for secure communication, see:

    You can also enable encryption after installation from the Server Configurator in the Management Server Manager tray icon in the notification area.

  9. On the Select file location and product language page, do the following:

    1. In the File location field, select the location where you want to install the software.

      If any Milestone XProtect VMS product is already installed on the computer, this field is disabled. The field displays the location where the component will be installed.

    2. In Product language, select the language in which to install your XProtect product.
    3. Click Install.

    The software now installs. If not already installed on the computer, Microsoft® SQL Server® Express and Microsoft IIS are automatically installed during the installation.

  10. You may be prompted to restart the computer. After restarting your computer, depending on the security settings, one or more Windows security warnings may appear. Accept these and the installation completes.

  11. When the installation completes, a list shows the components that are installed on the computer.

    Click Continue to add hardware and users to the system.

    If you click Close now, you bypass the configuration wizard and XProtect Management Client opens. You can configure the system, for example add hardware and users to the system, in Management Client.

  12. On the Enter user names and passwords for hardware page, enter the user names and passwords for hardware that you have changed from the manufacturer defaults.

    The installer scans the network for this hardware as well as hardware with manufacturer default credentials.

    Click Continue and wait while the system scans for hardware.

  13. On the Select the hardware to add to the system page, select the hardware that you want to add to the system. Click Continue and wait while the system adds the hardware.
  14. On the Configure the devices page, you can give the hardware descriptive names by clicking the edit icon next to the hardware name. This name is then prefixed to the hardware devices.

    Expand the hardware node to enable or disable the hardware devices, such as cameras, speakers, and microphones.

    Cameras are enabled by default, and speakers and microphones are disabled by default.

    Click Continue and wait while the system configures the hardware.

  15. On the Add users page, you can add users to the system as Windows users or basic users. The users can have either the Administrators role or the Operators role.

    Define the user and click Add.

    When you are done adding users, click Continue.

  16. When the installation and initial configuration are done, the Configuration is complete page appears, where you see:
    • A list of hardware devices that are added to the system
    • A list of users who are added to the system
    • Addresses to the XProtect Web Client and XProtect Mobile client, which you can share with your users

    17. When you click Close, XProtect Smart Client opens and is ready to use.

Install your system - Custom option

The Custom option installs the management server, but you can select which other server and client components you want to install on the current computer. By default, the recording server is not selected in the component list. Depending on your selections, you can install the not selected system components on other computers afterwards. For more information about each system component and their role, see Product overview. Installation on other computers is done through the management server's download web page named Download Manager. For more information about installation through the Download Manager, see Download Manager/download web page.

Milestone recommends that you read the following section carefully before you install: Before you start installation.

For FIPS installations, you cannot upgrade XProtect VMS when FIPS is enabled on the Windows operating system. Before you install, disable the Windows FIPS security policy on all of the computers that are part of the VMS, including the computer that hosts SQL Server. But, if you are upgrading from XProtect VMS version 2020 R3 and after, you do not need to disable FIPS. For detailed information on how to configure your XProtect VMS to run in FIPS 140-2 compliant mode, see the FIPS 140-2 compliance section in the hardening guide.

  1. Download the software from the internet (https://www.milestonesys.com/downloads/) and run the Milestone XProtect VMS Products 2024 R1 System Installer.exe file.
  2. The installation files unpack. Depending on the security settings, one or more Windows® security warnings appear. Accept these and the unpacking continues.
  3. When done, the Milestone XProtect VMS installation wizard appears.
    1. Select the Language to use during the installation (this is not the language that your system uses once installed; this is selected later). Click Continue.
    2. Read the Milestone End-user License Agreement. Select the I accept the terms in the license agreement check box and click Continue.
    3. On the Privacy settings page, select whether you want to share usage data, and click Continue.

      4. You must not enable data collection if you want the system to have an EU GDPR-compliant installation. For more information about data protection and the usage data collection, see the GDPR privacy guide.

      You can always change your privacy setting later. See also System settings (Options dialog box).

    4. In the Enter or browse to the location of the license file, enter your license file from your XProtect provider. Alternatively, browse to the file location or click the XProtect Essential+ link to download a free license file. For limitations to the free XProtect Essential+ product, see the Product comparison. The system verifies your license file before you can continue. Click Continue.

  4. Select Custom. A list of components to be installed appears. Apart from the management server, all components in the list are optional. The recording server and the mobile server are by default not selected. Select the system components you want to install and click Continue.

    For your system to function properly, you must install at least one instance of XProtect API Gateway.

    5. In the steps below, all system components are installed. For a more distributed system, install fewer system components on this computer and the remaining system components on other computers. If you cannot recognize an installation step, it is likely because you have not selected to install the system component that this page belongs to. In that case, continue to the next step. See also Installing through Download Manager (explained), Install a recording server through Download Manager, and Installing silently through a command line shell (explained).

  5. The Select a website on the IIS to use with your XProtect system page is shown only if you have more than one IIS website available on the computer. You must select which website you will use with your XProtect system. Select a website with HTTPS binding. Click Continue.

    6. If Microsoft® IIS is not installed on the computer, it is installed.

  6. On the Select Microsoft SQL Server page, select the SQL Server that you want to use. See also SQL Server options during custom installation. Click Continue.

    7. If you do not have SQL Server on your local computer, you can install Microsoft SQL Server Express, but in a larger distributed system you would typically use dedicated SQL Server on your network.

  7. On the Select database (only shown if you have selected existing SQL Server), select or create a SQL Server database for storing your system configuration. If you choose an existing SQL Server database, decide whether to Keep or Overwrite existing data. If you are upgrading, select to keep existing data so you do not lose your system configuration. See also SQL Server options during custom installation. Click Continue.
  8. On the Database settings page, select either Let the installer create or recreate a database or Use a pre-created database.
  9. To have your databases created or recreated automatically, select Let the installer create or recreate a database, and click Continue.
  10. To use databases that you set up for the purpose or databases that have already been created, select Use a pre-created database. You will then see the Advanced database setup page.
  11. On the Advanced database setup page, enter the server and the database name for the XProtect components.

  12. Select either Windows Authentication, do not trust server certificate (recommended) or Windows Authentication, trust server certificate or select Azure Active Directory Integrated, do not trust server certificate (recommended).

    The account to be used for the installation must be created in Azure AD or Windows AD depending on the authentication type you want to use. Multi-factor authentication (MFA) is not supported for the accounts.

    The (do not trust server certificate) option is recommended for Windows Authentication and mandatory for Azure Active Directory Integrated. This is to ensure that server certificates are validated and verified before installation. More information about invalid server certificates is available in the installation log file. With the Windows Authentication, trust server certificate option, you skip the validation of server certificates.

  13. Click the icon to verify the connection. By clicking the icon, you also validate server certificates.
  14. Click Continue
  15. On the Assign a system configuration password page, enter a password that protects your system configuration. You will need this password in case of system recovery or when expanding your system, for example when adding clusters.

    It is important that you save this password and keep it safe. If you lose this password, you may compromise your ability to recover your system configuration.

    If you do not want your system configuration to be password protected, select I choose not to use a system configuration password and understand that the system configuration will not be encrypted.

    Click Continue.

  16. On the Assign a mobile server data protection password page, enter a password to encrypt your investigations. As a system administrator, you will need to enter this password to access the mobile server data in case of system recovery or when expanding your system with additional mobile servers.

    You must save this password and keep it safe. Failure to do so may compromise your ability to recover mobile server data.

    If you do not want your investigations to be password-protected, select I choose not to use a mobile server data protection password, and I understand that investigations will not be encrypted.

    Click Continue.

  17. On the Select service account for recording server, select either This predefined account or This account to select the service account for the recording server.

    If needed, enter a password.

    The user name for the account must be a single word. It must not have a space.

    Click Continue.

  18. On the Specify recording server settings page, specify the different recording server settings:
    1. In the Recording server name field, enter the name of the recording server. The default is the name of the computer.
    2. The Management server address field shows the address and port number of the management server: localhost:80.
    3. In the Select your media database location field, select the location where you want to save your video recording. Milestone recommends that you save your video recordings in a separate location from where you install the software and not on the system drive. The default location is the drive with the most space available.
    4. In Retention time for video recordings field, define for how long you want to save the recordings. You can enter from between 1 and 365,000 days, where 7 days is the default retention time.
    5. Click Continue.

  19. On the Select encryption page, you can secure the communication flows:

    • Between the recording servers, data collectors, and the management server

      To enable encryption for internal communication flows, in the Server certificate section, select a certificate.

      If you encrypt the connection from the recording server to the management server, the system requires that you also encrypt the connection from the management server to the recording server.

    • Between the recording servers and clients

      To enable encryption between recording servers and client components that retrieve data streams from the recording server, in the Streaming media certificate section, select a certificate.

    • Between the mobile server and clients

      To enable encryption between client components that retrieve data streams from the mobile server, in the Mobile streaming media certificate section, select a certificate.

    • Between the event server and components that communicate with the event server

      To enable encryption between the event server and components that communicate with the event server, including the LPR Server, in the Event server and extensions section, select a certificate.

    You can use the same certificate file for all system components or use different certificate files depending on the system components.

    For more information about preparing your system for secure communication, see:

    You can also enable encryption after installation from the Server Configurator in the Management Server Manager tray icon in the notification area.

  20. On the Select file location and product language page, select the File location for the program files.

    If any Milestone XProtect VMS product is already installed on the computer, this field is disabled. The field displays the location where the component will be installed.

  21. In the Product language field, select the language in which to install your XProtect product. Click Install.

    The software now installs. When the installation completes, you see a list of successfully installed system components. Click Close.

  22. You may be prompted to restart the computer. After restarting your computer, depending on the security settings, one or more Windows security warnings may appear. Accept these and the installation completes.

  23. Configure your system in Management Client. See Initial configuration tasks list.
  24. Depending on your selections, install the remaining system components on other computers through the Download Manager. See Installing through Download Manager (explained).

SQL Server options during custom installation

Decide which SQL Server and database to use with the below options.

SQL Server options:

  • Install Microsoft® SQL Server® Express on this computer: This option is shown only if you do not have SQL Server installed on the computer

  • Use the SQL Server on this computer: This option is shown only if SQL Server is already installed on the computer

  • Select a SQL Server on your network through search: Enables you to search for all SQL Server installations that are discoverable on your network subnet
  • Select a SQL Server on your network: Enables you to enter the address (host name or IP address) of SQL Server that you might not be able to find through search

SQL Server database options:

  • Create new database: Mainly for new installations
  • Use existing database: Mainly for upgrades of existing installations. Milestone recommends that you reuse the existing SQL Server database and keep the existing data in it, so you do not lose your system configuration. You can also choose to overwrite the data in the SQL Server database