Kaspersky Endpoint Security for Windows 11.1.1
English
- Čeština (Česká republika)
- Deutsch
- Español (España)
- Español (México)
- Français
- Italiano
- Magyar (Magyarország)
- Polski (Polska)
- Português (Brasil)
- Português (Portugal)
- Română (România)
- Tiếng Việt (Việt Nam)
- Türkçe (Türkiye)
- Русский
- العربية (الإمارات العربية المتحدة)
- 한국어 (대한민국)
- 简体中文
- 繁體中文
- 日本語(日本)
English
- Čeština (Česká republika)
- Deutsch
- Español (España)
- Español (México)
- Français
- Italiano
- Magyar (Magyarország)
- Polski (Polska)
- Português (Brasil)
- Português (Portugal)
- Română (România)
- Tiếng Việt (Việt Nam)
- Türkçe (Türkiye)
- Русский
- العربية (الإمارات العربية المتحدة)
- 한국어 (대한민국)
- 简体中文
- 繁體中文
- 日本語(日本)
- About Kaspersky Endpoint Security for Windows
- What's new
- Application licensing
- Managing the application via the local interface
- Installing and removing the application
- Installing the application
- About ways to install the application
- Installing the application by using the Setup Wizard
- Step 1. Making sure that the computer meets installation requirements
- Step 2. Welcome page of the installation procedure
- Step 3. Viewing the License Agreement and Privacy Policy
- Step 4. Selecting application components to install
- Step 5. Selecting the destination folder
- Step 6. Preparing for application installation
- Step 7. Application installation
- Installing the application from the command line
- Remotely installing the application using System Center Configuration Manager
- Description of setup.ini file installation settings
- Upgrading from a previous version of the application
- Kaspersky Security Network Statement
- Removing the application
- Installing the application
- Activating the application
- Application interface
- Starting and stopping the application
- Kaspersky Security Network
- About participation in Kaspersky Security Network
- About data provision when using Kaspersky Security Network
- Enabling and disabling use of Kaspersky Security Network
- Enabling and disabling cloud mode for protection components
- Checking the connection to Kaspersky Security Network
- Checking the reputation of a file in Kaspersky Security Network
- Behavior Detection
- Exploit Prevention
- Host Intrusion Prevention
- About Host Intrusion Prevention
- Limitations of audio and video device control
- Enabling and disabling Host Intrusion Prevention
- Managing application trust groups
- Managing application rights
- Changing application rights for trust groups and groups of applications
- Modifying application rights
- Disabling downloads and updates of application rights from the Kaspersky Security Network database
- Disabling the inheritance of restrictions from the parent process
- Excluding specific application actions from application rights
- Deleting obsolete application rights
- Protecting operating system resources and identity data
- Remediation Engine
- File Threat Protection
- About File Threat Protection
- Enabling and disabling File Threat Protection
- Automatic pausing of File Threat Protection
- File Threat Protection settings
- Changing the security level
- Changing the action taken on infected files by the File Threat Protection component
- Forming the protection scope of the File Threat Protection component
- Using heuristic analysis in the operation of the File Threat Protection component
- Using scan technologies in the operation of the File Threat Protection component
- Optimizing file scanning
- Scanning compound files
- Changing the scan mode
- Web Threat Protection
- About Web Threat Protection
- Enabling and disabling Web Threat Protection
- Web Threat Protection settings
- Changing the web traffic security level
- Changing the action to take on malicious web traffic objects
- Web Threat Protection scanning of links to check them against databases of phishing and malicious web addresses
- Using heuristic analysis in the operation of the Web Threat Protection component
- Editing the list of trusted web addresses
- Mail Threat Protection
- Network Threat Protection
- Firewall
- BadUSB Attack Prevention
- AMSI Protection Provider
- Application Control
- About Application Control
- Enabling and disabling Application Control
- Application Control functionality limitations
- About Application Control rules
- Managing Application Control rules
- Rules for creating name masks for files or folders
- Editing Application Control message templates
- About Application Control operating modes
- Selecting the Application Control mode
- Device Control
- About Device Control
- Enabling and disabling Device Control
- About access rules
- About trusted devices
- Standard decisions on access to devices
- Editing a device access rule
- Adding or excluding records to or from the event log
- Adding a Wi-Fi network to the trusted list
- Editing a connection bus access rule
- Actions with trusted devices
- Adding a device to the Trusted list from the application interface
- Adding devices to the Trusted list based on the device model or ID
- Adding devices to the Trusted list based on the mask of the device ID
- Configuring user access to a trusted device
- Removing a device from the list of trusted devices
- Importing the list of trusted devices
- Exporting the list of trusted devices
- Editing templates of Device Control messages
- Anti-Bridging
- Obtaining access to a blocked device
- Creating a key for accessing a blocked device using Kaspersky Security Center
- Web Control
- About Web Control
- Enabling and disabling Web Control
- Web resource content categories
- About web resource access rules
- Actions with web resource access rules
- Migrating web resource access rules from previous versions of the application
- Exporting and importing the list of web resource addresses
- Editing masks for web resource addresses
- Editing templates of Web Control messages
- Adaptive Anomaly Control
- About Adaptive Anomaly Control
- Enabling and disabling Adaptive Anomaly Control
- Actions with Adaptive Anomaly Control rules
- Enabling and disabling an Adaptive Anomaly Control rule
- Modifying the action taken when an Adaptive Anomaly Control rule is triggered
- Creating and editing an exclusion for an Adaptive Anomaly Control rule
- Deleting an Adaptive Anomaly Control rule exclusion
- Importing exclusions for Adaptive Anomaly Control rules
- Exporting exclusions for Adaptive Anomaly Control rules
- Applying updates for Adaptive Anomaly Control rules
- Editing Adaptive Anomaly Control message templates
- Viewing Adaptive Anomaly Control reports
- Updating databases and application software modules
- Scanning the computer
- About scan tasks
- Starting or stopping a scan task
- Configuring scan task settings
- Changing the security level
- Changing the action to take on infected files
- Generating a list of objects to scan
- Selecting the type of files to scan
- Optimizing file scanning
- Scanning compound files
- Using scan methods
- Using scan technologies
- Selecting the run mode for the scan task
- Starting a scan task under the account of a different user
- Scanning removable drives when they are connected to the computer
- Background scan
- Working with active threats
- Checking the integrity of application modules
- Managing reports
- Notification service
- Managing Backup
- Advanced application settings
- Trusted zone
- About the trusted zone
- Creating a scan exclusion
- Modifying a scan exclusion
- Deleting a scan exclusion
- Enabling and disabling a scan exclusion
- Editing the list of trusted applications
- Enabling and disabling trusted zone rules for an application in the list of trusted applications
- Using trusted system certificate storage
- Network Protection
- Kaspersky Endpoint Security Self-Defense
- Kaspersky Endpoint Security performance and compatibility with other applications
- About Kaspersky Endpoint Security performance and compatibility with other applications
- Selecting types of detectable objects
- Enabling or disabling Advanced Disinfection technology for workstations
- Enabling or disabling Advanced Disinfection technology for file servers
- Enabling or disabling energy-saving mode
- Enabling or disabling conceding of resources to other applications
- Password protection
- Creating and using a configuration file
- Trusted zone
- Installing and removing the application
- Managing the application via the Kaspersky Security Center Administration Console
- About managing the application via Kaspersky Security Center
- Task management
- Managing policies
- Data Encryption
- About data encryption
- Encryption functionality limitations
- Changing the encryption algorithm
- Enabling Single Sign-On (SSO) technology
- Special considerations for file encryption
- Full Disk Encryption
- File Level Encryption on local computer drives
- Encryption of removable drives
- Using the Authentication Agent
- Using a token and smart card with Authentication Agent
- Editing Authentication Agent help messages
- Limited support for characters in Authentication Agent help messages
- Selecting the Authentication Agent trace level
- Managing Authentication Agent accounts
- Adding a command for creating an Authentication Agent account
- Adding an Authentication Agent account editing command
- Adding a command for deleting an Authentication Agent account
- Restoring Authentication Agent account credentials
- Responding to a user request to restore Authentication Agent account credentials
- Viewing data encryption details
- Managing encrypted files with limited file encryption functionality
- Working with encrypted devices when there is no access to them
- Obtaining access to encrypted devices through the application interface
- Granting user access to encrypted devices
- Providing a user with a recovery key for hard drives encrypted with BitLocker
- Creating the executable file of Restore Utility
- Restoring data on encrypted devices using the Restore Utility
- Responding to a user request to restore data on encrypted devices
- Restoring access to encrypted data after operating system failure
- Creating an operating system rescue disk
- Application Control
- About Application Control
- Managing Application Control rules
- Receiving information about the applications that are installed on users’ computers
- Creating application categories
- Step 1. Selecting the category type
- Step 2. Entering a user category name
- Step 3. Configuring the conditions for including applications in a category
- Step 4. Configuring the conditions for excluding applications from a category
- Step 5. Settings
- Step 6. Repository folder
- Step 7. Creating a custom category
- Adding executable files from the Executable files folder to the application category
- Adding event-related executable files to the application category
- Adding and modifying an Application Control rule using Kaspersky Security Center
- Changing the status of an Application Control rule via Kaspersky Security Center
- Testing Application Control rules using Kaspersky Security Center
- Viewing events resulting from test operation of the Application Control component
- Report on blocked applications in test mode
- Viewing events resulting from operation of the Application Control component
- Report on blocked applications
- Best practices for implementing white list mode
- Endpoint Sensor
- Sending user messages to the Kaspersky Security Center server
- Viewing user messages in the Kaspersky Security Center event storage
- Remote administration of the application through Kaspersky Security Center 11 Web Console
- About Kaspersky Endpoint Security management web plug-in
- Kaspersky Endpoint Security deployment
- Getting started
- Activation of Kaspersky Endpoint Security
- Starting and stopping Kaspersky Endpoint Security
- Updating databases and application software modules
- Task management
- Managing policies
- Configuring local application settings
- Policy settings
- Kaspersky Security Network
- Behavior Detection
- Exploit Prevention
- Host Intrusion Prevention
- Remediation Engine
- File Threat Protection
- Web Threat Protection
- Mail Threat Protection
- Network Threat Protection
- Firewall
- BadUSB Attack Prevention
- AMSI Protection Provider
- Application Control
- Device Control
- Web Control
- Adaptive Anomaly Control
- Endpoint Sensor
- Task management
- Scan from context menu
- Removable drives scan
- Background scan
- Application settings
- Network options
- Exclusions
- Reports and Storage
- Interface
- Managing the application from the command line
- Commands
- SCAN. Virus Scan
- UPDATE. Updating databases and application software modules
- ROLLBACK. Rolling back the last update
- TRACES. Traces
- START. Start the profile
- STOP. Stopping a profile
- STATUS. Profile status
- STATISTICS. Profile operation statistics
- RESTORE. Restoring files
- EXPORT. Exporting application settings
- IMPORT. Importing application settings
- ADDKEY. Applying a key file.
- LICENSE. Licensing
- RENEW. Purchasing a license
- PBATESTRESET. Reset the pre-encryption check results
- EXIT. Exit the application
- EXITPOLICY. Disabling policy
- STARTPOLICY. Enabling policy
- DISABLE. Disabling protection
- SPYWARE. Spyware detection
- KESCLI commands
- Scan. Virus Scan
- GetScanState. Scan completion status
- GetLastScanTime. Determining the scan completion time
- GetThreats. Obtaining data on detected threats
- UpdateDefinitions. Updating databases and application software modules
- GetDefinitionState. Determining the update completion time
- EnableRTP. Enabling protection
- GetRealTimeProtectionState. File Threat Protection status
- Version. Identifying the application version
- Appendix. Application profiles
- Commands
- Sources of information about the application
- Contacting Technical Support
- Glossary
- Active key
- Additional key
- Administration group
- Anti-virus databases
- Archive
- Authentication Agent
- Certificate issuer
- Database of malicious web addresses
- Database of phishing web addresses
- Disinfection
- False alarm
- Infected file
- License certificate
- Mask
- Network Agent
- Network Agent Connector
- Normalized form of the address of a web resource
- OLE object
- Protection scope
- Scan scope
- Task
- Trusted Platform Module
- Information about third-party code
- Trademark notices
Managing the application via the Kaspersky Security Center Administration Console > Data Encryption > Full Disk Encryption > Full disk encryption using BitLocker Drive Encryption technology
Full disk encryption using BitLocker Drive Encryption technology
Full disk encryption using BitLocker Drive Encryption technology
Prior to starting full disk encryption on a computer, you are advised to make sure that the computer is not infected. To do so, start the Full Scan or Critical Areas Scan task. Performing full disk encryption on a computer that is infected by a rootkit may cause the computer to become inoperable.
The use of BitLocker Drive Encryption technology on computers with a server operating system may require installation of the BitLocker Drive Encryption component using the Add roles and components wizard.
To apply full disk encryption using BitLocker Drive Encryption technology:
- Open the Kaspersky Security Center Administration Console.
- In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
- In the workspace, select the Policies tab.
- Select the necessary policy.
- Double-click it to open the policy properties window.
- In the Data encryption section, select Full Disk Encryption.
- In the Encryption technology drop-down list, select BitLocker Drive Encryption.
- In the Encryption mode drop-down list, select Encrypt all hard drives.
If the computer has several operating systems installed, after encryption you will be able to load only the operating system in which the encryption was performed.
- If you want to enable BitLocker authentication in the preboot environment on tablet computers, select the Allow use of authentication requiring preboot keyboard input on tablets check box.
The touchscreen of tablet computers is not available in the preboot environment. To complete BitLocker authentication on tablet computers, the user must connect a USB keyboard, for example.
- Select one of the following types of encryption:
- If you want to use hardware encryption, select the Use hardware encryption check box.
- If you want to use software encryption, clear the Use hardware encryption check box.
- Select one of the following encryption methods:
- If you want to apply encryption only to those hard drive sectors that are occupied by files, select the Encrypt used disk space only check box.
- If you want to apply encryption to the entire hard drive, clear the Encrypt used disk space only check box.
This function is applicable only to unencrypted hard drives. If a hard drive was previously encrypted using the Encrypt used disk space only function, after applying a policy in Encrypt all hard drives mode, sectors that are not occupied by files will still not be encrypted.
- Select a method for accessing hard drives that were encrypted with BitLocker.
- If you want to use a Trusted Platform Module(TPM) to store encryption keys, select the Use Trusted Platform Module (TPM) option.
A microchip developed to provide basic functions related to security (for example, for storing encryption keys). A Trusted Platform Module is usually installed on the computer motherboard and interacts with all other system components via the hardware bus.
- If you are not using a TPM for full disk encryption, select the Use password option and specify the minimum number of characters that a password must contain in the Minimum password length field.
The availability of a TPM is mandatory for the Windows 7 and Windows 2008 R2 operating systems, as well as for earlier versions.
- If you want to use a
- If you selected the Use Trusted Platform Module (TPM) option during the previous step:
- If you want to set a PIN code that will be requested when the user attempts to access an encryption key, select the Use PIN check box and in the Minimum PIN length field, specify the minimum number of digits that a PIN code must contain.
- If you would like access to encrypted hard drives without a trusted platform module on the computer using a password, select the Use password if Trusted Platform Module (TPM) is unavailable check box, and in the Minimum password length field indicate the minimum number of characters the password should contain.
In this event, access to encryption keys will occur using the given password just like if the Use password check box is selected.
If the Use password if Trusted Platform Module (TPM) is unavailable check box is cleared and the trusted platform module is not available, full disk encryption will not start.
- Click OK to save changes.
- Apply the policy.
For details on applying a Kaspersky Security Center policy, refer to Kaspersky Security Center Help.
After applying the policy on the client computer with Kaspersky Endpoint Security installed, the following queries will be made:
- If encryption of the system hard drive is configured in the Kaspersky Security Center policy:
- If a TPM module is available, a PIN code prompt window appears.
- If a TPM module is not available, you will see a password prompt window for preboot authentication.
- If the Federal Information Processing standard compatibility mode is enabled for computer operating system, then in Windows 8 and earlier versions of operating system, a request for connecting a storage device is displayed to save the recovery key file.
If there is no access to encryption keys, the user may request the local network administrator to provide a recovery key (if the recovery key was not saved earlier on the storage device or was lost).
Article ID: 130689, Last review: Dec 22, 2022