Change application components

During installation of the application, you can select the components that will be available. You can change the available application components in the following ways:

Locally, by using the Setup Wizard.
Application components are changed by using the normal method for a Windows operating system, which is through the Control Panel. Run the Application Setup Wizard and select the option to change the application components that are available. Follow the instructions on the screen.

This method is not available if the application was installed via Kaspersky Security Center. You can change the selection of application components in the Control Panel only after installing the application locally.
Remotely using Kaspersky Security Center.
The Change application components task allows you to change the components of Kaspersky Endpoint Security after the application is installed.

Please take into account the following special considerations when changing the application components:

On computers running Windows Server, you cannot install all components of Kaspersky Endpoint Security (for example, the Adaptive Anomaly Control component is not available).
If the hard drives on your computer are protected by Full Disk Encryption (FDE), you cannot remove the Full Disk Encryption component. To remove the Full Disk Encryption component, decrypt all the hard drives of the computer.
If the computer has encrypted files (FLE) or the user uses encrypted removable drives (FDE or FLE), it will be impossible to access the files and removable drives after the Data Encryption components are removed. You can access the files and removable drives by reinstalling the Data Encryption components.
If the application is installed in Light Agent mode in a VDI infrastructure, changing the set components is not supported.

How to add or remove application components in the Administration Console (MMC)

In the Kaspersky Security Center Administration Console tree, select Tasks.
The list of tasks opens.
Click New task.

The Task Wizard starts. Follow the instructions of the Wizard.

Step 1. Selecting task type

Select Kaspersky Endpoint Security for Windows (12.12) → Select components to install.

Step 2. Task settings for changing application components

Select the configuration of the application:

Standard mode to protect workstations and servers. The default configuration. This configuration lets you use all components of the application, including components that provide support for Detection and Response solutions. This configuration is used for comprehensive protection of the computer from a variety of threats, network attacks, and fraud.
Endpoint Detection and Response Agent to protect against advanced threats and targeted attacks. In this configuration, you can only install the components that provide support for Detection and Response solutions: MDR, EDR (KATA), NDR (KATA), EDR Expert (on-premise), as well as KUMA. This configuration is needed if a third-party Endpoint Protection Platform (EPP) is deployed in your organization alongside a Kaspersky Detection and Response solution. This makes Kaspersky Endpoint Security in the Endpoint Detection and Response Agent configuration compatible with third-party EPP applications.

When changing the application configuration for the EDR Agent to work with MDR, ensure that the components responsible for receiving telemetry are enabled.

Light Agent to protect virtual environments. This configuration is intended for the application that is used as part of the Kaspersky Security for Virtualization Light Agent solution. Light Agent must be installed on each virtual machine that needs to be protected using the solution. In this configuration, you cannot use Data Encryption components or Adaptive Anomaly Control. If you are installing Light Agent on a virtual machine template that will be used to create nonpersistent virtual machines, select the Protect VDI infrastructure check box (VDI stands for Virtual Desktop Infrastructure). The VDI protection mode helps optimize the performance of Kaspersky Endpoint Security on nonpersistent virtual machines. In this mode, Light Agent declines application updates that require restarting the virtual machine. When receiving application updates that require a restart, Light Agent generates an event about needing to update the template of the protected virtual machines.

Select the application components that will be available on the user's computer.

Step 3. Advanced settings

Configure the advanced settings for the task (see the table below).

Step 4. Selecting the devices to which the task will be assigned

Select the computers on which the task will be performed. The following options are available:

Assign the task to an administration group. In this case, the task is assigned to computers included in a previously created administration group.
Select computers detected by the Administration Server in the network: unassigned devices. The specific devices can include devices in administration groups as well as unassigned devices.
Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP addresses, and IP subnets of devices to which you want to assign the task.

Step 5. Configuring a task start schedule

Configure a schedule for starting a task, for example, manually or when the computer is idle.

Step 6. Defining the task name

Enter a name for the task, for example, Add the Application Control component.

Step 7. Completing task creation

Exit the Wizard. If necessary, select the Run the task after the wizard finishes check box. You can monitor the progress of the task in the task properties.

How to add or remove application components in the Web Console and Cloud Console

In the main window of the Web Console, select Assets (Devices) → Tasks.
The list of tasks opens.
Click Add.

The Task Wizard starts. Follow the instructions of the Wizard.

Step 1. Configuring general task settings

Configure the general task settings:

In the Application drop-down list, select Kaspersky Endpoint Security for Windows 12.12.0.
In the Task type drop-down list, select Change application components.
In the Task name field, enter a brief description, for example, Add the Application Control component.
In the Devices to which the task will be assigned block, select the task scope.

Step 2. Selecting the devices to which the task will be assigned

Select the computers on which the task will be performed. For example, select a separate administration group or build a selection.

Step 3. Completing task creation

Select the Open task details when creation is complete check box and finish the wizard.

In the task properties, select the Application settings tab. Next, select the configuration of the application:

Standard mode to protect workstations and servers. The default configuration. This configuration lets you use all components of the application, including components that provide support for Detection and Response solutions. This configuration is used for comprehensive protection of the computer from a variety of threats, network attacks, and fraud.
Endpoint Detection and Response Agent to protect against advanced threats and targeted attacks. In this configuration, you can only install the components that provide support for Detection and Response solutions: MDR, EDR (KATA), NDR (KATA), EDR Expert (on-premise), as well as KUMA. This configuration is needed if a third-party Endpoint Protection Platform (EPP) is deployed in your organization alongside a Kaspersky Detection and Response solution. This makes Kaspersky Endpoint Security in the Endpoint Detection and Response Agent configuration compatible with third-party EPP applications.

When changing the application configuration for the EDR Agent to work with MDR, ensure that the components responsible for receiving telemetry are enabled.

Light Agent to protect virtual environments. This configuration is intended for the application that is used as part of the Kaspersky Security for Virtualization Light Agent solution. Light Agent must be installed on each virtual machine that needs to be protected using the solution. In this configuration, you cannot use Data Encryption components or Adaptive Anomaly Control. If you are installing Light Agent on a virtual machine template that will be used to create nonpersistent virtual machines, select the Protect VDI infrastructure check box (VDI stands for Virtual Desktop Infrastructure). The VDI protection mode helps optimize the performance of Kaspersky Endpoint Security on nonpersistent virtual machines. In this mode, Light Agent declines application updates that require restarting the virtual machine. When receiving application updates that require a restart, Light Agent generates an event about needing to update the template of the protected virtual machines.

Select the application components that will be available on the user's computer. Configure the advanced settings for the task (see the table below).

As a result, the set of Kaspersky Endpoint Security components on users' computers will be changed in silent mode. The settings of available components will be displayed in the local interface of the application. The components that were not included in the application are disabled, and the settings of these components are not available.

When installing, updating or uninstalling Kaspersky Endpoint Security, errors may occur. For more information about solving these errors, please refer to the Technical Support Knowledge Base.

Advanced Settings of the task

Parameter	Description
Task settings	Check for incompatible third-party applications. By default, Kaspersky Endpoint Security checks installed applications for compatibility. The list of software that may cause compatibility issues is available in the incompatible.txt file. The file is included in the distribution kit. If the scan of installed software is enabled, when an application from the list is detected, Kaspersky Endpoint Security stops the task. You can disable the scan of installed software if the vendor documentation of the third-party software claims compatibility with Endpoint Protection Platform (EPP). Remove incompatible third-party applications. Automatic removal of applications listed in the incompatible.txt file before changing the set of components. If this functionality is enabled, Kaspersky Endpoint Security attempts to remove the applications that may cause compatibility issues in order to continue the task. Use Azure WVD compatibility mode. This feature ensures correct display of Azure virtual machine state in the Kaspersky Anti Targeted Attack Platform console. To monitor the performance of the computer, Kaspersky Endpoint Security sends telemetry to KATA servers. Telemetry includes an ID of the computer (Sensor ID). Azure WVD compatibility mode allows assigning a permanent unique Sensor ID to these virtual machines. If the compatibility mode is turned off, the Sensor ID can change after the computer is restarted because of how Azure virtual machines work. This can cause duplicates of virtual machines to appear on the console.
Exclusions	Starting with Kaspersky Endpoint Security 12.6 for Windows, scan exclusions and trusted applications are added to the trusted zone. Predefined scan exclusions and trusted applications help quickly configure Kaspersky Endpoint Security on SQL servers, Microsoft Exchange servers, and System Center Configuration Manager. This means you do not need to manually set up a trusted zone for the application on servers. Starting with Kaspersky Endpoint Security 12.8 for Windows, you can install the application in Light Agent mode for protecting virtual environments. Predefined scan exclusions and trusted applications can help you quickly configure Kaspersky Endpoint Security in Citrix and VMware virtual environments. You can also configure the trusted zone later in policy properties: scan exclusions and trusted applications.
Separate mode / Combined mode	You can create separate sets of components for workstations and servers – Separate mode. Before deploying the installation package, the installer detects the type of the operating system and installs only those application components that you selected for that operating system type. In this way, you can use the same installation package for workstations and servers. Combined mode offers a common list of components for workstation and servers. The availability of individual components depends on the operating system type. In this mode, we recommend creating a separate installation package for workstations and separate installation package for servers. You can configure the common list of components in the installation package only in Standard mode.
Use password for modifying the set of application components	Administrators typically enable Password protection to restrict access to Kaspersky Endpoint Security. That is, to modify the selection of application components, you must enter credentials of a user that has the Remove / modify / restore the application permission. For example, you can use the KLAdmin account.
Use the password to uninstall Kaspersky Endpoint Agent and Kaspersky Security for Windows Server	Administrators typically enable Password protection in settings of these tasks to restrict access to Kaspersky Endpoint Agent (KEA) and Kaspersky Security for Windows Server (KSWS). That is, if you are migrating from the [KES+KEA] configuration to [KES+built-in agent], or if you are migrating from KSWS to KES, you must enter a password to remove these applications.

Page top