Migrating KSWS tasks and policies
You can migrate KSWS policy and task settings in the following ways:
- Using the Policies and Tasks Batch Conversion Wizard (hereinafter also referred to as the Migration Wizard).
The Migration Wizard for KSWS is available only in the Administration Console (MMC). Policy and task settings cannot be migrated in the Web Console and Cloud Console.
The batch conversion wizard works differently for different versions of Kaspersky Security Center. We recommend upgrading the solution to version 14.2 or higher. In this version of Kaspersky Security Center, the Policies and tasks batch conversion wizard lets you migrate policies into a profile rather than into a policy. In this version of Kaspersky Security Center, the Policies and tasks batch conversion wizard also lets you migrate a broader range of policy settings.
- Using the New Policy Wizard for Kaspersky Endpoint Security for Windows.
The New Policy Wizard lets you create a KES policy based on a KSWS policy.
KSWS policy migration procedures are different when using Migration Wizard and the New Policy Wizard.
Policies and tasks batch conversion wizard
The migration wizard transfers KSWS policy settings into the policy profile instead of KES policy settings. The policy profile is a set of policy settings that is activated on a computer if the computer satisfies the configured activation rules. The UpgradedFromKSWS
device tag is selected as the triggering criterion of the policy profile. Kaspersky Security Center automatically adds the UpgradedFromKSWS
tag to all computers on which you install KES on top of KSWS using the remote installation task. If you chose a different installation method, you can assign the tag to devices manually.
To add a tag to a device:
- Create a new tag for servers —
UpgradedFromKSWS
.For more details about creating tags for devices, refer to the Kaspersky Security Center Help.
- Create a new administration group in the Kaspersky Security Center console and add servers to which you want to assign the tag to this group.
You can group servers using the selection tool. For more details about working with selections, refer to the Kaspersky Security Center Help.
- Select all servers of the administration group in the Kaspersky Security Center console, open the properties of the selected servers and assign the tag.
If you are migrating multiple KSWS policies, each policy is converted to a profile within one overarching policy. If the KSWS policy already contains profiles, these profiles are also migrated as profiles. As a result you will get a single policy that includes profiles corresponding to all KSWS policies.
How to use the Policies and Tasks Batch Conversion Wizard to migrate KSWS policy settings
- In the Administration Console, select the Administration Server and right-click to open the context menu.
- Select All Tasks → Policies and tasks batch conversion wizard.
The Policies and Tasks Batch Conversion Wizard will start. Follow the instructions of the Wizard.
Step 1. Selecting the application for which you need to convert policies and tasks
At this step, you need to select Kaspersky Endpoint Security for Windows. Go to the next step.
Step 2. Conversion of policies
The migration wizard creates KSWS policy profiles inside a KES policy. Select the Kaspersky Security for Windows Server policies that you want to convert to policy profiles. Go to the next step.
The Migration Wizard will then begin to convert the policies. The names of new policy profiles will correspond to original KSWS policies.
Step 3. Policy migration report
The migration wizard creates a policy migration report. The policy migration report contains the date and time when the policies were converted, the name of the original KSWS policy, the name of the target KES policy, and the name of the new policy profile.
Step 4. Conversion of tasks
The Migration Wizard creates new tasks for Kaspersky Endpoint Security for Windows. In the task list, select the KSWS tasks that you want to create for Kaspersky Endpoint Security. The new tasks will be named <KSWS task name> (converted). Go to the next step.
Step 5. Wizard completion
Exit the Wizard. As a result, the wizard does the following:
- New policy profiles are added to the Kaspersky Endpoint Security policy.
The policy includes profiles with the settings of Kaspersky Security for Windows Server. The new policy has the Active status. The Wizard leaves the KSWS policies unchanged.
- Creates new Kaspersky Endpoint Security tasks.
The new tasks are copies of KSWS tasks. The Wizard leaves the KSWS tasks unchanged.
The new policy profile with KSWS settings will be named UpgradedFromKSWS <Name of the Kaspersky Security for Windows Server policy>. In profile properties, the migration wizard automatically selects the UpgradedFromKSWS
device tag as the triggering criterion. Thus the settings from the policy profile are applied to servers automatically.
Wizard for creating a policy based on a KSWS policy
When a KES policy is created based on a KSWS policy, the wizard transfers settings to the new policy accordingly. That is, one KES policy will correspond to one KSWS policy. The wizard does not convert the policy to a profile.
How to use the New Policy Wizard to migrate KSWS policy settings
- Open the Kaspersky Security Center Administration Console.
- In the Managed devices folder in the Administration Console tree, select the folder with the name of the administration group to which the relevant client computers belong.
- In the workspace, select the Policies tab.
- Click New policy.
The Policy Wizard starts.
- Follow the instructions of the Policy Wizard.
- To create a policy, select Kaspersky Endpoint Security. Go to the next step.
- At the step for entering a new name for the group policy, select the Use policy settings for an earlier version of the application check box.
- Click Browse and select the KSWS policy. Go to the next step.
- Follow the instructions of the New Policy Wizard until its completion.
When finished, the Wizard will create a new Kaspersky Endpoint Security for Windows policy with the settings from the KSWS policy.
Additional configuration of policies and tasks after migration
KSWS and KES have different sets of components and policy settings, so after migration you must verify that policy settings satisfy your corporate security requirements.
Check the following basic policy settings:
- Password protection. KSWS Password protection settings are not migrated. Kaspersky Endpoint Security has a built-in Password protection feature. If necessary, turn on Password protection and set a password.
- Trusted zone. The methods used by KSWS and KES for selecting objects differ. When migrating, KES supports exclusions defined as individual files or paths to file / folder. If KSWS has exclusions configured as a predefined area or a script URL, such exclusions are not migrated. After migration, you must add such exclusions manually.
To make sure Kaspersky Endpoint Security works correctly on servers, it is recommended to add files important for the server's functioning to the trusted zone. For SQL servers, you must add MDF and LDF database files. For Microsoft Exchange servers, you must add CHK, EDB, JRS, LOG, and JSL files. You may use masks, for example, C:\Program Files (x86)\Microsoft SQL Server\*.mdf
.
- Firewall. KSWS Firewall functions are performed by the system-level Firewall. In KES, a separate component is responsible for the Firewall functionality. After migration, you can configure the Kaspersky Endpoint Security Firewall.
- Kaspersky Security Network. Kaspersky Endpoint Security does not support configuring KSN for individual components. Kaspersky Endpoint Security uses KSN for all application components. To use KSN, you must accept the new terms and conditions of the Kaspersky Security Network Statement.
- Web Control. Blocking rules for web traffic category control are migrated to a single blocking rule in Kaspersky Endpoint Security. Kaspersky Endpoint Security ignores allowing rules for category control. Kaspersky Endpoint Security does not support all categories of Kaspersky Security for Windows Server. Categories that do not exist in Kaspersky Endpoint Security are not migrated. Therefore, web resource classification rules with unsupported categories are not migrated. If necessary, add Web Control rules.
- Proxy server. The proxy server connection password is not migrated. Enter the password to be used for connecting to the proxy server manually.
- Schedules of individual components. Kaspersky Endpoint Security does not support configuring schedules for individual components. The components are always on while Kaspersky Endpoint Security is operational.
- Set of components. The set of available Kaspersky Endpoint Security features depends on the type of operating system: workstation or server. For example, out of encryption tools, only BitLocker Drive Encryption is available on servers.
- attribute. The state of the attribute is not migrated. The attribute will have the default value. By default, almost all settings in the new policy have a prohibition applied on modifying settings in child policies and in the local application interface. The attribute has the value for policy settings in the Managed Detection and Response section and in the User support group of settings (Interface section). If necessary, configure the inheritance of settings from the parent policy.
- Working with active threats. Advanced Disinfection works differently for workstations and servers. You can configure advanced disinfection in Malware Scan task settings and in application settings.
- Upgrading the application. To install major updates and patches without restarting, you must change the application upgrade mode. By default, the Install application updates without restart feature is disabled.
- Kaspersky Endpoint Agent. Kaspersky Endpoint Security has a built-in agent for working with Detection and Response solutions. If necessary, transfer Kaspersky Endpoint Agent policy settings to the Kaspersky Endpoint Security policy.
- Update tasks. Make sure that the settings of the Update task were migrated correctly. Instead of KSWS's three tasks, KES uses a single KES task. You may optimize the Update tasks and remove superfluous tasks.
- Other tasks. Application Control, Device Control, and File Integrity Monitor components work differently in KSWS and KES. KES does not use Baseline File Integrity Monitor, Applications Launch Control Generator, Rule Generator for Device Control tasks. Therefore these tasks are not migrated. After migration, you can configure the File Integrity Monitor, Application Control, Device Control components.
Page top