KSWS to KES Migration Guide

KSWS to KES Migration Guide

Starting with version 11.8.0, Kaspersky Endpoint Security for Windows supports the basic functionality of the Kaspersky Security for Windows Server (KSWS) solution. Kaspersky Security for Windows Server protects servers running Microsoft Windows operating systems and network attached storages against viruses and other computer security threats which servers and network attached storages are exposed to while exchanging files. For detailed information about how the solution works, please refer to the Kaspersky Security for Windows Server Help. Starting with Kaspersky Endpoint Security 11.8.0, you can migrate from Kaspersky Security for Windows Server to Kaspersky Endpoint Security for Windows and use the same solution for protecting workstations and servers.

Software requirements

Before you begin the migration from KSWS to KES, make sure your server satisfies the hardware and software requirements of Kaspersky Endpoint Security for Windows. The lists of supported operating system versions are different for KES and KSWS. For example, KES does not support servers running Windows Server 2003.

Minimum software requirements for migrating from KSWS to KES:

Kaspersky Endpoint Security for Windows 12.0.
Kaspersky Security 11.0.1 for Windows Server.
If you have an earlier version of Kaspersky Security for Windows Server installed, we recommend upgrading the application to the latest version. The Policies and tasks conversion wizard does not support earlier versions of Kaspersky Security for Windows Server.
Kaspersky Security Center 14.2
If you have an earlier version of Kaspersky Security Center installed, update it to 14.2 or later. In this version of Kaspersky Security Center, the Policies and tasks batch conversion wizard lets you migrate policies into a profile rather than into a policy. In this version of Kaspersky Security Center, the Policies and tasks batch conversion wizard also lets you migrate a broader range of policy settings.
Kaspersky Endpoint Agent 3.10.
If you have an earlier version of Kaspersky Endpoint Agent installed, we recommend upgrading the application to the latest version. Kaspersky Endpoint Security supports migrating a [KSWS+KEA] configuration to [KES+built-in agent] starting with Kaspersky Endpoint Agent 3.10.

Migration recommendations

When migrating from KSWS to KES, observe the following recommendations:

Plan the KSWS to KES migration time in advance. Choose a time when servers are operating under the lightest load, for example, during the weekend.
After the migration, turn on application components gradually. That is, for example, start by enabling the File Threat Protection component alone, then enable other protection components, then enable control components, and so on. At each step, you must make sure the application is working correctly, and monitor the performance of the server. The architecture of KES differs from KSWS, therefore the operating system may also behave differently.
Carry out the migration gradually. First migrate a single server, then multiple servers, then carry out the migration on all servers of the organization.
Migrate different types of servers separately. That is, for example, first migrate database servers, then mail servers, and so on.
Migration on high-load servers involves some special considerations.

Migration steps

Migration from KSWS to KES is performed semi-automatically. This is necessary because of differing architectures of the applications. To migrate policy settings, you must run the Policies and tasks batch conversion wizard (the migration wizard). After migrating policy settings, you must manually configure settings that the migration wizard cannot migrate automatically (for example, Password protection settings). After the migration, it is also recommended to check if the migration wizard correctly migrated all settings.

Migrate from KSWS to KES in the following order:

Migrate KSWS tasks and policies
After migrating the policies and tasks, you must perform additional configuration steps. We also recommend to make sure that Kaspersky Endpoint Security provides the necessary level of security after migration from KSWS.

The Policies and tasks batch conversion wizard for Kaspersky Security for Windows Server is only available in the Administration Console (MMC). Policy and task settings cannot be migrated in the Web Console and Kaspersky Security Center Cloud Console.
Install Kaspersky Endpoint Security
You can install Kaspersky Endpoint Security in the following ways:
- Installing KES after removing KSWS (recommended).
- Installing KES on top of KSWS.
Activate KES with a KSWS key
Confirm that the application is in working order after migration
After migrating from KSWS to KES, make sure that the application is operating correctly. Check the status of the server in the console (should be OK). Make sure no errors are reported for the application, also check the time of the last connection to the Administration Server, the time of the last database update and the server protection status.

Pay special attention to the migration of exclusion lists, trusted applications, trusted web addresses, Application Control rules.

In this Help section

Correspondence of KSWS and KES components

Correspondence of KSWS and KES settings

Migrating KSWS components

Migrating KSWS tasks and policies

Migrating the KSWS trusted zone

Installing KES instead of KSWS

Migrating the [KSWS+KEA] configuration to [KES+built-in agent] configuration

Making sure Kaspersky Security for Windows Server was successfully removed

Activating KES with a KSWS key

Special considerations for migrating high-load servers

Managing the application on a server in Server Core mode

Migrating from [KSWS+KEA] to [KES+built-in agent]

Page top

Correspondence of KSWS and KES components

When migrating from KSWS to KES, the set of components is migrated only when the application is being installed locally.

Correspondence of Kaspersky Security for Windows Server and Kaspersky Endpoint Security for Windows components

Kaspersky Security for Windows Server component	Kaspersky Endpoint Security for Windows component
Basic functionality	Application kernel
Log Inspection	Log Inspection
Device Control	Device Control
Firewall Management	(not supported) KSWS Firewall functions are performed by the system-level Firewall. In KES, a separate component is responsible for the Firewall functionality. After migration, you can configure the Kaspersky Endpoint Security Firewall.
File Integrity Monitor	System Integrity Monitoring
Exploit Prevention	Exploit Prevention
System Tray Icon	(not supported) You can configure user interaction in the application interface settings.
Integration with Kaspersky Security Center	Network Agent Connector
Endpoint Agent	(not supported) In Kaspersky Endpoint Security 11.9.0 the Kaspersky Endpoint Agent distribution package is no longer part of the Kaspersky Endpoint Security distribution kit. You must download the Kaspersky Endpoint Agent distribution package separately.
Network Threat Protection	Network Threat Protection
Anti-Cryptor	Behavior Detection
Anti-Cryptor for NetApp	(not supported)
Traffic Security	Web Threat Protection Mail Threat Protection Web Control
On-Demand Scan	Application kernel
ICAP Network Storage Protection	(not supported) Kaspersky Endpoint Security does not support Network-Attached Storages Protection components. If you need these components, you can continue using Kaspersky Security for Windows Server.
RPC Network Storage Protection	(not supported) Kaspersky Endpoint Security does not support Network-Attached Storages Protection components. If you need these components, you can continue using Kaspersky Security for Windows Server.
Real-Time File Protection	File Threat Protection
Script Monitoring	(not supported) Script Monitoring is handled by other components, for example, AMSI Protection.
KSN Usage	Kaspersky Security Network
Applications Launch Control	Application Control
Performance counters	(not supported)

Page top

Correspondence of KSWS and KES settings

Expand all | Collapse all

When migrating policies and tasks, KES is configured in accordance with KSWS settings. Settings of application components that KSWS does not have are set to default values.

Application settings

Scalability, interface and scanning settings

Application settings are not supported in Kaspersky Endpoint Security for Windows.

Application settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Scalability settings	(does not migrate) Kaspersky Endpoint Security manages all work processes.
Show System Tray Icon	(does not migrate) On a client computer, the main window of Kaspersky Endpoint Security and the icon in the Windows notification area are available by default. In the context menu of the icon, the user can perform operations with Kaspersky Endpoint Security. Kaspersky Endpoint Security also displays notifications above the application icon. You can configure user interaction in the application interface settings.
Restore file attributes after scanning	(does not migrate) Kaspersky Endpoint Security automatically restores file attributes after scanning a file.
Limit CPU usage for scanning threads	(does not migrate) Kaspersky Endpoint Security does not limit CPU usage when scanning. You can configure the task to run when the computer is operating under minimum load.
Folder for temporary files created during scanning	(does not migrate) Kaspersky Endpoint Security places the temporary files in the C:\Windows\Temp folder.
HSM system settings	(does not migrate) Kaspersky Endpoint Security does not support HSM systems.

Security and reliability

KSWS security settings are migrated to the General settings section, Application settings and Interface subsections.

Application security settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Protect application processes from external threats	Enable Self-Defense (Application settings subsection)
Apply password protection	(does not migrate) Kaspersky Endpoint Security has a built-in Password protection feature (see the Interface subsection).
Perform task recovery	(does not migrate) Kaspersky Endpoint Security only automatically restores Malware Scan tasks. Kaspersky Endpoint Security runs other tasks on a schedule.
Do not start scheduled scan tasks	Postpone scheduled tasks while running on battery power (Application settings subsection)
Stop current scan tasks	(does not migrate) When the computer becomes powered by an UPS, Kaspersky Endpoint Security does not stop scan tasks that are already running.

Connection settings

Administration Server interaction settings are migrated to the General settings section, Network settings and Application settings subsections.

Administration Server interaction settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Proxy server settings	Proxy Server Settings (Network settings subsection)
Do not use proxy server for local addresses	Bypass proxy server for local addresses (Network settings subsection)
Proxy server authentication settings	Use proxy server authentication (Network settings subsection) Kaspersky Endpoint Security does not support NTLM authentication. If NTLM authentication is enabled in KSWS settings, after migration, you must configure proxy server authentication and configure a user name and a password. The proxy server authentication password is not migrated. After a policy is migrated, the password must be entered manually.
Use Kaspersky Security Center as a proxy server when activating the application	Use Kaspersky Security Center as proxy server for activation (Application settings subsection)

Run local system tasks

Kaspersky Endpoint Security ignores the settings for running local system tasks of Kaspersky Security for Windows Server. You can configure the use of local KES tasks under Local Tasks, Task management. You can also configure a schedule for running the Malware Scan and Update of databases and application modules tasks in the properties of these tasks.

Supplementary

Trusted zone

KSWS trusted zone settings are migrated to the General settings section, Exclusions subsection.

Trusted zone settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Object to scan (Exclusions)	Scan exclusions (Scan exclusions) The methods used by KSWS and KES for selecting objects differ. When migrating, KES supports exclusions defined as individual files or paths to file / folder. If KSWS has exclusions configured as a predefined area or a script URL, such exclusions are not migrated. After migration, you must add such exclusions manually. Exclusions as predefined areas must be configured in the Malware Scan task settings. Exclusions as script web addresses must be added to trusted web addresses for Web Threat Protection.
Apply also to subfolders (Exclusions)	Include subfolders (Scan exclusions)
Objects to detect (Exclusions)	Object name (Scan exclusions)
Exclusion usage scope (Exclusions)	Scan exclusions for application (Scan exclusions) If at least one component is selected in KSWS, KES applies the exclusions to all application components.
Comment (Exclusions)	Comment (Scan exclusions)
Trusted process (Trusted process)	Trusted applications Trusted process / application selection methods differ in KSWS and KES. When migrating, KES supports trusted applications configured as a path to the executable file or mask. If KSWS has trusted processes configured as a file has, such trusted processes are not migrated. After migration, you must add such trusted processes manually.
Do not check file backup operations (Trusted process)	Do not monitor application activity (Trusted applications)

Removable drives scan

Removable Drives Scan settings are migrated to the Local Tasks section, Removable Drives Scan subsection.

Removable Drives Scan settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Scan removable drives on connection via USB	Action on a removable drive connection
Scan removable drives if its stored data volume does not exceed (MB)	Maximum removable drive size
Scan with security level: Maximum protection Recommended Maximum performance	Action on a removable drive connection: Detailed Scan Quick Scan. KSWS security levels correspond to KES scan modes as follows: Maximum protection – Detailed Scan. Recommended – Quick Scan. Maximum performance – Quick Scan.

Kaspersky Security for Windows Server settings

Kaspersky Endpoint Security for Windows settings

Scan removable drives on connection via USB

Action on a removable drive connection

Scan removable drives if its stored data volume does not exceed (MB)

Maximum removable drive size

Scan with security level:

Maximum protection
Recommended
Maximum performance

Action on a removable drive connection:

Detailed Scan
Quick Scan.

KSWS security levels correspond to KES scan modes as follows:

Maximum protection – Detailed Scan.
Recommended – Quick Scan.
Maximum performance – Quick Scan.

User permissions for application management

Kaspersky Endpoint Security does not support assigning user access permissions for application management and application service management. You can configure access settings for users and user groups for managing the application in Kaspersky Security Center.

User access permissions for Kaspersky Security Service management

Storages

KSWS storage settings are migrated to General settings section, Reports and Storage subsection, and to Essential Threat Protection section, Network Threat Protection subsection.

Storage settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Backup folder	(does not migrate) Kaspersky Endpoint Security saves backup copies of files in the `C:\ProgramData\Kaspersky Lab\KES.21.18\QB` folder.
Maximum Backup size (MB)	Limit the size of Backup to N MB (General settings → Reports and Storage section)
Threshold value for space available (MB)	(does not migrate) Kaspersky Endpoint Security logs the Quarantine storage is almost out of space event when the 50 % threshold is reached.
Target folder for restoring objects	(does not migrate) Kaspersky Endpoint Security restores files to their original folder.
Quarantine folder	(does not migrate) Kaspersky Endpoint Security saves backup copies of files in the `C:\ProgramData\Kaspersky Lab\KES.21.18\QB` folder.
Maximum Quarantine size (MB)	(does not migrate) Kaspersky Endpoint Security uses Backup to store probably infected objects. During migration, Kaspersky Endpoint Security ignores Quarantine settings.
Threshold value for space available (MB)	(does not migrate) Kaspersky Endpoint Security uses Backup to store probably infected objects. During migration, Kaspersky Endpoint Security ignores Quarantine settings.
Target folder for restoring objects	(does not migrate) Kaspersky Endpoint Security restores files to their original folder.
Unblock automatically in N	Block attacking devices for N min (Essential Threat Protection → Network Threat Protection section)

Real-time server protection

Real-Time File Protection

KSWS Real-Time File Protection settings are migrated to the Essential Threat Protection section, File Threat Protection subsection.

Real-Time File Protection settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Objects protection mode: Smart mode When run On access On access and modification	Scan mode: Smart mode On execution On access On access and modification.
Deeper analysis of launching processes	(does not migrate) Kaspersky Endpoint Security supports only one analysis mode, the Optimal mode.
Heuristic analyzer: Light Medium Deep	Heuristic analysis: Light scan Medium scan Deep scan.
Apply Trusted Zone	(does not migrate) Kaspersky Endpoint Security applies the trusted zone to all components. You can configure exclusions in trusted zone settings.
Use KSN for protection	(does not migrate) Kaspersky Endpoint Security uses KSN for all application components.
Block access to network shared resources for the hosts that show malicious activity	(does not migrate) By default, Kaspersky Endpoint Security blocks access to network shared resources for hosts that show malicious activity.
Launch critical areas scan when active infection is detected	(does not migrate) Kaspersky Endpoint Security does not launch the critical areas scan task when active infection is detected.
Use Kaspersky Sandbox for protection	(does not migrate) By default, Kaspersky Endpoint Security sends objects for scanning to Kaspersky Sandbox.
Protection scope	Protection scope
Schedule settings	(does not migrate) Kaspersky Endpoint Security uses its own schedule for pausing File Threat Protection.

KSN Usage

KSWS settings for Kaspersky Security Network are migrated to the Advanced Threat Protection section, Kaspersky Security Network subsection.

Kaspersky Security Network settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
I confirm that I have fully read, understood, and accept the terms of participation in Kaspersky Security Network	Kaspersky Security Network Statement Kaspersky Endpoint Security requests consent to the Kaspersky Security Network Statement when the application is installed, a new policy is created, or Kaspersky Security Network usage is enabled.
Send data about scanned files	(does not migrate) Kaspersky Endpoint Security sends data about scanned files automatically if KSN is enabled.
Send data about requested URLs	(does not migrate) Kaspersky Endpoint Security sends data about requested URLs automatically if KSN is enabled.
Send Kaspersky Security Network statistics	Enable extended KSN mode
Accept the terms of the Kaspersky Managed Protection Statement	(does not migrate) Kaspersky Endpoint Security does not include the KMP service.
Action to perform on KSN untrusted objects	(does not migrate) You can configure the Action on threat detection in Protection component settings and Scan task settings.
Do not calculate checksum before sending to KSN if file size exceeds N MB	(does not migrate) You can configure large file scanning restrictions in Protection component settings and Scan task settings.
Use Kaspersky Security Center as KSN Proxy	Use Administration Server as a KSN proxy server
Schedule settings	(does not migrate) It is not possible to configure a separate schedule for the component. The component is always on while Kaspersky Endpoint Security is operational.

Traffic Security

KSWS Traffic Security settings are migrated to the Essential Threat Protection section, Web Threat Protection and Mail Threat Protection subsection, Security Controls section, Web Control subsection, General settings section, Network settings subsection.

Traffic Security settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Apply URL-based rules	Web Control (Web Control subsection) URL-based rules are migrated to separate rules in Kaspersky Endpoint Security.
Apply certificate-based rules	(does not migrate) Kaspersky Endpoint Security does not support certificate-based rules.
Apply rules for web traffic category control	Web Control (Web Control subsection) Blocking rules for web traffic category control are migrated to a single blocking rule in Kaspersky Endpoint Security. Kaspersky Endpoint Security ignores allowing rules for category control. The correspondence of KSWS and KES categories is listed below.
Allow access if the web page can not be categorized	(does not migrate) Kaspersky Endpoint Security allows access if the web page can not be categorized.
Allow access to legitimate web resources that can be used to damage a protected device	(does not migrate) Kaspersky Endpoint Security allow access to legitimate web resources that can be used to damage the protected device.
Allow access to legitimate advertisement	(does not migrate) You can manage access to legitimate advertisement using the Banners web resource category in Web Control settings.
Operation mode: Driver Interceptor Redirector External Proxy	(does not migrate) Kaspersky Endpoint Security supports only the Driver Interceptor mode.
ICAP-service connection settings	(does not migrate) Kaspersky Endpoint Security does not support ICAP Network Storage Protection.
Check safe connections through the HTTPS protocol	Scan encrypted connections / Always scan encrypted connections mode (Network settings subsection)
Use TLS protocol version	(does not migrate) Kaspersky Endpoint Security scans encrypted network traffic transmitted over the following protocols: SSL 3.0. TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3. You can additionally block SSL 2.0 connections in encrypted connections scan settings.
Do not trust web-servers with invalid certificate	Visiting a domain with an untrusted certificate (Network settings subsection)
Intercept ports (Interception area)	Monitored ports (Network settings subsection) During migration, KES clears the check boxes Monitor all ports for the applications from the list recommended by Kaspersky and Monitor all ports for specified applications.
Exclude ports (Interception area)	(does not migrate)
Exclude IP addresses (Interception area)	Configure trusted addresses (Network settings subsection)
Exclude processes (Interception area)	Configure trusted applications (Network settings subsection) During migration, KES configures the following settings for the trusted application: The Do not scan network traffic check box is selected. KES does not scan network traffic for any remote IP addresses and any ports. The other check boxes in the trusted application settings are cleared.
Security port	(does not migrate)
Use malicious URL database to scan web links	Check the web address against the database of malicious web addresses (Web Threat Protection subsection)
Use anti-phishing database to scan web pages	Check the web address against the database of phishing web addresses (Web Threat Protection subsection)
Use KSN for protection	(does not migrate) Kaspersky Endpoint Security uses KSN for all application components.
Use Trusted Zone	(does not migrate) Kaspersky Endpoint Security applies the trusted zone to all components. You can configure exclusions in trusted zone settings.
Use heuristic analyzer	Use Heuristic Analysis (Web Threat Protection and Mail Threat Protection subsections)
Security level	(does not migrate) Kaspersky Endpoint Security has its own security levels for Web Threat Protection and Mail Threat Protection components. By default, Kaspersky Endpoint Security sets the recommended security level.
Enable mail threat protection	Mail Threat Protection (Mail Threat Protection subsection) Connect Microsoft Outlook extension Incoming messages only (Protection scope) Scan when receiving (Email protection)
Schedule settings	(does not migrate) It is not possible to configure a separate schedule for the component. The component is always on while Kaspersky Endpoint Security is operational.

Exploit Prevention

KSWS Exploit Prevention settings are migrated to the Advanced Threat Protection section, Exploit Prevention subsection.

Exploit Prevention settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Prevent vulnerable processes exploit: Terminate on exploit Notify only	On detecting exploit: Block operation Inform.
Notify about abused processes via Terminal Service	(does not migrate) Kaspersky Endpoint Security does not support terminal services.
Prevent vulnerable processes exploit even if Kaspersky Security Service is disabled	(does not migrate) Kaspersky Endpoint Security constantly prevents vulnerable process exploits.
Protected processes	Enable system process memory protection Kaspersky Endpoint Security does not support selecting protected processes. You can only enable system processes memory protection.
Exploit prevention techniques: Apply all available exploit prevention techniques Apply selected exploit prevention techniques	(does not migrate) Kaspersky Endpoint Security applies all available exploit prevention techniques.

Kaspersky Security for Windows Server settings

Kaspersky Endpoint Security for Windows settings

Prevent vulnerable processes exploit:

Terminate on exploit
Notify only

On detecting exploit:

Block operation
Inform.

Notify about abused processes via Terminal Service

(does not migrate)

Kaspersky Endpoint Security does not support terminal services.

Prevent vulnerable processes exploit even if Kaspersky Security Service is disabled

(does not migrate)

Kaspersky Endpoint Security constantly prevents vulnerable process exploits.

Protected processes

Enable system process memory protection

Kaspersky Endpoint Security does not support selecting protected processes. You can only enable system processes memory protection.

Exploit prevention techniques:

Apply all available exploit prevention techniques
Apply selected exploit prevention techniques

(does not migrate)

Kaspersky Endpoint Security applies all available exploit prevention techniques.

Network Threat Protection

KSWS Network Threat Protection settings are migrated to the Essential Threat Protection section, Network Threat Protection subsection.

Network Threat Protection settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Operation mode: Pass-through Only inform about network attacks Block connections when attack is detected	Network Threat Protection If Pass-through mode is selected, Network Threat Protection is disabled. If Only inform about network attacks mode or Block connections when attack is detected mode is selected, Network Threat Protection is enabled. Kaspersky Endpoint Security always works in the Block connections when attack is detected mode.
Do not stop traffic analysis when the task is not running	(does not migrate) Kaspersky Endpoint Security analyses traffic continuously if the component is enabled.
Do not control excluded IP addresses	Exclusions
Schedule settings	(does not migrate) It is not possible to configure a separate schedule for the component. The component is always on while Kaspersky Endpoint Security is operational.

Script Monitoring

Kaspersky Endpoint Security does not support the Script Monitoring component. Script Monitoring is handled by other components, for example, AMSI Protection.

Website categories

Kaspersky Endpoint Security does not support all categories of Kaspersky Security for Windows Server. Categories that do not exist in Kaspersky Endpoint Security are not migrated. Therefore, web resource classification rules with unsupported categories are not migrated.

Website categories

Kaspersky Security for Windows Server categories	Kaspersky Endpoint Security for Windows categories
Wargaming	Video games
Abortion	(does not migrate)
Lotteries (extended)	Gambling, lotteries, sweepstakes
Alcohol	Alcohol, tobacco, drugs
Anonymous proxy servers	Anonymizers
Anorexia	(does not migrate)
Rentals for real estate	(does not migrate)
Audio, video and software	Software, audio, video
Banks	Banks
Blogs	Blogs
Military	Weapons, explosives, military
For children	(does not migrate)
Discrimination	Violence, intolerance
Home and family	(does not migrate)
Hosting and domain services	Internet communication
Pets and animals	(does not migrate)
Law and politics	Forbidden by regional laws
Restricted by Roskomnadzor (RF)	Forbidden by Russian Federation laws
Restricted by Federal Law 436 (RF)	Forbidden by Russian Federation laws
Restricted by RF legislation	Forbidden by Russian Federation laws
Restricted by global legislation	Forbidden by regional laws
Adult dating	Adult content
Internet services	(does not migrate)
Sex shops	Adult content
Information technologies	(does not migrate)
Casinos, card games	Gambling, lotteries, sweepstakes
Books and writing	(does not migrate)
Computer games	Video games
Health and beauty	(does not migrate)
Culture and society	(does not migrate)
LGBT	Adult content
Lotteries	Gambling, lotteries, sweepstakes
Medicine	(does not migrate)
Fashion	(does not migrate)
Music	(does not migrate)
Drugs	Alcohol, tobacco, drugs
Violence	Violence, intolerance
Discontent	(does not migrate)
Illegal drugs	Alcohol, tobacco, drugs
Hate and discrimination	Violence, intolerance
Obscene vocabulary	Profanity, obscenity
Lingerie	Adult content
News	News media
Nudism	Adult content
Education	(does not migrate)
Online shopping	Online stores
All communication media	Internet communication
Payment by credit cards	Payment systems
Online shopping (own payment system)	Online stores
Online encyclopedias	(does not migrate)
Online banking	Banks
Weapons	Weapons, explosives, military
Fishing and hunting	(does not migrate)
Payment systems	Payment systems
Job search	Job search
Search engines	(does not migrate)
Police decision (JP)	Forbidden by Police of Japan
Trusted by KPSN	(does not migrate)
Untrusted by KPSN	(does not migrate)
Porn	Adult content
Media hosting and streaming	News media
Web Mail	Web-based email
Traveling	(does not migrate)
TV and radio	News media
Teasers and ads services	Banners
Religion	Religions, religious associations
Restaurants, cafe and food	(does not migrate)
Dating sites	Dating sites
Sex education	Adult content
Social networks	Social networks
Sport	(does not migrate)
Betting	Gambling, lotteries, sweepstakes
Suicide	Violence, intolerance
Tobacco	Alcohol, tobacco, drugs
Torrents	Torrents
Mentioned in Federal list of extremists (RF)	Forbidden by Russian Federation laws
File sharing	File sharing
Pharmacy	(does not migrate)
Hobby and entertainment	(does not migrate)
Chats and forums	Chats, forums, IM
Schools and universities pages	(does not migrate)
Astrology and esoterica	(does not migrate)
Extremism and racism	Violence, intolerance
E-commerce	Online stores
Erotic	Adult content
Humor	(does not migrate)

Local activity control

Applications Launch Control

KSWS Application Control settings are migrated to the Security Controls section, Application Control subsection.

Application Control settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Operation mode: Statistics only Active	Action (Application Control): Test rules Apply rules.
Repeat action taken for the first file launch on all the subsequent launches for this file	(does not migrate) Kaspersky Endpoint Security scans the application every time it attempts to run.
Deny the command interpreters launch with no command to execute	(does not migrate) Kaspersky Endpoint Security allows running command interpreters if they are not prohibited by Application Control.
Rules	Application Control rules (supported with limitations) Kaspersky Endpoint Security 11.11.0 introduces support for migrating Applications Launch Control rules. The Applications Launch Control rule migration functionality has some limitations. By default, KSWS Applications Launch Control includes two rules: Allow scripts and MSI by OS-trusted certificate Allow executable by OS-trusted certificate If at least one source KSWS rule has the Allow type, during the migration KES creates a new allowing rule, Applications with trusted root certificates. That is, KES Application Control uses a single rule to allow running trusted scripts, MSI packages, and executable files. If both source KSWS rules have the Deny type, KES does not add rules for managing applications with trusted root certificates.
Apply rules to executable files	(does not migrate) Rule application scope cannot be configured in KES Application Control settings. KES Application Control applies rules to all types of files: executable files, scripts, and MSI packages. If all file types are included in the rule application scope in KSWS, during migration KES carries over the KSWS rules. If some file type is excluded from the rule application scope in KSWS, during migration KES also carries over KSWS rules, but Test rules is selected as the Application Control action.
Monitor loading of DLL modules	Control DLL modules load (significantly increases the load on the system)
Apply rules to scripts and MSI packages	(does not migrate) Rule application scope cannot be configured in KES Application Control settings. KES Application Control applies rules to all types of files: executable files, scripts, and MSI packages. If all file types are included in the rule application scope in KSWS, during migration KES carries over the KSWS rules. If some file type is excluded from the rule application scope in KSWS, during migration KES carries over KSWS rules, but Test rules is selected as the Application Control action.
Deny applications untrusted by KSN	(does not migrate) Kaspersky Endpoint Security does not take into account the reputation of applications and allows or denies running applications in accordance with rules.
Allow applications trusted by KSN	During the migration, KES adds a new allowing rule. The Other Software → Applications trusted according to reputation in KSN KL category is specified as the rule triggering condition.
Users and / or user groups allowed to run applications trusted by KSN	Users and their rights in an Application Control allow rule that includes the KL category Other applications → Applications trusted according to reputation in KSN
Automatically allow software distribution via applications and packages listed	Software Distribution Control in KSWS and KES works differently. During the migration, KES adds new allowing rules for applications that have automatic software distribution allowed. The file hash is specified as the rule triggering condition.
Always allow software distribution via Windows Installer	Use trusted system certificate store (Exclusions subsection) The Trusted system certificate store setting has the Trusted root certification authorities value.
Always allow software distribution via SCCM using the Background Intelligent Transfer Service	(does not migrate)
Software distribution applications and packages allowed	Software Distribution Control in KSWS and KES works differently. During the migration, KES adds new allowing rules for applications that have automatic software distribution allowed. The file hash is specified as the rule triggering condition.
Schedule settings	(does not migrate) If a schedule is configured for the component in KSWS settings, the Application Control component is enabled upon migration. If a schedule is not configured for the component in KSWS settings, Application Control is disabled upon migration. It is not possible to configure a separate schedule for the component. The component is always on while Kaspersky Endpoint Security is operational.

Device Control

KSWS Device Control settings are migrated to the Security Controls section, Device Control subsection.

Device Control settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Operation mode: Active Statistics only	(does not migrate) Application Control operates in the Active mode. Device connection statistics is continuously provided by Audit.
Allow using all external devices when the Device Control task is not running	(does not migrate) Device Control is always on while Kaspersky Endpoint Security is running.
Device Control rules	Trusted devices During migration, Kaspersky Endpoint Security ignores disabled KSWS rules.
Schedule settings	(does not migrate) Kaspersky Endpoint Security uses its own schedule for gaining access to certain device types.

Network-Attached Storages Protection

RPC Network Storage Protection

Kaspersky Endpoint Security does not support Network-Attached Storages Protection components. If you need these components, you can continue using Kaspersky Security for Windows Server.

ICAP Network Storage Protection

Kaspersky Endpoint Security does not support Network-Attached Storages Protection components. If you need these components, you can continue using Kaspersky Security for Windows Server.

Anti-Cryptor for NetApp

Kaspersky Endpoint Security does not support Anti-Cryptor for NetApp. Anti-Cryptor functionality is provided by other application components, such as Behavior Detection.

Network activity control

Firewall Management

Kaspersky Endpoint Security does not support KSWS Firewall Management. KSWS Firewall functions are performed by the system-level Firewall. After migration, you can configure the Kaspersky Endpoint Security Firewall.

Anti-Cryptor

Network Anti-Cryptor settings are migrated to the Advanced Threat Protection section, Behavior Detection subsection.

Anti-Cryptor settings

KSWS settings	KES settings
Operation mode: Statistics only Active	Upon detection of external encryption of shared folders: Inform Block connection.
Heuristic analyzer	(does not migrate) Kaspersky Endpoint Security does not use Heuristic Analysis for Behavior Detection.
Configuration of protection scope: All shared network folders on the protected device Only specified shared folders	(does not migrate) Kaspersky Endpoint Security prevents encryption of all shared network folders of the protected computer.
Exclusions	(does not migrate) Kaspersky Endpoint Security has its own exclusions for the Behavior Detection component. You can manually add exclusions after migration.
Schedule settings	(does not migrate) It is not possible to configure a separate schedule for the component. The component is always on while Kaspersky Endpoint Security is operational.

KSWS settings

KES settings

Operation mode:

Statistics only
Active

Upon detection of external encryption of shared folders:

Inform
Block connection.

Heuristic analyzer

(does not migrate)

Kaspersky Endpoint Security does not use Heuristic Analysis for Behavior Detection.

Configuration of protection scope:

All shared network folders on the protected device
Only specified shared folders

(does not migrate)

Kaspersky Endpoint Security prevents encryption of all shared network folders of the protected computer.

Exclusions

(does not migrate)

Kaspersky Endpoint Security has its own exclusions for the Behavior Detection component. You can manually add exclusions after migration.

Schedule settings

(does not migrate)

It is not possible to configure a separate schedule for the component. The component is always on while Kaspersky Endpoint Security is operational.

System Inspection

File Integrity Monitor

File Integrity Monitor settings from KSWS are migrated to the Security Controls section, System Integrity Monitoring subsection.

File Integrity Monitor settings

KSWS settings	KES settings
Log information about file operations that appear during the monitor interruption period	(does not migrate) Kaspersky Endpoint Security does not log events for file operations performed during the monitor interruption period.
Block attempts to compromise the USN log	(does not migrate) Kaspersky Endpoint Security does not block attempts to compromise the USN log.
Monitoring scope	Monitoring scope → File (supported with limitations) Disabled monitoring scope records are not migrated to KES. Kaspersky Endpoint Security adds only enabled records to the monitoring scope.
Trusted users	Trusted users and / or user groups
File operation markers	File operation markers
Calculate checksum for the file if possible	Hashing
Exclusions	Exclusions → File

Log Inspection

KSWS Log Inspection settings are migrated to the Security Controls section, Log Inspection subsection.

Log Inspection settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Apply custom rules for log inspection	(does not migrate) Kaspersky Endpoint Security applies all enabled custom rules.
Custom rules	Custom rules The A service was installed in the system (for Server 2003 OS) predefined rule is not migrated to KES.
Apply predefined rules for log inspection	(does not migrate) Kaspersky Endpoint Security applies all enabled predefined rules.
Predefined rules	Predefined rules
Password brute-force detection	Brute-force attack detection
Network logon detection	Network logon detection
Exclusions (IP addresses)	Exclusions (IP address)
Exclusions (users)	Exclusions (Users)
Schedule settings	(does not migrate) It is not possible to configure a separate schedule for the component. The component is always on while Kaspersky Endpoint Security is operational.

Logs and notifications

Task logs

KSWS Logs settings are migrated to the General settings section, Interface and Reports and Storage subsections.

Logs settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Event logging	Notifications (Interface subsection)
Logs folder	(does not migrate) Kaspersky Endpoint Security saves reports in the `C:\ProgramData\Kaspersky Lab\KES.21.18\Report` folder.
Remove task logs older than N day(s)	(does not migrate) You can configure the storage period for KES reports under General settings, Reports and Storage.
Remove from the audit log events N day(s)	(does not migrate) Kaspersky Endpoint Security applies report storage limitations to all reports including system audit reports.
Integration with SIEM	(does not migrate) You can configure SIEM integration in Kaspersky Security Center.

Event notifications

KSWS Notifications settings are migrated to the General settings section, Interface subsection.

Notifications settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Notifications	Notifications
Notify users: By using terminal service By using Windows Messenger Service command	(does not migrate) Kaspersky Endpoint Security does not support modifying notification text. Kaspersky Endpoint Security displays standard notifications.
Notify administrators: By using Windows Messenger Service command By running executable file By sending email	Only email notification settings are migrated to Kaspersky Endpoint Security – Email notification settings (Notifications block). Other methods of notifying administrators are not supported.
Application database is out of date	Send the "Databases out of date" notification if databases were not updated
Application database is extremely out of date	Send the "Databases extremely out of date" notification if databases were not updated
Critical areas scan has not been performed for a long time	(does not migrate) Kaspersky Endpoint Security generates a missed Critical Areas Scan event after three days.

Interaction with Administration Server

KSWS Administration Server interaction settings are migrated to the General settings section, Reports and Storage subsection.

Administration Server interaction settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Quarantined files	About Quarantine files
Backed up files	About files in Backup
Blocked hosts	(does not migrate) Kaspersky Endpoint Security automatically sends data about blocked hosts.

Kaspersky Security for Windows Server settings

Kaspersky Endpoint Security for Windows settings

Quarantined files

About Quarantine files

Backed up files

About files in Backup

Blocked hosts

(does not migrate)

Kaspersky Endpoint Security automatically sends data about blocked hosts.

Tasks

Activating the application

Kaspersky Endpoint Security does not support the Application activation task (KSWS). You can create a Add key task (KES), add a license key to the Installation package, or enable automatic license key distribution.

Copying Updates

The Copying Updates task settings (KSWS) are migrated to the Update of databases and application modules task (KES).

Copying Updates task settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Update source: Kaspersky Security Center Administration Server Kaspersky update servers Custom HTTP or FTP servers, or network folders	Update source: Kaspersky Security Center Kaspersky update servers Specified by user.
Use Kaspersky update servers if specified servers are not available	(does not migrate) Kaspersky Endpoint Security allows selecting multiple update sources, including Kaspersky update servers. If the first update source is not available, Kaspersky Endpoint Security lets you obtain updates from another source in the list.
Use proxy server settings to connect to Kaspersky update servers	(does not migrate) Kaspersky Endpoint Security uses the proxy server for all components. You can configure the proxy server connection in network options of the application.
Use proxy server settings to connect to other servers	(does not migrate) Kaspersky Endpoint Security uses the proxy server for all components. You can configure the proxy server connection in network options of the application.
Copying updates settings: Copy database updates Copy critical software modules updates Copy database updates and critical updates of application modules	(does not migrate) Kaspersky Endpoint Security copies database updates and critical updates of application modules as a single package.
Folder for local storage of copied updates	Copy updates to folder

Baseline File Integrity Monitor

The Baseline File Integrity Monitor task settings (KSWS) are migrated to the System Integrity Check task and to the policy section Security Controls, subsection System Integrity Monitoring.

Baseline File Integrity Monitor task settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Hash calculation algorithm: MD5. SHA256.	(does not migrate) Kaspersky Endpoint Security uses the SHA256 algorithm for checksum calculation.
Scan scope	Monitoring scope (System Integrity Monitoring subsection)

Kaspersky Security for Windows Server settings

Kaspersky Endpoint Security for Windows settings

Hash calculation algorithm:

MD5.
SHA256.

(does not migrate)

Kaspersky Endpoint Security uses the SHA256 algorithm for checksum calculation.

Scan scope

Monitoring scope (System Integrity Monitoring subsection)

Database Update

The Database Update task settings (KSWS) are migrated to the Update of databases and application modules task (KES).

Database Update task settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Update source: Kaspersky Security Center Administration Server Kaspersky update servers Custom HTTP or FTP servers, or network folders	Update source: Kaspersky Security Center Kaspersky update servers Specified by user.
Use Kaspersky update servers if specified servers are not available	(does not migrate) Kaspersky Endpoint Security allows selecting multiple update sources, including Kaspersky update servers. If the first update source is not available, Kaspersky Endpoint Security lets you obtain updates from another source in the list.
Use proxy server settings to connect to Kaspersky update servers	(does not migrate) Kaspersky Endpoint Security uses the proxy server for all components. You can configure the proxy server connection in network options of the application.
Use proxy server settings to connect to other servers	(does not migrate) Kaspersky Endpoint Security uses the proxy server for all components. You can configure the proxy server connection in network options of the application.
Lower the load on the disk I/O	(does not migrate)

Software modules updates

The Software Modules Update task settings (KSWS) are migrated to the Update of databases and application modules task (KES).

Software Modules Update task settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Update source: Kaspersky Security Center Administration Server Kaspersky update servers Custom HTTP or FTP servers, or network folders	Update source: Kaspersky Security Center Kaspersky update servers Specified by user.
Use Kaspersky update servers if specified servers are not available	(does not migrate) Kaspersky Endpoint Security allows selecting multiple update sources, including Kaspersky update servers. If the first update source is not available, Kaspersky Endpoint Security lets you obtain updates from another source in the list.
Use proxy server settings to connect to Kaspersky update servers	(does not migrate) Kaspersky Endpoint Security uses the proxy server for all components. You can configure the proxy server connection in network options of the application.
Use proxy server settings to connect to other servers	(does not migrate) Kaspersky Endpoint Security uses the proxy server for all components. You can configure the proxy server connection in network options of the application.
Copy and install critical software modules updates	Install critical and approved updates
Only check for critical software updates available	(does not migrate) Kaspersky Endpoint Security continually checks the availability of critical updates for application modules.
Allow operating system restart	(does not migrate) Kaspersky Endpoint Security prompts the user for permission to restart the computer.
Receive information about available scheduled software modules updates	(does not migrate) Kaspersky Endpoint Security displays notifications about software module updates.

Rollback of Application Database Update

The Rollback of Application Database Update task settings (KSWS) are migrated to the Update rollback task (KES). The new Update rollback task (KES) has a task start schedule – Manually.

On-Demand Scan

The On-Demand Scan task settings (KSWS) are migrated to the Malware Scan task (KES).

Virus Scan task settings

Kaspersky Security for Windows Server settings	Kaspersky Endpoint Security for Windows settings
Scan scope	Scan scope
Protection level: Maximum protection Recommended Maximum performance	Security level: High Recommended Low. Security level settings are different in KSWS and KES.
Objects to scan: All objects Objects scanned by format Objects scanned according to list of extensions specified in anti-virus database Objects scanned by specified list of extensions	File types: All files Files scanned by format Files scanned by extension. Kaspersky Endpoint Security does not allow creating custom extension lists. Kaspersky Endpoint Security replaces the Objects scanned by specified list of extensions value with the Files scanned by extension value.
Subfolders	Include subfolders
Subfiles	(does not migrate)
Scan disk boot sectors and MBR	(does not migrate)
Scan alternate NTFS streams	(does not migrate)
Scan only new and modified files	Scan only new and modified files
Scan of compound objects: All archives All SFX archives All email databases All packed objects All plain email All embedded OLE objects	Scan of compound files: Scan archives Scan password-protected archives Scan distribution packages Scan email format files Scan files in Microsoft Office formats.
Action to perform on infected and other objects: Disinfect Disinfect. Remove if disinfection fails Remove Perform recommended action Notify only	Action on threat detection: Disinfect, delete if disinfection fails Disinfect, inform if disinfection fails Inform.
Action to perform on probably infected objects: Quarantine Remove Perform recommended action Notify only	(does not migrate) Kaspersky Endpoint Security applies the action if any threat is detected.
Perform actions depending on the type of object detected	(does not migrate)
Entirely remove compound file that cannot be modified by the application in case of embedded object detection	(does not migrate)
Exclude files	(does not migrate) Kaspersky Endpoint Security applies the trusted zone to all components. You can configure exclusions in trusted zone settings.
Do not detect	(does not migrate)
Stop scanning if it takes longer than N sec	Skip files that are scanned for longer than N sec
Do not scan compound objects larger than N MB	Do not unpack large compound files
Use iSwift technology	iSwift Technology
Use iChecker technology	iChecker Technology
Action on the offline files: Do not scan Scan resident part of file only Scan entire file Only if the file has been accessed within the specified period (days) Do not copy file to a local hard drive, if possible	(does not migrate) Kaspersky Endpoint Security scans offline files in their entirety.

Application Integrity Check

The Application Integrity Control task settings (KSWS) are migrated to the Application Integrity Check task (KES).

Rule Generator for Applications Launch Control

Kaspersky Endpoint Security does not support the Applications Launch Control Generator task. You can generate rules in Application Control settings.

Rule Generator for Device Control

Kaspersky Endpoint Security does not support the Rule Generator for Device Control task. You can generate access rules in Device Control settings.

Page top

Migrating KSWS components

Prior to the local installation, Kaspersky Endpoint Security checks the computer for the presence of Kaspersky applications. If Kaspersky Security for Windows Server is installed on the computer, KES detects the set of KSWS components that are installed and selects the same components for installation.

KES components that KSWS does not have are installed as follows:

AMSI Protection, Host Intrusion Prevention, Remediation Engine are installed with default settings.
BadUSB Attack Prevention, Adaptive Anomaly Control, Data Encryption, Detection and Response components are ignored.

When installed remotely, the KES application ignores the set of installed KSWS components. The installer installs components that you select in properties of the installation package. After installing Kaspersky Endpoint Security and migrating policies and tasks, KES settings are configured in accordance with KSWS settings.

Page top

Migrating KSWS tasks and policies

You can migrate KSWS policy and task settings in the following ways:

Using the Policies and Tasks Batch Conversion Wizard (hereinafter also referred to as the Migration Wizard).
The Migration Wizard for KSWS is available only in the Administration Console (MMC). Policy and task settings cannot be migrated in the Web Console and Cloud Console.

The batch conversion wizard works differently for different versions of Kaspersky Security Center. We recommend upgrading the solution to version 14.2 or higher. In this version of Kaspersky Security Center, the Policies and tasks batch conversion wizard lets you migrate policies into a profile rather than into a policy. In this version of Kaspersky Security Center, the Policies and tasks batch conversion wizard also lets you migrate a broader range of policy settings.
Using the New Policy Wizard for Kaspersky Endpoint Security for Windows.
The New Policy Wizard lets you create a KES policy based on a KSWS policy.

KSWS policy migration procedures are different when using Migration Wizard and the New Policy Wizard.

Policies and tasks batch conversion wizard

The migration wizard transfers KSWS policy settings into the policy profile instead of KES policy settings. The policy profile is a set of policy settings that is activated on a computer if the computer satisfies the configured activation rules. The UpgradedFromKSWS device tag is selected as the triggering criterion of the policy profile. Kaspersky Security Center automatically adds the UpgradedFromKSWS tag to all computers on which you install KES on top of KSWS using the remote installation task. If you chose a different installation method, you can assign the tag to devices manually.

To add a tag to a device:

Create a new tag for servers — UpgradedFromKSWS.
For more details about creating tags for devices, refer to the Kaspersky Security Center Help.
Create a new administration group in the Kaspersky Security Center console and add servers to which you want to assign the tag to this group.
You can group servers using the selection tool. For more details about working with selections, refer to the Kaspersky Security Center Help.
Select all servers of the administration group in the Kaspersky Security Center console, open the properties of the selected servers and assign the tag.

If you are migrating multiple KSWS policies, each policy is converted to a profile within one overarching policy. If the KSWS policy already contains profiles, these profiles are also migrated as profiles. As a result you will get a single policy that includes profiles corresponding to all KSWS policies.

How to use the Policies and Tasks Batch Conversion Wizard to migrate KSWS policy settings

In the Administration Console, select the Administration Server and right-click to open the context menu.
Select All Tasks → Policies and tasks batch conversion wizard.

The Policies and Tasks Batch Conversion Wizard will start. Follow the instructions of the Wizard.

Step 1. Selecting the application for which you need to convert policies and tasks

At this step, you need to select Kaspersky Endpoint Security for Windows. Go to the next step.

Step 2. Conversion of policies

The migration wizard creates KSWS policy profiles inside a KES policy. Select the Kaspersky Security for Windows Server policies that you want to convert to policy profiles. Go to the next step.

The Migration Wizard will then begin to convert the policies. The names of new policy profiles will correspond to original KSWS policies.

Step 3. Policy migration report

The migration wizard creates a policy migration report. The policy migration report contains the date and time when the policies were converted, the name of the original KSWS policy, the name of the target KES policy, and the name of the new policy profile.

Step 4. Conversion of tasks

The Migration Wizard creates new tasks for Kaspersky Endpoint Security for Windows. In the task list, select the KSWS tasks that you want to create for Kaspersky Endpoint Security. The new tasks will be named <KSWS task name> (converted). Go to the next step.

Step 5. Wizard completion

Exit the Wizard. As a result, the wizard does the following:

New policy profiles are added to the Kaspersky Endpoint Security policy.
The policy includes profiles with the settings of Kaspersky Security for Windows Server. The new policy has the Active status. The Wizard leaves the KSWS policies unchanged.
Creates new Kaspersky Endpoint Security tasks.
The new tasks are copies of KSWS tasks. The Wizard leaves the KSWS tasks unchanged.

The new policy profile with KSWS settings will be named UpgradedFromKSWS <Name of the Kaspersky Security for Windows Server policy>. In profile properties, the migration wizard automatically selects the UpgradedFromKSWS device tag as the triggering criterion. Thus the settings from the policy profile are applied to servers automatically.

Wizard for creating a policy based on a KSWS policy

When a KES policy is created based on a KSWS policy, the wizard transfers settings to the new policy accordingly. That is, one KES policy will correspond to one KSWS policy. The wizard does not convert the policy to a profile.

How to use the New Policy Wizard to migrate KSWS policy settings

Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, select the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Click New policy.
The Policy Wizard starts.
Follow the instructions of the Policy Wizard.
To create a policy, select Kaspersky Endpoint Security. Go to the next step.
At the step for entering a new name for the group policy, select the Use policy settings for an earlier version of the application check box.
Click Browse and select the KSWS policy. Go to the next step.
Follow the instructions of the New Policy Wizard until its completion.

When finished, the Wizard will create a new Kaspersky Endpoint Security for Windows policy with the settings from the KSWS policy.

Additional configuration of policies and tasks after migration

KSWS and KES have different sets of components and policy settings, so after migration you must verify that policy settings satisfy your corporate security requirements.

Check the following basic policy settings:

Password protection. KSWS Password protection settings are not migrated. Kaspersky Endpoint Security has a built-in Password protection feature. If necessary, turn on Password protection and set a password.
Trusted zone. The methods used by KSWS and KES for selecting objects differ. When migrating, KES supports exclusions defined as individual files or paths to file / folder. If KSWS has exclusions configured as a predefined area or a script URL, such exclusions are not migrated. After migration, you must add such exclusions manually.
To make sure Kaspersky Endpoint Security works correctly on servers, it is recommended to add files important for the server's functioning to the trusted zone. For SQL servers, you must add MDF and LDF database files. For Microsoft Exchange servers, you must add CHK, EDB, JRS, LOG, and JSL files. You may use masks, for example, C:\Program Files (x86)\Microsoft SQL Server\*.mdf.

Starting with Kaspersky Endpoint Security 12.6 for Windows, scan exclusions and trusted applications are added to the trusted zone. Predefined scan exclusions and trusted applications help quickly configure Kaspersky Endpoint Security on SQL servers, Microsoft Exchange servers, and System Center Configuration Manager. This means you do not need to manually set up a trusted zone for the application on servers.
Firewall. KSWS Firewall functions are performed by the system-level Firewall. In KES, a separate component is responsible for the Firewall functionality. After migration, you can configure the Kaspersky Endpoint Security Firewall.
Kaspersky Security Network. Kaspersky Endpoint Security does not support configuring KSN for individual components. Kaspersky Endpoint Security uses KSN for all application components. To use KSN, you must accept the new terms and conditions of the Kaspersky Security Network Statement.
Web Control. Blocking rules for web traffic category control are migrated to a single blocking rule in Kaspersky Endpoint Security. Kaspersky Endpoint Security ignores allowing rules for category control. Kaspersky Endpoint Security does not support all categories of Kaspersky Security for Windows Server. Categories that do not exist in Kaspersky Endpoint Security are not migrated. Therefore, web resource classification rules with unsupported categories are not migrated. If necessary, add Web Control rules.
Proxy server. The proxy server connection password is not migrated. Enter the password to be used for connecting to the proxy server manually.
Schedules of individual components. Kaspersky Endpoint Security does not support configuring schedules for individual components. The components are always on while Kaspersky Endpoint Security is operational.
Set of components. The set of available Kaspersky Endpoint Security features depends on the type of operating system: workstation or server. For example, out of encryption tools, only BitLocker Drive Encryption is available on servers.
attribute. The state of the attribute is not migrated. The attribute will have the default value. By default, almost all settings in the new policy have a prohibition applied on modifying settings in child policies and in the local application interface. The attribute has the value for policy settings in the Managed Detection and Response section and in the User support group of settings (Interface section). If necessary, configure the inheritance of settings from the parent policy.
Working with active threats. Advanced Disinfection works differently for workstations and servers. You can configure advanced disinfection in Malware Scan task settings and in application settings.
Upgrading the application. To install major updates and patches without restarting, you must change the application upgrade mode. By default, the Install application updates without restart feature is disabled.
Kaspersky Endpoint Agent. Kaspersky Endpoint Security has a built-in agent for working with Detection and Response solutions. If necessary, transfer Kaspersky Endpoint Agent policy settings to the Kaspersky Endpoint Security policy.
Update of databases and application modules tasks. Make sure that the settings of the Update of databases and application modules task were migrated correctly. Instead of KSWS's three tasks, KES uses a single KES task. You may optimize the Update of databases and application modules tasks and remove superfluous tasks.
Other tasks. Application Control, Device Control, and File Integrity Monitor components work differently in KSWS and KES. KES does not use Baseline File Integrity Monitor, Applications Launch Control Generator, Rule Generator for Device Control tasks. Therefore these tasks are not migrated. After migration, you can configure the File Integrity Monitor, Application Control, Device Control components.

Page top

Migrating the KSWS trusted zone

A trusted zone is a system administrator-configured list of objects and applications that Kaspersky Endpoint Security does not monitor when active. You can migrate trusted zone objects from KSWS to KES using the Policies and Tasks Batch Conversion Wizard or the wizard for creating a new KES policy based on the KSWS policy. KSWS and KES have different sets of components and features, so after migration you must verify that exclusions satisfy your corporate security requirements. The methods of adding exclusions to the trusted zone are also different for KES and KSWS. The Migration Wizard does not have tools to migrate all KSWS exclusions. This means that after the migration, you must manually add some of the KSWS exclusions.

To make sure Kaspersky Endpoint Security works correctly on servers, it is recommended to add files important for the server's functioning to the trusted zone. For SQL servers, you must add MDF and LDF database files. For Microsoft Exchange servers, you must add CHK, EDB, JRS, LOG, and JSL files. You may use masks, for example, C:\Program Files (x86)\Microsoft SQL Server\*.mdf.

Starting with Kaspersky Endpoint Security 12.6 for Windows, scan exclusions and trusted applications are added to the trusted zone. Predefined scan exclusions and trusted applications help quickly configure Kaspersky Endpoint Security on SQL servers, Microsoft Exchange servers, and System Center Configuration Manager. This means you do not need to manually set up a trusted zone for the application on servers.

KES and KSWS trusted zone creation methods.

KSWS		KES
Object to scan
Predefined scope	(does not migrate)
Disk, folder or network location	→	File or folder
File	→	File or folder
Script file or web address	(does not migrate)
Detected object	→	Object name
Trusted processes	→	Trusted applications

Migration of scanned objects

KSWS exclusions that have the Object to scan method selected in their properties are migrated to KES exclusions that have the File or folder method selected in their properties, with some limitations. The migration of an exclusion depends on the object selection method:

Predefined scope – does not migrate.
After migration, you must add such exclusions manually. Exclusions as predefined areas must be configured in the Malware Scan task settings.
Disk, folder or network location – migrate to KES exclusions that have the "File or folder" method selected in properties.
File – migrate to KES exclusions that have the "File or folder" method selected in properties.
Script file or web address – does not migrate.
After migration, you must add such exclusions manually. Exclusions as script web addresses must be added to trusted web addresses for Web Threat Protection.

If the Apply also to subfolders check box is selected for the scanned object, this setting is migrated to KES exclusions (the Include subfolders check box).

A window with exclusion selection tools. The user can select file or folder, enter an object name or hash.

KES exclusion settings

loc_screen_ksws_Exclusions

KSWS exclusion settings

Migration of detected objects

KSWS exclusions that have the Detected object method selected in their properties are migrated to KES exclusions that have the Object name method selected in their properties. The name of the detected object corresponds to the classification of the Kaspersky Encyclopedia (for example, Email-Worm, Rootkit, or RemoteAdmin). Kaspersky Endpoint Security supports masks with the question mark ? (matches any single character) and the asterisk * (matches any sequence of characters).

Migration of exclusion usage scope

The usage scope of an exclusion is a set of components to which the exclusion applies. KES and KSWS have different sets of components so the Migration Wizard cannot migrate the exclusion usage scope. Therefore, if at least one component is selected in the KSWS usage scope, KES applies the exclusion to all application components.

You can configure the KSWS usage scope in trusted zone settings and also in the settings of KSWS protection components. To do so, you can select or clear the Apply Trusted Zone check box in the corresponding section of the policy. The settings of KES protection components do not include such a check box. This means the trusted zone status in individual component settings is lost upon migration. After completing the migration, select components to which the exclusion applies in trusted zone settings in the KES policy.

Migrating comments

Comments from the KSWS trusted zone are migrated to KES exclusion comments without modification.

Migrating trusted processes

KSWS trusted processes are migrated to KES trusted processes with some limitations. Migrating trusted processes depends on the object selection method:

Path to the file on the protected device – migrates to KES trusted applications.
File hash – does not migrate.

If KSWS has trusted processes configured as a file has, such trusted processes are not migrated. After migration, you must add such trusted processes manually.

If the Do not check file backup operations check box is selected in trusted process settings, this setting is migrated to KES trusted applications (the Do not monitor application activity check box).

A window with a field for entering the path to a file or folder. Masks can be used.

KES trusted application settings

loc_screen_ksws_Trusted_Process

KSWS trusted process settings

Page top

Installing KES instead of KSWS

You can install Kaspersky Endpoint Security in the following ways:

Installing KES after removing KSWS (recommended).
Installing KES on top of KSWS.

Removing Kaspersky Security for Windows Server

You can remove the application remotely using the Uninstall application remotely task or locally on the server. You may need to restart the server after removing KSWS. If you want to install Kaspersky Endpoint Security without a restart, please make sure that Kaspersky Security for Windows Server is completely removed. If the application is not completely removed, installing Kaspersky Endpoint Security may cause faulty operation of the server. Making sure that the application is completely removed is also recommended if you have used the kavremover utility. The kavremover utility does not support managing KSWS.

If Password Protection is enabled to restrict access to KSWS, enter the uninstallation password in the settings fo the KES installation package.

After removing KSWS, install Kaspersky Endpoint Security for Windows using any available method.

Installing Kaspersky Endpoint Security

When you install KES remotely, components that you have selected in installation package properties are installed on the server. We recommend selecting default components in installation package properties. A restart is not necessary when installing KES on top of KSWS.

If installing KES on top of KSWS failed, you can roll back the installation. After rolling back the installation, it is recommended to restart the server and try again.

KSWS settings and tasks are not migrated when Kaspersky Endpoint Security for Windows is installed. To migrate settings and tasks, run the Policies and tasks batch conversion wizard.

You can check the list of installed components in the Security section of the application interface, using the status command, or in the Kaspersky Security Center console in computer properties. You can change the set of components after installation by using the Change application components.

Page top

Migrating the [KSWS+KEA] configuration to [KES+built-in agent] configuration

To support using Kaspersky Endpoint Security for Windows as part of EDR (KATA), EDR Optimum, EDR Expert, Kaspersky Sandbox, and MDR, a built-in agent has been added to the application. You no longer need a separate Kaspersky Endpoint Agent application to work with these solutions.

When migrating from KSWS to KES, the EDR (KATA), EDR Optimum, EDR Expert, Kaspersky Sandbox, and MDR solutions continue to work with Kaspersky Endpoint Security. In addition, Kaspersky Endpoint Agent will be removed from the computer.

Migrating the [KSWS+KEA] configuration to [KES+built-in agent] involves the following steps:

Migrating from KSWS to KES
Migrating from KSWS to KES involves installing Kaspersky Endpoint Security instead of Kaspersky Security for Windows Server.

Administrators typically enable Password protection to restrict access to KSWS and KEA. Starting with Kaspersky Security Center Linux 15.1, you can enter the application uninstallation password in the Install application remotely task settings. The task allows entering only one uninstallation password. That is, if the same password is set for KSWS and KEA, the KSWS and KEA applications are removed successfully. If the passwords are different, removal of one of the applications fails with an access error. To complete the migration, you must disable Password Protection for the application whose password you could not enter in the settings of the Install application remotely task.

To carry out the migration, you must select the components needed to support Detection and Response solutions as part of Kaspersky Endpoint Security. After installing the application, Kaspersky Endpoint Security switches to using the built-in agent and removes Kaspersky Endpoint Agent.
Migrating the policy and tasks
Migrating [KSWS+KEA] policies and tasks to [KES+built-in agent] involves the following steps:
1. Migrating policies and tasks from KSWS to KES using the Policies and Tasks Batch Conversion Wizard (only available on the Administration Console (MMC)).
  As a result, a policy profile with the UpgradedFromKSWS <Name of the Kaspersky Security for Windows Server policy> name is added to the KES policy. New KES tasks are also created with <KSWS task name> (converted) names.
2. Migrating policies and tasks from KEA to KES using the wizard for migration from Kaspersky Endpoint Agent (only available in Web Console and Cloud Console).
  As a result, a new policy is created with the name <Name of the Kaspersky Endpoint Security policy> & <Name of the Kaspersky Endpoint Agent policy>. New tasks and KES tasks are also created.
Licensing functionality
If you use a common Kaspersky Endpoint Detection and Response Optimum or Kaspersky Optimum Security license to activate Kaspersky Endpoint Security for Windows and Kaspersky Endpoint Agent, EDR Optimum functionality will be activated automatically after upgrading the application to version 11.7.0. You do not need to do anything else.

If you use a stand-alone Kaspersky Endpoint Detection and Response Optimum Add-on license to activate EDR Optimum functionality, you must make sure that the EDR Optimum key is added to the Kaspersky Security Center repository and the automatic license key distribution functionality is enabled. After you upgrade the application to version 11.7.0, EDR Optimum functionality is activated automatically.

If you use a Kaspersky Endpoint Detection and Response Optimum or Kaspersky Optimum Security license to activate Kaspersky Endpoint Agent, and a different license to activate Kaspersky Endpoint Security for Windows, you must replace the Kaspersky Endpoint Security for Windows key with the common Kaspersky Endpoint Detection and Response Optimum or Kaspersky Optimum Security key. You can replace the key using the Add key task.

You do not need to activate Kaspersky Sandbox functionality. Kaspersky Sandbox functionality will be available immediately after upgrading and activating Kaspersky Endpoint Security for Windows.

Only the Kaspersky Anti Targeted Attack Platform license can be used to activate Kaspersky Endpoint Security as part of the Kaspersky Anti Targeted Attack Platform solution. After you upgrade the application to version 12.1, EDR (KATA) functionality is activated automatically. You do not need to do anything else.
Checking the health of Kaspersky Endpoint Detection and Response Optimum and Kaspersky Sandbox
If after the upgrade, the computer has the Critical status in the Kaspersky Security Center console:
- Make sure that the computer has Network Agent version 13.2 or higher installed.
- Check the operating status of the built-in agent by viewing the Application components status report. If a component has the Not installed status, install the component using the Change application components task.
- Make sure you accept the Kaspersky Security Network Statement in the new policy of Kaspersky Endpoint Security for Windows.
Make sure EDR Optimum functionality is activated using the Application components status report. If a component has the Not covered by license status, make sure that the automatic license key distribution functionality of EDR Optimum is turned on.

Page top

Making sure Kaspersky Security for Windows Server was successfully removed

Make sure Kaspersky Security for Windows Server is completely removed:

The %ProgramFiles%\Kaspersky Lab\Kaspersky Security for Windows Server\ folder does not exist.
The following services are not present:
- Kaspersky Security Service (KAVFS)
- Kaspersky Security Management (KAVFSGT)
- Kaspersky Security Exploit Prevention (KAVFSSLP)
- Kaspersky Security Script Checker (KAVFSSCS)
You can check running services in Task Manager or by issuing the sc query command (see figure below).
The following drivers are not present:
- klam.sys
- klflt.sys
- klramdisk.sys
- klelaml.sys
- klfltdev.sys
- klips.sys
- klids.sys
- klwtpee
You can check installed drivers in the C:\Windows\System32\drivers folder or by issuing the sc query command. If a service or driver are missing, you will get the following response:

Making sure Kaspersky Security for Windows Server services and drivers were successfully removed

If application or driver files remain on the server, delete the relevant files manually. If Kaspersky Security for Windows Server services are still running on the server, stop (sc stop) and delete (sc delete) the services manually. To stop the klam.sys driver, use the fltmc unload klam command.

Page top

Activating KES with a KSWS key

After installing the application, you can activate Kaspersky Endpoint Security for Windows (KES) using a Kaspersky Security for Windows Server (KSWS) license key. The activation process after migration depends on the KSWS activation method (see the table below).

Kaspersky Endpoint Security does not support the Kaspersky Security for Storage license. To work with this license, you need to use Kaspersky Security for Windows Server.

To activate KES with the KSWS key you can use only the activation code. If you are using a key file to activate the application, you need to contact Technical Support for a Kaspersky Endpoint Security key file.

Activating Kaspersky Endpoint Security for Windows with a Kaspersky Security for Windows Server key

Kaspersky Security for Windows Server activation method	Migrating the key to Kaspersky Endpoint Security for Windows.
Automatic distribution of the KSWS license key to computers.	If automatic key distribution is enabled in KSWS license key properties, KES is automatically activated with the KSWS key.
The KSWS key is added by a task.	If your KSWS is activated using the task, the KSWS license key is deleted during migration from KSWS. You must activate the application again. For example, you can add a license key to the Kaspersky Endpoint Security for Windows installation package.
The KSWS key is added locally in the application interface.	If your KSWS is activated locally using the Application Activation Wizard, the KSWS license key is deleted during migration from KSWS. You must activate the application again. For example, you can add a license key to the Kaspersky Endpoint Security for Windows installation package.
The KSWS key is added to the installation package.	If your KSWS is activated using the key from the installation package, the KSWS license key is deleted during migration from KSWS. You must activate the application again. For example, you can add a license key to the Kaspersky Endpoint Security for Windows installation package.
Paid virtual machine image (Amazon Machine Image – AMI) in Amazon Web Services (AWS).	If you purchased Kaspersky Security Center as a paid virtual machine image (Amazon Machine Image – AMI) in Amazon Web Services (AWS), activating KES is not required. In this case, Kaspersky Security Center uses the AWS subscription that is already added to the application.
Ready-made free-of-charge Kaspersky Security Center image with your own license (Bring Your Own License – BYOL model).	If you are using an out-of-the-box free Kaspersky Security Center image with your own license in a cloud environment (the Bring Your Own License – BYOL model), you must activate the application using any available method. You will need a Kaspersky Hybrid Cloud Security license.

Page top

Special considerations for migrating high-load servers

On high-load servers, it is important to monitor performance and avoid faults. After migration to Kaspersky Endpoint Security for Windows, we recommend temporarily disabling application components that use substantial server resources relative to other components. After you make sure that the server is performing as normal, you can turn the application components back on.

We recommend migrating high-load servers as follows:

Create a Kaspersky Endpoint Security policy with default settings.
Default settings are considered optimal. This settings are recommended by Kaspersky experts. Default settings provide recommended protection level and optimal resource use.
In policy settings, turn off the following components: Network Threat Protection, Behavior Detection, Exploit Prevention, Remediation Engine, Application Control.
If your organization has the Kaspersky Managed Detection and Response (MDR) solution deployed, upload the BLOB configuration file to the Kaspersky Endpoint Security policy.
Remove Kaspersky Security for Windows Server from the server.
Install Kaspersky Endpoint Security for Windows with the default set of components.
If your organization has Detection and Response solutions deployed, select the relevant components in the properties of the installation package.
Check the settings of the application:
- The application is activated with the KSWS license key.
- The new policy is applied. Previously selected components are disabled.
Make sure the server is working. Make sure that Kaspersky Endpoint Security for Windows is not using more than 1% of the server's resources.
If necessary, create scan exclusions, add trusted applications, create a list of trusted web addresses.
Turn on Behavior Detection, Exploit Prevention, Remediation Engine components. Make sure that Kaspersky Endpoint Security for Windows is not using more than 1% of the server's resources.
Turn on the Network Threat Protection component. Make sure that Kaspersky Endpoint Security for Windows is not using more than 2% of the server's resources.
Turn on the Application Control component in rule testing mode.
Make sure Application Control is working. If necessary, add new Application Control rules and turn off rule testing mode after confirming that Application Control is working.

After migrating from KSWS to KES, make sure that the application is operating correctly. Check the status of the server in the console (should be OK). Make sure no errors are reported for the application, also check the time of the last connection to the Administration Server, the time of the last database update and the server protection status.

Page top

Managing the application on a server in Server Core mode

A server in Server Core mode does not have a GUI. Therefore you can only manage the application remotely using the Kaspersky Security Center console or locally on the command line.

Managing the application using the Kaspersky Security Center console

Installing the application using the Kaspersky Security Center console is not different from installing it the normal way. When creating an installation package, you can add a license key to activate the application. You can use a Kaspersky Endpoint Security for Windows key or a Kaspersky Security for Windows Server key.

On a server in Server Core mode, the following application components are not available: Web Threat Protection, Mail Threat Protection, Web Control, BadUSB Attack Prevention, File Level Encryption (FLE), Kaspersky Disk Encryption (FDE).

Restart is not required when installing Kaspersky Endpoint Security. Restart is required only if you have to remove incompatible applications prior to installation. Restart may also be required when updating the application version. The application cannot display a window to prompt the user to restart the server. You can learn about the need to restart the server from reports in the Kaspersky Security Center console.

Managing the application on a server in Server Core mode is not different from managing a computer. You can use policies and tasks to configure the application.

Managing the application on a server in Server Core mode involves the following special considerations:

The server in Server Core mode does not have a GUI, therefore Kaspersky Endpoint Security does not display a warning telling the user that Advanced Disinfection is needed. To disinfect a threat, you need to enable Advanced Disinfection technology in application settings and enable immediate Advanced Disinfection in Malware Scan task settings. Then you need to start a Malware Scan task.
BitLocker Drive Encryption is only available with a Trusted Platform Module (TPM). A PIN / password cannot be used for encryption because the application is unable to display the password prompt window for preboot authentication. If the operating system has Federal Information Processing standard (FIPS) compatibility mode enabled, connect a removable drive for saving the encryption key before you begin encrypting the drive.

Managing the application from the command line

When you cannot use a GUI, you can manage Kaspersky Endpoint Security from the command line.

To install the application on a server in Server Core mode, run the following command:

setup_kes.exe /pEULA=1 /pPRIVACYPOLICY=1 /s

To activate the application, run the following command:

avp.com license /add <activation code or key file>

To check application profile statuses, run the following command:

avp.com status

To view the list of application management commands, run the following command:

avp.com help

Page top

Migrating from [KSWS+KEA] to [KES+built-in agent]

When migrating from Kaspersky Security for Windows Server (KSWS) to Kaspersky Endpoint Security (KES), you can use the follow recommendations to configure server protection and optimize performance. Here we will look at an example of migration for a single organization.

Infrastructure of the organization

The company has the following equipment installed:

Kaspersky Security Center 14.2
The administrator manages Kaspersky solutions using the Administration Console (MMC). Kaspersky Endpoint Detection and Response Optimum (EDR Optimum) is also deployed

In Kaspersky Security Center, three administration groups are created, containing servers of the organization: two administration groups for SQL servers and an administration group for Microsoft Exchange servers. Each administration group is managed by its own policy. Database Update and On-demand scan tasks are created for all servers in the organization.

The KSWS activation key is added to Kaspersky Security Center. Automatic key distribution is enabled.
SQL servers with Kaspersky Security for Windows Server 11.0.1 and Kaspersky Endpoint Agent 3.11 installed. The SQL servers are combined into two clusters.
KSWS is managed by SQL_Policy(1) and SQL_Policy(2) policies. Database Update, On-demand scan tasks are also created.
A Microsoft Exchange server with Kaspersky Security for Windows Server 11.0.1 and Kaspersky Endpoint Agent 3.11 installed.
KSWS is managed by the Exchange_Policy policy. Database Update, On-demand scan tasks are also created.

Planning the migration

The migration involves the following steps:

Migrating KSWS tasks and policies using the Policies and Tasks Batch Conversion Wizard.
Migrating the Kaspersky Endpoint Agent policy using the Policies and Tasks Batch Conversion Wizard.
Using tags to activate policy profiles in the properties of the new policy.
Installing KES instead of KSWS.
Activating EDR Optimum.
Confirming that KES is working.

The migration scenario is initially performed on one of the cluster of SQL servers. Then the migration scenario is performed on the other cluster of SQL servers. Then the migration scenario is performed on the Microsoft Exchange.

Migrating KSWS tasks and policies using the Policies and Tasks Batch Conversion Wizard

To migrate KSWS tasks, you can use the Policies and Tasks Batch Conversion Wizard (the migration wizard). As a result, instead of the SQL_Policy(1), SQL_Policy(2), and Exchange_Policy policies, you will get a single policy with three profiles for SQL and Microsoft Exchange servers respectively. The new policy profile with KSWS settings will be named UpgradedFromKSWS <Name of the Kaspersky Security for Windows Server policy>. In profile properties, the migration wizard automatically selects the UpgradedFromKSWS device tag as the triggering criterion. Thus the settings from the policy profile are applied to servers automatically.

Migrating the Kaspersky Endpoint Agent policy using the Policies and Tasks Batch Conversion Wizard

To migrate Kaspersky Endpoint Agent policies, you can use the Policies and Tasks Batch Conversion Wizard. The Policy and Task Migration Wizard for Kaspersky Endpoint Agent is only available in the Web Console.

Using tags to activate policy profiles in the properties of the new policy

Select the device tag that you assigned earlier as the profile activation condition. Open policy properties and select General rules for policy profile activation as the profile activation condition.

Installing KES instead of KSWS

Before installing KES, you must disable Password protection in KSWS policy properties.

Installing KES involves the following steps:

Prepare the installation package. In installation package properties, select the Kaspersky Endpoint Security for Windows 12.0 distribution kit and select the default set of components.
Create a Install application remotely task for one of the SQL server administration groups.
In task properties, select the installation package and the license key file.
Wait until the task successfully completes.
Repeat KES installation for remaining administration groups.

Kaspersky Security Center automatically adds the UpgradedFromKSWS tag to names of computers on the console after the KES installation is complete.

To check the KES installation, you can use the Report on protection deployment. You can also check the device status. To confirm application activation, you can use the Report on usage of license keys.

Activating EDR Optimum

You can activate EDR Optimum functionality using a stand-alone Kaspersky Endpoint Detection and Response Optimum Add-on license. You must confirm that the EDR Optimum key is added to the Kaspersky Security Center repository and the automatic license key distribution functionality is enabled.

To check EDR Optimum activation, you can use the Report on status of application components.

Confirming that KES is working

To confirm that KES is working, you can check and see that no errors are reported. The device status must be OK. Update and malware scan tasks and successfully completed.

Page top

Contents

KSWS to KES Migration Guide

Correspondence of KSWS and KES components

Correspondence of KSWS and KES settings

Migrating KSWS components

Migrating KSWS tasks and policies

Migrating the KSWS trusted zone

Installing KES instead of KSWS

Migrating the [KSWS+KEA] configuration to [KES+built-in agent] configuration

Making sure Kaspersky Security for Windows Server was successfully removed

Activating KES with a KSWS key

Special considerations for migrating high-load servers

Managing the application on a server in Server Core mode

Migrating from [KSWS+KEA] to [KES+built-in agent]