For details about support for the Microsoft Windows 10, Microsoft Windows Server 2016 and Microsoft Windows Server 2019 operating systems, please refer to the Technical Support Knowledge Base.
For details about support for the Microsoft Windows 11 and Microsoft Windows Server 2022 operating systems, please refer to the Technical Support Knowledge Base.
After being installed to an infected computer, the application does not inform the user about the need to run a computer scan. You may experience problems activating the application. To resolve these problems, start a Critical Areas Scan.
If non-ASCII characters (for example, Russian letters) are used in the setup.ini and setup.reg files, you are advised to edit the file using notepad.exe and to save the file in UTF-16LE encoding. Other encodings are not supported.
The application does not support the use of non-ASCII characters when specifying the application installation path in the installation package settings.
When application settings are imported from a CFG file, the value of the setting that defines participation in Kaspersky Security Network is not applied. After importing the settings, please read the text of the Kaspersky Security Network Statement and confirm your consent to participate in Kaspersky Security Network. You can read the text of the Statement in the application interface or in the ksn_*.txt file located in the folder containing the application distribution kit.
If you want to remove and then re-install encryption (FLE or FDE) or the Device Control component, you must restart the system before reinstallation.
When using the Microsoft Windows 10 operating system, you must restart the system after removing the File Level Encryption (FLE) component.
Installation of the application may end with an error stating An application whose name is missing or unreadable is installed on your computer. This means that incompatible applications or fragments of them remain on your computer. To remove artifacts of incompatible applications, send a request with a detailed description of the situation to Kaspersky Technical Support via Kaspersky CompanyAccount.
If you canceled removal of the application, start its recovery after the computer restarts.
The application requires Microsoft .NET Framework 4.0 or later. Microsoft .NET Framework 4.6.1 has vulnerabilities. If you are using Microsoft .NET Framework 4.6.1, you must install security updates. For details about Microsoft .NET Framework security updates, refer to the Microsoft Technical Support website.
If the application is unsuccessfully installed with the Kaspersky Endpoint Agent component selected in a server operating system and the Windows Installer Coordinator Error window appears, refer to the instructions on the Microsoft support website.
If the application was installed locally in non-interactive mode, use the provided setup.ini file to replace the installed components.
After Kaspersky Endpoint Security for Windows is installed in some configurations of Windows 7, Windows Defender continues to operate. You are advised to manually disable Windows Defender to prevent degraded system performance.
When installing Kaspersky Endpoint Security for Windows on a server with installed Kaspersky Security for Windows Server (KSWS) and Windows Defender applications, you must restart the system. A system restart is necessary even if you have enabled application installation without system restart. Windows Defender for Windows Server is included in the list of software that is incompatible with Kaspersky Endpoint Security for Windows. Before installing the application, the installer removes Windows Defender for Windows Server. Removing incompatible software makes a system restart necessary.
Before installing Kaspersky Endpoint Security for Windows (KES) on a server with Kaspersky Security for Windows Server (KSWS) installed, you must turn off KSWS Password Protection. After migrating from KSWS to KES, enable Password Protection in the application settings.
To install the application on computers running Windows 7 or Windows Server 2008 R2 with Veeam Backup & Replication software deployed, you may need to reboot your computer and run the installation again.
Migration from Kaspersky Small Office Security (KSOS) to Kaspersky Endpoint Security (KES) with Password Protection enabled is available starting with KSOS build 21.16.*.*. To migrate earlier versions of KSOS, you must disable Password Protection or manually remove KSOS. Migration from KSOS to KES with disabled Password Protection is performed correctly.
Starting from 11.0.0 application version, you can install Kaspersky Endpoint Security for Windows MMC plugin on top of the previous plugin version. To return to a previous plugin version, delete the current plugin and install a previous version of the plugin.
When upgrading Kaspersky Endpoint Security 11.0.0 or 11.0.1 for Windows, the local task schedule settings for the Update of databases and application modules, Critical Areas Scan, Custom Scan and Application Integrity Check tasks are not saved.
On computers running Windows 10 version 1903 and 1909, upgrades from Kaspersky Endpoint Security 10 for Windows Service Pack 2 Maintenance Release 3 (build 10.3.3.275), Service Pack 2 Maintenance Release 4 (build 10.3.3.304), 11.0.0 and 11.0.1 with the File Level Encryption (FLE) component installed may end with an error. This is because file encryption is not supported for these versions of Kaspersky Endpoint Security for Windows in Windows 10 version 1903 and 1909. Prior to installing this upgrade, you are advised to remove the file encryption component.
The application requires Microsoft .NET Framework 4.0 or later. Microsoft .NET Framework 4.6.1 has vulnerabilities. If you are using Microsoft .NET Framework 4.6.1, you must install security updates. For details about Microsoft .NET Framework security updates, refer to the Microsoft Technical Support website.
When upgrading Kaspersky Endpoint Security, the application disables the use of KSN until the Kaspersky Security Network Statement is accepted. In addition, the computer status can be changed to Critical in Kaspersky Security Center; the event KSN servers unavailable is received. If you use Kaspersky Managed Detection and Response, you will receive events about violations in the operation of the solution. The use of KSN is required for the operation of Kaspersky Managed Detection and Response. Kaspersky Endpoint Security enables the use of KSN after applying the policy in which the administrator accepts the KSN terms of use. Once the Kaspersky Security Network Statement is accepted, Kaspersky Endpoint Security resumes its operation.
After upgrading Kaspersky Endpoint Security to version 11.10.0 or later without a restart, the computer will have two Kaspersky Endpoint Security applications installed. Do not manually remove the previous version of the application. The previous version will be removed automatically when the computer is restarted.
After upgrading Kaspersky Endpoint Security on a computer running Microsoft Windows 11, the file context menu may display items for both previous and new application versions. Restart your computer twice to ensure the correct operation of the file context menu.
If the application's Self-Defense is turned off and all network adapters are stopped, the network components of the application will not work between the end of the application upgrade and the restart of the computer. The network components of the application include Web Threat Protection, Mail Threat Protection, Network Threat Protection, Firewall, Host Intrusion Prevention, and Web Control. Restart the computer for the application to work correctly.
The BadUSB Attack Prevention component does not work between the end of the application upgrade and the restart of the computer. Restart the computer for the application to work correctly.
It is not possible to upgrade the application if you skipped restarting the computer after the previous upgrade. Restart the computer for the application to work correctly.
After the application is upgraded from versions earlier than Kaspersky Endpoint Security 11 for Windows, the computer must be restarted.
On servers with data deduplication enabled, you need to add the fsdmhost.exe file to the list of trusted applications. This helps optimize the performance of the application and prevent excessive load on the CPU.
The ReFS file system is supported with limitations:
Kaspersky Endpoint Security may process threat disinfection events incorrectly. For example, if the application has deleted a malicious file, the report might have an Object not processed entry. At the same time, Kaspersky Endpoint Security disinfects threats in accordance with application settings. Kaspersky Endpoint Security can also create a duplicate of the Object will be disinfected on restart event for the same object.
File Threat Protection may skip some threats. At the same time, Malware Scan works correctly.
After the Malware Scan task is started, the exclusions added with iChecker are reset when the server is rebooted.
The iSwift technology is not supported. Kaspersky Endpoint Security does not consider scan exclusions added using the iSwift technology.
Kaspersky Endpoint Security does not detect eicar.com and susp-eicar.com files if meicar.exe file existed on the computer before Kaspersky Endpoint Security was installed.
Kaspersky Endpoint Security may incorrectly display threat disinfection notifications. For example, the application may display a threat notification for a previously disinfected threat.
File Level Encryption (FLE) and Kaspersky Disk Encryption (FDE) technologies are not supported on server platforms. At the same time, Kaspersky Endpoint Security may incorrectly process data encryption events.
In server operating systems, no warning is displayed regarding the need for advanced disinfection.
Microsoft Windows Server 2008 was excluded from support. - Installing the application on a computer running the Microsoft Windows Server 2008 operating system is not supported.
Kaspersky Endpoint Security installed on a server with Microsoft Data Protection Manager (DPM) deployed can cause DPM to malfunction. It is related to limitations in DPM operation. To eliminate malfunctions, you should add local server drives to exclusions for File Threat Protection component and Malware Scan tasks.
The Server Core mode is supported with limitations:
The local graphical user interface is not available, including notifications, pop-up notifications, and other interface controls. The application cannot display prompt windows, including the following windows:
Application version and module upgrade confirmation prompt;
Computer restart prompt;
Prompt for proxy server authentication credentials.
Prompt for gaining access to a device (Device Control).
The following components are not available: Web Threat Protection, Mail Threat Protection, Web Control, BadUSB Attack Prevention.
Anti-Bridging is not available.
You can only accept the Kaspersky Security Network Statement in the application policy in the Kaspersky Security Center console.
BitLocker Drive Encryption is only available with a Trusted Platform Module (TPM). A PIN / password cannot be used for encryption because the application is unable to display the password prompt window for preboot authentication. If the operating system has Federal Information Processing standard (FIPS) compatibility mode enabled, connect a removable drive for saving the encryption key before you begin encrypting the drive.
Full disk encryption (FDE) on Hyper-V virtual machines is not supported.
Full disk encryption (FDE) on Citrix virtual platforms is not supported.
Windows 10 Enterprise multi-session is supported with limitations:
Kaspersky Endpoint Security disinfects active threats without notifying the user, just like when disinfecting active threats on servers. Because the operating system continues to run in multi-session mode, other active users may lose their data if the threat is not immediately resolved.
Full disk encryption (FDE) is not supported.
Managing BitLocker is not supported.
Using Kaspersky Endpoint Security with removable drives is not supported. The Microsoft Azure infrastructure defines removable drives as network drives.
Installation and use of file level encryption (FLE) on Citrix virtual platforms is not supported.
To support compatibility of Kaspersky Endpoint Security for Windows with Citrix PVS, perform installation with the Ensure compatibility with Citrix PVSoption enabled. This option can be enabled in the Setup Wizard or by using the command line parameter/pCITRIXCOMPATIBILITY=1. In case of remote installation, the KUD file must be edited by adding the following parameter to it: /pCITRIXCOMPATIBILITY=1.
Citrix XenDesktop. Before starting cloning, you must disable Self-Defense to clone virtual machines that use vDisk.
When preparing a template machine for the Citrix XenDesktop master image with pre-installed Kaspersky Endpoint Security for Windows and Kaspersky Security Center Network Agent, add the following types of exclusions to the configuration file:
In some cases, an attempt to safely disconnect a removable drive may be unsuccessful on a virtual machine that is deployed on a VMware ESXi hypervisor. Attempt to safely disconnect the device once again.
In Kaspersky Security Center Web Console version 14.1 and earlier, the names of functional areas for Log Inspection and File Integrity Monitor components are not correctly displayed in the user access permissions settings section of Administration Server properties.
After repairing the application, the protection of the computer's connection to the Administration Server is disabled. After repairing the application, run the Administration Server connection protection task again.
In Kaspersky Security Center Linux 15.1, you can run tasks at intervals of several weeks (the By days of week schedule). Kaspersky Endpoint Security does not support running tasks at multiple-weeks intervals. If you have a task scheduled to run at an interval of several weeks for Kaspersky Endpoint Security, the application runs the task every week at the specified day and hour.
If the Error receiving data system message is displayed, verify that the computer on which you are performing activation has network access, or configure the activation settings via Kaspersky Security Center Activation Proxy.
The application cannot be activated by subscription via the Kaspersky Security Center if the license has expired or if a trial license is active on the computer. To replace a trial license or a soon-to-be expired license with a subscription license, use the license distribution task.
In the application interface, the license expiration date is displayed in the local time of the computer.
Installation of the application with an embedded key file on a computer that has unstable Internet access may result in the temporary display of events stating that the application is not activated or that the license does not permit component operation. This is caused by the fact that during the installation process the application first activates the embedded trial license. It requires internet access.
During the trial period, installation of any application upgrade or patch on a computer that has unstable Internet access may result in the temporary display of events stating that the application is not activated. This is caused by the fact that during the update installation process the application first activates the embedded trial license. It requires internet access.
If the trial license was automatically activated during application installation and then the application was removed without saving the license information, the application will not be automatically activated with the trial license when re-installed. In this case, manually activate the application.
If you are using Kaspersky Security Center version 11 and Kaspersky Endpoint Security version 12.7, component performance reports may work incorrectly. If you installed Kaspersky Endpoint Security components that are not included in your license, Network Agent may send component status errors to the Windows Event Log. To avoid errors, remove the components that are not included in your license.
Kaspersky Endpoint Security does not support the 64-bit version of MS Outlook email client. This means that Kaspersky Endpoint Security does not scan MS Outlook files (PST and OST files) if a 64-bit version of MS Outlook is installed on the computer, even if mail is included in the scan scope.
It is not possible to restore files residing on network drives or on rewritable CD/DVD discs.
It is not possible to restore files that were encrypted with the Encryption File System (EFS). For more details on EFS operation, please visit the Microsoft website.
The application does not monitor modifications to files performed by processes at the level of the operating system kernel.
The application does not monitor modifications made to files over a network interface (for example, if a file is stored in a shared folder and a process is started remotely from another computer).
Filtration of packets or connections by local address, physical interface, and packet time to live (TTL) is supported in the following cases:
By local address for outbound packets or connections in application rules for TCP and UDP and packet rules.
By local address for inbound packets or connections (except UDP) in block application rules and packet rules.
By packet time to live (TTL) in block packet rules for inbound or outbound packets.
By network interface for inbound and outbound packets or connections in packet rules.
In application versions 11.0.0 and 11.0.1, defined MAC addresses are incorrectly applied. The MAC address settings for versions 11.0.0, 11.0.1 and 11.1.0 or later are not compatible. After upgrading the application or plug-in from these versions to version 11.1.0 or later, you must verify and reconfigure the defined MAC addresses in Firewall rules.
When upgrading the application from versions 11.1.1 and 11.2.0 to version 12.7, the statuses of permissions for the following Firewall rules are not migrated:
Requests to DNS server over TCP.
Requests to DNS server over UDP.
Any network activity.
ICMP Destination Unreachable incoming responses.
Incoming ICMP stream.
If you configured a network adapter or packet time to live (TTL) for an allowing packet rule, the priority of this rule is lower than a blocking application rule. In other words, if network activity is blocked for an application (for example, the application is in the High Restricted trust group), you cannot allow network activity of the application by using a packet rule with these settings. In all other cases, the priority of a packet rule is higher than an application network rule.
When importing Firewall packet rules, Kaspersky Endpoint Security may modify rule names. The application determines rules with identical sets of general parameters: protocol, direction, remote and local ports, packet time-to-live (TTL). If this set of general parameters is identical for multiple rules, the application assigns the same name to those rules or appends a parameter tag to the name. In this way, Kaspersky Endpoint Security imports all packet rules, but the name of rules that have identical general settings can be modified.
If you have enabled application event reporting in a network rule, on moving the application to a different trust group, the restrictions of this trust group will not be applied. Thus, if the application is in the Trusted trust group, it will have no network restrictions. Then you enabled event reporting for this application and moved it to the Untrusted trust group. Firewall will not enforce network restrictions for this application. We recommend that you first move the application to the appropriate trust group and then enable event reporting. If this method is not suitable, you can manually configure restrictions for the application in the network rule settings. The restriction applies only to the local interface of the application. Moving the application between trust groups in the policy works correctly.
The Firewall and Intrusion Prevention components have common settings: application rights and protected resources. If you change these settings for Firewall, Kaspersky Endpoint Security automatically applies the new settings to Intrusion Prevention. If, for example, you have allowed changes to the general settings of the Firewall policy (the padlock is open), the Intrusion Prevention settings will also become editable.
When a network packet rule is triggered in Kaspersky Endpoint Security 11.6.0 or earlier, the Application name column in the Firewall report will always display the Kaspersky Endpoint Security value. In addition, the Firewall will block the connection at packet level for all applications. This behavior has been modified for Kaspersky Endpoint Security 11.7.0 or later. The Rule type column has been added to the Firewall report. When a network packet rule is triggered, the value in the Application name column remains empty.
Kaspersky Endpoint Security resets the timeout of USB device lock when the computer is locked (for example, screen lock timeout elapsed). That is, if you enter a wrong USB device authorization code multiple times and the application locks the USB device, Kaspersky Endpoint Security allows you to repeat the authorization attempt after unlocking the computer. In this case, Kaspersky Endpoint Security does not lock the USB device for a time specified in BadUSB Attack Prevention component settings.
Kaspersky Endpoint Security resets the USB device lock timeout when computer protection is paused. That is, if you enter a wrong USB device authorization code multiple times and the application locks the USB device, Kaspersky Endpoint Security allows you to repeat the authorization attempt after resuming computer protection. In this case, Kaspersky Endpoint Security does not lock the USB device for a time specified in BadUSB Attack Prevention component settings.
Only ZIP format archives are supported when working with Application Control rules in Kaspersky Security Center Web Console. Archives in other formats, such as RAR or 7z, are not supported. There is no such restriction if you work with Application Control rules in the Administration Console (MMC).
When working with Application Control rules in Kaspersky Security Center Web Console, the maximum supported size of an uploaded file is 104 MB. There is no such restriction if you work with Application Control rules in the Administration Console (MMC).
When working in Microsoft Windows 10 in application denylist mode, block rules may be incorrectly applied, which could cause blocking of applications that are not specified in rules.
When progressive web apps (PWA) are blocked by the Application Control component, appManifest.xml is indicated as the blocked app in the report.
When adding the standard Notepad application to an Application Control rule for Windows 11, it is not recommended to specify the path to the application. On computers running Windows 11, the operating system uses Metro Notepad located in the folder C:\Program Files\WindowsApps\Microsoft.WindowsNotepad*\Notepad\Notepad.exe. In previous versions of the operating system, Notepad is located in the following folders:
C:\Windows\notepad.exe
C:\Windows\System32\notepad.exe
C:\Windows\SysWOW64\notepad.exe
When adding Notepad to an Application Control rule, you can specify the application name and the file hash from the properties of the running application, for example.
When migrating the KSWS policy to the KES policy profile, the Policies and tasks batch conversion wizard (Migration Wizard) renames application categories if category names contain forbidden characters: '*<>?\:|. The Migration Wizard replaces these characters with _ characters. For example, the KSWS::\Everyone:[C61F-3B7C-4D89-96A1] application category is renamed to KSWS_Everyone_[C61F-3B7C-4D89-96A1].
Kaspersky Endpoint Security can log external device connection and disconnection events. Windows services use the system user account to connect or disconnect devices. This makes it impossible to know which user is connecting or disconnecting the device. Kaspersky Endpoint Security specifies the SYSTEM user account in the event.
Access to Printer devices that were added to the trusted list is blocked by device and bus blocking rules.
For MTP devices, control of Read, Write, and Connect operations is supported if you are using the built-in Microsoft drivers of the operating system. If a user installs a custom driver for working with a device (for example, as part of iTunes or Android Debug Bridge), control of Read and Write operations may not work.
When working with MTP devices, access rules are changed after reconnecting the device.
The Device Control component registers events related to monitored devices, such as connection and disconnection of a device, reading a file from a device, writing a file to a device, and other events. Kaspersky Endpoint Security registers disconnection events only for the following device types: Portable devices (MTP), Removable drives, Floppy disks, CD/DVD drives. For other device types, the application does not register disconnection events. The application registers the operation of connecting a device to a computer for all device types.
If you are adding a device to the trusted list based on a model mask and use characters that are included in the ID but not in the model name, these devices are not added. On a workstation, these devices will be added to the trusted list based on an ID mask.
When the application is upgraded without computer restart, Device Control does not apply access rules to devices that are reconnected. However, if the device was connected before the upgrade, Device Control applies the rules correctly. Restart the computer for the application to work correctly with devices that are reconnected.
On computers with Kaspersky Endpoint Security version 12.0 installed, the Allow and do not log printer access mode for the Network printers device type is called Depends on connection bus, if Kaspersky Endpoint Security version 12.1 policy is applied on the computer. In these modes the application performs the same actions. In Kaspersky Endpoint Security version 12.1, the access mode for network printers is correctly named Allow and do not log.
Starting with Kaspersky Endpoint Security 12.0 for Windows, the application allows configuring printing rules for printers (printing control). After installing the application with printing control or upgrading the application to a version with printing control, you must restart the computer. Until the computer is restarted, Kaspersky Endpoint Security does not apply printing rules and can only control access to printers. If restarting the computer adversely affects workflows in your organization, you can restart just the spoolsv service (Print Spooler).
Starting with Kaspersky Endpoint Security 12.0 for Windows, the WPA3 protocol is supported by the application for Wi-Fi type devices. If a Kaspersky Endpoint Security version 12.2 policy is applied on a computer, the WPA2 protocol is selected on computers with Kaspersky Endpoint Security version 11.11.0 and earlier; WPA2 / WPA3 is selected for versions 12.0 to 12.1; WPA3 is selected for versions 12.2 and later.
Apple devices are classified as portable devices (MTP) and iTunes devices. The operating system can incorrectly identify the connection of the Apple device and not determine the Apple device as a portable device (MTP). Therefore the Apple device will be unavailable in the file manager, but accessible in the iTunes application. As a result, Kaspersky Endpoint Security will control access to the Apple device in the iTunes application only. To access your Apple device as a portable device (MTP), you need to go to Device Manager and remove the Apple Mobile Device USB Driver from the USB Controllers list. After computer restart, the operating system will identify the Apple device as a portable device (MTP) and iTunes device. Kaspersky Endpoint Security will control access to the device both in the iTunes application and in the file manager.
In Kaspersky Endpoint Security 12.3 for Windows, access settings are different for the Bluetooth device type. If you specified the Depends on connection bus value in the previous version of the application, then after upgrading the application to version 12.3, the configured value changes to Allow and do not log. This does not alter the behavior of the device.
Device Control supports Bluetooth devices only through the Microsoft Windows Bluetooth stack. Device Control may function incorrectly with third-party Bluetooth stacks.
If the Bluetooth device hides or spoofs its Class of Device (COD), Device Control may function incorrectly.
On Windows 7 or Windows 8 computers with certain Realtek Bluetooth dongle drivers, it may not be possible to only allow connecting Bluetooth devices as input devices (HID class). That is, if you prohibit access to Bluetooth devices in application settings and add input devices to exclusions, Device Control may prevent access to all Bluetooth devices instead.
It is recommended to create exclusions automatically based on the event. When manually adding an exclusion, add the * character to the beginning of the path when specifying the target object.
After installing the application, you must restart the operating system for hard drive encryption to work properly.
The Authentication Agent does not support hieroglyphics or the special characters | and \.
For optimal computer performance after encryption, it is required that the processor supports AES-NI instruction set (Intel Advanced Encryption Standard New Instructions). If the processor does not support AES-NI, computer performance might decrease.
When there are processes that attempt to access encrypted devices before the application has granted access to such devices, the application shows a warning stating that such processes must be terminated. If the processes cannot be terminated, re-connect the encrypted devices.
The unique IDs of hard drives are displayed in the device encryption statistics in inverted format.
It is not recommended to format devices while they are being encrypted.
When multiple removable drives are simultaneously connected to a computer, the encryption policy can be applied to only one removable drive. When the removable devices are reconnected, the encryption policy is applied correctly.
Encryption may fail to start on a heavily fragmented hard drive. Defragment the hard drive.
When hard drives are encrypted, hibernation is blocked from the time when the encryption task starts until the first restart of a computer running Microsoft Windows 7/8/8.1/10, and after installation of hard drive encryption until the first restart of Microsoft Windows 8/8.1/10 operating systems. When hard drives are decrypted, hibernation is blocked from the time when the boot drive is fully decrypted until the first restart of the operating system. When the Quick Start option is enabled in Microsoft Windows 8/8.1/10, blocking of hibernation prevents you from shutting down the operating system.
Windows 7 computers don't allow to change password during recovery when the disk is encrypted with BitLocker technology. After the recovery key is entered and the operating system is loaded, Kaspersky Endpoint Security won't prompt the user to change the password or PIN code. Thus, it is impossible to set a new password or a PIN code. This issue stems from the peculiarities of the operating system. To continue, you need to re-encrypt the hard drive.
It is not recommended to use the xbootmgr.exe tool with additional providers enabled. For example, Dispatcher, Network, or Drivers.
Formatting an encrypted removable drive is not supported on a computer that has Kaspersky Endpoint Security for Windows installed.
Formatting an encrypted removable drive with the FAT32 file system is not supported (the drive is displayed as encrypted). To format a drive, reformat it to the NTFS file system.
For details on restoring an operating system from a backup copy to an encrypted GPT device, visit the Technical Support Knowledge Base.
Multiple download agents cannot co-exist on one encrypted computer.
It is impossible to access a removable drive that was previously encrypted on a different computer when all of the following conditions are simultaneously met:
There is no connection to the Kaspersky Security Center server.
The user is attempting authorization with a new token or password.
If a similar situation occurs, restart the computer. After the computer has been restarted, access to the encrypted removable drive will be granted.
Discovery of USB devices by the Authentication Agent may not be supported when xHCI mode for USB is enabled in BIOS settings.
Kaspersky Disk Encryption (FDE) for the SSD part of a device that is used for caching the most frequently used data is not supported for SSHD devices.
Encryption of hard drives in 32-bit Microsoft Windows 8/8.1/10 operating systems running in UEFI mode is not supported.
Restart the computer before encrypting a decrypted hard drive again.
Hard drive encryption is not compatible with Kaspersky Anti-Virus for UEFI. It is not recommended to use hard drive encryption on computers that have Kaspersky Anti-Virus for UEFI installed.
Automatic creation of Authentication Agent accounts is not supported if the option to create accounts for users who log in to the system in the last N days is selected.
If the name of an Authentication Agent account has the format <domain>/<Windows account name>, after changing the computer name you need to also change the names of accounts that were created for local users of this computer. For example, imagine that there is a local user Ivanov on the Ivanov computer, and an Authentication Agent account with the name Ivanov/Ivanov has been created for this user. If the computer name Ivanov has been changed to Ivanov-PC, you need to change the name of the Authentication Agent account for the user Ivanov from Ivanov/Ivanov to Ivanov-PC/Ivanov. You can change the account name using the local account management task of the Authentication Agent. Before the name of the account has been changed, authentication in the preboot environment is possible using the old name (for example, Ivanov/Ivanov).
If a user is allowed to access a computer that was encrypted using Kaspersky Disk Encryption technology only by using a token and this user needs to complete the access recovery procedure, make sure that this user is granted password-based access to this computer after access to the encrypted computer has been restored. The password that the user set when restoring access might not be saved. In this case, the user will have to complete the procedure for restoring access to the encrypted computer again the next time the computer is restarted.
When decrypting a hard drive using the FDE Recovery Tool, the decryption process may end with an error if data on the source device is overwritten with the decrypted data. Part of the data on the hard drive will remain encrypted. It is recommended to choose the option to save decrypted data to a file in the device decryption settings when using the FDE Recovery Tool.
If the Authentication Agent password has been changed, a message containing the text Your password has been changed successfully. Click OK appears and the user restarts the computer, the new password is not saved. The old password must be used for subsequent authentication in the preboot environment.
Disk encryption is incompatible with Intel Rapid Start technology.
Disk encryption is incompatible with ExpressCache technology.
In some cases, when attempting to decrypt an encrypted drive using the FDE Recovery Tool, the tool mistakenly detects the device status as "unencrypted" after the "Request-Response" procedure is completed. The tool's log shows an event stating that the device was successfully decrypted. In this case, you must restart the data recovery procedure to decrypt the device.
After the Kaspersky Endpoint Security for Windows plug-in is updated in the Web Console, the client computer properties do not show the BitLocker recovery key until the Web Console service is restarted.
To see the other limitations of full disk encryption support and a list of devices for which encryption of hard drives is supported with restrictions, please refer to the Technical Support Knowledge Base.
File and folder encryption is not supported in operating systems of the Microsoft Windows Embedded family.
Once you have installed the application, you must restart the operating system for file and folder encryption to work properly.
The application supports file encryption only on devices with NTFS and FAT32 file systems. If an encrypted file is transferred to a device with an unsupported file system (for example, exFAT), the file on that device will not be encrypted and will be available for modification.
If an encrypted file is stored on a computer that has available encryption functionality and you access the file from a computer where encryption is not available, direct access to this file will be provided. An encrypted file that is stored in a network folder on a computer that has available encryption functionality is copied in decrypted form to a computer that does not have available encryption functionality.
You are advised to decrypt files that were encrypted with Encrypting File System before encrypting files with Kaspersky Endpoint Security for Windows.
After a file is encrypted, its size increases by 4 KB.
After a file is encrypted, the Archive attribute is set in the file properties.
If an unpacked file from an encrypted archive has the same name as an already existing file on your computer, the latter will be overwritten by the new file that is unpacked from an encrypted archive. The user is not notified about the overwrite operation.
Before you unpack an encrypted archive, make sure you have enough free disk space to accommodate the unpacked files. If you do not have enough disk space, the archive unpacking may be completed but the files may be corrupted. In this case, it is possible that Kaspersky Endpoint Security does not display any error messages.
The Portable File Manager interface does not display messages about errors that occur during its operation.
Kaspersky Endpoint Security for Windows does not start the Portable File Manager on a computer that has the File Level Encryption component installed.
You cannot use the Portable File Manager to access a removable drive if the following conditions are true simultaneously:
There is no connection to Kaspersky Security Center;
Kaspersky Endpoint Security for Windows is installed on the computer;
Data encryption (FDE or FLE) was not performed on the computer.
Access is impossible even if you know the password of the Portable File Manager.
When file encryption is used, the application is incompatible with the Sylpheed mail client.
Kaspersky Endpoint Security for Windows does not support the rules of restriction of access to encrypted files for some applications. This is due to the fact that some file operations are performed by a third-party application. For example, file copying is performed by the file manager, not by the application itself. In this way, if access to encrypted files is denied to the Outlook mail client, Kaspersky Endpoint Security will allow the mail client to access the encrypted file, if the user has copied files to the email message via the clipboard or using the drag-and-drop function. The copy operation was performed by a file manager, for which the rules of restriction of access to encrypted files are not specified, i.e. the access is allowed.
When removable drives are encrypted with portable mode support, password age control cannot be disabled.
Changing the page file settings is not supported. The operating system uses the default values instead of the specified parameter values.
Use safe removal when working with encrypted removable drives. We cannot guarantee data integrity if the removable drive is not safely removed.
After files are encrypted, their non-encrypted originals are securely deleted.
Synchronization of offline files using Client-Side Caching (CSC) is not supported. It is recommended to prohibit offline management of shared resources at the group policy level. Files that are in offline mode can be edited. After synchronization, changes made to an offline file may be lost. For details regarding support for Client-Side Caching (CSC) when using encryption, please refer to the Technical Support Knowledge Base.
You may experience problems when accessing encrypted files over the network. You are advised to move the files to a different source or make sure that the computer being used as a file server is managed by the same Kaspersky Security Center Administration Server.
Changing the keyboard layout may cause the password entry window for an encrypted self-extracting archive to hang. To solve this problem, close the password entry window, switch the keyboard layout in your operating system, and re-enter the password for the encrypted archive.
When file encryption is used on systems that have multiple partitions on one disk, you are advised to use the option that automatically determines the size of the pagefile.sys file. After the computer restarts, the pagefile.sys file may move between disk partitions.
After applying file encryption rules, including files in the My Documents folder, make sure that users for whom encryption has been applied can successfully access encrypted files. To do so, have each user sign in to the system when a connection to Kaspersky Security Center is available. If a user attempts to access encrypted files without a connection to Kaspersky Security Center, the system may hang.
If system files are somehow included in the scope of file level encryption, events regarding errors when encrypting these files may appear in reports. The files specified in these events are not actually encrypted.
Pico processes are not supported.
Case-sensitive paths are not supported. When encryption rules or decryption rules are applied, the paths in product events are displayed in lowercase.
It is not recommended to encrypt files that are used by the system on startup. If these files are encrypted, an attempt to access encrypted files without a connection to Kaspersky Security Center may cause the system to hang or result in prompts for access to unencrypted files.
If users jointly work with a file over the network under FLE rules via applications that use the file-to-memory mapping method (such as WordPad or FAR) and applications designed for working with large files (such as Notepad ++ ), the file in unencrypted form may be blocked indefinitely without the capability to access it from the computer on which it resides.
Kaspersky Endpoint Security does not encrypt files that are located in OneDrive cloud storage or in other folders that have OneDrive as their name. Kaspersky Endpoint Security also blocks the copying of encrypted files to OneDrive folders if those files are not added to the decryption rule.
When the file level encryption component is installed, management of users and groups does not work in WSL mode (Windows Subsystem for Linux).
When the file level encryption component is installed, POSIX (Portable Operating System Interface) for renaming and deleting files is not supported.
It is not recommended to encrypt temporary files, as this can cause data loss. For example, Microsoft Word creates temporary files when processing a document. If temporary files are encrypted, but the original file is not, the user may receive an Access Denied error when trying to save the document. Additionally, Microsoft Word might save the file, but it will not be possible to open the document the next time, i.e. the data will be lost. To prevent data loss, you need to exclude the temporary files folder from encryption rules.
After updating Kaspersky Endpoint Security for Windows version 11.0.1 or earlier, to access encrypted files after restarting the computer, make sure that the Network Agent is running. Network Agent has a delayed startup, so you cannot access the encrypted files immediately after the operating system loads. There is no need to wait for the Network Agent to start after the next computer startup.
You cannot scan an object quarantined as a result of the Move file to Quarantine task.
It is not possible to quarantine an Alternate Data Stream (ADS) that is larger than 4 MB. Kaspersky Endpoint Security skips any ADS this large without notifying the user.
Kaspersky Endpoint Security does not run IOC Scan tasks on network drives if the folder path in the task properties begins with a drive letter. Kaspersky Endpoint Security supports only the UNC path format for IOC Scan tasks on network drives. For example, \\server\shared_folder.
An import of an application configuration file ends with an error if the integration with Kaspersky Sandbox setting is enabled in the configuration file. Prior to exporting application settings, disable Kaspersky Sandbox. Then perform the export/import procedure. After importing the configuration file, enable Kaspersky Sandbox.
When an indicator of compromise is detected while running the IOC Scan task, the application quarantines a file only for the FileItem term. Quarantining a file for other terms is not supported.
Kaspersky Endpoint Security for Windows web plug-in 11.7.0 or later is required for managing alert details. Alert details are necessary when working with Endpoint Detection and Response solutions (EDR Optimum and EDR Expert). Alert details are available only in Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console.
Migrating the [KES+KEA] configuration to [KES+built-in agent] configuration may complete with a Kaspersky Endpoint Agent application removal error. The application removal error is fixed in the latest version of Kaspersky Endpoint Agent. To remove Kaspersky Endpoint Agent, restart the computer and create an application removal task.
The [KES+KEA+built-in agent] configuration is not supported. Such configuration disrupts the interaction between applications and the Detection and Response solution that is deployed in your organization. In addition, using Kaspersky Endpoint Agent and the built-in agent on the same computer can lead to duplication of telemetry and increased load on the computer and network. After migrating to [KES + built-in agent] configuration, make sure that Kaspersky Endpoint Agent has been removed from the computer. If Kaspersky Endpoint Agent continues to work after migration, uninstall the application manually (for example, using the Uninstall application remotely task).
The installer allows you to deploy Kaspersky Endpoint Agent on a computer with Kaspersky Endpoint Security and the built-in agent installed. Kaspersky Endpoint Agent and the built-in agent can also be installed on one computer as a result of the Change application components task. The behavior depends on the versions of Kaspersky Endpoint Security and Kaspersky Endpoint Agent.
Kaspersky Endpoint Security for Windows web plug-in 11.7.0 or later is required for managing EDR Optimum and Kaspersky Sandbox components. Kaspersky Endpoint Security for Windows web plug-in 11.8.0 or later is required for managing the EDR Expert component. If you created the Change application components task using a web plug-in that does not support working with these components, the installer will delete these components on computers with EDR Optimum, EDR Expert or Kaspersky Sandbox installed.
The built-in agent, EDR (KATA), resumes the network isolation of a computer after a computer restart, even if the isolation period has expired. To prevent the repeated computer isolation, you need to turn off network isolation in the Kaspersky Anti Targeted Attack Platform console.
We recommend upgrading the application after Network isolation finishes. After upgrading Kaspersky Endpoint Security, Network isolation can be stopped.
Built-in agents for EDR (KATA), EDR Optimum, and EDR Expert are not compatible with each other. Therefore, the activation of the EDR built-in agent with a stand-alone Kaspersky Endpoint Detection and Response Add-on license can be skipped if you have activated Kaspersky Endpoint Security with different EDR functionality. For example, the activation of EDR (KATA) built-in agent with a stand-alone license is skipped if you have activated Kaspersky Endpoint Security with the [KES+EDR Optimum] license.
In Kaspersky Endpoint Security version 12.1, the built-in EDR (KATA) agent does not support the following metafiles for the Get NTFS metafiles task: $Secure:$SDH:$INDEX_ROOT; $Secure:$SDH:$INDEX_ALLOCATION; $Secure:$SDH:$BITMAP; $Secure:$SII:$INDEX_ROOT; $Secure:$SII:$INDEX_ALLOCATION; $Secure:$SII:$BITMAP; $Extend\$UsnJrnl:$J:$DATA; $Extend\$UsnJrnl:$Max:$DATA. Support for these metafiles has been added to Kaspersky Endpoint Security version 12.2.
When migrating from Kaspersky Endpoint Agent to Kaspersky Endpoint Security for the Kaspersky Anti Targeted Attack Platform (EDR) solution, you may encounter errors when connecting the computer to Central Node servers. The reason is that the migration wizard in Web Console skips the following policy settings and does not migrate them:
Settings modification prohibition Settings for connecting to KATA servers ("lock").
By default, settings can be modified (the "lock" is open). Therefore the settings are not applied on the computer. You must prohibit the modification of settings and close the "lock".
Crypto-container.
If you are using two-way authentication for connecting to Central Node servers, you must re-add the crypto-container. The migration wizard correctly migrates the TLS certificate of the server.
The Policy and Task Migration Wizard in Administration Console (MMC) migrates all settings for the Kaspersky Anti Targeted Attack Platform (EDR) solution.
Application activation status is incorrectly displayed when the application is installed in the Endpoint Detection and Response Agent mode to support the Kaspersky Managed Detection and Response solution with no connection to Kaspersky Security Center. After the BLOB file download, the Windows taskbar notification area displays an incorrect status: Application is not activated. However, the application interface displays the activation status correctly. Restart the computer for the application to work correctly.
Kaspersky Endpoint Security allows integrating with the Kaspersky Anti Targeted Attack Platform solution using the EDR (KATA) component or Endpoint Sensor (unsupported). Note that you can only use one of the components to interact with Kaspersky Anti Targeted Attack Platform. To view the status of the component, open computer properties in the Administration Console (MMC), in the Applications section, open the properties of Kaspersky Endpoint Security for Windows, and go to the Components section. The following special considerations apply to the display of component status for the interaction with Kaspersky Anti Targeted Attack Platform:
For the management plug-in 12.0 and earlier versions, the application displays the current status of Endpoint Sensor. In Kaspersky Endpoint Security 12.0 and earlier, the EDR (KATA) component is not available. The EDR (KATA) component was introduced in version 12.1.
For the management plug-in 12.1 and later versions, the application displays the overall status of Endpoint Detection and Response (KATA), which can mean either the Endpoint Sensor status, or the EDR (KATA) component status. This depends on the version of the application installed on the user's computer, and the available components that you can use to interact with Kaspersky Anti Targeted Attack Platform.
Starting from Kaspersky Endpoint Security version 12.6 and higher, Kaspersky Security Center Web Console version 14.2 and lower does not correctly display the name of the Endpoint Detection and Response (KATA) component in the computer properties. Instead of Endpoint Detection and Response (KATA) component, the application displays the name of Endpoint Detection and Response Expert (KATA EDR) component. To view the list of components, open computer properties in the Web Console, in the Applications section, open the properties of Kaspersky Endpoint Security for Windows, and go to the Components section. Starting from Kaspersky Security Center Web Console version 15.1 and higher, the application correctly displays the component name.
If the application returns errors or hangs up during operation, it may be restarted automatically. If the application encounters recurring errors that cause the application to crash, the application performs the following operations:
Disables control and protection functions (encryption functionality remains enabled).
Notifies the user that the functions have been disabled.
Attempts to restore the application to a functional state after updating anti-virus databases or applying application module updates.
In the Kaspersky Security Center console, you cannot save a file to disk from the Advanced → Repositories → Active threats folder. To save the file, you must disinfect the infected file. When disinfecting, the application saves a copy of the file in Backup. Now you can save the file to disk from the Advanced → Repositories → Backup folder.
Inheritance of settings of data transfer to Administration Server (General settings → Reports and Storage → Data transfer to Administration Server) differs from inheritance of other settings. If you have allowed changing data transmission settings in the policy (the "lock" is open), these settings will be reset to default values in the local computer properties in the console if they were not previously defined. If these settings were previously defined, then their values will be restored. When deleting a policy, the settings are inherited in the same way. In these cases, other settings in the local computer properties are inherited from the policy.
Kaspersky Endpoint Security monitors HTTP traffic that complies with the RFC 2616, RFC 7540, RFC 7541, RFC 7301 standards. If Kaspersky Endpoint Security detects another data exchange format in HTTP traffic, the application blocks this connection to prevent downloading malicious files from the Internet.
Kaspersky Endpoint Security prevents communication over the QUIC protocol. Browsers use the standard transport protocol (TLS or SSL) regardless of whether QUIC support is enabled in the browser or not.
TLS connection errors may occur when third-party software works with the Libcurl library. This can be related to the Kaspersky certificate that Kaspersky Endpoint Security uses to scan encrypted connections. To continue working, you can disable certificate validation for third-party software (not recommended) or add a Kaspersky certificate body to the cURL certificate storage. For detailed information, refer to the Kaspersky Knowledge Base.
When Kaspersky Endpoint Security for Windows is started for the first time, a digitally signed application may be temporarily placed into the wrong group. The digitally signed application will later be put into the correct group.
In Kaspersky Security Center, when switching from using the global Kaspersky Security Network to using a private Kaspersky Security Network, or vice versa, the option to participate in Kaspersky Security Network is disabled in the policy of the specific product. After switching, carefully read the text of the Kaspersky Security Network Statement and confirm your consent to participate in KSN. You can read the text of the Statement in the application interface or when editing the product policy.
During a rescan of a malicious object that was blocked by third-party software, the user is not notified when the threat is detected again. The threat re-detection event is displayed in the application report and in the Kaspersky Security Center report.
The Endpoint Sensor component cannot be installed in Microsoft Windows Server 2008.
The Kaspersky Security Center report on device encryption will not include information about devices that were encrypted using Microsoft BitLocker on server platforms or on workstations on which the Device Control component is not installed.
It is not possible to enable the display of all report entries in the Kaspersky Security Center Web Console. In the Web Console, you can only change the number of entries displayed in reports. By default, Kaspersky Security Center Web Console shows 1000 report entries. You can enable the display of all report entries in the Administration Console (MMC).
It is not possible to set the display of more than 1000 report entries in the Kaspersky Security Center Console. If you set a higher value than 1000, the Kaspersky Security Center Console will display only 1000 report entries.
When using a policy hierarchy, the settings of the Encryption of Removable Drives section in a child policy are accessible for editing if the parent policy prohibits modification of those settings.
If shared folder protection is enabled, Kaspersky Endpoint Security for Windows monitors attempts to encrypt shared folders for each remote access session that was started before the startup of Kaspersky Endpoint Security for Windows, including if the computer from which the remote access session was started has been added to exclusions. If you do not want Kaspersky Endpoint Security for Windows to monitor attempts to encrypt shared folders for remote access sessions that were started from a computer that was added to exclusions and that were started before the startup of Kaspersky Endpoint Security for Windows, terminate and re-establish the remote access session or restart the computer on which Kaspersky Endpoint Security for Windows is installed.
The application may fail to start due to insufficient system performance. To resolve this problem, use the Ready Boot option or increase the operating system timeout for starting services.
Application operation in Safe Mode is not supported.
We cannot guarantee that Audio Control will work until after the first restart after installing the application.
In the Administration Console (MMC), in the Intrusion Prevention settings in the window for configuring application permissions, the Remove button is unavailable. You can remove an application from a trust group via the context menu of the application.
In the local interface of the application, in the Intrusion Prevention settings, application permissions and protected resources are not available for viewing if the computer is managed by a policy. Scroll, search, filter and other window controls are unavailable. You can view application permissions in the policy properties in the Kaspersky Security Center Console.
When rotated trace files are enabled, no traces are created for the AMSI component and the Outlook plug-in.
Performance traces cannot be manually collected in Windows Server 2008.
Performance traces for the "Restart" trace type are not supported.
Dump logging is not supported for pico processes.
Turning off the Disable external management of system services option will not allow you to stop the service of the application that was installed with the AMPPL=1 parameter (by default, the parameter value is set to 1 starting with the Windows 10RS2 operating system version). The AMPPL parameter with a value of 1 enables the use of Protection Processes technology for the product service.
To run a custom scan of a folder, the user that starts the custom scan must have the permissions to read the attributes of this folder. Otherwise the custom folder scan will be impossible and will end with an error.
When a scan rule defined in a policy includes a path without the \ character at the end, for example, С:\folder1\folder2, the scan will be run for the path C:\folder1\.
If you are using software restriction policies (Software Restriction Policies, SRP), the computer may fail to load (black screen). To prevent malfunctions, you need to allow the use of application libraries in the SRP properties. In the SRP properties add the rule with Unrestricted security level for khkum.dll file (New Hash Rule menu item). The file is located in the C:\Program Files (x86)\Common Files\Kaspersky Lab\KES.21.19\klhk\klhk_x64\ folder. If you selected this method, you need to additionally clear the Download updates of application modules check box in the Update task settings for Kaspersky Endpoint Security. For details on using SRP, refer to the Microsoft documentation.
You can also disable SRP and use the Application Control component of Kaspersky Endpoint Security to control application usage.
If the computer belongs to a domain under Windows Group Policy Object (Group Policy Object, GPO) with DriverLoadPolicy parameter set to 8 (Good only), restarting the computer with Kaspersky Endpoint Security installed causes a BSOD. To prevent a failure, the Early Launch Antimalware (ELAM) parameter in Group Policy must be set to 1 (Good and unknown). ELAM settings are located in the policy under: Computer Configuration → Administrative Templates → System → Early Launch Antimalware.
Management of Outlook plug-in settings via Rest API is not supported.
Task run settings for a specific user cannot be transferred between devices via a configuration file. After settings are applied from a configuration file, manually specify the user name and password.
After installing an update, the integrity check task does not work until the system is restarted to apply the update.
When the rotated tracing level is changed through the remote diagnostics utility, Kaspersky Endpoint Security for Windows incorrectly displays a blank value for the trace level. However, trace files are written according to the correct trace level. When the rotated tracing level is changed through the local interface of the application, the tracing level is correctly modified but the remote diagnostics utility incorrectly displays the trace level that was last defined by the utility. This may cause the administrator to not have up-to-date information about the current tracing level, and relevant information may be absent from traces if a user manually changes the tracing level in the local interface of the application.
In the local interface, Password protection settings don't allow changing the name of the administrator account (KLAdmin by default). To change the name of the administrator account, you need to disable Password protection, then enable Password protection and specify a new name of the administrator account.
The Kaspersky Endpoint Security application when installed on a Windows Server 2019 server is incompatible with Docker. Deploying Docker containers on a computer with Kaspersky Endpoint Security causes a crash (BSOD).
Kaspersky Endpoint Security does not support HTTPS when connecting to KSN Proxy (Use HTTPS check box selected in KSN Proxy connection settings) if the address of the server includes non-Latin letters (non-ASCII symbols).
Compatibility of Kaspersky Endpoint Security and Secret Net Studio software is limited:
The Kaspersky Endpoint Security application is not compatible with the Antivirus component of Secret Net Studio software.
The application cannot be installed on a computer where Secret Net Studio is deployed with the Antivirus component. To make interoperability possible, you must remove the Antivirus component from Secret Net Studio.
The Kaspersky Endpoint Security application is not compatible with the Full Disk Encryption component of Secret Net Studio software.
The application cannot be installed on a computer where Secret Net Studio is deployed with the Full Disk Encryption component. To make interoperability possible, you must remove the Full Disk Encryption component from Secret Net Studio.
Secret Net Studio is not compatible with the File Level Encryption (FLE) component of Kaspersky Endpoint Security.
When you install Kaspersky Endpoint Security with the File Level Encryption (FLE) component, Secret Net Studio can operate with errors. To ensure interoperability, you must remove the File Level Encryption (FLE) component from Kaspersky Endpoint Security.
When importing System Integrity Monitoring rules, the application checks the ID and name of the rule. If rule IDs are the same, Kaspersky Endpoint Security replaces the existing rules with the new rule. When exporting rules, the application automatically assigns IDs. Rule with identical IDs can exist, for example, if you manually edited exported rule XML files. If rule IDs are unique, but rule names are the same, Kaspersky Endpoint Security adds (1) and so on to the name of the rule.