1. Open the Kaspersky Security Center Administration Console.
2. In the Managed devices folder in the Administration Console tree, select the folder with the name of the administration group to which the relevant client computers belong.
3. In the workspace, select the Policies tab.
4. Click New policy.

   The Policy Wizard starts.

5. Follow the instructions of the Policy Wizard.

Step 1. Selecting the application to create group policy

Select the Kaspersky Endpoint Security for Windows (12.8) application.

Step 2. Naming the group policy

Enter a name for the group policy, for example, Policy for the office.

You can also create new policies based on the existing policies using the Policy Wizard. To do so, when specifying the group policy name, select the Use policy settings for an earlier version of the application check box. The wizard also allows creating a Kaspersky Endpoint Security (KES) policy based on a policy of a different solution, for example, Kaspersky Security for Windows Server (KSWS) or Kaspersky Security for Virtualization Light Agent for Windows

Step 3. Participating in Kaspersky Security Network

Please read and accept the terms of the Kaspersky Security Network (KSN) Statement.

Step 4. Selecting the application usage mode on computers

Depending on the purpose of using Kaspersky Endpoint Security, you can deploy the Kaspersky Endpoint Security application in different modes:

• Standard mode.

  If you select this mode, you can specify basic policy settings while the wizard is running. You can also import basic policy settings from a configuration file.

• Endpoint Detection and Response Agent.

  If you select this mode, you can create a policy only with default settings. To configure EDR Agent settings, you must navigate to policy properties after the wizard finishes.

• Light Agent to protect virtual environments.

  If you select this mode, at the next step, you must configure the connection to the Protection Server (SVM). These settings are required for the application to work in Light Agent mode.

Kaspersky Endpoint Security provides a common policy for all application modes and OS types. This means that the policy covers the whole set of settings. However, the application may ignore some of the policy settings because Kaspersky Endpoint Security is deployed in a mode in which some functionality is not available. For example, when using the application in Endpoint Detection and Response Agent mode, only settings that are relevant to the integration with Kaspersky Detection and Response solutions and to integration with KUMA are available.

We recommend using different policies for different modes and operating system types.

Step 5. Configuring the trusted zone

Configure the trusted zone. You can add predefined scan exclusions and trusted applications. Predefined scan exclusions and trusted applications help quickly configure Kaspersky Endpoint Security on SQL servers, Microsoft Exchange servers, and System Center Configuration Manager. This means you do not need to manually set up a trusted zone for the application on servers. Predefined scan exclusions and trusted applications can also help you quickly configure Kaspersky Endpoint Security in Light Agent mode in Citrix and VMware virtual environments.

Step 6. Selecting the policy status

• Active. After the next synchronization, the policy will be used as the active policy on the computer.

  The settings of an active policy are saved on client computers during synchronization. You cannot simultaneously apply multiple policies to one computer, therefore only one policy may be active in each group.

• Inactive. Backup policy. If necessary, an inactive policy can be switched to active status.

  You can create an unlimited number of inactive policies. An inactive policy does not affect application settings on computers in the network. Inactive policies are intended as preparations for emergency situations, such as a virus attack. If there is an attack via flash drives, you can activate a policy that blocks access to flash drives. In this case, the active policy automatically becomes inactive.

• Out-of-office. The policy is activated when a computer leaves the organization network perimeter.

Exit the Wizard.

1. In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
2. Click Add.

   The Policy Wizard starts.

3. Select Kaspersky Endpoint Security and click Next.
4. Please read and accept the terms of the Kaspersky Security Network (KSN) Statement and click Next.
5. Select the mode of the application:
   • Standard mode to protect workstations and servers.
   • Endpoint Detection and Response Agent to protect against advanced threats and targeted attacks.

     If you select this mode, you can create a policy to integrate the computer with Kaspersky Detection and Response solutions. The wizard prompts you to configure the integration for Kaspersky Managed Detection and Response and then Kaspersky Anti Targeted Attack Platform (EDR).

   • Light Agent to protect virtual environments.

     If you select this mode, at the next step, you must configure the connection to the Protection Server (SVM). These settings are required for the application to work in Light Agent mode.

   Kaspersky Endpoint Security provides a common policy for all application modes and OS types. This means that the policy covers the whole set of settings. However, the application may ignore some of the policy settings because Kaspersky Endpoint Security is deployed in a mode in which some functionality is not available. For example, when using the application in Endpoint Detection and Response Agent mode, only settings that are relevant to the integration with Kaspersky Detection and Response solutions and to integration with KUMA are available.

   We recommend using different policies for different modes and operating system types.

6. Configure the trusted zone. You can add predefined scan exclusions and trusted applications. Predefined scan exclusions and trusted applications help quickly configure Kaspersky Endpoint Security on SQL servers, Microsoft Exchange servers, and System Center Configuration Manager. This means you do not need to manually set up a trusted zone for the application on servers. Predefined scan exclusions and trusted applications can also help you quickly configure Kaspersky Endpoint Security in Light Agent mode in Citrix and VMware virtual environments.
7. On the General tab, you can perform the following actions:
   • Change the policy name.
   • Select the policy status:
     • Active. After the next synchronization, the policy will be used as the active policy on the computer.

       The settings of an active policy are saved on client computers during synchronization. You cannot simultaneously apply multiple policies to one computer, therefore only one policy may be active in each group.

     • Inactive. Backup policy. If necessary, an inactive policy can be switched to active status.

       You can create an unlimited number of inactive policies. An inactive policy does not affect application settings on computers in the network. Inactive policies are intended as preparations for emergency situations, such as a virus attack. If there is an attack via flash drives, you can activate a policy that blocks access to flash drives. In this case, the active policy automatically becomes inactive.

     • Out-of-office. The policy is activated when a computer leaves the organization network perimeter.
   • Configure the inheritance of settings:
     • Inherit settings from parent policy. If this toggle button is switched on, the policy setting values are inherited from the top-level policy. Policy settings cannot be edited if is set for the parent policy.
     • Force inheritance of settings in child policies. If the toggle button is on, the values of the policy settings are propagated to the child policies. In the properties of the child policy, the Inherit settings from parent policy toggle button will be automatically switched on and cannot be switched off. Child policy settings are inherited from the parent policy, except for the settings marked with . Child policy settings cannot be edited if is set for the parent policy.
8. On the Application settings tab, you can configure the Kaspersky Endpoint Security policy settings.
9. Exit the Wizard.