What to do if tasks do not run and policies are not applied on a device with Kaspersky Endpoint Security for Windows
Show applications and versions that this article concerns
- Kaspersky Endpoint Security 12.6 for Windows (version 12.6.0.438)
- Kaspersky Endpoint Security 12.5 for Windows (version 12.5.0.539)
- Kaspersky Endpoint Security 12.4 for Windows (version 12.4.0.467)
- Kaspersky Endpoint Security 12.3 for Windows (version 12.3.0.493)
- Kaspersky Endpoint Security 12.2 for Windows (version 12.2.0.462)
- Kaspersky Endpoint Security 12.1 for Windows (version 12.1.0.506)
- Kaspersky Endpoint Security 12 for Windows (version 12.0.0.465)
- Kaspersky Endpoint Security 11.11 for Windows (version 11.11.0.452)
- Kaspersky Endpoint Security 11.10 for Windows (version 11.10.0.399)
- Kaspersky Endpoint Security 11.9 for Windows (version 11.9.0.351)
- Kaspersky Endpoint Security 11.8 for Windows (version 11.8.0.384)
- Kaspersky Endpoint Security 11.7 for Windows (version 11.7.0.669)
- Kaspersky Security Center 14.2 (version 14.2.0.26967)
- Kaspersky Security Center 14 (version 14.0.0.10902)
Issue
Devices with Kaspersky Endpoint Security for Windows (KESW) may experience problems with tasks or policies, for example:
- There is no automatic distribution of a license key.
- The KESW and Network Agent tasks do not run.
- Policy settings are not applied.
Solution
Step 1. Check policy settings
Verify the following:
- The policy is active.
- The locks next to the policy setting and component are closed in the MMC-based Administration Console or set to Enforce in the Web Console.
- The target settings are set correctly and have not been overwritten by the parent policy due to configuration errors in the Settings inheritance block.
- If the Out-of-office policy option is selected, make sure that a connection profile for out-of-office users is created in the Network Agent policy and the Enable out-of-office mode when Administration Server is not available option is enabled. These conditions must be met at the time of verification.
- If the policy conditions use data from Active Directory about the placement of objects in groups or organizational unit (OU), make sure that Active Directory polling works:
- Create a new computer object in Active Directory.
- Start a forced Active Directory polling.
- Check the synchronization result via a device search from the Administration Server node.
If the test object does not appear, follow the instructions.
If you are using a policy profile, check the following:
- The Enable profile check box and the lock is closed.
- The activation rules are specified and the lock next to them is closed. Make sure that the affected device complies with the specified rules. To do so, use the device search by policy profile conditions.
- There are no parent policy profiles that overwrite the affected policy settings of the same name.
Step 2. Check the settings of the group to which the policy applies
Verify the following:
- The device is part of a group or subgroup that is covered by the policy.
- A child policy or policy profile that overwrites the same-named settings of an affected policy is not applied to the group. To do this, open the properties of the managed device in the Kaspersky Security Center Administration Console (KSC) and check that:
- The policy is displayed in the Active policies section.
- The policy profile is displayed in the Active policy profiles section.
Step 3. Check the status of the policy distribution
After changing the policy and synchronizing the managed device again, wait for the synchronization period to end. Check the status of the policy distribution in the Policy distribution results window of the KSC Administration Console:
- The Finished status means that communication between KSC and KESW is intact and KESW has received the policy settings. Check that the parameters and conditions in the policies settings and profiles are specified correctly.
- The Pending status means that communication between KSC and KESW is interrupted and KESW has not received the policy settings. Possible causes and recommendations:
- The device or KESW are disabled.
- The device is not available for the Administration Server or distribution point that acts as a connection gateway.
- The device does not receive notifications from the notifying server and applies the policy only after the synchronization period ends (by default every 15 minutes).
Configure the multicast to the Network Agents using the instructions. - The distribution point is not functioning properly.
Move the device away from the current point and check that the synchronization runs. - The Network Agent service has been disrupted or the Agent's connection to the Administration Server has been configured incorrectly.
Resolve this issue using the instructions. Pay special attention to the klnagchk utility scan. - The operation of KESW or any of its components has been disrupted due to a violation of the application integrity.
Restore the KESW integrity.
Step 4. Check the KESW configuration
Verify the following:
- Make sure that KESW is activated.
If KESW is not activated or does not automatically accept the new license key, follow the instructions. - The KESW component is installed and enabled on the device, the operation of which is determined by the policy.
- The KESW task or component is included in your license.
If the component is included in the license but not activated, follow the instructions. - The Network Agent Connector is installed as part of KESW if the installation was performed locally.
- The device does not have the critical status “Your device is connected to an untrusted Administration Server”.
To fix this issue, follow the instructions.
If the issue persists, reinstall the KESW management plug-in:
- Remove and install the latest version of the management plug-in using the instructions.
- Export the affected policy. After that, disable or remove it.
- Create a new policy, reconfigure it, and consistently distribute this policy to the managed devices.
What to do if the issue persists
- Follow the recommendations for diagnosing hardware and operating system problems in the device.
- Follow the instructions to ensure that the KSC is not overloaded with the Administration Server events.
If the issue persists, submit a request to Kaspersky Technical Support via Kaspersky CompanyAccount. In your request, provide the following:
- Diagnostic information collected on the device with KESW.
- Diagnostic information collected on the device with KSC.
Useful references
Error when updating anti-virus databases from the Kaspersky Security Center repository
How to configure an operating system to troubleshoot the remote installation of the Kaspersky Security Center Network Agent
Policy setup and propagation: Device-centric approach
Hierarchy of policies, using policy profiles