Migrating KSWS tasks and policies

You can migrate KSWS policy and task settings in the following ways:

• Using the Policies and Tasks Batch Conversion Wizard (hereinafter also referred to as the Migration Wizard).

  The Migration Wizard for KSWS is available only in the Administration Console (MMC). Policy and task settings cannot be migrated in the Web Console and Cloud Console.

  The batch conversion wizard works differently for different versions of Kaspersky Security Center. We recommend upgrading the solution to version 14.2 or higher. In this version of Kaspersky Security Center, the Policies and tasks batch conversion wizard lets you migrate policies into a profile rather than into a policy. In this version of Kaspersky Security Center, the Policies and tasks batch conversion wizard also lets you migrate a broader range of policy settings.

• Using the New Policy Wizard for Kaspersky Endpoint Security for Windows.

  The New Policy Wizard lets you create a KES policy based on a KSWS policy.

KSWS policy migration procedures are different when using Migration Wizard and the New Policy Wizard.

Policies and tasks batch conversion wizard

The migration wizard transfers KSWS policy settings into the policy profile instead of KES policy settings. The policy profile is a set of policy settings that is activated on a computer if the computer satisfies the configured activation rules. The UpgradedFromKSWS device tag is selected as the triggering criterion of the policy profile. Kaspersky Security Center automatically adds the UpgradedFromKSWS tag to all computers on which you install KES on top of KSWS using the remote installation task. If you chose a different installation method, you can assign the tag to devices manually.

To add a tag to a device:

1. Create a new tag for servers — UpgradedFromKSWS.

   For more details about creating tags for devices, refer to the Kaspersky Security Center Help.

2. Create a new administration group in the Kaspersky Security Center console and add servers to which you want to assign the tag to this group.

   You can group servers using the selection tool. For more details about working with selections, refer to the Kaspersky Security Center Help.

3. Select all servers of the administration group in the Kaspersky Security Center console, open the properties of the selected servers and assign the tag.

If you are migrating multiple KSWS policies, each policy is converted to a profile within one overarching policy. If the KSWS policy already contains profiles, these profiles are also migrated as profiles. As a result you will get a single policy that includes profiles corresponding to all KSWS policies.

How to use the Policies and Tasks Batch Conversion Wizard to migrate KSWS policy settings

The new policy profile with KSWS settings will be named UpgradedFromKSWS <Name of the Kaspersky Security for Windows Server policy>. In profile properties, the migration wizard automatically selects the UpgradedFromKSWS device tag as the triggering criterion. Thus the settings from the policy profile are applied to servers automatically.

Wizard for creating a policy based on a KSWS policy

When a KES policy is created based on a KSWS policy, the wizard transfers settings to the new policy accordingly. That is, one KES policy will correspond to one KSWS policy. The wizard does not convert the policy to a profile.

How to use the New Policy Wizard to migrate KSWS policy settings

Additional configuration of policies and tasks after migration

KSWS and KES have different sets of components and policy settings, so after migration you must verify that policy settings satisfy your corporate security requirements.

Check the following basic policy settings:

• Password protection. KSWS Password protection settings are not migrated. Kaspersky Endpoint Security has a built-in Password protection feature. If necessary, turn on Password protection and set a password.
• Trusted zone. The methods used by KSWS and KES for selecting objects differ. When migrating, KES supports exclusions defined as individual files or paths to file / folder. If KSWS has exclusions configured as a predefined area or a script URL, such exclusions are not migrated. After migration, you must add such exclusions manually.

  To make sure Kaspersky Endpoint Security works correctly on servers, it is recommended to add files important for the server's functioning to the trusted zone. For SQL servers, you must add MDF and LDF database files. For Microsoft Exchange servers, you must add CHK, EDB, JRS, LOG, and JSL files. You may use masks, for example, C:\Program Files (x86)\Microsoft SQL Server\*.mdf.

• Firewall. KSWS Firewall functions are performed by the system-level Firewall. In KES, a separate component is responsible for the Firewall functionality. After migration, you can configure the Kaspersky Endpoint Security Firewall.
• Kaspersky Security Network. Kaspersky Endpoint Security does not support configuring KSN for individual components. Kaspersky Endpoint Security uses KSN for all application components. To use KSN, you must accept the new terms and conditions of the Kaspersky Security Network Statement.
• Web Control. Blocking rules for web traffic category control are migrated to a single blocking rule in Kaspersky Endpoint Security. Kaspersky Endpoint Security ignores allowing rules for category control. Kaspersky Endpoint Security does not support all categories of Kaspersky Security for Windows Server. Categories that do not exist in Kaspersky Endpoint Security are not migrated. Therefore, web resource classification rules with unsupported categories are not migrated. If necessary, add Web Control rules.
• Proxy server. The proxy server connection password is not migrated. Enter the password to be used for connecting to the proxy server manually.
• Schedules of individual components. Kaspersky Endpoint Security does not support configuring schedules for individual components. The components are always on while Kaspersky Endpoint Security is operational.
• Set of components. The set of available Kaspersky Endpoint Security features depends on the type of operating system: workstation or server. For example, out of encryption tools, only BitLocker Drive Encryption is available on servers.
• attribute. The state of the attribute is not migrated. The attribute will have the default value. By default, almost all settings in the new policy have a prohibition applied on modifying settings in child policies and in the local application interface. The attribute has the value for policy settings in the Managed Detection and Response section and in the User support group of settings (Interface section). If necessary, configure the inheritance of settings from the parent policy.
• Working with active threats. Advanced Disinfection works differently for workstations and servers. You can configure advanced disinfection in Malware Scan task settings and in application settings.
• Upgrading the application. To install major updates and patches without restarting, you must change the application upgrade mode. By default, the Install application updates without restart feature is disabled.
• Kaspersky Endpoint Agent. Kaspersky Endpoint Security has a built-in agent for working with Detection and Response solutions. If necessary, transfer Kaspersky Endpoint Agent policy settings to the Kaspersky Endpoint Security policy.
• Update tasks. Make sure that the settings of the Update task were migrated correctly. Instead of KSWS's three tasks, KES uses a single KES task. You may optimize the Update tasks and remove superfluous tasks.
• Other tasks. Application Control, Device Control, and File Integrity Monitor components work differently in KSWS and KES. KES does not use Baseline File Integrity Monitor, Applications Launch Control Generator, Rule Generator for Device Control tasks. Therefore these tasks are not migrated. After migration, you can configure the File Integrity Monitor, Application Control, Device Control components.