• For correct operation of the hard drive encryption feature, system reboot is required after the installation of the product.
• The authentication agent does not support hieroglyphics and the special symbols "|" and "\".
• Kaspersky Endpoint Security 11 for Windows shows the notification that you need to close the processes that use the encrypted devices before the the application grants access to such devices. If all such processes cannot be terminated, the encrypted drives have to be reconnected.
• Unique IDs of hard drives are displayed in the device encryption statistics in inverted format.
• We do not recommend to format the devices during the process of their encryption.
• When more than one removable drives are connected to the computer, the encryption policy is applied only to one of the drives. Upon the next attempt to connect the drives that were not encrypted, the policy works correctly.
• Encryption may fail to start on a heavily fragmented hard drive. Hard drive defragmentation must be performed.
• During hard drive encryption, hibernation is blocked from the time when the encryption task starts and until the first reboot of a computer under Microsoft Windows 7 / 8 / 8.1 / 10 operating systems, and after installation of hard drive encryption – until the first reboot of Microsoft Windows 7 / 8 / 8.1 / 10 operating systems. During hard drive decryption, hibernation is blocked from the time when the boot hard drive is fully decrypted until the first reboot of the operating system. When the Quick Start option is enabled in the Microsoft Windows 8 / 8.1 / 10 operating systems, blocking of hibernation makes it impossible to shut down the operating system.
• It is not recommended to use the xbootmgr.exe tool with additional providers enabled (such as Dispatcher, Network, Drivers).
• Formatting of an encrypted removable drive is not supported on a computer with Kaspersky Endpoint Security for Windows installed.
• Formatting of an encrypted removable drive with the FAT32 file system is not supported (the device is displayed as encrypted). To be able to format the drive, reformat it to the NTFS file system.
• Issues of restoring the operating system from a backup copy to an encrypted GPT device are described in this article.
• Coexistence of several download agents on one encrypted computer is not supported.
• Unable to access the removable drive which was earlier encrypted on another computer under one of the following conditions:
  • No connection with the Kaspersky Security Center 10 server.
  • The user authorizes with a new token or password.
  In such cases, restart the computer. After the computer restart, access to the encrypted removable drive will be granted.
• Discovery of USB devices by the authentication agent is not supported when xHCI mode for USB is enabled in BIOS settings.
• Full Disk Encryption (FDE) of the SSD part of the drive, which is used for caching the most frequently used data, is not supported for SSHD devices.
• Full-disk encryption of 32-bit Microsoft Windows 8 / 8.1 / 10 operating systems running in UEFI mode is not supported.
• Before the next encryption of the decrypted hard drive, computer restart is required.
• Hard drive encryption is incompatible with Kaspersky Anti-Virus for UEFI. It is not recommended to use full disk encryption on computers with Kaspersky Anti-Virus for UEFI installed.
• Creating authentication agent user accounts based on MS accounts is supported with the following limitations:
  • Single sign-on is not supported.
  • Automatic creation of user accounts for the authentication agent is not supported if the option of creating accounts for users who have logged in to the system within N days is enabled.
• If the authentication agent account name is "domain"/"Windows account name", then after changing the computer name you must also update the domain part of the account names created for local users on this computer. For example, the computer name is USER and your local user account name is Username, and the FDE account has been created under the name USER/Username. If the computer name (USER) has been changed (for example, to USER-PC) , then you must change the FDE account name from USER/Username to USER-PC/Username. To change the authentication agent account name, use the local accounts management task. Until the account name is changed, only the old name can be used for preboot authentication (in the example: USER/Username).
• If the user is allowed to log in only with a token and a access restoration procedure is required on a computer which is encrypted with the FDE technology, make sure this user can log in with a password after the aceess to the encrypted computer is restored. The password set by the user during access restoration may not be saved. In this case, the user will have to restore access to the encrypted host once again at the next computer restart.
• Disk encryption is incompatible with the Intel Rapid Start technology.
• Disk encryption is incompatible with the ExpressCache technology.
• If the data on the device is overwritten with the existing decrypted data when the hard drive is decrypted in the GPT format with the FDE Test Utility tool, the decryption may end with an error. Some of the data will remain encrypted. We recommend selecting the option of saving the decrypted data to a file in the decryption settings or use the new version of the FDE Test Utility. If the user restarts the computer when the message «Your password has been changed. Click OK» is displayed, the new password is not saved. The old password must be used for the next preboot authentication.

• File and folder encryption functionality is not supported under operating systems of the Microsoft Windows Embedded family.
• Once you have installed the application, you must restart the operating system for the file and folder encryption functionality to work properly.
• If encryption is unavailable on the computer, then in case it tries to access an encrypted file on the computer with encryption enabled, direct access to the file may be provided. The encrypted file located in a shared folder on the computer computer where the encryption functionality of Kaspersky Endpoint Security is available, is copied unencrypted to the computer with encryption functionality unavailable.
• You are advised to decrypt files that were encrypted with Encrypting File System, before encrypting files with Kaspersky Endpoint Security.
• After a file is encrypted, its size increases by 4 KB.
• After a file is encrypted, the "Archive" attribute is set in the file properties.
• When extracting the files from an encrypted archive, the extracted files are replaced with existing files that are included into the encrypted archive in case their names are the same. The user is not notified about this operation.
• Portable File Manager errors are not displayed in the Portable File Manager interface.
• Kaspersky Endpoint Security does not launch Portable File Manager on a computer with file encryption functionality installed. 
• When file encryption is used, the application is incompatible with the Sylpheed email client.
• The parameters of the swap file cannot be changed. Instead of the specified settings, the operating system uses the default values.
• Safe removal should be used when working with encrypted removable drives. If a removable drive is removed unsafely, data safety is not guaranteed.
• After the files are encrypted, their non-encrypted original copies undergo safe removal.
• Synchronization of offline files using Client-Side Caching service (CSC) is not supported. We recommend that you deny autonomous use of shared resources on the group policy level. Files in the autonomous mode can be edited. Upon synchronization, the changes made to the files can be lost. For more information about Client-Side Caching (CSC) support, see this article.
• Creation of an encrypted archive in the root of the system hard drive is not supported.
• Problems can be experienced when attempting to access encrypted files over the network. We recommend that you move files to a different source or make sure that the computer used as a file server is managed by the same Kaspersky Security Center Administration Server.
• Changing the keyboard layout causes the password entry window for an encrypted self-extracting archive to stop responding. To solve this problem, close the password entry window, switch the keyboard layout in your operating system, and re-enter the password for the encrypted archive. 
• When using file encryption on systems with several disk partitions, it is recommended that you use the automatic pagefile.sys file size identification option. The pagefile may be moved to a different partition upon computer restart.
• After applying file encryption rules, including the files located in the Documents folder, make sure all users for which the encryption was enabled have access to the files. Each of users must log in with Kaspersky Security Center connected. If the user tries to access the encrypted files when there is no connection to Kaspersky Security Center 10, the system may stop responding.
• Encryption of files used by the system at the startup is not recommended. Otherwise, when the system tries to access these files without connection to Kaspersky Security Center, the system may stop responding or may show multiple requests on access to the files.
• Password expiration term cannot be disabled for encryption of removable drives that suppoer the portable mode.

For silent installation, add the PRIVACYPOLICY=1 parameter to the command line or to the setup.ini file. By doing this, you will accept the Privacy Policy. The Privacy Policy file is included into the distribution package of Kaspersky Endpoint Security 11 for Windows. You must accept the terms of the Privacy Policy to install or upgrade the application. If you do not specify this parameter for silent installation, the application will not be installed.

• After being installed to an infected computer, the application does not inform the user that it is necessary to scan the computer. Problems with the application activation may be occur. To fix these issues, run the Critical Areas Scan. 
• If setup.ini contains non-ASCII characters (e.g. Cyrillic letters), we recommend editing the file using notepad.exe. Save the file in Encoding Unicode or UTF-16LE. Other encodings are not supported.
• If you need to delete the AES encryption module before upgrade and changing of the application settings is password-protected, use the following commands:
  • For AES encryption module (256 bit):
  msiexec /x {090EAE5F-F428-49D5-9CAF-BEED98A702CA} KLLOGIN=<login> KLPASSWD=<password>/qn
  • For AES encryption module (56 bit):
• msiexec /x {51DAFEE1-44D0-4E1E-8F6B-80F57FEC5AE0} KLLOGIN=<login> KLPASSWD=<password>/qn
• During the product settings import from the CFG file, the value for participation in Kaspersky Security Network is not applied. After the settings are imported, you must review the Kaspersky Security Network Statement and select whether you agree to participate in Kaspersky Security Network. You can find the Policy from the application interface or in the ksn_*.txt file which is located in the installation folder.
• When upgrading from Kaspersky Endpoint Security 10 Service Pack 2 for Windows (10.3.0.6294), the Host Intrusion Prevention component turns on.
• When upgrading from Kaspersky Endpoint Security 10 Service Pack 2 for Windows (10.3.0.6294) to Kaspersky Endpoint Security 11 for Windows (11.0.0.6499), the files from backup and quarantine are moved to the backup storage of the new version. For versions earlier than Kaspersky Endpoint Security 10 for Windows Service Pack 2 (10.3.0.6294), files from quarantine and backup will not be moved to the new version. To keep the files, restore them from backup and quarantine before upgrading to Kaspersky Endpoint Security 11 for Windows. After the upgrade, scan the restored files.
• When the encryption module (FLE or FDE) or the Device Control component is removed then installed again, computer restart is required before installation.
• In Microsoft Windows 10, you must restart the system after removing the FLE component.
• The attempts to install any version of the AES encryption module on a computer with Kaspersky Endpoint Security 10 Service Pack 11 for Windows installed fail with the error informing that the newer version of the application is installed on the computer, even if no encryption components are installed. Starting with Kaspersky Endpoint Security 11, the encryption module does not have a separate installation file. Encryption libraries are included into the application installation package. Kaspersky Endpoint Security 11 for Windows is incompatible with AES encryption modules released , for previous versions of Kaspersky Endpoint Security. All libraries required for encryption are installed automatically when the full disk encryption (FDE) or file level encryption (FLE) component is selected.

• If the "Error receiving data" system message is displayed, check if the computer on which you are performing activation has network access, or configure activation via Kaspersky Security Center Activation Proxy.
• Installation of the subscription license through Kaspersky Security Center 10 automatic distribution is not performed if the license on the computer is expired or if trial license is used. To replace the trial license or a renewal license which is due to expire soon, use the license distribution task to apply the renewal license.
• In the application interface, the license expiration date is displayed in the local time.

Access to Printer devices added to the list of trusted devices is blocked by device and bus blocking rules.

When using Microsoft Windows 10, blocking rules may be applied incorrectly in the denylist mode. Start of some applications not listed in the rules may be blocked.

• OGV and WEBM formats are not supported.
• RTMP protocol is not supported.
• The block notification page is not displayed for HTTPS connections.

Filtering packets / connections by local addresses, physical interface, and TTL is supported in the following cases:

• by local address for outgoing packets / connections in applications rules (for TCP and UDP) and packet rules;
• by local address for incoming packets / connections (except for UDP) in blocking rules of apps and packet rules;
• by packet TTL in blocking packet rules for incoming / outgoing packets;
• by network interface for incoming and outgoing packets / connections in packet rules.

• Full disk encryption (FDE) on Hyper-V virtual machines is not supported.
• Full disk encryption (FDE) and encryption of files and folders (FLE) are not supported on Citrix virtual platforms.
• To enable Kaspersky Endpoint Security compatibility with Citrix PVS, perform installation with the Ensure compatibility with Citrix PVS option enabled. This option can be enabled in the Setup Wizard or using the command line parameter /pCITRIXCOMPATIBILITY=1. In case of remote installation, you must add the /pCITRIXCOMPATIBILITY=1 key into the KUD file.
• Using Target Device for creating images of virtual machines with Kaspersky Endpoint Security 10 installed that run under Microsoft Windows Vista is not supported.
• Citrix Xen Desktop. Before cloning, Self-Defense must be disabled on the computers that use vDisk.
• When preparing the template machine for the master image of Citrix XenDesktop with pre-installed Kaspersky Endpoint Security 10 and the KSC Network Agent, add the exclusion of the following type to the configuration file:

For more information, see the Citrix XenDesktop guide.

• Under server operating systems, no warning of required advanced disinfection is displayed.
• Web addresses added to the allowlist may be processed incorrectly.  
• Application events are displayed incorrectly in Kaspersky Security Center reports.
• System Watcher. Information about processes is not displayed in full.
• At the first startup of Kaspersky Endpoint Security for Windows, the application signed with a digital signature may end up in a wrong group. Later the group will be automatically changed to the correct one.
• In the Host Intrusion Prevention component, the Protected resources are available for configuring through the local interface. You cannot configure it through the policy.
• When checking mail with Mail Threat Protection, we recommend that you use the Cached Exchange Mode (option Use Cached Exchange Mode).
• Mail Anti-Virus for Microsoft Outlook does not support 64 bit versions of Microsoft Outlook.
• When using on-premises relay in the network with different localizations of Kaspersky Endpoint Security installed on the computers, use Update Utility of the compatible version to download application module updates.
• When switching from global Kaspersky Security Network to local or vice versa, the checkbox for participation in Kaspersky Security Network is cleared in the product policy. After switching, you must review the Kaspersky Security Network Statement and select whether you agree to participate in Kaspersky Security Network. You can view the Kaspersky Security Network Statement in the application interface or while editing the application policy.
• When re-scanning a malicious object that has been blocked by the application, the user is not informed that the threat has been rediscovered. The rediscovery of the threat is displayed as an event in the product report and the Kaspersky Security Center report.
• Installation of the Endpoint Sensor component is not supported on Microsoft Windows Server 2008.
• The encryption report in Kaspersky Security Center 10 does not include the information about the devices encrypted with Microsoft BitLocker on server platforms and and workstations, on which the Device Control component is not installed.
• If the hierarchy of policies is used, the settings of the Encryption of removable drives section in the child policy are displayed as available for editing while it is disabled in the parent policy. 
• Enable the login audit in the operating system settings for correct work of exclusions in the protection of shared resources from encryption.
• If protection of shared folders is enabled, Kaspersky Endpoint Security for Windows tracks encryption attempts for each session of the remote computer which was launched before the start of Kaspersky Endpoint Security for Windows, including the computer from which the remote access session was started is added to exclusions. To disable tracking of encryption attempts for remote access sessions started from the computer which was added to exclusions or launched before the start of Kaspersky Endpoint Security for Windows, stop this session and start it once again or restart the computer on which Kaspersky Endpoint Security for Windows is installed.
• If the update task is started with the permissions of a specific user account, patches will not be downloaded from the sources that require authorization.
• Kaspersky Endpoint Security forcibly uses the HTTP/1 protocol for scanning encrypted traffic.