Known issues and limitations of Kaspersky Endpoint Security 10 SP2 and SP2MR1 for Windows
Latest update: October 09, 2019
ID: 13276
This article concerns Kaspersky Endpoint Security 10 for Windows:
- Service Pack 2 Maintenance Release 1 (version 10.3.0.6294)
- Service Pack 2 (version 10.3.0.6294)
For more information about the issues of Microsoft Windows 10 and Microsoft Windows Server 2016 support, see this article.
Full disk encryption (FDE) of hard drives and removable drives
- For correct operation of the hard drive encryption feature, system reboot is required after the installation of the product.
- The authentication agent does not support hieroglyphics and the special symbols "|" and "\".
- When there are processes that attempt to access encrypted drives before the application has granted them access to such devices, the application shows a warning saying that such processes must be terminated. If all such processes cannot be terminated, the encrypted drives have to be reconnected.
- Unique IDs of hard drives are displayed in the device encryption statistics in inverted format.
- It is not recommended to format the devices during the process of their encryption.
- In some cases, when more than one removable drive is connected to the computer, the encryption policy is applied to only one of the drives. On the next attempt to connect the drives that were not encrypted, the policy works correctly.
- Encryption may fail to start on a heavily fragmented hard drive. In this case, hard drive defragmentation should be performed.
- During hard drive encryption, hibernation is blocked from the time the encryption task starts until the first reboot of a computer running Microsoft Windows 7 / 8 / 8.1 / 10, and, after installation of hard drive encryption, until the first reboot of Microsoft Windows 7 / 8 / 8.1 / 10. During hard drive decryption, hibernation is blocked from the time the boot hard drive is fully decrypted until the first reboot of the operating system. When the Quick Start option is enabled in Microsoft Windows 8 / 8.1 / 10, blocking of hibernation makes it impossible to shut down the operating system.
- It is not recommended to use the xbootmgr.exe tool with additional providers enabled (such as DISPATCHER, NETWORK, DRIVERS, and others).
- Formatting of an encrypted removable drive is not supported on a computer with Kaspersky Endpoint Security installed.
- Formatting of an encrypted removable drive with the FAT32 file system is not supported (the device is displayed as encrypted). To be able to format the drive, reformat it to the NTFS file system.
- Issues of restoring the operating system from a backup copy to an encrypted GPT device are described in this article.
- Coexistence of several download agents on one encrypted computer is not supported.
- It is impossible to access a removable drive that was previously encrypted on a different computer when both of the following conditions hold: there is no connection to the Kaspersky Security Center server; the user attempts authorization using a new token (a newly issued or replacement token) or a new password. If this happens, the computer has to be restarted. After the restart, access to the encrypted removable drive will be granted.
- In some cases, discovery of USB devices by the authentication agent is not supported when xHCI mode for USB is enabled in BIOS settings.
- Full-disk encryption (FDE) of the SSD part of the drive, which is used for caching the most frequently used data, is not supported for SSHD devices.
- Full-disk encryption of 32-bit Microsoft Windows 8 / 8.1 / 10 operating systems running in UEFI mode is not supported.
- Before the next encryption of the decrypted hard drive, computer restart is required.
- Hard drive encryption is incompatible with Kaspersky Anti-Virus for UEFI. It is not recommended to use full disk encryption on computers with Kaspersky Anti-Virus for UEFI installed.
- Creating authentication agent accounts based on MS accounts is supported with the following restrictions: single sign-on technology is not supported; automatic authentication agent account creation is not supported if the option of creating accounts for users who entered the system during last N days has been selected.
- If the FDE account name is "domain"/"Windows account name", then after changing the computer name you must also update the domain part of the account names created for local users on this computer. For example, the computer name is USER and your local user account name is Username, and the FDE account has been created under the name USER/Username. If the computer name (USER) has been changed (for example, to USER-PC), then you must change the FDE account name from USER/Username to USER-PC/Username. To change the FDE account name, use the local FDE accounts management task. Until the FDE account name is changed, only the old name can be used for preboot authentication (in the example: USER/Username).
- If the user restarts the computer when the message "Your password has been changed. Click OK" is displayed, the new password is not saved. Therefore, the old password must be used for the next preboot authentication.
- If the user is only allowed to access the host computer encrypted using FDE with a token and has performed the access restoring procedure, make sure that after restoring access to the encrypted host, the user is allowed to access it using the password in the authentication agent. In some cases, the password set when restoring access is not saved. In this case, the user will have to restore access to the encrypted host once again at the next computer restart.
- The single sign-on feature of the application is incompatible with similar third-party solutions.
- FDE is not supported on Hyper-V and Citrix virtual platforms.
- To see the list of devices which support hard drive encryption with limitations, please follow this link.
- If hard disks on the computer have been encrypted with BitLocker, and encryption keys are being stored using the Trusted Platform Module (TPM), then after upgrading to Creators Update (Redstone 2) the PIN-code used to access the encryption key must contain at least 6 digits.
Encryption of files and folders (FLE)
- Once you have installed the application, you must restart the operating system for the file and folder encryption functionality to work properly.
- If a computer on which encryption is unavailable tries to access an encrypted file on a computer with encryption enabled, direct access to the file may be provided. An encrypted file located in a shared folder on a computer where the encryption functionality of Kaspersky Endpoint Security is available is copied unencrypted to the computer where encryption functionality is unavailable.
- You are advised to decrypt files that were encrypted with Encrypting File System, before encrypting files with Kaspersky Endpoint Security.
- After a file is encrypted, its size increases by 4 KB.
- After a file is encrypted, the "Archive" attribute is set in the file properties.
- When unpacking an encrypted archive, files from this archive overwrite those in the target folder in case any files with identical names are detected. The user is not informed of the overwriting operation.
- Portable File Manager errors are not displayed in the Portable File Manager interface.
- Kaspersky Endpoint Security does not launch Portable File Manager on a computer with file encryption functionality installed.
- When file encryption functionality is used, the application is incompatible with the Sylpheed email client.
- Editing of the swap file settings is not supported: the operating system uses default values instead of user-defined settings.
- Using FLE for full disk encryption is not recommended. For encryption of the system drive, use FDE.
- Safe removal should be used when working with encrypted removable drives. If a removable drive is removed unsafely, data safety on the removable drive is not guaranteed.
- After the files are encrypted, their non-encrypted original copies undergo safe removal.
- Synchronization of offline files using Client-Side Caching service (CSC) is not supported. It is recommended to prohibit offline management of shared resources at the level of group policies: offline files are still available for editing; however, changes made to an offline file can be lost after synchronization. For more information, please follow this link.
- Creation of an encrypted archive in the root of the system hard drive is not supported.
- In some cases, problems can be experienced when attempting to access encrypted files over the network. If this happens, it is recommended to move files to a different source or make sure that the computer used as a file server is managed by the same Kaspersky Security Center Administration Server.
- In some cases, changing the keyboard layout causes the password entry window for an encrypted self-extracting archive to stop responding. To solve this problem, close the password entry window, switch the keyboard layout in your operating system, and re-enter the password for the encrypted archive.
- When using file encryption on systems with several disk partitions, it is recommended that you use the automatic pagefile.sys file size identification option. Otherwise, the file pagefile.sys may be moved to a different partition upon computer restart.
- After applying file encryption rules, including to the files located in the Documents folder, make sure all users for whom encryption was enabled have access to the files. Each of the users can log in with Kaspersky Security Center connected. When the user tries to access the encrypted files with no connection to Kaspersky Security Center, the system may stop responding.
- Encryption of files used by the system at startup is not recommended. Otherwise, when the system tries to access these files without a connection to Kaspersky Security Center, the system may stop responding or may show multiple requests for access to the files.
- Password expiration term cannot be disabled for encryption of removable drives that support the portable mode.
- Encryption of files and folders is not supported on Citrix virtual platforms.
Licensing
- The task of adding keys through Kaspersky Security Center might not work correctly. For more information, please follow this link.
- If the "Error receiving data" system message is displayed, check if the computer on which you are performing activation has network access, or configure activation via Kaspersky Security Center Activation Proxy.
- Installation of the subscription license through Kaspersky Security Center automatic distribution is not performed if the license on the computer has expired or if a trial license is used. To replace the trial license or a license which is due to expire soon, use the license distribution task to apply the renewal license.
Device Control
- In some cases, access to Printer devices added to the list of trusted devices is blocked by device and bus blocking rules.
- In some cases, blocking of devices at the level of connection buses is not supported on computers running under Microsoft Windows 8.1. You are advised to block devices by type.
Installing the application
- After being installed on an infected computer, the application does not inform the user that a scan of the computer is required. Problems with application activation may be experienced. To solve this problem, run the critical areas scan after installing the application.
- When non-ASCII characters (such as Russian letters) are used in the setup.ini file (including in the "InstallDir" parameter), it is recommended to use notepad.exe and save the file in "Encoding: Unicode" encoding or otherwise save the setup.ini file in UTF-16LE encoding. Other encodings are not supported.
- If changing of application settings is password-protected, use the following commands to remove the encryption module:
  - For the AES encryption module (256 bit): msiexec /x {090EAE5F-F428-49D5-9CAF-BEED98A702CA} KLLOGIN=<login> KLPASSWD=<password> /qn
  - For the AES encryption module (56 bits): msiexec /x {51DAFEE1-44D0-4E1E-8F6B-80F57FEC5AE0} KLLOGIN=<login> KLPASSWD=<password> /qn
- During the product settings import from the cfg file, the value for participation in Kaspersky Security Network is not applied. After the settings are imported, you must review the Kaspersky Security Network Statement and select whether you agree to participate in Kaspersky Security Network. You can find the text of the Kaspersky Security Network Statement in the product interface or in the file ksn_*.txt in the product installation folder.
- When the encryption module (FLE or FDE) or the Device Control component is removed then installed again, computer restart is required before installation.
- During installation of product patches, the option Start Kaspersky Endpoint Security 10 for Windows on computer startup is enabled by default.
- The attempts to install any version of the AES encryption module on a computer with Kaspersky Endpoint Security 10 Service Pack 2 for Windows installed fail with the error informing that the newer version of the application is installed on the computer, even if no encryption components are installed. Starting with Kaspersky Endpoint Security 10 Service Pack 2, the encryption module does not have a separate installation file. Encryption libraries are included into the application installation package. Thus, Kaspersky Endpoint Security 10 Service Pack 2 for Windows is incompatible with AES encryption modules released for previous versions of Kaspersky Endpoint Security. All libraries required for encryption are installed automatically when the full disk encryption (FDE) or file level encryption (FLE) component is selected.
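For the setup.ini encoding requirement in this list (UTF-16LE, the format Notepad's "Unicode" option writes), a pre-deployment check can classify the file's bytes and re-encode them. This is an added example, not Kaspersky's code; the function names and the sample InstallDir value are constructed for illustration.

```python
import codecs
from typing import Tuple

# Constructed sample: a setup.ini line whose InstallDir contains Cyrillic letters.
SAMPLE = "InstallDir=C:\\Программы\\KES\r\n"


def detect_encoding(raw: bytes) -> str:
    """Classify setup.ini bytes by BOM, then by trial decoding."""
    # UTF-32LE's BOM begins with the UTF-16LE BOM, so test it first.
    if raw.startswith(codecs.BOM_UTF32_LE):
        return "utf-32-le"
    if raw.startswith(codecs.BOM_UTF16_LE):
        return "utf-16-le"
    if raw.startswith(codecs.BOM_UTF16_BE):
        return "utf-16-be"
    if raw.startswith(codecs.BOM_UTF8):
        return "utf-8-bom"
    # BOM-less UTF-16 text is full of NUL bytes and would otherwise pass as ASCII.
    if b"\x00" in raw:
        return "utf-16-no-bom"
    for name in ("ascii", "utf-8"):
        try:
            raw.decode(name)
            return name
        except UnicodeDecodeError:
            continue
    # Not valid UTF-8: most likely a legacy ANSI code page such as cp1251.
    return "ansi-or-unknown"


def check_setup_ini(raw: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). Assumption: a pure-ASCII file needs no conversion,
    because the requirement only concerns files with non-ASCII characters."""
    enc = detect_encoding(raw)
    if enc == "utf-16-le":
        return True, "UTF-16LE with BOM"
    if enc == "ascii":
        return True, "ASCII only"
    return False, "stored as %s; re-save as UTF-16LE" % enc


def to_utf16le(raw: bytes, source_encoding: str) -> bytes:
    """Re-encode to UTF-16LE with BOM. The caller must know the real source
    encoding; an ANSI code page cannot be identified reliably from bytes."""
    text = raw.decode(source_encoding)
    return codecs.BOM_UTF16_LE + text.encode("utf-16-le")


if __name__ == "__main__":
    for label, codec in (("UTF-8", "utf-8"), ("Windows-1251", "cp1251")):
        raw = SAMPLE.encode(codec)
        print(label, check_setup_ini(raw), check_setup_ini(to_utf16le(raw, codec)))
```

A file saved in an ANSI code page decodes without error under many single-byte codecs, so pass the code page of the machine that wrote it rather than guessing.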
Firewall
- Filtering packets / connections by local addresses, physical interface, and TTL is supported in the following cases:
  - by local address for outgoing packets / connections in applications rules (for TCP and UDP) and packet rules;
  - by local address for incoming packets / connections (except for UDP) in blocking rules of apps and packet rules;
  - by packet TTL in blocking packet rules for incoming / outgoing packets;
  - by network interface for incoming and outgoing packets / connections in packet rules.
Support of virtual platforms
- To enable Kaspersky Endpoint Security compatibility with Citrix PVS, perform installation with the Ensure compatibility with Citrix PVS option enabled. This option can be enabled in the Setup Wizard or using the command line parameter /pCITRIXCOMPATIBILITY=1. In case of remote installation, you must add the /pCITRIXCOMPATIBILITY=1 key into the kud file.
- Citrix XenDesktop: before cloning virtual machines which use vDisk, Self-Defense must be disabled.
- When preparing the template machine for the master image of Citrix XenDesktop with pre-installed Kaspersky Endpoint Security 10 and the KSC Network Agent, add the exclusion of the following type to the configuration file:
[Rule-Begin]
Type=File-Catalog-Construction
Action=Catalog-Location-Guest-Modifiable
name="%ALLUSERSPROFILE%\Kaspersky Lab\**\*"
name="%ALLUSERSPROFILE%\KasperskyLab\**\*"
[Rule-End]
For more information, see the Citrix XenDesktop guide.
Other
- Under server operating systems, no warning of required advanced disinfection is displayed.
- If a scan of startup objects detects an infected file and the user has not applied Advanced Disinfection, then restoring the infected file from Quarantine before restarting the computer results in a permanent deletion of the file after the restart.
- In some cases, web addresses added to the list of trusted web addresses can be processed incorrectly.
- In some cases, application events are displayed incorrectly in Kaspersky Security Center reports.
- Recovery of objects moved to Quarantine by Mail Anti-Virus is not supported.
- System Watcher: full information about processes is not displayed.
- In some cases, at the first startup of Kaspersky Endpoint Security, an application with a digital signature may be moved to an incorrect group. Later the group will be automatically changed to the correct one.
- Vulnerability scan takes a long time if many updates for Microsoft Windows are not installed on the host.
- When checking mail with the MS Outlook plug-in, we recommend that you use the Cached Exchange Mode (option Use Cached Exchange Mode). For more information about the Cached Exchange Mode and Microsoft recommendations on its use, please follow this link.
- When using an on-premises relay in a network with different localizations of Kaspersky Endpoint Security installed on the computers, use Update Utility of the compatible version to download application module updates.
- When switching from global KSN to local KSN through Kaspersky Security Center or vice versa, the option of participation in KSN is disabled in the application policy. After switching, you must review the Kaspersky Security Network Statement and select whether you agree to participate in Kaspersky Security Network. You can view the Kaspersky Security Network Statement in the application interface or while editing the application policy.
- If you want to use PIN for disk encryption using the Microsoft BitLocker technology on the computers with Microsoft Windows 10 RS2 installed, set the minimum PIN length to 6 characters. If the PIN is shorter than 6 characters, the encryption process ends with the error Failed to prepare the system volume for encryption.
- When a malicious object blocked by third-party software is scanned for the second time, the user does not get the second notification about the threat. This information is displayed in the product log and the report in Kaspersky Security Center.