Known issues and limitations of Kaspersky Endpoint Security 11.3.0 for Windows (version 18.104.22.1683)
The MMC plugin for Kaspersky Endpoint Security for Windows version 11.2.0 and 11.3.0 does not support installation under Windows Server 2008 operating system. To ensure proper operation of Kaspersky Endpoint Security for Windows, use supported operating systems.
Support of Microsoft Windows 10 / Server 2016 / Server 2019
Full disk encryption (FDE) of hard drives and removable drives
- For correct operation of the hard drive encryption feature, reboot the computer after the installation of the product.
- Authentication Agent does not support hieroglyphics and the special symbols "|" and "\".
- When there are processes that attempt to access encrypted drives before the application has granted them access to the devices, the application shows a warning saying that such processes must be terminated. If not all such processes can be killed, the encrypted drives have to be reconnected.
- Unique IDs of hard drives are displayed in the device encryption statistics in inverted format.
- We do not recommend to format the devices during the process of their encryption.
- When more than one removable drives are connected to the device, the encryption policy is applied only to one of the drives. At the next attempt to connect the drives that were not encrypted, the encryption policy is applied correctly.
- Encryption may fail to start on a heavily fragmented hard drive. Defragment your hard drive.
- During hard drive encryption, hibernation is blocked from the time when the encryption task starts and until the first reboot of a computer under Microsoft Windows 7 / 8 / 8.1 / 10 operating systems, and after installation of hard drive encryption – until the first reboot of Microsoft Windows 8 / 8.1 / 10 operating systems. During hard drive decryption, hibernation is blocked from the time when the boot hard drive is fully decrypted until the first reboot of the operating system. When the Quick Start option is enabled in the Microsoft Windows 8 / 8.1 / 10 operating systems, blocking of hibernation makes it impossible to shut down the operating system.
- We do not recommend that you use the xbootmgr.exe tool with additional providers enabled (such as Dispatcher, Network, Drivers).
- Formatting of an encrypted removable drive is not supported on a computer with Kaspersky Endpoint Security for Windows installed.
- Formatting of an encrypted removable drive with the FAT32 file system is not supported (the device is displayed as encrypted). To be able to format the drive, reformat it to the NTFS file system.
- Issues of restoring the operating system from a backup copy to an encrypted GPT device are described in this article.
- Coexistence of several download agents on one encrypted computer is not supported.
- It is impossible to access the removable drive, which was earlier encrypted on another computer, when all of the following conditions are maintained:
- There is no connection to the Kaspersky Security Center server.
- The user authorizes with a new token or password.
- Discovery of USB devices by the authentication agent is not supported when xHCI mode for USB is enabled in BIOS settings.
- Full-disk encryption (FDE) of the SSD part of the drive, which is used for caching the frequently used data, is not supported for SSHD devices.
- Full-disk encryption of 32-bit Microsoft Windows 8 / 8.1 / 10 operating systems running in UEFI mode is not supported.
- Before the next encryption of the decrypted hard drive, restart the computer.
- Hard drive encryption is incompatible with Kaspersky Anti-Virus for UEFI. We do not recommend that you use full disk encryption on computers with Kaspersky Anti-Virus for UEFI installed.
- Creating Authentication Agent user accounts based on Microsoft accounts is supported with the following limitations:
- Single sign-on is not supported.
- Automatic creation of user accounts for the authentication agent is not supported if the option of creating accounts for users, who have logged in to the system within N days, is enabled.
- If the authentication agent account name is "domain"/"Windows account name", then after changing the computer name you must also update the domain part of the account names created for local users on this computer. For example, the computer name is USER and your local user account name is Username, and the FDE account has been created under the name USER/Username. If the computer name (USER) has been changed (for example, to USER-PC) , then you must change the FDE account name from USER/Username to USER-PC/Username. To change the authentication agent account name, use the local accounts management task. Until the account name is changed, only the old name can be used for preboot authentication (in the example: USER/Username).
- If the user is allowed to log in only with a token and an access restoration procedure is required on a computer that has been encrypted using FDE technology, make sure this user can log in with a password after the access to the encrypted computer is restored. The password set by the user during access restoration may not be saved. In this case, the user will have to restore access to the encrypted host once again at the next computer restart.
- If the data on the original device is overwritten with the decrypted data when the hard drive is decrypted with the FDE Recovery Tool, the decryption process may end with an error. Some of the data will remain encrypted. We recommend selecting the option of saving the decrypted data to a file in the FDE Recovery Tool settings.
- If the user restarts the computer when the message "Your password has been changed. Click OK" is displayed, the new password is not saved. The old password must be used for the next preboot authentication.
- Disk encryption is incompatible with the Intel Rapid Start technology.
- Disk encryption is incompatible with the ExpressCache technology.
- In some cases, when trying to decrypt an encrypted drive, FDE Recovery Tool will erroneously detect the device condition as not encrypted after the Challenge-Response procedure completion. The successful decryption event will appear in the tool operation log. In this case, it is necessary to run the data recovery process again to decrypt the device.
- See this article for the remaining limitations in Full Disk Encryption support and for the list of devices that support hard drive encryption with limitations.
Encryption of files and folders (FLE)
- File and folder encryption functionality is not supported under operating systems of the Microsoft Windows Embedded family.
- Once you have installed the application, you must restart the operating system for the file and folder encryption functionality to work properly.
- If encryption is unavailable on the computer, then in case it tries to access an encrypted file on the computer with encryption enabled, direct access to the file may be provided. The encrypted file located in a shared folder on the computer computer where the encryption functionality of Kaspersky Endpoint Security is available, is copied unencrypted to the computer with encryption functionality unavailable.
- You are advised to decrypt files that were encrypted with Encrypting File System before encrypting files with Kaspersky Endpoint Security for Windows.
- After a file is encrypted, its size increases by 4 KB.
- After a file is encrypted, the "Archive" attribute is set in the file properties.
- When extracting the files from an encrypted archive, the extracted files are replaced with existing files that are included into the encrypted archive in case their names are the same. The user is not notified about this operation.
- Portable File Manager errors are not displayed in the Portable File Manager interface.
- Kaspersky Endpoint Security does not launch Portable File Manager on a computer with file encryption functionality installed.
- When file encryption functionality is used, the application is incompatible with the Sylpheed email client.
- The parameters of the swap file cannot be changed. Instead of the specified settings, the operating system uses the default values.
- Use safe removal when working with encrypted removable drives. If the removable drive is not ejected safely, data may be lost.
- After the files are encrypted, their non-encrypted original copies undergo safe removal.
- Synchronization of offline files using Client-Side Caching service (CSC) is not supported. We recommend that you deny autonomous use of shared resources on the group policy level. Files in the autonomous mode can be edited. Upon synchronization, the changes made to the autonomous file can be lost. For more information about Client-Side Caching (CSC) support, see this article.
- Creation of an encrypted archive in the root of the system hard drive is not supported.
- Problems can be experienced when attempting to access encrypted files over the network. We recommend that you move files to a different source or make sure that the computer used as a file server is managed by the same Kaspersky Security Center Administration Server.
- Changing the keyboard layout causes the password entry window for an encrypted self-extracting archive to stop responding. To solve this problem, close the password entry window, switch the keyboard layout in your operating system, and re-enter the password for the encrypted archive.
- When using file encryption on systems with several disk partitions, it is recommended that you use the automatic pagefile.sys file size identification option. The pagefile.sys file may move between disk partitions after restarting the computer.
- After applying file encryption rules, including the files located in the Documents folder, make sure all users for which the encryption was enabled have access to the files. Each user should log in to the system when there is a connection with Kaspersky Security Center. If the user tries to access the encrypted files when there is no connection to Kaspersky Security Center, the system may stop responding.
- If system files end up in the FLE scope, an event may be logged in application reports about an error encrypting them. The files specified in the events are not encrypted.
- Pico processes are not supported.
- Paths that are case-sensitive are not supported. When are applying encryption or decryption rules, paths are displayed in product events in lower case.
- Encryption of files used by the system at the startup is not recommended. Otherwise, when the system tries to access these files without connection to Kaspersky Security Center, the system may stop responding or may show multiple requests on access to the files.
- Password expiration term cannot be disabled for encryption of removable drives that support the portable mode.
- When a file is edited simultaneously by multiple users over the network according to FLE encryption rules in an application that uses memory-mapped file technology (e.g., WordPad, FAR) or an application for working with large files (e.g., Notepad++), the unencrypted file can be blocked indefinitely without being accessible on this computer.
- File encryption is not supported in the OneDrive synchronization folders. Adding folders which contain already encrypted files to the list of synchronization with OneDrive may result in data loss in those folders.
- If the "Error receiving data" system message is displayed, check if the computer on which you are performing activation has network access, or configure activation via Kaspersky Security Center Activation Proxy.
- Installation of the subscription license through Kaspersky Security Center automatic distribution is not performed if the license on the computer is expired or if trial license is used. To replace a trial license or a renewal license which is due to expire soon, use the license distribution task to apply the renewal license.
- In the application interface, the license expiration date is displayed in local time.
- When installing a program with a built-in key file on a computer with unstable Internet connection, events may appear temporary, reporting that the program could not be activated or that the license blocks the component. During its installation, the program will first install and try to activate an in-built test license. This process requires stable Internet connection.
- Installing any update or patch for the program during its trial period on a computer with an unstable Internet access may cause events to appear temporary, reporting that the program could not be activated. During an update installation, the program will reinstall and try to activate an in-built test license. This process requires stable Internet connection.
- If the application was activated with a trial license upon installation and then removed without saving the license information, it will not be repeatedly activated with the trial license when installed again. In this case, activate the application manually.
Installing the application
- After being installed to an infected computer, the application does not inform the user that it is necessary to scan the computer. Problems with the application activation may occur. To fix these issues, run a Critical Areas Scan.
- If non-ASCII characters are used in the setup.ini and setup.reg files (for example, Cyrillic characters), we recommend editing the file in Notepad.exe and saving it in the UTF-16LE encoding. Other encodings are not supported.
- Only ASCII characters are supported when specifying the application installation path in the installation package settings.
- During the product settings import from the cfg file, the value for participation in Kaspersky Security Network is not applied. After the settings are imported, you must review the Kaspersky Security Network Statement and select whether you agree to participate in Kaspersky Security Network. You can find the Policy from the application interface or in the ksn_*.txt file which is located in the installation folder.
- When upgrading from Kaspersky Endpoint Security 10 Service Pack 2 for Windows (10.3.0.6294), the Host Intrusion Prevention component is turned on.
- When upgrading Kaspersky Endpoint Security 10 Service Pack 2 for Windows (10.3.0.6294) to Kaspersky Endpoint Security 11.3.0 for Windows, the files from backup and quarantine are moved to the backup storage of the new version. For versions earlier than Kaspersky Endpoint Security 10 for Windows Service Pack 2 (10.3.0.6294), files from quarantine and backup will not be moved to the new version. To keep the files, restore them from backup and quarantine before upgrading to Kaspersky Endpoint Security 11.3.0 for Windows. After the upgrade, scan the restored files again.
- When the encryption module (FLE or FDE) or the Device Control component is removed then installed again, computer restart is required before reinstalling the modules.
- On Microsoft Windows 10, you must restart the system after removing the FLE component.
- Attempts to install any version of the AES encryption module on a computer with Kaspersky Endpoint Security 11 for Windows fail with an error stating that a newer version of the application is installed on the computer, even if no encryption components are installed. Starting with Kaspersky Endpoint Security 10 Service Pack 2 (version 10.3.0.6294), the encryption module does not have a separate installation file. Encryption libraries are included into the application installation package. Kaspersky Endpoint Security 11.3.0 for Windows is incompatible with AES encryption modules released for previous versions of Kaspersky Endpoint Security for Windows. All libraries required for encryption are installed automatically when the full disk encryption (FDE) or file level encryption (FLE) component is selected.
- Application installation may end with an error stating that application has been installed on the computer without a name, or with a name that is unreadable. It means that incompatible applications or their traces are still present on your computer. To remove the traces of incompatible applications, submit a request to Kaspersky Technical Support via Kaspersky CompanyAccount. Please include a detailed description of the issue.
- The Kaspersky Endpoint Security 11.3.0 for Windows plug-in is installed on top of the Kaspersky Endpoint Security 11.0, 11.0.1, 11.1.0, 11.1.1 or 11.2.0 plug-in. To continue using the earlier version of the Administration Plug-in, you must first remove its version 11.3.0.
- When upgrading Kaspersky Endpoint Security 11.0.0 and 11.0.1 for Windows, schedule configurations for local Update, Critical Areas Scan, Custom Scan and Integrity Check tasks are not saved.
- If you canceled the installation of the program, run its restore task after restarting the computer.
- When run on the computers operating under Windows 10 19H1 and 19H2, the update from versions Kaspersky Endpoint Security 10 for Windows Service Pack 2 Maintenance Release 3 (10.3.3.275) and Service Pack 2 Maintenance Release 4 (10.3.3.304), 11.0.0 and 11.0.1, with file encryption (FLE) component installed, may end with an error. Such update errors are caused by the lack of file encryption support in Kaspersky Endpoint Security for Windows 10 19H1 and 19H2. We recommend deleting the file encryption component before installing the update.
- If you update a previous version of the application to version 11.3.0, then in order to install Kaspersky Endpoint Agent you will need to restart the computer and log into the system under the local administrator account. Otherwise, the installation will not include Kaspersky Endpoint Agent.
- When updating Kaspersky Endpoint Security 11 to version 11.3.0, the Delete rights for applications that are not started for more than N days parameter in the Host Intrusion Prevention section will be reset to 60 days.
- If the installation of the program with Kaspersky Endpoint Agent component selected failed on the server operating system and the operating system shows the Windows Installer Coordinator Error, see this article.
- The installation from the distribution package with in-built private patches is not supported.
- If the application was installed locally in silent mode, use the built-in setup.ini file to change the installed components.
- When updating Kaspersky Endpoint Security 10 for Windows with file encryption component (FLE) installed from version Service Pack 2 Maintenance Release 4 to version Kaspersky Endpoint Security 11.3.0 for Windows on computers with operating systems Windows 10 RS5, 19H1 and 19H2, FDE drivers will not be installed into the WinRE image.
- The access to Printer devices added to the list of trusted devices is blocked by device and bus blocking rules.
- Read, Write, Connect operations are not controlled on MTP devices if built-in Microsoft drivers are used. If the user installs a custom driver (e.g. prom the iTunes or Android Debug Bridge package), Read and Write operations may not be controlled.
- When using MTP devices, changes to the access rules are applied after the device is reconnected.
- When adding a device to the list of trusted devices by device mask and using characters included in the identifier but not included in the model name, the device is not added to the list. On the workstation, the device will be added to the trusted list by the identifier mask.
Adaptive Anomaly Control
- We recommend creating automatic exclusions based on events if necessary. When manually adding an object to the exclusions list, add character * to the beginning of the path.
- Adaptive Anomalies Control Rules report is not created if the data contains at least one event longer than 260 characters.
- When using Microsoft Windows 10, blocking rules may be applied incorrectly in the denylist mode. Start of some applications not listed in the rules may be blocked.
- When blocking PWA (Progressive Web App) applications with the Application Control component, the report will show appManifest.xml. as the blocked application.
- Filtering packets / connections by local addresses, physical interface, and TTL is supported in the following cases:
- by local address for outgoing packets / connections in applications rules (for TCP and UDP) and packet rules;
- by local address for incoming packets / connections (except for UDP) in blocking rules of apps and packet rules;
- by packet TTL in blocking packet rules for incoming / outgoing packets;
- by network interface for incoming and outgoing packets / connections in packet rules.
- In versions 11.0.0 and 11.0.1 of the application, the selected MAC addresses cannot be applied correctly. The MAC address settings in versions 11.0.0 / 11.0.1 are incompatible with versions 11.1.0 and later. It is necessary to check and reapply the selected MAC addresses in the Firewall rules after updating the program or plug-in from version 11.0 to version 11.1.0.
Issues and limitations of virtual platform support
- Full disk encryption (FDE) on Hyper-V virtual machines is not supported.
- Full disk encryption (FDE) on Citrix virtual machines is not supported.
- Installing and using of files and folders encryption (FLE) is not supported on Citrix virtual platforms.
- To enable Kaspersky Endpoint Security compatibility with Citrix PVS, perform installation with the Ensure compatibility with Citrix PVS option enabled. This option can be enabled in the Setup Wizard or using the command line parameter /pCITRIXCOMPATIBILITY=1. In case of remote installation, you need to add the /pCITRIXCOMPATIBILITY=1 key into the KUD file.
- Citrix Xen Desktop. Before cloning, Self-Defense must be disabled on virtual machines that use vDisk.
- When preparing the Citrix XenDesktop master image with pre-installed Kaspersky Endpoint Security 11.3.0 and the KSC Network Agent, add exclusions of the following type to the configuration file:
For more information, see the Citrix support website.
- Attempts to remove hardware safely may sometimes result in an error on virtual machines deployed on VMWare ESXi hypervisor. If you encounter this issue, try removing hardware safely one more time.
Compatibility with Kaspersky Security Center
- The encryption report in Kaspersky Security Center 10 does not include information about devices encrypted with Microsoft BitLocker on server platforms or workstations on which the Device Control component is not installed.
- You can only manage the Adaptive Anomaly Control component in Kaspersky Security Center 11.
- Kaspersky Endpoint Security 11.3.0 for Windows does not support the new RFC 9218 standard of the HTTP/2 protocol. If the application uses this standard, the problem may occur when attempting to establish TLS connection, and when opening the browser you will see the error "ERR_HTTP2_PROTOCOL_ERROR". To fix the issue, add the domain to exclusions or contact Kaspersky technical support via Kaspersky CompanyAccount to receive the patch.
- Under server operating systems, no warning of required advanced disinfection is displayed.
- Web addresses added to the allowlist may be processed incorrectly.
- System Watcher. Full information about processes is not displayed.
- At the first startup of Kaspersky Endpoint Security for Windows, the application signed with a digital signature may temporarily end up in a wrong group. Later the group will be automatically changed to the correct one.
- When checking mail with the Mail Threat Protection plug-in for Microsoft Outlook, we recommend that you use the Use Cached Exchange Mode option.
- Mail Anti-Virus for Microsoft Outlook does not support 64-bit versions of Microsoft Outlook.
- When switching from global Kaspersky Security Network to local or vice versa in Kaspersky Security Center 10, the checkbox for participation in Kaspersky Security Network is cleared in the product policy. After switching, you must review the Kaspersky Security Network Statement and select whether you agree to participate in Kaspersky Security Network. You can view the Kaspersky Security Network Statement in the application interface or while editing the application policy.
- When re-scanning a malicious object that has been blocked by the application, the user is not informed that the threat has been rediscovered. The rediscovery of the threat is displayed as an event in the product report and the Kaspersky Security Center report.
- Installation of the Endpoint Sensor component is not supported on Microsoft Windows Server 2008.
- When policy hierarchy is used, the settings of the Encryption of removable drives section in the child policy are displayed as available for editing when they are disabled in the parent policy.
- It is necessary to enable the login audit in the operating system settings for exclusions in the protection of shared resources against encryption to work correctly.
- If protection of shared folders is enabled, Kaspersky Endpoint Security for Windows tracks encryption attempts for each session of the remote computer that was launched before the start of Kaspersky Endpoint Security for Windows, even if the computer from which the remote access session was started has been added to the exclusions list. To disable the monitoring of attempts to encrypt shared folders for remote access sessions started before Kaspersky Endpoint Security for Windows was launched from a computer that has been added to the exclusions list, terminate the session and start it once again, or restart the computer on which Kaspersky Endpoint Security for Windows is installed.
- If the update task is started with the permissions of a specific user account, product patches will not be downloaded from sources that require authorization.
- The application may not start if there are insufficient system resources. To solve this issue, use the Ready Boot option or increase the operating system timeout for starting services.
- The application does not work in Safe Mode.
- We cannot guarantee that audio control will work after installing the application until the system is rebooted for the first time.
- When trace rotation is enabled, trace files are not created for the AMSI component and the Outlook plug-in.
- You cannot manually collect performance trace files on Windows Server 2008.
- Writing of performance traces of the Upon restart type is not supported.
- The task for checking the availability of KSN is no longer supported.
- Disabling the Disable external management of system services option will not stop the application service if the parameter AMPPL=1 is set (by default the value 1 is set for this parameter, starting from Windows version 10RS2). When the AMPPL parameter has the value 1, use of the Protection Processes technology for product services is enabled.
- When running a selective scan of a directory, it is necessary for the user who runs the scan to possess the right to read the attributes of the directory. Otherwise, the selective scan will result in an error.
- If you specify the path without the character "\" at the end of the pathname while configuring a scan rule, the part which follows after the last "\" will not be included in the rule. С:\folder1\folder2, for example, will start a scan for С:\folder1\.
- The AMSI settings will be reset to defaults after updating the application from version 11.1 to 11.3.0.
- Settings management for Outlook plug-in via Rest API is not supported.
- Task configuration cannot be transferred under a specified user between different devices via a configuration file. Specify the user name and password manually after applying the settings from the configuration file.
- The integrity check task is not supported during the period between the update installation and the computer restart.
- Actions taken against the threat may not be shown in Kaspersky Security Center threat report if that threat was detected by the AMSI component.
- Reports and statuses for the AMSI protection and Adaptive Anomaly Control components are only available in Kaspersky Security Center 11 and later. You can view the status in the Tasks section of the device properties in Kaspersky Security Center.
- When changing the tracing level with rotation through the remote diagnostics tool in Kaspersky Endpoint Security for Windows, the value for the tracing level is displayed as empty. Traces are written with the correct level.
- The "Not supported by license" status which indicates that some components are not covered by the current license, is not displayed.
- Kaspersky Endpoint Security forcibly uses the HTTP/1 protocol for scanning encrypted traffic.