Kaspersky
Solved

In-place upgrade Windows 10 1809 to 1909 best practice/Tips and tricks

  • 6 July 2020
  • 4 replies
  • 197 views

Hello,

I’m curious of what are the best practices for Windows 10 In-place upgrades from Kaspersky’s perspective?

I need to upgrade Windows 10 1809 to 1909 with KES 11.1.1.126 already installed on the clients, when I’m doing the validation suggested by MS I get a success code of 0xC1900210 (no issues found) and later on when I run the upgrade (from ISO) the upgrade fails and the device (VM) tries to revert with a poor effect as most applications don’t work including MS Office.
Just to test I installed an identical client (same applications, also a VM on the same hypervisor) without KES and tried to upgrade it - totally no issues, the upgrade went smooth and fast.

We are discussing with our internal security department the way to upgrade the OS and there is an idea to disable Kaspersky just for the upgrade and I’m wondering if this is the best practice/recommended way by Kaspersky?

I think that till now people have made a lot of In-place upgrades and have faced the same issue, so please share the approach you took to make a successful upgrade of Windows 10 while using KES.

icon

Best answer by alexcad 7 July 2020, 13:06

1.) … if we have the “ File Encryption component (FLE)” and it even wouldn’t need to be used for the In-place upgrade to fail, is this correct?

Please check your installation package - FLE is disabled by default.
 

 

With KES11.3 or 11.4 operating system update is supported - even with FLE:
“If KES 11.2.0 or 11.2.0 Critical Fix 1 with the FLE encryption component is installed on your computer, the operating system update is not supported. Upgrade Kaspersky Endpoint Security to version 11.4.0...”


2.) ...Is there any option to stay on KES 11.1.1.126 and disable some of it’s components and make the upgrade (just for a test)?

If FLE is installed you can use the “Change application components” task to uninstall this feature (reboot required)

 

3.) BTW if there is a need to upgrade let’s say to 11.4 as you suggested, can we make the upgrade on a pilot group of client devices or do we need to upgrade it on all devices as I guess some server component also needs to be updated that talks to KES 11.4, right?

Testing new products in a pilot group is always a good idea :slight_smile: 
You just have to install the new plugin for KES11.4 and check the policy for new features with default settings. There is no need to create new policies or tasks.

The easiest way to upgrade is: just approve the update for KES11.4. But be careful: in this case it will be installed automatically on all systems with the next pattern update task.

 

KES11.3 and KES11.4 are only supported with Agent/KSC12.

Regards
Alex

View original

4 replies

Userlevel 6
Badge +4

You first have to upgrade KES to 11.4, 11.3 or 11.2CF1
https://support.kaspersky.com/13036#19h2

I would recommend version 11.4
https://support.kaspersky.com/kes11#downloads

Regards
Alex

Thanks a lot for a fast reply!
Just to be sure if I understand this correctly, if we have the “ File Encryption component (FLE)” and it even wouldn’t need to be used for the In-place upgrade to fail, is this correct?

Is there any option to stay on KES 11.1.1.126 and disable some of it’s components and make the upgrade (just for a test)?
BTW if there is a need to upgrade let’s say to 11.4 as you suggested, can we make the upgrade on a pilot group of client devices or do we need to upgrade it on all devices as I guess some server component also needs to be updated that talks to KES 11.4, right?

Userlevel 6
Badge +4

1.) … if we have the “ File Encryption component (FLE)” and it even wouldn’t need to be used for the In-place upgrade to fail, is this correct?

Please check your installation package - FLE is disabled by default.
 

 

With KES11.3 or 11.4 operating system update is supported - even with FLE:
“If KES 11.2.0 or 11.2.0 Critical Fix 1 with the FLE encryption component is installed on your computer, the operating system update is not supported. Upgrade Kaspersky Endpoint Security to version 11.4.0...”


2.) ...Is there any option to stay on KES 11.1.1.126 and disable some of it’s components and make the upgrade (just for a test)?

If FLE is installed you can use the “Change application components” task to uninstall this feature (reboot required)

 

3.) BTW if there is a need to upgrade let’s say to 11.4 as you suggested, can we make the upgrade on a pilot group of client devices or do we need to upgrade it on all devices as I guess some server component also needs to be updated that talks to KES 11.4, right?

Testing new products in a pilot group is always a good idea :slight_smile: 
You just have to install the new plugin for KES11.4 and check the policy for new features with default settings. There is no need to create new policies or tasks.

The easiest way to upgrade is: just approve the update for KES11.4. But be careful: in this case it will be installed automatically on all systems with the next pattern update task.

 

KES11.3 and KES11.4 are only supported with Agent/KSC12.

Regards
Alex

Thank you Alex, for an extremely good explanation!

Reply / Ответить