I am in the process of upgrading a segment of our production environment from KES 22.214.171.12499 to 126.96.36.199. Last year a number of machines were successfully upgraded to KES 188.8.131.52 and even KES 11.2; however, back in April 2020 we discovered that any machine that had been upgraded to KES 11.1 or 11.2 was no longer checking in to our KACE K1000 Systems Management Appliance. We use this appliance to monitor machine metrics and deploy software. Earlier this year we upgraded the KACE Agent from 6.4 to 7.2, and in this new version a separate .pem certificate gets saved to C:\ProgramData\Dell\KACE\ and is used by the locally installed agent to communicate with the appliance.
We believe that as soon as a machine that has KACE Agent 7.2 installed is upgraded to KES 11.1 or 11.2, Kaspersky intercepts and replaces the certificate used to facilitate that communication. As soon as the endpoint comes back from the restart to install KES 11.1/11.2, it loses communication, and if we look in the KACE Agent log, we see activity like this start to loop indefinitely:
This behavior shows that when the KACE Agent starts it sees that the certificate has been signed by an unknown authority and will not allow it to connect. This happens only after the client restarts after installing a KES client higher than 11.0. As far as I know there is nowhere in the Endpoint or Security Center that highlights if/when Kaspersky replaces the certificate. The only known fix at this time is to regenerate the certificate manually client-side, which is not feasible for an organization of my size.
I have whitelisted C:\ProgramData\Dell\KACE everywhere in the Kaspersky Security Center policy that I could find. I added the URL of our K1000 Systems Management Appliance to the list of Trusted Domains. I even repackaged our Kaspersky Endpoint deployment entirely with install.cfg so that our policy comes installed with the endpoint, on the off chance that Kaspersky is intercepting the cert before KES has a chance to check in to our server.
We checked with KACE Support to confirm what locations need to be whitelisted (and they already were). I have opened a few tickets with KL Support and am simply told that enabling/configuring this option here or that one there should do the trick, but it never does. I have spent an inordinate amount of time troubleshooting this issue and I am sick and tired of this.
Has anyone else had to get these two technologies to work together or have any tips?