Managing private patches for Kaspersky Endpoint Security for Windows
Applications and versions that this article concerns
- All versions of Kaspersky Endpoint Security 12 for Windows
- Kaspersky Endpoint Security 11.11 for Windows (version 11.11.0.452)
- Kaspersky Endpoint Security 11.10 for Windows (version 11.10.0.399)
- Kaspersky Endpoint Security 11.9 for Windows (version 11.9.0.351)
- Kaspersky Endpoint Security 11.8 for Windows (version 11.8.0.384)
How to download the latest cumulative patch
- Sign in to your account on Kaspersky CompanyAccount.
- Click New request → Submit a request to technical support.
- Fill out the fields: Protection scope, Product, Product version.
If a cumulative patch is available for your application version, you will be prompted to download and install it.
How to create an installation package with a patch
For the Administration Console (MMC) and Web Console
- Download the required KESW version from the shared folder (KLSHARE) in Kaspersky Security Center (KSC) or from the Kaspersky website.
- Unpack the application installation package if it was downloaded from the Kaspersky website.
- Depending on how you create the installation package, do the following:
- If you create the installation package based on a downloaded one, put the patch files in the folder with Kaspersky Endpoint Security for Windows.
- If you create the installation package based on an existing application package in KSC, copy the patch files to the exec folder.
When creating an installation package for KESW version 12.5 or later, add both the patch file in the .msp format and the digital signature file in the .kcat format that comes with the patch file in the ZIP archive.
If the digital signature file is missing from the installation package, the following error will occur when installing the patch: “Error 27228. Failed to verify the signature of the file”.
- Create a new installation package based on the KUD file in the same folder where the patch files are located.
- Create a task to install the application together with the patch.
You can download the patch for your application version in Kaspersky CompanyAccount using these instructions.
For Cloud Console
It is impossible to create an installation package with a patch via Cloud Console. Use these instructions to install the patch.
How to create an installation package for a patch
For the Administration Console (MMC)
- Open KSC.
- Go to Advanced → Remote installation → Installation packages.
- Click Create installation package.
- Select Create an installation package for the specified executable file.
- Enter a name for the package and click Next.
- Click Browse and specify the path to the patch installation file in the .msp format.
The patch must be located in a separate folder. When creating a patch installation package for KESW version 12.5 or later, the digital signature file in the .kcat format, provided in the ZIP archive along with the patch file, must also be in the same folder.
If the digital signature file is missing from the installation package, the following error will occur when installing the patch: “Error 27228. Failed to verify the signature of the file”.
- In the Executable file command line (optional) field, enter:
- Select the checkbox Copy entire folder to the installation package and click Next.
- Click Finish.
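A pre-flight check for the separate patch folder described in this procedure, given here as an added example that is not Kaspersky's code. The function name, its parameters and the rule of one .msp file per folder are assumptions made for illustration; the .kcat requirement, the "Copy entire folder" behaviour and Error 27228 come from the steps above.

```powershell
# Added example (not Kaspersky code): check a patch folder before packaging it.
function Test-PatchFolder {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Set for KESW 12.5 and later, where the .kcat signature file is required.
        [switch] $RequireKcat
    )
    $files = @(Get-ChildItem -LiteralPath $Path -File)
    $msp   = @($files | Where-Object { $_.Extension -eq '.msp' })
    $kcat  = @($files | Where-Object { $_.Extension -eq '.kcat' })
    $extra = @($files | Where-Object { $_.Extension -notin '.msp', '.kcat' })

    $problems = @()
    if ($msp.Count -eq 0) { $problems += 'No .msp patch file found.' }
    # Assumption: one patch per folder, since the package points at one executable file.
    if ($msp.Count -gt 1) { $problems += 'More than one .msp file; use one folder per patch.' }
    if ($RequireKcat -and $kcat.Count -eq 0) {
        $problems += 'No .kcat signature file; installation would fail with Error 27228.'
    }
    foreach ($f in $files | Where-Object { $_.Length -eq 0 }) {
        $problems += "Zero-length file (incomplete extraction?): $($f.Name)"
    }
    # "Copy entire folder" ships everything in the folder to every target device.
    foreach ($f in $extra) {
        $problems += "Unrelated file would be copied into the package: $($f.Name)"
    }

    [pscustomobject]@{
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
        # Hashes for the change record, so deployed files can be matched later.
        Files    = $files | ForEach-Object {
            [pscustomobject]@{
                Name   = $_.Name
                Bytes  = $_.Length
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# Usage (the path is a placeholder):
# Test-PatchFolder -Path 'D:\Patches\KESW-pf' -RequireKcat | Format-List
```

The check only confirms that a .kcat file is present; verifying the signature itself is done by the installer.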
For Web Console and Cloud Console
- Download a cumulative patch following the instructions from step 1.
- Open KSC.
- In the main application window, go to Discovery & deployment → Deployment & assignment → Installation packages.
- Click Add.
- Click Create an installation package from a file.
Note that this option is not available in the trial mode of Cloud Console. The environment must be deployed under a commercial license.
- Enter the name for the installation package.
- Click Browse and select the archive with a cumulative patch.
- Wait for the download to complete.
- Select the .msp-format file and specify the following parameters in the additional command line settings:
EULA=1 PRIVACYPOLICY=1 /qn
How to install a patch
Locally through the Installation Wizard
- Extract the archive so that the patch signature passes the verification.
- Run the installation file of the patch.
- Follow the instructions of the Installation Wizard.
Locally through the command line in silent mode
- Open the command line on the client device.
- Run the following command:
Remotely using the Administration Console (MMC) on a group of devices
- Open KSC.
- Go to Advanced → Remote installation → Installation packages.
- Open the context menu of the created package and select Install application.
- Choose one of the options:
- Install on group of managed devices. Use this option to install the patch on all managed devices of the administration group, including nested groups.
We recommend installing the patch on a few devices first and ensuring that the issues are resolved before installing the patch on all devices.
- Select devices for installation. Use this option to specifically install the patch on certain devices or to install the patch on devices from the Unassigned devices group.
- Select devices or groups of devices on which the patches will be installed and click Next.
- Select the Do not re-install application if it is already installed checkbox.
- Follow the steps of the Remote Installation Wizard.
- Click Next → Finish.
- Run the patch installation task.
Remotely using the Web Console and Cloud Console
Install the cumulative patch on managed devices using a remote installation task. See these instructions.
How to obtain a patch installation or removal log
To troubleshoot issues that may occur during installation or removal of the patch, obtain a log file:
- On a client device, open:
- The system folder where temporary files are located (during remote installation)
E.g. C:\Windows\Temp
- The folder where the user’s temporary files are located (during local installation)
E.g. C:\Users\Username\AppData\Local\Temp
- Save the msi****.log files.
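The collection step above as an added example, not part of the original article or of Kaspersky's tooling. The function name, the parameters and the seven-day window are assumptions; "Return value 3" is the marker that verbose Windows Installer logs write for a failed action, and "Error 27228" is the signature error quoted earlier in this article.

```powershell
# Added example: gather recent msi*.log files from both temp folders and flag failures.
function Get-PatchInstallLog {
    param(
        # System temp (remote installation) and the current user's temp (local installation).
        [string[]] $Folder = @("$env:windir\Temp", $env:TEMP),
        [int] $Days = 7,               # assumption: only recent logs are of interest
        [string] $Destination          # optional folder to copy the logs into
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    # Reading C:\Windows\Temp normally requires an elevated session.
    $logs = foreach ($dir in $Folder) {
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -Filter 'msi*.log' -File -ErrorAction SilentlyContinue |
                Where-Object { $_.LastWriteTime -ge $cutoff }
        }
    }
    if ($Destination -and $logs) {
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    }
    foreach ($log in $logs | Sort-Object LastWriteTime) {
        # Select-String honours the byte-order mark, so UTF-16 logs are read correctly.
        $hits = @(Select-String -LiteralPath $log.FullName -SimpleMatch `
                    -Pattern 'Error 27228', 'Return value 3')
        if ($Destination) { Copy-Item -LiteralPath $log.FullName -Destination $Destination }
        [pscustomobject]@{
            File           = $log.FullName
            LastWrite      = $log.LastWriteTime
            SignatureError = [bool]($hits | Where-Object { $_.Line -like '*Error 27228*' })
            FailedActions  = @($hits | Where-Object { $_.Line -like '*Return value 3*' }).Count
            FirstHit       = if ($hits) { '{0}: {1}' -f $hits[0].LineNumber, $hits[0].Line.Trim() }
        }
    }
}

# Usage (the destination path is a placeholder):
# Get-PatchInstallLog -Destination 'C:\Support\kesw-logs' | Format-Table -AutoSize
```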
How to check if patches are installed on client devices
Locally
To get the list of patches installed on a managed device:
- Right-click the Kaspersky Endpoint Security icon on Windows taskbar.
- In the context menu, select About.
- Go to Start → Control Panel → Programs and Features and click View installed updates in the upper-left corner.
Remotely using the Administration Console (MMC)
To get the list of patches installed on the network:
- Open KSC and go to the Reports tab.
- Right-click Report on Kaspersky software versions and select Properties.
- Go to the Fields tab.
- Select the Installed checkbox in the Details fields and click OK.
- Right-click Report on Kaspersky software versions and select Show report.
In the report, you will see the list of patches installed on the devices in the network.
To get the list of patches installed on a client device:
- Open KSC and go to Managed devices.
- Open the properties of the needed device.
- Go to Applications, select Kaspersky Endpoint Security for Windows and open its properties.
Information about installed patches will be displayed in the list of installed updates.
To view the list of devices on which a patch is installed:
- Open KSC and go to Device selections.
- Click Advanced → Create a selection.
- Enter a name for the selection and click OK.
- Click Selection properties.
- Go to Conditions, choose the created selection and click Properties.
- Go to Application, specify the Critical update name and click OK.
The search results will appear in the list of devices.
Remotely using the Web Console and Cloud Console
- To get the list of managed devices with information about installed patches, generate a Kaspersky application versions report using these instructions and click Details.
- To get information about patches installed on the client device, go to the managed device settings and see information about installed applications.
- To get the list of devices based on the installed patch, generate a device selection and specify the condition for the patch presence.
How to remove a patch
Locally through the Installation and Removal Wizard
- Go to Control Panel → Programs and Features.
- Click View installed updates in the upper-left corner.
- In the context menu of the patch, click Delete.
Locally through the command line
- Open the command line on the client device.
- To remove the patch:
msiexec /i {GUID KESW} MSIPATCHREMOVE={GUID PrivateFix} EULA=1 PRIVACYPOLICY=1 /qn
Instead of {GUID KESW} and {GUID PrivateFix}, enter the relevant GUID for your application and patch version.
Remotely through KSC from all devices of the network
- In the Administration Console, go to Advanced → Application management → Software updates.
- Configure the filter settings of the list to display the installed patches, in case they are hidden.
- Open the properties of the patch to remove.
- Select the status Declined in the Update approval drop-down list.
After running a task to update anti-virus databases, the patch will be removed from all devices in the network.
You can also remove the patch using the Web Console and Cloud Console through declining software updates.
Remotely through KSC from the selected device or group of devices
- In the Administration Console, go to Advanced → Remote installation → Installation packages.
- In the right frame, click Create installation package.
- Select Create an installation package for the specified executable file.
- Enter a name for the package and click Next.
- Create a new .bat file and specify in it the command to remove the patch from the command line:
msiexec /i {GUID KESW} MSIPATCHREMOVE={GUID PrivateFix} EULA=1 PRIVACYPOLICY=1 /qn
Instead of {GUID KESW} and {GUID PrivateFix}, enter the relevant GUID for your application and patch version.
- Save the file and go back to the Administration Console.
- Click Browse and specify the path to the created .bat file.
- Click Next → Finish.
- Create a remote installation task with this installation package for a device or a group of devices.
- Run the task to remove the patch.
You can also remove the patch using the Web Console and Cloud Console according to these instructions.
How to get a GUID
GUID of the patch
To view the GUID from the patch file:
- Open the properties of the installation file of the patch.
- Go to the Details tab.
Information about the GUID will be displayed in the Edition line.
To view the GUID on a client device running Windows 10 or Windows Server 2019 and earlier:
- Go to Control Panel → Programs and Features.
- Click View installed updates in the upper-left corner.
- Press Alt on the keyboard.
- Go to View → Choose details.
- Select the Update ID checkbox and click OK.
Information about the GUID will be displayed in the list of installed updates.
KESW GUID
To find out the GUID of KESW, run the command below on the device with Kaspersky Endpoint Security installed:
You can also find the GUID for your version of Kaspersky Endpoint Security for Windows in this article.