1. Sign in to your account on Kaspersky CompanyAccount.
2. Click New request → Submit a request to technical support.

3. Fill out the fields: Protection scope, Product, Product version.

If a cumulative patch is available for your application version, you will be recommended to download and install it.

1. Download the required version of Kaspersky Endpoint Security for Windows from the Kaspersky Security Center network folder or the Kaspersky website.
2. Unpack the application installation package if it was downloaded from the Kaspersky website.
3. Depending on how you create the installation package, do the following:
   • If you create the installation package based on the downloaded package, put the patch files in the folder together with Kaspersky Endpoint Security for Windows.
   • If you create an installation package based on the existing application package in Kaspersky Security Center, copy the patch files to the exec folder.
   When creating an installation package of KESW version 12.5 and later, in addition to the .msp patch file, also add the .kcat digital signature file that comes with the patch file in a ZIP archive.
   If the digital signature file is missing from the installation package, the following error will occur during installing the patch: “Error 27228: Signature file verification error”.
4. Create a new installation package based on the KUD file in the folder where the patch files are located.
5. Create a task to install the application together with the patch.

You can download the patch for your application version in Kaspersky CompanyAccount using these instructions.

1. Open Kaspersky Security Center.
2. Go to Advanced → Remote installation → Installation packages.
3. Click Create installation package.
4. Select Create an installation package for the specified executable file.
5. Enter a name for the package and click Next.

6. Click Browse and specify the path to the patch installation file in the .msp format.
   The patch must be located in a separate folder. When creating a patch installation package for KESW version 12.5 and later, the .kcat digital signature file, which is provided in a ZIP archive along with the patch file, must be in the folder as well.
   If the digital signature file is missing from the installation package, the following error will occur during installing the patch: “Error 27228: Signature file verification error”.
7. In the Executable file command line (optional) field, enter:

8. Select the check box Copy entire folder to the installation package and click Next.

9. Click Finish.

Locally through the Installation wizard

1. Run the executable file of the patch.
2. Follow the instructions in the Installation Wizard.

Locally through the command line in the silent mode

1. Open the command line on the client device.
2. Run the following command:

Remotely through Kaspersky Security Center

1. Open Kaspersky Security Center.
2. Go to Advanced → Remote installation → Installation packages.
3. Open the context menu of the created package and select Install application.
4. Choose one of the options:
   • Install on group of managed devices. Choose this option if you have already included devices in the administration groups.
   • Select devices for installation. Choose this option if you have no devices in administration groups, or if you need to install the application to specific devices.

5. Select devices or groups of devices on which the patches will be installed and click Next.
6. Select the Do not re-install application if it is already installed checkbox.

7. Follow the steps of the remote installation wizard.
8. At the Select accounts to access devices step, add the user account with the administrator permissions on selected devices and click Next.
9. Click Next → Finish.
10. Run the patch installation task.

To troubleshoot issues that may occur during installation or removal of the patch, get a log file:

1. On the client device, open:
   • The system folder where temporary files are located (during remote installation)
     e.g. C:\Windows\Temp
   • The folder where user’s temporary files are located (during local installation)
     e.g. C:\Users\Username\App Data\Local\Temp
2. Save the msi****.log files.

Locally

To get the list of patches installed on a managed device:

• Right-click the Kaspersky Endpoint Security icon on Windows taskbar.
• In the context menu, select About.
• Go to Start → Control Panel → Programs and Features and click View installed updates in the upper-left corner.

Remotely through Kaspersky Security Center

To get the list of patches installed in the network:

1. Open Kaspersky Security Center, select the Administration Server and go to the Reports tab.
2. Right-click Report on Kaspersky software versions and select Properties.

3. Go to the Fields tab.
4. Select the Installed checkbox in the Details fields and click OK.
5. Right-click Report on Kaspersky software versions and select Show report.

In the report, you will see the list of patches installed on the devices in the network.

To get the list of patches installed on a client device:

1. Open Kaspersky Security Center and go to Managed devices.
2. Open the properties of the device.
3. Go to Applications, select Kaspersky Endpoint Security for Windows and open its properties.

Information about installed patches will be displayed in the list of installed updates.

To view the list of devices on which a patch is installed:

1. Open Kaspersky Security Center and go to Device selections.
2. Click Advanced → Create a selection.

3. Enter a name for the selection and click ОК.
4. Click Selection properties.
5. Go to Conditions, choose the created selection and click Properties.

6. Go to Application, specify the Critical update name and click OK.

The search results will appear in the list of devices.

Locally through the installation wizard

1. Go to Control Panel → Programs and Features.
2. Click View installed updates in the upper-left corner.
3. In the context menu of the patch, click Delete.

Locally through the command line

1. Open the command line on the client device.
2. To remove the patch:
   msiexec /i {GUID KESW} MSIPATCHREMOVE={GUID PrivateFix} EULA=1 PRIVACYPOLICY=1 /qn
   Instead of {GUID KESW} and {GUID PrivateFix}, enter the relevant GUID for your application and patch version.

Remotely through Kaspersky Security Center from all devices in the network

1. In the Administration Console, go to Advanced → Application management → Software updates.
2. Configure the filter settings of the list to display the installed patches, in case they are hidden.
3. Open the properties of the patch to remove.
4. Select the status Declined in the Update approval drop-down list.

After running a task to update anti-virus databases, the patch will be removed from all devices in the network.

Remotely through Kaspersky Security Center from the selected device or group of devices

1. In the Administration Console, go to Advanced → Remote installation → Installation packages.
2. In the right frame, click Create installation package.
3. Select Create an installation package for the specified executable file.
4. Enter a name for the package and click Next.
5. Create a new .bat file and specify in it the command to remove the patch from the command line:
   msiexec /i {GUID KESW} MSIPATCHREMOVE={GUID PrivateFix} EULA=1 PRIVACYPOLICY=1 /qn
   Instead of {GUID KESW} and {GUID PrivateFix}, enter the relevant GUID for your application and patch version.
6. Save the file and go back to the Administration Console.
7. Click Browse and specify the path to the created .bat file
8. Click Next → Finish.
9. Create a remote installation task with this installation package for a device or a group of devices.
10. Run the task to remove the patch.

Patch GUID

To view the GUID from the patch file:

1. Open the properties of the installation file of the patch.
2. Go to the Details tab.

Information about the GUID will be displayed in the Edition line.

To view the GUID on a client device managed by Windows 10 or Windows Server 2019 and earlier:

1. Go to Control Panel → Programs and Features.
   
2. Click View installed updates in the upper-left corner.
3. Press Alt.
4. Go to View → Choose details.
5. Select the Update ID checkbox and click OK.

Information about the GUID will be displayed in the list of installed updates.

GUID KESW

To learn the KESW GUID, run the command below on the device with Kaspersky Endpoint Security installed:

You can also learn the GUID for your version of Kaspersky Endpoint Security for Windows in this article.