KAV licenses have expired on the endpoint or are displaying as expired on the VSA:
While there are many reasons this may occur, the most common is that the Kaspersky uninstall password (which is created upon installation) did not successfully write itself to the registry. This most commonly occurs during upgrades from KAV6 to KAV10.
Because the VSA sends an uninstall password with its license command, the endpoint rejects it every time because it is expecting a "null" password due to the key being missing.
You can verify this by navigating to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\protected\KES10\settings or HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\KES10\settings (if 32-bit OS) and finding the OPEP key:
This key holds the encrypted version of your uninstall password that was set on the VSA:
If this key is blank, then you are experiencing this issue.
The fix for this issue is pretty straightforward, you need only re-add the encrypted uninstall password to the OPEP key. However, often this is not possible due to Kaspersky's self-protection being enabled and, unfortunately, cannot be disabled as there is no password in place so when disabling the feature, no password will successfully pass. That being said, you can work around this by booting into Safe Mode and modifying the registry.
An agent procedure that automates this process has been created and is attached to this KB.
First, create a folder called "Safe Mode" in your Shared Managed Files Directory:
Next, upload the two attached .bat files into this directory.
Next, import the attached agent procedure to your VSA:
Finally, select the "0-Run all steps" procedure and run it on the affected agents:
Note: This procedure will cause your endpoint to reboot twice. After the reboot is complete, your endpoint should correctly receive a license.