
Antipova Anna
Posted


What is the role of Kaspersky in BitLocker encryption process ?

Basically, KES BitLocker management is a COM object that is registered in the system and changes the BitLocker component's settings in accordance with the settings specified in the KES policy. Afterwards it stores the recovery data received from the BitLocker component on the KSC side. It also provides error reporting and verifies that the settings specified in the policy are left intact, returning errors if this is not the case.

You can manage BitLocker using a number of tools and approaches; KES is just one of them, and it shares the same principles with the rest. You can enable BitLocker manually, using GPO, using Microsoft's native solutions, using various similar 3rd-party solutions, or using KES BitLocker management. Each of these has its own pros and cons.

Is there a guide for recovery by means of AD in case of Kaspersky BitLocker encryption?

KES only enables encryption (changes the settings of the component), stores the recovery data received from it, and reports the status; that's it.

Naturally, BitLocker recovery data can be stored not only in KSC but also in AD and in other BitLocker management tools.

Storing keys in AD is possible, for example like this: https://blogs.technet.microsoft.com/askcore/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7/ but this has nothing to do with the functionality of Kaspersky products.

What happens if Kaspersky Security Center is down or not reachable and I need the recovery key for Kaspersky BitLocker encryption?

In this case the recovery keys stored in this KSC will not be available either. A valid KSC backup containing the recovery keys should be used for recovery in this case.

Is there a way to export all recovery keys at once for all encrypted devices?

It is not possible to export recovery keys in bulk from KSC, to a txt file for example. This data is stored in a protected (encrypted) format in the KAV db and can be extracted only via the KES management plugin in the KSC console, individually for each host.

Is there an approximate algorithm for the initial implementation of BitLocker encryption using KES management?

  1. Make sure that the encrypted hosts will be serviced by a healthy KSC infrastructure (backups are performed regularly, there are no errors in the Kaspersky Event log that need to be addressed, the database is healthy with plenty of room for growth, there are no cloned hosts, etc.).
  2. Create a scope of devices for KES BitLocker implementation testing, consisting of devices that represent the most widespread hardware and software configurations used in your enterprise. The devices should have default firmware settings configured on them.
  3. Attach to the test devices as many peripheral devices as possible (again, the most widespread configurations that are likely to be attached to encrypted devices during regular usage): USB headsets, dongles, external flash drives, tokens, card readers, etc.
  4. Deploy KES BitLocker management and encrypt the devices using the actual KES version on a limited scope of test devices in production. Use the desired BitLocker configuration that is expected to be used in production.
  5. Monitor the user experience on the test devices in the actual production environment during the pilot period. Make sure that they were encrypted successfully and there are no errors, that recovery data is available for all test hosts, and that the data can be successfully recovered from those devices using the recovery procedures (especially for devices with multiple hard drives: check that both drives can be unlocked, assuming access to the data is lost completely and the BitLocker password is forgotten). Also make sure that the procedure itself is well documented and clearly understood by the local IT staff who will execute it in production.
  6. Prohibit end users from adjusting firmware settings on the hosts with encryption, prior to deploying encryption to the whole set of devices in production, by setting a BIOS password, for example.
  7. Deploy to production.
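Step 5 calls for confirming that every drive on each pilot host is fully encrypted and has recovery data before you rely on the KSC-side copy. The following PowerShell audit is an added example (not Kaspersky's or Microsoft's code) that checks this per volume and can optionally escrow the recovery password to AD as the second copy discussed above. It assumes an elevated session on the host with the built-in BitLocker module; the switch name $BackupToAD and the variable $report are my own.

```powershell
# Added example (not Kaspersky code): audit every BitLocker volume on a pilot host.
# Assumes: elevated session; built-in BitLocker module (Get-BitLockerVolume,
# Backup-BitLockerKeyProtector); for -BackupToAD the host is domain-joined and the
# AD schema/GPO for storing BitLocker recovery information is already in place.
param(
    [switch]$BackupToAD   # also escrow each recovery password to AD as a second copy
)

$report = foreach ($vol in Get-BitLockerVolume) {
    # Recovery passwords are what an operator needs when the TPM/PIN path fails.
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    $problems = @()
    if ($vol.VolumeStatus -ne 'FullyEncrypted') { $problems += "status=$($vol.VolumeStatus)" }
    if ($vol.ProtectionStatus -ne 'On')          { $problems += "protection=$($vol.ProtectionStatus)" }
    if ($recovery.Count -eq 0)                   { $problems += 'no RecoveryPassword protector' }

    if ($BackupToAD -and $recovery.Count -gt 0) {
        foreach ($rp in $recovery) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
            } catch {
                $problems += "AD backup failed for $($rp.KeyProtectorId): $($_.Exception.Message)"
            }
        }
    }

    # One row per volume, so multi-drive hosts (step 5) show every drive separately.
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        MountPoint         = $vol.MountPoint
        VolumeType         = $vol.VolumeType
        Status             = $vol.VolumeStatus
        Protection         = $vol.ProtectionStatus
        RecoveryProtectors = $recovery.Count
        Problems           = ($problems -join '; ')
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code so a scheduled task or pilot checklist can flag the host.
if ($report | Where-Object { $_.Problems }) { exit 1 } else { exit 0 }
```

Run it on each pilot host and keep the output with the pilot documentation; a row with anything in the Problems column means that host is not ready for the production rollout.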
