
Step by step to create Encryption Policy for managed Windows machines.


Posted

Guys, good afternoon!

I need help again on how to create an encryption policy for Windows machines in the domain (managed).

We use local Kaspersky (local console).

I also need to know how to manage these encryption keys in cases where they need to be decrypted.

Thank you in advance.

Tahmeed702
Posted
15 hours ago, Rodh_oliver said:

Guys, good afternoon!

I need help again on how to create an encryption policy for Windows machines in the domain (managed).

We use local Kaspersky (local console).

I also need to know how to manage these encryption keys in cases where they need to be decrypted.

Thank you in advance.

1. Creating an Encryption Policy

Kaspersky Endpoint Security for Windows (KES) includes Full Disk Encryption (FDE) or File-Level Encryption capabilities, depending on your license. Here’s how to configure it:

Step 1: Open the Kaspersky Security Center Console

    Launch the Kaspersky Security Center Administration Console.

    Navigate to Policies > Your Managed Group (e.g., the Active Directory OU where your machines reside).

Step 2: Create a New Policy

    Right-click your managed group and select Create Policy > Kaspersky Endpoint Security for Windows.

    Name the policy (e.g., "Domain Encryption Policy").

Step 3: Configure Encryption Settings

    Go to the Encryption section in the policy settings.

        Enable Full Disk Encryption (FDE):

            Select the drives to encrypt (system drive, fixed drives, etc.).

            Choose the encryption algorithm (e.g., AES-256).

            Configure pre-boot authentication (e.g., password, USB key, or integration with Active Directory credentials).

        File-Level Encryption:

            Define rules for encrypting specific files/folders (if applicable).

Step 4: Deploy the Policy

    Assign the policy to the target group of machines in your domain.

    Ensure the policy is applied to all managed devices.

2. Managing Encryption Keys

Kaspersky stores encryption keys securely, but you must plan for recovery scenarios (e.g., forgotten passwords, hardware failure).

Step 1: Recovery Key Storage

    Kaspersky Key Storage:

        Encryption keys are stored in the Kaspersky Security Center database by default.

        To retrieve keys:

            In the KSC console, go to Devices > select the target machine.

            Navigate to Encryption > Recovery Keys.

            Export and securely store the recovery key (e.g., in a password vault).

    Active Directory Integration (Optional):

        Configure Kaspersky to store recovery keys in Active Directory (if integrated). This allows centralized management via AD attributes.

Step 2: Decrypting a Machine

    Via the KSC Console:

        Right-click the encrypted device > Decrypt Disk.

        Authenticate using admin credentials or a recovery key.

    Using a Recovery Key:

        Boot the machine and enter pre-boot authentication mode.

        Select the recovery option and input the recovery key (manually or via a USB file).

Step 3: Key Backup Best Practices

    Export and back up recovery keys to a secure, offline location (e.g., a hardware security module or encrypted storage).

    Restrict access to keys to authorized admins only.

3. Additional Considerations

    Pre-Boot Authentication: Ensure compatibility with your domain environment (e.g., AD credentials for seamless login).

    Disaster Recovery: Test decryption workflows regularly.

    Audit Logs: Use KSC reports to monitor encryption status and key usage.

Troubleshooting

    If a machine is unbootable after encryption, use the Kaspersky Rescue Disk (bootable USB) to decrypt it with the recovery key.

    Ensure the Kaspersky Security Center server and clients are updated to the latest version (e.g., 12.8).

Let me know if you need further clarification on specific steps! 😊

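The "Key Backup Best Practices" step above says to export recovery keys to a restricted location and limit access to authorized admins. The PowerShell script below is an added example of enforcing and checking that on the staging folder where exported keys are kept; it is not code from the thread, from Kaspersky, or from KSC. The folder path (D:\RecoveryKeys), the admin group name (CORP\Encryption-Admins), and the manifest file name are placeholders to adjust; the script treats exported key files generically, since the thread does not describe Kaspersky's export format.

```powershell
# Added example (not part of the thread or of any Kaspersky product).
# Assumed/hypothetical values: $KeyStore is where recovery keys exported from the
# KSC console are staged; $AdminGroup is the domain group allowed to handle them.
param(
    [string]$KeyStore   = 'D:\RecoveryKeys',        # placeholder path
    [string]$AdminGroup = 'CORP\Encryption-Admins'  # placeholder group
)

# Only these principals should appear in the folder's DACL.
$AllowedIdentities = @($AdminGroup, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Protect-KeyStore {
    # Break ACL inheritance and replace the DACL with Full Control for the allowed identities only.
    param([string]$Path, [string[]]$Identities)
    if (-not (Test-Path -Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    # $true = protect from inheritance, $false = discard inherited ACEs instead of copying them
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any explicit ACEs that were already present
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    foreach ($id in $Identities) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-KeyStoreAccess {
    # Returns $true only if inheritance is blocked and no ACE grants access to anyone outside the list.
    param([string]$Path, [string[]]$Identities)
    $acl = Get-Acl -Path $Path
    $unexpected = @($acl.Access | Where-Object { $Identities -notcontains $_.IdentityReference.Value })
    foreach ($ace in $unexpected) {
        Write-Warning ("Unexpected ACE on {0}: {1} {2} {3}" -f $Path,
            $ace.IdentityReference, $ace.AccessControlType, $ace.FileSystemRights)
    }
    return ($acl.AreAccessRulesProtected -and $unexpected.Count -eq 0)
}

function New-KeyManifest {
    # Write a SHA-256 manifest of the exported files so tampering or silent corruption
    # of a backed-up key can be detected before it is needed in a recovery.
    param([string]$Path)
    $manifestName = 'manifest.sha256'           # placeholder name
    $manifest = Join-Path -Path $Path -ChildPath $manifestName
    Get-ChildItem -Path $Path -File | Where-Object { $_.Name -ne $manifestName } |
        ForEach-Object { '{0}  {1}' -f (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash, $_.Name } |
        Set-Content -Path $manifest -Encoding ASCII
    return $manifest
}

function Test-KeyManifest {
    # Re-hash every file listed in the manifest and report the ones that no longer match.
    param([string]$Path)
    $manifest = Join-Path -Path $Path -ChildPath 'manifest.sha256'
    $bad = @()
    foreach ($line in Get-Content -Path $manifest) {
        $expected, $name = $line -split '\s{2}', 2
        $file = Join-Path -Path $Path -ChildPath $name
        if (-not (Test-Path -Path $file) -or
            (Get-FileHash -Path $file -Algorithm SHA256).Hash -ne $expected) { $bad += $name }
    }
    return $bad
}

# Usage: harden the folder, verify the result, then record hashes of whatever is staged there.
Protect-KeyStore -Path $KeyStore -Identities $AllowedIdentities
if (Test-KeyStoreAccess -Path $KeyStore -Identities $AllowedIdentities) {
    $m = New-KeyManifest -Path $KeyStore
    Write-Host "Key store hardened; manifest written to $m"
    $changed = Test-KeyManifest -Path $KeyStore
    if ($changed.Count -gt 0) { Write-Warning ("Files differ from manifest: {0}" -f ($changed -join ', ')) }
} else {
    Write-Warning 'Key store ACL is not restricted as expected; do not place recovery keys here yet.'
}
```

Run it from an elevated session as a member of the admin group so that the account applying the ACL keeps access afterwards. Test-KeyStoreAccess is the check worth scheduling: an unexpected ACE or re-enabled inheritance on the key folder is exactly the change you want flagged, and Test-KeyManifest catches a corrupted or replaced key file before a recovery depends on it.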
Renan Corassa
Posted

Dear Sir, Kaspersky's documentation is very clear regarding the procedure. With a little patience it will be easier to read and interpret for good applicability.
