This section describes how to enable File Level Encryption and Full Disk Encryption in Kaspersky Endpoint Security for Windows installed on Windows-based managed devices. These types of encryption prevent the leakage of sensitive data when a corporate device is lost or stolen. When data encryption is used on corporate devices, an unauthorized user cannot access the encrypted files. For more information about File Level Encryption and Full Disk Encryption, see the Kaspersky Endpoint Security for Windows Help.
Before you enable data encryption, make sure that the following prerequisites are met:
You have purchased the Kaspersky Endpoint Security for Business Advanced or Kaspersky Total Security for Business license. If you use Kaspersky Endpoint Security for Business Select, upgrade it. Kaspersky Endpoint Security for Business Select does not support data encryption.
Kaspersky Endpoint Security for Windows with Strong encryption (AES256) is installed on your managed devices. If Kaspersky Endpoint Security for Windows with Lite encryption (AES56) is installed instead, reinstall the application. To do this, create an installation package, and then run the Install application remotely task. Use the distribution package that includes Strong encryption (AES256).
To enable data encryption on managed devices:
In Kaspersky Security Center, in the MMC-based Administration Console, go to the Tasks section.
Click the New task button.
The New Task Wizard opens.
Select the Change application components task for Kaspersky Endpoint Security for Windows.
Creating a task to change components of Kaspersky Endpoint Security for Windows
In the Data encryption section, keep the default options enabled, and then select the following options:
File Level Encryption (For workstations only)
Full Disk Encryption (For workstations only)
These options define the components that are to be added to Kaspersky Endpoint Security for Windows.
Adding the data encryption components to Kaspersky Endpoint Security for Windows
Click the Select networked devices detected by Administration Server button to specify client devices on which the new components are to be installed.
Selecting a group of client devices on which the data encryption components are to be installed
Select the managed devices on which you want to enable File Level Encryption and Full Disk Encryption. If the list does not contain the devices you need, click the Add button to add them to the list.
Selecting managed devices where you want to enable data encryption
Specify a schedule to run the task to enable data encryption:
The task runs after updates are downloaded to the repository. You do not need to download updates to run the task for enabling data encryption, so you may select another option.
The task runs after a Virus outbreak event occurs. Select the types of applications that monitor virus outbreaks from the list below:
Anti-virus for workstations and file servers
Anti-virus for perimeter defense
Anti-virus for mail systems
By default, all application types are selected.
Because Kaspersky Endpoint Security for Windows is an application for workstations and file servers, you can clear the selection of the application types that do not apply.
The current task starts after another task completes. You can select how the previous task should be completed (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the task for enabling data encryption.
This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.
If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If you specified the Manually or Once value in the task schedule, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.
If this option is disabled, only scheduled tasks run on client devices. For the Manually or Once values in the schedule, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.
If this option is enabled, the task starts on client devices at random times within a specified time interval (a distributed task start). A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.
The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task always starts at the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.
If this option is disabled, the task starts on client devices according to the schedule.
If this option is enabled, the task starts on client devices at random times within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.
If this option is disabled, the task starts on client devices according to the schedule.
By default, this option is disabled. The default time interval is one minute.
Configuring the task schedule
Specify the task name. You can keep the default name.
Specifying the task name
Select the Run the task after the wizard finishes option, and then finish the New Task Wizard.
Finishing the New Task Wizard and launching the created task
After you have created the task, it appears in the Tasks section. You can click the task to check its status.
Checking the task status
When the task has completed successfully, make sure that Kaspersky Endpoint Security for Windows installed on your managed devices has the File Level Encryption and Full Disk Encryption features. To do this, view the encryption status.
As a result, the File Level Encryption and Full Disk Encryption components are enabled in Kaspersky Endpoint Security for Windows on your managed devices. Now, you can encrypt your files and start Kaspersky Disk Encryption. If you encounter technical problems while enabling data encryption in Kaspersky Security Center, contact technical support.