The application creates service files during encryption. Around 0.5% of non-fragmented free space on the hard drive is required to store them. If there is not enough non-fragmented free space on the hard drive, encryption will not start until enough space is freed up.
You can manage all data encryption components in the Kaspersky Security Center Administration Console and in the Kaspersky Security Center Web Console. In the Kaspersky Security Center Cloud Console, you can only manage Bitlocker.
Data encryption is available only when using Kaspersky Endpoint Security with the Kaspersky Security Center administration system or the Kaspersky Security Center Cloud Console (BitLocker only). Data Encryption when using Kaspersky Endpoint Security in offline mode is not possible because Kaspersky Endpoint Security stores encryption keys in Kaspersky Security Center.
If Kaspersky Endpoint Security is installed on a computer running Microsoft Windows for Servers, only full disk encryption using BitLocker Drive Encryption technology is available. If Kaspersky Endpoint Security is installed on a computer running Windows for Workstations, data encryption functionality is fully available.
Full disk encryption using Kaspersky Disk Encryption technology is unavailable for hard drives that do not meet the hardware and software requirements.
Compatibility between the full disk encryption functionality of Kaspersky Endpoint Security and Kaspersky Anti-Virus for UEFI is not supported. Kaspersky Anti-Virus for UEFI starts before the operating system loads. When using full disk encryption, the application will detect the absence of an installed operating system on the computer. As a result, the operation of Kaspersky Anti-Virus for UEFI will end with an error. File Level Encryption (FLE) does not affect the operation of Kaspersky Anti-Virus for UEFI.
Kaspersky Endpoint Security supports the following configurations:
HDD, SSD, and USB drives.
Kaspersky Disk Encryption (FDE) technology supports working with SSD while preserving the performance and service life of SSD drives.
Drives with 4096-byte sectors that emulate 512 bytes.
Drives with the following type of partitions: GPT, MBR, and VBR (removable drives).
Embedded software of the UEFI 64 and Legacy BIOS standard.
Embedded software of the UEFI standard with Secure Boot support.
Secure Boot is a technology designed to verify digital signatures for UEFI loader applications and drivers. Secure Boot blocks the startup of UEFI applications and drivers that are unsigned or signed by unknown publishers. Kaspersky Disk Encryption (FDE) fully supports Secure Boot. Authentication Agent is signed by a Microsoft Windows UEFI Driver Publisher certificate.
On some devices (for example, Microsoft Surface Pro and Microsoft Surface Pro 2), an out-of-date list of digital signature verification certificates may be installed by default. Prior to encrypting the drive, you need to update the list of certificates.
Embedded software of the UEFI standard with Fast Boot support.
Fast Boot is a technology that helps the computer start up faster. When Fast Boot technology is enabled, normally the computer loads only the minimum set of UEFI drivers required for starting the operating system. When Fast Boot technology is enabled, USB keyboards, mice, USB tokens, touchpads and touchscreens may not work while Authentication Agent is running.
To use Kaspersky Disk Encryption (FDE), it is recommended to disable Fast Boot technology. You can use the FDE Test Utility to test the operation of Kaspersky Disk Encryption (FDE).
Kaspersky Endpoint Security does not support the following configurations:
The boot loader is located on one drive while the operating system is on a different drive.
The system contains embedded software of the UEFI 32 standard.
The system has Intel® Rapid Start Technology and drives that have a hibernation partition even when Intel® Rapid Start Technology is disabled.
Drives in MBR format with more than 10 extended partitions.
The system has a swap file located on a non-system drive.
Multiboot system with multiple simultaneously installed operating systems.
Dynamic partitions (only primary partitions are supported).
Drives with less than 0.5% free unfragmented disk space.
Drives with a sector size different from 512 bytes or 4096 bytes that emulate 512 bytes.
Hybrid drives.
The system has third-party loaders.
Drives with compressed NTFS directories.
Kaspersky Disk Encryption (FDE) technology is incompatible with other full disk encryption technologies (such as BitLocker, McAfee Drive Encryption, and WinMagic SecureDoc).
Kaspersky Disk Encryption (FDE) technology is incompatible with ExpressCache technology.
Creating, deleting, and modifying partitions on an encrypted drive is not supported. You could lose data.
File system formatting is not supported. You could lose data.
If you need to format a drive that was encrypted with Kaspersky Disk Encryption (FDE) technology, format the drive on a computer that does not have Kaspersky Endpoint Security for Windows and use only full disk encryption.
An encrypted drive that is formatted with the quick format option may be mistakenly identified as encrypted the next time it is connected to a computer that has Kaspersky Endpoint Security for Windows installed. User data will be unavailable.
Authentication Agent supports no more than 100 accounts.
Single Sign-On technology is incompatible with other technologies of third-party developers.
Kaspersky Disk Encryption (FDE) technology is not supported on the following models of devices:
Dell Latitude E6410 (UEFI mode)
HP Compaq nc8430 (Legacy BIOS mode)
Lenovo Think Center 8811 (Legacy BIOS mode)
Authentication Agent does not support working with USB tokens when Legacy USB Support is enabled. Only password-based authentication will be possible on the computer.
When encrypting a drive in Legacy BIOS mode, you are advised to enable Legacy USB Support on the following models of devices: