Kaspersky FDE in Endpoint Security for Windows: issues and limitations (for workstations only)
This article concerns:
- Kaspersky Endpoint Security 12.1.0 for Windows (version 12.1.0.506)
- Kaspersky Endpoint Security 12.0.0 for Windows (version 12.0.0.465)
- Kaspersky Endpoint Security 11.11.0 for Windows (version 11.11.0.452)
- Kaspersky Endpoint Security 11.10.0 for Windows (version 11.10.0.399)
- Kaspersky Endpoint Security 11.9.0 for Windows (version 11.9.0.351)
- Kaspersky Endpoint Security 11.8.0 for Windows (version 11.8.0.384)
- Kaspersky Endpoint Security 11.7.0 for Windows (version 11.7.0.669)
- Kaspersky Endpoint Security 11.6.0 for Windows (version 11.6.0.394)
- Kaspersky Endpoint Security 11.5.0 for Windows (version 11.5.0.590)
- Kaspersky Endpoint Security 11.4.0 for Windows (version 11.4.0.233)
- Kaspersky Endpoint Security 11.3.0 for Windows (version 11.3.0.773)
- Kaspersky Endpoint Security 11.2.0 for Windows (version 11.2.0.2254) Critical Fix 1
- Kaspersky Endpoint Security 11.2.0 for Windows (version 11.2.0.2254)
Upgrading Windows 10 on a computer encrypted with Kaspersky FDE
Starting with Windows 10 Anniversary Update (Redstone 1), the operating system can be upgraded while the boot drive is fully encrypted:
- Before upgrading Windows, copy the files cm_km.inf, cm_km.sys, klfde.cat, klfde.inf, klfde.sys, klfdefsf.cat, klfdefsf.inf, and klfdefsf.sys to a local folder (e.g. C:\fde_drivers).
- Run the upgrade installation with the /ReflectDrivers option and specify the folder that contains these drivers:
setup.exe /ReflectDrivers C:\fde_drivers
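The two steps above as a staging script that refuses to start the upgrade unless all eight driver files are present, copied intact, and validly signed. This is an added example, not a Kaspersky script; the `$DriverSource` and `$SetupPath` parameters are assumptions, because the article does not say where the driver files or the Windows setup media are located.

```powershell
# Added example, not Kaspersky's own script.
param(
    [Parameter(Mandatory)] [string] $DriverSource,  # folder holding the FDE driver files (assumption)
    [Parameter(Mandatory)] [string] $SetupPath,     # full path to Windows setup.exe (assumption)
    [string] $StagingDir = 'C:\fde_drivers'         # folder name used in the article
)
$ErrorActionPreference = 'Stop'

# The eight files the article lists.
$required = 'cm_km.inf', 'cm_km.sys', 'klfde.cat', 'klfde.inf', 'klfde.sys',
            'klfdefsf.cat', 'klfdefsf.inf', 'klfdefsf.sys'

New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null

$problems = foreach ($name in $required) {
    $src = Join-Path $DriverSource $name
    $dst = Join-Path $StagingDir $name
    if (-not (Test-Path -LiteralPath $src -PathType Leaf)) {
        "missing in source: $name"
        continue
    }
    Copy-Item -LiteralPath $src -Destination $dst -Force

    # Confirm the staged copy is byte-identical to the source file.
    $srcHash = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { "hash mismatch after copy: $name" }

    # Report any staged binary or catalog whose Authenticode status is not Valid.
    if ($name -match '\.(sys|cat)$') {
        $sig = Get-AuthenticodeSignature -LiteralPath $dst
        if ($sig.Status -ne 'Valid') { "signature status '$($sig.Status)': $name" }
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Driver staging incomplete; not starting the upgrade.'
}

# Everything is staged and verified: start the upgrade as the article shows.
& $SetupPath /ReflectDrivers $StagingDir
```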
Supported drive types
For information about Kaspersky Endpoint Security for Windows version 11.5.0 and later, see Online Help.
Kaspersky FDE is supported on the following device types:
- HDD, SSD, USB drives
- Drives connected through SCSI, ATA, IEEE 1394, USB, RAID, SAS, SATA, or NVMe buses.
- Built-in drives connected through SD or MMC buses.
- Drives with sector size of 512 bytes.
- Drives with sector size of 4096 bytes that emulate 512 bytes.
- Drives with the following partition types: GPT, MBR or VBR (removable disks).
Kaspersky FDE is compatible with SSD drives and includes features for retaining service and performance of SSD.
Kaspersky FDE is not supported on the following device types:
- Dynamic drives.
- Devices on which the loader is located on one drive and the operating system on another.
- Boot drive in the MBR format that has more than ten extended partitions.
- System with a swap file on a system drive.
- Multiboot system with several operating systems installed.
- A system on which third-party loaders have been installed.
- Drives with compressed NTFS directories.
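A pre-encryption check of the boot disk against the bus, sector-size and partition-style criteria listed above. This is an added example, not Kaspersky tooling; mapping the article's terms onto the properties returned by `Get-Disk` is an assumption of the example. It does not detect dynamic disks, multiboot setups, third-party loaders or compressed NTFS directories.

```powershell
# Added example, not Kaspersky tooling. The mapping of the article's criteria
# onto Get-Disk property values is an assumption of this example.
$supportedBus   = 'SCSI', 'ATA', '1394', 'USB', 'RAID', 'SAS', 'SATA', 'NVMe', 'SD', 'MMC'
$supportedStyle = 'GPT', 'MBR'

function Test-FdeDiskCriteria {
    param([Parameter(Mandatory)] $Disk)

    $reasons = @()
    if ($Disk.BusType -notin $supportedBus) {
        $reasons += "bus type '$($Disk.BusType)' is not in the supported list"
    }
    if ($Disk.PartitionStyle -notin $supportedStyle) {
        $reasons += "partition style '$($Disk.PartitionStyle)' is not GPT or MBR"
    }
    # 512-byte native drives and 4096-byte drives that emulate 512 bytes
    # both expose a 512-byte logical sector.
    if ($Disk.LogicalSectorSize -ne 512) {
        $reasons += "logical sector size is $($Disk.LogicalSectorSize), not 512"
    }

    [pscustomobject]@{
        Number         = $Disk.Number
        Name           = $Disk.FriendlyName
        Bus            = $Disk.BusType
        PartitionStyle = $Disk.PartitionStyle
        SectorSize     = "$($Disk.LogicalSectorSize) logical / $($Disk.PhysicalSectorSize) physical"
        MeetsCriteria  = ($reasons.Count -eq 0)
        Reasons        = $reasons -join '; '
    }
}

# Check the boot disk only; removable media (VBR) are outside this example.
Get-Disk | Where-Object IsBoot | ForEach-Object { Test-FdeDiskCriteria $_ } | Format-List
```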
Firmware support
For information about Kaspersky Endpoint Security for Windows version 11.5.0 and later, see Online Help.
Kaspersky FDE supports 2 types of firmware: UEFI 64-bit and Legacy BIOS.
UEFI 32-bit firmware is not supported.
UEFI: compatibility with Secure Boot
Secure Boot is a technology that checks the digital signatures of UEFI loaders and drivers. Secure Boot does not allow UEFI applications and drivers to run if they are unsigned or signed by unknown publishers.
Kaspersky FDE fully supports Secure Boot. Kaspersky FDE authentication agent loaders are signed by Microsoft with the Microsoft Windows UEFI Driver Publisher certificate.
Some devices (e.g. Microsoft Surface Pro or Microsoft Surface Pro 2) contain an outdated list of certificates for checking digital signatures. Before using Kaspersky FDE on such devices, you must update the list of certificates according to the vendor’s instructions.
UEFI: compatibility with Fast Boot
Fast Boot is a technology that speeds up loading of the operating system. When Fast Boot is enabled, only the minimum set of UEFI drivers required for the operating system startup is loaded. When Fast Boot is enabled, USB keyboards, mice, USB tokens, as well as touchpads and touchscreens, may not work.
We recommend that you disable Fast Boot if you want to use Kaspersky FDE. Before encrypting your drives, use FDE Test Utility to check the compatibility of such devices.
Limitations of encryption support on some devices
For information about Kaspersky Endpoint Security for Windows version 11.5.0 and later, see Online Help.
Kaspersky FDE is not supported on the following device types:
- In Kaspersky Endpoint Security for Windows version 11.1.0–11.4.0:
  - Dell Latitude E6410 (UEFI mode)
  - HP Compaq nc8430 (Legacy BIOS mode)
  - Lenovo ThinkCentre 8811 (Legacy BIOS mode)
- In Kaspersky Endpoint Security for Windows version 11.0.0 and 11.0.1:
  - Dell Latitude E6410 (UEFI mode)
  - HP Compaq nc8430 (Legacy BIOS mode)
  - HP Z200 Workstation (Legacy BIOS mode)
  - Lenovo ThinkCentre 8811 (Legacy BIOS mode)
  - Lenovo Miix 700-12ISK (80QL) (Legacy BIOS mode)
  - Lenovo Yoga 500-14ISK (80R5) (Legacy BIOS mode)
To use Kaspersky FDE on the following device models in the Legacy BIOS mode, we recommend that you enable the Use Legacy USB Support option:
- Acer Aspire 5560G
- Acer Aspire 6930
- Acer TravelMate 8572T
- Dell Inspiron 1420
- Dell Inspiron 1545
- Dell Inspiron 1750
- Dell Inspiron N4110
- Dell Latitude E4300
- Dell Studio 1537
- Dell Studio 1569
- Dell Vostro 1310
- Dell Vostro 1320
- Dell Vostro 1510
- Dell Vostro 1720
- Dell Vostro V13
- Dell XPS L502x
- Fujitsu Celsius W370
- Fujitsu LifeBook A555
- HP Compaq dx2450 Microtower PC
- Lenovo G550
- Lenovo ThinkPad L530
- Lenovo ThinkPad T510
- Lenovo ThinkPad W540
- Lenovo ThinkPad X121e
- Lenovo ThinkPad X200s (74665YG)
- Samsung R530
- Toshiba Satellite A350
- Toshiba Satellite U400 10O
- MSI 760GM-E51 (motherboard)
The Kaspersky FDE authentication agent does not support USB tokens when Use Legacy USB Support is enabled. On workstations, only password authentication is possible.
Supported USB tokens and smart cards
For information about Kaspersky Endpoint Security for Windows version 11.5.0 and later, see Online Help.
USB tokens
- SafeNet eToken PRO 64K (4.2b)
- SafeNet eToken PRO 72K Java
- SafeNet eToken 4100-72K (Java)
- SafeNet eToken 5100
- SafeNet eToken 5105
- SafeNet eToken 7300
- EMC RSA SID 800
- Gemalto IDPrime.NET 510
- Gemalto IDPrime.NET 511
- ruToken ECP
- ruToken ECP Flash
- Aladdin-RD JaCarta PKI
- Athena IDProtect Laser
Smart cards
- SafeNet eToken PRO 72K Java
- Aladdin-RD JaCarta PKI
Supported keyboard layouts
For information about Kaspersky Endpoint Security for Windows version 11.5.0 and later, see Online Help.
The Kaspersky FDE authentication agent supports the following keyboard layouts:
- English (United Kingdom)
- English (United States)
- French (Switzerland)
- German (Germany/Austria)
- French (France)
- German (Switzerland)
- Portuguese (Brazil; ABNT2 keyboards)
- Spanish (Latin America)
- Arabic (102) AZERTY (Algeria, Morocco, SA, Tunisia)
- Italian (Italy)
- Turkish (Turkish Q)
- Japanese QWERTY (106 Japanese)
- AZERTY BE
- Russian 105-key (ЙЦУКЕН) IBM/Windows
Other limitations of Kaspersky FDE
For information about Kaspersky Endpoint Security for Windows version 11.5.0 and later, see Online Help.
- On Windows 7, it is impossible to change the password when restoring a hard drive encrypted with BitLocker. After the restore key is entered and the operating system is loaded, Kaspersky Endpoint Security for Windows does not prompt you to change the password or PIN code. The issue is caused by operating system limitations. To continue, re-encrypt the hard drive.
- Kaspersky FDE is incompatible with other full-disk encryption technologies (e.g. BitLocker, McAfee Drive Encryption, WinMagic SecureDoc).
- Kaspersky FDE is incompatible with the Intel® Rapid Start technology.
- Kaspersky FDE is incompatible with the Express Cache technology.
- Creating, deleting and editing of encrypted drive partitions is not supported. The user can lose their data.
- File systems formatting is not supported. The user can lose their data.
- Formatting devices encrypted with Kaspersky FDE on a computer with Kaspersky Endpoint Security 11.x for Windows is not supported.
  - If you need to format a device encrypted with Kaspersky FDE, perform the formatting on a computer where Kaspersky Endpoint Security for Windows is not installed, and use full formatting only.
  - An encrypted device that was formatted with quick formatting may be identified as encrypted the next time it is connected to a computer with Kaspersky Endpoint Security for Windows. User files will be unavailable.
- Kaspersky FDE authentication agent supports no more than 100 user accounts.
- The Single Sign-On feature of Kaspersky FDE is incompatible with similar third-party solutions.
View a full list of known Kaspersky FDE encryption limitations for:
- Kaspersky Endpoint Security 12.1.0 for Windows
- Kaspersky Endpoint Security 12.0.0 for Windows
- Kaspersky Endpoint Security 11.11.0 for Windows
- Kaspersky Endpoint Security 11.10.0 for Windows
- Kaspersky Endpoint Security 11.9.0 for Windows
- Kaspersky Endpoint Security 11.8.0 for Windows
- Kaspersky Endpoint Security 11.7.0 for Windows
- Kaspersky Endpoint Security 11.6.0 for Windows
- Kaspersky Endpoint Security 11.5.0 for Windows
- Kaspersky Endpoint Security 11.4.0 for Windows
- Kaspersky Endpoint Security 11.3.0 for Windows
- Kaspersky Endpoint Security 11.2.0 for Windows