Dell Endpoint Security Suite Enterprise Advanced Installation Guide v3.8

Encryption

  • If a self-signed certificate is used on the Dell Server, certificate trust validation must remain disabled on the Windows client computer (trust validation is disabled by default with Dell Server). Before enabling trust validation on the client computer, the following requirements must be met.

    • A certificate signed by a root authority, such as EnTrust or Verisign, must be imported into Dell Server.
    • The full chain of trust of the certificate must be stored in the Microsoft keystore on the client computer.
    • To enable trust validation for Encryption, change the value of the following registry entry to 0 on the target computer.

      [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]

      "IgnoreCertErrors"=DWORD:00000000

      0 = Fail if a certificate error is encountered

      1 = Ignore errors
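A client-side readiness check for the trust-validation switch above, added here as an example and not part of the Dell guide: it builds the chain of an exported Dell Server certificate in the machine context, confirms the root is present in LocalMachine\Root, and only then (when run with -Enable) sets IgnoreCertErrors to 0. The certificate file path is a placeholder; the registry path and value name are the ones documented above.

```powershell
# Added example; not part of the Dell guide. Checks, on the client, that an exported
# Dell Server certificate chains to a root present in the machine store, and only
# then (with -Enable) sets IgnoreCertErrors to 0 so that certificate errors fail.
# Assumptions: $ServerCertPath is a placeholder for a .cer exported from the server;
# the registry path and value name are the ones documented on this page.
function Test-DellServerCertTrust {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ServerCertPath,
        [switch] $Enable      # without it the function only reports
    )
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ServerCertPath)
    # $true selects the machine context, i.e. the stores the client service consults,
    # rather than the stores of the user running this script.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'      # local chain-building check only
    $built = $chain.Build($cert)

    $rootInMachineStore = $false
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootInMachineStore = Test-Path -Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
    }
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    $current = (Get-ItemProperty -Path $regPath -Name IgnoreCertErrors -ErrorAction SilentlyContinue).IgnoreCertErrors
    if ($null -eq $current) { $current = 'not set (validation disabled by default)' }

    $result = [pscustomobject]@{
        Subject            = $cert.Subject
        SelfSigned         = $selfSigned
        ChainBuilt         = $built
        ChainErrors        = (@($chain.ChainStatus) | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        RootInMachineStore = $rootInMachineStore
        IgnoreCertErrors   = $current
        ReadyToEnable      = ($built -and $rootInMachineStore -and -not $selfSigned)
    }

    if ($Enable) {
        if (-not $result.ReadyToEnable) {
            Write-Warning 'Chain of trust not in place on this client; IgnoreCertErrors left unchanged.'
        } elseif ($PSCmdlet.ShouldProcess($regPath, 'Set IgnoreCertErrors = 0 (fail on certificate error)')) {
            Set-ItemProperty -Path $regPath -Name IgnoreCertErrors -Value 0 -Type DWord
            $result.IgnoreCertErrors = 0
        }
    }
    $result
}

# Dry run first; drop -WhatIf once the report shows ReadyToEnable = True:
# Test-DellServerCertTrust -ServerCertPath 'C:\Temp\dell-server.cer' -Enable -WhatIf
```

Run it from an elevated prompt, since the key lives under HKLM. A self-signed server certificate is reported but never enables validation, which matches the requirement above that the Dell Server hold a certificate issued by a root authority.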

  • To create an Encryption Removal Agent log file, create the following registry entry on the computer targeted for decryption. See (Optional) Create an Encryption Removal Agent Log File.

    [HKLM\Software\Credant\DecryptionAgent]

    "LogVerbosity"=DWORD:2

    0: no logging

    1: logs errors that prevent the service from running

    2: logs errors that prevent complete data decryption (recommended level)

    3: logs information about all decrypting volumes and files

    5: logs debugging information

  • To disable prompting the user to reboot their computer after the Encryption Removal Agent finishes its final state in the decryption process, modify the following registry value or modify the Force Reboot on Update policy in the Management Console.

    [HKLM\Software\Dell\Dell Data Protection]

    "ShowDecryptAgentRebootPrompt"=DWORD

    1 = enabled (displays prompt)

    0 = disabled (hides prompt)

  • By default, during installation, the notification area icon is displayed. Use the following registry setting to hide the notification area icon for all managed users on a computer after the original installation. Create or modify the registry setting:

    [HKLM\Software\CREDANT\CMGShield]

    "HIDESYSTRAYICON"=DWORD:1

  • By default, all temporary files in the c:\windows\temp directory are automatically deleted during installation. Deletion of temporary files speeds initial encryption and occurs before the initial encryption sweep.

    However, if your organization uses a third-party application that requires the file structure within the \temp directory to be preserved, you should prevent this deletion.

    To disable temporary file deletion, create or modify the registry setting as follows:

    [HKLM\SOFTWARE\CREDANT\CMGShield]

    "DeleteTempFiles"=REG_DWORD:0

    Not deleting temporary files increases initial encryption time.

  • Encryption displays each policy update delay prompt for five minutes. If the user does not respond to the prompt, the next delay begins. The final delay prompt includes a countdown and progress bar, and it displays until the user responds or the final delay expires and the required logoff/reboot occurs.

    You can change the behavior of the prompt that asks the user to begin or delay encryption so that, when the user does not respond, encryption processing is delayed rather than started. To do this, set the value:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]

    "SnoozeBeforeSweep"=DWORD:1

    Any non-zero value changes the default behavior to snooze. With no user interaction, encryption processing is delayed up to the number of configurable allowed delays. Encryption processing begins when the final delay expires.

    Calculate the maximum possible delay as follows (a maximum delay would involve the user never responding to a delay prompt, each of which displays for 5 minutes):

    (NUMBER OF POLICY UPDATE DELAYS ALLOWED × LENGTH OF EACH POLICY UPDATE DELAY) + (5 MINUTES × [NUMBER OF POLICY UPDATE DELAYS ALLOWED - 1])

  • Use the registry setting to have Encryption poll the Dell Server for a forced policy update. Create or modify the registry setting:

    [HKLM\SOFTWARE\Credant\CMGShield\Notify]

    "PingProxy"=DWORD value:1

    The registry setting automatically disappears when done.

  • Use the registry settings to allow Encryption to send an optimized, full (activated and unactivated users), or full (activated users only) inventory to the Dell Server.

    • Send Optimized Inventory to Dell Server:

      Create or modify the registry setting:

      [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]

      "OnlySendInvChanges"=REG_DWORD:1

      If no entry is present, optimized inventory is sent to the Dell Server.

    • Send Full Inventory to Dell Server:

      Create or modify the registry setting:

      [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]

      "OnlySendInvChanges"=REG_DWORD:0

      If no entry is present, optimized inventory is sent to the Dell Server.

    • Send Full Inventory for All Activated Users

      [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]

      "RefreshInventory"=REG_DWORD:1

      This entry is deleted from the registry as soon as it is processed. The value is saved in the vault, so even if the computer is rebooted before the inventory upload takes place, Encryption still honors this request at the next successful inventory upload.

      This entry supersedes the OnlySendInvChanges registry value.

  • Slotted Activation is a feature that allows you to spread activations of clients over a set time period to ease Dell Server load during a mass deployment. Activations are delayed based on algorithmically generated time slots to provide a smooth distribution of activation times.

    For users who must activate through a VPN, a slotted activation configuration for the client may be required so that initial activation is delayed long enough for the VPN client to establish a network connection.

    These registry entries require a restart of the computer for the updates to take effect.

    • Slotted Activation

      To enable or disable this feature, create a DWORD with the name SlottedActivation under the parent key:

      [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\]

    • Activation Slot

      To enable or disable this feature, create a subkey with the name ActivationSlot under the parent key:

      [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\]

      Activation Slot - a string that defines the period within which Encryption attempts to activate with the Dell Server. These values are defined in seconds, and the syntax is defined by <lowervalue>,<uppervalue>. An example would be 120,300. This means that Encryption attempts to activate at a random time between 2 minutes and 5 minutes after user login.

      • Calendar Repeat

        To configure this setting, create a DWORD value named CalRepeat under the key:

        [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\ActivationSlot]

        CalRepeat - A DWORD that defines, in seconds, how often the activation slot interval recurs. 25200 seconds are available for slotting activations during a seven-hour period. The default setting is 86400 seconds, which represents a daily repeat. The suggested decimal value is 600, which represents 10 minutes.

      • Slot Interval

        To configure this setting, create a string value named SlotInterval under the key:

        [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\ActivationSlot]

        Slot Interval - A string value that defines the intervals between slot activations. The suggested setting is 45,120. This represents activation time being randomly assigned between 45 and 120 seconds.

      • Missed Threshold

        To configure this setting, create a DWORD value named MissThreshold under the key:

        [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\ActivationSlot]

        MissThreshold - a DWORD value that contains a positive integer that defines the number of attempts to activate before a log off is required. If the MissThreshold is reached, activation attempts cease until the next login for the unactivated user. The count for MissThreshold is always reset on logoff.

        The following registry keys hold per-user slotted activation data:

        [HKCU\Software\CREDANT\ActivationSlot] (per-user data)

        Deferred time to attempt the slotted activation, which is set when the user logs onto the network for the first time after slotted activation is enabled. The activation slot is recalculated for each activation attempt.

        [HKCU\Software\CREDANT\SlotAttemptCount] (per-user data)

        Number of failed or missed attempts, that is, cases where the time slot arrives and activation is attempted but fails. When this number reaches the value set in ACTIVATION_SLOT_MISSTHRESHOLD, the computer attempts one immediate activation upon connecting to the network.
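A deployment helper for the slotted activation settings above, added as an example and not part of the Dell guide. It validates the `<lowervalue>,<uppervalue>` syntax before anything is written, writes SlottedActivation, CalRepeat, SlotInterval and MissThreshold with the value types the guide gives, supports -WhatIf, and reads the result back. Two things the guide does not state are assumed here: that SlottedActivation = 1 enables the feature and 0 disables it, and that the activation range string is stored as the (Default) value of the ActivationSlot subkey. The MissThreshold default of 3 is a constructed example value.

```powershell
# Added example; not part of the Dell guide. Validates and writes the slotted activation
# settings described on this page, then reads them back. Assumptions the guide does not
# state: SlottedActivation = 1 enables the feature and 0 disables it; the "<lower>,<upper>"
# range is stored as the (Default) string value of the ActivationSlot subkey.
function Test-SlotRange {
    # "<lowervalue>,<uppervalue>" in seconds; lower must be below upper.
    param([Parameter(Mandatory)] [string] $Range)
    if ($Range -notmatch '^\s*(\d+)\s*,\s*(\d+)\s*$') { return $false }
    return ([int]$Matches[1] -lt [int]$Matches[2])
}

function Set-DellSlottedActivation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateScript({ Test-SlotRange $_ })] [string] $ActivationSlot = '120,300',  # guide's example
        [ValidateRange(1, [int]::MaxValue)]      [int]    $CalRepeat      = 600,       # guide's suggested value
        [ValidateScript({ Test-SlotRange $_ })] [string] $SlotInterval   = '45,120',   # guide's suggested value
        [ValidateRange(1, [int]::MaxValue)]      [int]    $MissThreshold  = 3,         # constructed example value
        [switch] $Disable
    )
    $parent  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'
    $slotKey = Join-Path -Path $parent -ChildPath 'ActivationSlot'
    $enabled = if ($Disable) { 0 } else { 1 }
    $summary = "SlottedActivation=$enabled ActivationSlot=$ActivationSlot CalRepeat=$CalRepeat SlotInterval=$SlotInterval MissThreshold=$MissThreshold"

    if ($PSCmdlet.ShouldProcess($parent, $summary)) {
        New-Item -Path $slotKey -Force | Out-Null     # creates CMGShield\ActivationSlot if missing
        New-ItemProperty -Path $parent  -Name SlottedActivation -PropertyType DWord  -Value $enabled       -Force | Out-Null
        Set-ItemProperty -Path $slotKey -Name '(default)'       -Value $ActivationSlot   # assumed location of the range string
        New-ItemProperty -Path $slotKey -Name CalRepeat         -PropertyType DWord  -Value $CalRepeat     -Force | Out-Null
        New-ItemProperty -Path $slotKey -Name SlotInterval      -PropertyType String -Value $SlotInterval  -Force | Out-Null
        New-ItemProperty -Path $slotKey -Name MissThreshold     -PropertyType DWord  -Value $MissThreshold -Force | Out-Null
        Write-Warning 'A restart is required before these settings take effect.'
    }
}

function Get-DellSlottedActivation {
    $parent  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'
    $slotKey = Join-Path -Path $parent -ChildPath 'ActivationSlot'
    $slot = if (Test-Path -Path $slotKey) { Get-ItemProperty -Path $slotKey } else { $null }
    [pscustomobject]@{
        SlottedActivation = (Get-ItemProperty -Path $parent -Name SlottedActivation -ErrorAction SilentlyContinue).SlottedActivation
        ActivationSlot    = $slot.'(default)'
        CalRepeat         = $slot.CalRepeat
        SlotInterval      = $slot.SlotInterval
        MissThreshold     = $slot.MissThreshold
    }
}

# Usage: preview, apply, verify (elevated prompt; HKLM is written)
# Set-DellSlottedActivation -ActivationSlot '120,300' -SlotInterval '45,120' -MissThreshold 3 -WhatIf
# Set-DellSlottedActivation -ActivationSlot '120,300' -SlotInterval '45,120' -MissThreshold 3
# Get-DellSlottedActivation
```

Parameter validation rejects a range such as `300,120` or `120;300` before any key is touched, so a malformed string from a deployment variable cannot be written and then silently ignored by the client.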

  • To detect unmanaged users on the client computer, set the registry value on the client computer:

    [HKLM\SOFTWARE\Credant\CMGShield\ManagedUsers\]

    "UnmanagedUserDetected"=DWORD value:1

    1 = detect unmanaged users on this computer

    0 = do not detect unmanaged users on this computer

  • To enable silent automatic reactivation in the rare case that a user becomes deactivated, the registry value must be set on the client computer.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CMGShield]

    "AutoReactivation"=DWORD:00000001

    0=Disabled (default)

    1=Enabled

  • System Data Encryption (SDE) is enforced based on the policy value for SDE Encryption Rules. Additional directories are protected by default when the SDE Encryption Enabled policy is Selected. For more information, search "SDE Encryption Rules" in AdminHelp. When Encryption is processing a policy update that includes an active SDE policy, the current user profile directory is encrypted by default with the SDUser key (a User key) rather than the SDE key (a Device key). The SDUser key is also used to encrypt files or folders that are copied (not moved) into a user directory that is not encrypted with SDE.

    To disable the SDUser key and use the SDE key to encrypt these user directories, create the following registry entry on the computer:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Credant\CMGShield]

    "EnableSDUserKeyUsage"=DWORD:00000000

    If this registry key is not present or is set to anything other than 0, the SDUser key will be used to encrypt these user directories.

    For more information about SDUser, see KB article 131035.

  • Set the EnableNGMetadata registry entry if issues occur with Microsoft updates on computers that hold Common key-encrypted data, or when encrypting, decrypting, or unzipping large numbers of files within a folder.

    Set the EnableNGMetadata registry entry in the following location:

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CmgShieldFFE]

    "EnableNGMetadata" = DWORD:1

    0=Disabled (default)

    1=Enabled

  • The non-domain activation feature can be enabled by contacting Dell ProSupport and requesting instructions.
  • The Encryption Management Agent no longer outputs policies by default. To output future consumed policies, create the following registry key:

    [HKLM\Software\Dell\Dell Data Protection]

    "DumpPolicies"=DWORD

    Value=1

    Note: Logs are written to C:\ProgramData\Dell\Dell Data Protection\Policy.

  • To disable or enable the Encrypt for Sharing option in the right-click menu, use the following registry entry.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Dell\Dell Data Protection\Encryption]

    "DisplaySharing"=DWORD

    0 = disable the Encrypt for Sharing option in the right-click context menu

    1 = enable the Encrypt for Sharing option in the right-click context menu
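To review a client against the whole list above, an audit function is added here as an example (not Dell's code): it reads each documented value from the live registry and reports whether the key exists, whether the value is set, and the documented meaning of the setting. The paths and value names are the ones given on this page; nothing is written.

```powershell
# Added example; not part of the Dell guide. Reads every registry setting described on
# this page from the local machine and reports its state for review. Paths and value
# names come from the guide; the Meaning column summarises the guide's description.
function Get-DellEncryptionRegistryAudit {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'
    $settings = @(
        @{ Path = $winlogon;                                           Name = 'IgnoreCertErrors';             Meaning = '0 = fail on certificate error; 1 or not set = certificate errors ignored' }
        @{ Path = 'HKLM:\Software\Credant\DecryptionAgent';            Name = 'LogVerbosity';                 Meaning = 'Encryption Removal Agent log level; 2 recommended' }
        @{ Path = 'HKLM:\Software\Dell\Dell Data Protection';          Name = 'ShowDecryptAgentRebootPrompt'; Meaning = '0 hides the post-decryption reboot prompt' }
        @{ Path = 'HKLM:\SOFTWARE\CREDANT\CMGShield';                  Name = 'HIDESYSTRAYICON';              Meaning = '1 hides the notification area icon' }
        @{ Path = 'HKLM:\SOFTWARE\CREDANT\CMGShield';                  Name = 'DeleteTempFiles';              Meaning = '0 keeps c:\windows\temp; slower initial encryption' }
        @{ Path = $winlogon;                                           Name = 'SnoozeBeforeSweep';            Meaning = 'non-zero: no response to the prompt delays encryption' }
        @{ Path = 'HKLM:\SOFTWARE\Credant\CMGShield\Notify';           Name = 'PingProxy';                    Meaning = 'transient; 1 forces a policy poll, then disappears' }
        @{ Path = $winlogon;                                           Name = 'OnlySendInvChanges';           Meaning = '0 full inventory; 1 or not set optimized inventory' }
        @{ Path = $winlogon;                                           Name = 'RefreshInventory';             Meaning = 'transient; 1 requests one full inventory for activated users' }
        @{ Path = $winlogon;                                           Name = 'SlottedActivation';            Meaning = 'slotted activation on/off' }
        @{ Path = 'HKLM:\SOFTWARE\Credant\CMGShield\ManagedUsers';     Name = 'UnmanagedUserDetected';        Meaning = '1 detects unmanaged users' }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\CMGShield'; Name = 'AutoReactivation';             Meaning = '1 silent automatic reactivation; default 0' }
        @{ Path = 'HKLM:\SOFTWARE\Credant\CMGShield';                  Name = 'EnableSDUserKeyUsage';         Meaning = '0 uses the SDE key for user directories' }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\CmgShieldFFE'; Name = 'EnableNGMetadata';          Meaning = '1 enabled; default 0' }
        @{ Path = 'HKLM:\Software\Dell\Dell Data Protection';          Name = 'DumpPolicies';                 Meaning = '1 writes consumed policies to C:\ProgramData\Dell\Dell Data Protection\Policy' }
        @{ Path = 'HKLM:\SOFTWARE\Dell\Dell Data Protection\Encryption'; Name = 'DisplaySharing';             Meaning = '0 hides Encrypt for Sharing in the context menu' }
    )

    foreach ($s in $settings) {
        $keyExists = Test-Path -Path $s.Path
        $value = $null
        if ($keyExists) {
            # -ErrorAction SilentlyContinue: a missing value name is reported, not thrown
            $value = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        $display = if ($null -eq $value) { '(not set)' } else { $value }
        [pscustomobject]@{
            Name      = $s.Name
            KeyExists = $keyExists
            Value     = $display
            Meaning   = $s.Meaning
            Path      = $s.Path
        }
    }
}

# Usage: Get-DellEncryptionRegistryAudit | Format-Table Name, KeyExists, Value, Meaning -AutoSize
```

Two rows deserve attention in a review: IgnoreCertErrors anything other than 0 means the client accepts the Dell Server certificate without validation, and DumpPolicies = 1 means consumed policy contents are written to disk under ProgramData, which is useful for troubleshooting but should not be left on after the issue is resolved.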

