- Notes, cautions, and warnings
- Introduction
- Requirements
- Registry Settings
- Install Using the Master Installer
- Uninstall the Master Installer
- Install Using the Child Installers
- Uninstall Using the Child Installers
- Data Security Uninstaller
- Commonly Used Scenarios
- Provision a Tenant
- Configure Advanced Threat Prevention Agent Auto Update
- Pre-Installation Configuration for SED UEFI, and BitLocker Manager
- Designate the Dell Server through Registry
- Extract Child Installers
- Configure Key Server
- Use the Administrative Download Utility (CMGAd)
- Configure Encryption on a Server Operating System
- Configure Deferred Activation
- Troubleshooting
- Glossary
Dell Endpoint Security Suite Enterprise Advanced Installation Guide v3.8
SED Manager
- The computer must have a wired network connection to successfully install SED Manager.
- The computer must have a wired network connection for a smart card user to log in through pre-boot authentication for the first time.
- Third-party credential providers will not function with SED Manager installed and all third-party credential providers will be disabled when the PBA is enabled.
- IPv6 is not supported.
- SED Manager is not currently supported within virtualized host computers.
- Be prepared to shut down and restart the computer after you apply policies and are ready to begin enforcing them.
- Computers equipped with self-encrypting drives cannot be used with HCA cards. Incompatibilities exist that prevent the provisioning of the HCA. Dell does not sell computers with self-encrypting drives that support the HCA module. This unsupported configuration would be an after-market configuration.
- If the computer targeted for encryption is equipped with a self-encrypting drive, ensure that the Active Directory option, User Must Change Password at Next Logon, is disabled. Pre-boot authentication does not support this Active Directory option.
-
Dell recommends that you do not change the authentication method after the PBA has been activated. If you must switch to a different authentication method, you must either:
- Remove all the users from the PBA.
or
- Deactivate the PBA, change the authentication method, and then re-activate the PBA.
- Remove all the users from the PBA.
-
Configuration of self-encrypting drives for SED Manager differ between NVMe and non-NVMe (SATA) drives, as follows.
- Any NVMe drive that is being leveraged for PBA:
- If the Dell device was manufactured in 2018 or later: Either RAID ON or AHCI may be leveraged with NVMe drives.
- The BIOS boot mode must be set to Unified Extensible Firmware Interface (UEFI). Legacy operation ROMs must be disabled.
-
Any non-NVMe drive that is being leveraged for PBA:
- BIOS SATA operation can be set to either AHCI or RAID ON.
-
The operating system will crash when switched from RAID ON > AHCI if the AHCI controller drivers are not pre-installed. For instructions on how to switch from RAID > AHCI (or vice versa), see KB article 124714.
Supported OPAL compliant SEDs require updated Intel Rapid Storage Technology Drivers, located at www.dell.com/support. Dell recommends the latest Intel Rapid Storage Technology Driver.
NOTE:The Intel Rapid Storage Technology Drivers are platform dependent. You can find your system's driver at the link above based on your computer model. - Any NVMe drive that is being leveraged for PBA:
- SED Manager requires the use of the Dell custom Credential Provider to synchronize Windows password changes and data encryption keys. If you require use of third-party applications that use custom Credential Providers running on computers protected SED Manager, you must initiate Windows password changes through the Data Security Console. For information about changing your password in the Data Security Console, see the Password chapter in the Data Security Console User Guide.
-
The master installer installs these components if not already installed on the target computer. When using the child installer, you must install these components before installing the clients.
Prerequisite
-
Visual C++ 2017 or later Redistributable Package (x86 or x64)
-
As of January 2020, SHA1 signing certificates are no longer valid and cannot be renewed. Devices running Windows Server 2008 R2 must install Microsoft KBs https://support.microsoft.com/help/4474419 and https://support.microsoft.com/help/4490628 to validate SHA256 signing certificates on applications and installation packages.
Applications and installation packages signed with SHA1 certificates will function but an error will display on the endpoint during installation or execution of the application without these updates installed
-
- SED Manager is not supported with Encryption on server operating systems or Advanced Threat Prevention on a server operating system.
- Multi-disk encryption configurations with SED Manager require the following:
- All disks in the target system must have the following configuration:
- SED drives
- Disks must have an assigned drive letter
- In UEFI boot mode, the operating system can be installed on any target disk.
-
In Legacy boot mode, the operating system must be installed on the first disk (Disk #0). If the operating system is not installed on the first disk, Multi-disk encryption is disabled.
Enable Multi-Disk encryption in the Management Console. See Registry Settings to see Windows Registry values for Multi-disk encryption and multi-sweep.
- All disks in the target system must have the following configuration:
-
NOTE:A password is required with pre-boot authentication. Dell recommends a minimum password setting compliant with internal security policies.
-
NOTE:When PBA is used, the Sync All Users policy should be enabled if a computer has multiple users. Additionally, all users must have passwords. Zero-length password users will be locked out of the computer following activation.
-
NOTE:Computers protected by SED Manager must be updated to Windows 10 v1703 (Creators Update/Redstone 2) or later before updating to Windows 10 v1903 (May 2019 Update/19H1) or later. If this upgrade path is attempted, an error message displays.
Hardware
OPAL Compliant SEDs
-
For the most up-to-date list of Opal compliant SEDs supported with the SED Manager, refer to this KB article 126855
-
For the most up-to-date list of platforms supported with the SED Manager, see KB article 126855.
- For a list of docking stations and adapters supported with SED Manager, see KB article 124241.
Pre-Boot Authentication Options with SED Manager
- Specific hardware is required to use smart cards and to authenticate on UEFI computers. Configuration is required to use smart cards with pre-boot authentication. The following tables show authentication options available by operating system, when hardware and configuration requirements are met.
|
Non-UEFI |
||||
|---|---|---|---|---|
|
PBA |
||||
|
Password |
Fingerprint |
Contacted Smart card |
SIPR Card |
|
|
Windows 10 |
X1 |
X1 2 |
||
|
Windows 11 |
X1 |
X1 2 |
||
|
1. Available when authentication drivers are downloaded from dell.com/support 2. Available with a supported OPAL SED |
||||
|
UEFI |
||||
|---|---|---|---|---|
|
PBA - on supported Dell Computers |
||||
|
Password |
Fingerprint |
Contacted Smart card |
SIPR Card |
|
|
Windows 10 |
X1 |
X1 |
||
|
Windows 11 |
X1 |
X1 |
||
|
1. Available with a supported OPAL SED on supported UEFI computers |
||||
International Keyboards
The following table lists international keyboards supported with Pre-boot Authentication on UEFI and non-UEFI computers.
| International Keyboard Support - UEFI | |
|---|---|
| DE-FR - (French Swiss) | EN-GB - English (British English) |
| DE-CH - (German Swiss) | EN-CA - English (Canadian English) |
| EN-US - English (American English) | |
|
International Keyboard Support - Non-UEFI |
|
|---|---|
| AR - Arabic (using Latin letters) | EN-US - English (American English) |
| DE-FR - (French Swiss) | EN-GB - English (British English) |
| DE-CH - (German Swiss) | EN-CA - English (Canadian English) |
Operating Systems
-
The following table details the supported operating systems.
Windows Operating Systems (32- and 64-bit)
- Windows 10: Education, Enterprise, Pro v1909-v22H2 (November 2019 Update/19H2 - November 2022 Update/22H2)
Note: OEMs and ODMs do not ship Windows 10 v2004 (May 2020 Update/20H1 and later) with 32-bit architecture. For more information, see https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview.
- Windows 10 2019 LTSC
- Windows 10 2021 LTSC
- Windows 11: Enterprise, Pro v21H2 - 22H2
- Windows 10: Education, Enterprise, Pro v1909-v22H2 (November 2019 Update/19H2 - November 2022 Update/22H2)
Localization
SED Manager is a multilingual user interface compliant and is localized the following languages. UEFI mode and PBA advanced authentication are supported in the following languages:
|
Language Support |
|
|---|---|
|
EN - English |
JA - Japanese |
|
FR - French |
KO - Korean |
|
IT - Italian |
PT-BR - Portuguese, Brazilian |
|
DE - German |
PT-PT - Portuguese, Portugal (Iberian) |
|
ES - Spanish |
|
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\