
Dell Endpoint Security Suite Enterprise Advanced Installation Guide v3.8

SED Manager

  • To set the retry interval when the Dell Server is unavailable to communicate with SED Manager, add the following registry value.

    [HKLM\System\CurrentControlSet\Services\DellMgmtAgent\Parameters]

    "CommErrorSleepSecs"=DWORD:300

    This value is the number of seconds SED Manager waits before it attempts to contact the Dell Server again when the server is unavailable. The default is 300 seconds (5 minutes).

  • If a self-signed certificate is used on the Dell Server for SED Manager, SSL/TLS trust validation must remain disabled on the client computer (SSL/TLS trust validation is disabled by default with SED Manager). Before enabling SSL/TLS trust validation on the client computer, the following requirements must be met.

    • A certificate signed by a root authority, such as EnTrust or Verisign, must be imported into Dell Server.
    • The full chain of trust of the certificate must be stored in the Microsoft keystore on the client computer.
    • To enable SSL/TLS trust validation for SED Manager, change the value of the following registry entry to 0 on the client computer.

      [HKLM\System\CurrentControlSet\Services\DellMgmtAgent\Parameters]

      "DisableSSLCertTrust"=DWORD:0

      0 = Enabled

      1 = Disabled

  • To determine if the PBA is activated, check the following value:

    [HKLM\SYSTEM\CurrentControlSet\services\DellMgmtAgent\Parameters]

    "PBAIsActivated"=DWORD (32-bit):1

    A value of 1 means that the PBA is activated. A value of 0 means the PBA is not activated.

  • To determine if a smart card is present and active, check the following value:

    [HKLM\SOFTWARE\Dell\Dell Data Protection]

    "SmartcardEnabled"=DWORD:1

    If SmartcardEnabled is missing or has a value of zero, the Credential Provider will display only Password for authentication.

    If SmartcardEnabled has a non-zero value, the Credential Provider will display options for Password and smart card authentication.

  • The following registry value indicates whether Winlogon should generate a notification for logon events from smart cards.

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    "SmartCardLogonNotify"=DWORD:1

    0 = Disabled

    1 = Enabled

  • To prevent SED Manager from disabling third-party credential providers, create the following registry value:

    [HKLM\SOFTWARE\Dell\Dell Data Protection]

    "AllowOtherCredProviders"=DWORD:1

    0 = Disabled (default)

    1 = Enabled

    NOTE: This value may prevent the Dell credential provider from properly syncing credentials initially due to third-party credential providers being disabled. Ensure the devices using this registry key can properly communicate with the Dell Server.

  • To set the interval at which SED Manager attempts to contact the Dell Server when the server is unavailable, set the following value on the target computer:

    [HKLM\System\CurrentControlSet\Services\DellMgmtAgent\Parameters]

    "CommErrorSleepSecs"=DWORD:300

    This value is the number of seconds SED Manager waits before it attempts to contact the Dell Server again when the server is unavailable. The default is 300 seconds (5 minutes).

  • The Security Server host may be changed from the original installation location if needed. The host information is read every time a policy poll occurs. Change the following registry value on the client computer:

    [HKLM\SYSTEM\CurrentControlSet\services\DellMgmtAgent]

    "ServerHost"=REG_SZ:<newname>.<organization>.com

  • The Security Server port may be changed from the original installation location if needed. This value is read every time a policy poll occurs. Change the following registry value on the client computer:

    [HKLM\SYSTEM\CurrentControlSet\services\DellMgmtAgent]

    "ServerPort"=REG_SZ:8888

  • The Security Server URL may be changed from the original install location if needed. This value is read by the client computer every time a policy poll occurs. Change the following registry value on the client computer:

    [HKLM\SYSTEM\CurrentControlSet\services\DellMgmtAgent]

    "ServerUrl"=REG_SZ:https://<newname>.<organization>.com:8888/agent

  • (With pre-boot authentication only) If you do not want PBA advanced authentication to change the services associated with smart cards and biometric devices to a startup type of "automatic", disable the service startup feature. Disabling this feature also suppresses warnings associated with the required services not running.

    When disabled, PBA advanced authentication does not attempt to start these services:

    • SCardSvr - Manages access to smart cards read by the computer. If this service is stopped, this computer is unable to read smart cards. If this service is disabled, any services that explicitly depend on it fail to start.
    • SCPolicySvc - Allows the system to be configured to lock the user desktop upon smart card removal.
    • WbioSrvc - The Windows biometric service gives client applications the ability to capture, compare, manipulate, and store biometric data without gaining direct access to any biometric hardware or samples. The service is hosted in a privileged SVCHOST process.

    By default, if the registry key does not exist or the value is set to 0, this feature is enabled.

    [HKLM\SOFTWARE\DELL\Dell Data Protection]

    "SmartCardServiceCheck"=REG_DWORD:0

    0 = Enabled

    1 = Disabled

  • To use smart cards with SED PBA Authentication, the following registry value must be set on the client computer that is equipped with an SED.

    [HKLM\SOFTWARE\DigitalPersona\Policies\Default\SmartCards]

    "MSSmartcardSupport"=DWORD:1

    Set the Authentication Method policy to Smart Card in the Management Console, and commit the change.

  • To suppress all Toaster notifications from the Encryption Management Agent, the following registry value must be set on the client computer.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Dell\Dell Data Protection]

    "PbaToastersAllowClose"=DWORD:1

    0=Enabled (default)

    1=Disabled
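
Added example (not part of the Dell guide): a read-only PowerShell check that reports, on a client computer, the state of the security-relevant values described above. The function names and report layout are illustrative, and an unset DisableSSLCertTrust is assumed to follow the default the guide states (trust validation disabled).

```powershell
# Added example: read-only audit of SED Manager registry values named in this guide.
# Key paths and value names come from the page; function names and layout are illustrative.
$agent = 'HKLM:\SYSTEM\CurrentControlSet\Services\DellMgmtAgent'
$ddp   = 'HKLM:\SOFTWARE\Dell\Dell Data Protection'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Emits nothing ($null to the caller) when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Finding {
    param([string]$Setting, $Value, [string]$Meaning)
    if ($null -eq $Value) { $Value = '(not set)' }
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Meaning = $Meaning }
}

function Get-SedManagerAudit {
    # 0 = trust validation enabled, 1 = disabled. Assumption: an unset value
    # follows the default the guide states (validation disabled).
    $trust = Get-RegValue "$agent\Parameters" 'DisableSSLCertTrust'
    $text = if ($trust -eq 0) { 'TLS trust validation enabled' } else { 'TLS trust validation disabled' }
    New-Finding 'DisableSSLCertTrust' $trust $text

    # 1 = PBA activated, 0 = not activated.
    $pba = Get-RegValue "$agent\Parameters" 'PBAIsActivated'
    $text = if ($pba -eq 1) { 'PBA activated' } else { 'PBA not reported as activated' }
    New-Finding 'PBAIsActivated' $pba $text

    # Missing or zero = Password only; non-zero = Password and smart card.
    $sc = Get-RegValue $ddp 'SmartcardEnabled'
    $text = if ($sc) { 'Password and smart card offered' } else { 'Password only' }
    New-Finding 'SmartcardEnabled' $sc $text

    # 0 = Disabled (default), 1 = Enabled.
    $other = Get-RegValue $ddp 'AllowOtherCredProviders'
    $text = if ($other -eq 1) { 'Third-party providers kept' } else { 'Third-party providers disabled (default)' }
    New-Finding 'AllowOtherCredProviders' $other $text

    # The guide's ServerUrl example uses https; flag any other scheme for review.
    $url = Get-RegValue $agent 'ServerUrl'
    $text = if ($url -and $url -notmatch '^https://') { 'Not an https URL: review' } else { 'https, or value not set' }
    New-Finding 'ServerUrl' $url $text
}

Get-SedManagerAudit | Format-Table -AutoSize -Wrap
```

A result of "TLS trust validation disabled" alongside an https ServerUrl means the agent's connection is encrypted but the Dell Server's certificate chain is not validated, which is the state the guide requires while a self-signed certificate is in use.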

