How Port Control System works with Dell Data Protection External Media Edition

Summary: This article describes how the Port Control System works with Dell Data Protection | External Media Edition.


Symptoms

Affected Products:

  • Dell Data Protection | External Media Edition

Cause

Not Applicable

Resolution

Using Port Control System (PCS) with EMS

Defining Internal or External Ports

  • Computer manufacturers define whether a port is external or internal, usually through the BIOS.
  • If the computer manufacturer defines the port as external, PCS and EMS policies are applied instead of fixed drive encryption. Because of this, EMS and PCS policies are consistently applied to eSATA.

Defining Removable or Fixed Storage Devices

  • Device manufacturers define whether their storage devices are reported as fixed or removable. Windows usually accepts whatever the device reports. Our product does not follow this convention. A storage device is considered a removable device by our product if:
    • It reports itself as a removable device.
      Or
    • It is connected to an external port.

Levels of Port Controls

There are three possible levels of port controls:

  • Port Level - Applies policies to external ports themselves.
  • Device Class Level - Applies policies per device type (such as HID, storage, printers, media players).
  • Device Sub Class Level - These are more granular policies that are applied to device classes.

Port Control Policy Options

  • Enabled: The operating system and applications have full access to devices on this port. If a USB port is enabled, PCS then looks to the Device Sub-Class policy for finer grain control, and then EMS policies apply to the associated volume.
  • Blocked: PCS disables access so you are unable to use any device on the blocked port, even I/O devices such as keyboards. When a port is blocked, devices that are attached to these ports are not available to the operating system. For example, if USB ports are blocked, all other PCS sub policies are ignored and any devices that are attached to USB ports are not detected by the operating system (or the Shield or EMS). In other words, the blocked port takes precedence over these finer grained policies.
  • Bypass: PCS allows access to the port and ignores (bypasses) any Device Sub-Class policies that would otherwise apply to devices inserted in that port.

How PCS Impacts EMS

EMS deals with volumes, while PCS deals with ports and devices. EMS deals with the results of the port control policies, like the operating system. Since PCS defines how applications can access ports and EMS is an application, PCS policies change EMS behavior. In general, you must allow full read/write access at the Port and Device Sub-Class levels or EMS policies are not applied as expected. A PCS policy could demote a USB flash drive to be read-only before EMS policies are applied, thus that media is treated as a read-only device (which is not encrypted by EMS since it cannot write the EMS system files to the media).

How PCS Policy is Applied

  • When a new PCS policy is received, the related policy change cannot apply until reboot.
  • For eSATA ports and devices, policy changes are always applied after a reboot because the operating system does not allow the product to re-enumerate the SATA ports.
  • PCS policy is never applied to a port that is defined as internal, regardless of port type (USB, SATA, eSATA, PCIe).
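
The precedence described above (port level first, then Device Sub-Class, then EMS on the resulting volume) can be written as a small Python model. This is an added example, not Dell code: the class, function names, and outcome strings are hypothetical, and it assumes that a Bypass port hands EMS a fully accessible volume.

```python
from dataclasses import dataclass

# Device Sub-Class values used in this article, mapped to the access PCS leaves.
SUBCLASS_ACCESS = {"Full Access": "full", "Read Only": "read-only", "Blocked": "none"}

@dataclass
class Device:
    port_internal: bool      # set by the computer manufacturer, usually in BIOS
    reports_removable: bool  # set by the device manufacturer

def is_removable(dev):
    # Removable if the device says so OR it sits on an external port.
    return dev.reports_removable or not dev.port_internal

def pcs_access(dev, port_policy, subclass_policy):
    """Access PCS leaves to the OS and EMS: 'none', 'read-only' or 'full'."""
    if dev.port_internal:
        return "full"   # PCS is never applied to internal ports
    if port_policy == "Blocked":
        return "none"   # device is not detected; sub-policies are ignored
    if port_policy == "Bypass":
        return "full"   # Device Sub-Class policies are bypassed
    if port_policy == "Enabled":
        return SUBCLASS_ACCESS[subclass_policy]
    raise ValueError(f"unknown port policy: {port_policy!r}")

def ems_outcome(dev, port_policy, subclass_policy):
    """What EMS gets to do with the volume once PCS has been applied."""
    if not is_removable(dev):
        return "fixed drive: outside EMS"
    access = pcs_access(dev, port_policy, subclass_policy)
    if access == "none":
        return "not visible to EMS"
    if access == "read-only":
        return "read-only: not encrypted by EMS"  # EMS cannot write its system files
    return "EMS policies apply"

if __name__ == "__main__":
    usb_stick = Device(port_internal=False, reports_removable=True)  # constructed sample
    for port, sub in [("Enabled", "Full Access"), ("Enabled", "Read Only"),
                      ("Blocked", "Full Access"), ("Bypass", "Read Only")]:
        print(f"{port:8} / {sub:11} -> {ems_outcome(usb_stick, port, sub)}")
```
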

Computer Identification - Laptop or Desktop

Computers are identified using the Windows Management Instrumentation (WMI) class Win32_SystemEnclosure. The relevant property of this class is ChassisTypes; MSDN defines its values in the Win32_SystemEnclosure class documentation. This identification is exposed in the PCS log file, for example:

11.08.03 13:14:27.230 [I] [PolicyOverrideProxy] Chassis type detected as "Mini Tower"

PCS logs are at:

  • Windows 8.1/10/11 - C:\ProgramData\Dell\Dell Data Protection\Encryption\PCS
  • Windows 7/8 - C:\ProgramData\Dell\PCS

The following Chassis Types are treated as laptops when implementing PCS policy:

  • Portable
  • Laptop
  • Notebook
  • Hand Held
  • Sub Notebook

The following Chassis Types are treated as Desktops when implementing PCS policy:

  • Other
  • Unknown
  • Desktop
  • Low Profile Desktop
  • Pizza Box
  • Mini Tower
  • Tower
  • Docking Station
  • All in One
  • Space-Saving
  • Lunch Box
  • Main System Chassis
  • Expansion Chassis
  • Sub-Chassis
  • Bus Expansion Chassis
  • Peripheral Chassis
  • Storage Chassis
  • Rack Mount Chassis
  • Sealed-Case personal computer

Use Cases

  • If you intend to set EMS Access to un-Shielded Media to Full Access, ensure that Storage Class: External Drive Control is not set to Read Only or Blocked.
  • Storage Class: External Drive Control interacts with the Removable Storage - EMS Access to un-Shielded Media policy. If you intend users to have Full Access to media, also set this policy to Full Access.
  • To encrypt data written to CD/DVD media:
    • Storage Class: Optical Drive Control = UDF Only
    • EMS Encrypt External Media = Selected
    • EMS Exclude CD/DVD Encryption = Not Selected
  • To encrypt all removable media, or block it if it cannot be encrypted:
    • PCS Policies
      • Port Control System = Selected (To turn on PCS)
      • Port: <Port Type> = Selected (To enable all physical and logical ports)
      • Class: Storage = Selected (To allow storage devices to be mounted on the computer)
      • Subclass Storage: External Drive Control = Full Access [To allow external drive types to mount (thumb-drives, external HDs, and so on)]
      • Subclass Storage: Optical Drive Control = Read Only, UDF Only, or Blocked (Setting this to Full Access allows burning to the optical media, which would bypass EMS)
      • Subclass Storage: Floppy Drive Control = Read Only or Blocked (Floppies are too small to encrypt, so Full Access would be useless in this case)
      • Class: Windows Portable Device (WPD) = Disabled (To prevent mounting of all WPD devices. This includes most smartphones and music players. Some older devices show up as standard storage devices and are allowed.)
      • Subclass Windows Portable Device (WPD): Storage = N/A (Is not applicable because the entire WPD class is disabled. Although it is possible to Enable WPD and set this policy to Read Only, incompatibilities exist with iTunes, so disabling is a safer choice for this use case.)
    • EMS Policies:
      • EMS Encrypt External Media = Selected (To turn on EMS)
      • EMS Exclude CD/DVD Encryption = Not Selected (To force optical media to be encrypted)
      • EMS Access to un-Shielded Media = Block or Read Only (To prevent data from going to external media without encryption)
      • EMS Block Access to un-Shieldable Media = True (To block access to devices that are too small to encrypt)
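
The use cases above can be checked mechanically against a policy set. The following Python audit is an added example, not part of the Dell product: the dictionary representation of a policy set, the function names, and the sample values are hypothetical, and it assumes "Storage Class: External Drive Control" and "Subclass Storage: External Drive Control" name the same policy.

```python
# Allowed values for "encrypt all removable media, or block it if it
# cannot be encrypted", taken from the use case in this article.
BASELINE = {
    "Port Control System": {"Selected"},
    "Class: Storage": {"Selected"},
    "Subclass Storage: External Drive Control": {"Full Access"},
    "Subclass Storage: Optical Drive Control": {"Read Only", "UDF Only", "Blocked"},
    "Subclass Storage: Floppy Drive Control": {"Read Only", "Blocked"},
    "Class: Windows Portable Device (WPD)": {"Disabled"},
    "EMS Encrypt External Media": {"Selected"},
    "EMS Exclude CD/DVD Encryption": {"Not Selected"},
    "EMS Access to un-Shielded Media": {"Block", "Read Only"},
    "EMS Block Access to un-Shieldable Media": {"True"},
}

def audit(policy):
    """Return (policy name, actual value, allowed values) for each deviation."""
    findings = []
    for name, allowed in BASELINE.items():
        actual = policy.get(name, "<missing>")
        if actual not in allowed:
            findings.append((name, actual, sorted(allowed)))
    # "Port: <Port Type>" entries: every port type present must be Selected.
    for name, actual in policy.items():
        if name.startswith("Port: ") and actual != "Selected":
            findings.append((name, actual, ["Selected"]))
    return findings

def access_conflict(policy):
    """Full Access to un-Shielded media needs a writable external drive class."""
    return (policy.get("EMS Access to un-Shielded Media") == "Full Access"
            and policy.get("Subclass Storage: External Drive Control")
            in ("Read Only", "Blocked"))

# Constructed sample: compliant except for two deliberately weak settings.
SAMPLE = {name: sorted(allowed)[0] for name, allowed in BASELINE.items()}
SAMPLE.update({
    "Port: USB": "Selected",
    "Subclass Storage: Optical Drive Control": "Full Access",  # burning bypasses EMS
    "EMS Access to un-Shielded Media": "Full Access",          # unencrypted writes allowed
})

if __name__ == "__main__":
    for name, actual, allowed in audit(SAMPLE):
        print(f"{name}: {actual!r} (expected one of {allowed})")
```
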

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

Dell Encryption, Dell Endpoint Security Suite Pro
Article Properties
Article Number: 000178515
Article Type: Solution
Last Modified: 28 Oct 2025
Version:  13