Dell Encryption May Become Unresponsive with a High Number of Activated Users

Summary: Dell Encryption (formerly Dell Data Protection | Encryption) may become nonresponsive when a high number of users are activated on a single device. This nonresponsiveness may result in an operating system failure (Blue Screen error) on the device. ...


Symptoms

Affected Products:

  • Dell Encryption Enterprise
  • Dell Encryption Personal
  • Dell Data Protection | Encryption
  • Dell Data Protection | Personal Edition

Affected Versions:

  • v8.9.0 and earlier

Cause

Dell Encryption stores activated user data within credsys.vlt (commonly called the vault file), which is stored within C:\Windows\system32\. This file is a limited-size flat-file database that stores information about the activated users, the encryption keys for this device, the policy sets for the activated users, and the bindings that record which keys correlate to which users on the device. When many users activate on the device, the data within the file may exceed the configured size limit of the flat-file database, resulting in corruption. This corruption can manifest as a failure in the CMGShield service, and since this service is set as a system-critical service, an operating system failure can be experienced if this service fails.

This issue can be identified within the CMGShield.log file, which is stored by default within the ProgramData directory: C:\ProgramData\Dell\Dell Data Protection\Encryption\. If errors of the following form are present, this indicates that the vault exceeds its maximum size (data generalized as it can vary in the field):

Vault Error - Cluster index <NUMBER> exceeds maximum clusters (<NUMBER>) while validating (<NUMBER>) <POLICYFILENAME> Size=<NUMBER>

Resolution

Administrators who are experiencing this issue can run WSDeactivate on an endpoint that gets into this state to resolve it. WSDeactivate can be acquired from Dell Support if needed. The application is not published externally because it results in a loss of data if the device is not able to reach the server.

Note: WSDeactivate can be used to troubleshoot an encrypted computer. The utility renames the vault file (credsys.vlt) and adds a date and timestamp to the end of its filename after a prompt to reboot. This process requires all previously activated users to reactivate on this device during the next login.

This issue is resolved in Dell Encryption v8.9.1 and later. This was resolved by limiting the maximum number of activated users to 25 by default, along with modifying the calculations for the size and checksums of the activation data within the vault. Once the 26th user activates, the user that has not logged in for the longest time is removed from the vault.

This limit can be changed by modifying the following registry value:

Warning: The next step is a Windows Registry edit:
HKEY_LOCAL_MACHINE\SOFTWARE\Dell\Dell Data Protection\Encryption
DWORD: MaxActivatedUsers
Value: <IntegerHere>

The defined value is limited to a minimum of five users and a maximum of 50.
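The following PowerShell is an added example, not Dell-provided code: it checks CMGShield.log for the vault error described under Cause and sets MaxActivatedUsers only within the 5 to 50 range stated above. The log path, registry key and value name come from this article; the function names, the assumption that the logged numbers are decimal, and the sample line are constructed for illustration.

```powershell
# Added example (not Dell code). Paths, key and value name are from the article.
$LogPath = 'C:\ProgramData\Dell\Dell Data Protection\Encryption\CMGShield.log'
$RegPath = 'HKLM:\SOFTWARE\Dell\Dell Data Protection\Encryption'

# Regex for the generalized error line in the article; assumes decimal numbers.
$VaultError = 'Vault Error - Cluster index (?<Index>\d+) exceeds maximum clusters ' +
              '\((?<Max>\d+)\) while validating \((?<Id>\d+)\) (?<File>.+?) Size=(?<Size>\d+)'

function Find-VaultOverflow {
    # Hypothetical helper: returns one object per matching log line.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $VaultError) {
            [pscustomobject]@{
                ClusterIndex = $Matches['Index']
                MaxClusters  = $Matches['Max']
                PolicyFile   = $Matches['File']
                Size         = $Matches['Size']
            }
        }
    }
}

function Set-MaxActivatedUsers {
    # Hypothetical helper: rejects values outside the documented 5..50 range.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateRange(5, 50)][int]$Value)
    if (-not (Test-Path -LiteralPath $RegPath)) { throw "Key not found: $RegPath" }
    if ($PSCmdlet.ShouldProcess($RegPath, "Set MaxActivatedUsers = $Value")) {
        New-ItemProperty -LiteralPath $RegPath -Name MaxActivatedUsers `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

# Constructed sample line (numbers and file name invented), used when no log exists.
$sample = 'Vault Error - Cluster index 4100 exceeds maximum clusters (4096) ' +
          'while validating (3) example.pol Size=8192'
$lines = if (Test-Path -LiteralPath $LogPath) { Get-Content -LiteralPath $LogPath } else { $sample }

$hits = @(Find-VaultOverflow -Lines $lines)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    Write-Warning 'Vault size errors found; see the Resolution section.'
} else {
    Write-Output 'No vault size errors found.'
}
# Set-MaxActivatedUsers -Value 25 -WhatIf   # dry run; v8.9.1 or later, elevated session
```

The registry value only has an effect on v8.9.1 and later; on earlier versions a match from the log check points to the WSDeactivate procedure described above.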


To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

Dell Encryption
Article Properties
Article Number: 000125053
Article Type: Solution
Last Modified: 19 Jun 2024
Version:  8