Security Policies Considerations When Enabling the Single Sign-On (One Step log in) Option in Dell Encryption

Summary: This article addresses several considerations that apply when enabling the Single Sign-On (one-step log in) option in Dell Endpoint Security Suite Enterprise and Dell Encryption (formerly Dell Data Protection | Encryption). ...


Instructions

Affected Products:

  • Dell Endpoint Security Suite Enterprise
  • Dell Encryption
  • Dell Data Protection | Encryption

Affected Versions:

  • v7.3 and Later

Affected Platforms:

  • Windows 7
  • Windows 8.1
  • Windows 10

When using a build of Dell Encryption (formerly Dell Data Protection | Encryption) or Dell Endpoint Security Suite Enterprise with Single Sign-On (SSO) enabled, the following considerations apply.

Interactive log in

In order for Single Sign-On (SSO) to work as intended, Require users to press CTRL+Alt+Delete should be disabled:

  1. Open Control Panel.
  2. Double-click User Accounts.
  3. Select Manage User Accounts option.
  4. Click the Advanced tab.
  5. Ensure Require users to press CTRL+Alt+Delete is cleared.

Figure 1: (English Only) User Accounts

Note: If this setting is enforced using Active Directory, the option is unavailable on the client side.
 

Figure 2: (English Only) Secure sign-in

If an endpoint is part of a domain, the Interactive logon: Do not require CTRL+ALT+DEL Group Policy Object (GPO) must be Enabled or Not Defined for SSO to work as intended.

Figure 3: (English Only) Interactive logon: Do not require CTRL+ALT+DEL Properties

Note: If the Interactive logon: Do not require CTRL+ALT+DEL GPO is enforced at a higher-level OU, any block inheritance that is configured at a lower-level OU is ignored.

The Interactive logon: Message text for users attempting to log on and Interactive logon: Message title for users attempting to log on GPOs must be Not Defined for SSO to work as intended:

Figure 4: (English Only) Interactive logon: Message text for users attempting to log on

If SSO is properly configured but the above GPOs are enforced, the below entries are missing within the AuthProxy logs:

[2018.06.15 09:11:34 PID=01532 TID=03640 D] AccountNameToSIDUsingPolicy: Found User SID
[2018.06.15 09:11:34 PID=01532 TID=03640 D] SidToString: Converted account name to SID: xxx\TEST1 => S-1-5-21-3372480839-4220617495-3508434089-1628
[2018.06.15 09:11:34 PID=01532 TID=03640 D] ProxyTunnel: Formatting Password UUK SSO token
[2018.06.15 09:11:34 PID=01532 TID=03640 D] ProxyTunnel: Assembled SSO package for DP of length 2086
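
A log check for the symptom described above, as an added example that is not Dell tooling or part of the original article: it parses AuthProxy lines in the format shown and reports which of the four SSO entries are absent. The function names and the BLOCKED sample are assumptions constructed for illustration; the article does not give the log file location, so the log text is passed in directly.

```python
import re

# Line layout from the AuthProxy excerpt: [date time PID=n TID=n LEVEL] message
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"PID=(?P<pid>\d+) TID=(?P<tid>\d+) (?P<level>\w+)\] (?P<msg>.*)$"
)

# The four entries the article lists as missing when the GPOs are enforced.
SSO_MARKERS = (
    "AccountNameToSIDUsingPolicy: Found User SID",
    "SidToString: Converted account name to SID:",
    "ProxyTunnel: Formatting Password UUK SSO token",
    "ProxyTunnel: Assembled SSO package for DP of length",
)

def parse_entries(log_text):
    """Yield one dict per well-formed log line; skip anything else."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()

def missing_sso_markers(log_text):
    """Return the expected SSO entries that never appear in the log."""
    seen = set()
    for entry in parse_entries(log_text):
        for marker in SSO_MARKERS:
            if entry["msg"].startswith(marker):
                seen.add(marker)
    return [m for m in SSO_MARKERS if m not in seen]

# HEALTHY repeats the article's excerpt; BLOCKED is a constructed log
# (hypothetical message text) that contains none of the SSO entries.
HEALTHY = r"""
[2018.06.15 09:11:34 PID=01532 TID=03640 D] AccountNameToSIDUsingPolicy: Found User SID
[2018.06.15 09:11:34 PID=01532 TID=03640 D] SidToString: Converted account name to SID: xxx\TEST1 => S-1-5-21-3372480839-4220617495-3508434089-1628
[2018.06.15 09:11:34 PID=01532 TID=03640 D] ProxyTunnel: Formatting Password UUK SSO token
[2018.06.15 09:11:34 PID=01532 TID=03640 D] ProxyTunnel: Assembled SSO package for DP of length 2086
"""
BLOCKED = """
[2018.06.15 09:11:34 PID=01532 TID=03640 D] Example: unrelated entry (constructed)
"""

if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY), ("blocked", BLOCKED)):
        gaps = missing_sso_markers(text)
        print(name, "-> all SSO entries logged" if not gaps else f"-> missing: {gaps}")
```

An empty result means all four entries were logged; a non-empty result on an endpoint where SSO is configured points back to the Interactive logon GPOs described above.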

Note: v8.18.x and 10.0.x builds interact with the Active Directory (AD) Interactive logon Group Policy Object (GPO) slightly differently due to the introduction of the new Dell credential provider. For this reason, end users that are prompted for Ctrl + Alt + Del immediately after Pre-Boot Authentication (PBA) login may never see that their current session expires. Dell is working to alleviate any concerns by forcing Single Sign-On credentials to expire when they are not consumed in a timely manner. The Interactive logon: Machine inactivity limit AD GPO can be applied as a workaround to force log in sessions to expire after X seconds.

Figure 5: (English Only) Interactive logon: Machine inactivity limit Properties

Other Sign in Screen

An additional Sign-In screen may be seen when resuming from hibernation, unlocking, or after starting from a powered-off state. This additional screen is due to security changes within the Windows 10 1803 operating system. A timer has been introduced that will force any credentials in memory to expire after a fixed duration.

Figure 6: (English Only) Windows Sign in screen


To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Article Properties
Article Number: 000130732
Article Type: How To
Last Modified: 03 Jun 2024
Version:  9