
Dell Encryption Personal Installation Guide v11.9

Dell Encryption Troubleshooting

(Optional) Create an Encryption Removal Agent Log File

  • Before beginning the uninstall process, you can optionally create an Encryption Removal Agent log file. This log file is useful for troubleshooting an uninstall/decryption operation. If you do not intend to decrypt files during the uninstall process, you do not need to create this log file.
  • The Encryption Removal Agent log file is not created until after the Encryption Removal Agent service runs, which does not happen until the computer is restarted. Once the client is successfully uninstalled and the computer is fully decrypted, the log file is permanently deleted.
  • The log file path is C:\ProgramData\Dell\Dell Data Protection\Encryption.
  • Create the following registry entry on the computer targeted for decryption.

    [HKLM\Software\Credant\DecryptionAgent]

    "LogVerbosity"=DWORD:2

    0: no logging

    1: logs errors that prevent the service from running

    2: logs errors that prevent complete data decryption (recommended level)

    3: logs information about all decrypting volumes and files

    5: logs debugging information

Find TSS Version

  • TSS is a component that interfaces with the TPM. To find the TSS version, go to (default location) C:\Program Files\Dell\Dell Data Protection\Drivers\TSS\bin > tcsd_win32.exe. Right-click the file and select Properties. Verify the file version on the Details tab.

Encryption External Media and PCS Interactions

To Ensure Media is Not Read-Only and the Port is Not Blocked

The EMS Access to unShielded Media policy interacts with the Port Control System - Class: Storage > Subclass Storage: External Drive Control policy. If you intend to set the EMS Access to unShielded Media policy to Full Access, also set the Subclass Storage: External Drive Control policy to Full Access so that the media is not set to read-only and the port is not blocked.

To Encrypt Data Written to CD/DVD

  • Set Windows Media Encryption = On.
  • Set EMS Exclude CD/DVD Encryption = not selected.
  • Set Subclass Storage: Optical Drive Control = UDF Only.

Use WSScan

  • WSScan allows you to ensure that all data is decrypted when uninstalling Encryption as well as view encryption status and identify unencrypted files that should be encrypted.
  • Administrator privileges are required to run this utility.

    NOTE: WSScan must be run in System Mode with the PsExec tool if a target file is owned by the system account.

Run WSScan

  1. From the Dell installation media, copy WSScan.exe to the Windows computer to scan.
  2. Launch a command line at the location above and enter wsscan.exe at the command prompt. WSScan launches.
  3. Click Advanced.
  4. Select the type of drive to scan: All Drives, Fixed Drives, Removable Drives, or CDROMs/DVDROMs.
  5. Select the Encryption Report Type: Encrypted Files, Unencrypted Files, All Files, or Unencrypted Files in Violation:
    • Encrypted Files - To ensure that all data is decrypted when uninstalling Encryption. Follow your existing process for decrypting data, such as issuing a decryption policy update. After decrypting data, but before performing a restart in preparation for uninstall, run WSScan to ensure that all data is decrypted.
    • Unencrypted Files - To identify files that are not encrypted, with an indication of whether the files should be encrypted (Y/N).
    • All Files - To list all encrypted and unencrypted files, with an indication of whether the files should be encrypted (Y/N).
    • Unencrypted Files in Violation - To identify files that are not encrypted that should be encrypted.
  6. Click Search.

OR

  1. Click Advanced to toggle the view to Simple to scan a particular folder.
  2. Go to Scan Settings and enter the folder path in the Search Path field. If this field is used, the selection in the menu is ignored.
  3. If you do not want to write WSScan output to a file, clear the Output to File check box.
  4. Change the default path and file name in Path, if desired.
  5. Select Add to Existing File if you do not want to overwrite any existing WSScan output files.
  6. Choose the output format:

    • Select Report Format for a report style list of scanned output. This is the default format.
    • Select Value Delimited File for output that can be imported into a spreadsheet application. The default delimiter is "|", although it can be changed to up to 9 alphanumeric, space, or keyboard punctuation characters.
    • Select the Quoted Values option to enclose each value in double quotation marks.
    • Select Fixed Width File for non-delimited output containing a continuous line of fixed-length information about each encrypted file.
  7. Click Search.

    Click Stop Searching to stop your search. Click Clear to clear displayed messages.

WSScan Output

WSScan output for encrypted files contains the following information.

Example Output:

[2015-07-28 07:52:33] SysData.7vdlxrsb._SDENCR_: "c:\temp\Dell - test.log" is still AES256 encrypted

Output - Meaning

  • Date/time stamp - The date and time the file was scanned.
  • Encryption type - The type of encryption used to encrypt the file.

    • SysData: SDE key.
    • User: User encryption key.
    • Common: Common encryption key.

    WSScan does not report files encrypted using Encrypt for Sharing.
  • KCID - The Key Computer ID. As shown in the example above, "7vdlxrsb". If you are scanning a mapped network drive, the scanning report does not return a KCID.
  • UCID - The User ID. As shown in the example above, "_SDENCR_". The UCID is shared by all the users of that computer.
  • File - The path of the encrypted file. As shown in the example above, "c:\temp\Dell - test.log".
  • Algorithm - The encryption algorithm being used to encrypt the file. As shown in the example above, "is still AES256 encrypted".

    • RIJNDAEL 128
    • RIJNDAEL 256
    • AES-128
    • AES-256
    • 3DES
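
The report line layout described above can be checked mechanically before the restart that precedes uninstall. The following Python parser is an added example, not part of the Dell guide or of WSScan; it assumes an Encrypted Files report whose lines all follow the layout of the example line, and every sample line after the first (including the a1b2c3d4 UCID) is constructed.

```python
import re
from collections import Counter

# Layout taken from the guide's example line (an assumption beyond that one line):
#   [timestamp] <type>.<KCID>.<UCID>: "<path>" is still <algorithm> encrypted
LINE_RE = re.compile(
    r'^\[(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]\s+'
    r'(?P<key_type>SysData|User|Common)\.(?P<kcid>[^.:\s]+)\.(?P<ucid>[^:\s]+):\s+'
    r'"(?P<path>.*)"\s+is still\s+(?P<algorithm>.+?)\s+encrypted$'
)

# Constructed sample: line 1 is the guide's example, the rest are made up.
SAMPLE_REPORT = r'''
[2015-07-28 07:52:33] SysData.7vdlxrsb._SDENCR_: "c:\temp\Dell - test.log" is still AES256 encrypted
[2015-07-28 07:52:34] User.7vdlxrsb.a1b2c3d4: "c:\users\alice\notes.docx" is still AES256 encrypted
[2015-07-28 07:52:35] Common.7vdlxrsb.a1b2c3d4: "c:\shared\plan.xlsx" is still 3DES encrypted
scan interrupted
'''

def parse_line(line):
    """Return the fields of one report line as a dict, or None if it does not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None

def summarize(report_text):
    """Split a report into parsed records and unparsed lines, and gate on both."""
    records, unparsed = [], []
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        record = parse_line(line)
        if record:
            records.append(record)
        else:
            # Fail closed: e.g. the layout without a KCID (mapped network drive)
            # is not shown in the guide, so such lines are surfaced, not dropped.
            unparsed.append(line)
    return {
        "records": records,
        "unparsed": unparsed,
        "by_key_type": Counter(r["key_type"] for r in records),
        # Only an empty Encrypted Files report means all data is decrypted.
        "fully_decrypted": not records and not unparsed,
    }

if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    for rec in result["records"]:
        print(rec["key_type"], rec["algorithm"], rec["path"])
    print("unparsed:", result["unparsed"])
    print("fully decrypted:", result["fully_decrypted"])
```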

Check Encryption Removal Agent Status

The Encryption Removal Agent displays its status in the description area of the services panel (Start > Run > services.msc > OK) as follows. Periodically refresh the service (highlight the service > right-click > Refresh) to update its status.

  • Waiting for SDE Deactivation - Encryption is still installed, is still configured, or both. Decryption does not start until Encryption is uninstalled.
  • Initial sweep - The service is making an initial sweep, calculating the number of encrypted files and bytes. The initial sweep occurs one time.
  • Decryption sweep - The service is decrypting files and possibly requesting to decrypt locked files.
  • Decrypt on Reboot (partial) - The decryption sweep is complete and some locked files (but not all) are to be decrypted on the next restart.
  • Decrypt on Reboot - The decryption sweep is complete and all locked files are to be decrypted on the next restart.
  • All files could not be decrypted - The decryption sweep is complete, but all files could not be decrypted. This status means one of the following occurred:

    • The locked files could not be scheduled for decryption because they were too big, or an error occurred while making the request to unlock them.
    • An input/output error occurred while decrypting files.
    • The files could not be decrypted by policy.
    • The files are marked as files that should be encrypted.
    • An error occurred during the decryption sweep.

    In all cases, a log file is created (if logging is configured) when LogVerbosity=2 (or higher) is set. To troubleshoot, set the log verbosity to 2 and restart the Encryption Removal Agent service to force another decryption sweep.
  • Complete - The decryption sweep is complete. The service, the executable, the driver, and the driver executable are all scheduled for deletion on the next restart.

How to Encrypt an iPod with Encryption External Media

These rules disable or enable encryption for these folders and file types for all removable devices - not just an iPod. Use care when defining rules.

  • Dell does not recommend the use of the iPod Shuffle, as unexpected results may occur.
  • As iPods change, this information could also change, so caution is advised when allowing the use of iPods on Encryption External Media-enabled computers.
  • Because folder names on iPods are dependent on the model of the iPod, Dell recommends creating an exclusion policy which covers all folder names, across all iPod models.
  • To ensure encrypting an iPod via Encryption External Media does not make the device unusable, enter the following rules in the Encryption External Media Encryption Rules policy:

    -R#:\Calendars

    -R#:\Contacts

    -R#:\iPod_Control

    -R#:\Notes

    -R#:\Photos

  • You can also force encryption of specific file types in the directories above. Adding the following rules will ensure that ppt, pptx, doc, docx, xls, and xlsx files are encrypted in the directories excluded from encryption via the previous rules:

    ^R#:\Calendars;ppt.doc.xls.pptx.docx.xlsx

    ^R#:\Contacts;ppt.doc.xls.pptx.docx.xlsx

    ^R#:\iPod_Control;ppt.doc.xls.pptx.docx.xlsx

    ^R#:\Notes;ppt.doc.xls.pptx.docx.xlsx

    ^R#:\Photos;ppt.doc.xls.pptx.docx.xlsx

  • Replacing these five rules with the following rule will force encryption of ppt, pptx, doc, docx, xls, and xlsx files in any directory on the iPod, including Calendars, Contacts, iPod_Control, Notes, and Photos:

    ^R#:\;ppt.doc.xls.pptx.docx.xlsx

  • Rules have been tested against these iPods:

    iPod Video 30gb fifth generation

    iPod Nano 2gb second generation

    iPod Mini 4gb second generation

