
Dell Encryption Personal Installation Guide v11.9

Policies

Each policy below is listed by name, followed by the values the policy templates assign to it, the full set of allowed values where the guide gives one, and a description. The templates are: Aggressive Protection for All Fixed Drives and External Drives, PCI Regulation, Data Breach Regulation, HIPAA Regulation, Basic Protection for All Fixed Drives and Ext Drives (Default), Basic Protection for All Fixed Drives, Basic Protection for System Drive Only, Basic Protection for External Drives, and Encryption Disabled.

Fixed Storage Policies

SDE Encryption Enabled

True

False

This policy is the "master policy" for all other System Data Encryption (SDE) policies. If this policy is False, no SDE encryption takes place, regardless of other policy values.

A True value means that all data not encrypted by other Policy-Based Encryption policies is encrypted per the SDE Encryption Rules policy.

Changing the value of this policy requires a reboot.

SDE Encryption Algorithm

AES256

AES-256, AES-128

SDE Encryption Rules

Encryption rules to be used to encrypt/not encrypt certain drives, directories, and folders.

Contact Dell ProSupport for guidance if you are unsure about changing the default values.

General Settings Policies

Encryption Enabled

True

False

This policy is the "master policy" for all General Settings policies. A False value means that no encryption takes place, regardless of other policy values.

A True value means that all encryption policies are enabled.

Changing the value of this policy triggers a new sweep to encrypt/decrypt files.

Common Encrypted Folders

String - maximum of 100 entries of 500 characters each (up to a maximum of 2048 characters)

A list of folders on endpoint drives to be encrypted or excluded from encryption, which can then be accessed by all managed users who have access to the endpoint.

The available drive letters are:

#: Refers to all drives

f#: Refers to all fixed drives

r#: Refers to all removable drives

Important: Overriding directory protection can result in an unbootable computer and/or require reformatting drives.

If the same folder is specified in both this policy and the User Encrypted Folders policy, this policy prevails.
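The drive-prefix syntax (#:, f#:, r#:) and the precedence rule stated above are easy to get wrong when a folder is listed under both Common Encrypted Folders and User Encrypted Folders. The following is an added example, not Dell's code: it expands the prefixes against a constructed drive inventory, attributes each resulting path to the policy that wins, and checks the entry-count and length limits the policy states. The drive inventory and the entries in the test are constructed samples; the exclusion syntax is not covered because the guide does not show it.

```python
# Added example (not Dell's code): expand Common Encrypted Folders and
# User Encrypted Folders entries against an endpoint's drive inventory and
# apply the precedence rule stated in the policy text: when the same folder
# appears in both policies, the Common entry prevails.
# The drive inventory and entries used in the test are constructed samples.
import ntpath

# Limits stated in the policy description.
MAX_ENTRIES = 100
MAX_ENTRY_LEN = 500
MAX_TOTAL_LEN = 2048


def validate_entries(entries):
    """Return a list of limit violations for one policy's entry list (empty = OK)."""
    problems = []
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}")
    for entry in entries:
        if len(entry) > MAX_ENTRY_LEN:
            problems.append(f"entry of {len(entry)} chars exceeds {MAX_ENTRY_LEN}: {entry[:30]}...")
    total = sum(len(entry) for entry in entries)
    if total > MAX_TOTAL_LEN:
        problems.append(f"total of {total} chars exceeds {MAX_TOTAL_LEN}")
    return problems


def expand_entry(entry, drives):
    """Replace the #:, f#: and r#: drive prefixes with concrete drive letters.

    drives maps a drive letter to 'fixed' or 'removable'. An entry with an
    ordinary drive letter is returned unchanged.
    """
    lowered = entry.lower()
    if lowered.startswith("#:"):
        letters, rest = drives.keys(), entry[2:]
    elif lowered.startswith("f#:"):
        letters, rest = [d for d, kind in drives.items() if kind == "fixed"], entry[3:]
    elif lowered.startswith("r#:"):
        letters, rest = [d for d, kind in drives.items() if kind == "removable"], entry[3:]
    else:
        return [entry]
    return [f"{letter}:{rest}" for letter in sorted(letters)]


def resolve_folders(common_entries, user_entries, drives):
    """Map each concrete, case-normalised path to (policy, original entry).

    User entries are applied first and Common entries last, so a folder
    listed in both ends up attributed to the Common policy, as the text requires.
    """
    resolved = {}
    for policy, entries in (("User", user_entries), ("Common", common_entries)):
        for entry in entries:
            for path in expand_entry(entry, drives):
                resolved[ntpath.normcase(path)] = (policy, entry)
    return resolved
```

Running `validate_entries` on both lists before deployment catches the silent truncation that the 2048-character total limit would otherwise cause, and the resolved map shows which key a given folder will actually be encrypted with.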

Common Encryption Algorithm

AES256

AES-256, Rijndael 256, AES 128, Rijndael 128

System paging files are encrypted using AES-128.

Application Data Encryption List

winword.exe

excel.exe

powerpnt.exe

msaccess.exe

winproj.exe

outlook.exe

acrobat.exe

visio.exe

mspub.exe

notepad.exe

wordpad.exe

winzip.exe

winrar.exe

onenote.exe

onenotem.exe

String - maximum of 100 entries of 500 characters each

Dell recommends not adding explorer.exe or iexplorer.exe to the ADE list, as unexpected or unintended results may occur. However, explorer.exe is the process used to create a new Notepad file on the desktop using the right-click menu. Setting encryption by file extension, instead of the ADE list, provides more comprehensive coverage.

List process names of applications (without paths) whose new files you want encrypted, separated by carriage returns. Do not use wildcards.

Dell recommends not listing applications/installers that write system-critical files. Doing so could result in encryption of important system files, which could make a computer unbootable.

Common process names:

outlook.exe, winword.exe, powerpnt.exe, msaccess.exe, wordpad.exe, mspaint.exe, excel.exe

The following hard-coded system and installer process names are ignored if specified in this policy:

hotfix.exe, update.exe, setup.exe, msiexec.exe, wuauclt.exe, wmiprvse.exe, migrate.exe, unregmp2.exe, ikernel.exe, wssetup.exe, svchost.exe

Application Data Encryption Key

Common

Common or User

Choose a key to indicate who can access files encrypted by Application Data Encryption List, and where.

Common for these files to be accessible to all managed users on the endpoint where they were created (the same level of access as Common Encrypted Folders), and encrypted with the Common encryption algorithm.

User for these files to be accessible only to the user who created them, only on the endpoint where they were created (the same level of access as User Encrypted Folders), and encrypted with the User encryption algorithm.

Changes to this policy do not affect files already encrypted because of this policy.

Encrypt Outlook Personal Folders

True

False

True encrypts Outlook Personal Folders.

Encrypt Temporary Files

True

False

True encrypts the paths listed in the environment variables TEMP and TMP with the User data encryption key.

Encrypt Temporary Internet Files

True

False

True encrypts the path listed in the environment variable CSIDL_INTERNET_CACHE with the User data encryption key.

To reduce encryption sweep time, the client clears the contents of CSIDL_INTERNET_CACHE for initial encryption, as well as updates to this policy.

This policy is applicable when using Microsoft Internet Explorer only.

Encrypt User Profile Documents

True

False

True encrypts:

• The user's profile (C:\Users\jsmith) with the User data encryption key

• \Users\Public with the Common encryption key

Encrypt Windows Paging File

True

False

True encrypts the Windows paging file. A change to this policy requires a reboot.

Managed Services

String - maximum of 100 entries of 500 characters each (up to a maximum of 2048 characters)

When a service is managed by this policy, the service is started only after the user is logged in and the client is unlocked. This policy also ensures that the service managed by this policy is stopped before the client is locked during logoff. This policy can also prevent a user logoff if a service is unresponsive.

Syntax is one service name per line. Spaces in the service name are supported.

Wildcards are not supported.

Managed services are not started if an unmanaged user logs on.

Secure Post-Encryption Cleanup

Three Pass Overwrite

Single Pass Overwrite

No Overwrite

No Overwrite, Single-pass Overwrite, Three-pass Overwrite, Seven-pass Overwrite

Once folders specified via other policies in this category have been encrypted, this policy determines what happens to the unencrypted residue of the original files:

• No Overwrite deletes it. This value yields the fastest encryption processing.

• Single-pass Overwrite overwrites it with random data.

• Three-pass Overwrite overwrites it with a standard pattern of 1s and 0s, then with its complement, and then with random data.

• Seven-pass Overwrite overwrites it with a standard pattern of 1s and 0s, then with its complement, and then with random data five times. This value makes it most difficult to recover the original files from memory, and yields the most secure encryption processing.

Secure Windows Hibernation File

True

False

True

False

When enabled, the hibernation file is encrypted only when the computer enters hibernation. The client disengages protection when the computer comes out of hibernation, providing protection without impacting users or applications while the computer is in use.

Prevent Unsecured Hibernation

True

False

True

False

When enabled, the client does not allow computer hibernation if the client is unable to encrypt the hibernation data.

Workstation Scan Priority

High

Normal

Highest, High, Normal, Low, Lowest

Specifies the relative Windows priority of encrypted folder scanning.

User Encrypted Folders

String - maximum of 100 entries of 500 characters each (up to a maximum of 2048 characters)

A list of folders on the endpoint hard drive to be encrypted with the User data encryption key or excluded from encryption.

This policy applies to all drives classified by Windows as Hard Disk Drives. You cannot use this policy to encrypt drives or removable media whose type displays as Removable Disk; use EMS Encrypt External Media instead.

User Encryption Algorithm

AES256

AES 256, Rijndael 256, AES 128, Rijndael 128

Encryption algorithm used to encrypt data at the individual user level. You can specify different values for different users of the same endpoint.

User Data Encryption Key

User

Common

User

Common

User

Common or User

Choose a key to indicate who can access files encrypted by the following policies, and where:

• User Encrypted Folders

• Encrypt Outlook Personal folders

• Encrypt Temporary Files (\Documents and Settings\username\Local Settings\Temp only)

• Encrypt Temporary Internet Files

• Encrypt User Profile Documents

Select:

• Common for User Encrypted Files/Folders to be accessible by all managed users on the endpoint where they were created (the same level of access as Common Encrypted Folders), and encrypted with the Common encryption algorithm.

• User for these files to be accessible only to the user who created them, only on the endpoint where they were created (the same level of access as User Encrypted Folders), and encrypted with the User encryption algorithm.

If you elect to incorporate an encryption policy to encrypt entire disk partitions, it is recommended to use the default SDE encryption policy, rather than Common or User. This ensures that any operating system files that are encrypted are accessible during states when the managed user is not logged in.

Hardware Crypto Accelerator (supported only with v8.3 through v8.9.1 Encryption clients)

Hardware Crypto Accelerator (HCA)

False

This policy is the “master policy” for all other Hardware Crypto Accelerator (HCA) policies. If this policy is False, no HCA encryption takes place, regardless of other policy values.

HCA policies can only be used on computers equipped with a Hardware Crypto Accelerator.

Volumes Targeted for Encryption

All Fixed Volumes

All Fixed Volumes or System Volume Only

Specify which volume(s) to target for encryption.

Forensic Meta Data Available on HCA Encrypted Drive

False

True or False

When True, forensic metadata is included on the drive to facilitate forensics. Metadata included:

  • Machine ID (MCID) of the current machine
  • Device ID (DCID/SCID) of the current Encryption client installation

When False, forensic metadata is not included on the drive.

Switching from False to True triggers a re-sweep, based on the policies, to add the forensic metadata.

Allow User Approval of Secondary Drive Encryption

False

True allows users to decide if additional drives are encrypted.

Encryption Algorithm

AES256

AES-256 or AES-128

Port Control Policies

Port Control System

Disabled

Enable or Disable all Port Control System policies. If this policy is set to Disabled, no Port Control System policies are applied, regardless of the values of the other Port Control System policies.

PCS policies require a reboot before the policy takes effect.

NOTE: Blocking device operations results in device names displaying blank.

Port: Express Card Slot

Enabled

Enable, Disable, or Bypass ports exposed through the Express Card Slot.

Port: eSATA

Enabled

Enable, Disable, or Bypass port access to external SATA ports.

Port: PCMCIA

Enabled

Enable, Disable, or Bypass port access to PCMCIA ports.

Port: Firewire (1394)

Enabled

Enable, Disable, or Bypass port access to external Firewire (1394) ports.

Port: SD

Enabled

Enable, Disable, or Bypass port access to SD card ports.

Subclass Storage: External Drive Control

Blocked

Read Only

Full Access

Read Only

Full Access

CHILD of Class: Storage. Class: Storage must be set to Enabled to use this policy.

This policy has interactions with PCS. See Encryption External Media and PCS Interactions.

Full Access: External Drive port does not have read/write data restrictions applied

Read Only: Allows read capability. Write data is disabled

Blocked: Port is blocked from read/write capability

This policy is endpoint-based and cannot be overridden by user policy.

Port: Memory Transfer Device (MTD)

Enabled

Enable, Disable, or Bypass access to Memory Transfer Device (MTD) ports.

Class: Storage

Enabled

PARENT to the next 3 policies. Set this policy to Enabled to use the next 3 Subclass Storage policies. Setting this policy to Disabled disables all 3 Subclass Storage policies, no matter what their value.

Subclass Storage: Optical Drive Control

Read Only

UDF Only

Full Access

UDF Only

Full Access

CHILD of Class: Storage. Class: Storage must be set to Enabled to use this policy.

Full Access: Optical Drive port does not have read/write data restrictions applied

UDF Only: Blocks all data writes that are not in the UDF format (CD/DVD burning, ISO burning). Read data is enabled.

Read Only: Allows read capability. Write data is disabled

Blocked: Port is blocked from read/write capability

This policy is endpoint-based and cannot be overridden by user policy.

Universal Disk Format (UDF) is an implementation of the specification known as ISO/IEC 13346 and ECMA-167 and is an open vendor-neutral file system for computer data storage for a broad range of media.

This policy has interactions with PCS. See Encryption External Media and PCS Interactions.

Subclass Storage: Floppy Drive Control

Blocked

Read Only

Full Access

Read Only

Full Access

CHILD of Class: Storage. Class: Storage must be set to Enabled to use this policy.

Full Access: Floppy Drive port does not have read/write data restrictions applied

Read Only: Allows read capability. Write data is disabled

Blocked: Port is blocked from read/write capability

This policy is endpoint-based and cannot be overridden by user policy.

Class: Windows Portable Device (WPD)

Enabled

PARENT to the next policy. Set this policy to Enabled to use the Subclass Windows Portable Device (WPD): Storage policy. Setting this policy to Disabled disables the Subclass Windows Portable Device (WPD): Storage policy - no matter what its value.

Control access to all Windows Portable Devices.

Subclass Windows Portable Device (WPD): Storage

Enabled

CHILD of Class: Windows Portable Device (WPD)

Class: Windows Portable Device (WPD) must be set to Enabled to use this policy.

Full Access: Port does not have read/write data restrictions applied.

Read Only: Allows read capability. Write data is disabled.

Blocked: Port is blocked from read/write capability.

Class: Human Interface Device (HID)

Enabled

Control access to all Human Interface Devices (keyboards, mice).

Note: USB port-level blocking and HID class-level blocking are only honored if the computer chassis type can be identified as a laptop/notebook form factor. The computer's BIOS is relied on to identify the chassis.

Class: Other

Enabled

Control access to all devices not covered by other Classes.
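The PARENT/CHILD notes above mean a subclass restriction such as Blocked or Read Only is only in force when Port Control System and the parent Class policy are both Enabled. The following is an added example, not Dell's code, that resolves the effective value of each subclass policy from those rules and flags restrictions that are configured but silently inert, which is the misconfiguration an auditor most wants to spot. The policy names are the ones used in this guide; the sample configuration in the test is constructed.

```python
# Added example (not Dell's code): resolve the effective value of the
# Port Control System (PCS) subclass policies from the parent/child rules
# stated above, and flag restrictions that are silently inert because
# their parent Class policy or PCS itself is Disabled.
# Policy names are the ones in this guide; the sample configuration is constructed.

PCS_MASTER = "Port Control System"

# Child policy -> parent Class policy, as stated in the PARENT/CHILD notes.
PARENT_OF = {
    "Subclass Storage: External Drive Control": "Class: Storage",
    "Subclass Storage: Optical Drive Control": "Class: Storage",
    "Subclass Storage: Floppy Drive Control": "Class: Storage",
    "Subclass Windows Portable Device (WPD): Storage": "Class: Windows Portable Device (WPD)",
}

# Values each subclass policy accepts according to its description.
ALLOWED = {
    "Subclass Storage: External Drive Control": {"Blocked", "Read Only", "Full Access"},
    "Subclass Storage: Optical Drive Control": {"Blocked", "Read Only", "UDF Only", "Full Access"},
    "Subclass Storage: Floppy Drive Control": {"Blocked", "Read Only", "Full Access"},
    "Subclass Windows Portable Device (WPD): Storage": {"Blocked", "Read Only", "Full Access"},
}

RESTRICTIVE = {"Blocked", "Read Only", "UDF Only"}


def effective_subclass_value(policies, subclass):
    """Return (value, reason). value is None when the subclass policy is not applied."""
    if policies.get(PCS_MASTER) != "Enabled":
        return None, f"{PCS_MASTER} is Disabled: no PCS policy is applied"
    parent = PARENT_OF[subclass]
    if policies.get(parent) != "Enabled":
        return None, f"{parent} is Disabled: {subclass} is not applied regardless of its value"
    value = policies.get(subclass)
    if value not in ALLOWED[subclass]:
        raise ValueError(f"{subclass}: unsupported value {value!r}")
    return value, f"{subclass} applies as configured"


def find_inert_restrictions(policies):
    """List subclass policies configured restrictively but not actually in force.

    An administrator may believe a port class is locked down while the
    hierarchy has switched the restriction off; these are worth alerting on.
    """
    inert = []
    for subclass, parent in PARENT_OF.items():
        if policies.get(subclass) in RESTRICTIVE and (
            policies.get(PCS_MASTER) != "Enabled" or policies.get(parent) != "Enabled"
        ):
            inert.append(subclass)
    return inert


def hid_blocking_honored(bios_chassis_type):
    """Per the note on Class: HID, USB port-level and HID class-level blocking
    are honored only when the BIOS reports a laptop/notebook chassis."""
    return bios_chassis_type.strip().lower() in {"laptop", "notebook"}
```

Remember that PCS changes take effect only after a reboot, so a configuration that resolves correctly here is still not enforced until the endpoint has restarted.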

Removable Storage Policies

EMS Encrypt External Media

True

False

True

False

This policy is the "master policy" for all Removable Storage policies. A False value means that no encryption of removable storage takes place, regardless of other policy values.

A True value means that all Removable Storage encryption policies are enabled.

This policy has interactions with PCS. See Encryption External Media and PCS Interactions.

EMS Exclude CD/DVD Encryption

False

True

False encrypts CD/DVD devices.

This policy has interactions with PCS. See Encryption External Media and PCS Interactions.

EMS Access to unShielded Media

Block

Read only

Full Access

Read only

Full Access

Block, Read Only, Full Access

This policy has interactions with PCS. See Encryption External Media and PCS Interactions.

When this policy is set to Block Access, you have no access to removable storage unless it is encrypted.

Choosing either Read-Only or Full Access allows you to decide what removable storage to encrypt.

If you choose not to encrypt removable storage and this policy is set to Full Access, you have full read/write access to removable storage.

If you choose not to encrypt removable storage and this policy is set to Read-Only, you can read or delete existing files on the unencrypted removable storage, but the client does not allow any files to be edited on, or added to, the removable storage unless it is encrypted.

EMS Encryption Algorithm

AES256

AES-256, Rijndael 256, AES-128, Rijndael 128

EMS Scan External Media

True

False

True allows removable media to be scanned every time it is inserted. When this policy is False and the EMS Encrypt External Media policy is True, only new and changed files are encrypted.

A scan occurs at every insertion so that any files added to the removable media without authenticating can be caught. Files can be added to the media if authentication is declined, but encrypted data cannot be accessed. The files added are not encrypted in this case, so the next time the media is authenticated (to work with encrypted data), any files that may have been added are scanned and encrypted.

EMS Access Encrypted Data on unShielded Device

True

True allows the user to access encrypted data on removable storage whether the endpoint is encrypted or not.

EMS Device Whitelist

This policy allows the specification of removable media devices to exclude from encryption. Any removable media devices not on this list are protected. Maximum of 150 devices with a maximum of 500 characters per PNPDeviceID. Maximum of 2048 total characters allowed.

To find the PNPDeviceID for removable storage:

  1. Insert the removable storage device into an encrypted computer.
  2. Open the EMSService.log in C:\Programdata\Dell\Dell Data Protection\Encryption\EMS.
  3. Find "PNPDeviceID="

    For example: 14.03.18 18:50:06.834 [I] [Volume "F:\"] PnPDeviceID = USBSTOR\DISK&VEN_SEAGATE&PROD_USB&REV_0409\2HC015KJ&0

Specify the following in the EMS Device Whitelist policy:

VEN=Vendor (Ex: USBSTOR\DISK&VEN_SEAGATE)

PROD=Product/Model Name (Ex: &PROD_USB); also excludes from EMS Encryption all of Seagate’s USB drives; a VEN value (Ex: USBSTOR\DISK&VEN_SEAGATE) must precede this value

REV=Firmware Revision (Ex: &REV_0409); also excludes the specific model being used; VEN and PROD values must precede this value

Serial number (Ex: \2HC015KJ&0); excludes only this device; VEN, PROD, and REV values must precede this value

Allowed Delimiters: Tabs, Commas, Semicolons, Hex character 0x1E (Record separator character)
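The procedure above (read the PnPDeviceID from EMSService.log, then whitelist it at vendor, product, revision or device granularity) can be scripted. The following is an added example, not Dell's code: it extracts PnPDeviceIDs from log lines, derives the four whitelist forms from the USBSTOR\DISK&VEN_...&PROD_...&REV_...\serial layout, splits a policy string on the allowed delimiters, checks the size limits the policy states, and tests whether a device ID falls under a whitelist entry. Matching is treated as a case-insensitive prefix match, which is what the VEN, PROD, REV, serial nesting implies but which the guide does not state outright (assumption). The log line is the guide's own example; the other device IDs in the test are constructed.

```python
# Added example (not Dell's code): pull PnPDeviceIDs out of EMSService.log
# lines, build EMS Device Whitelist entries at each of the four granularities
# the policy describes, and check a device ID against a whitelist string.
# Matching is prefix-based, which is what the VEN -> PROD -> REV -> serial
# nesting implies (assumption). The IDs in the test other than the guide's own
# example are constructed.
import re

MAX_DEVICES = 150
MAX_ID_LEN = 500
MAX_TOTAL_LEN = 2048

# The log text uses "PnPDeviceID =" while the instructions say "PNPDeviceID=",
# so match case-insensitively with optional spaces around "=".
PNP_RE = re.compile(r"PnPDeviceID\s*=\s*(\S+)", re.IGNORECASE)


def extract_pnp_ids(log_lines):
    """Return every PnPDeviceID found in the given EMSService.log lines."""
    ids = []
    for line in log_lines:
        match = PNP_RE.search(line)
        if match:
            ids.append(match.group(1))
    return ids


def whitelist_entries(pnp_id):
    r"""Split USBSTOR\DISK&VEN_x&PROD_y&REV_z\serial into the nested whitelist forms."""
    head, sep, _serial = pnp_id.rpartition("\\")
    if not sep:
        raise ValueError(f"no instance/serial part in {pnp_id!r}")
    parts = head.split("&")  # ['USBSTOR\\DISK', 'VEN_...', 'PROD_...', 'REV_...']
    if len(parts) != 4:
        raise ValueError(f"unexpected PnPDeviceID layout: {pnp_id!r}")
    return {
        "vendor": "&".join(parts[:2]),    # all drives from this vendor
        "product": "&".join(parts[:3]),   # this vendor's model
        "revision": "&".join(parts[:4]),  # this model at this firmware revision
        "device": pnp_id,                 # only this physical device
    }


def parse_whitelist(policy_value):
    """Split the policy string on tabs, commas, semicolons or 0x1E."""
    return [e.strip() for e in re.split(r"[\t,;\x1e]", policy_value) if e.strip()]


def validate_whitelist(entries):
    """Return limit violations (empty list = within the limits the guide states)."""
    problems = []
    if len(entries) > MAX_DEVICES:
        problems.append(f"{len(entries)} entries exceeds {MAX_DEVICES}")
    problems += [f"entry longer than {MAX_ID_LEN}: {e[:30]}..." for e in entries if len(e) > MAX_ID_LEN]
    total = len(";".join(entries))
    if total > MAX_TOTAL_LEN:
        problems.append(f"total length {total} exceeds {MAX_TOTAL_LEN}")
    return problems


def is_whitelisted(pnp_id, entries):
    """True if any whitelist entry is a (case-insensitive) prefix of the device ID."""
    pid = pnp_id.upper()
    return any(pid.startswith(e.upper()) for e in entries)
```

Because a vendor-level entry exempts every drive from that vendor from encryption, `is_whitelisted` is a quick way to review how broad an existing whitelist really is before trusting it.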

EMS Alpha Characters Required in Password

True

True requires one or more letters in the password.

EMS Mixed Case Required in Password

True

False

True requires at least one uppercase and one lowercase letter in the password.

EMS Number of Characters Required in Password

8

6

8

1-40 characters

Minimum number of characters required in the password.

EMS Numeric Characters Required in Password

True

False

True requires one or more numeric characters in the password.

EMS Password Attempts Allowed

2

3

4

3

1-10

Number of times the user can attempt to enter the correct password.

EMS Special Characters Required in Password

True

False

True

True requires one or more special characters in the password.

EMS Cooldown Time Delay

30

0-5000 seconds

Number of seconds the user must wait between the first and second rounds of access code entry attempts.

EMS Cooldown Time Increment

30

20

10

30

10

0-5000 seconds

Incremental time to add to the previous cooldown time after each unsuccessful round of access code entry attempts.
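The EMS password policies above (alpha, mixed case, minimum length, numeric and special characters) together with EMS Password Attempts Allowed, EMS Cooldown Time Delay and EMS Cooldown Time Increment define both what a password must look like and how quickly repeated wrong entries are throttled. The following is an added example, not Dell's code: it checks a candidate password against those requirements, validates that the numeric settings fall inside the ranges the guide gives, and computes the cooldown schedule for successive failed rounds. Which characters count as "special" is not defined in the guide, so ASCII punctuation is an assumption; the policy values in the test are constructed within the stated ranges.

```python
# Added example (not Dell's code): check a candidate EMS password against the
# EMS password policies listed above and compute the cooldown schedule that
# EMS Password Attempts Allowed, EMS Cooldown Time Delay and EMS Cooldown Time
# Increment produce. The character class counted as "special" is an assumption
# (the guide does not define it); the policy values in the test are constructed
# within the ranges the guide gives.
import string

# Ranges stated in the guide: 1-40 characters, 1-10 attempts, 0-5000 seconds.
RANGES = {
    "min_length": (1, 40),
    "attempts_allowed": (1, 10),
    "cooldown_delay": (0, 5000),
    "cooldown_increment": (0, 5000),
}


def validate_policy(policy):
    """Return the settings that fall outside the ranges the guide states."""
    return [key for key, (lo, hi) in RANGES.items() if not lo <= policy[key] <= hi]


def check_ems_password(password, policy):
    """Return the unmet requirements for a password (empty list = acceptable)."""
    failures = []
    if len(password) < policy["min_length"]:
        failures.append(f"fewer than {policy['min_length']} characters")
    if policy["alpha_required"] and not any(c.isalpha() for c in password):
        failures.append("no letter")
    if policy["mixed_case_required"] and not (
        any(c.isupper() for c in password) and any(c.islower() for c in password)
    ):
        failures.append("no mix of uppercase and lowercase")
    if policy["numeric_required"] and not any(c.isdigit() for c in password):
        failures.append("no numeric character")
    # Assumption: "special character" means ASCII punctuation.
    if policy["special_required"] and not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def cooldown_schedule(policy, rounds):
    """Seconds the user must wait after each of the first `rounds` failed rounds.

    A round is `attempts_allowed` consecutive wrong entries. The first wait is
    the cooldown delay; every later round adds the increment (reading of the
    two policy descriptions above).
    """
    return [policy["cooldown_delay"] + r * policy["cooldown_increment"] for r in range(rounds)]


def attempts_before_wait(policy, rounds):
    """Total wrong entries possible before the wait that follows round `rounds`."""
    return policy["attempts_allowed"] * rounds
```

With the default-style values of 3 attempts, a 30-second delay and a 10-second increment, the waits after successive failed rounds are 30, 40, 50 and 60 seconds, which is the growth curve to keep in mind when judging how much online guessing the policy tolerates.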

EMS Encryption Rules

Encryption rules to encrypt/not encrypt certain drives, directories, and folders.

A total of 2048 characters are allowed. Space and Enter characters used to add lines between rows count as characters used. Any rules exceeding the 2048 limit are ignored.

Storage devices which incorporate multi-interface connections, such as Firewire, USB, eSATA, etc., may require the use of both Encryption External Media and encryption rules to encrypt the device. This is necessary due to differences in how the Windows operating system handles storage devices based on interface type. See How to Encrypt an iPod with Encryption External Media.

EMS Block Access to UnShieldable Media

True

False

Block access to any removable media that is less than 55 MB and thus has insufficient storage capacity to host Encryption External Media (such as a 1.44MB floppy disk).

All access is blocked if EMS and this policy are both True. If EMS Encrypt External Media is True, but this policy is False, data can be read from the unencryptable media, but write access to the media is blocked.

If EMS Encrypt External Media is False, then this policy has no effect and access to unencryptable media is not impacted.
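EMS Block Access to UnShieldable Media, EMS Access to unShielded Media and the EMS Encrypt External Media master policy interact, and the resulting read/write outcome for a given piece of media is easier to reason about as a decision function than as three separate descriptions. The following is an added example, not Dell's code, that encodes the outcomes stated in those three policy descriptions: the 55 MB threshold and the value names are the guide's; the inputs in the test are constructed. It assumes that when EMS Encrypt External Media is False nothing else in the example restricts access, and it models "encrypted media" as media the user has already authenticated to.

```python
# Added example (not Dell's code): the removable-media access outcome that
# follows from combining EMS Encrypt External Media, EMS Access to unShielded
# Media and EMS Block Access to UnShieldable Media, as described above.
# The inputs in the test are constructed; the 55 MB threshold is the one the
# guide states.

UNSHIELDABLE_LIMIT_MB = 55
UNSHIELDED_VALUES = ("Block", "Read Only", "Full Access")


def removable_media_access(ems_encrypt_external_media, unshielded_media_access,
                           block_unshieldable_media, capacity_mb, media_is_encrypted):
    """Return {'read': bool, 'write': bool, 'reason': str} for one piece of media.

    unshielded_media_access is 'Block', 'Read Only' or 'Full Access'.
    media_is_encrypted is True once the media has been EMS-encrypted and the
    user has authenticated to it.
    """
    if unshielded_media_access not in UNSHIELDED_VALUES:
        raise ValueError(f"unsupported value {unshielded_media_access!r}")

    if not ems_encrypt_external_media:
        # Master policy off: no removable-storage encryption, and the
        # unshieldable-media policy has no effect. Assumption: nothing else
        # in this example restricts access in that state.
        return {"read": True, "write": True,
                "reason": "EMS Encrypt External Media is False"}

    if capacity_mb < UNSHIELDABLE_LIMIT_MB:
        # Too small to host EMS: fully blocked if the block policy is True,
        # otherwise readable but not writable.
        if block_unshieldable_media:
            return {"read": False, "write": False,
                    "reason": "unshieldable media and EMS Block Access to UnShieldable Media is True"}
        return {"read": True, "write": False,
                "reason": "unshieldable media; reads allowed, writes blocked"}

    if media_is_encrypted:
        return {"read": True, "write": True, "reason": "media is EMS-encrypted"}

    # Unencrypted media (the user declined encryption): the unShielded policy decides.
    if unshielded_media_access == "Block":
        return {"read": False, "write": False,
                "reason": "unencrypted media and EMS Access to unShielded Media is Block"}
    if unshielded_media_access == "Read Only":
        return {"read": True, "write": False,
                "reason": "unencrypted media; existing files readable, edits and additions blocked"}
    return {"read": True, "write": True,
            "reason": "unencrypted media and EMS Access to unShielded Media is Full Access"}
```

The combination that most often surprises administrators is EMS enabled with EMS Access to unShielded Media set to Full Access: unencrypted media remains fully writable, so the encryption policy is effectively optional for the user.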

User Experience Control Policies

Force Reboot on Update

True

False

Setting the value to True causes the computer to immediately reboot to allow processing of encryption or updates related to device-based policy, such as System Data Encryption (SDE).

Length of Each Reboot Delay

5

10

20

15

The number of minutes to delay when the user chooses to delay reboot for device-based policy.

Number of Reboot Delays Allowed

1

5

3

The number of times the user is allowed to delay reboot for device-based policy.

Suppress File Contention Notification

False

This policy controls whether users see notification pop-ups if an application attempts to access a file while the client is processing it.

Display Local Encryption Processing Control

False

True

False

Setting the value to True allows the user to see a menu option in the notification area icon that allows them to pause/resume encryption/decryption (depending on what Encryption is currently doing).

Allowing a user to pause encryption could allow the user to prevent the Encryption client from fully encrypting or decrypting data per policy.

Allow Encryption Processing Only When Screen is Locked

False

User-Optional

False

True, False, User-Optional

When True, there is no encryption or decryption of data while the user is actively working. The client only processes data when the screen is locked.

User-Optional adds an option to the notification area icon allowing the user to turn this feature on or off.

When False, encryption processing occurs any time, even while the user is working.

Enabling this option significantly extends the amount of time it takes to complete encryption or decryption.

