
Dell Endpoint Security Suite Enterprise Advanced Installation Guide v3.8

Full Disk Encryption

  • Full Disk Encryption requires activation against a Dell Server running v9.8.2 or later.
  • Full Disk Encryption is not currently supported within virtualized host computers.
  • Full Disk Encryption requires a discrete hardware TPM. PTT and firmware-based TPMs are not supported at this time.
  • Third-party credential providers will not function with FDE features installed and all third-party credential providers will be disabled when the PBA is enabled.
  • The client computer must have network connectivity or an access code to activate.
  • The computer must have a wired network connection for a smartcard user to log in through pre-boot authentication for the first time.
  • Operating system Feature updates are not supported with Full Disk Encryption.
  • A wired connection is required for the PBA to communicate with the Dell Server.
  • An SED cannot be present on the target computer.
  • Full Disk Encryption is not supported with BitLocker or BitLocker Manager. Do not install Full Disk Encryption on a computer on which BitLocker or BitLocker Manager is installed.
  • Dell recommends the latest Intel Rapid Storage Technology Driver with NVMe drives.

  • Any NVMe drive that is being leveraged for PBA:
    • If the Dell device was manufactured in 2018 or later: Either RAID ON or AHCI may be leveraged with NVMe drives.
    • The BIOS boot mode must be set to Unified Extensible Firmware Interface (UEFI). Legacy operation ROMs must be disabled.
  • Any non-NVMe drive that is being leveraged for PBA:
    • BIOS SATA operation can be set to either AHCI or RAID ON.
    • The operating system crashes when switched from RAID ON > AHCI if the AHCI controller drivers are not pre-installed. For instructions on how to switch from RAID > AHCI (or conversely), see KB article 124714.

  • Full Disk Encryption management does not support dual boot configurations since it is possible to encrypt system files of the other operating system, which would interfere with its operation.
  • In-place operating system re-install is not supported. To re-install the operating system, perform a backup of the target computer, wipe the computer, install the operating system, then recover the encrypted data following established recovery procedures.

  • Direct Feature Updates from Windows 10 v1607 (Anniversary Update/Redstone 1) to Windows 10 v1903 (May 2019 Update/19H1) are not supported with FDE. Dell recommends updating the operating system to a newer Feature Update if updating to Windows 10 v1903. Any attempt to update directly from Windows 10 v1607 to v1903 results in an error message and the update is prevented.
  • All disks must be initialized and formatted before enabling Full Disk Encryption.
  • Multi-disk encryption configurations with Full Disk Encryption require the following:
    • All disks in the target system must have the following configuration:
      • Non-SED drives
      • Configured in the same boot mode
      • Initialized as GUID Partition Table (GPT)
      • Disks must be primary partitions
      • Disks must have an assigned drive letter
    • A reboot is required to encrypt new disks after initial configuration.
    • A maximum of 16 disks can be encrypted.
    • In UEFI boot mode, the operating system can be installed on any target disk.
    • In Legacy boot mode, the operating system must be installed on the first disk (Disk #0). If the operating system is not installed on the first disk, Multi-disk encryption is disabled.

      Enable Multi-Disk encryption in the Management Console. See Registry Settings to see Windows Registry values for Multi-disk encryption and multi-sweep.

    • Full Disk Encryption requires the use of the Dell custom Credential Provider to synchronize Windows password changes and data encryption keys. If you require use of third-party applications that use custom Credential Providers running on computers protected by Full Disk Encryption, you must initiate Windows password changes through the Data Security Console. For information about changing your password in the Data Security Console, see the Password chapter in the Data Security Console User Guide.
  • The master installer installs these components if not already installed on the target computer. When using the child installer, you must install these components before installing the clients.

    Prerequisite

    • Visual C++ 2017 or later Redistributable Package (x86 or x64)

    • As of January 2020, SHA1 signing certificates are no longer valid and cannot be renewed. Devices running Windows Server 2008 R2 must install Microsoft KBs https://support.microsoft.com/help/4474419 and https://support.microsoft.com/help/4490628 to validate SHA256 signing certificates on applications and installation packages.

      Applications and installation packages signed with SHA1 certificates will function, but without these updates installed an error will display on the endpoint during installation or execution of the application.

  • NOTE: A password is required with pre-boot authentication. Dell recommends a minimum password setting compliant with internal security policies.
  • NOTE: When PBA is used, the Sync All Users policy should be enabled if a computer has multiple users. Additionally, all users must have passwords. Zero-length password users will be locked out of the computer following activation.
  • NOTE: Computers protected by Full Disk Encryption must be updated to Windows 10 v1703 (Creators Update/Redstone 2) or later before updating to Windows 10 v1903 (May 2019 Update/19H1) or later. If this upgrade path is attempted, an error message displays.
NOTE: Full Disk Encryption must be configured with Encryption Algorithm set to AES-256 and Encryption Mode set to CBC.
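
The multi-disk requirements listed above can be checked before activation with a short pre-flight script. The PowerShell below is an added example, not Dell tooling or code from this guide; the function name and the record properties (Number, PartitionStyle, IsSed, DriveLetters, HasOs) are assumptions of the sketch, and SED status in particular must be supplied from your own hardware inventory.

```powershell
# Added example: evaluates the multi-disk rules from this guide against disk records.
# Property names are assumptions of this sketch. On a live system, Get-Disk
# (Number, PartitionStyle) and Get-Partition (DriveLetter) can supply most of them.
function Test-FdeMultiDiskReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $Disks,
        [Parameter(Mandatory)] [ValidateSet('UEFI', 'Legacy')] [string] $BootMode
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($Disks.Count -gt 16) {
        $findings.Add("$($Disks.Count) disks present; a maximum of 16 can be encrypted")
    }
    foreach ($d in $Disks) {
        if ($d.IsSed) {
            $findings.Add("Disk $($d.Number): SED drives are not supported")
        }
        if ($d.PartitionStyle -ne 'GPT') {
            $findings.Add("Disk $($d.Number): initialized as $($d.PartitionStyle), GPT required")
        }
        if (-not $d.DriveLetters) {
            $findings.Add("Disk $($d.Number): no drive letter assigned")
        }
    }
    # Legacy boot mode: the operating system must be on Disk 0,
    # otherwise multi-disk encryption is disabled.
    $osDisk = $Disks | Where-Object HasOs | Select-Object -First 1
    if ($BootMode -eq 'Legacy' -and $osDisk -and $osDisk.Number -ne 0) {
        $findings.Add("OS is on Disk $($osDisk.Number); Legacy boot mode requires Disk 0")
    }
    [pscustomobject]@{ Ready = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample inventory (not taken from a real machine).
$sample = @(
    [pscustomobject]@{ Number = 0; PartitionStyle = 'GPT'; IsSed = $false; DriveLetters = @('D'); HasOs = $false }
    [pscustomobject]@{ Number = 1; PartitionStyle = 'MBR'; IsSed = $false; DriveLetters = @('C'); HasOs = $true }
    [pscustomobject]@{ Number = 2; PartitionStyle = 'GPT'; IsSed = $true;  DriveLetters = @();    HasOs = $false }
)
$result = Test-FdeMultiDiskReadiness -Disks $sample -BootMode Legacy
$result.Findings
```

The sketch does not cover the "same boot mode" and "primary partitions" requirements, which need to be confirmed separately.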

Hardware

  • The following table details supported hardware.

    Optional Embedded Hardware

    • TPM 1.2 or 2.0

Authentication Options with Full Disk Encryption Client

  • Specific hardware is required to use smart cards and to authenticate on UEFI computers. Configuration is required to use smart cards with pre-boot authentication. The following tables show authentication options available by operating system, when hardware and configuration requirements are met.

UEFI

PBA - on supported Dell Computers

Password

Fingerprint

Contacted Smart card

SIPR Card

Windows 10

X1

X1

Windows 11

X1

X1

1. Available with supported UEFI computers.

Dell Computer Models Supported with UEFI Boot Mode

  • For the most up-to-date list of platforms supported with the Full Disk Encryption, see KB article 126855.

  • For a list of docking stations and adapters supported with Full Disk Encryption, see KB article 124241.

Operating Systems

  • The following table details supported operating systems.

    Windows Operating Systems (64-bit)

