Advanced Authentication - The Advanced Authentication product provides smart card reader
options. Advanced Authentication helps manage these multiple
authentication methods, supports login with self-encrypting drives, SSO, and
manages user credentials and passwords.
Encryption Administrator Password (EAP) - The EAP is an administrative
password that is unique to each computer. Most configuration changes made in
the local Management Console require this password. This password is also the
same password that is required to use your
LSARecovery_[hostname].exe file to recover data. Record and save this
password in a safe place.
Encryption Client - The Encryption client is the on-device component
that enforces security policies, whether an endpoint is connected to the
network, disconnected from the network, lost, or stolen. Creating a trusted
computing environment for endpoints, the Encryption client operates as a layer
on top of the device operating system, and provides consistently-enforced
authentication, encryption, and authorization to maximize the protection of
sensitive information.
Encryption keys - In most cases, Encryption uses the User encryption
key plus two additional encryption keys. However, there are exceptions: All SDE
policies and the Secure Windows Credentials policy use the SDE key. The Encrypt
Windows Paging File policy and Secure Windows Hibernation File policy use their
own key, the General Purpose Key (GPK). The Common encryption key makes files accessible
to all managed users on the device where they were created. The User encryption key makes
files accessible only to the user who created them, only on the device where
they were created. The User Roaming encryption key makes files accessible only to the user
who created them, on any encrypted Windows or Mac device.
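The three key scopes above (Common, User, User Roaming) differ only in who may open a file and on which device. The model below is an added example, not Dell Encryption code: the key names follow the glossary, the access rule is a simplification of the stated scope, and the `EncryptedFile`, `Principal`, `can_open` and `narrowest_key` names and the sample records are constructed for illustration. The selector goes slightly beyond the text by choosing the least-permissive key for a stated need.

```python
"""Model of the Common / User / User Roaming encryption key scopes.

Added example, not product code. The key names come from the glossary; the
data classes, function names and sample values are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class KeyType(Enum):
    COMMON = "common"                # all managed users, originating device only
    USER = "user"                    # creating user, originating device only
    USER_ROAMING = "user_roaming"    # creating user, any encrypted device


@dataclass(frozen=True)
class EncryptedFile:
    key: KeyType
    creator: str          # user who created the file
    origin_device: str    # device on which it was created


@dataclass(frozen=True)
class Principal:
    user: str
    device: str
    managed: bool = True            # user is managed by the Encryption client
    device_encrypted: bool = True   # device runs the Encryption client


def can_open(f: EncryptedFile, p: Principal) -> bool:
    """Return True if principal p can unlock file f under the scope of its key."""
    # Every scope presupposes a managed user on an encrypted device.
    if not (p.managed and p.device_encrypted):
        return False
    if f.key is KeyType.COMMON:
        # Any managed user, but only where the file was created.
        return p.device == f.origin_device
    if f.key is KeyType.USER:
        # Only the creator, and only where the file was created.
        return p.user == f.creator and p.device == f.origin_device
    if f.key is KeyType.USER_ROAMING:
        # Only the creator, on any encrypted device.
        return p.user == f.creator
    raise ValueError(f"unknown key type {f.key!r}")


def narrowest_key(share_with_others: bool, needs_roaming: bool) -> KeyType:
    """Pick the least-permissive key that meets the stated need (hypothetical helper).

    None of the three keys grants both sharing with other users and roaming,
    so that combination is rejected rather than silently widened.
    """
    if share_with_others and needs_roaming:
        raise ValueError("no key scope grants both sharing and roaming")
    if share_with_others:
        return KeyType.COMMON
    if needs_roaming:
        return KeyType.USER_ROAMING
    return KeyType.USER


if __name__ == "__main__":
    # Constructed sample: a file Alice created on laptop-1, checked from laptop-2.
    report = EncryptedFile(KeyType.USER_ROAMING, "alice", "laptop-1")
    print(can_open(report, Principal("alice", "laptop-2")))   # True
    print(can_open(report, Principal("bob", "laptop-1")))     # False
```

Reading the selector together with `can_open` makes the trade-off explicit: Common widens the audience but stays device-bound, User Roaming follows the user but no one else, and User is the default when neither is required.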
Encryption sweep - The process of scanning folders to be encrypted to ensure the contained files are in the proper encryption state. Ordinary file creation and rename operations do not trigger an encryption sweep. It is important to understand when an encryption sweep may happen and what may affect the resulting sweep times, as follows:
- An encryption sweep occurs upon initial receipt of a policy that has encryption enabled. This can occur immediately after activation if your policy has encryption enabled.
- If the Scan Workstation on Logon policy is enabled, folders specified for encryption are swept on each user logon.
- A sweep can be re-triggered under certain subsequent policy changes. Any policy change related to the definition of the encryption folders, encryption algorithms, or encryption key usage (common versus user) triggers a sweep. In addition, toggling between encryption enabled and disabled triggers an encryption sweep.
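The trigger conditions above can be checked mechanically when a policy update arrives, which is useful for predicting sweep times before rolling out a change. The function below is an added example, not Dell Encryption code: the conditions are the ones listed in the entry, while the policy field names (`encryption_enabled`, `encryption_folders`, `algorithm`, `key_usage`, `scan_workstation_on_logon`), the `sweep_reason` name and the sample policies are constructed assumptions.

```python
"""Decide whether applying a policy update re-triggers an encryption sweep.

Added example, not product code. The trigger rules follow the glossary entry;
the policy field names and sample values are constructed assumptions.
"""
from typing import Any, Optional

# Policy fields whose change re-triggers a sweep: folder definitions,
# encryption algorithms and key usage (common versus user).
SWEEP_TRIGGER_FIELDS = ("encryption_folders", "algorithm", "key_usage")


def _normalize(value: Any) -> Any:
    """Compare folder lists as sets so reordering alone does not count as a change."""
    if isinstance(value, (list, tuple, set)):
        return frozenset(value)
    return value


def sweep_reason(old: Optional[dict], new: dict, logon: bool = False) -> Optional[str]:
    """Return why a sweep would run after applying `new`, or None if it would not.

    old   -- the previously applied policy, or None on first receipt (activation)
    new   -- the incoming policy
    logon -- True when evaluating at a user logon rather than on policy receipt
    """
    # Initial receipt: a sweep runs only if encryption is enabled.
    if old is None:
        return "initial policy with encryption enabled" if new.get("encryption_enabled") else None
    # Toggling enabled/disabled in either direction triggers a sweep.
    if bool(old.get("encryption_enabled")) != bool(new.get("encryption_enabled")):
        return "encryption toggled"
    # With encryption disabled and unchanged there is nothing to sweep.
    if not new.get("encryption_enabled"):
        return None
    # Changes to folder definitions, algorithms or key usage re-trigger a sweep.
    for field in SWEEP_TRIGGER_FIELDS:
        if _normalize(old.get(field)) != _normalize(new.get(field)):
            return f"{field} changed"
    # Scan Workstation on Logon sweeps the encryption folders at each logon.
    if logon and new.get("scan_workstation_on_logon"):
        return "Scan Workstation on Logon"
    return None


if __name__ == "__main__":
    # Constructed sample policy (placeholder folder names, not product defaults).
    current = {
        "encryption_enabled": True,
        "encryption_folders": ["Documents", "Desktop"],
        "algorithm": "AES-256",
        "key_usage": "user",
        "scan_workstation_on_logon": False,
    }
    proposed = {**current, "key_usage": "common"}
    print(sweep_reason(current, proposed))   # key_usage changed
```

Because folder lists are compared as sets, only a real change to which folders are covered counts; a policy that merely lists the same folders in a different order is not reported as a trigger.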
Pre-boot Authentication (PBA) - Pre-boot Authentication serves as an
extension of the BIOS or boot firmware and guarantees a secure, tamper-proof
environment external to the operating system as a trusted authentication layer.
The PBA prevents anything being read from the hard disk, such as the operating
system, until the user has confirmed they have the correct credentials.
Single Sign-On (SSO) - SSO simplifies the logon process when
multi-factor authentication is enabled at both preboot and Windows logon. If
enabled, authentication is required at preboot only, and users are
automatically logged on to Windows. If not enabled, authentication may be
required multiple times.
System Data Encryption (SDE) - SDE is designed to encrypt the
operating system and program files. To accomplish this purpose, SDE must be
able to open its key while the operating system is booting. Its intent is to
prevent alteration or offline attacks on the operating system by an attacker.
SDE is not intended for user data. Common and User key encryption are intended
for sensitive user data because they require a user password to unlock
encryption keys. SDE policies do not encrypt the files needed by the operating
system to start the boot process. SDE policies do not require preboot
authentication or interfere with the Master Boot Record in any way. When the
computer boots up, the encrypted files are available before any user logs in
(to enable patch management, SMS, backup and recovery tools). Disabling SDE triggers automatic decryption of all SDE encrypted files and
directories for the relevant users, regardless of other SDE policy values, such as
SDE Encryption Rules.
Trusted Platform Module (TPM) - TPM is a security chip with three
major functions: secure storage, measurement, and attestation. The Encryption
client uses TPM for its secure storage function. The TPM can also provide
encrypted containers for the software vault.