Fixed Storage Policies
SDE Encryption Enabled
This policy is the "master policy" for all other System Data Encryption (SDE) policies. If this policy is False, no SDE encryption takes place, regardless of other policy values.
A True value means that all data not encrypted by other Policy-Based Encryption policies is encrypted per the SDE Encryption Rules policy.
Changing the value of this policy requires a reboot.
SDE Encryption Algorithm
AES-256, AES-128
SDE Encryption Rules
Encryption rules to be used to encrypt/not encrypt certain drives, directories, and folders.
Contact Dell ProSupport for guidance if you are unsure about changing the default values.
General Settings Policies
Encryption Enabled
This policy is the "master policy" for all General Settings policies. A False value means that no encryption takes place, regardless of other policy values.
A True value means that all encryption policies are enabled.
Changing the value of this policy triggers a new sweep to encrypt/decrypt files.
Common Encrypted Folders
String - maximum of 100 entries of 500 characters each (up to a maximum of 2048 characters)
A list of folders on endpoint drives to be encrypted or excluded from encryption, which can then be accessed by all managed users who have access to the endpoint.
The available drive letters are:
#: Refers to all drives
f#: Refers to all fixed drives
r#: Refers to all removable drives
Important: Overriding directory protection can result in an unbootable computer and/or require reformatting drives.
If the same folder is specified in both this policy and the User Encrypted Folders policy, this policy prevails.
Common Encryption Algorithm
AES-256, Rijndael 256, AES-128, Rijndael 128
System paging files are encrypted using AES-128.
Application Data Encryption List
String - maximum of 100 entries of 500 characters each
Dell recommends not adding explorer.exe or iexplore.exe to the ADE list, as unexpected or unintended results may occur. Note, however, that explorer.exe is the process that creates a new file (for example a new text document) from the desktop right-click menu, so files created that way are not covered by the ADE list. Setting encryption by file extension, instead of by the ADE list, provides more comprehensive coverage.
List process names of applications (without paths) whose new files you want encrypted, separated by carriage returns. Do not use wildcards.
Dell recommends not listing applications/installers that write system-critical files. Doing so could result in encryption of important system files, which could make a computer unbootable.
Common process names:
outlook.exe, winword.exe, powerpnt.exe, msaccess.exe, wordpad.exe, mspaint.exe, excel.exe
The following hard-coded system and installer process names are ignored if specified in this policy:
hotfix.exe, update.exe, setup.exe, msiexec.exe, wuauclt.exe, wmiprvse.exe, migrate.exe, unregmp2.exe, ikernel.exe, wssetup.exe, svchost.exe
Application Data Encryption Key
Common or User
Choose a key to indicate who can access files encrypted by Application Data Encryption List, and where.
Common for these files to be accessible to all managed users on the endpoint where they were created (the same level of access as Common Encrypted Folders), and encrypted with the Common encryption algorithm.
User for these files to be accessible only to the user who created them, only on the endpoint where they were created (the same level of access as User Encrypted Folders), and encrypted with the User encryption algorithm.
Changes to this policy do not affect files already encrypted because of this policy.
Encrypt Outlook Personal Folders
True encrypts Outlook Personal Folders.
Encrypt Temporary Files
True encrypts the paths listed in the environment variables TEMP and TMP with the User data encryption key.
Encrypt Temporary Internet Files
True encrypts the path identified by the CSIDL_INTERNET_CACHE shell folder (the Temporary Internet Files folder) with the User data encryption key.
To reduce encryption sweep time, the client clears the contents of CSIDL_INTERNET_CACHE for initial encryption, as well as updates to this policy.
This policy is applicable when using Microsoft Internet Explorer only.
Encrypt User Profile Documents
True encrypts:
• The user's profile (for example C:\Users\jsmith) with the User data encryption key
• \Users\Public with the Common encryption key
Encrypt Windows Paging File
True encrypts the Windows paging file. A change to this policy requires a reboot.
Managed Services
String - maximum of 100 entries of 500 characters each (up to a maximum of 2048 characters)
When a service is managed by this policy, the service is started only after the user is logged in and the client is unlocked. This policy also ensures that the service managed by this policy is stopped before the client is locked during logoff. This policy can also prevent a user logoff if a service is unresponsive.
Syntax is one service name per line. Spaces in the service name are supported.
Wildcards are not supported.
Managed services are not started if an unmanaged user logs on.
Secure Post-Encryption Cleanup
No Overwrite, Single-pass Overwrite, Three-pass Overwrite, Seven-pass Overwrite
Once folders specified via other policies in this category have been encrypted, this policy determines what happens to the unencrypted residue of the original files:
• No Overwrite deletes it. This value yields the fastest encryption processing.
• Single-pass Overwrite overwrites it with random data.
• Three-pass Overwrite overwrites it with a standard pattern of 1s and 0s, then with its complement, and then with random data.
• Seven-pass Overwrite overwrites it with a standard pattern of 1s and 0s, then with its complement, and then with random data five times. This value makes it most difficult to recover the original files from the disk, and yields the most secure cleanup.
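The following is an added example, not code from the Dell documentation or the Encryption client, showing the four cleanup levels above applied to a file's unencrypted residue. The 0x55/0xAA bytes chosen for the "standard pattern" and its complement, the chunk size, and the function names are this example's assumptions; the page does not state what bytes the client writes.

```python
import os
import secrets
import tempfile

# Assumed byte values for the "standard pattern of 1s and 0s" and its complement.
PATTERN_BYTE = b"\x55"      # 01010101
COMPLEMENT_BYTE = b"\xAA"   # 10101010
CHUNK = 64 * 1024           # write size per iteration, an implementation choice

# Pass schedules exactly as the policy text describes each value.
SCHEDULES = {
    "No Overwrite": [],
    "Single-pass Overwrite": ["random"],
    "Three-pass Overwrite": ["pattern", "complement", "random"],
    "Seven-pass Overwrite": ["pattern", "complement"] + ["random"] * 5,
}


def pass_schedule(level):
    """Return the ordered list of overwrite passes for a policy value."""
    try:
        return list(SCHEDULES[level])
    except KeyError:
        raise ValueError("unknown Secure Post-Encryption Cleanup value: %r" % level)


def _fill(kind, n):
    """Produce n bytes for one pass of the given kind."""
    if kind == "pattern":
        return PATTERN_BYTE * n
    if kind == "complement":
        return COMPLEMENT_BYTE * n
    return secrets.token_bytes(n)


def overwrite_and_delete(path, level):
    """Overwrite the file in place per the schedule, fsync after each pass, then unlink.

    Returns the number of passes written. "No Overwrite" only unlinks the file,
    which is fastest but leaves its content on the disk until reused.
    """
    schedule = pass_schedule(level)
    size = os.path.getsize(path)
    if schedule and size:
        with open(path, "r+b") as f:
            for kind in schedule:
                f.seek(0)
                remaining = size
                while remaining:
                    n = min(CHUNK, remaining)
                    f.write(_fill(kind, n))
                    remaining -= n
                f.flush()
                os.fsync(f.fileno())   # push this pass to the device before the next one
    os.remove(path)
    return len(schedule)


def demo_cleanup(level, size=200_000):
    """Create a throwaway file of about `size` bytes (constructed input), clean it
    up under `level`, and return (passes_written, file_still_exists)."""
    fd, path = tempfile.mkstemp(prefix="sde_residue_")
    with os.fdopen(fd, "wb") as f:
        f.write(b"plaintext residue " * (size // 18 + 1))
    passes = overwrite_and_delete(path, level)
    return passes, os.path.exists(path)


if __name__ == "__main__":
    for level in SCHEDULES:
        print(level, demo_cleanup(level))
```

Overwriting only helps where a logical write lands on the same physical location as the original data. On SSDs with wear levelling, and on copy-on-write or journaling file systems, copies of the plaintext can survive any number of passes, so the overwrite level is a cleanup measure for the residue of the initial sweep, not a substitute for the data having been encrypted in the first place.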
Secure Windows Hibernation File
When enabled, the hibernation file is encrypted only when the computer enters hibernation. The client disengages protection when the computer comes out of hibernation, providing protection without impacting users or applications while the computer is in use.
Prevent Unsecured Hibernation
When enabled, the client does not allow computer hibernation if the client is unable to encrypt the hibernation data.
Workstation Scan Priority
Highest, High, Normal, Low, Lowest
Specifies the relative Windows priority of encrypted folder scanning.
User Encrypted Folders
String - maximum of 100 entries of 500 characters each (up to a maximum of 2048 characters)
A list of folders on the endpoint hard drive to be encrypted with the User data encryption key or excluded from encryption.
This policy applies to all drives classified by Windows as Hard Disk Drives. You cannot use this policy to encrypt drives or removable media whose type displays as Removable Disk; use EMS Encrypt External Media instead.
User Encryption Algorithm
AES-256, Rijndael 256, AES-128, Rijndael 128
Encryption algorithm used to encrypt data at the individual user level. You can specify different values for different users of the same endpoint.
User Data Encryption Key
Common or User
Choose a key to indicate who can access files encrypted by the following policies, and where:
• User Encrypted Folders
• Encrypt Outlook Personal folders
• Encrypt Temporary Files (\Documents and Settings\username\Local Settings\Temp only)
• Encrypt Temporary Internet Files
• Encrypt User Profile Documents
• Common for User Encrypted Files/Folders to be accessible by all managed users on the endpoint where they were created (the same level of access as Common Encrypted Folders), and encrypted with the Common encryption algorithm.
• User for these files to be accessible only to the user who created them, only on the endpoint where they were created (the same level of access as User Encrypted Folders), and encrypted with the User encryption algorithm.
If you elect to incorporate an encryption policy to encrypt entire disk partitions, it is recommended to use the default SDE encryption policy, rather than Common or User. This ensures that any operating system files that are encrypted are accessible during states when the managed user is not logged in.
Hardware Crypto Accelerator (supported only with v8.3 through v8.9.1 Encryption clients)
Hardware Crypto Accelerator (HCA)
This policy is the “master policy” for all other Hardware Crypto Accelerator (HCA) policies. If this policy is False, no HCA encryption takes place, regardless of other policy values.
HCA policies can only be used on computers equipped with a Hardware Crypto Accelerator.
Volumes Targeted for Encryption
All Fixed Volumes or System Volume Only
Specify which volume(s) to target for encryption.
Forensic Meta Data Available on HCA Encrypted Drive
True or False
When True, forensic metadata is included on the drive to facilitate forensics. Metadata included:
- Machine ID (MCID) of the current machine
- Device ID (DCID/SCID) of the current Encryption client installation
When False, forensic metadata is not included on the drive.
Switching from False to True triggers a re-sweep, based on the policies, to add the forensic metadata.
Allow User Approval of Secondary Drive Encryption
True allows users to decide if additional drives are encrypted.
Encryption Algorithm
AES-256 or AES-128
Port Control Policies
Port Control System
Enable or Disable all Port Control System policies. If this policy is set to Disable, no Port Control System policies are applied, regardless of the other Port Control System policy values.
PCS policies require a reboot before the policy takes effect.
NOTE: Blocking device operations results in device names displaying as blank.
Port: Express Card Slot
Enable, Disable, or Bypass ports exposed through the Express Card Slot.
Port: eSATA
Enable, Disable, or Bypass port access to external SATA ports.
Port: PCMCIA
Enable, Disable, or Bypass port access to PCMCIA ports.
Port: Firewire (1394)
Enable, Disable, or Bypass port access to external Firewire (1394) ports.
Port: SD
Enable, Disable, or Bypass port access to SD card ports.
Subclass Storage: External Drive Control
Blocked, Read Only, Full Access
CHILD of Class: Storage. Class: Storage must be set to Enabled to use this policy.
This policy has interactions with PCS. See Encryption External Media and PCS Interactions.
Full Access: External Drive port does not have read/write data restrictions applied
Read Only: Allows read capability. Write data is disabled
Blocked: Port is blocked from read/write capability
This policy is endpoint-based and cannot be overridden by user policy.
Port: Memory Transfer Device (MTD)
Enable, Disable, or Bypass access to Memory Transfer Device (MTD) ports.
Class: Storage
PARENT to the next 3 policies. Set this policy to Enabled to use the next 3 Subclass Storage policies. Setting this policy to Disabled disables all 3 Subclass Storage policies, no matter what their values.
Subclass Storage: Optical Drive Control
Blocked, Read Only, UDF Only, Full Access
CHILD of Class: Storage. Class: Storage must be set to Enabled to use this policy.
Full Access: Optical Drive port does not have read/write data restrictions applied
UDF Only: Blocks all data writes that are not in the UDF format (CD/DVD burning, ISO burning). Read data is enabled.
Read Only: Allows read capability. Write data is disabled
Blocked: Port is blocked from read/write capability
This policy is endpoint-based and cannot be overridden by user policy.
Universal Disk Format (UDF) is an implementation of the specification known as ISO/IEC 13346 and ECMA-167 and is an open vendor-neutral file system for computer data storage for a broad range of media.
This policy has interactions with PCS. See Encryption External Media and PCS Interactions.
Subclass Storage: Floppy Drive Control
Blocked, Read Only, Full Access
CHILD of Class: Storage. Class: Storage must be set to Enabled to use this policy.
Full Access: Floppy Drive port does not have read/write data restrictions applied
Read Only: Allows read capability. Write data is disabled
Blocked: Port is blocked from read/write capability
This policy is endpoint-based and cannot be overridden by user policy.
Class: Windows Portable Device (WPD)
PARENT to the next policy. Set this policy to Enabled to use the Subclass Windows Portable Device (WPD): Storage policy. Setting this policy to Disabled disables the Subclass Windows Portable Device (WPD): Storage policy - no matter what its value.
Control access to all Windows Portable Devices.
Subclass Windows Portable Device (WPD): Storage
Blocked, Read Only, Full Access
CHILD of Class: Windows Portable Device (WPD). Class: Windows Portable Device (WPD) must be set to Enabled to use this policy.
Full Access: Port does not have read/write data restrictions applied.
Read Only: Allows read capability. Write data is disabled.
Blocked: Port is blocked from read/write capability.
Class: Human Interface Device (HID)
Control access to all Human Interface Devices (keyboards, mice).
Note: USB port-level blocking and HID class-level blocking is only honored if the computer chassis type can be identified as a laptop/notebook form-factor. The computer's BIOS is relied on for the identification of the chassis.
Class: Other
Control access to all devices not covered by other Classes.
Removable Storage Policies
EMS Encrypt External Media
This policy is the "master policy" for all Removable Storage policies. A False value means that no encryption of removable storage takes place, regardless of other policy values.
A True value means that all Removable Storage encryption policies are enabled.
This policy has interactions with PCS. See Encryption External Media and PCS Interactions.
EMS Exclude CD/DVD Encryption
False encrypts CD/DVD devices.
This policy has interactions with PCS. See Encryption External Media and PCS Interactions.
EMS Access to unShielded Media
Block, Read Only, Full Access
This policy has interactions with PCS. See Encryption External Media and PCS Interactions.
When this policy is set to Block, you have no access to removable storage unless it is encrypted.
Choosing either Read Only or Full Access allows you to decide what removable storage to encrypt.
If you choose not to encrypt removable storage and this policy is set to Full Access, you have full read/write access to the unencrypted removable storage.
If you choose not to encrypt removable storage and this policy is set to Read Only, you can read or delete existing files on the unencrypted removable storage, but the client does not allow any files to be edited on, or added to, the removable storage unless it is encrypted.
EMS Encryption Algorithm
AES-256, Rijndael 256, AES-128, Rijndael 128
EMS Scan External Media
True allows removable media to be scanned every time it is inserted. When this policy is False and the EMS Encrypt External Media policy is True, only new and changed files are encrypted.
A scan occurs at every insertion so that any files added to the removable media without authenticating can be caught. Files can be added to the media if authentication is declined, but encrypted data cannot be accessed. The files added are not encrypted in this case, so the next time the media is authenticated (to work with encrypted data), any files that may have been added are scanned and encrypted.
EMS Access Encrypted Data on unShielded Device
True allows the user to access encrypted data on removable storage whether the endpoint is encrypted or not.
EMS Device Whitelist
This policy allows the specification of removable media devices to exclude from encryption. Any removable media devices not on this list are protected. Maximum of 150 devices with a maximum of 500 characters per PNPDeviceID. Maximum of 2048 total characters allowed.
To find the PNPDeviceID for removable storage:
- Insert the removable storage device into an Encrypted computer.
- Open EMSService.log in C:\ProgramData\Dell\Dell Data Protection\Encryption\EMS.
- Find "PnPDeviceID".
For example: 14.03.18 18:50:06.834 [I] [Volume "F:\"] PnPDeviceID = USBSTOR\DISK&VEN_SEAGATE&PROD_USB&REV_0409\2HC015KJ&0
Specify the following in the EMS Device Whitelist policy, from broadest to narrowest:
VEN=Vendor (Ex: USBSTOR\DISK&VEN_SEAGATE); excludes all of Seagate's drives from EMS encryption
PROD=Product/Model Name (Ex: &PROD_USB); narrows the exclusion to that Seagate model; a VEN value must precede this value
REV=Firmware Revision (Ex: &REV_0409); narrows the exclusion to that model at that firmware revision; VEN and PROD values must precede this value
Serial number (Ex: \2HC015KJ&0); excludes only this one device; VEN, PROD, and REV values must precede this value
Allowed Delimiters: Tabs, Commas, Semi colons, Hex character 0x1E (Record separator character)
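As an added example (not code from the Dell documentation or the Encryption client), the script below pulls PnPDeviceID values out of an EMSService.log excerpt, splits a whitelist policy value on the delimiters listed above, enforces the documented size limits and the VEN, PROD, REV, serial ordering, and decides which volumes the whitelist excludes from encryption. The log lines are constructed, and the matching rule (an entry excludes a device when it is a case-insensitive prefix of the device's PNPDeviceID, which is what the narrowing hierarchy implies) is this example's assumption about the client's behaviour.

```python
import re

# Constructed EMSService.log excerpt (not from a real system), in the format
# the documentation quotes. Volumes F: and G: are the same Seagate model at
# two firmware revisions; H: and I: are two Kingston sticks of one model.
SAMPLE_LOG = r"""
14.03.18 18:50:06.834 [I] [Volume "F:\"] PnPDeviceID = USBSTOR\DISK&VEN_SEAGATE&PROD_USB&REV_0409\2HC015KJ&0
14.03.18 18:52:11.102 [I] [Volume "G:\"] PnPDeviceID = USBSTOR\DISK&VEN_SEAGATE&PROD_USB&REV_0410\9XK11AB2&0
14.03.18 18:55:40.771 [I] [Volume "H:\"] PnPDeviceID = USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\0012345&0
14.03.18 18:57:02.009 [I] [Volume "I:\"] PnPDeviceID = USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\0099999&0
"""

PNP_RE = re.compile(r'\[Volume "(?P<volume>[A-Za-z]:\\)"\] PnPDeviceID = (?P<id>\S+)')

# Delimiters the policy accepts between entries: tab, comma, semicolon, 0x1E.
ENTRY_DELIMS = re.compile("[\t,;\x1e]")
MAX_ENTRIES, MAX_ENTRY_LEN, MAX_TOTAL = 150, 500, 2048

# Example policy value (assumed): all Seagate "USB" model drives, plus one
# specific Kingston stick identified down to its serial number.
POLICY = ("USBSTOR\\DISK&VEN_SEAGATE&PROD_USB;"
          "USBSTOR\\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\\0012345&0")


def parse_pnp_ids(log_text):
    """Map each volume seen in the log to its PNPDeviceID (last occurrence wins)."""
    return {m.group("volume"): m.group("id") for m in PNP_RE.finditer(log_text)}


def entry_scope(entry):
    """Classify an entry as vendor / model / revision / device and reject entries
    that skip a level or put the components out of order."""
    up = entry.upper()
    ven, prod, rev = up.find("&VEN_"), up.find("&PROD_"), up.find("&REV_")
    if ven < 0:
        raise ValueError("entry needs a VEN value: %r" % entry)
    if rev >= 0 and prod < 0:
        raise ValueError("REV requires VEN and PROD before it: %r" % entry)
    if (prod >= 0 and prod < ven) or (rev >= 0 and rev < prod):
        raise ValueError("components out of order (VEN, PROD, REV): %r" % entry)
    if rev >= 0 and "\\" in up[rev:]:   # a serial number follows the REV component
        return "device"
    if rev >= 0:
        return "revision"
    if prod >= 0:
        return "model"
    return "vendor"


def parse_whitelist(policy_value):
    """Split a policy value into entries and enforce the documented limits."""
    if len(policy_value) > MAX_TOTAL:
        raise ValueError("whitelist exceeds %d characters" % MAX_TOTAL)
    entries = [e.strip() for e in ENTRY_DELIMS.split(policy_value) if e.strip()]
    if len(entries) > MAX_ENTRIES:
        raise ValueError("more than %d entries" % MAX_ENTRIES)
    for e in entries:
        if len(e) > MAX_ENTRY_LEN:
            raise ValueError("entry longer than %d characters: %r" % (MAX_ENTRY_LEN, e))
        entry_scope(e)   # validates the VEN -> PROD -> REV -> serial ordering
    return entries


def is_whitelisted(pnp_id, entries):
    """Assumed matching rule: an entry excludes a device when it is a
    case-insensitive prefix of the device's PNPDeviceID."""
    target = pnp_id.upper()
    return any(target.startswith(e.upper()) for e in entries)


def classify_volumes(log_text, policy_value):
    """For each volume in the log, report whether the whitelist leaves it unencrypted."""
    entries = parse_whitelist(policy_value)
    return {vol: is_whitelisted(pid, entries) for vol, pid in parse_pnp_ids(log_text).items()}


if __name__ == "__main__":
    for vol, excluded in classify_volumes(SAMPLE_LOG, POLICY).items():
        print(vol, "whitelisted (not encrypted)" if excluded else "encrypted by EMS")
```

Under prefix matching, an entry that ends in the middle of a component (for example &PROD_USB) also matches longer product names such as &PROD_USB3; end the entry at a component boundary, or include the next component, when you mean one exact model.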
EMS Alpha Characters Required in Password
True requires one or more letters in the password.
EMS Mixed Case Required in Password
True requires at least one uppercase and one lowercase letter in the password.
EMS Number of Characters Required in Password
1-40 characters
Minimum number of characters required in the password.
EMS Numeric Characters Required in Password
True requires one or more numeric characters in the password.
EMS Password Attempts Allowed
Number of times the user can attempt to enter the correct password.
EMS Special Characters Required in Password
True requires one or more special characters in the password.
EMS Cooldown Time Delay
0-5000 seconds
Number of seconds the user must wait between the first and second rounds of access code entry attempts.
EMS Cooldown Time Increment
0-5000 seconds
Incremental time to add to the previous cooldown time after each unsuccessful round of access code entry attempts.
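As an added example (not code from the Dell documentation or the Encryption client), the class below models the EMS password-composition policies and the attempt/cooldown policies described above so that an administrator can see what a given configuration actually enforces. The default values, the choice of string.punctuation as the "special characters" set, and the cooldown formula (no wait before the first round, the Cooldown Time Delay before the second, and the Increment added once per further unsuccessful round) are this example's reading of the policy text, not documented client behaviour.

```python
import string


class EmsPasswordPolicy:
    """Model of the EMS password and cooldown policies for removable media."""

    def __init__(self, min_length=8, alpha_required=True, mixed_case_required=True,
                 numeric_required=True, special_required=True,
                 attempts_allowed=3, cooldown_delay=30, cooldown_increment=30):
        # Ranges documented for the policies: 1-40 characters, 0-5000 seconds.
        if not 1 <= min_length <= 40:
            raise ValueError("EMS Number of Characters Required in Password must be 1-40")
        if not 0 <= cooldown_delay <= 5000 or not 0 <= cooldown_increment <= 5000:
            raise ValueError("cooldown values must be 0-5000 seconds")
        if attempts_allowed < 1:
            raise ValueError("EMS Password Attempts Allowed must be at least 1")
        self.min_length = min_length
        self.alpha_required = alpha_required
        self.mixed_case_required = mixed_case_required
        self.numeric_required = numeric_required
        self.special_required = special_required
        self.attempts_allowed = attempts_allowed
        self.cooldown_delay = cooldown_delay
        self.cooldown_increment = cooldown_increment

    def violations(self, password):
        """Return the names of the policies the password fails (empty list = accepted)."""
        failed = []
        if len(password) < self.min_length:
            failed.append("EMS Number of Characters Required in Password")
        if self.alpha_required and not any(c.isalpha() for c in password):
            failed.append("EMS Alpha Characters Required in Password")
        if self.mixed_case_required and not (any(c.isupper() for c in password)
                                             and any(c.islower() for c in password)):
            failed.append("EMS Mixed Case Required in Password")
        if self.numeric_required and not any(c.isdigit() for c in password):
            failed.append("EMS Numeric Characters Required in Password")
        # Assumption: "special characters" means ASCII punctuation.
        if self.special_required and not any(c in string.punctuation for c in password):
            failed.append("EMS Special Characters Required in Password")
        return failed

    def cooldown_before_round(self, round_number):
        """Seconds the user waits before round N of `attempts_allowed` attempts."""
        if round_number < 1:
            raise ValueError("rounds are numbered from 1")
        if round_number == 1:
            return 0
        return self.cooldown_delay + (round_number - 2) * self.cooldown_increment

    def total_wait_for_guesses(self, guesses):
        """Total enforced waiting, in seconds, to submit `guesses` wrong passwords."""
        rounds = -(-guesses // self.attempts_allowed)   # ceiling division
        return sum(self.cooldown_before_round(r) for r in range(1, rounds + 1))


if __name__ == "__main__":
    policy = EmsPasswordPolicy()
    for candidate in ("password", "Tr0ub4dor&3"):
        print(candidate, policy.violations(candidate) or "accepted")
    for guesses in (3, 30, 300):
        print(guesses, "guesses cost", policy.total_wait_for_guesses(guesses), "seconds of cooldown")
```

The total_wait_for_guesses figures are the point of the cooldown policies: with a fixed delay and a zero increment an attacker's cost grows linearly in the number of rounds, while a non-zero increment makes it grow quadratically, which is what turns an offline-style guessing pace into an impractical one at the device.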
EMS Encryption Rules
Encryption rules to encrypt/not encrypt certain drives, directories, and folders.
A total of 2048 characters are allowed. Space and Enter characters used to add lines between rows count as characters used. Any rules exceeding the 2048 limit are ignored.
Storage devices which incorporate multi-interface connections, such as Firewire, USB, eSATA, etc. may require the use of both Encryption External Media and encryption rules to encrypt the device. This is necessary due to differences in how the Windows operating system handles storage devices based on interface type. See How to Encrypt an iPod with Encryption External Media.
EMS Block Access to UnShieldable Media
Block access to any removable media that is less than 55 MB and thus has insufficient storage capacity to host Encryption External Media (such as a 1.44 MB floppy disk).
All access is blocked if EMS Encrypt External Media and this policy are both True. If EMS Encrypt External Media is True, but this policy is False, data can be read from the unencryptable media, but write access to the media is blocked.
If EMS Encrypt External Media is False, then this policy has no effect and access to unencryptable media is not impacted.
User Experience Control Policies
Force Reboot on Update
Setting the value to True causes the computer to immediately reboot to allow processing of encryption or updates related to device-based policy, such as System Data Encryption (SDE).
Length of Each Reboot Delay
The number of minutes to delay when the user chooses to delay reboot for device-based policy.
Number of Reboot Delays Allowed
The number of times the user is allowed to delay reboot for device-based policy.
Suppress File Contention Notification
This policy controls whether users see notification pop-ups if an application attempts to access a file while the client is processing it.
Display Local Encryption Processing Control
Setting the value to True allows the user to see a menu option in the notification area icon that allows them to pause/resume encryption/decryption (depending on what Encryption is currently doing).
Allowing a user to pause encryption could allow the user to prevent the Encryption client from fully encrypting or decrypting data per policy.
Allow Encryption Processing Only When Screen is Locked
True, False, User-Optional
When True, there is no encryption or decryption of data while the user is actively working. The client only processes data when the screen is locked.
User-Optional adds an option to the notification area icon allowing the user to turn this feature on or off.
When False, encryption processing occurs any time, even while the user is working.
Enabling this option significantly extends the amount of time it takes to complete encryption or decryption.