Encryption
(Optional) Create an Encryption Removal Agent Log File
- Before beginning the uninstall process, you can optionally create an Encryption Removal Agent log file. This log file is useful for troubleshooting an uninstall/decryption operation. If you do not intend to decrypt files during the uninstall process, you do not need to create this log file.
- The Encryption Removal Agent log file is not created until after the Encryption Removal Agent service runs, which does not happen until the computer is restarted. Once the client is successfully uninstalled and the computer is fully decrypted, the log file is permanently deleted.
- The log file path is C:\ProgramData\Dell\Dell Data Protection\Encryption.
-
Create the following registry entry on the computer targeted for decryption.
[HKLM\Software\Credant\DecryptionAgent]
"LogVerbosity"=DWORD:2
0: no logging
1: logs errors that prevent the service from running
2: logs errors that prevent complete data decryption (recommended level)
3: logs information about all decrypting volumes and files
5: logs debugging information
Use Smart Cards with Windows Log On
-
To determine if a smart card is present and active, ensure the following value is set:
HKLM\SOFTWARE\Dell\Dell Data Protection\
"SmartcardEnabled"=DWORD:1
If SmartcardEnabled is missing or has a value of zero, the Credential Provider will display only Password for authentication.
If SmartcardEnabled has a non-zero value, the Credential Provider will display options for Password and smart card authentication.
-
The following registry value indicates whether Winlogon should generate a notification for logon events from smart cards.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
"SmartCardLogonNotify"=DWORD:1
0 = Disabled
1 = Enabled
Preserve Temp Files During Installation
-
By default, all temporary files in the c:\windows\temp directory are automatically deleted during installation. Deletion of temporary files speeds initial encryption and occurs before the initial encryption sweep.
However, if your organization uses a third-party application that requires the file structure within the \temp directory to be preserved, you should prevent this deletion.
To disable temporary file deletion, create or modify the registry setting as follows:
[HKLM\SOFTWARE\CREDANT\CMGShield]
"DeleteTempFiles"=REG_DWORD:0
Not deleting temporary files increases initial encryption time.
Change the Default Behavior of the User Prompt to Begin or Delay Encryption
-
The Encryption client displays the length of each policy update delay prompt for five minutes each time. If the user does not respond to the prompt, the next delay begins. The final delay prompt includes a countdown and progress bar, and it displays until the user responds, or the final delay expires and the required logoff/reboot occurs.
You can change the behavior of the user prompt to begin or delay encryption, to prevent encryption processing following no user response to the prompt. To do this, set the registry the following registry value:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]
"SnoozeBeforeSweep"=DWORD:1
Any non-zero value changes the default behavior to snooze. With no user interaction, encryption processing is delayed up to the number of configurable allowed delays. Encryption processing begins when the final delay expires.
Calculate the maximum possible delay as follows (a maximum delay would involve the user never responding to a delay prompt, each of which displays for 5 minutes):
(NUMBER OF POLICY UPDATE DELAYS ALLOWED × LENGTH OF EACH POLICY UPDATE DELAY) + (5 MINUTES × [NUMBER OF POLICY UPDATE DELAYS ALLOWED - 1])
Change the Default Use of SDUser Key
-
System Data Encryption (SDE) is enforced based on the policy value for SDE Encryption Rules. Additional directories are protected by default when the SDE Encryption Enabled policy is Selected. For more information, search "SDE Encryption Rules" in AdminHelp. When Encryption is processing a policy update that includes an active SDE policy, the current user profile directory is encrypted by default with the SDUser key (a User key) rather than the SDE key (a Device key). The SDUser key is also used to encrypt files or folders that are copied (not moved) into a user directory that is not a encrypted with SDE.
To disable the SDUser key and use the SDE key to encrypt these user directories, create the following registry entry on the computer:
[HKEY_LOCAL_MACHINE\SOFTWARE\Credant\CMGShield]
"EnableSDUserKeyUsage"=DWORD:00000000
If this registry key is not present or is set to anything other than 0, the SDUser key is used to encrypt these user directories.
Disable/Enable Encrypt for Sharing in Right-click Context Menu
-
To disable or enable the Encrypt for Sharing option in the right-click menu use the following registry key.
HKEY_LOCAL_MACHINE\SOFTWARE\Dell\Dell Data Protection\Encryption
"DisplaySharing"=DWORD
0 = disable the Encrypt for Sharing option in the right-click context menu
1 = enable the Encrypt for Sharing option in the right-click context menu
Disable/Enable the notification for Encryption Personal activation
-
HKCU\Software\Dell\Dell Data Protection\Encryption
"HidePasswordPrompt"=DWORD
1 = disables the password prompt for Encryption Personal activation
0 = enables the password prompt for Encryption Personal activation
Disable/Enable the reboot prompt after the Encryption Removal Agent finishes the final stage of decryption
-
To disable prompting the user to reboot their computer after the Encryption Removal Agent finishes its final state in the decryption process, modify the following registry value.
HKLM\Software\Dell\Dell Data Protection
"ShowDecryptAgentRebootPrompt"=DWORD
Default = enabled
1 = enabled (displays prompt)
0 = disabled (hides prompt)