Dell Endpoint Security Suite Enterprise Advanced Installation Guide v3.8

Dell Encryption Troubleshooting (client and server)

Activation on a Server Operating System

When Encryption is installed on a server operating system, activation takes place in two phases: initial activation and device activation.

Troubleshooting Initial Activation

Initial activation fails when:

  • A valid UPN cannot be constructed using the supplied credentials.
  • The credentials are not found in the enterprise vault.
  • The credentials used to activate are not domain administrator's credentials.

Error Message: Unknown user name or bad password

The user name or password does not match.

Possible Solution: Try to log in again, ensuring that you type the user name and password exactly.

Error Message: Activation failed because the user account does not have domain administrator rights.

The credentials used to activate do not have domain administrator rights, or the administrator's user name was not in UPN format.

Possible Solution: In the Activation dialog, enter credentials in UPN format for a domain administrator.

Error Messages: A connection with the server could not be established.

or

The operation timed out.

Server Encryption could not communicate with port 8449 over HTTPS to the Dell Server.

Possible Solutions

  • Connect directly to your network and try to activate again.
  • If connected by VPN, try connecting directly to the network and try again to activate.
  • Check the Dell Server URL to ensure it matches the URL supplied by the administrator. The URL and other data that the user entered into the installer are stored in the registry. Check the accuracy of the data under [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield] and [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\Servlet].
  • Disconnect the server from the network. Restart the server and reconnect to the network.

Error Message: Activation failed because the Server is unable to support this request.

Possible Solutions

  • Server Encryption cannot be activated against a legacy server; the Dell Server version must be version 9.1 or higher. If necessary, upgrade your Dell Server to version 9.1 or higher.
  • Check the Dell Server URL to ensure it matches the URL supplied by the administrator. The URL and other data that the user entered into the installer are stored in the registry.
  • Check the accuracy of the data under [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield] and [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\Servlet].
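The registry and connectivity checks from the two error cases above, as an added PowerShell example that is not part of the Dell guide. It lists the installer data under the CMGShield keys and tests TCP port 8449 on the Dell Server; because the guide does not name the registry value that holds the URL, it assumes any string value that looks like a URL is a candidate Dell Server URL.

```powershell
# Added example (not from the Dell guide): dump the CMGShield registry data the installer
# wrote and test whether the Dell Server answers on TCP port 8449 (HTTPS per the guide).
# Assumption: the value names are undocumented here, so every string value that looks
# like a URL is treated as a candidate Dell Server URL.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\Servlet'
)
$candidateUrls = @()
foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Warning "Registry key not found: $key"
        continue
    }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
        '{0}\{1} = {2}' -f $key, $p.Name, $p.Value
        if ("$($p.Value)" -match '^https?://') { $candidateUrls += "$($p.Value)" }
    }
}
if (-not $candidateUrls) {
    Write-Warning 'No URL-like value found; compare the values above with the URL your administrator supplied.'
}
foreach ($url in ($candidateUrls | Select-Object -Unique)) {
    $uri  = [Uri]$url
    # The guide says the client uses port 8449; honour an explicit port only if the URL carries one.
    $port = if ($uri.IsDefaultPort) { 8449 } else { $uri.Port }
    $r = Test-NetConnection -ComputerName $uri.Host -Port $port -WarningAction SilentlyContinue
    '{0}:{1} TCP reachable: {2} (resolved to {3})' -f $uri.Host, $port, $r.TcpTestSucceeded, ($r.RemoteAddress -join ',')
}
```

A failed TCP test points at the network or VPN path (the first two possible solutions); a URL that differs from the one the administrator supplied points at the installer data.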

Initial Activation Process

The following diagram illustrates a successful initial activation.

Initial activation of Encryption for server operating systems requires a live user to access the server. The user can be of any type: domain or non-domain, remote-desktop-connected or interactive, but the user must have access to domain administrator credentials.

The Activation dialog displays when one of two workflows occurs:

  • A new (unmanaged) user logs on to the computer.
  • A new user right-clicks the Encryption icon in the notification area and selects Activate Dell Encryption.

The initial activation process is as follows:

  1. The user logs in.
  2. Upon detection of a new (unmanaged) user, the Activate dialog displays. The user clicks Cancel.
  3. The user opens the Server Encryption About box to confirm that it is running in Server mode.
  4. The user right-clicks the Encryption icon in the notification area and selects Activate Dell Encryption.
  5. The user enters domain administrator credentials in the Activate dialog.

    NOTE:

    The requirement for domain administrator credentials is a safety measure that prevents Encryption of server operating systems from being rolled out to unsupported server environments. To disable the requirement for domain administrator credentials, see Before You Begin.

  6. Dell Server checks for the credentials in the enterprise vault (Active Directory or equivalent) to verify that the credentials are domain administrator credentials.
  7. A UPN is constructed using the credentials.
  8. With the UPN, the Dell Server creates a new user account for the virtual server user, and stores the credentials in the Dell Server's vault.

    The virtual server user account is for the exclusive use of the Encryption client. It is used to authenticate with the server, to handle Common encryption keys, and to receive policy updates.

    NOTE:

    Password and DPAPI authentication are disabled for this account so that only the virtual server user can access encryption keys on the computer. This account does not correspond to any other user account on the computer or on the domain.

  9. When activation is successful, the user restarts the computer, which kicks off the second phase, authentication and device activation.

Troubleshooting Authentication and Device Activation

Device activation fails when:

  • The initial activation failed.
  • The connection to the server could not be established.
  • The trust certificate could not be validated.

After activation, when the computer is restarted, Encryption for server operating systems automatically logs in as the virtual server user, requesting the Machine key from the Dell Server. This takes place even before any user can log in.

  • Open the About dialog to confirm that Encryption for server operating systems is authenticated and in Server mode.

  • If the Encryption client ID is red, encryption has not yet been activated.
  • In the Management Console, the version of a server with Server Encryption installed is listed as Shield for Server.
  • If the Machine key retrieval fails due to a network failure, Server Encryption registers for network notifications with the operating system.
  • If the Machine key retrieval fails:

    • The virtual server user logon is still successful.
    • Set up the Retry Interval Upon network Failure policy to make key retrieval attempts on a timed interval.

      For details on the Retry Interval Upon network Failure policy, refer to AdminHelp, available in the Management Console.

Authentication and Device Activation

The following diagram illustrates successful authentication and device activation.

  1. When restarted after a successful initial activation, a computer with Server Encryption automatically authenticates using the virtual server user account and runs the Encryption client in Server mode.
  2. The computer checks its device activation status with the Dell Server:

    • If the computer has not previously device-activated, the Dell Server assigns the computer an MCID, a DCID, and a trust certificate, and stores all of the information in the Dell Server's vault.
    • If the computer had previously been device-activated, the Dell Server verifies the trust certificate.
  3. After the Dell Server assigns the trust certificate to the server, the server can access its encryption keys.
  4. Device activation is successful.

    NOTE:

    When running in Server mode, the Encryption client must have access to the same certificate as was used for device activation to access the encryption keys.

(Optional) Create an Encryption Removal Agent Log File

  • Before beginning the uninstall process, you can optionally create an Encryption Removal Agent log file. This log file is useful for troubleshooting an uninstall/decryption operation. If you do not intend to decrypt files during the uninstall process, you do not need to create this log file.
  • The Encryption Removal Agent log file is not created until after the Encryption Removal Agent service runs, which does not happen until the computer is restarted. Once the client is successfully uninstalled and the computer is fully decrypted, the log file is permanently deleted.
  • The log file path is C:\ProgramData\Dell\Dell Data Protection\Encryption.
  • Create the following registry entry on the computer targeted for decryption.

    [HKLM\Software\Credant\DecryptionAgent]

    "LogVerbosity"=DWORD:2

    0: no logging

    1: logs errors that prevent the service from running

    2: logs errors that prevent complete data decryption (recommended level)

    3: logs information about all decrypting volumes and files

    5: logs debugging information

Find TSS Version

  • TSS is a component that interfaces with the TPM. To find the TSS version, go to the TSS bin folder (default location C:\Program Files\Dell\Dell Data Protection\Drivers\TSS\bin) and locate tcsd_win32.exe. Right-click the file and select Properties. Verify the file version on the Details tab.

Encryption External Media and PCS Interactions

To Ensure Media is Not Read-Only and the Port is Not Blocked

The EMS Access to unShielded Media policy interacts with the Port Control System - Class: Storage > Subclass Storage: External Drive Control policy. If you intend to set the EMS Access to unShielded Media policy to Full Access, ensure that the Subclass Storage: External Drive Control policy is also set to Full Access to ensure that the media is not set to read-only and the port is not blocked.

To Encrypt Data Written to CD/DVD

  • Set Windows Media Encryption = On.
  • Set EMS Exclude CD/DVD Encryption = not selected.
  • Set Subclass Storage: Optical Drive Control = UDF Only.

Use WSScan

  • WSScan allows you to ensure that all data is decrypted when uninstalling Encryption as well as view encryption status and identify unencrypted files that should be encrypted.
  • Administrator privileges are required to run this utility.

    NOTE: WSScan must be run in System Mode with the PsExec tool if a target file is owned by the system account.

Run WSScan

  1. From the Dell installation media, copy WSScan.exe to the Windows computer to scan.
  2. Launch a command line at the location above and enter wsscan.exe at the command prompt. WSScan launches.
  3. Click Advanced.
  4. Select the type of drive to scan: All Drives, Fixed Drives, Removable Drives, or CDROMs/DVDROMs.
  5. Select the Encryption Report Type: Encrypted Files, Unencrypted Files, All Files, or Unencrypted Files in Violation:
    • Encrypted Files - To ensure that all data is decrypted when uninstalling Encryption. Follow your existing process for decrypting data, such as issuing a decryption policy update. After decrypting data, but before performing a restart in preparation for uninstall, run WSScan to ensure that all data is decrypted.
    • Unencrypted Files - To identify files that are not encrypted, with an indication of whether the files should be encrypted (Y/N).
    • All Files - To list all encrypted and unencrypted files, with an indication of whether the files should be encrypted (Y/N).
    • Unencrypted Files in Violation - To identify files that are not encrypted but should be encrypted.
  6. Click Search.

OR

  1. Click Advanced to toggle the view to Simple to scan a particular folder.
  2. Go to Scan Settings and enter the folder path in the Search Path field. If this field is used, the selection in the menu is ignored.
  3. If you do not want to write WSScan output to a file, clear the Output to File check box.
  4. Change the default path and file name in Path, if desired.
  5. Select Add to Existing File if you do not want to overwrite any existing WSScan output files.
  6. Choose the output format:

    • Select Report Format for a report style list of scanned output. This is the default format.
    • Select Value Delimited File for output that can be imported into a spreadsheet application. The default delimiter is "|", although it can be changed to up to 9 alphanumeric, space, or keyboard punctuation characters.
    • Select the Quoted Values option to enclose each value in double quotation marks.
    • Select Fixed Width File for non-delimited output containing a continuous line of fixed-length information about each encrypted file.
  7. Click Search.

    Click Stop Searching to stop your search. Click Clear to clear displayed messages.

WSScan Command Line Usage

WSScan [-ta] [-tf] [-tr] [-tc] [drive] [-s] [-o<filepath>] [-a] [-f<format specifier>] [-r] [-u[a][-|v]] [-d<delimiter>] [-q] [-e] [-x<exclusion directory>] [-y<sleep time>]

Switch   Meaning
Drive    Drive to scan. If not specified, the default is all local fixed hard drives. Can be a mapped network drive.
-ta      Scan all drives
-tf      Scan fixed drives (default)
-tr      Scan removable drives
-tc      Scan CDROMs/DVDROMs
-s       Silent operation
-o       Output file path
-a       Append to output file. The default behavior truncates the output file.
-f       Report format specifier (Report, Fixed, Delimited)
-r       Run WSScan without administrator privileges. Some files may not be visible in this mode.
-u       Include unencrypted files in output file. This switch is sensitive to order: "u" must be first, "a" must be second (or omitted), "-" or "v" must be last.
-u-      Only include unencrypted files in output file
-ua      Report unencrypted files also, but use all user policies to display the "should" field.
-ua-     Report unencrypted files only, but use all user policies to display the "should" field.
-uv      Report unencrypted files that violate policy only (Is=No / Should=Y)
-uav     Report unencrypted files that violate policy only (Is=No / Should=Y), using all user policies.
-d       Specifies what to use as a value separator for delimited output
-q       Specifies that values should be enclosed in quotes for delimited output
-e       Include extended encryption fields in delimited output
-x       Exclude directory from scan. Multiple exclusions are allowed.
-y       Sleep time (in milliseconds) between directories. This switch results in slower scans, but potentially a more responsive CPU.

WSScan Output

Each WSScan line that reports an encrypted file contains the following fields.

Example Output:

[2015-07-28 07:52:33] SysData.7vdlxrsb._SDENCR_: "c:\temp\Dell - test.log" is still AES256 encrypted

Output            Meaning
Date/time stamp   The date and time the file was scanned.
Encryption type   The type of encryption used to encrypt the file: SysData (SDE key), User (User encryption key), or Common (Common encryption key). WSScan does not report files encrypted using Encrypt for Sharing.
KCID              The Key Computer ID ("7vdlxrsb" in the example above). If you are scanning a mapped network drive, the scanning report does not return a KCID.
UCID              The User ID ("_SDENCR_" in the example above). The UCID is shared by all the users of that computer.
File              The path of the encrypted file ("c:\temp\Dell - test.log" in the example above).
Algorithm         The encryption algorithm used to encrypt the file ("is still AES256 encrypted" in the example above). Possible values: RIJNDAEL 128, RIJNDAEL 256, AES-128, AES-256, 3DES.
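A parser for the WSScan report lines described above, as an added PowerShell example that is not part of the Dell guide or the WSScan tool. It turns each line into an object with the fields from the table so the pre-uninstall check ("is anything still encrypted?") can be answered mechanically; the first sample line is the guide's example, the rest are constructed, and lines in other formats (such as the unencrypted-file lines produced by -u) are reported as unparsed rather than silently dropped.

```powershell
# Added example (not from the Dell guide): parse WSScan "is still ... encrypted" lines
# into objects. Field layout follows the WSScan Output table:
#   [stamp] Type.KCID.UCID: "file" is still ALGORITHM encrypted
function ConvertFrom-WSScanLine {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        $pattern = '^\[(?<Stamp>[^\]]+)\]\s+(?<Type>[^.\s]+)\.(?<Kcid>[^.\s]+)\.(?<Ucid>[^:\s]+):\s+' +
                   '"(?<File>.+)"\s+is still\s+(?<Algorithm>.+?)\s+encrypted\s*$'
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Stamp     = [datetime]::ParseExact($Matches.Stamp, 'yyyy-MM-dd HH:mm:ss',
                                                   [cultureinfo]::InvariantCulture)
                Type      = $Matches.Type        # SysData (SDE key), User, or Common
                Kcid      = $Matches.Kcid        # Key Computer ID
                Ucid      = $Matches.Ucid        # User ID
                File      = $Matches.File
                Algorithm = $Matches.Algorithm   # e.g. AES256, RIJNDAEL 256, 3DES
            }
        }
        elseif ($Line.Trim()) {
            # Unencrypted-file lines (-u switches) use a different layout that the guide
            # does not document, so surface them instead of guessing.
            Write-Warning "Unparsed WSScan line: $Line"
        }
    }
}

# Constructed sample; line 1 is the guide's example, lines 2 and 3 are made up for illustration.
$sample = @'
[2015-07-28 07:52:33] SysData.7vdlxrsb._SDENCR_: "c:\temp\Dell - test.log" is still AES256 encrypted
[2015-07-28 07:52:34] User.7vdlxrsb.a1b2c3d4: "c:\Users\jdoe\Documents\budget.xlsx" is still AES256 encrypted
[2015-07-28 07:52:35] Common.7vdlxrsb.e5f6g7h8: "c:\Shared\plan.docx" is still RIJNDAEL 256 encrypted
'@ -split "`r?`n"

$stillEncrypted = @($sample | ConvertFrom-WSScanLine)
$stillEncrypted | Group-Object Type, Algorithm | Select-Object Count, Name | Format-Table -AutoSize
if ($stillEncrypted.Count -gt 0) {
    Write-Warning ('{0} file(s) are still encrypted; do not restart for uninstall yet.' -f $stillEncrypted.Count)
    $stillEncrypted | Select-Object File, Type, Kcid, Algorithm | Format-Table -AutoSize
}
```

To run it against a real report written with -o, replace $sample with Get-Content on that file; an empty result after your decryption policy has applied is the condition the "Encrypted Files" report type is meant to confirm.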

Use WSProbe

The Probing Utility is for use with all versions of Encryption, with the exception of Encryption External Media policies. Use the Probing Utility to:

  • Scan or schedule scanning of an encrypted computer. The Probing Utility observes the Workstation Scan Priority policy.
  • Temporarily disable or re-enable the current user Application Data Encryption List.
  • Add or remove process names on the privileged list.
  • Troubleshoot as instructed by Dell ProSupport.

Approaches to Data Encryption

If you specify policies to encrypt data on Windows devices, you can use any of the following approaches:

  • The first approach is to accept the default behavior of the client. If you specify folders in Common Encrypted Folders or User Encrypted Folders, or set Encrypt "My Documents", Encrypt Outlook Personal Folders, Encrypt Temporary Files, Encrypt Temporary Internet Files, or Encrypt Windows Paging File to selected, affected files are encrypted either when they are created, or (after being created by an unmanaged user) when a managed user logs on. The client also scans folders specified in or related to these policies for possible encryption/decryption when a folder is renamed, or when the client receives changes to these policies.
  • You can also set Scan Workstation on Logon to Selected. If Scan Workstation on Logon is Selected, when a user logs on, the client compares how files in currently- and previously-encrypted folders are encrypted to the user policies, and makes any necessary changes.
  • If you want to encrypt files that meet your encryption criteria but were created before your encryption policies went into effect, and do not want the performance impact of frequent scanning, you can use this utility to scan or schedule scanning of the computer.

Prerequisites

  • The Windows device to work with must be encrypted.
  • The user to work with must be logged on.

Use the Probing Utility

WSProbe.exe is located in the installation media.

Syntax

wsprobe [path]

wsprobe [-h]

wsprobe [-f path]

wsprobe [-u n] [-x process_names] [-i process_names]

Parameters

Parameter   To
path        Optionally specify a particular path on the device to scan for possible encryption/decryption. If you do not specify a path, this utility scans all folders related to your encryption policies.
-h          View command line Help.
-f          Troubleshoot as instructed by Dell ProSupport.
-u          Temporarily disable or re-enable the user Application Data Encryption List. This list is only effective if Encryption Enabled is selected for the current user. Specify 0 to disable or 1 to re-enable. The current policy in force for the user is reinstated at the next logon.
-x          Add process names to the privileged list. The computer and installer process names on this list, plus those you add using this parameter or HKLM\Software\CREDANT\CMGShield\EUWPrivilegedList, are ignored if specified in the Application Data Encryption List. Separate process names with commas. If your list includes one or more spaces, enclose the list in double quotes.
-i          Remove process names previously added to the privileged list (you cannot remove hard-coded process names). Separate process names with commas. If your list includes one or more spaces, enclose the list in double quotes.

Check Encryption Removal Agent Status

The Encryption Removal Agent displays its status in the description area of the services panel (Start > Run > services.msc > OK) as follows. Periodically refresh the service (highlight the service > right-click > Refresh) to update its status.

  • Waiting for SDE Deactivation - Encryption is still installed, is still configured, or both. Decryption does not start until Encryption is uninstalled.
  • Initial sweep - The service is making an initial sweep, calculating the number of encrypted files and bytes. The initial sweep occurs one time.
  • Decryption sweep - The service is decrypting files and possibly requesting to decrypt locked files.
  • Decrypt on Reboot (partial) - The decryption sweep is complete and some locked files (but not all) are to be decrypted on the next restart.
  • Decrypt on Reboot - The decryption sweep is complete and all locked files are to be decrypted on the next restart.
  • All files could not be decrypted - The decryption sweep is complete, but all files could not be decrypted. This status means one of the following occurred:

    • The locked files could not be scheduled for decryption because they were too big, or an error occurred while making the request to unlock them.
    • An input/output error occurred while decrypting files.
    • The files could not be decrypted by policy.
    • The files are marked as should be encrypted.
    • An error occurred during the decryption sweep.
    • In all cases, a log file is created (if logging is configured) when LogVerbosity=2 (or higher) is set. To troubleshoot, set the log verbosity to 2 and restart the Encryption Removal Agent service to force another decryption sweep. See (Optional) Create an Encryption Removal Agent Log File for instructions.
  • Complete - The decryption sweep is complete. The service, the executable, the driver, and the driver executable are all scheduled for deletion on the next restart.
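The manual refresh-and-read loop described above, as an added PowerShell example that is not part of the Dell guide. It reads the status text the agent publishes in the service description and polls until one of the terminal statuses listed above appears; the guide does not give the service name, so the script assumes the display name contains "Removal Agent" (adjust $NamePattern if your install differs).

```powershell
# Added example (not from the Dell guide): poll the Encryption Removal Agent's service
# description, where the agent reports its sweep status, until it reaches a final state.
# Assumption: the service display name contains "Removal Agent".
function Get-RemovalAgentStatus {
    param([string]$NamePattern = '*Removal Agent*')
    $svc = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like $NamePattern } |
        Select-Object -First 1
    if (-not $svc) { throw "No service with a display name matching '$NamePattern' was found" }
    [pscustomobject]@{
        Name   = $svc.Name
        State  = $svc.State          # Running, Stopped, ...
        Status = $svc.Description    # status text as shown in services.msc
    }
}

# Statuses that end the sweep, taken from the list in this guide. "Decrypt on Reboot*"
# also matches "Decrypt on Reboot (partial)".
$terminal = @('Complete', 'Decrypt on Reboot', 'All files could not be decrypted')
$logDir   = 'C:\ProgramData\Dell\Dell Data Protection\Encryption'

do {
    $s = Get-RemovalAgentStatus
    '{0:u}  {1,-8} {2}' -f (Get-Date), $s.State, $s.Status
    $done = $terminal | Where-Object { $s.Status -like "$_*" }
    if (-not $done) { Start-Sleep -Seconds 60 }
} until ($done)

if ($s.Status -like 'All files could not be decrypted*') {
    "Set LogVerbosity to 2 or higher, restart the service, then review the log under $logDir"
    Get-ChildItem -Path $logDir -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}
```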
