Endpoint Security Suite Pro Advanced Installation Guide v1.8

Encryption Client Registry Settings

  • If a self-signed certificate is used on the Dell Security Management Server for Windows, certificate trust validation must remain disabled on the client computer (trust validation is disabled by default with Security Management Server for Windows). Before enabling trust validation on the client computer, the following requirements must be met.

    • A certificate signed by a root authority, such as Entrust or VeriSign, must be imported into Security Management Server/ Security Management Server Virtual.
    • The full chain of trust of the certificate must be stored in the Microsoft keystore on the client computer.
    • To enable trust validation for the Encryption client, change the value of the following registry entry to 0 on the client computer.

      [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]

      "IgnoreCertErrors"=DWORD:00000000

      0 = Fail if a certificate error is encountered

      1 = Ignore errors
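
The following PowerShell script is an added example and is not part of the Dell guide. It implements the checks the bullet above requires before enabling trust validation: it fetches the certificate the Security Management Server presents, refuses to proceed if that certificate is self-signed, builds the chain against this computer's LocalMachine stores (the "Microsoft keystore" the guide refers to), and only if the chain validates sets IgnoreCertErrors to 0. The server name and port are illustrative assumptions.

```powershell
# Added example, not part of the Dell guide. Validates the Security Management
# Server's certificate chain from this computer's machine stores before
# turning trust validation on. $Server and $Port are illustrative assumptions.
param(
    [string]$Server = 'dsms.example.com',   # assumed: your Security Management Server
    [int]$Port      = 8443                  # assumed: the port the client talks to
)

function Get-RemoteCertificate {
    param([string]$HostName, [int]$TcpPort)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $TcpPort)
    try {
        # Accept whatever the server presents during the fetch; the actual trust
        # decision is made by Test-ServerChain below, not here.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert
    }
    finally { $client.Close() }
}

function Test-ServerChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # The guide says trust validation must stay disabled for a self-signed server cert.
    if ($Cert.Subject -eq $Cert.Issuer) {
        Write-Warning "Server certificate is self-signed ($($Cert.Subject)); keep trust validation disabled."
        return $false
    }
    # $true = build the chain in the LocalMachine context, which is where the
    # guide requires the full chain of trust to be stored on the client.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ok = $chain.Build($Cert)
    if (-not $ok) {
        foreach ($s in $chain.ChainStatus) {
            Write-Warning ("Chain error: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
        }
    }
    return $ok
}

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'
$cert = Get-RemoteCertificate -HostName $Server -TcpPort $Port
Write-Host "Server presented: $($cert.Subject); issuer: $($cert.Issuer); expires: $($cert.NotAfter)"

if (Test-ServerChain -Cert $cert) {
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name IgnoreCertErrors -Value 0 -Type DWord
    Write-Host 'Chain validated from the machine store; IgnoreCertErrors set to 0 (fail on certificate errors).'
}
else {
    Write-Warning 'Chain did not validate; IgnoreCertErrors left unchanged so the client keeps communicating.'
}
```

Run it elevated on the client; if the chain warnings name an issuer that is missing, import that intermediate or root into the LocalMachine store and re-run before flipping the value, otherwise the client will fail its next server contact.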

  • To use smart cards with Windows Authentication, the following registry value must be set on the client computer.

    [HKLM\SOFTWARE\DigitalPersona\Policies\Default\SmartCards]

    "MSSmartcardSupport"=DWORD:1

  • To create an Encryption Removal Agent log file, create the following registry entry on the computer targeted for decryption. See (Optional) Create an Encryption Removal Agent Log File.

    [HKLM\Software\Credant\DecryptionAgent]

    "LogVerbosity"=DWORD:2

    0: no logging

    1: logs errors that prevent the Service from running

    2: logs errors that prevent complete data decryption (recommended level)

    3: logs information about all decrypting volumes and files

    5: logs debugging information

  • By default, during installation, the system tray icon is displayed. Use the following registry setting to hide the system tray icon for all managed users on a computer after the original installation. Create or modify the registry setting as follows:

    [HKLM\Software\CREDANT\CMGShield]

    "HIDESYSTRAYICON"=DWORD:1

  • By default, all temporary files in the c:\windows\temp directory are automatically deleted during installation. Deletion of temporary files speeds initial encryption and occurs before the initial encryption sweep.

    However, if your organization uses a third-party application that requires the file structure within the \temp directory to be preserved, you should prevent this deletion.

    To disable temporary file deletion, create or modify the registry setting as follows:

    [HKLM\SOFTWARE\CREDANT\CMGShield]

    "DeleteTempFiles"=REG_DWORD:0

    Not deleting temporary files increases initial encryption time.

  • The Encryption client displays each policy update delay prompt for five minutes. If the user does not respond to the prompt, the next delay begins. The final delay prompt includes a countdown and progress bar, and it displays until the user responds, or the final delay expires and the required logoff/reboot occurs.

    You can change the behavior of the user prompt to begin or delay encryption so that encryption processing does not start when the user does not respond to the prompt. To do this, set the following registry value:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]

    "SnoozeBeforeSweep"=DWORD:1

    Any non-zero value will change the default behavior to snooze. With no user interaction, encryption processing will be delayed up to the number of configurable allowed delays. Encryption processing begins when the final delay expires.

    Calculate the maximum possible delay as follows (the maximum delay occurs when the user never responds to a delay prompt, each of which displays for 5 minutes):

    (NUMBER OF POLICY UPDATE DELAYS ALLOWED × LENGTH OF EACH POLICY UPDATE DELAY) + (5 MINUTES × [NUMBER OF POLICY UPDATE DELAYS ALLOWED - 1])

    For example, with 3 delays allowed of 60 minutes each, the maximum delay is (3 × 60) + (5 × 2) = 190 minutes.

  • Use the following registry setting to have the Encryption client poll the Security Management Server/ Security Management Server Virtual for a forced policy update. Create or modify the registry setting as follows:

    [HKLM\SOFTWARE\Credant\CMGShield\Notify]

    "PingProxy"=DWORD:1

    The registry setting will automatically disappear when done.

  • Use the following registry settings to either allow the Encryption client to send an optimized inventory to the Security Management Server/ Security Management Server Virtual, send a full inventory to the Security Management Server/ Security Management Server Virtual, or to send a full inventory for all activated users to the Security Management Server/ Security Management Server Virtual.

    • Send Optimized Inventory to Security Management Server/ Security Management Server Virtual:

      Create or modify the registry setting as follows:

      [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]

      "OnlySendInvChanges"=REG_DWORD:1

      If no entry is present, optimized inventory is sent to the Security Management Server/ Security Management Server Virtual.

    • Send Full Inventory to Security Management Server/ Security Management Server Virtual:

      Create or modify the registry setting as follows:

      [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]

      "OnlySendInvChanges"=REG_DWORD:0

      If no entry is present, optimized inventory is sent to the Security Management Server/ Security Management Server Virtual.

    • Send Full Inventory for All Activated Users

      [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]

      "RefreshInventory"=REG_DWORD:1

      This entry is deleted from the registry as soon as it is processed. The value is saved in the vault, so even if the computer is rebooted before the inventory upload takes place, the Encryption client still honors this request at the next successful inventory upload.

      This entry supersedes the OnlySendInvChanges registry value.
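
The following PowerShell is an added example, not code from the Dell guide, covering both the forced policy update (PingProxy) bullet and the inventory bullets above. It sets the request entries and then polls until the client has consumed them, which the guide says is signalled by the entries disappearing; a request still present after the timeout usually means the client could not reach the server. The timeout and polling interval are assumptions.

```powershell
# Added example, not part of the Dell guide. Requests a forced policy update and,
# optionally, a full inventory for all activated users, then waits for the
# Encryption client to process (and delete) the request entries.
$notify   = 'HKLM:\SOFTWARE\Credant\CMGShield\Notify'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'

function Test-RegValue {
    param([string]$Path, [string]$Name)
    return $null -ne (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue)
}

function Request-EncryptionClientRefresh {
    param(
        [switch]$FullInventoryAllUsers,
        [int]$TimeoutSeconds = 600      # assumed; lengthen on slow links
    )
    New-Item -Path $notify -Force | Out-Null
    Set-ItemProperty -Path $notify -Name PingProxy -Value 1 -Type DWord
    $watch = @(@{ Path = $notify; Name = 'PingProxy' })

    if ($FullInventoryAllUsers) {
        # RefreshInventory supersedes OnlySendInvChanges and is saved in the vault,
        # so the request survives a reboot that happens before the upload.
        New-Item -Path $winlogon -Force | Out-Null
        Set-ItemProperty -Path $winlogon -Name RefreshInventory -Value 1 -Type DWord
        $watch += @{ Path = $winlogon; Name = 'RefreshInventory' }
    }

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $pending  = @()
    do {
        $pending = @($watch | Where-Object { Test-RegValue -Path $_.Path -Name $_.Name } |
                    ForEach-Object { $_.Name })
        if ($pending.Count -eq 0) {
            Write-Host 'Client processed the request(s); entries removed.'
            return $true
        }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)

    Write-Warning "Still pending after ${TimeoutSeconds}s: $($pending -join ', '). Check that the client can reach the server."
    return $false
}

function Set-InventoryMode {
    # Optimized = 1 (also the behaviour when the value is absent); Full = 0 on every upload.
    param([ValidateSet('Optimized', 'Full')][string]$Mode)
    New-Item -Path $winlogon -Force | Out-Null
    $value = if ($Mode -eq 'Optimized') { 1 } else { 0 }
    Set-ItemProperty -Path $winlogon -Name OnlySendInvChanges -Value $value -Type DWord
}

# Example usage: force a policy update and a one-time full inventory for all users.
Request-EncryptionClientRefresh -FullInventoryAllUsers
```

Set-InventoryMode is persistent and applies to every upload, whereas Request-EncryptionClientRefresh is a one-shot request; prefer the one-shot RefreshInventory when you only need a complete baseline once (for example before an audit) so that routine uploads stay optimized.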

  • Slotted Activation is a feature that allows you to spread activations of clients over a set time period in order to ease Security Management Server/ Security Management Server Virtual load during a mass deployment. Activations are delayed based on algorithmically generated time slots to provide a smooth distribution of activation times.

    For users requiring activation through VPN, a slotted activation configuration for the client may be required, to delay initial activation for long enough to allow time for the VPN client to establish a network connection.

    These registry entries require a restart of the computer for the updates to take effect.

    • Slotted Activation

      To enable or disable this feature, create a DWORD value named SlottedActivation under the following key:

      [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\]

    • Activation Slot

      To enable or disable this feature, create a subkey with the name ActivationSlot under the following parent key:

      [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\]

      Activation Slot - a string that defines the period within which the Dell Encryption client will attempt to activate with the Security Management Server/ Security Management Server Virtual. These values are defined in seconds, and the syntax is defined by <lowervalue>,<uppervalue>. An example would be 120,300. This means that the Encryption client will attempt to activate at a random time between 2 minutes and 5 minutes after user login.

      • Calendar Repeat

        To configure this setting, create a DWORD value named CalRepeat under the following key:

        [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\ActivationSlot]

        CalRepeat - a DWORD that defines, in seconds, how often the activation slot interval recurs; use it to override that period. The default setting is 86400 seconds, which represents a daily repeat. The suggested decimal value is 600, which represents 10 minutes. (For comparison, a seven-hour period provides 25200 seconds in which to slot activations.)

      • Slot Interval

        To configure this setting, create a string value named SlotInterval under the following key:

        [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\ActivationSlot]

        Slot Interval - A string value that defines the intervals between slot activations. The suggested setting is 45,120. This represents activation time being randomly assigned between 45 and 120 seconds.

      • Missed Threshold

        To configure this setting, create a DWORD value named MissThreshold under the following key:

        [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\ActivationSlot]

        MissThreshold - a DWORD value that contains a positive integer that defines the number of attempts to activate before a log off is required. If the MissThreshold is reached, activation attempts will cease until the next login for the unactivated user. The count for MissThreshold is always reset on logoff.

        The following registry keys collect slotted activation user data:

        [HKCU\Software\CREDANT\ActivationSlot] (per-user data)

        Deferred time to attempt the slotted activation, which is set when the user logs onto the network for the first time after slotted activation is enabled. The activation slot is recalculated for each activation attempt.

        [HKCU\Software\CREDANT\SlotAttemptCount] (per-user data)

        Number of failed or missed attempts, when the time slot arrives and activation is attempted but fails. When this number reaches the value set in MissThreshold, the computer attempts one immediate activation upon connecting to the network.
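
The following PowerShell is an added example and not code from the Dell guide. It applies the slotted activation settings described above as one procedure, validating the "<lowervalue>,<uppervalue>" syntax before anything is written so that a malformed range does not leave the client half-configured, and it reads back the per-user HKCU bookkeeping. The guide describes ActivationSlot both as a subkey and as a string; this example writes the range as a string value named ActivationSlot on the CMGShield key and places CalRepeat, SlotInterval and MissThreshold under the ActivationSlot subkey, which is an assumption. The MissThreshold of 3 and the 120,300 range are illustrative.

```powershell
# Added example, not part of the Dell guide. Configures slotted activation with
# validated ranges. Placement of the ActivationSlot string and the MissThreshold
# value are assumptions; a reboot is required for the settings to take effect.
$base    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'
$slotKey = Join-Path $base 'ActivationSlot'

function Test-SecondsRange {
    # Enforces the "<lowervalue>,<uppervalue>" syntax (whole seconds, lower < upper)
    # and returns it normalized without stray whitespace.
    param([Parameter(Mandatory)][string]$Range)
    if ($Range -notmatch '^\s*(\d+)\s*,\s*(\d+)\s*$') {
        throw "Range '$Range' must be '<lower>,<upper>' in whole seconds"
    }
    $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
    if ($lo -ge $hi) { throw "Lower bound $lo must be less than upper bound $hi" }
    return "$lo,$hi"
}

function Set-SlottedActivation {
    param(
        [string]$ActivationSlot = '120,300',  # activate 2-5 minutes after logon (VPN warm-up)
        [int]$CalRepeat         = 600,        # guide's suggested value: 10 minutes
        [string]$SlotInterval   = '45,120',   # guide's suggested value
        [int]$MissThreshold     = 3           # assumed: missed attempts before waiting for next logon
    )
    # Validate everything first so a bad argument writes nothing.
    $slot     = Test-SecondsRange $ActivationSlot
    $interval = Test-SecondsRange $SlotInterval
    if ($CalRepeat -le 0 -or $MissThreshold -le 0) { throw 'CalRepeat and MissThreshold must be positive' }

    New-Item -Path $slotKey -Force | Out-Null    # creates CMGShield and the ActivationSlot subkey
    Set-ItemProperty -Path $base    -Name SlottedActivation -Value 1         -Type DWord
    Set-ItemProperty -Path $base    -Name ActivationSlot    -Value $slot     -Type String
    Set-ItemProperty -Path $slotKey -Name CalRepeat         -Value $CalRepeat -Type DWord
    Set-ItemProperty -Path $slotKey -Name SlotInterval      -Value $interval -Type String
    Set-ItemProperty -Path $slotKey -Name MissThreshold     -Value $MissThreshold -Type DWord
    Write-Host "Slotted activation configured: slot=$slot interval=$interval repeat=${CalRepeat}s miss=$MissThreshold (reboot required)"
}

function Disable-SlottedActivation {
    if (Test-Path $base) { Set-ItemProperty -Path $base -Name SlottedActivation -Value 0 -Type DWord }
}

function Get-SlottedActivationState {
    # Per-user bookkeeping the client maintains under HKCU; read-only here.
    foreach ($name in 'ActivationSlot', 'SlotAttemptCount') {
        $path = "HKCU:\Software\CREDANT\$name"
        if (Test-Path $path) { Get-Item $path | Format-List }
        else { "$path not present (this user has not been slotted yet)" }
    }
}

Set-SlottedActivation
Get-SlottedActivationState
```

For VPN users, widen the lower bound of ActivationSlot to however long the VPN client needs to connect after logon; an activation attempted before the tunnel is up simply counts toward MissThreshold.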

  • To detect unmanaged users on the client computer, set the following registry value on the client computer:

    [HKLM\SOFTWARE\Credant\CMGShield\ManagedUsers\]

    "UnmanagedUserDetected"=DWORD:1

    Detect unmanaged users on this computer=1

    Do not detect unmanaged users on this computer=0

  • To enable silent automatic reactivation in the rare case that a user becomes deactivated, the following registry value must be set on the client computer.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CMGShield]

    "AutoReactivation"=DWORD:00000001

    0=Disabled (default)

    1=Enabled

  • System Data Encryption (SDE) is enforced based on the policy value for SDE Encryption Rules. Additional directories are protected by default when the SDE Encryption Enabled policy is Selected. For more information, search "SDE Encryption Rules" in AdminHelp. When the Encryption client is processing a policy update that includes an active SDE policy, the current user profile directory is encrypted by default with the SDUser key (a User key) rather than the SDE key (a Device key). The SDUser key is also used to encrypt files or folders that are copied (not moved) into a user directory that is not encrypted with SDE.

    To disable the SDUser key and use the SDE key to encrypt these user directories, create the following registry entry on the computer:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Credant\CMGShield]

    "EnableSDUserKeyUsage"=DWORD:00000000

    If this registry key is not present or is set to anything other than 0, the SDUser key will be used to encrypt these user directories.

    For more information about SDUser, see www.dell.com/support/article/us/en/19/SLN304916

  • Set the EnableNGMetadata registry entry if issues occur related to Microsoft updates on computers with Common key-encrypted data, or with encrypting, decrypting, or unzipping large numbers of files within a folder.

    Set the EnableNGMetadata registry entry in the following location:

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CmgShieldFFE]

    "EnableNGMetadata" = DWORD:1

    0=Disabled (default)

    1=Enabled

  • The non-domain activation feature can be enabled by contacting Dell ProSupport and requesting instructions.
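
The following PowerShell is an added example, not code from the Dell guide. It reports the effective value of the client-side settings covered on this page, substituting the default the guide states for each value that is absent, and marks the ones a reviewer should look at: certificate errors being ignored, silent reactivation being off, the tray icon being hidden from users, and the encryption sweep being snoozable. Where the guide gives no default (SlottedActivation), an absent value is reported as not set.

```powershell
# Added example, not part of the Dell guide. Audits the Encryption client registry
# settings from this page and flags the security-relevant ones. The "absent"
# defaults come from the guide's text; SlottedActivation has no stated default.
$cmg = 'HKLM:\SOFTWARE\Credant\CMGShield'
$wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\CMGShield'
$ffe = 'HKLM:\SYSTEM\CurrentControlSet\Services\CmgShieldFFE'

$checks = @(
    @{ Path=$wl;  Name='IgnoreCertErrors';     Absent=1;     Warn={ param($v) $v -ne 0 }; Why='1 = certificate errors ignored, server trust not validated' },
    @{ Path=$svc; Name='AutoReactivation';     Absent=0;     Warn={ param($v) $v -eq 0 }; Why='0 = deactivated users are not silently reactivated' },
    @{ Path=$cmg; Name='HIDESYSTRAYICON';      Absent=0;     Warn={ param($v) $v -ne 0 }; Why='1 = tray icon hidden from managed users' },
    @{ Path=$wl;  Name='SnoozeBeforeSweep';    Absent=0;     Warn={ param($v) $v -ne 0 }; Why='non-zero = sweep snoozes when the user does not respond' },
    @{ Path=$cmg; Name='EnableSDUserKeyUsage'; Absent=1;     Warn={ $false };             Why='0 = SDE key used for profile directories, otherwise SDUser key' },
    @{ Path=$wl;  Name='OnlySendInvChanges';   Absent=1;     Warn={ $false };             Why='1 = optimized inventory, 0 = full inventory' },
    @{ Path=$cmg; Name='DeleteTempFiles';      Absent=1;     Warn={ $false };             Why='0 = keep c:\windows\temp, slower initial encryption' },
    @{ Path=$ffe; Name='EnableNGMetadata';     Absent=0;     Warn={ $false };             Why='1 = workaround for Microsoft update / large-folder issues' },
    @{ Path=$wl;  Name='SlottedActivation';    Absent=$null; Warn={ $false };             Why='1 = activations spread over time slots' }
)

function Get-EffectiveSetting {
    # Returns the registry value if present, otherwise the guide's stated default.
    param([string]$Path, [string]$Name, $Absent)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [pscustomobject]@{ Value = $Absent; Source = 'absent (default)' } }
    return [pscustomobject]@{ Value = [int]$item.$Name; Source = 'registry' }
}

function Get-EncryptionClientAudit {
    foreach ($c in $checks) {
        $eff   = Get-EffectiveSetting -Path $c.Path -Name $c.Name -Absent $c.Absent
        $shown = if ($null -eq $eff.Value) { 'not set' } else { $eff.Value }
        $flag  = ($null -ne $eff.Value) -and (& $c.Warn $eff.Value)
        [pscustomobject]@{
            Setting = $c.Name
            Value   = $shown
            Source  = $eff.Source
            Review  = if ($flag) { 'REVIEW: ' + $c.Why } else { $c.Why }
        }
    }
}

Get-EncryptionClientAudit | Format-Table -AutoSize -Wrap
```

Run it elevated; the Source column distinguishes a value someone set deliberately from a default the page documents, which matters when you are deciding whether an IgnoreCertErrors of 1 is an oversight or the expected state for a server still using a self-signed certificate.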
