-
If a self-signed certificate is used on the Dell Security Management Server for Windows, certificate trust validation must remain disabled on the client computer (trust validation is disabled by default with Security Management Server for Windows). Before enabling trust validation on the client computer, the following requirements must be met.
-
A certificate signed by a root authority, such as Entrust or VeriSign, must be imported into Security Management Server/Security Management Server Virtual.
-
The full chain of trust of the certificate must be stored in the Microsoft keystore on the client computer.
-
To enable trust validation for the Encryption client, change the value of the following registry entry to 0 on the client computer.
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]
"IgnoreCertErrors"=DWORD:00000000
0 = Fail if a certificate error is encountered
1= Ignores errors
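As an added example (not from the Dell documentation), the following PowerShell script performs the chain check that the prerequisites above call for before it turns IgnoreCertErrors off: it retrieves the certificate the Security Management Server presents, builds the chain against this computer's Microsoft keystore, refuses a self-signed certificate or an incomplete chain, and only then sets the value to 0. The server host name and port are caller-supplied assumptions; the page does not name a port.

```powershell
# Added example: verify the server's chain on this client, then enable trust validation.
param(
    [Parameter(Mandatory)] [string] $ServerHost,  # Security Management Server FQDN (caller-supplied)
    [Parameter(Mandatory)] [int]    $Port         # assumed: whatever port your server listens on
)

$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'

# 1. Fetch the leaf certificate the server presents. The callback accepts anything
#    at this stage only so the certificate can be captured; validation happens below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
$tcp = [System.Net.Sockets.TcpClient]::new($ServerHost, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($ServerHost)
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# 2. A self-signed server certificate must keep trust validation disabled.
if ($leaf.Subject -eq $leaf.Issuer) {
    throw "Server presents a self-signed certificate ($($leaf.Subject)); leave IgnoreCertErrors at 1."
}

# 3. Build the chain against the local machine stores, which is what the client will do
#    once IgnoreCertErrors is 0. Revocation is skipped here so a blocked CRL/OCSP endpoint
#    does not mask a missing intermediate or root in the keystore.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($leaf)) {
    foreach ($s in $chain.ChainStatus) { Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation.Trim()) }
    throw "Full chain for $($leaf.Subject) is not in this computer's keystore; import the missing CA certificates first."
}
Write-Host 'Chain validated on this computer:'
foreach ($el in $chain.ChainElements) { Write-Host ("  {0}  [{1}]" -f $el.Certificate.Subject, $el.Certificate.Thumbprint) }

# 4. Only now switch the Encryption client from 'ignore errors' to 'fail on errors'.
if (-not (Test-Path $regPath)) { throw "$regPath not found; is the Encryption client installed?" }
New-ItemProperty -Path $regPath -Name 'IgnoreCertErrors' -Value 0 -PropertyType DWord -Force | Out-Null
Get-ItemProperty -Path $regPath -Name 'IgnoreCertErrors' | Select-Object IgnoreCertErrors
```

Run it elevated on the client; if it throws, the chain warnings name the missing element, and IgnoreCertErrors is left untouched.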
-
To use smart cards with Windows Authentication, the following registry value must be set on the client computer.
[HKLM\SOFTWARE\DigitalPersona\Policies\Default\SmartCards]
"MSSmartcardSupport"=DWORD:1
-
To create an Encryption Removal Agent log file, create the following registry entry on the computer targeted for decryption.
See (Optional) Create an Encryption Removal Agent Log File.
[HKLM\Software\Credant\DecryptionAgent]
"LogVerbosity"=DWORD:2
0: no logging
1: logs errors that prevent the Service from running
2: logs errors that prevent complete data decryption (recommended level)
3: logs information about all decrypting volumes and files
5: logs debugging information
-
By default, during installation, the system tray icon is displayed. Use the following registry setting to hide the system
tray icon for all managed users on a computer after the original installation. Create or modify the registry setting as follows:
[HKLM\Software\CREDANT\CMGShield]
"HIDESYSTRAYICON"=DWORD:1
-
By default, all temporary files in the c:\windows\temp directory are automatically deleted during installation. Deletion of
temporary files speeds initial encryption and occurs before the initial encryption sweep.
However, if your organization uses a third-party application that requires the file structure within the \temp directory to
be preserved, you should prevent this deletion.
To disable temporary file deletion, create or modify the registry setting as follows:
[HKLM\SOFTWARE\CREDANT\CMGShield]
"DeleteTempFiles"=REG_DWORD:0
Not deleting temporary files increases initial encryption time.
-
The Encryption client displays each policy update delay prompt for five minutes. If the user does not respond to the prompt, the next delay begins. The final delay prompt includes a countdown and progress bar, and it displays until the user responds, or the final delay expires and the required logoff/reboot occurs.
You can change the behavior of the user prompt to begin or delay encryption, so that encryption processing does not start when the user does not respond to the prompt. To do this, set the following registry value:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]
"SnoozeBeforeSweep"=DWORD:1
Any non-zero value will change the default behavior to snooze. With no user interaction, encryption processing will be delayed
up to the number of configurable allowed delays. Encryption processing begins when the final delay expires.
Calculate the maximum possible delay as follows (a maximum delay would involve the user never responding to a delay prompt,
each of which displays for 5 minutes):
(NUMBER OF POLICY UPDATE DELAYS ALLOWED × LENGTH OF EACH POLICY UPDATE DELAY) + (5 MINUTES × [NUMBER OF POLICY UPDATE DELAYS
ALLOWED - 1])
-
Use the following registry setting to have the Encryption client poll the Security Management Server/Security Management Server Virtual for a forced policy update. Create or modify the registry setting as follows:
[HKLM\SOFTWARE\Credant\CMGShield\Notify]
"PingProxy"=DWORD value:1
The registry setting will automatically disappear when done.
-
Use the following registry settings to have the Encryption client send an optimized inventory, a full inventory, or a full inventory for all activated users to the Security Management Server/Security Management Server Virtual.
-
Send Optimized Inventory to Security Management Server/Security Management Server Virtual:
Create or modify the registry setting as follows:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]
"OnlySendInvChanges"=REG_DWORD:1
If no entry is present, optimized inventory is sent to the Security Management Server/Security Management Server Virtual.
-
Send Full Inventory to Security Management Server/Security Management Server Virtual:
Create or modify the registry setting as follows:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]
"OnlySendInvChanges"=REG_DWORD:0
If no entry is present, optimized inventory is sent to the Security Management Server/Security Management Server Virtual.
-
Send Full Inventory for All Activated Users
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]
"RefreshInventory"=REG_DWORD:1
This entry is deleted from the registry as soon as it is processed. The value is saved in the vault, so even if the computer is rebooted before the inventory upload takes place, the Encryption client still honors this request on the next successful inventory upload.
This entry supersedes the OnlySendInvChanges registry value.
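The PingProxy and RefreshInventory entries above are one-shot flags: the client deletes them once it has acted on them. As an added example (not Dell's code), the following PowerShell function uses that deletion as the completion signal, so a forced policy update can be chained with a full inventory upload and a script can tell whether the client actually processed each request. The polling period and timeout are assumptions.

```powershell
# Added example: set a one-shot CMGShield flag and wait for the client to consume it.
function Invoke-ShieldFlag {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [int] $TimeoutSeconds = 900,   # assumed; the client acts only on its next server contact
        [int] $PollSeconds    = 15     # assumed
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        # The entry disappears when the client has processed it.
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $true }
        Start-Sleep -Seconds $PollSeconds
    }
    return $false   # still present: no server contact yet (offline, VPN down, service stopped?)
}

$notify = 'HKLM:\SOFTWARE\Credant\CMGShield\Notify'
$shield = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'

# 1. Force a policy update and wait until the client has fetched it.
if (-not (Invoke-ShieldFlag -Path $notify -Name 'PingProxy')) {
    throw 'PingProxy was not consumed; check the CMGShield service and server connectivity.'
}

# 2. Request a full inventory for all activated users. RefreshInventory is persisted in the
#    vault, so the request survives a reboot; it also supersedes OnlySendInvChanges for that
#    upload, so expect a full upload rather than a delta.
if (Invoke-ShieldFlag -Path $shield -Name 'RefreshInventory') {
    'Full inventory request processed.'
} else {
    Write-Warning 'RefreshInventory still pending; the client will honor it on its next successful upload.'
}
```

Because RefreshInventory is kept in the vault, a timeout here is not a failure: the request is still queued and the client honors it on the next successful upload.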
-
Slotted Activation is a feature that allows you to spread activations of clients over a set time period in order to ease Security Management Server/Security Management Server Virtual load during a mass deployment. Activations are delayed based on algorithmically generated time slots to provide a smooth distribution of activation times.
For users requiring activation through VPN, a slotted activation configuration for the client may be required, to delay initial activation long enough to allow the VPN client to establish a network connection.
These registry entries require a restart of the computer for the updates to take effect.
-
Slotted Activation
To enable or disable this feature, create a DWORD with the name SlottedActivation under the following parent key:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\]
-
Activation Slot
To enable or disable this feature, create a subkey with the name ActivationSlot under the following parent key:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\]
ActivationSlot - a string that defines the period within which the Dell Encryption client will attempt to activate with the Security Management Server/Security Management Server Virtual. These values are defined in seconds, and the syntax is <lowervalue>,<uppervalue>. An example would be 120,300, which means that the Encryption client will attempt to activate at a random time between 2 minutes and 5 minutes after user login.
-
Calendar Repeat
To configure this setting, create a DWORD value named CalRepeat under the following parent key:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\ActivationSlot]
CalRepeat - A DWORD that defines the time period, in seconds, at which the activation slot interval repeats. Use this setting to override that period. The default setting is 86400 seconds, which represents a daily repeat; for example, a value of 25200 seconds makes slots available for activations over a seven-hour period. The suggested decimal value is 600, which represents 10 minutes.
-
Slot Interval
To configure this setting, create a string value named SlotInterval under the following parent key:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\ActivationSlot]
SlotInterval - A string value that defines the intervals between slot activations. The suggested setting is 45,120, which means that the activation time is randomly assigned between 45 and 120 seconds.
-
Missed Threshold
To configure this setting, create a DWORD value named MissThreshold under the following parent key:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\ActivationSlot]
MissThreshold - A DWORD value containing a positive integer that defines the number of activation attempts allowed before a logoff is required. If MissThreshold is reached, activation attempts cease until the next login of the unactivated user. The MissThreshold count is always reset on logoff.
The following registry keys collect slotted activation user data:
[HKCU\Software\CREDANT\ActivationSlot] (per-user data)
Deferred time to attempt the slotted activation, which is set when the user logs onto the network for the first time after slotted activation is enabled. The activation slot is recalculated for each activation attempt.
[HKCU\Software\CREDANT\SlotAttemptCount] (per-user data)
Number of failed or missed attempts, that is, times when the time slot arrived and activation was attempted but failed. When this number reaches the value set in MissThreshold, the computer attempts one immediate activation upon connecting to the network.
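The slotted activation settings above are easy to get subtly wrong: a lower bound above the upper bound, a slot string that is not of the form <lower>,<upper>, or a slot interval longer than the repeat period. As an added example (not Dell's code), the following PowerShell configures the feature for VPN users with the values suggested above, validates both slot strings first, and then shows the per-user slot data for the current user. It makes three assumptions the page does not settle: that SlottedActivation=1 enables the feature (the page names the DWORD but not its values), that CalRepeat, SlotInterval and MissThreshold are values under the ActivationSlot key (as their DWORD/string descriptions imply), and that the ActivationSlot string itself is stored as that key's default value; confirm the last against your deployment. A restart is still required afterwards.

```powershell
# Added example: configure slotted activation for VPN users and validate the slot strings.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'
$slot = Join-Path $base 'ActivationSlot'

function Test-SlotString {
    # Accepts "<lower>,<upper>" in seconds and returns the two bounds, or throws.
    param([Parameter(Mandatory)] [string] $Value, [string] $Label = 'slot')
    if ($Value -notmatch '^\s*(\d+)\s*,\s*(\d+)\s*$') {
        throw "$Label must look like <lower>,<upper> (seconds); got '$Value'."
    }
    $lower, $upper = [int]$Matches[1], [int]$Matches[2]
    if ($lower -ge $upper) { throw "$Label lower bound $lower must be below upper bound $upper." }
    return [pscustomobject]@{ Lower = $lower; Upper = $upper }
}

# Values for VPN users: wait 2-5 minutes after logon so the tunnel is up before the first
# attempt, then retry in 45-120 second slots that repeat every 10 minutes.
$activationSlot = '120,300'
$slotInterval   = '45,120'
$calRepeat      = 600
$missThreshold  = 3      # assumed number; the page defines the meaning, not a suggested value

$a = Test-SlotString $activationSlot 'ActivationSlot'
$i = Test-SlotString $slotInterval   'SlotInterval'
if ($i.Upper -gt $calRepeat) {
    throw "SlotInterval upper bound $($i.Upper)s exceeds CalRepeat ${calRepeat}s; slots would overlap the next repeat."
}

# Write the settings. ActivationSlot is a key because the per-slot values live under it;
# storing the slot string as that key's default value is an assumption (see lead-in).
if (-not (Test-Path $slot)) { New-Item -Path $slot -Force | Out-Null }
New-ItemProperty -Path $base -Name 'SlottedActivation' -Value 1 -PropertyType DWord -Force | Out-Null
Set-ItemProperty -Path $slot -Name '(default)'     -Value $activationSlot
New-ItemProperty -Path $slot -Name 'CalRepeat'     -Value $calRepeat     -PropertyType DWord  -Force | Out-Null
New-ItemProperty -Path $slot -Name 'SlotInterval'  -Value $slotInterval  -PropertyType String -Force | Out-Null
New-ItemProperty -Path $slot -Name 'MissThreshold' -Value $missThreshold -PropertyType DWord  -Force | Out-Null

# Report the per-user slot data for the current user (written by the client after logon).
foreach ($k in 'ActivationSlot', 'SlotAttemptCount') {
    $p = "HKCU:\SOFTWARE\CREDANT\$k"
    if (Test-Path $p) { Get-Item $p | Format-List -Property Name, Property }
    else              { "$p not present yet (user has not logged on since slotting was enabled)." }
}
'Settings written; restart the computer for them to take effect.'
```

The interval check matters for the VPN case: if SlotInterval can exceed CalRepeat, a missed slot and the next repeat collide, and MissThreshold is consumed faster than the tunnel can come up.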
-
To detect unmanaged users on the client computer, set the following registry value on the client computer:
[HKLM\SOFTWARE\Credant\CMGShield\ManagedUsers\]
"UnmanagedUserDetected"=DWORD value:1
Detect unmanaged users on this computer=1
Do not detect unmanaged users on this computer=0
-
To enable silent automatic reactivation in the rare case that a user becomes deactivated, the following registry value must be set on the client computer.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CMGShield]
"AutoReactivation"=DWORD:00000001
0=Disabled (default)
1=Enabled
-
System Data Encryption (SDE) is enforced based on the policy value for SDE Encryption Rules. Additional directories are protected by default when the SDE Encryption Enabled policy is Selected. For more information, search "SDE Encryption Rules" in AdminHelp. When the Encryption client is processing a policy update that includes an active SDE policy, the current user profile directory is encrypted by default with the SDUser key (a User key) rather than the SDE key (a Device key). The SDUser key is also used to encrypt files or folders that are copied (not moved) into a user directory that is not encrypted with SDE.
To disable the SDUser key and use the SDE key to encrypt these user directories, create the following registry entry on the computer:
[HKEY_LOCAL_MACHINE\SOFTWARE\Credant\CMGShield]
"EnableSDUserKeyUsage"=DWORD:00000000
If this registry value is not present or is set to anything other than 0, the SDUser key is used to encrypt these user directories.
For more information about SDUser, see
www.dell.com/support/article/us/en/19/SLN304916
-
Set the EnableNGMetadata registry entry if issues occur related to Microsoft updates on computers with Common key-encrypted data, or with encrypting, decrypting, or unzipping large numbers of files within a folder.
Set the EnableNGMetadata registry entry in the following location:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CmgShieldFFE]
"EnableNGMetadata" = DWORD:1
0=Disabled (default)
1=Enabled
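Several entries on this page have non-obvious semantics when the value is absent: IgnoreCertErrors absent means trust validation is off, EnableSDUserKeyUsage absent or non-zero means the SDUser key is used, and OnlySendInvChanges absent means an optimized inventory. As an added example (not Dell's code), the following PowerShell function reads each documented value and reports the behaviour the page says results, flagging for review the settings that weaken trust validation, delay encryption, or change which key encrypts the user profile.

```powershell
# Added example: report the effective state of the CMGShield settings documented on this page.
function Get-ShieldSettingReport {
    $wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'
    $cr  = 'HKLM:\SOFTWARE\Credant\CMGShield'
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\CMGShield'
    $ffe = 'HKLM:\SYSTEM\CurrentControlSet\Services\CmgShieldFFE'

    # Each check maps the raw value ($null = absent) to the documented effect and a review flag.
    $checks = @(
        @{ Path=$wl;  Name='IgnoreCertErrors';     Eval={ param($v)
            if ($null -eq $v -or $v -ne 0) { 'trust validation DISABLED (cert errors ignored)', $true }
            else                           { 'trust validation enabled (fail on cert error)', $false } } }
        @{ Path=$wl;  Name='SnoozeBeforeSweep';    Eval={ param($v)
            if ($v) { 'no response to prompt = encryption delayed', $true }
            else    { 'no response to prompt = encryption begins', $false } } }
        @{ Path=$wl;  Name='OnlySendInvChanges';   Eval={ param($v)
            if ($null -eq $v -or $v -ne 0) { 'optimized (changes-only) inventory', $false }
            else                           { 'full inventory on every upload', $false } } }
        @{ Path=$cr;  Name='DeleteTempFiles';      Eval={ param($v)
            if ($null -ne $v -and $v -eq 0) { 'temp files kept (slower initial sweep)', $false }
            else                            { 'temp files deleted before initial sweep', $false } } }
        @{ Path=$cr;  Name='EnableSDUserKeyUsage'; Eval={ param($v)
            if ($null -ne $v -and $v -eq 0) { 'user profile encrypted with SDE (Device) key', $true }
            else                            { 'user profile encrypted with SDUser (User) key', $false } } }
        @{ Path=$svc; Name='AutoReactivation';     Eval={ param($v)
            if ($v) { 'silent reactivation enabled', $false } else { 'disabled (default)', $false } } }
        @{ Path=$ffe; Name='EnableNGMetadata';     Eval={ param($v)
            if ($v) { 'enabled', $false } else { 'disabled (default)', $false } } }
    )

    foreach ($c in $checks) {
        $raw = $null
        if (Test-Path $c.Path) {
            $raw = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        $meaning, $flag = & $c.Eval $raw
        $display = if ($null -eq $raw) { '<absent>' } else { $raw }
        [pscustomobject]@{
            Setting = $c.Name
            Raw     = $display
            Effect  = $meaning
            Review  = $flag
        }
    }
}

Get-ShieldSettingReport | Format-Table -AutoSize
```

Run it elevated on a client and pipe to Export-Csv for a fleet comparison; a row with Review set to True is one where the page's default has been changed in a direction worth confirming with the policy owner.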
-
The non-domain activation feature can be enabled by contacting Dell ProSupport and requesting instructions.