
Endpoint Security Suite Pro Advanced Installation Guide v1.8


Encryption Client Troubleshooting

Upgrade to the Windows 10 Creators Update

To upgrade to the Windows 10 Creators Update version, follow the instructions in the following article: http://www.dell.com/support/article/us/en/19/SLN298382.

(Optional) Create an Encryption Removal Agent Log File

  • Before beginning the uninstall process, you can optionally create an Encryption Removal Agent log file. This log file is useful for troubleshooting an uninstall/decryption operation. If you do not intend to decrypt files during the uninstall process, you do not need to create this log file.
  • The Encryption Removal Agent log file is not created until after the Encryption Removal Agent Service runs, which does not happen until the computer is restarted. Once the client is successfully uninstalled and the computer is fully decrypted, the log file is permanently deleted.
  • The log file path is C:\ProgramData\Dell\Dell Data Protection\Encryption.
  • Create the following registry entry on the computer targeted for decryption.

    [HKLM\Software\Credant\DecryptionAgent]

    "LogVerbosity"=DWORD:2

    0: no logging

    1: logs errors that prevent the Service from running

    2: logs errors that prevent complete data decryption (recommended level)

    3: logs information about all decrypting volumes and files

    5: logs debugging information

Find TSS Version

  • TSS is a component that interfaces with the TPM. To find the TSS version, go to (default location) C:\Program Files\Dell\Dell Data Protection\Drivers\TSS\bin > tcsd_win32.exe. Right-click the file and select Properties. Verify the file version on the Details tab.

Encryption External Media and PCS Interactions

To Ensure Media is Not Read-Only and the Port is Not Blocked

The Encryption External Media Access to unShielded Media policy interacts with the Port Control System - Storage Class: External Drive Control policy. If you intend to set the Encryption External Media Access to unShielded Media policy to Full Access, also set the Storage Class: External Drive Control policy to Full Access so that the media is not set to read-only and the port is not blocked.

To Encrypt Data Written to CD/DVD

  • Set Windows Media Encryption = On.
  • Set EMS Exclude CD/DVD Encryption = not selected.
  • Set Subclass Storage: Optical Drive Control = UDF Only.

Use WSScan

  • WSScan allows you to ensure that all data is decrypted when uninstalling the Encryption client as well as view encryption status and identify unencrypted files that should be encrypted.
  • Administrator privileges are required to run this utility.

Run WSScan

  1. From the Dell installation media, copy WSScan.exe to the Windows computer to scan.
  2. Launch a command line at the location above and enter wsscan.exe at the command prompt. WSScan launches.
  3. Click Advanced.
  4. Select the type of drive to scan from the drop-down menu: All Drives, Fixed Drives, Removable Drives, or CDROMs/DVDROMs.
  5. Select the desired Encryption Report Type from the drop-down menu: Encrypted Files, Unencrypted Files, All Files, or Unencrypted Files in Violation:
    • Encrypted Files - To ensure that all data is decrypted when uninstalling the Encryption client. Follow your existing process for decrypting data, such as issuing a decryption policy update. After decrypting data, but before performing a restart in preparation for uninstall, run WSScan to ensure that all data is decrypted.
    • Unencrypted Files - To identify files that are not encrypted, with an indication of whether the files should be encrypted (Y/N).
    • All Files - To list all encrypted and unencrypted files, with an indication of whether the files should be encrypted (Y/N).
    • Unencrypted Files in Violation - To identify files that are not encrypted that should be encrypted.
  6. Click Search.

OR

  1. Click Advanced to toggle the view to Simple to scan a particular folder.
  2. Go to Scan Settings and enter the folder path in the Search Path field. If this field is used, the selection in the drop-down box is ignored.
  3. If you do not want to write WSScan output to a file, clear the Output to File check box.
  4. Change the default path and filename in Path, if desired.
  5. Select Add to Existing File if you do not want to overwrite any existing WSScan output files.
  6. Choose the output format:

    • Select Report Format for a report style list of scanned output. This is the default format.
    • Select Value Delimited File for output that can be imported into a spreadsheet application. The default delimiter is "|", although it can be changed to up to 9 alphanumeric, space, or keyboard punctuation characters.
    • Select the Quoted Values option to enclose each value in double quotation marks.
    • Select Fixed Width File for non-delimited output containing a continuous line of fixed-length information about each encrypted file.
  7. Click Search.

    Click Stop Searching to stop your search. Click Clear to clear displayed messages.

WSScan Command Line Usage

WSScan [-ta] [-tf] [-tr] [-tc] [drive] [-s] [-o<filepath>] [-a] [-f<format specifier>] [-r] [-u[a][-|v]] [-d<delimeter>] [-q] [-e] [-x<exclusion directory>] [-y<sleep time>]

| Switch | Meaning |
| --- | --- |
| Drive | Drive to scan. If not specified, the default is all local fixed hard drives. Can be a mapped network drive. |
| -ta | Scan all drives |
| -tf | Scan fixed drives (default) |
| -tr | Scan removable drives |
| -tc | Scan CDROMs/DVDROMs |
| -s | Silent operation |
| -o | Output file path |
| -a | Append to output file. The default behavior truncates the output file. |
| -f | Report format specifier (Report, Fixed, Delimited) |
| -r | Run WSScan without administrator privileges. Some files may not be visible if this mode is used. |
| -u | Include unencrypted files in output file. This switch is sensitive to order: "u" must be first, "a" must be second (or omitted), "-" or "v" must be last. |
| -u- | Only include unencrypted files in output file |
| -ua | Report unencrypted files also, but use all user policies to display the "should" field. |
| -ua- | Report unencrypted files only, but use all user policies to display the "should" field. |
| -uv | Report unencrypted files that violate policy only (Is=No / Should=Y) |
| -uav | Report unencrypted files that violate policy only (Is=No / Should=Y), using all user policies. |
| -d | Specifies what to use as a value separator for delimited output |
| -q | Specifies the values that should be enclosed in quotes for delimited output |
| -e | Include extended encryption fields in delimited output |
| -x | Exclude directory from scan. Multiple exclusions are allowed. |
| -y | Sleep time (in milliseconds) between directories. This switch results in slower scans, but potentially a more responsive CPU. |

WSScan Output

WSScan output for encrypted files contains the following information.

Example Output:

[2015-07-28 07:52:33] SysData.7vdlxrsb._SDENCR_: "c:\temp\Dell - test.log" is still AES256 encrypted

| Output | Meaning |
| --- | --- |
| Date/time stamp | The date and time the file was scanned. |
| Encryption type | The type of encryption used to encrypt the file. SysData: SDE Encryption Key. User: User Encryption Key. Common: Common Encryption Key. WSScan does not report files encrypted using Encrypt for Sharing. |
| KCID | The Key Computer ID. As shown in the example above, "7vdlxrsb". If you are scanning a mapped network drive, the scanning report does not return a KCID. |
| UCID | The User ID. As shown in the example above, "_SDENCR_". The UCID is shared by all the users of that computer. |
| File | The path of the encrypted file. As shown in the example above, "c:\temp\Dell - test.log". |
| Algorithm | The encryption algorithm being used to encrypt the file. As shown in the example above, "is still AES256 encrypted". RIJNDAEL 128; RIJNDAEL 256; AES 128; AES 256; 3DES. |
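
The report-format line documented above can be checked mechanically before the pre-uninstall restart. This added example (not Dell code) parses lines of the documented shape into the fields from the table; the second and third sample lines are constructed, and accepting an empty KCID is an assumption because the guide does not show how that case is printed.

```python
import re
from collections import Counter
from datetime import datetime

# Line shape taken from the single example in this guide. Assumption: the KCID
# field may be empty (mapped network drives return none); the guide does not
# show how WSScan prints that case.
LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]\s+'
    r'(?P<key_type>SysData|User|Common)\.(?P<kcid>[^.]*)\.(?P<ucid>[^:]+):\s+'
    r'"(?P<path>.+)"\s+is still\s+(?P<algorithm>.+?)\s+encrypted\s*$'
)

# First line is the guide's example; the others are constructed for this demo.
SAMPLE = r'''
[2015-07-28 07:52:33] SysData.7vdlxrsb._SDENCR_: "c:\temp\Dell - test.log" is still AES256 encrypted
[2015-07-28 07:52:34] User.7vdlxrsb._SDENCR_: "c:\users\demo\plan.docx" is still AES256 encrypted
this line does not match the documented shape
'''

def parse_line(line):
    """Return the fields of one encrypted-file line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["kcid"] = rec["kcid"] or None
    return rec

def residual_encrypted(lines):
    """Split report lines into parsed encrypted-file records and unparsed lines."""
    records, unparsed = [], []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec:
            records.append(rec)
        else:
            unparsed.append(line)
    return records, unparsed

def summarize(records):
    """Count remaining encrypted files per (key type, algorithm)."""
    return Counter((r["key_type"], r["algorithm"]) for r in records)

if __name__ == "__main__":
    records, unparsed = residual_encrypted(SAMPLE.splitlines())
    for (key_type, alg), n in summarize(records).items():
        print(f"{key_type} {alg}: {n} file(s) still encrypted")
    print(f"{len(unparsed)} line(s) not recognised; review them by hand")
```

Treat unparsed lines as unverified rather than as decrypted; an empty record list only means that no line matched the documented shape.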

Use WSProbe

The Probing Utility is for use with all versions of the Encryption client, with the exception of Encryption External Media policies. Use the Probing Utility to:

  • Scan or schedule scanning of an encrypted computer. The Probing Utility observes your Workstation Scan Priority policy.
  • Temporarily disable or re-enable the current user Application Data Encryption List.
  • Add or remove process names on the privileged list.
  • Troubleshoot as instructed by Dell ProSupport.

Approaches to Data Encryption

If you specify policies to encrypt data on Windows devices, you can use any of the following approaches:

  • The first approach is to accept the default behavior of the client. If you specify folders in Common Encrypted Folders or User Encrypted Folders, or set Encrypt "My Documents", Encrypt Outlook Personal Folders, Encrypt Temporary Files, Encrypt Temporary Internet Files, or Encrypt Windows Paging File to selected, affected files are encrypted either when they are created, or (after being created by an unmanaged user) when a managed user logs on. The client also scans folders specified in or related to these policies for possible encryption/decryption when a folder is renamed, or when the client receives changes to these policies.
  • You can also set Scan Workstation on Logon to Selected. If Scan Workstation on Logon is Selected, when a user logs on, the client compares how files in currently- and previously-encrypted folders are encrypted to the user policies, and makes any necessary changes.
  • If you want to encrypt files that meet your encryption criteria but were created before your encryption policies went into effect, and you do not want the performance impact of frequent scanning, you can use this utility to scan or schedule scanning of the computer.

Prerequisites

  • The Windows device you want to work with must be encrypted.
  • The user you want to work with must be logged on.

Use the Probing Utility

WSProbe.exe is located in the installation media.

Syntax

wsprobe [path]

wsprobe [-h]

wsprobe [-f path]

wsprobe [-u n] [-x process_names] [-i process_names]

Parameters

| Parameter | To |
| --- | --- |
| path | Optionally specify a particular path on the device that you want to scan for possible encryption/decryption. If you do not specify a path, this utility scans all folders related to your encryption policies. |
| -h | View command line Help. |
| -f | Troubleshoot as instructed by Dell ProSupport |
| -u | Temporarily disable or re-enable the user Application Data Encryption List. This list is only effective if Encryption Enabled is selected for the current user. Specify 0 to disable or 1 to re-enable. The current policy in force for the user is reinstated at the next logon. |
| -x | Add process names to the privileged list. The computer and installer process names on this list, plus those you add using this parameter or HKLM\Software\CREDANT\CMGShield\EUWPrivilegedList, are ignored if specified in the Application Data Encryption List. Separate process names with commas. If your list includes one or more spaces, enclose the list in double quotes. |
| -i | Remove process names previously added to the privileged list (you cannot remove hard-coded process names). Separate process names with commas. If your list includes one or more spaces, enclose the list in double quotes. |

Check Encryption Removal Agent Status

The Encryption Removal Agent displays its status in the description area of the Services panel (Start > Run... > services.msc > OK) as follows. Periodically refresh the Service (highlight the Service > right-click > Refresh) to update its status.

  • Waiting for SDE Deactivation - The Encryption client is still installed, is still configured, or both. Decryption does not start until the Encryption client is uninstalled.
  • Initial sweep - The Service is making an initial sweep, calculating the number of encrypted files and bytes. The initial sweep occurs one time.
  • Decryption sweep - The Service is decrypting files and possibly requesting to decrypt locked files.
  • Decrypt on Reboot (partial) - The decryption sweep is complete and some locked files (but not all) are to be decrypted on the next restart.
  • Decrypt on Reboot - The decryption sweep is complete and all locked files are to be decrypted on the next restart.
  • All files could not be decrypted - The decryption sweep is complete, but all files could not be decrypted. This status means one of the following occurred:

    • The locked files could not be scheduled for decryption because they were too big, or an error occurred while making the request to unlock them.
    • An input/output error occurred while decrypting files.
    • The files could not be decrypted by policy.
    • The files are marked as should be encrypted.
    • An error occurred during the decryption sweep.
    • In all cases, a log file is created (if logging is configured) when LogVerbosity=2 (or higher) is set. To troubleshoot, set the log verbosity to 2 and restart the Encryption Removal Agent Service to force another decryption sweep. See (Optional) Create an Encryption Removal Agent Log File for instructions.
  • Complete - The decryption sweep is complete. The Service, the executable, the driver, and the driver executable are all scheduled for deletion on the next restart.

