Install Guide

ManualsBrandsDell ManualsConverged InfrastructureEndpoint Security Suite Enterprise

Table Of Contents

Dell Endpoint Security Suite Enterprise Advanced Installation Guide v3.1
Contents
Introduction
- Before You Begin
- Using This Guide
- Contact Dell ProSupport
Requirements
- All Clients
- Encryption
- Full Disk Encryption
- Encryption on Server Operating Systems
- Advanced Threat Prevention
  - Compatibility
- Client Firewall and Web Protection
- SED Manager
- BitLocker Manager
Registry Settings
- Encryption
- Full Disk Encryption
- Advanced Threat Prevention
- SED Manager
- BitLocker Manager
Install Using the Master Installer
- Install Interactively Using the Master Installer
- Install by Command Line Using the Master Installer
Uninstall the Master Installer
- Uninstall the Endpoint Security Suite Enterprise Master Installer
Install Using the Child Installers
- Install Drivers
- Install Encryption
- Install Full Disk Encryption
- Install Encryption on Server Operating System
- Install Advanced Threat Prevention Client
- Install Client Firewall and Web Protection
- Install SED Manager and PBA Advanced Authentication
- Install BitLocker Manager
Uninstall Using the Child Installers
- Uninstall Web Protection and Firewall
- Uninstall Advanced Threat Prevention
- Uninstall Full Disk Encryption
- Uninstall SED Manager
- Uninstall Encryption and Encryption on Server Operating System
- Uninstall BitLocker Manager
Data Security Uninstaller
Commonly Used Scenarios
- Encryption Client and Advanced Threat Prevention
- SED Manager and Encryption External Media
- BitLocker Manager and Encryption External Media
- BitLocker Manager and Advanced Threat Prevention
Provision a Tenant
- Provision a Tenant
Configure Advanced Threat Prevention Agent Auto Update
Pre-Installation Configuration for SED UEFI, and BitLocker Manager
- Initialize the TPM
- Pre-Installation Configuration for UEFI Computers
- Pre-Installation Configuration to Set Up a BitLocker PBA Partition
Designate the Dell Server through Registry
Extract Child Installers
Configure Key Server
- Services Panel - Add Domain Account User
- Key Server Config File - Add User for Security Management Server Communication
- Services Panel - Restart Key Server Service
- Management Console - Add Forensic Administrator
Use the Administrative Download Utility (CMGAd)
- Use Forensic Mode
- Use Admin Mode
Configure Encryption on a Server Operating System
Configure Deferred Activation
- Deferred Activation Customization
- Prepare the Computer for Installation
- Install Encryption with Deferred Activation
- Activate Encryption with Deferred Activation
- Troubleshoot Deferred Activation
Troubleshooting
- All Clients - Troubleshooting
- All Clients - Protection Status
- Dell Encryption Troubleshooting (client and server)
- Advanced Threat Prevention Troubleshooting
- SED Troubleshooting
- Dell ControlVault Drivers
  - Update Dell ControlVault Drivers and Firmware
- UEFI Computers
- TPM and BitLocker
Glossary

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

"SmartCardLogonNotify"=DWORD:1

0 = Disabled

1 = Enabled

● To prevent SED Manager from disabling third-party credential providers, create the following registry key:

HKLM\SOFTWARE\Dell\Dell Data Protection\

"AllowOtherCredProviders" = DWORD:1

0=Disabled (default)

1=Enabled

NOTE: This value may prevent the Dell credential provider from properly syncing credentials initially due to third-party

credential providers being disabled. Ensure the devices using this registry key can properly communicate with the Dell

Server.

● To set the interval that SED Manager attempts to contact the Dell Server when it is unavailable to communicate, set the

following value on the target computer:

[HKLM\System\CurrentControlSet\Services\DellMgmtAgent\Parameters]

"CommErrorSleepSecs"=DWORD Value:300

This value is the number of seconds SED Manager waits to attempt to contact the Dell Server if it is unavailable to

communicate. The default is 300 seconds (5 minutes).

● The Security Server host may be changed from the original installation location if needed. The host information is read every

time a policy poll occurs. Change the following registry value on the client computer:

[HKLM\SYSTEM\CurrentControlSet\services\DellMgmtAgent]

"ServerHost"=REG_SZ:<newname>.<organization>.com

● The Security Server port may be changed from the original installation location if needed. This value is read every time a

policy poll occurs. Change the following registry value on the client computer:

[HKLM\SYSTEM\CurrentControlSet\services\DellMgmtAgent]

ServerPort=REG_SZ:8888

● The Security Server URL may be changed from the original install location if needed. This value is read by the client

computer every time a policy poll occurs. Change the following registry value on the client computer:

[HKLM\SYSTEM\CurrentControlSet\services\DellMgmtAgent]

"ServerUrl"=REG_SZ:https://<newname>.<organization>.com:8888/agent

● (With pre-boot authentication only) If you do not want PBA advanced authentication to change the services associated with

smart cards and biometric devices to a startup type of "automatic", disable the service startup feature. Disabling this feature

also suppresses warnings associated with the required services not running.

When disabled, PBA advanced authentication does not attempt to start these services:

○

SCardSvr - Manages access to smart cards read by the computer. If this service is stopped, this computer is unable to

read smart cards. If this service is disabled, any services that explicitly depend on it fail to start.

○ SCPolicySvc - Allows the system to be configured to lock the user desktop upon smart card removal.

○ WbioSrvc - The Windows biometric service gives client applications the ability to capture, compare, manipulate, and store

biometric data without gaining direct access to any biometric hardware or samples. The service is hosted in a privileged

SVCHOST process.

By default, if the registry key does not exist or the value is set to 0, this feature is enabled.

[HKLM\SOFTWARE\DELL\Dell Data Protection]

SmartCardServiceCheck=REG_DWORD:0

0 = Enabled

1 = Disabled

● To use smart cards with SED PBA Authentication, the following registry value must be set on the client computer that is

equipped with an SED.

Registry Settings