Dell Data Security Endpoint Security Suite Pro Advanced Installation Guide v1.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2017 Dell Inc. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents
1 Introduction ... 6
Before You Begin ... 6
Using This Guide ...
5 Uninstall Using the Endpoint Security Suite Pro Master Installer ... 33
Uninstall the Endpoint Security Suite Pro Master Installer ... 33
Command Line Uninstallation ... 33
6 Install Using the Child Installers ...
Services Panel - Add Domain Account User ... 57
Key Server Config File - Add User for Security Management Server Communication ... 58
Sample Configuration File ... 59
Services Panel - Restart Key Server Service ...
1 Introduction
This guide details how to install and configure Threat Protection, the Encryption client, SED management client, Advanced Authentication, and BitLocker Manager. All policy information and policy descriptions are found in the AdminHelp.
Before You Begin
1 Install the Security Management Server/Security Management Server Virtual before deploying clients. Locate the correct guide as shown below, follow the instructions, and then return to this guide.
2 Thoroughly read the Requirements chapter of this document.
3 Deploy clients to end users.
Using This Guide
Use this guide in the following order.
• See Requirements for client prerequisites, computer hardware and software information, limitations, and special registry modifications needed for features.
• If needed, see Pre-Installation Configuration for SED UEFI, and BitLocker.
Additionally, online support for Dell products is available at dell.com/support. Online support includes drivers, manuals, technical advisories, FAQs, and emerging issues. Be sure to help us quickly connect you to the right technical expert by having your Service Code available when you call. For phone numbers outside of the United States, check Dell ProSupport International Phone Numbers.
2 Requirements
All Clients
These requirements apply to all clients. Requirements listed in other sections apply to specific clients.
• IT best practices should be followed during deployment. This includes, but is not limited to, controlled test environments for initial tests, and staggered deployments to users.
All Clients - Localization
• The Encryption, Threat Protection, and BitLocker Manager clients are Multilingual User Interface (MUI) compliant and are localized in the following languages.
Language Support
• EN - English
• JA - Japanese
• ES - Spanish
• KO - Korean
• FR - French
• PT-BR - Portuguese, Brazilian
• IT - Italian
• PT-PT - Portuguese, Portugal (Iberian)
• DE - German
Encryption Client
• The client computer must have network connectivity to activate.
Encryption Client Hardware
• The following table details supported hardware.
Optional Embedded Hardware
• TPM 1.2 or 2.0
Encryption Client Operating Systems
• The following table details supported operating systems.
Windows Operating Systems (32- and 64-bit)
• Windows 7 SP0-SP1: Enterprise, Professional, Ultimate
• Windows Embedded Standard 7 with Application Compatibility template (hardware encryption is not supported)
• Windows 8: Enterprise, Pro
• Windows 8.
NOTE: External media must have approximately 55 MB available plus open space on the media that is equal to the largest file to be encrypted to host Encryption External Media.
NOTE: Windows XP is supported when using Encryption External Media Explorer only.
Use | Application Protocol | Transport Protocol | Port Number | Destination | Direction
Anti-virus Updates | HTTP | TCP | 443/fallback 80 | vs.mcafeeasap.com | Outbound
Anti-virus Engine/Signature Updates | SSL | TCP | 443 | vs.mcafeeasap.com | Outbound
Anti-Spam Engine | HTTP | TCP | 443 | vs.mcafeeasap.com | Outbound
Anti-Spam Rules and Streaming Updates | HTTP | TCP | 80 | vs.mcafeeasap.com | Outbound
Reputation Service | SSL | TCP | 443 | tunnel.web.
Notes: Packet types: X-SU3X-SU3Component-Name X-SU3-ComponentType X-SU3-Status
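A pre-deployment egress check for the destinations in this table, written in PowerShell. It is an added example and not a script from the Dell guide: it assumes Test-NetConnection is available (Windows 8/Server 2012 and later) and that any proxy in the path lets a plain TCP connect through. Only the rows whose destination is fully shown above are included; the Reputation Service destination is cut off on this page, so it is left out. The Test-RequiredEgress function name is the example's own.

```powershell
# Added example (not from the Dell guide): verify that each outbound destination
# required by Threat Protection is reachable before the client is deployed.
# Rules are taken from the port table above; the Reputation Service row is
# omitted because its hostname is truncated on the page.
$required = @(
    @{ Use = 'Anti-virus Updates';                    Host = 'vs.mcafeeasap.com'; Ports = @(443, 80) }  # 443 with fallback 80
    @{ Use = 'Anti-virus Engine/Signature Updates';   Host = 'vs.mcafeeasap.com'; Ports = @(443) }
    @{ Use = 'Anti-Spam Engine';                      Host = 'vs.mcafeeasap.com'; Ports = @(443) }
    @{ Use = 'Anti-Spam Rules and Streaming Updates'; Host = 'vs.mcafeeasap.com'; Ports = @(80) }
)

function Test-RequiredEgress {
    param([array]$Rules)
    foreach ($rule in $Rules) {
        foreach ($port in $rule.Ports) {
            # -InformationLevel Quiet returns only $true/$false for the TCP handshake
            $ok = Test-NetConnection -ComputerName $rule.Host -Port $port `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                Use       = $rule.Use
                Host      = $rule.Host
                Port      = $port
                Reachable = $ok
            }
        }
    }
}

$results = Test-RequiredEgress -Rules $required
$results | Format-Table -AutoSize

# A firewall or proxy rule that blocks any row here breaks signature and rule
# updates without any visible error on the client, so fail the check loudly.
if ($results | Where-Object { -not $_.Reachable }) {
    Write-Warning 'At least one required destination is unreachable; fix egress rules before deploying.'
    exit 1
}
```

Run the script from a representative client in each network segment, not only from the administrator's workstation, since the egress rules that matter are the ones applied to the endpoints.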
• Configuration of self-encrypting drives for Dell’s SED management differs between NVMe and non-NVMe (SATA) drives, as follows.
• Any NVMe drive that is being leveraged as an SED – The BIOS’ SATA operation must be set to RAID ON, as Dell’s SED management does not support AHCI on NVMe drives.
• Any NVMe drive that is being leveraged as an SED – The BIOS's boot mode must be UEFI and Legacy option ROMs must be disabled.
Dell Computer Models - UEFI Support
• Latitude 5580
• Latitude 7370
• Latitude 7380
• Latitude E5270
• Latitude E5285
• Latitude E5289 2-in-1
• Latitude E5470
• Latitude E5570
• Latitude E7240
• Latitude E7250
• Latitude E7260
• Latitude E7265
• Latitude E7270
• Latitude E7275
• Latitude E7280
• Latitude E7350
• Latitude 7389 2-in-1
• Latitude E7440
• Latitude E7450
• Latitude E7460
• Latitude E7470
• Latitude E7480
• Latitude 12 Rugged Extreme
• Latitude 12 Rugged Tablet (Model 7202)
• Latitude 14 Rugge
Non-UEFI PBA
Operating System | Password | Fingerprint | Contacted Smart card | SIPR Card
Windows 8.1 | X1 X1 2
Windows 10 | X1 X1 2
1. Available when authentication drivers are downloaded from support.dell.com.
2. Available with a supported OPAL SED.
UEFI PBA - on supported Dell computers
Operating System | Password | Fingerprint | Contacted Smart card | SIPR Card
Windows 7 |
Windows 8 | X1 X1
Windows 8.1 | X1 X1
Windows 10 | X1 X1
1. Available with a supported OPAL SED on supported UEFI computers.
Language Support
• EN - English
• KO - Korean
• FR - French
• ZH-CN - Chinese, Simplified
• IT - Italian
• ZH-TW - Chinese, Traditional/Taiwan
• DE - German
• PT-BR - Portuguese, Brazilian
• ES - Spanish
• PT-PT - Portuguese, Portugal (Iberian)
• JA - Japanese
• RU - Russian
SED Client Operating Systems
• The following table details the supported operating systems.
Contactless Cards
• Contactless Cards using Contactless Card Readers built-in to specified Dell laptops
Smart Cards
• PKCS #11 Smart Cards using the ActivIdentity client
NOTE: The ActivIdentity client is not pre-loaded and must be installed separately.
• CSP Cards
• Common Access Cards (CACs)
• Class B/SIPR Net Cards
The following table details Dell computer models supported with SIPR Net cards.
BitLocker Manager Client Prerequisites • The Endpoint Security Suite Pro master installer installs the following prerequisites if not already installed on the computer. When using the child installer, you must install these components before installing BitLocker Manager.
3 Registry Settings
• This section details all Dell ProSupport approved registry settings for local client computers, regardless of the reason for the registry setting. If a registry setting overlaps two products, it is listed in each category.
• These registry changes should be done by Administrators only and may not be appropriate or work in all scenarios.
• By default, all temporary files in the c:\windows\temp directory are automatically deleted during installation. Deletion of temporary files speeds initial encryption and occurs before the initial encryption sweep. However, if your organization uses a third-party application that requires the file structure within the \temp directory to be preserved, you should prevent this deletion. To disable temporary file deletion, create or modify the registry setting as follows:
[HKLM\SOFTWARE\CREDANT\CMGShield]
"De
"OnlySendInvChanges"=REG_DWORD:0
If no entry is present, optimized inventory is sent to the Security Management Server/Security Management Server Virtual.
• Send Full Inventory for All Activated Users
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]
"RefreshInventory"=REG_DWORD:1
This entry is deleted from the registry as soon as it is processed.
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield\ActivationSlot]
MissThreshold - a DWORD value that contains a positive integer that defines the number of attempts to activate before a log off is required. If the MissThreshold is reached, activation attempts will cease until the next login for the unactivated user. The count for MissThreshold is always reset on logoff.
"EnableNGMetadata"=DWORD:1
0=Disabled (default)
1=Enabled
• The non-domain activation feature can be enabled by contacting Dell ProSupport and requesting instructions.
Threat Protection Client Registry Settings
• Threat Protection events that the client sends to the Security Management Server/Security Management Server Virtual are not automatically archived on the client computer.
• If a self-signed certificate is used on the Security Management Server/Security Management Server Virtual for SED management, SSL/TLS trust validation must remain disabled on the client computer (SSL/TLS trust validation is disabled by default with SED management). Before enabling SSL/TLS trust validation on the client computer, the following requirements must be met.
• The Security Server URL may be changed from the original install location if needed. This value is read by the client computer every time a policy poll occurs. Change the following registry value on the client computer:
[HKLM\SYSTEM\CurrentControlSet\services\DellMgmtAgent]
"ServerUrl"=REG_SZ:https://..
"DisableSSLCertTrust"=DWORD:0
0 = Enabled
1 = Disabled
Dell Data Security Endpoint Security Suite Pro Registry Settings 27
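An added PowerShell audit, not from the Dell guide, that reads the values documented in this chapter on a client computer and reports the two that define the client's trust relationship with the Security Management Server: ServerUrl, which the client re-reads at every policy poll, and DisableSSLCertTrust. The page does not show which key holds DisableSSLCertTrust; the script assumes it sits under the DellMgmtAgent key shown above, and the Get-DellAgentAudit and Get-RegValueOrNull function names are the example's own. Run it in an elevated session.

```powershell
# Added example (not from the Dell guide): audit the management-agent and
# inventory registry values documented in this chapter on one client.
# ASSUMPTION: DisableSSLCertTrust is read from the DellMgmtAgent key; the
# guide does not show its key path, so adjust $agentKey if your build differs.
$agentKey     = 'HKLM:\SYSTEM\CurrentControlSet\services\DellMgmtAgent'
$inventoryKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # A missing key or value is reported as $null (not set), not as an error.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-DellAgentAudit {
    $serverUrl   = Get-RegValueOrNull -Path $agentKey -Name 'ServerUrl'
    $certTrust   = Get-RegValueOrNull -Path $agentKey -Name 'DisableSSLCertTrust'
    $onlyChanges = Get-RegValueOrNull -Path $inventoryKey -Name 'OnlySendInvChanges'

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        # ServerUrl is re-read at every policy poll: an unexpected host or a
        # non-HTTPS scheme here means policy is being fetched from the wrong place.
        ServerUrl           = $serverUrl
        ServerUrlIsHttps    = ($null -ne $serverUrl) -and ($serverUrl -like 'https://*')
        # The guide requires trust validation to stay disabled while the server
        # uses a self-signed certificate; once a CA-issued certificate is in
        # place, enabling it is what stops a look-alike server from being accepted.
        DisableSSLCertTrust = $certTrust
        # 0 (or absent) sends optimized inventory; see the inventory settings above.
        OnlySendInvChanges  = $onlyChanges
    }
}

Get-DellAgentAudit | Format-List
```

The output is a single object per computer, so the same function can be invoked through Invoke-Command against a list of endpoints and the results exported to CSV to find clients whose ServerUrl or DisableSSLCertTrust value drifted from the baseline you deployed.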
4 Install Using the Master Installer
• Command line switches and parameters are case-sensitive.
• To install using non-default ports, use the child installers instead of the master installer.
• Endpoint Security Suite Pro master installer log files are located at C:\ProgramData\Dell\Dell Data Protection\Installer.
• Instruct users to see the following document and help files for application assistance:
• See the Dell Encrypt Help to learn how to use the features of the Encryption client.
6 Click Next to install the product in the default location of C:\Program Files\Dell\Dell Data Protection\. Dell recommends installing in the default location only, as problems may arise when installing in other locations.
7 Select the components to be installed. Security Framework installs the underlying security framework and Advanced Authentication, the advanced authentication client that manages multiple authentication methods, including PBA and credentials such as fingerprints and passwords.
8 Click Install to begin the installation. Installation will take several minutes.
9 Select Yes, I want to restart my computer now and click Finish.
Installation is complete.
Install by Command Line Using the Master Installer
• The switches must be specified first in a command line installation. Other parameters go inside an argument that is passed to the /v switch.
Switches
• The following table describes the switches that can be used with the Endpoint Security Suite Pro master installer.
Parameter | Description
SUPPRESSREBOOT | Suppresses the automatic reboot after the installation completes. Can be used in SILENT mode.
SERVER | Specifies the URL of the Security Management Server/Security Management Server Virtual.
InstallPath | Specifies the path for the installation. Can be used in SILENT mode.
FEATURES | Specifies the components that can be installed in SILENT mode.
5 Uninstall Using the Endpoint Security Suite Pro Master Installer
• Each component must be uninstalled separately, followed by uninstallation of the Endpoint Security Suite Pro master installer. The clients must be uninstalled in a specific order to prevent uninstallation failures.
• Follow the instructions in Extract the Child Installers from the Master Installer to obtain child installers.
6 Install Using the Child Installers
• To install each client individually, the child executable files must first be extracted from the Endpoint Security Suite Pro master installer, as shown in Extract the Child Installers from the Master Installer.
• Command examples included in this section assume the commands are run from C:\extracted.
• Command line switches and parameters are case-sensitive.
Option | Meaning
/qb!- | Progress dialog without Cancel button, restarts itself after process completion
/qn | No user interface
/norestart | Suppress reboot
Instruct users to see the following document and help files for application assistance:
• See the Dell Encrypt Help to learn how to use the features of the Encryption client. Access the help from :\Program Files\Dell\Dell Data Protection\Encryption\Help.
Parameters
DEVICESERVERURL= (URL used for activation; usually includes server name, port, and xapi)
GKPORT= (Gatekeeper port)
MACHINEID= (Computer name)
RECOVERYID= (Recovery ID)
REBOOT=ReallySuppress (Null allows for automatic reboots, ReallySuppress disables reboot)
HIDEOVERLAYICONS=1 (0 enables overlay icons, 1 disables overlay icons)
HIDESYSTRAYICON=1 (0 enables the systray icon, 1 disables the systray icon)
For a list of basic .
DDPE_XXbit_setup.exe /s /v"OPTIN=1 SERVERHOSTNAME=server.organization.com POLICYPROXYHOSTNAME=rgk.organization.com DEVICESERVERURL=https://server.organization.com:8443/xapi/ MANAGEDDOMAIN=ORGANIZATION"
MSI Command:
msiexec.exe /i "Dell Data Protection Encryption.msi" OPTIN="1" SERVERHOSTNAME="server.organization.com" POLICYPROXYHOSTNAME="rgk.organization.com" DEVICESERVERURL="https://server.organization.
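An added PowerShell wrapper, not from the Dell guide, around the DDPE_XXbit_setup.exe command above: it assembles the /v argument from variables, runs the child installer, waits for it, and acts on the exit code instead of assuming success. The hostnames, the 64-bit filename under C:\extracted, and the Invoke-DellChildInstaller function are assumptions for the example; 3010 is the standard msiexec "success, reboot required" code, which the child installer may or may not pass through, so treat that branch as an assumption too.

```powershell
# Added example (not from the Dell guide): run the Encryption child installer
# silently with the parameters shown above and check the result.
# ASSUMPTIONS: installers were extracted to C:\extracted (as this section does),
# the 64-bit package is used, and the hostnames below are replaced with yours.
$installer   = 'C:\extracted\Encryption\DDPE_64bit_setup.exe'   # XX = 32 or 64
$serverHost  = 'server.organization.com'
$policyProxy = 'rgk.organization.com'
$domain      = 'ORGANIZATION'

# Everything inside /v"..." is handed to the embedded MSI. Switches and parameter
# names are case-sensitive, so they are written exactly as the guide shows them;
# /qn and /norestart are the child-installer options listed earlier in this section.
$inner = "OPTIN=1 SERVERHOSTNAME=$serverHost POLICYPROXYHOSTNAME=$policyProxy " +
         "DEVICESERVERURL=https://${serverHost}:8443/xapi/ MANAGEDDOMAIN=$domain /qn /norestart"
$arguments = "/s /v`"$inner`""

function Invoke-DellChildInstaller {
    param([string]$Path, [string]$ArgumentList)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Installer not found: $Path" }
    # -Wait blocks until the setup process exits; -PassThru returns the process
    # object so the exit code can be inspected.
    $proc = Start-Process -FilePath $Path -ArgumentList $ArgumentList -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

$exit = Invoke-DellChildInstaller -Path $installer -ArgumentList $arguments

# 0 = success; 3010 = msiexec convention for success with a pending reboot
# (assumed to be passed through by the wrapper exe). Anything else: read the
# child installer log under %temp% (see Troubleshooting) before retrying.
switch ($exit) {
    0       { Write-Output 'Encryption client installed.' }
    3010    { Write-Output 'Encryption client installed; a reboot is required.' }
    default { throw "Installer exited with code $exit" }
}
```

Because the whole parameter string is visible in the process command line while the installer runs, keep secrets out of it; this install command carries none, which is one reason to prefer it over the uninstall command later in the guide when scripting unattended runs.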
Command Line Installation
• The following table details the parameters available for the EnsMgmtSdkInstaller.exe file.
Parameters | Description
LoadCert | Load the certificate at the specified directory.
• The following table details the parameters available for the EPsetup.exe file.
Parameters | Description
ADDLOCAL="tp,fw,wc" | Identifies the modules to install: tp=Threat Protection, fw=Client Firewall, wc=Web Protection. NOTE: All three modules must be installed.
"Threat Protection\SDK\EnsMgmtSdkInstaller.exe" -LoadCert >"C:\ProgramData\Dell\Dell Data Protection\Installer Logs\McAfeeSDKInstallerBeforeEndPoint.log"
NOTE: This installer can be skipped if upgrading.
Then:
\Threat Protection\EndPointSecurity
• The following example installs the Threat Protection, Web Protection, and Client Firewall with default parameters (silent mode, install Threat Protection, Client Firewall, and Web Protection, override the Host Intrusion Prevention, no content update, no settings
Parameters
SECURITYSERVERHOST=
SECURITYSERVERPORT=8443
ARPSYSTEMCOMPONENT=1
For a list of basic .msi switches and display options that can be used in command lines, refer to Install Using the Child Installers.
Example Command Line
\Encryption Management Agent
• The following example installs remotely managed SED (silent installation, no reboot, no entry in the Control Panel Programs list, installed in the default location of C:\
Parameters
ARPSYSTEMCOMPONENT=1
For a list of basic .msi switches and display options that can be used in command lines, refer to Install Using the Child Installers.
Example Command Line
• The following example installs BitLocker Manager only (silent installation, no reboot, no entry in the Control Panel Programs list, installed in the default location of C:\Program Files\Dell\Dell Data Protection)
EMAgent_XXbit_setup.exe /s /v"CM_EDITION=1 SERVERHOST=server.
7 Uninstall Using the Child Installers
• To uninstall each client individually, the child executable files must first be extracted from the Endpoint Security Suite Pro master installer, as shown in Extract the Child Installers from the Master Installer. Alternatively, run an administrative installation to extract the .msi.
• Ensure that the same client versions are used for uninstallation as were used for installation.
• Command line switches and parameters are case-sensitive.
Option | Meaning
/qb!- | Progress dialog without Cancel button, restarts itself after process completion
/qn | No user interface
Uninstall Threat Protection Clients
Command Line Uninstallation
• Once extracted from the Endpoint Security Suite Pro master installer, the Threat Protection client installer can be located at C:\extracted\Threat Protection\ThreatProtection\WinXXR\DellThreatProtection.msi.
• Go to Add/Remove Programs in the Control Panel and uninstall the following components in this order.
• Run WSScan to ensure that all data is decrypted after uninstallation is complete, but before restarting the computer. See Use WSScan for instructions.
• Periodically check Encryption Removal Agent status. Data decryption is still in process if the Encryption Removal Agent Service still exists in the Services panel.
Command Line Uninstallation
• Once extracted from the Endpoint Security Suite Pro master installer, the Encryption client installer can be located at C:\extracted\Encryption\DDPE_XXbit_se
• The following example silently uninstalls the Encryption client and downloads the encryption keys from the Security Management Server.
DDPE_XXbit_setup.exe /s /x /v"CMG_DECRYPT=1 CMGSILENTMODE=1 DA_SERVER=server.organization.com DA_PORT=8050 SVCPN=administrator@organization.com DA_RUNAS=domain\username DA_RUNASPWD=password /qn"
MSI Command:
msiexec.exe /s /x "Dell Data Protection Encryption.msi" /qn REBOOT="ReallySuppress" CMG_DECRYPT="1" CMGSILENTMODE="1" DA_SERVER="server.organization.
2 In the left pane, click Protect & Manage > Endpoints.
3 Select the appropriate Endpoint Type.
4 Select Show > Visible, Hidden, or All.
5 If you know the Hostname of the computer, enter it in the Hostname field (wildcards are supported). You may leave the field blank to display all computers. Click Search. If you do not know the Hostname, scroll through the list to locate the computer. A computer or list of computers displays based on your search filter.
8 Commonly Used Scenarios
• To install each client individually, the child executable files must first be extracted from the Endpoint Security Suite Pro master installer, as shown in Extract the Child Installers from the Master Installer.
• The SED client is required for Advanced Authentication in v8.x, which is why it is part of the command line in the following examples.
• Command line switches and parameters are case-sensitive.
• See the Endpoint Security Suite Pro Help to learn how to use the features of Advanced Authentication and Threat Protection. Access the help from :\Program Files\Dell\Dell Data Protection\Endpoint Security Suite\Threat Protection\Help.
Encryption Client, Threat Protection, and Advanced Authentication
• The following example installs remotely managed SED (silent installation, no reboot, no entry in the Control Panel Programs list, installed in the default location of C:\Program Files\Dell\De
Encryption Client and Threat Protection
• The following example installs drivers for Trusted Software Stack (TSS) for the TPM and Microsoft hotfixes at the specified location, does not create an entry in the Control Panel Programs list, and suppresses the reboot. These drivers must be installed when installing the Encryption client.
setup.exe /S /z"\"InstallPath=, ARPSYSTEMCOMPONENT=1, SUPPRESSREBOOT=1\""
Then:
• The following example installs the Encryption client with default parameters (E
BitLocker Manager and Encryption External Media
• The following example installs BitLocker Manager (silent installation, no reboot, no entry in the Control Panel Programs list, installed in the default location of C:\Program Files\Dell\Dell Data Protection).
EMAgent_XXbit_setup.exe /s /v"CM_EDITION=1 SERVERHOST=server.organization.com SERVERPORT=8888 SECURITYSERVERHOST=server.organization.
9 Pre-Installation Configuration for SED UEFI, and BitLocker Manager
Initialize the TPM
• You must be a member of the local Administrators group, or equivalent.
• The computer must be equipped with a compatible BIOS and a TPM.
• Follow the instructions located at http://technet.microsoft.com/en-us/library/cc753140.aspx.
NOTE: Computers without UEFI firmware do not require configuration.
Disable Legacy Option ROMs
Ensure that the Enable Legacy Option ROMs setting is disabled in the BIOS.
1 Restart the computer.
2 As it is restarting, press F12 repeatedly to bring up the UEFI computer's boot settings.
3 Press the down arrow, highlight the BIOS Settings option, and press Enter.
4 Select Settings > General > Advanced Boot Options.
5 Clear the Enable Legacy Option ROMs check box and click Apply.
10 Set GPO on Domain Controller to Enable Entitlements
• If your clients will be entitled from Dell Digital Delivery (DDD), follow these instructions to set the GPO on the domain controller to enable entitlements (this may not be the same server running the Security Management Server/Security Management Server Virtual).
• The workstation must be a member of the OU where the GPO is applied.
6 Right-click the Registry and select New > Registry Item. Complete the following.
Action: Create
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Dell\Dell Data Protection
Value name: Server
Value type: REG_SZ
Value data:
7 Click OK.
8 Log out and then back into the workstation, or run gpupdate /force to apply the group policy.
11 Extract the Child Installers from the Endpoint Security Suite Pro Master Installer
• To install each client individually, extract the child executable files from the installer.
• The master installer is not a master uninstaller. Each client must be uninstalled individually, followed by uninstallation of the master installer. Use this process to extract the clients from the master installer so that they can be used for uninstallation.
1 From the Dell installation media, copy the DDSSuite.
12 Configure Key Server for Uninstallation of Encryption Client Activated Against Security Management Server
• This section explains how to configure components for use with Kerberos Authentication/Authorization when using a Security Management Server. The Security Management Server Virtual does not use the Key Server. The Key Server is a Service that listens for clients to connect on a socket.
4 Restart the Key Server Service (leave the Services panel open for further operation).
5 Navigate to log.txt to verify that the Service started properly.
Key Server Config File - Add User for Security Management Server Communication
1 Navigate to .
2 Open Credant.KeyServer.exe.config with a text editor.
Sample Configuration File
[TCP port the Key Server will listen to. Default is 8050.]
[number of active socket connections the Key Server will allow]
[Security Server (formerly Device Server) URL (the format is 8081/xapi for a pre-v7.
5 In the Account field, add the user that will be performing the administrator activities. The format is DOMAIN\UserName. Click Add Account.
6 Click Users in the left menu. In the search box, search for the username added in Step 5. Click Search.
7 Once the correct user is located, click the Admin tab.
8 Select Forensic Administrator and click Update. The components are now configured for Kerberos Authentication/Authorization.
13 Use the Administrative Download Utility (CMGAd)
• This utility allows the download of a key material bundle for use on a computer that is not connected to a Security Management Server/Security Management Server Virtual.
• This utility uses one of the following methods to download a key bundle, depending on the command line parameter passed to the application:
• Forensic Mode - Used if -f is passed on the command line or if no command line parameter is used.
3 In the Passphrase: field, type a passphrase to protect the download file. The passphrase must be at least eight characters long, and contain at least one alphabetic and one numeric character. Confirm the passphrase. Either accept the default name and location of where the file will be saved to or click ... to select a different location. Click Next. A message displays, indicating that the key material was successfully unlocked. Files are now accessible.
4 Click Finish when complete.
Use the Administrative Download Utility in Admin Mode
The Security Management Server Virtual does not use the Key Server, so Admin mode cannot be used to obtain a key bundle from a Security Management Server Virtual. Use Forensic mode to obtain the key bundle if the client is activated against a Security Management Server Virtual.
1 Open a command prompt where CMGAd is located and type cmgad.exe -a.
2 Enter the following information (some fields may be pre-populated).
Click Next. A message displays, indicating that the key material was successfully unlocked. Files are now accessible.
4 Click Finish when complete.
14 Configure Deferred Activation
The Encryption client with Deferred Activation differs from the Encryption client activation in two ways:
Device-based Encryption policies
The Encryption client policies are user-based; the Encryption client with Deferred Activation's encryption policies are device-based. User encryption is converted to Common encryption.
Prepare the Computer for Installation
If the data is encrypted with a non-Dell encryption product, before installing the Encryption client, decrypt data using the existing encryption software, and then uninstall the existing encryption software. If the computer does not restart automatically, restart the computer.
Create a Windows Password
Dell highly recommends that a Windows password be created (if one does not already exist) to protect access to the encrypted data.
NOTE: Non-domain or personal email addresses cannot be used for activation.
3 Click Close. The Dell Server combines the encryption key bundle with the user's credentials and with the computer's unique ID (machine ID), creating an unbreakable relationship between the key bundle, the specific computer, and the user.
4 Restart the computer to begin the encryption sweep.
NOTE: The Local Management Console, accessible from the system tray icon, shows the policies sent by the Server, not the effective policy.
Log out and log back in with the credentials of the activated account and try to access the files again. In the rare event that the Encryption client cannot authenticate the user, the Activation Logon dialog prompts the user for credentials to authenticate and access encryption keys. To use the automatic re-activation feature, the AutoReactivation and AutoPromptForActivation registry keys must BOTH be enabled. Although the feature is enabled by default, it can be manually disabled.
Decrypt and uninstall the Encryption client while logged in as the second activated user.
Error Message: Server Error
General: An error has occurred on the Server.
Possible Solution: The administrator should check the Server logs to ensure services are running. The user should try to activate later.
Tools
CMGAd
Use the CMGAd utility prior to launching the Encryption Removal Agent to obtain the encryption key bundle.
15 Troubleshooting
All Clients - Troubleshooting
• Endpoint Security Suite Pro master installer log files are located at C:\ProgramData\Dell\Dell Data Protection\Installer.
• Windows creates unique child installer installation log files for the logged in user at %temp%, located at C:\Users\ \AppData\Local\Temp.
• Windows creates log files for client prerequisites, such as Visual C++, for the logged in user at %temp%, located at C:\Users\ \AppData\Local\Temp. For example, C:\Users\
• The Encryption Removal Agent log file is not created until after the Encryption Removal Agent Service runs, which does not happen until the computer is restarted. Once the client is successfully uninstalled and the computer is fully decrypted, the log file is permanently deleted.
• The log file path is C:\ProgramData\Dell\Dell Data Protection\Encryption.
• Create the following registry entry on the computer targeted for decryption.
[HKLM\Software\Credant\DecryptionAgent]
"LogVerbosity"=DWORD:2
0: no
• Encrypted Files - To ensure that all data is decrypted when uninstalling the Encryption client. Follow your existing process for decrypting data, such as issuing a decryption policy update. After decrypting data, but before performing a restart in preparation for uninstall, run WSScan to ensure that all data is decrypted.
• Unencrypted Files - To identify files that are not encrypted, with an indication of whether the files should be encrypted (Y/N).
WSScan Command Line Usage
WSScan [-ta] [-tf] [-tr] [-tc] [drive] [-s] [-o] [-a] [-f] [-r] [u[a][-|v]] [-d] [-q] [-e] [-x] [-y]
Switch | Meaning
Drive | Drive to scan. If not specified, the default is all local fixed hard drives. Can be a mapped network drive.
-tc | Scan CDROMs/DVDROMs
-s | Silent operation
-o | Output file path
-a | Append to output file. The default behavior truncates the output file.
-f | Report format specifier (Report, Fixed, Delimited)
-r | Run WSScan without administrator privileges. Some files may not be visible if this mode is used.
-u | Include unencrypted files in output file. This switch is sensitive to order: "u" must be first, "a" must be second (or omitted), "-" or "v" must be last.
Output | Meaning
WSScan does not report files encrypted using Encrypt for Sharing.
KCID | The Key Computer ID. As shown in the example above, "7vdlxrsb". If you are scanning a mapped network drive, the scanning report does not return a KCID.
UCID | The User ID. As shown in the example above, "_SDENCR_". The UCID is shared by all the users of that computer.
File | The path of the encrypted file. As shown in the example above, "c:\temp\Dell - test.
Prerequisites
• The Windows device you want to work with must be encrypted.
• The user you want to work with must be logged on.
Use the Probing Utility
WSProbe.exe is located in the installation media.
Syntax
wsprobe [path]
wsprobe [-h]
wsprobe [-f path]
wsprobe [-u n] [-x process_names] [-i process_names]
Parameters
Parameter | To
path | Optionally specify a particular path on the device that you want to scan for possible encryption/decryption.
• All files could not be decrypted - The decryption sweep is complete, but all files could not be decrypted. This status means one of the following occurred:
  • The locked files could not be scheduled for decryption because they were too big, or an error occurred while making the request to unlock them.
  • An input/output error occurred while decrypting files.
  • The files could not be decrypted by policy.
  • The files are marked as should be encrypted.
Use Initial Access Code
1 Set a value for the Initial Access Code policy in the Remote Management Console.
2 Save and commit the policy.
3 Start the local computer.
4 Enter the Initial Access Code when the Access Code screen displays.
5 Click the blue arrow.
6 Click OK when the Legal Notice screen displays.
7 Log in to Windows with the user credentials for this computer. These credentials must be part of the domain.
1 Create a file called PBAErr.log at the root level of the USB drive.
2 Insert the USB drive before powering on the computer.
3 Remove the USB drive after reproducing the issue requiring the logs. The PBAErr.log file will be updated and written in real-time.
Dell ControlVault Drivers
Update Dell ControlVault Drivers and Firmware
• Dell ControlVault drivers and firmware that are installed on Dell computers at the factory are outdated and should be updated by following this procedure, in this order.
3 Select Drivers & Downloads.
4 Select the Operating System of the target computer.
5 Expand the Security category.
6 Download and save the Dell ControlVault Drivers.
7 Download and save the Dell ControlVault Firmware.
8 Copy the drivers and firmware to the target computers, if needed.

Install Dell ControlVault Driver
1 Navigate to the folder to which you downloaded the driver installation file.
2 Double-click the Dell ControlVault driver to launch the self-extracting executable file.
TIP: Be sure to install the driver first. The filename of the driver at the time of this document creation is ControlVault_Setup_2MYJC_A37_ZPE.exe.
3 Click Continue to begin.
4 Click Ok to unzip the driver files in the default location of C:\Dell\Drivers\.
5 Click Yes to allow the creation of a new folder.
6 Click Ok when the successfully unzipped message displays.
7 The folder which contains the files should display after extraction. If not, navigate to the folder to which you extracted the files. In this case, the folder is JW22F.
8 Double-click CVHCI64.MSI to launch the driver installer (CVHCI64.MSI is the 64-bit installer used in this example; use the CVHCI installer on a 32-bit computer).
9 Click Next at the Welcome screen.
10 Click Next to install the drivers in the default location of C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\.
11 Select the Complete option and click Next.
12 Click Install to begin the installation of the drivers.
13 Optionally check the box to display the installer log file. Click Finish to exit the wizard.

Verify Driver Installation
• The Device Manager will have a Dell ControlVault device (and other devices) depending on the operating system and hardware configuration.
1 Navigate to the folder to which you downloaded the firmware installation file.
2 Double-click the Dell ControlVault firmware to launch the self-extracting executable file.
3 Click Continue to begin.
4 Click Ok to unzip the firmware files in the default location of C:\Dell\Drivers\.
5 Click Yes to allow the creation of a new folder.
6 Click Ok when the successfully unzipped message displays.
7 The folder which contains the files should display after extraction. If not, navigate to the folder to which you extracted the files. Select the firmware folder.
8 Double-click ushupgrade.exe to launch the firmware installer.
9 Click Start to begin the firmware upgrade.
IMPORTANT: You may be asked to enter the admin password if upgrading from an older version of firmware. Enter Broadcom as the password and press Enter if presented with this dialog. Several status messages display.
10 Click Restart to complete the firmware upgrade.
The update of the Dell ControlVault drivers and firmware is complete.
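The steps above are performed through GUI wizards, which leave no record of what was actually run. The following PowerShell script is an added example, not part of the Dell guide or of the ControlVault packages: it verifies the Authenticode signature of the downloaded installers before they are executed, then confirms after installation that a Dell ControlVault device is present in Device Manager and reports the installed driver version. The staging folder C:\Dell\Downloads is an assumption; the cmdlets used (Get-AuthenticodeSignature, Get-PnpDevice, Get-CimInstance) are standard on Windows 8 / Windows Server 2012 and later.

```powershell
# Added example (not from the Dell guide): pre-flight and post-install checks for
# the ControlVault driver/firmware procedure. Assumes the downloaded
# ControlVault_Setup_*.exe packages were saved to C:\Dell\Downloads (assumed path).
$downloads = 'C:\Dell\Downloads'

# 1. Before running anything, check that each downloaded package carries a valid
#    Authenticode signature and note who signed it. A Status other than 'Valid'
#    (NotSigned, HashMismatch, UnknownError) means the file should not be executed.
function Test-InstallerSignatures {
    param([string]$Folder)
    Get-ChildItem -Path $Folder -Filter '*.exe' -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.Name
            Status = $sig.Status                          # expect 'Valid'
            Signer = $sig.SignerCertificate.Subject       # expect a Dell Inc. subject
            Valid  = ($sig.Status -eq 'Valid')
        }
    }
}

# 2. After the driver and firmware installs, confirm the ControlVault device is
#    present and not in an error state (Status should be 'OK').
function Get-ControlVaultDevice {
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.FriendlyName -like '*ControlVault*' } |
        Select-Object FriendlyName, Status, Class, InstanceId
}

# 3. Report the installed driver version so it can be compared with the version
#    of the package that was downloaded (the driver installs under the Broadcom
#    USH host component path named in step 10 above).
function Get-ControlVaultDriverVersion {
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -like '*ControlVault*' -or $_.DeviceName -like '*Broadcom USH*' } |
        Select-Object DeviceName, DriverVersion, DriverDate, DriverProviderName
}

$sigs = Test-InstallerSignatures -Folder $downloads
$sigs | Format-Table -AutoSize
if ($sigs | Where-Object { -not $_.Valid }) {
    Write-Warning 'One or more installers failed signature validation; do not run them.'
}

$device = Get-ControlVaultDevice
if (-not $device) {
    Write-Warning 'No Dell ControlVault device found in Device Manager; re-check the driver install.'
} else {
    $device | Format-Table -AutoSize
    Get-ControlVaultDriverVersion | Format-Table -AutoSize
}
```

Run the signature check from an elevated prompt before step 2 of "Install Dell ControlVault Driver", and the device and version checks after step 10 of the firmware upgrade; a device shown with Status "Error" or a missing Broadcom USH entry indicates the driver did not bind and the procedure should be repeated in the documented order (driver first, then firmware).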
UEFI Computers
Troubleshoot Network Connection
• In order for preboot authentication to succeed on a computer with UEFI firmware, the PBA mode must have network connectivity. By default, computers with UEFI firmware do not have network connectivity until the operating system is loaded, which occurs after PBA mode.
Constant  Value  Description
TPM_E_FAIL  0x80280009  The operation failed.
TPM_E_BAD_ORDINAL  0x8028000A  The ordinal was unknown or inconsistent.
TPM_E_INSTALL_DISABLED  0x8028000B  The ability to install an owner is disabled.
TPM_E_INVALID_KEYHANDLE  0x8028000C  The key handle cannot be interpreted.
TPM_E_KEYNOTFOUND  0x8028000D  The key handle points to an invalid key.
TPM_E_INAPPROPRIATE_ENC  0x8028000E  Unacceptable encryption scheme.
TPM_E_MIGRATEFAIL  -  Migration authorization failed.
TPM_E_WRONGPCRVAL  0x80280018  The named PCR value does not match the current PCR value.
TPM_E_BAD_PARAM_SIZE  0x80280019  The paramSize argument to the command has the incorrect value.
TPM_E_SHA_THREAD  0x8028001A  There is no existing SHA-1 thread.
TPM_E_SHA_ERROR  0x8028001B  The calculation is unable to proceed because the existing SHA-1 thread has already encountered an error.
TPM_E_FAILEDSELFTEST  0x8028001C
TPM_E_AUTH2FAIL  0x8028001D
TPM_E_BADTAG  -
TPM_E_INVALID_POSTINIT  0x80280026  The command was received in the wrong sequence relative to TPM_Init and a subsequent TPM_Startup.
TPM_E_INAPPROPRIATE_SIG  0x80280027  Signed data cannot include additional DER information.
TPM_E_BAD_KEY_PROPERTY  0x80280028  The key properties in TPM_KEY_PARMs are not supported by this TPM.
TPM_E_BAD_MIGRATION  -  The migration properties of this key are incorrect.
TPM_E_INVALID_RESOURCE  0x80280035  When saving context, the identified resource type does not match the actual resource.
TPM_E_NOTFIPS  0x80280036  The TPM is attempting to execute a command only available when in FIPS mode.
TPM_E_INVALID_FAMILY  0x80280037  The command is attempting to use an invalid family ID.
TPM_E_NO_NV_PERMISSION  0x80280038  The permission to manipulate the NV storage is not available.
TPM_E_REQUIRES_SIGN  -  The operation requires a signed command.
TPM_E_KEY_OWNER_CONTROL  0x80280044  The key is under control of the TPM Owner and can only be evicted by the TPM Owner.
TPM_E_BAD_COUNTER  0x80280045  The counter handle is incorrect.
TPM_E_NOT_FULLWRITE  0x80280046  The write is not a complete write of the area.
TPM_E_CONTEXT_GAP  0x80280047  The gap between saved context counts is too large.
TPM_E_MAXNVWRITES  0x80280048  The maximum number of NV writes without an owner has been exceeded.
TPM_E_NOOPERATOR  -
TPM_E_DAA_ISSUER_SETTINGS  0x80280053  The consistency check on DAA_issuerSettings has failed.
TPM_E_DAA_TPM_SETTINGS  0x80280054  The consistency check on DAA_tpmSpecific has failed.
TPM_E_DAA_STAGE  0x80280055  The atomic process indicated by the submitted DAA command is not the expected process.
TPM_E_DAA_ISSUER_VALIDITY  0x80280056  The issuer's validity check has detected an inconsistency.
TPM_E_DAA_WRONG_W  -  The consistency check on w has failed.
TPM_E_NOCONTEXTSPACE  0x80280063  There is no room in the context list for additional contexts.
TPM_E_COMMAND_BLOCKED  0x80280400  The command was blocked.
TPM_E_INVALID_HANDLE  0x80280401  The specified handle was not found.
TPM_E_DUPLICATE_VHANDLE  0x80280402  The TPM returned a duplicate handle and the command needs to be resubmitted.
TPM_E_EMBEDDED_COMMAND_BLOCKED  -  The command within the transport was blocked.
TBS_E_IOERROR  0x80284006  An error occurred while communicating with the TPM.
TBS_E_INVALID_CONTEXT_PARAM  0x80284007  One or more context parameters is invalid.
TBS_E_SERVICE_NOT_RUNNING  0x80284008  The TBS service is not running and could not be started.
TBS_E_TOO_MANY_TBS_CONTEXTS  0x80284009  A new context could not be created because there are too many open contexts.
TBS_E_TOO_MANY_RESOURCES  0x8028400A
TBS_E_SERVICE_START_PENDING  -
(constant cut off)  -  ...indicated by the value returned in the Additional Information), or enabling the TPM in the system BIOS.)
TBS_E_PPI_FUNCTION_UNSUPPORTED  0x80284014  The Physical Presence Interface of this firmware does not support the requested method.
TBS_E_OWNERAUTH_NOT_FOUND  0x80284015  The requested TPM OwnerAuth value was not found.
TBS_E_PROVISIONING_INCOMPLETE  0x80284016  The TPM provisioning did not complete.
TPMAPI_E_INVALID_STATE  -
TPMAPI_E_TBS_COMMUNICATION_ERROR  0x8029010B  An error occurred while communicating with the TBS.
TPMAPI_E_TPM_COMMAND_ERROR  0x8029010C  The TPM returned an unexpected result.
TPMAPI_E_MESSAGE_TOO_LARGE  0x8029010D  The message was too large for the encoding scheme.
TPMAPI_E_INVALID_ENCODING  0x8029010E  The encoding in the blob was not recognized.
TPMAPI_E_INVALID_KEY_SIZE  0x8029010F  The key size is not valid.
TPMAPI_E_ENCRYPTION_FAILED  -  The encryption operation failed.
TPMAPI_E_EMPTY_TCG_LOG  0x8029011A  The TCG Event Log does not contain any data.
TPMAPI_E_INVALID_TCG_LOG_ENTRY  0x8029011B  An entry in the TCG Event Log was invalid.
TPMAPI_E_TCG_SEPARATOR_ABSENT  0x8029011C  A TCG Separator was not found.
TPMAPI_E_TCG_INVALID_DIGEST_ENTRY  0x8029011D  A digest value in a TCG Log entry did not match hashed data.
TPMAPI_E_POLICY_DENIES_OPERATION  0x8029011E  The requested operation was blocked by current TPM policy.
TBSIMP_E_BUFFER_TOO_SMALL  -
TBSIMP_E_SCHEDULER_NOT_RUNNING  0x8029020A  The TBS scheduler is not running.
TBSIMP_E_COMMAND_CANCELED  0x8029020B  The command was canceled.
TBSIMP_E_OUT_OF_MEMORY  0x8029020C  There was not enough memory to fulfill the request.
TBSIMP_E_LIST_NO_MORE_ITEMS  0x8029020D  The specified list is empty, or the iteration has reached the end of the list.
TBSIMP_E_LIST_NOT_FOUND  -  The specified item was not found in the list.
TBSIMP_E_PPI_NOT_SUPPORTED  0x80290219  The physical presence interface is not supported.
TBSIMP_E_TPM_INCOMPATIBLE  0x8029021A  TBS is not compatible with the version of TPM found on the system.
TBSIMP_E_NO_EVENT_LOG  0x8029021B  No TCG event log is available.
TPM_E_PPI_ACPI_FAILURE  0x80290300  A general error was detected when attempting to acquire the BIOS's response to a Physical Presence command.
TPM_E_PPI_USER_ABORT  -  The user failed to confirm the TPM operation request.
TPM_E_PCP_INTERNAL_ERROR  0x80290407  An unexpected internal error has occurred in the Platform Crypto Provider.
TPM_E_PCP_AUTHENTICATION_FAILED  0x80290408  The authorization to use a provider object has failed.
TPM_E_PCP_AUTHENTICATION_IGNORED  0x80290409  The Platform Crypto Device has ignored the authorization for the provider object, to mitigate against a dictionary attack.
TPM_E_PCP_POLICY_NOT_FOUND  -  The referenced policy was not found.
PLA_E_DCS_NOT_RUNNING  0x80300104  Data Collector Set is not running.
PLA_E_CONFLICT_INCL_EXCL_API  0x80300105  A conflict was detected in the list of include/exclude APIs. Do not specify the same API in both the include list and the exclude list.
PLA_E_NETWORK_EXE_NOT_VALID  0x80300106  The executable path you have specified refers to a network share or UNC path.
PLA_E_EXE_ALREADY_CONFIGURED  0x80300107
PLA_E_EXE_PATH_NOT_VALID  0x80300108
PLA_E_DC_ALREADY_EXISTS  -
PLA_E_CABAPI_FAILURE  0x80300113  An error occurred while attempting to compress or extract the data.
FVE_E_LOCKED_VOLUME  0x80310000  This drive is locked by BitLocker Drive Encryption. You must unlock this drive from Control Panel.
FVE_E_NOT_ENCRYPTED  -  The drive is not encrypted.
FVE_E_AD_NO_VALUES  0x8031000D  The attribute read from Active Directory does not contain any values. The BitLocker recovery information may be missing or corrupted.
FVE_E_AD_ATTR_NOT_SET  0x8031000E  The attribute was not set.
FVE_E_AD_GUID_NOT_FOUND  0x8031000F
FVE_E_BAD_INFORMATION  0x80310010
FVE_E_TOO_SMALL  0x80310011
FVE_E_SYSTEM_VOLUME  0x80310012
FVE_E_FAILED_WRONG_FS  0x80310013
FVE_E_BAD_PARTITION_SIZE  -
FVE_E_CONV_WRITE  0x8031001C  A write operation failed while converting the drive. The drive was not converted. Please re-enable BitLocker.
FVE_E_KEY_REQUIRED  0x8031001D
FVE_E_CLUSTERING_NOT_SUPPORTED  0x8031001E
FVE_E_VOLUME_BOUND_ALREADY  0x8031001F
FVE_E_OS_NOT_PROTECTED  0x80310020
FVE_E_PROTECTION_DISABLED  0x80310021
FVE_E_RECOVERY_KEY_REQUIRED  0x80310022
FVE_E_FOREIGN_VOLUME  0x80310023
FVE_E_OVERLAPPED_UPDATE  0x80310024
FVE_E_TPM_SRK_AUTH_NOT_ZERO  -
FVE_E_WRONG_BOOTSECTOR  -  The system partition boot sector does not perform TPM measurements. Use the Bootrec.exe tool in the Windows Recovery Environment to update or repair the boot sector.
(constant cut off)  -  ...a data recovery agent. Check your Group Policy settings configuration.
FVE_E_NOT_DECRYPTED  0x80310039  The drive must be fully decrypted to complete this operation.
FVE_E_INVALID_PROTECTOR_TYPE  0x8031003A  The key protector specified cannot be used for this operation.
FVE_E_NO_PROTECTORS_TO_TEST  -  No key protectors exist on the drive to perform the hardware test.
FVE_E_AUTH_INVALID_CONFIG  0x80310045  The Boot Configuration Data (BCD) settings have changed since BitLocker Drive Encryption was enabled.
FVE_E_FIPS_DISABLE_PROTECTION_NOT_ALLOWED  0x80310046  The Group Policy setting requiring FIPS compliance prohibits the use of unencrypted keys, which prevents BitLocker from being suspended on this drive.
FVE_E_FS_NOT_EXTENDED  0x80310047
FVE_E_FIRMWARE_TYPE_NOT_SUPPORTED  0x80310048
FVE_E_NO_LICENSE  0x80310049
FVE_E_NOT_ON_STACK  -
FVE_E_NOT_ALLOWED_IN_VERSION  0x80310053  BitLocker Drive Encryption can only be used for limited provisioning or recovery purposes when the computer is running in preinstallation or recovery environments.
FVE_E_NO_AUTOUNLOCK_MASTER_KEY  0x80310054  The auto-unlock master key was not available from the operating system drive.
FVE_E_MOR_FAILED  0x80310055  The system firmware failed to enable clearing of system memory when the computer was restarted.
FVE_E_HIDDEN_VOLUME  -
FVE_E_POLICY_STARTUP_KEY_NOT_ALLOWED  0x80310062  Group policy settings do not permit the use of a startup key. Please choose a different BitLocker startup option.
FVE_E_POLICY_STARTUP_KEY_REQUIRED  0x80310063  Group policy settings require the use of a startup key. Please choose this BitLocker startup option.
FVE_E_POLICY_STARTUP_PIN_KEY_NOT_ALLOWED  0x80310064  Group policy settings do not permit the use of a startup key and PIN.
FVE_E_DV_NOT_ALLOWED_BY_GP  -  The selected discovery drive type is not allowed by the computer's Group Policy settings. Verify that Group Policy settings allow the creation of discovery drives for use with BitLocker To Go.
(constant cut off)  0x80310084  ...to automatically unlock removable data drives when user recovery options are disabled. If you want BitLocker-protected removable data drives to be automatically unlocked after key validation has occurred, please ask your system administrator to resolve the settings conflict before enabling BitLocker.
FVE_E_NON_BITLOCKER_OID  -  The Enhanced Key Usage (EKU) attribute of the specified certificate does not permit it to be used for BitLocker Drive Encryption.
FVE_E_NON_BITLOCKER_KU  -  The Key Usage (KU) attribute of the specified certificate does not permit it to be used for BitLocker Drive Encryption. BitLocker does not require that a certificate have a KU attribute, but if one is configured it must be set to either Key Encipherment or Key Agreement.
FVE_E_PROTECTOR_CHANGE_PIN_MISMATCH  0x803100A1  Please enter the correct current PIN.
FVE_E_PROTECTOR_CHANGE_BY_STD_USER_DISALLOWED  0x803100A2  You must be logged on with an administrator account to change the PIN or password. Click the link to reset the PIN or password as an administrator.
FVE_E_PROTECTOR_CHANGE_MAX_PIN_CHANGE_ATTEMPTS_REACHED  0x803100A3
FVE_E_POLICY_PASSPHRASE_REQUIRES_ASCII  0x803100A4
FVE_E_EDRIVE_BAND_IN_USE  0x803100B0  The drive cannot be managed by BitLocker because the drive's hardware encryption feature is already in use.
FVE_E_EDRIVE_DISALLOWED_BY_GP  0x803100B1  Group Policy settings do not allow the use of hardware-based encryption.
FVE_E_EDRIVE_INCOMPATIBLE_VOLUME  -  The drive specified does not support hardware-based encryption.
FVE_E_POLICY_INVALID_ENHANCED_BCD_SETTINGS  -  BitLocker Drive Encryption cannot be applied to this drive because the Group Policy setting for Enhanced Boot Configuration Data contains invalid data. Please have your system administrator resolve this invalid configuration before attempting to enable BitLocker.
FVE_E_INVALID_PIN_CHARS_DETAILED  0x803100CC  Your PIN can only contain numbers from 0 to 9.
FVE_E_DEVICE_LOCKOUT_COUNTER_UNAVAILABLE  0x803100CD  BitLocker cannot use hardware replay protection because no counter is available on your PC.
FVE_E_DEVICELOCKOUT_COUNTER_MISMATCH  0x803100CE  Device Lockout state validation failed due to counter mismatch.
FVE_E_BUFFER_TOO_LARGE  -  The input buffer is too large.
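The codes in the table above are Windows HRESULTs, and the ranges are not arbitrary: the facility field in bits 16-26 selects the subsystem (0x028 for TPM services, which covers both the TPM_E_* codes and the TBS_E_* codes from 0x...4000 upward; 0x029 for the TPM software stack, covering TPMAPI_E_*, TBSIMP_E_*, TPM_E_PPI_* and TPM_E_PCP_*; 0x030 for PLA; 0x031 for BitLocker), and for the TPM 1.2 codes the low word is the raw return code the chip emitted. Logs and .NET exceptions frequently print these as signed decimals (0x80280009 appears as -2144862199), so a decoder is the practical way to get from a log line back to this table. The function below is an added example, not part of the Dell guide: it normalises either form, splits out severity, facility and code, names the family using the facility numbers from winerror.h, and asks Windows for the message text through Marshal.GetExceptionForHR, which covers codes this table omits.

```powershell
# Added example (not from the Dell guide): decode an HRESULT from the table above.
# Accepts the hex form seen in logs ("0x80280009") or the signed decimal form that
# .NET and PowerShell show (-2144862199). Facility numbers are those in winerror.h.
function Resolve-SecurityHResult {
    param([Parameter(Mandatory)][string]$Code)

    # Normalise to an unsigned 32-bit value without overflow on negative input.
    if ($Code -match '^0[xX]') {
        $hr = [uint32]::Parse($Code.Substring(2), 'HexNumber')
    } else {
        $hr = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$Code), 0)
    }

    $severity = [int](($hr -shr 31) -band 1)      # 1 = failure (all codes in the table)
    $facility = [int](($hr -shr 16) -band 0x7FF)  # subsystem that defined the code
    $codePart = [int]($hr -band 0xFFFF)           # subsystem-specific error number

    $families = @{
        0x28 = 'TPM services (TPM_E_* below code 0x4000; TBS_E_* from 0x4001)'
        0x29 = 'TPM software (TPMAPI_E_* 0x01xx, TBSIMP_E_* 0x02xx, TPM_E_PPI_* 0x03xx, TPM_E_PCP_* 0x04xx)'
        0x30 = 'Performance Logs and Alerts (PLA_E_*)'
        0x31 = 'BitLocker Drive Encryption (FVE_E_*)'
    }
    $family = if ($families.ContainsKey($facility)) { $families[$facility] } else { 'other facility' }

    # TPM 1.2 return codes are mapped 1:1 into facility 0x28 below 0x400, so the low
    # word is what the chip itself returned: 0x80280009 TPM_E_FAIL is TPM_FAIL (9).
    $tpmReturnCode = if ($facility -eq 0x28 -and $codePart -lt 0x400) { $codePart } else { $null }

    # Message text from the OS message tables (FormatMessage under the hood); for a
    # code Windows does not know this reads "Exception from HRESULT: 0x...".
    $signed  = [BitConverter]::ToInt32([BitConverter]::GetBytes($hr), 0)
    $ex      = [System.Runtime.InteropServices.Marshal]::GetExceptionForHR($signed)
    $message = if ($ex) { $ex.Message } else { $null }

    [pscustomobject]@{
        HResult       = ('0x{0:X8}' -f $hr)
        SignedDecimal = $signed
        IsFailure     = [bool]$severity
        Facility      = ('0x{0:X3}' -f $facility)
        Family        = $family
        Code          = ('0x{0:X4}' -f $codePart)
        TpmReturnCode = $tpmReturnCode
        Message       = $message
    }
}

# Usage against codes from the table (the decimal form is the same TPM_E_FAIL):
Resolve-SecurityHResult '0x80280009'
Resolve-SecurityHResult '-2144862199'
Resolve-SecurityHResult '0x80284006'   # TBS_E_IOERROR: same facility, code above 0x4000
Resolve-SecurityHResult '0x80310000'   # FVE_E_LOCKED_VOLUME
```

When a preboot authentication or encryption failure is being triaged, decode the code first: a facility 0x028 code below 0x400 means the TPM chip itself rejected the operation (and the TpmReturnCode field is what to search in the TPM 1.2 specification), a TBS_E_* or TBSIMP_E_* code points at the Windows TPM service rather than the hardware, and an FVE_E_* code is a BitLocker policy or volume state problem that the table's Group Policy references describe.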
16 Glossary
Activate - Activation occurs when the computer has been registered with the Security Management Server/Security Management Server Virtual and has received at least an initial set of policies.
Active Directory (AD) - A directory service created by Microsoft for Windows domain networks.
Advanced Authentication - The Advanced Authentication product supports login with self-encrypting drives, SSO, and manages user credentials and passwords.
the device where they were created. The User Roaming key makes files accessible only to the user who created them, on any Shielded Windows (or Mac) device.
Encryption Sweep - An encryption sweep is the process of scanning the folders to be encrypted on a managed endpoint to ensure the contained files are in the proper encryption state. Ordinary file creation and rename operations do not trigger an encryption sweep.
User Encryption – The User key makes files accessible only to the user who created them, only on the device where they were created. When running Dell Server Encryption, User Encryption is converted to Common Encryption. One exception is made for external media devices; when inserted into a server with Encryption installed, files are encrypted with the User Roaming key.