Dell Encryption Personal Installation Guide v11.1 August 2021 Rev.
Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2012-2021 Dell Inc. All rights reserved.
Contents
Chapter 1: Overview
    Encryption Personal
    Advanced Authentication
Chapter 9: Data Security Uninstaller
Chapter 10: Policies and Template Descriptions
    Policies
    Template Descriptions
1 Overview This guide assumes that Advanced Authentication is installed with Encryption Personal. Encryption Personal The purpose of Encryption Personal is to protect data on your computer, even if the computer is lost or stolen. To ensure the security of your confidential data, Encryption Personal encrypts data on your Windows computer. You can always access the data when logged into the computer, but unauthorized users do not have access to this protected data.
2 Requirements These requirements detail everything needed for Encryption Personal installation. Encryption ● Encryption Personal requires an entitlement to successfully install. The entitlement is supplied when you purchase Encryption Personal. Depending on how you purchase Encryption Personal, you may manually install the entitlement, using the simple instructions that accompany it. You may also enter the entitlement at the command line.
If your organization uses an unlisted antivirus provider, or if any compatibility issues are seen, see KB article 126046 or contact Dell ProSupport for assistance validating configuration for interoperation between your software solutions and Dell Data Security solutions.
● Operating system re-install is not supported.
Optional Embedded Hardware
○ TPM 1.2 or 2.0
Operating Systems
● The following table details supported operating systems.
Windows Operating Systems (32- and 64-bit)
○ Windows 7 SP1: Enterprise, Professional, Ultimate
○ Windows Embedded Standard 7 with Application Compatibility template
○ Windows 8.1: Enterprise, Pro
○ Windows Embedded 8.
Language Support ○ EN - English ○ JA - Japanese ○ ES - Spanish ○ KO - Korean ○ FR - French ○ PT-BR - Portuguese, Brazilian ○ IT - Italian ○ PT-PT - Portuguese, Portugal (Iberian) ○ DE - German SED Management ● IPv6 is not supported. ● Be prepared to shut down and restart the computer after you apply policies and are ready to begin enforcing them. ● Computers equipped with self-encrypting drives cannot be used with HCA cards. Incompatibilities exist that prevent the provisioning of the HCA.
■ RAID ON is not supported because access to read and write RAID-related data (at a sector that is not available on a locked non-NVMe drive) is not accessible at start-up, and cannot wait to read this data until after the user is logged on.
■ The operating system will crash when switched from RAID ON > AHCI if the AHCI controller drivers are not preinstalled. For instructions on how to switch from RAID > AHCI (or vice versa), see KB article 124714.
Windows Operating Systems (32- and 64-bit) ○ Windows 7 SP0-SP1: Enterprise, Professional, Ultimate (supported with Legacy Boot mode but not UEFI) NOTE: NVMe self-encrypting drives are not supported with Windows 7. ○ Windows 8.1: Enterprise, Pro ○ Windows 10: Education, Enterprise, Pro v1803-v21H1 (April 2018 Update/Redstone 4 - May 2021 Update/21H1) Note: Windows 10 v2004 (May 2020 Update/20H1) does not support 32-bit architecture. For more information, see https://docs.microsoft.
3 Download the Software This section details obtaining the software from dell.com/support. If you already have the software, you can skip this section. Go to dell.com/support to begin. 1. On the Dell Support webpage, select Browse all products. 2. Select Security from the list of products. 3. Select Dell Data Security. After this selection has been made once, the website remembers.
4. Select the Dell product. Examples: Dell Encryption Enterprise Dell Endpoint Security Suite Enterprise 5. Select Drivers & downloads. 6. Select the desired client operating system type. 7. Select Dell Encryption in the matches. This is only an example, so it will likely look slightly different. For example, there may not be four files to choose from. 8. Select Download . Proceed to Install Encryption Personal.
4 Installation
You can install Encryption Personal using the master installer (recommended), or by extracting the child installers from the master installer. Either way, Encryption Personal can be installed by user interface, command line or scripts, and using any push technology available to your organization. Users should see the following help files for application assistance:
NOTE: If Policy-Based Encryption is installed before the Encryption Management Agent, a computer crash may occur.
2. Copy DDSSetup.exe to the local computer. 3. Double-click DDSSetup.exe to launch the installer. 4. A dialog displays that alerts you to the status of installing prerequisites. It takes a few minutes. 5. Click Next at the Welcome screen. 6. Read the license agreement, agree to the terms, and click Next. 7. Click Next to install Encryption Personal in the default location of C:\Program Files\Dell\Dell Data Protection\. 8. Authentication is installed by default and cannot be deselected.
A status window displays. This takes several minutes. 10. Select Yes, I want to restart my computer now and click Finish.
11. Once the computer restarts, authenticate to Windows. Installation of Encryption Personal and Advanced Authentication is complete. Encryption Personal Setup Wizard and Configuration is covered separately. Once the Encryption Personal Setup Wizard and Configuration is complete, launch the Encryption Personal Administrator Console. The rest of this section details more installation tasks and may be skipped. Proceed to Advanced Authentication and Encryption Personal Setup Wizards.
Parameters
FEATURE=PE
ENTITLEMENT=1:PE:{Encryption Personal Entitlement key here}
NOTE: This parameter can only be used with Encryption Personal
● Example Command-Line Installation
The reboot has been suppressed in the command line examples. However, an eventual reboot is required. Policy Based Encryption cannot begin until the computer has rebooted. Be sure to enclose a value that contains one or more special characters, such as a blank space, in escaped quotation marks. Command lines are case-sensitive.
5 Advanced Authentication and Encryption Personal Setup Wizards Log on with your Windows user name and password. You are seamlessly passed through to Windows. The interface may look different than you are accustomed to seeing. 1. You may be prompted by UAC to run the application. If so, click Yes. 2. After the initial installation reboot, the Advanced Authentication activation wizard displays. Click Next. 3. Type and re-enter a new Encryption Administrator Password (EAP). Click Next.
5. Click Apply to begin Advanced Authentication activation. After the Advanced Authentication activation wizard is finished, proceed to the next step. 6. Launch the Encryption Personal setup wizard from the Dell Encryption icon in the notification area (it may launch on its own). This Setup Wizard helps you use encryption to protect the information on this computer. If this wizard is not completed, encryption cannot begin. Read the Welcome screen and click Next.
7. Select a policy template. The policy template establishes the default policy settings for encryption. You can easily apply a different policy template or customize the selected template in the Local Management Console once initial configuration is complete. Click Next.
8. Read and acknowledge the Windows password warning. If you wish to create a Windows password now, see Requirements.
9. Create an 8-127 character Encryption Administrator Password (EAP) and confirm.
10. Click Browse to choose a network drive or removable storage to back up your encryption keys (which are wrapped in an application named LSARecovery_[hostname].exe). In the event of certain computer failures, these keys are used to recover your data. In addition, future policy changes sometimes require that your encryption keys get backed up again. If the network drive or removable storage is available, backing up of your encryption keys is done in the background.
11. On the Confirm Encryption Settings screen, a list of Encryption Settings displays. Review the items and, when satisfied with the settings, click Confirm. Configuration of the computer begins. A status bar informs you of the progress of configuration.
12. Click Finish to complete the configuration.
13. A reboot is required once the computer is configured for encryption. Click Reboot Now, or postpone the reboot 5 times for 20 minutes each.
14. Once the computer is rebooted, open the Local Management Console from the Start menu to see the status of encryption.
Encryption takes place in the background. The Local Management Console can be opened or closed. Either way, encryption of files progresses. You can continue to use your computer as usual while it is encrypting. 15. When the scan is complete, the computer reboots once more. Once all encryption sweeps and reboots are complete, you can verify compliance status by launching the Local Management Console. The drive is labeled as "In Compliance".
6 Configure Console Settings Default settings allow administrators and users to use advanced authentication immediately after activation, without additional configuration. Users are automatically added as advanced authentication users when they log on to the computer with their Windows passwords but, by default, multi-factor Windows authentication is not enabled. To configure advanced authentication features, you must be an administrator on the computer.
6. Enter the password a second time to confirm it, then click Apply. 7. To change the location where the recovery key is stored, in the left pane, select Change Backup Location. 8. Select a new location for the backup, and click Apply. The backup file must be saved either on a network drive or onto removable media. The backup file contains the keys that are needed to recover data on this computer. Dell ProSupport must have access to this file to help you recover data.
Configure Pre-Boot Authentication PBA is available if your computer is equipped with an SED. PBA is configured through the Encryption tab. When Dell Encryption takes ownership of the SED, PBA is enabled. To enable SED management: 1. In the Data Security Console, click the Administrator Settings tile. 2. Ensure that the backup location is accessible from the computer.
6. In the Pre-boot Customization page, enter customized text to display on the Pre-boot Authentication (PBA) screen, and click Next. Pre-boot Title Text This text displays on the top of the PBA screen. If you leave this field blank, no title will be displayed. The text does not wrap, so entering more than 17 characters may result in the text being cut off. Support Information Text Text to display on the PBA support information screen.
7. At the Summary page, click Apply. 8. When prompted, click Shutdown. A full shutdown is required before encryption can begin. 9. After shutdown, restart the computer. Authentication is now managed by the Encryption Management Agent. Users must log in at the PBA screen with their Windows passwords.
● Disable SED management, for example for uninstallation - Click Decrypt. After you first enable SED management and configure Pre-boot Policy and Customization, the following actions are available from the Pre-boot Settings tab: ● Change Pre-boot Policy or Customization - Click the Pre-boot Settings tab and select either Pre-boot Customization or Pre-boot Logon Policies.
7 Uninstall the Master Installer ● Each component must be uninstalled separately, followed by uninstallation of the master installer. The clients must be uninstalled in a specific order to prevent uninstallation failures. ● Follow the instructions in Extract the Child Installers from the Master Installer to obtain child installers. ● Ensure that the same version of master installer (and thereby clients) is used for uninstallation as installation.
8 Uninstall Using the Child Installers ● Dell recommends using the Data Security Uninstaller to remove Encryption Personal. ● The user performing decryption and uninstallation must be a local or domain administrator. If uninstalling by command line, domain administrator credentials are required.
● Do not install Encryption Removal Agent This option uninstalls the Encryption client but does not decrypt files. This option should be used only for troubleshooting purposes, as directed by Dell ProSupport. Click Next. 5. In Backup File, enter the path to the network drive or removable media location of the backup file or click ... to browse to the location. The format of the file is LSARecovery_[hostname].exe. Enter your Encryption Administrator Password.
Option    Meaning
/qb!-     Progress dialog without Cancel button, restarts itself after process completion
/qn       No user interface
● Once extracted from the master installer, the Encryption client installer can be located at C:\extracted\Encryption\DDPE_XXbit_setup.exe.
● The following table details the parameters available for the uninstallation.
Client Security Framework is uninstalled.
Uninstall from the Command-Line
● Once extracted from the master installer, the Encryption Management Agent installer can be located at C:\extracted\Encryption Management Agent\EMAgent_XXbit_setup.exe.
● The following example silently uninstalls SED management.
EMAgent_XXbit_setup.exe /x /s /v" /qn"
Shut down and restart the computer when finished.
9 Data Security Uninstaller Uninstall Encryption Personal Dell provides the Data Security Uninstaller as a master uninstaller. This utility gathers the currently installed products and removes them in the appropriate order. This Data Security Uninstaller is available in: C:\Program Files (x86)\Dell\Dell Data Protection For more information or to use command line interface (CLI), see KB article 125052. Logs are generated in C:\ProgramData\Dell\Dell Data Protection\ for all of the components that are removed.
Optionally clear any application from removal and click Next. Required dependencies are automatically selected or cleared.
To remove applications without installing the Encryption Removal Agent, choose Do not install Encryption Removal Agent and select Next.
Select Encryption Removal Agent - Import Keys from a File then select Next. Browse to the location of the recovery keys and then enter the Passphrase for the file and click Next. Select Remove to begin the uninstall.
Click Finish to complete removal and reboot the computer. Reboot machine after clicking finished is selected by default. Uninstallation and removal is complete.
10 Policies and Template Descriptions Tooltips display when you hover your mouse over a policy in the Local Management Console.
Policy table columns: Policy; Aggressive Protection for All Fixed Drives and External Drives; PCI Regulation; Data Breach Regulation; HIPAA Regulation; Basic Protection for All Fixed Drives and Ext Drives (Default); Basic Protection for All Fixed Drives; Basic Protection for System Drive Only; Basic Protection for External Drives; Encryption Disabled; Description.

Description: value means that no encryption takes place, regardless of other policy values. A True value means that all encryption policies are enabled.

Policy: Application Data Encryption List
winword.exe excel.exe powerpnt.exe msaccess.exe winproj.exe outlook.exe acrobat.exe visio.exe mspub.exe notepad.exe wordpad.exe winzip.exe winrar.exe onenote.exe onenotem.

Policy: Application Data Encryption Key
Template value: Common
Description: Common or User
Choose a key to indicate who can access files encrypted by Application Data Encryption List, an

Description: CSIDL_INTERNET_CACHE for initial encryption, as well as updates to this policy. This policy is applicable when using Microsoft Internet Explorer only.

Policy: Secure Post-Encryption Cleanup
Template values (in page order): Three Pass Overwrite; Single Pass Overwrite; No Overwrite
Description: No Overwrite, Single-pass Overwrite, Three-pass Overwrite, Sev

Policy: Prevent Unsecured Hibernation
Template values (in page order): True; False; True; False
Description: When enabled, the client does not allow computer hibernation i
Policy: Workstation Scan Priority
Template value: High

Description:
• Encrypt Temporary Files (\Documents and Settings\username\Local Settings\Temp only)
• Encrypt Temporary Internet Files
• Encrypt User Profile Documents

Description: If this policy is False, no HCA encryption takes place, regardless of other policy values.

Policy: Port Control System
Template value: Disabled
Description: Enable or Disable all Port Control System policies.

Description: Read Only: Allows read capability.

Description: ECMA-167 and is an open vendor-neutral file system for computer data storage for a broad range of media. This policy has interactions with PCS.

Description: Read Only: Allows read capability. Write data is disabled. Blocked: Port is blocked from read/write capability.

Policy: EMS Access to unShielded Media
Template values (in page order): Block; Read only; Full Access; Read only; Full Access
Description: Block, Read Only, Full Access
This policy has interactions with PC

Description: removable media without authenticating can be caught.

Description: USBSTOR\DISK&VEN_SEAGATE&PROD_USB&REV_0409\2HC015KJ&0
Specify the following in the EMS Device Whitelist policy: VEN=Vendor (Ex: USBSTOR\DISK&VEN_SEAG

Policy: EMS Number of Characters.

Description: A total of 2048 characters are allowed. Space and Enter characters used to add lines between rows count as characters used.

Policy: Force Reboot on Update
Template value: True
Policy: Length of Each Reboot Delay
Template value: 5
Policy: Number of Reboot Delays Allowed
Template value: 1
Further cell values on this page (in page order): 10; False; False
Description: Setting the value to True causes the computer to immediately

Description: area icon allowing the user to turn this feature on or off. When False, encryption processing occurs any time, even while the user is working.
Security Breach Notification Act) aims to protect California residents from identity theft by requiring organizations that have had computer security breaches to notify all affected individuals. The only way an organization can avoid notifying customers is to be able to prove all personal information was encrypted prior to a security breach. This policy template: ● provides protection of the System Drive and all Fixed Drives. ● prompts users to encrypt removable media devices.
This policy template does not: ● provide protection for the System Drive (typically the C: drive, where the operating system is loaded) or other Fixed Drives. Encryption Disabled This policy template does not provide encryption protection. Take additional measures to safeguard devices from loss and theft when using this template. This template is useful for organizations that prefer to start with no active encryption to transition into security.
11 Extract Child Installers ● To install each client individually, extract the child executable files from the installer. ● If the master installer has been used to install, the clients must be uninstalled individually. Use this process to extract the clients from the master installer so that they can be used for uninstallation. 1. From the Dell installation media, copy the DDSSetup.exe file to the local computer. 2. Open a command prompt in the same location as the DDSSetup.exe file and enter: DDSSetup.
12 Troubleshooting Upgrading to the Windows 10 October 2018 Update Computers running Encryption must use a specially configured Windows 10 Upgrade package to upgrade to the Windows 10 October 2018 Update. The configured version of the upgrade package ensures that Encryption can manage access to your encrypted files to protect them from harm during the upgrade process. To upgrade to the Windows 10 October 2018 Update, follow the instructions in KB article 125419.
● Set EMS Exclude CD/DVD Encryption = not selected.
● Set Subclass Storage: Optical Drive Control = UDF Only.
Use WSScan
● WSScan allows you to ensure that all data is decrypted when uninstalling Encryption as well as view encryption status and identify unencrypted files that should be encrypted.
● Administrator privileges are required to run this utility.
NOTE: WSScan must be run in System Mode with the PsExec tool if a target file is owned by the system account.
Run WSScan
2. Go to Scan Settings and enter the folder path in the Search Path field. If this field is used, the selection in the menu is ignored. 3. If you do not want to write WSScan output to a file, clear the Output to File check box. 4. Change the default path and file name in Path, if desired. 5. Select Add to Existing File if you do not want to overwrite any existing WSScan output files. 6. Choose the output format: ● Select Report Format for a report style list of scanned output. This is the default format.
WSScan information about encrypted files contains the following information.

Example Output:
[2015-07-28 07:52:33] SysData.7vdlxrsb._SDENCR_: "c:\temp\Dell - test.log" is still AES256 encrypted

Output             Meaning
Date/time stamp    The date and time the file was scanned.
Encryption type    The type of encryption used to encrypt the file.
                   SysData: SDE key.
                   User: User encryption key.
                   Common: Common encryption key.
                   WSScan does not report files encrypted using Encrypt for Sharing.
KCID               The Key Computer ID.
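The per-file record format in the example output above can be checked mechanically, for instance to confirm that no file is still reported as encrypted before an uninstall. The Python below is an added example, not part of the Dell guide or of WSScan: it assumes one record per line in the format of the example line, treats the third dotted field as an opaque identifier, and runs on sample lines that are constructed except for the one quoted from the guide.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Key-type prefixes and meanings as listed in the WSScan output table.
KEY_TYPES = {
    "SysData": "SDE key",
    "User": "User encryption key",
    "Common": "Common encryption key",
}

# [timestamp] <type>.<KCID>.<field3>: "<path>" is still <algorithm> encrypted
RECORD_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]\s+'
    r'(?P<key_type>[^.\s]+)\.(?P<kcid>[^.\s]+)\.(?P<field3>[^:\s]+):\s+'
    r'"(?P<path>[^"]+)"\s+is still\s+(?P<algorithm>\S+)\s+encrypted$'
)

# First line is the guide's own example; the other lines are constructed.
SAMPLE_REPORT = r'''[2015-07-28 07:52:33] SysData.7vdlxrsb._SDENCR_: "c:\temp\Dell - test.log" is still AES256 encrypted
[2015-07-28 07:52:34] User.7vdlxrsb.EXAMPLE1: "c:\users\alice\notes.txt" is still AES256 encrypted
[2015-07-28 07:52:35] Common.7vdlxrsb.EXAMPLE2: "c:\shared\plan.docx" is still AES256 encrypted
constructed line that is not a file record
'''


@dataclass(frozen=True)
class EncryptedFile:
    scanned_at: datetime
    key_type: str   # SysData, User or Common
    kcid: str       # Key Computer ID
    field3: str     # assumption: kept as an opaque identifier
    path: str
    algorithm: str


def parse_report(text):
    """Return (records, unparsed_lines) for WSScan report text."""
    records, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        records.append(EncryptedFile(
            scanned_at=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            key_type=m["key_type"],
            kcid=m["kcid"],
            field3=m["field3"],
            path=m["path"],
            algorithm=m["algorithm"],
        ))
    return records, unparsed


def summarize(records):
    """Count still-encrypted files per key type."""
    return dict(Counter(r.key_type for r in records))


def unknown_key_types(records):
    """Key-type prefixes that are not in the guide's table, for manual review."""
    return sorted({r.key_type for r in records} - set(KEY_TYPES))


def decryption_verified(text):
    """True only if no record parses and no unparsed line mentions 'encrypted'.

    A line that mentions encryption but does not match the expected format
    is treated as a finding rather than ignored.
    """
    records, unparsed = parse_report(text)
    suspicious = [line for line in unparsed if "encrypted" in line.lower()]
    return not records and not suspicious


if __name__ == "__main__":
    found, skipped = parse_report(SAMPLE_REPORT)
    for key_type, count in summarize(found).items():
        label = KEY_TYPES.get(key_type, "unknown key type")
        print(f"{count} file(s) still encrypted with {key_type} ({label})")
    print(f"{len(skipped)} line(s) not parsed")
    print("decryption verified:", decryption_verified(SAMPLE_REPORT))
```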
○ The files could not be decrypted by policy.
○ The files are marked as should be encrypted.
○ An error occurred during the decryption sweep.
In all cases, a log file is created (if logging is configured) when LogVerbosity=2 (or higher) is set. To troubleshoot, set the log verbosity to 2 and restart the Encryption Removal Agent service to force another decryption sweep.
● Complete - The decryption sweep is complete.
● Rules have been tested against these iPods: iPod Video 30gb fifth generation iPod Nano 2gb second generation iPod Mini 4gb second generation Dell ControlVault Drivers Update Dell ControlVault Drivers and Firmware ● Dell ControlVault drivers and firmware that are installed on Dell computers at the factory are outdated and should be updated by following this procedure, in this order.
4. Select the Operating System of the target computer. 5. Select the Security category.
6. Download and save the Dell ControlVault Drivers.
7. Download and save the Dell ControlVault Firmware.
8. Copy the drivers and firmware to the target computers, if needed.
Install Dell ControlVault Driver
1. Navigate to the folder to which you downloaded the driver installation file.
2. Double-click the Dell ControlVault driver to launch the self-extracting executable file. NOTE: Be sure to install the driver first. The file name of the driver at the time of this document creation is ControlVault_Setup_2MYJC_A37_ZPE.exe. 3. Click Continue to begin. 4. Click Ok to unzip the driver files in the default location of C:\Dell\Drivers\. 5. Click Yes to allow the creation of a new folder.
6. Click Ok when the successfully unzipped message displays.
7. The folder which contains the files should display after extraction. If not, navigate to the folder to which you extracted the files. In this case, the folder is JW22F.
8. Double-click CVHCI64.MSI to launch the driver installer (the file is CVHCI64.MSI in this example; CVHCI for a 32-bit computer).
9. Click Next at the Welcome screen.
10. Click Next to install the drivers in the default location of C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\. 11. Select the Complete option and click Next.
12. Click Install to begin the installation of the drivers. 13. Optionally check the box to display the installer log file. Click Finish to exit the wizard.
Verify Driver Installation
● The Device Manager will have a Dell ControlVault device (and other devices) depending on the operating system and hardware configuration.
Install Dell ControlVault Firmware
1. Navigate to the folder to which you downloaded the firmware installation file.
2. Double-click the Dell ControlVault firmware to launch the self-extracting executable file.
3. Click Continue to begin.
4. Click Ok to unzip the driver files in the default location of C:\Dell\Drivers\. 5. Click Yes to allow the creation of a new folder. 6. Click Ok when the successfully unzipped message displays. 7. The folder which contains the files should display after extraction. If not, navigate to the folder to which you extracted the files. Select the firmware folder.
8. Double-click ushupgrade.exe to launch the firmware installer. 9. Click Start to begin the firmware upgrade.
NOTE: You may be asked to enter the administrator password if upgrading from an older version of firmware. Enter Broadcom as the password and click Enter if presented with this dialog. Several status messages display.
10. Click Restart to complete the firmware upgrade. The update of the Dell ControlVault drivers and firmware is complete.
Registry Settings This section details all Dell ProSupport approved registry settings for local client computers. Encryption (Optional) Create an Encryption Removal Agent Log File ● Before beginning the uninstall process, you can optionally create an Encryption Removal Agent log file. This log file is useful for troubleshooting an uninstall/decryption operation. If you do not intend to decrypt files during the uninstall process, you do not need to create this log file.
● The Encryption client displays the length of each policy update delay prompt for five minutes each time. If the user does not respond to the prompt, the next delay begins. The final delay prompt includes a countdown and progress bar, and it displays until the user responds, or the final delay expires and the required logoff/reboot occurs. You can change the behavior of the user prompt to begin or delay encryption, to prevent encryption processing following no user response to the prompt.
Advanced Authentication Disable Smart Card and Biometric Services (Optional) If you do not want Advanced Authentication to change the services associated with smart cards and biometric devices to a startup type of "automatic", you can disable the service startup feature. When disabled, Authentication does not attempt to start these three services: ● SCardSvr - Manages access to smart cards read by the computer. If this service is stopped, this computer is unable to read smart cards.
DWORD: DumpPolicies
Value=1
Note: a reboot is required for this change to take effect.
● To suppress all Toaster notifications from the Encryption Management Agent, the following registry value must be set on the client computer.
[HKEY_LOCAL_MACHINE\SOFTWARE\Dell\Dell Data Protection]
"PbaToastersAllowClose" =DWORD:1
0=Enabled (default)
1=Disabled
13 Glossary Advanced Authentication - The Advanced Authentication product provides smart card reader options. Advanced Authentication helps manage these multiple authentication methods, supports login with self-encrypting drives, SSO, and manages user credentials and passwords. Encryption Administrator Password (EAP) - The EAP is an administrative password that is unique to each computer. Most configuration changes made in the local Management Console require this password.