Dell Encryption Personal Technical Advisories v11.0 May 2021 Rev.
Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2012-2021 Dell Inc. All rights reserved.
1 Technical Advisories To ensure the security of your confidential data, Encryption Personal encrypts the data on your Microsoft Windows computer. You (or authorized users) can always access the data when logged into the computer, but unauthorized users will not have access to this protected data. Data always remains encrypted on the drive, but because our encryption is designed to be transparent to you, there is no need to change the way you work with applications and data.
Technical Advisories v11.0 Encryption v11.0 ● The Dell Encryption Removal agent may not decrypt hydrated OneDrive files. To decrypt these files, either unlink OneDrive, or decrypt these files before uninstall through policy. [DDPC-12444] ● WSDeactivate currently displays a non-functional progress bar. [DDPC-12502] Pre-boot Authentication v11.
Technical Advisories v10.10 Encryption v10.10 ● No technical advisories exist. Pre-boot Authentication v10.10 ● No technical advisories exist. SED Manager v10.10 ● No technical advisories exist. New Features and Functionality v10.9 ● Encryption Personal is now supported with Windows 10 v20H2 (October 2020 Update/20H2). ● Encryption Personal now supports disks with 4k sector formats. ● The Dell Encryption PBA now supports Brazilian ABNTv2 keyboards. Resolved Security Advisories v10.
● An issue resulting in failed Dell Encryption reactivation due to a corrupt System Disk Encryption key vault is resolved. [DDPC-12255] ● An issue resulting in failed Windows 10 Feature Updates and computer crash due to a corrupt System Data Encryption key vault is resolved. [DDPSUS-2862] ● An issue resulting in inaccessible files due to System Data Encryption key handling is resolved. [DDPSUS-2867] Pre-boot Authentication v10.
● If Encryption is not activated on the computer, Encryption Personal now displays a Don't Ask Again checkbox. If the user intends to activate Encryption later and selects this option, change the following registry value: ○ HKCU\Software\Dell\Dell Data Protection\Encryption "HidePasswordPrompt"=DWORD 1 = disables the password prompt for Encryption Personal activation 0 = enables the password prompt for Encryption Personal activation ● SED Manager now supports the following platforms: ○ Latitude 9510 ○ Latit
Pre-boot Authentication v10.8 ● When using Recovery Questions to log in through the PBA, the password reset prompt now only appears for the first 90 seconds after login. [DDPC-11671] ● Right-clicking the username, password, smart card, pin or recovery answer field in the PBA no longer yields a menu. [DDPC-11795] ● An issue resulting in third-party authentication providers being disabled by default is resolved. [DDPC-12057, DDPSUS-2818] SED Manager v10.8 ● No technical advisories exist.
● The Encryption Personal Data Security Console now displays the following message if a user attempts to add a new user before enabling the PBA: Note: Protection must be enabled to add users. ● Encryption Personal now prompts the user to reboot their computer after the Encryption Removal Agent finishes its final state in the decryption process. This prompt can be disabled by configuring the following registry value. HKLM\Software\Dell\Dell Data Protection "ShowDecryptAgentRebootPrompt"=DWORD Default = enabl
● A rare issue resulting in the DiagnosticInfo utility failing to generate a temporary directory for data collection before packaging is resolved. [DDPC-4981] ● An issue resulting in installation files being improperly flagged as threats is resolved. [DDPC-6827, DDPC-11573, DDPC-11844, DDPC-11846] ● The Encryption Personal installation logs now display the correct error message when the registry value located at HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order is missing during installation.
Pre-boot Authentication v10.7 ● The About section in the PBA environment currently lists the incorrect version number. [DDPC-11995] SED Manager v10.7 ● No technical advisories exist. New Features and Functionality v10.6 ● Dell's DiagnosticInfo utility now queries additional registry entries for more comprehensive results. ● SED Manager now supports the following platforms: ○ Latitude 7070 Tower Note: This platform was incorrectly listed as supported in v10.5 Technical Advisories.
Applications and installation packages signed with SHA1 certificates will function, but without these updates installed an error displays on the endpoint during installation or execution of the application. Pre-boot Authentication v10.6 ● No technical advisories exist. SED Manager v10.6 ● No technical advisories exist. New Features and Functionality v10.5 ● Swedish keyboards are now supported by the Pre-boot Authentication environment.
SED Manager v10.5 ● No technical advisories exist. Technical Advisories v10.5 Encryption v10.5 ● Added 12/2019 - In January 2020, SHA1 signing certificates are no longer valid and cannot be renewed. Devices running Windows 7 or Windows Server 2008 R2 must install Microsoft KBs https://support.microsoft.com/help/4474419 and https://support.microsoft.com/help/4490628 to validate SHA256 signing certificates on applications and installation packages.
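One way to audit an endpoint for the condition in this advisory, as an added example that is not part of Dell's document. The function names and the installer path in the usage comment are illustrative assumptions; the KB numbers are the ones the advisory lists.

```powershell
# Added example (not Dell's code). Written for PowerShell 2.0, the version
# that ships with Windows 7 and Windows Server 2008 R2.

# The two Microsoft updates named in the advisory.
$RequiredKbs = @('KB4474419', 'KB4490628')

function Test-Sha256SigningSupport {
    # Reports whether this computer is in scope for the advisory and, if so,
    # which of the required updates Get-HotFix does not list.
    $os = [Environment]::OSVersion.Version
    # Version 6.1 is Windows 7 and Windows Server 2008 R2.
    $affected = ($os.Major -eq 6 -and $os.Minor -eq 1)

    # Get-HotFix reads Win32_QuickFixEngineering on the local computer.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    $missing = @($RequiredKbs | Where-Object { $installed -notcontains $_ })

    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        OsVersion    = $os.ToString()
        Affected     = $affected
        MissingKbs   = $missing
        Ready        = (-not $affected) -or ($missing.Count -eq 0)
    }
}

function Get-SignerCertificateAlgorithm {
    # Shows how a package is signed, so SHA1-signed and SHA256-signed
    # installers can be told apart before deployment.
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # hypothetical: path to the installer being checked
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $algorithm = $null
    if ($sig.SignerCertificate) {
        # Signature algorithm of the signing certificate, e.g. sha1RSA or sha256RSA.
        $algorithm = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
    }

    New-Object PSObject -Property @{
        Path               = $Path
        Status             = $sig.Status          # Valid, NotSigned, UnknownError, ...
        StatusMessage      = $sig.StatusMessage
        SignatureAlgorithm = $algorithm
    }
}

# Usage (the installer path is a placeholder):
#   $check = Test-Sha256SigningSupport
#   if (-not $check.Ready) {
#       Write-Warning ("Install before deploying: " + ($check.MissingKbs -join ', '))
#   }
#   Get-SignerCertificateAlgorithm -Path 'C:\Temp\installer-placeholder.msi'
```

A non-Valid `Status` on an affected computer with entries in `MissingKbs` matches the situation the advisory describes: the package is signed, but the operating system cannot validate the SHA256 signature until the updates are installed.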
● Multi-user and domain-based computers no longer invoke activation loss or fail to achieve policy compliance regardless of authentication method or sequence. [DDPC-11053, DDPC-11066] ● Encryption Personal now prompts local users to activate on reboot as expected.
● When Policy Based Encryption and any technology managed by the Encryption Management Agent is installed, removable media may not consistently appear as removable in the Data Security Console and the Security Management Server. [DDPC-9736] ● The Encryption Management Agent no longer outputs policies by default. To output current and newly consumed policies, create the following registry key: HKLM\Software\Dell\Dell Data Protection\ DWORD: DumpPolicies Value=1 Note: a reboot is not required for this change
Resolved Technical Advisories v10.3 Encryption v10.3 ● An issue resulting in failed user activation when a smart card is in use with Policy Based Encryption is resolved. [DDPC-9686, DDPC-9808, DDPC-10592, DDPC-10592, DDPSUS-2402, DDPSUS-2425, DDPSUS-2450] ● An issue resulting in Windows 10 Work Folders failing to sync when attempting to sync encrypted files is resolved. [DDPC-10400, DDPSUS-2269, DDPSUS-2394, DDPSUS-2407] ● Decryption of EMS devices from any endpoint is now enabled.
Technical Advisories v10.3 Encryption v10.3 ● In rare occurrences, when the TPM is in a cleared state in BIOS, Dell Encryption may attempt to take ownership of the TPM and receive a null value. In this situation the Dell Encryption service may crash, resulting in an operating system crash. As a workaround, if the TPM is in a cleared state, fully disable the TPM. [DDPC-11095, DDPSUS-2565] Pre-boot Authentication v10.3 ● No technical advisories exist.
New Features and Functionality v10.2 ● Following a Windows 10 feature upgrade, a restart is required to finalize Dell Encryption. The following message displays in the notification area after Windows 10 feature upgrades: Resolved Technical Advisories v10.2 Encryption v10.2 ● An issue that caused an operating system crash following a Windows update is resolved.
Pre-boot Authentication v10.2 ● No technical advisories exist. SED Management v10.2 ● No technical advisories exist. New Features and Functionality v10.1 ● Added 12/2018 ○ Dell Encryption is now supported with Windows 10 October 2018 Update (Redstone 5 release). ○ SED Management and BitLocker Manager are now supported with Windows 10 October 2018 Update (Redstone 5 release). ● Dell Encryption v10.
● In rare occurrences, users may be unable to enroll in recovery questions due to an unresponsive Dell Authentication Service. To work around this issue, reboot the computer. [DDPC-10503] ● After installing Dell Encryption, an error in DellAgent.log stating "Could not locate saasManager plugin" may be safely ignored. [DDPC-10509] ● When attempting to upgrade Windows to a newer feature update, the feature update processes as expected, but registration is lost after the update.
New Features and Functionality v10.0 ● Improvements to Windows Update handling in Self-Encrypting Drive are supported. ● The following non-Dell computers have been validated with Preboot Authentication when running in Legacy Boot mode: ○ HP EliteBook 1040 G3 ○ Lenovo ThinkPad T560 ● The following non-Dell computers have been validated with Preboot Authentication when running in UEFI Boot mode: ○ HP EliteBook 840 G3 ○ Lenovo ThinkPad P50 ● Personal Encryption is versioned to 10.
Technical Advisories v10.0 Encryption ● In some cases, after changing passwords in Windows, the computer may experience slower logins during the first login or auto-reactivation may occur. To work around this issue, run WSDeactivate after changing the password. [DDPC-9459] ● In rare occurrences, when updating to v10.0, an error may present if the user interface is used for the update. This can be safely closed with no impact to the install.
● Starting with the Encryption Client v8.18, the authentication provider component has been fully replaced. This installer will leverage a new Dell built-in credentials provider that is part of the Client Security Framework installer. The old Digital Persona credentials provider is set to a disabled state. If leveraging the fingerprint or smart card contact-less authentication, these will no longer work after an upgrade of Encryption Client v8.18. Resolved Technical Advisories v8.
● Added 11/2018 - Occasionally, Dell Encryption is unable to connect to the local management console. This condition results in Dell Encryption not providing the dialog to enter the password for encrypted external media, it does not prompt to encrypt unprotected media, and the About box does not contain the correct information. A computer restart resolves the issue. [DDPC-10409] Preboot Authentication v8.
○ C:\Users\\AppData\Local\Microsoft\Vault\ Due to these changes, a re-sweep will be performed to ensure that these folders are properly protected by Dell Encryption. This sweep decrypts files that are system-generated files, but will ensure that user-generated data within these folders will stay protected as either Common encrypted or SDUser encrypted data based on currently set policies. These changes can be overridden by adding a Category 3 inclusion to SDE Encryption Rules.
Preboot Authentication ● An issue where a popup notification would warn the user not to turn off the computer during PBA configuration has now been resolved. [DDPC-7019] Technical Advisories v8.17.1 Encryption ● In some cases, a device may not show in compliance after sweep completes. The current workaround is to reboot the device. [DDPC-7977] Preboot Authentication v8.17.1 ● In some cases, the intensity of USB Type C mouse seems to strengthen while user is in PBA on a UEFI machine.
○ %SystemRoot%\\CbsTemp [DDPC-7881] Preboot Authentication ● Added 05/2018 - The touchpad is now functional at the PBA login screen on non-UEFI computers. [DDPC-5362] ● Added 05/2018 - The touchpad is now functional after the computer resumes from sleep on non-UEFI Dell Latitude computers. [DDPC-5363] ● An issue that resulted in a popup notification that warned the user to not turn off the computer during PBA configuration has been resolved.
● The Windows 10 Feature Update preparation phase will no longer fail to stop the sweep state and will not fail on updating the registry on a computer running Encryption External Media. [DDPC-4254] ● Encryption sweeps no longer pause or require manual intervention to complete. [DDPC-4499] ● Pausing encryption from the system tray icon now properly pauses the encryption sweep.
New Features and Functionality v8.15 ● Added 03/2018-Dell has introduced a change to how built-in encryption exclusions are being handled. Previously, built-in exclusions would prevent the encryption of any file that was created, or copied into a folder that was defined within these exclusion lists. Future hard-coded exclusions introduced in 8.
Technical Advisories v8.15 Encryption ● If the CmgHiber.sys or CmgHiber.dat file is missing from C:\windows\system32\drivers on a computer that hibernates, the computer will not resume. Ensure that disk cleaner and optimization tools do not delete these files. [DDPC-6211] ● Policy updates are not received following a user security identifier (SID) change.
1=Enabled [DDPC-694, DDPC-794, DDPSUS-863] ● Decryption performance is improved when SDE Encryption is enabled. [DDPC-3577, DDPSUS-975] ● The Local Management Console now indicates that an SD card is present in the Ports view as well as in the Device view with External Media Edition and the Port Control policy, Port:SD, set to Bypassed. [DDPC-5037] ● An issue is resolved that occasionally caused the Encryption client to become unresponsive with warnings in the log files.
■ The operating system will crash when switched from RAID ON > AHCI if the AHCI controller drivers are not preinstalled. For instructions on how to switch from RAID > AHCI (or vice versa), see http://www.dell.com/support/article/us/en/19/SLN306460. Supported OPAL compliant SEDs require updated Intel Rapid Storage Technology Drivers, located at . Dell recommends Intel Rapid Storage Technology Driver version 15.2.0.0 or later, with NVMe drives. [DDPC-5941, DDPC-6219] New Features and Functionality v8.
"CredDBCEFAllowProcessList"=explorer.exe,explorer.ex,explorer.e,explorer.,explorer,explore,explor,dllhost.exe,dllhost.ex,dllhost.e,dllhost,dllhost [DDPC-4185] ● If Personal Edition is uninstalled before activation, an error message displays: "EmbeddedServer service is in a pending delete state. error 0z430." To work around this issue, before uninstalling, allow the client to activate and then restart the computer before beginning uninstallation.
● The Encryption client now supports Audit Mode. Audit Mode allows administrators to deploy the Encryption client as part of the corporate image, rather than using a third-party SCCM or similar solutions to deploy the Encryption client. To suppress activation until deployment is complete, install the Encryption client and perform the necessary restart when the configuration computer is in Audit Mode. ● The Encryption client is now supported with TPM 2.0. Resolved Technical Advisories v8.10.
● An issue that caused a restart and lock at the Windows startup screen on Windows 7 computers running Bitdefender Antivirus is resolved. [DDPC-2561, DDPSUS-842] ● Default SDE Encryption Rules have been refreshed. [DDPC-2689] ● SDE encryption now proceeds on computers with HCA or a SED, and a log entry stating SDE policies are blocked due to FVE or a SED disk no longer displays. SDE Encryption is now enabled by default in new installations and upgrades, based on the registry entry HKLM\Software\Microsoft\Wi
Resolved Technical Advisories v8.9.1 Encryption ● A Dell Data Protection-encrypted Windows 10 computer can now be upgraded to the Windows 10 Fall Update, after a few prerequisites are met. The prerequisites must be met, due to a change Microsoft has made to the Windows update process beginning with Windows 10. For more information, see Upgrade to the Windows 10 Anniversary Update.
Resolved Technical Advisories v8.9 Encryption ● The Encryption client uninstaller now defaults to the uninstall/decrypt option instead of uninstalling but leaving files encrypted. When the option to uninstall without decrypting is selected, the Encryption Removal Agent is no longer installed. [DDPC-857, DDPC-1455] ● Silent uninstallation now supports decryption with pre-download key material on locally and remotely managed clients.
● Added 8/2017 - When the user inserts EMS-encrypted media and clicks Access Encrypted Files on a Windows 10 computer without the Encryption client installed, the options Install EMS Service and Run EMS Explorer are not available. [DDPC-1449] ● On HCA-encrypted computers running the Windows 10 Fall Update, HCA decryption does not start after the HCA encryption policy is changed to Off.
Preboot Authentication ● With PBA activated on the Dell Latitude E5250, E5450, and E5550, hibernation now proceeds normally. [CSF-5] ● Preboot Authentication now accepts the apostrophe character (') in the username field. [DDPLP-376] New Features and Functionality v8.7 ● The Windows USB selective suspend feature is now supported. Resolved Technical Advisories v8.
Drive | Availability | Standard
Samsung SM850 EVO M.2. MZ-N5E120- MZ-N5E500 (M.2. SED SSD 120GB to 500GB) | X | Opal 2/eDrive
Samsung PM851 OPAL SSD - mSATA (mSATA 128GB 512GB) | ✓ | Opal 2/eDrive
Samsung PM851 OPAL SSD - M.2. (M.2. 128GB - 512GB) | ✓ | Opal 2/eDrive
Micron M500 SSD 2.5-inch (120GB - 960GB) | X | Opal 2/eDrive
Micron M500 SSD mSATA (120GB - 480GB) | X | Opal 2/eDrive
Technical Advisories v8.
New Features and Functionality v8.6.1 ● Dell Data Protection | Encryption Personal Edition, External Media Edition, Advanced Authentication clients now support Windows 10. Resolved Technical Advisories v8.6.1 Encryption ● During an upgrade, the following error no longer displays: "error Opendatabase,Databasepath,Openmode/error 80004005, (MSI API error)." This error occurred intermittently and the upgrade successfully completed after the user acknowledged the error.
Resolved Technical Advisories v8.6 Encryption ● At uninstallation, decrypting a registry hive that exceeds 52 MB now succeeds and the computer no longer experiences a blue screen when uninstallation is complete. [DDPC-867] ● Encryption Removal Agent failure due to file sharing violations is now resolved. [DDPMTR-883] ● Issues that resulted in rollback of upgrades when installation was attempted more than once are now resolved. [DDPMTR-1029] ● Upgrade from v8.
● When Encryption with Deferred Activation is installed but not activated, the user cannot uninstall and reinstall a different DDP edition. Because activation did not occur, retrieval of encryption keys and decryption are not possible. A different DDP edition cannot overwrite the deferred activation Encryption client.
● On Dell Latitude E7250, E7350, E7450, and Venue Pro 11 (Model 7139), recovery fails with Dell Opal SED Recovery Utility one-time unlock of the drive. To work around this issue, use the recovery key to unlock a drive on one of these models. [DDPUP-763] Resolved Technical Advisories v8.5.1 All Products ● Enhancements have been made to the installer to ensure that the correct PBAAuthURI is maintained, even if the installation reboot occurs before the authentication agent is upgraded.
● The user now has proper access to User and Common encrypted files after HCA decryption. [28810/DDPC-98] ● Previously, in some scenarios, a delay occurred when moving files between folders during Microsoft Word autosaves when using Trend Micro AV and when DDP encryption was installed. This issue is resolved. [DDPC-127] ● Windows Explorer now updates its icon cache after a successful decrypt/uninstall when running Windows 8.1.
Preboot Authentication ● Previously, on some computers with Security Tools and Preboot Authentication enabled, the computer would not boot after entering credentials into the PBA logon screen, and the computer would halt at a black screen with the words "Parity Error". [DDPLP-137] Technical Advisories v8.4.
New Features and Functionality v8.3.2 ● Dell Data Protection | Encryption Personal Edition, External Media Edition, and Advanced Authentication clients now support Windows 8.1 Update 1. ● This release of adds support for the following platforms when using the DDP | Hardware Crypto Accelerator: ○ Dell Precision M4800 ○ Dell Precision M6800 ○ Dell Precision T1700 ○ Dell OptiPlex 7010 ○ Dell OptiPlex XE2 ○ Dell OptiPlex 9020 AIO ○ Dell OptiPlex 9020 Resolved Technical Advisories v8.3.
4. Login to a computer running Dell Data Protection | Encryption with the same user account that originally encrypted the external media. Older versions of Dell Data Protection | Encryption will also require both the same user and same computer that originally encrypted the external media. 5. Insert the EMS-encrypted external media. 6. You are prompted to perform a recovery. Click Yes. 7. Enter a new password to restore access to encrypted files.
○ Dell Latitude Model E7240 ○ Dell Latitude Model E7440 Resolved Technical Advisories v8.3 Encryption Revised 04-2014 ● The Shield now properly processes category 3 policies to override ADE-encrypted (category 2) files. [25211] ● Previously, a message stating "Invalid Value for 103" was displayed in the local console and current settings were not viewable. This issue has been resolved.
Cloud Edition ● Users can no longer access protected sites when the policy is set to block those sites. [DDPCE-24] ● When using OneDrive and an iOS app, files uploaded to the cloud are no longer deleted by the sync client running on a Windows computer. [DDPCE-97] ● While IPv6 is not supported, the web browser no longer intermittently toggles between protected and unprotected states when IPv6 is enabled on the network adapter. IPv4 should be used for Cloud Edition for Windows to function properly.
responding, crashed, or lost power unexpectedly." The issue occurs only during a reboot and does not impact the security of the data or the performance of the computer. [28795] ● Amended 12/2014 - Secure Boot is a Unified Extensible Firmware Interface (UEFI) protocol that Windows 8 and 8.1 users can enable in the computer's BIOS to ensure that the computer boots using trusted firmware signed by the computer manufacturer.
When you access a site that contains a logon form you will be prompted with the pre-train icon to capture the logon credentials for the site. [28528, 28678, 28719] ● In Password Manager, the Select Logon Data window does not show the user name of the first enrolled user. [28531] ● When using Password Manager with Firefox, double-clicking the pre-train icon does not open the Add Logon dialog.
Resolved Technical Advisories v8.2.1 Encryption ● Personal Edition provides improved support for the touch keyboard on the Microsoft Windows 8.1 Sign On Screen. ● Log files are now placed in the proper directory on localized operating systems. [25463] ● An unrecoverable error no longer occurs upon encryption completion when the Local Management Console is left open and the computer is locked for an extended period of time. [27545] ● Interoperability issues when using VMware image files have been resolved.
Resolved Technical Advisories v8.1.1 Encryption ● Upon upgrade to 8.1, EMS was failing to prompt CD/DVD media to encrypt due to the controller driver failing to provide the correct device type to EMS. This release resolves the issue and CD/DVD media is now properly prompted to encrypt. [28150] ● Additional hardening and stability fixes have been added to this release. ● This release resolves the issue of encrypting/decrypting files larger than 4 GB. New Features and Functionality v8.
ejecting the media) a new PCS policy comes down that sets the optical drive to 'Read-Only'. The Shield starts a rebootsnooze cycle when changing from 'UDF-Only' to another policy. If the user accepts the reboot request, Windows reboots without closing the session, because it assumes it can close after the reboot. However, after the reboot, the device is in 'Read-Only' mode and Windows cannot close the session, so whatever filesystem changes had been made in that session are now unrecoverable.
● When the local console is left open and the computer sleeps, a message displays that "no fixed storage is found." Closing and re-opening the local console corrects the issue. If the local console cannot contact its internal server because the computer is sleeping, it correctly displays this message. ● When uninstalling Personal Edition, an error may display stating, "An error occurred while trying to uninstall DDP|CSF." You may safely dismiss this error.
from the Driver Development Kit. Other backup and encryption vendors affected by McAfee's patches are also using the same approach to resolve the issue. To resolve this issue, remove the McAfee software patches listed above, restart the computer, and install Dell Data Protection | Encryption v7.2.3. [24085] ● Previously, when waking from a sleep state, a "No fixed storage is found" message was displayed in the local console under the System Storage tab on some X4 and ACER platforms.
Technical Advisories v7.2 Encryption ● When scanning very large files on removable media, there is a slight screen refresh delay between the local console and the External Media Edition dialog that displays the names of the files being processed. No loss of functionality is experienced. [23453] ● When ejecting removable storage without clicking the "safely removing devices" option in the system tray, the local console status line briefly flashes the "Not Attached to the Encryption System" message.
2 Workarounds Before you begin, be aware of the following workarounds that have been identified during testing. ● Encrypted data must be backed up while its owner is logged in. If encrypted files are backed up to an unencrypted location, the result is an unencrypted backup. To work around this issue, back up encrypted data while its owner is logged in.
3 Software and Hardware Compatibility Personal Edition is tested with third-party software and hardware as needed. Dell reports problems found during testing to other vendors, where appropriate. Upgrade to the latest Windows 10 Feature Update ● To upgrade a computer running the Encryption client to the latest version of Windows 10 Feature Update, follow the instructions in the following article: http://www.dell.com/support/article/us/en/19/SLN298382.
McAfee Host Intrusion Detection ● When using the Shield and McAfee HID, McAfee HID may prevent the Encryption client from changing the registries and Services. To work around this issue, add the Encryption client to the McAfee HID trusted applications list. Webroot ● Webroot, in its default installation, is not compatible with the Encryption client. Webroot places several Encryption client files in quarantine, resulting in the client being unable to access the files for encryption/decryption.