Dell Data Security Endpoint Security Suite Pro Technical Advisories v1.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2017 Dell Inc. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents
1 Technical Advisories
Contact Dell ProSupport
New Features and Functionality v1.8
Resolved Technical Advisories v1.5
Encryption Client v8.11
Preboot Authentication v8.11
Encryption Client v8.7.1
Advanced Authentication v8.7.1
Preboot Authentication v8.7.1
Advanced Authentication v8.5
Preboot Authentication v8.5
SED Client v8.5
1 Technical Advisories
Endpoint Security Suite Pro offers threat protection, authentication, and encryption, all centrally-managed from the Security Management Server or Security Management Server Virtual. With centralized management, consolidated compliance reporting, and console threat alerts, businesses can easily enforce and prove compliance for all of their endpoints.
Encryption Client v8.15
• Performance of Encryption client upgrade that begins during an encryption sweep is improved. [DDPC-4261]
• The Encryption client now displays the EMS Device Whitelist policy rather than an error when the policy setting exceeds 2048 characters. [DDPC-4382]
• The Local Management Console Preferences setting, Indicate encryption status using Windows Shell Extension icon overlays, is removed.
Encryption Client v8.15
• The Secure Hibernation policy is not supported with Legacy BIOS on Windows 7. [DDPC-2279]
• Encryption status displayed in the Dell Data Security application for a fixed or removable drive may differ from the actual status of the drive, which is correctly displayed in the Local Management Console. [DDPC-5521, DDPC-5670]
• Encryption is not supported on servers that are part of distributed file systems (DFS). [DDPC-6130]
• If the CmgHiber.sys or CmgHiber.
• The backslash/pipe (\ |) key on an Arabic keyboard behaves differently than expected. [DDPC-6529]
• SSL is no longer supported. TLS 1.0, 1.1, or 1.2 should be used rather than SSL.

SED Client v8.15
• SSL is no longer supported. TLS 1.0, 1.1, or 1.2 should be used rather than SSL.

BitLocker Manager v8.15
• The Local Management Console does not report status of a drive that is both Dell-encrypted and BitLocker-encrypted when the drive is locked. [DDPC-6329]
• SSL is no longer supported. TLS 1.0, 1.1, or 1.
• An issue is resolved that occasionally caused the Encryption client to become unresponsive with warnings in the log files. [DDPC-5311]

Advanced Authentication v8.13
• When a user is removed from a computer just before the computer is shut down, the removal process is now completed as expected. [DDPC-4260]

Resolved Customer Issues
• An issue is resolved that resulted in a delay in displaying the User Account Control prompt. [DDPC-5017]

Preboot Authentication v8.
• After policy update that requires reboot, the reboot prompt occasionally displays off-screen on the Dell Latitude 7280. [DDPC-5376]
• Encryption overlay icons display on unmanaged users' files when overlay icons are enabled for managed users on the same computer. [DDPC-5415]
• High resolution prevents use of the recovery option on the Precision Mobile Workstation 7520 and 7720, due to the sizing of the recovery user interface.
BitLocker Manager v8.13
• The top part of the option "Use a password to unlock the drive" is cut off in the BitLocker Drive Encryption dialog. [DDPC-5728]
• Added 8/2017 - Due to changes to Microsoft validation profiles level (PCRs), BitLocker Manager might not begin encrypting on Windows 10. To correct this issue, obtain and apply the Enterprise Server v9.7 update that corrects this issue or upgrade to Security Management Server v9.8. For more information about the v9.7 update, see http://www.dell.
Advanced Authentication v8.12
• The Enroll Credentials window no longer occasionally displays after a computer with fingerprint or smart card enrolled credentials resumes from sleep. [DDPC-4269]
• Effective policies from the Dell Server are now automatically exported and stored in C:\ProgramData\Dell\Dell Data Protection\Policy\Policy-xxxxxxxx.xml, where "xxxxxxxx" is the sequence number of the policy. By default, the last 10 policies received from the Server are stored.
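The policy export described above gives an administrator a local history to audit. The following is an added example, not Dell's code: it orders the exported files by sequence number and reports which values changed between the two most recent policies. It assumes the sequence number is a fixed-width, 8-digit value and makes no assumption about the XML schema; the sample files and element names are constructed for the demonstration.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Export folder named in the advisory. The XML schema is not documented there,
# so the comparison below is schema-agnostic.
POLICY_DIR = Path(r"C:\ProgramData\Dell\Dell Data Protection\Policy")
# Assumption: "xxxxxxxx" is a fixed-width, 8-digit (decimal or hex) sequence number.
NAME_RE = re.compile(r"^Policy-([0-9A-Fa-f]{8})\.xml$")

def exported_policies(directory):
    """Return [(sequence, path)] sorted oldest to newest, ignoring other files."""
    found = []
    for path in Path(directory).iterdir():
        match = NAME_RE.match(path.name)
        if match:
            found.append((match.group(1).upper(), path))
    return sorted(found)  # fixed width, so string order equals numeric order

def flatten(path):
    """Map each element's text and attributes to a positional key."""
    values = {}
    def walk(elem, key):
        for name, value in elem.attrib.items():
            values[f"{key}/@{name}"] = value
        text = (elem.text or "").strip()
        if text:
            values[key] = text
        seen = {}
        for child in elem:
            seen[child.tag] = seen.get(child.tag, 0) + 1
            walk(child, f"{key}/{child.tag}[{seen[child.tag]}]")
    root = ET.parse(path).getroot()
    walk(root, f"/{root.tag}")
    return values

def latest_change(directory=POLICY_DIR):
    """Diff the two newest exports: (old_seq, new_seq, [(key, old, new)])."""
    policies = exported_policies(directory)
    if len(policies) < 2:
        return None  # nothing to compare yet
    (old_seq, old_path), (new_seq, new_path) = policies[-2:]
    old, new = flatten(old_path), flatten(new_path)
    changes = [(k, old.get(k), new.get(k))
               for k in sorted(old.keys() | new.keys()) if old.get(k) != new.get(k)]
    return old_seq, new_seq, changes

def demo():
    """Run against two constructed files; element names are made up, not Dell's schema."""
    body = '<policy><setting name="ExampleA">{}</setting><setting name="ExampleB">5</setting></policy>'
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "Policy-00000041.xml").write_text(body.format("True"), encoding="utf-8")
        Path(tmp, "Policy-00000042.xml").write_text(body.format("False"), encoding="utf-8")
        Path(tmp, "notes.txt").write_text("not a policy export", encoding="utf-8")
        return latest_change(tmp)

if __name__ == "__main__":
    print(demo())
```

On an endpoint, call `latest_change()` with no argument to compare the two newest files in the default folder.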
SED Client v8.12
• When installing SED Management using the child installers, the installation no longer fails if the Validate URL button is pressed. [DDPC-4271]
• Effective policies from the Dell Server are now automatically exported and stored in C:\ProgramData\Dell\Dell Data Protection\Policy\Policy-xxxxxxxx.xml, where "xxxxxxxx" is the sequence number of the policy. By default, the last 10 policies received from the Server are stored.
[DDPC-4185]
• When encryption or decryption is paused, the Compliance/Provisioning status may not be accurately indicated in the Local Management Console. [DDPC-5063]

Preboot Authentication v8.12
• Added 4/2017 - Changes to the Self-Encrypting Drive policy, Self Help Question/Answer Attempts Allowed, take effect only for users activating PBA after the policy change and for existing PBA users when the updated policy value is lower than the previous value.
Encryption Client v8.11
• Cumulative encryption exclusions are now automatically applied when the Encryption client is upgraded. This will require an encryption sweep for each user upgraded to v8.11 or later. However, subsequent updates will require a sweep only if the update includes new exclusions. [DDPC-1334, DDPC-5138]
• In some cases, an encryption sweep pauses and the Local Management Console continues to display "Compliance in progress....
• An issue that caused a prompt to reboot in some cases with SDE encryption enabled is resolved. [DDPC-3525]
• If the activation prompt times out for a second or subsequent user on a computer with an activated user, the prompt now displays again. [DDPC-3705]
• UEFI computers with Secure Boot enabled now boot as expected after Microsoft Security Bulletin MS16-100 is applied.
• After upgrade from a previous Endpoint Security Suite version, the popup message "The system information has been copied to the clipboard", shown from About > Copy Info in the DDP Console, now closes when the user presses the Enter key to select OK. [DDPC-2394]
• After upgrade with Preboot Authentication activated, the AntiMalware Management Plugin now displays in the DDP Console Services list as expected.
Encryption Client v8.9.3
• Standard practice is that the master installer version is the same version number as the Encryption client installer. However, in this release, the master installer is v8.10 and the Encryption installer is v8.9.3. Versions will be aligned in the future, to avoid confusion. In the event that you need support, ProSupport will need your Encryption client version number.
• To upgrade with HCA-encrypted data, issue a policy of Hardware Crypto Accelerator (HCA) = Off.
• The computer now boots as expected after Intel Rapid Storage Technology drivers are installed. [DDPC-1246]
• The HideOverlayIcons registry setting that is used to hide the encryption icons for all managed users on a computer after the original installation now works as expected. The HideOverlayIconsOverlay registry setting now effectively hides Dell Data Protection Encryption overlay icons when File Explorer is refreshed or reopened.
Dell Computer Models - UEFI Support
• Latitude 12 Rugged Extreme
• Latitude 12 Rugged Tablet (Model 7202)
• Latitude 14 Rugged Extreme
• Latitude 14 Rugged

Preboot Authentication v8.9.1
• A non-administrator user can now run an application through User Account Control on a Windows 8, 8.1, or 10 computer with Security Tools installed. [CSF-1313, DDPC-1578]
• The issue that led to shutdown at PBA login on a computer running ActivClient v7.0.2 is resolved.
• Restarting or shutting down a computer during an encryption sweep no longer causes a Shield Service crash. [DDPC-1233]
• External Media Shield is now updated on a non-Shielded computer when that computer is used to access an encrypted removable media that has been updated. [DDPC-1259]
• An issue that allowed re-encryption of encrypted files when an encryption sweep started and ended during a single user login session is resolved.
Advanced Authentication v8.9
• On UEFI computers running the Windows 10 Fall Update and AVG Antivirus, Advanced Authentication installation with the child installer is interrupted and never completes. [CSF-1192]
• The fingerprint reader on the Latitude 7510 running Windows 10 loses functionality after upgrade to Windows 10 Fall Update. To work around this issue, perform two restarts and the fingerprint reader will function again.
Preboot Authentication v8.7.1
• With PBA activated on the Dell Latitude E5250, E5450, and E5550, hibernation now proceeds normally. [CSF-5]
• When PBA is disabled by policy, the client DDP Console now indicates that PBA is deactivated. [CSF-1015]
• Preboot Authentication now accepts the apostrophe character (') in the username field. [DDPLP-376]

Technical Advisories v1.2.1
Preboot Authentication v8.7.
Drive                                              Availability   Standard
Seagate ST320LT014 (Julius 320GB)                  ✓              Opal 1
Seagate ST500LM001 (Kahuna 500GB)                  ✓              Opal 2/eDrive
Seagate ST1000LM015 (Kahuna 1000GB)                ✓              Opal 2/eDrive
Seagate ST500LM023 (Yarra X)                       ✓              Opal 2/eDrive
Seagate ST500LT025 (Yarra R)                       ✓              Opal 2/eDrive
Seagate ST500LT033 (Asagana)                       ✓              Opal 2/eDrive
Seagate ST1000DM004 (Desktop 3.5-inch 1000GB)      X              Opal 2/eDrive
Seagate ST1000DM004 (Desktop 3.5-inch 2000GB)      X              Opal 2/eDrive
Seagate ST1000DM004 (Desktop 3.
• Running Diagnostic Info results in a file archiving error if run when files that must be accessed are locked or in use. [DDPMTR-1830]
• When running the Setup Wizard after WSDeactivate, access to Common and User encrypted data is lost. To work around this issue, after running WSDeactivate, do not run the Setup Wizard. Instead, perform File/Folder Encryption recovery as explained in the Recovery Guide. Select the option, My system does not allow me to access encrypted data....
• Encryption of the \Regback folder after a scheduled backup no longer requires a reboot for encryption to begin. [DDPSUS-302, DDPSUS-342]

Advanced Authentication v8.6.1
• The user can now use the external keyboard, in addition to the virtual keyboard, to submit answers to Recovery Questions. [CSF-332]
• When using HCA, an issue with single sign-on with domain smart cards is now resolved. [CSF-94]

Preboot Authentication v8.6.
• Password Manager now functions properly with Mozilla Firefox v36.0.1 and later. [CSF-199]
• When One-time Password is used to recover access to a computer, if the user enters a blank value for the password, error messages now display "Unknown user name or incorrect password/One or more arguments are not correct." After the user acknowledges the messages, the OTP screen displays. [CSF-233]

Preboot Authentication v8.
Advanced Authentication v8.6
• When a user begins credential enrollment but quits without saving before enrollment is complete, the credentials are enrolled rather than discarded. To work around this issue, if policy allows the user to modify their own credentials, the user can open the DDP Console, select the Enrollments tile, select and delete the credentials. Otherwise, an administrator must remove them. [CSF-146]
• Password Manager does not support the Windows 10 web browser, Microsoft Edge.
BitLocker Manager v8.6
• Amended 08/2015 - When using the child installer, the installer will effect a reboot only if necessary. To force a restart after installation, add /forcerestart to the installation command. [CSF-246]
• Added 08/2015 - If Microsoft TPM Base Services is improperly installed, the following functionality is affected: HCA provisioning, fingerprint enrollment in the DDP Console/Security Console, and BitLocker Manager operation.
• An SED client-side registry setting is now available to configure the retry interval when the Server is unavailable to communicate with the SED client. This registry setting can be used to prevent large numbers of clients from trying to contact the Server at once, thereby compounding the problem. [CSF-24]
• The issue of using Security Tools, Windows 8.1, and the GPO "Do Not Display Last Username", causing single sign-on to fail has been resolved.
and retrieval of encryption keys are available from the DDP Server, reducing the work of keeping critical data safe, and reducing the risk that systems are unprotected in the event of loss or attempts at unauthorized access.
• BitLocker Manager seamlessly integrates with the other Endpoint Security Suite components through the DDP Server to provide flexible policy enforcement and TPM management, reducing the strain on an organization's IT resources.
SED Client v8.5
• During an update to Intel Rapid Storage Technology Drivers, the self-encrypting drive may become undetectable. To resolve this issue, reboot the computer a second time after the update has been applied. [MMW-633]

BitLocker Manager v8.5
• Amended 06/2015 - If a user suspends then turns off BitLocker through the BitLocker dialogs, decryption begins and continues for five minutes after the user suspends BitLocker at which point BitLocker Manager reverts decryption.
Technical Advisories v8.3

All Clients
• If Windows updates are not installed before the master installer runs, installation may fail. [28835]

Encryption Client
• Windows logon fails with some new CAC smart cards, which use multiple certificates with the same name. One certificate is the authentication certificate and the other is a signing certificate. The algorithm used to select the certificate uses the newest certificate. If the newest certificate is the signing certificate, Windows logon will fail.
1 Turn on the power to your Dell computer. If the computer is already powered on, reboot it.
2 Press F2 or F12 continuously during boot until a message displays at the upper right of the screen that is similar to "preparing to enter setup" (F2) or "preparing one-time boot menu" (F12). This launches the system BIOS.
3 In Setting > General > Boot Sequence, ensure that the Legacy Boot List Option is selected.
• The Password Manager version number may differ across web browsers. [28808]
• In the Security Console, the Backup and Restore feature is described as providing data backup and restore functions but is specifically related to backup and restore of Password Manager data. [28856]
• When dual-factor authentication is enabled and the computer resumes from sleep, the computer intermittently stops responding and the screen is black.
5 In Settings > Secure Boot > Secure Boot Enable, ensure that the Secure Boot Enable selection is Disabled.
6 Apply the changes.
7 Now that the computer BIOS has been changed to legacy boot mode, the computer must be re-imaged. [28790]

Technical Advisories v8.2.1

Encryption Client
• The Shield is intermittently sending invalid XML characters in the event bundle. The result is that event logs from endpoints are occasionally not parsed or logged for compliance reporting at the Enterprise Server.
Dell Data Protection | Security Tools and the SED client do not support Hybrid Sleep states and SSO when Preboot Authentication (PBA) is Active. Disable Hybrid Sleep when using Preboot Authentication if your organization intends to use SSO. [27496, 25785]
• When using a Precision M6800, Single Sign-On will fail if a USB device is currently plugged into the computer.
• On some Dell platforms, the desktop background turns black after the computer wakes from a sleep state. To work around this issue, go to display settings and reset the desktop background. [24574]

BitLocker Manager
• Encryption Status Reports will not exactly match the Windows BitLocker encryption dialog window. BitLocker Manager updates encryption status every 30 seconds, therefore there will be a 30 second delay in BitLocker Manager encryption status.
• Profiles
• COM+ DB
• WFP.dll cache
• WMI DB
• IIS Metabase

File types which are monitored by System Restore are as specified in http://msdn.microsoft.com/library/en-us/sr/sr/monitored_file_extensions.asp. Using System Restore on any of these files which are encrypted by the Dell Data Protection | Encryption client can potentially cause corruption. Backup and restoration of Shield-encrypted files should be done at the folder level and not on an individual file basis. [23437]

Technical Advisories v7.0/7.0.
2 Workarounds
Before you begin, be aware of the following workarounds that have been identified during testing.
• To host EMS, external media must have 55 MB available, plus open space on the storage that is equal to the largest file to be encrypted. To work around the issue, free up space on the storage or use media with more storage capacity. [DDPC-243]
• Performing an upgrade during an encryption sweep may prevent the Shield Service from restarting normally after the installation finishes.
3 Software and Hardware Compatibility
Endpoint Security Suite is tested with third-party software and hardware as needed. Dell reports problems found during testing to other vendors, where appropriate.

Upgrade to the Windows 10 Creators Update
• To upgrade a computer running the Encryption client to the Windows 10 Creators Update version, follow the instructions in the following article: http://www.dell.com/support/article/us/en/19/SLN298382.
Databases to Exclude
druginteractions-nc-2    p002-nc-2    strings-nc-2
drugs-nc-2               p011-nc-2    utilities-nc-2
duse-nc-2                p120-nc-2    version-nc-2

Hacks and Utilities
• Hacks or utilities that alter device manufacturer performance specifications are not supported. For example, the AfterBurner hack adjusts the clock speed of a device processor, affecting the results of certain math operations.