Reference Guide
Security Management Server v10.2.7 AdminHelp
• Includes a numeric or text value stored in the registry of the local computer. If you specify a key path but not a value name, the client uses the key's default value.
%ENV:envname%
• Includes the value of a local Windows environment variable
%%
• Includes a literal % character
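The following expander, added here as an illustration and not taken from the product, shows how the two placeholder forms listed above (%ENV:envname% and %%) resolve inside a rule path. It handles only those two forms; the registry placeholder is not implemented because its exact syntax is not shown on this page, so any other %...% sequence is copied through unchanged. Variable-name matching is case-insensitive, as Windows environment variables are. The sample environment values are constructed for the example.

```python
"""Expand %ENV:name% and %% placeholders in an encryption-rule path.

Added example, not the Security Management Server's own code. Only the two
placeholder forms documented on this page are handled:
  %ENV:envname%  -> value of a local Windows environment variable
  %%             -> a literal percent sign
Anything else between percent signs is left exactly as written so the caller
can see what was not expanded, rather than silently producing a wrong path.
"""
import os
import re

# A token is either %% or %ENV:<name>%; everything else is copied verbatim.
_TOKEN = re.compile(r"%%|%ENV:([^%]+)%")


def _lookup(env, name):
    """Case-insensitive environment lookup (Windows variable names are
    case-insensitive; a plain dict is not, so normalise here)."""
    if name in env:
        return env[name]
    upper = name.upper()
    for key, value in env.items():
        if key.upper() == upper:
            return value
    raise KeyError(f"environment variable {name!r} is not set")


def expand_path(template, env=None):
    """Return template with %ENV:name% and %% substituted.

    env defaults to os.environ; pass a dict for a deterministic result.
    An unset variable raises KeyError: a rule path that quietly expands to
    the wrong folder would exclude or protect the wrong data.
    """
    if env is None:
        env = os.environ

    def _sub(match):
        if match.group(0) == "%%":
            return "%"
        return _lookup(env, match.group(1))

    return _TOKEN.sub(_sub, template)


def unexpanded_placeholders(template):
    """List %...% sequences that expand_path() would leave untouched, so an
    administrator can spot placeholder forms this expander does not know."""
    stripped = _TOKEN.sub("", template)
    return re.findall(r"%[^%]*%", stripped)


if __name__ == "__main__":
    # Constructed sample environment, not read from a real machine.
    sample_env = {"USERPROFILE": r"C:\Users\alice", "SystemDrive": "C:"}
    print(expand_path(r"%ENV:USERPROFILE%\Documents", sample_env))
    print(expand_path(r"%ENV:systemdrive%\Temp\100%%", sample_env))
    print(unexpanded_placeholders(r"%HKLM:Software\Vendor\Path%\data"))
```

Run it with a dict to test a rule before deploying it; with no env argument it reads the real environment of the machine it runs on, which is the value the client would see at runtime for that user.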
Windows Policies that Require Reboot
• SDE Encryption Enabled
• Encrypt Windows Paging File
• Secure Windows Credentials
• All PCS policies
Windows Policies that Require Logoff
• SDE Encryption Enabled
• User state change to Suspended
• EMS Encrypt External Media
• EMS Scan External Media
• EMS Encryption Algorithm
• EMS Exclude CD/DVD Encryption
• EMS Data Encryption Key
Advanced Windows Encryption
A word about types of encryption: SDE is designed to encrypt the operating system and program files.
To do this, SDE must be able to unlock its encryption key while the operating system boots, without
the user entering a password. Its purpose is to prevent tampering with, or offline attacks on, the
operating system. Because its key is released at boot without user authentication, SDE is not intended
for user data. Common and User key encryption are intended for sensitive user data because they
require the user's password to unlock their encryption keys.
Policy descriptions also display in tooltips in the Management Console. In this table, master policies are
in bold font.
Policy | Default Setting | Description

Self-Encrypting Drive (SED)
This technology manages self-encrypting drives (SEDs). Authentication by users through a Pre-Boot
Authentication environment (before the operating system has booted) is required to unlock the drive.

Enable SED Plugin | Selected | The plugin must remain selected. To deactivate the PBA and disable SED Management, toggle the Self-encrypting Drive policy to OFF. See basic settings.