Reference Guide

Manage Policies
%ENV:SYSTEMDRIVE%\CustomApplication
What this does: This lists the folder \CustomApplication\ for encryption on the drive where Windows is installed (the default drive).
-%ENV:USERPROFILE%\Desktop
What this does: This lists the Desktop folder of the currently logged-in user, giving it category 0 protection (the leading "-" marks the entry as an exclusion).
Application Data Encryption (ADE)
ADE encrypts any file written by a protected application, using a category 2 override. This means that any directory that already has category 2 protection or better, or any location where specific extensions are protected with category 2 or better, is left alone by ADE: those files are not encrypted again by ADE.
For example, ADE does not encrypt any files written into the /Windows/System32 folder, because this directory has a default protection of category 2.
Example Policies for Common/User Key Encryption
The following set of encryption rules encrypts most of the drive, including standard Microsoft Office-type
documents in the Documents and Settings folders. This policy set should only be used for Common
encryption (not User encryption, removable media, or SDE). This is considered a strong policy set, and
will typically require some adjustments for local conditions and requirements.
%ENV:SYSTEMDRIVE%\
^%ENV:USERPROFILE%\;<insert standard office extensions here>
FOLDERID_Documents or %CSIDL:PERSONAL% (pre-Windows 7)
%ENV:USERPROFILE%\Desktop\
^%ENV:USERPROFILE%\;mp3.mp4.mpeg.avi.wmv.wav
-^%ENV:USERPROFILE%\Desktop\;<system file extensions to exclude>
-%ENV:SYSTEMDRIVE%\;<system file extensions to exclude>
-%ENV:SYSTEMDRIVE%\config.msi
What this does:
• Encrypts all of C:\, except for protected directories
• Encrypts standard Microsoft Office documents across the drive, except for protected directories, although it will encrypt them in the USERPROFILE directory
• Encrypts all of My Documents
• Encrypts all of the Desktop, except for any selected excluded extensions
• Excludes common system files from encryption
• Excludes all encryption from the C:\config.msi directory, due to MSI upgrade migration issues
• All paths are dynamic, based on environment variables
• The %ENV:USERPROFILE% variable (as an inclusion or an exclusion) should never be used with SDE Encryption
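The following is an added worked example, not code from the reference guide or the product: it parses rules written in the syntax shown above and reports which rules match a given file path. Assumptions: a leading "-" is an exclusion, a leading "^" is carried through only as a flag (its effect is not modelled), "%ENV:NAME%" expands from a constructed environment, ";" introduces a "."-separated extension list, and any matching exclusion wins over any matching inclusion; the placeholder extension lists are filled with sample extensions.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed environment; on an endpoint these would come from os.environ.
ENV = {"SYSTEMDRIVE": "C:", "USERPROFILE": "C:\\Users\\alice"}

@dataclass
class Rule:
    raw: str
    exclude: bool          # leading '-'
    override: bool         # leading '^', carried as a flag only (assumption)
    base: str              # expanded directory, lower-cased, no trailing '\'
    extensions: frozenset  # empty = every file under base

def parse_rule(line, env=ENV):
    text = line.strip()
    exclude = text.startswith("-")
    text = text[1:] if exclude else text
    override = text.startswith("^")
    text = text[1:] if override else text
    path, _, ext_list = text.partition(";")
    path = re.sub(r"%ENV:(\w+)%", lambda m: env[m.group(1)], path)
    exts = frozenset(e.lower() for e in ext_list.split(".") if e)
    return Rule(line, exclude, override, ntpath.normpath(path).lower(), exts)

def matches(rule, file_path):
    norm = ntpath.normpath(file_path).lower()
    inside = norm == rule.base or norm.startswith(rule.base.rstrip("\\") + "\\")
    if not inside:
        return False
    if not rule.extensions:
        return True
    return ntpath.splitext(norm)[1].lstrip(".") in rule.extensions

def decide(rules, file_path):
    """Return (encrypt?, matching rules). Any matching exclusion wins (assumed)."""
    hits = [r for r in rules if matches(r, file_path)]
    return bool(hits) and not any(r.exclude for r in hits), hits

# Constructed policy set modelled on the example above (placeholders filled
# with sample extensions for illustration only).
RULES = [parse_rule(r) for r in [
    "%ENV:SYSTEMDRIVE%\\",
    "^%ENV:USERPROFILE%\\;docx.xlsx.pptx",
    "%ENV:USERPROFILE%\\Desktop\\",
    "-%ENV:USERPROFILE%\\Desktop\\;dll.sys",
    "-%ENV:SYSTEMDRIVE%\\;dll.sys.exe",
    "-%ENV:SYSTEMDRIVE%\\config.msi",
]]
```

Calling decide(RULES, "C:\\Users\\alice\\Desktop\\driver.sys") returns False with both Desktop rules and the drive-wide exclusion among the hits, which is a quick way to check that an exclusion for system extensions is actually reaching a folder before a policy set is pushed out.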
System Data Encryption (SDE)
SDE is an intelligent file-based encryption method where the encryption key is auto-authenticated during
the volume mount process. A unique SDE key is generated for each volume that is targeted for