Administrator Guide

ManualsBrandsDell ManualsConverged InfrastructureEncryption

Table Of Contents

Dell Encryption Enterprise Advanced Installation Guide v11.1
Contents
Introduction
- Before You Begin
- Using This Guide
- Contact Dell ProSupport
Requirements
- All Clients
- Encryption
- Full Disk Encryption
- Encryption on Server Operating Systems
- SED Manager
- BitLocker Manager
Registry Settings
- Encryption
- SED Manager
- Full Disk Encryption
- BitLocker Manager
Install Using the Master Installer
- Install Interactively Using the Master Installer
- Install by Command Line Using the Master Installer
Uninstall the Master Installer
- Uninstall the Master Installer
Install Using the Child Installers
- Install Drivers
- Install Encryption
- Install Full Disk Encryption
- Install Encryption on Server Operating System
- Install SED Manager and PBA Advanced Authentication
- Install BitLocker Manager
Uninstall Using the Child Installers
- Uninstall Encryption and Encryption on Server Operating System
- Uninstall Full Disk Encryption
- Uninstall SED Manager
- Uninstall BitLocker Manager
Data Security Uninstaller
Commonly Used Scenarios
- Encryption Client
- SED Manager (including Advanced Authentication) and Encryption Client
- SED Manager and Encryption External Media
- BitLocker Manager and Encryption External Media
Download the Software
Pre-Installation Configuration for SED UEFI, and BitLocker Manager
- Initialize the TPM
- Pre-Installation Configuration for UEFI Computers
- Pre-Installation Configuration to Set Up a BitLocker PBA Partition
Designate the Dell Server through Registry
Extract Child Installers
Configure Key Server
- Services Panel - Add Domain Account User
- Key Server Config File - Add User for Security Management Server Communication
- Services Panel - Restart Key Server Service
- Management Console - Add Forensic Administrator
Use the Administrative Download Utility (CMGAd)
- Use Forensic Mode
- Use Admin Mode
Configure Encryption on a Server Operating System
Configure Deferred Activation
- Deferred Activation Customization
- Prepare the Computer for Installation
- Install Encryption with Deferred Activation
- Activate Encryption with Deferred Activation
- Troubleshoot Deferred Activation
Troubleshooting
- All Clients - Troubleshooting
- All Clients - Protection Status
- Dell Encryption Troubleshooting (client and server)
- SED Troubleshooting
- Dell ControlVault Drivers
  - Update Dell ControlVault Drivers and Firmware
- UEFI Computers
- TPM and BitLocker
Glossary

Supported Server Operating Systems

● Windows Server 2012 R2

Mac Operating Systems Supported to Access Encrypted Media (64-bit kernels)

● macOS High Sierra 10.13.5 - 10.13.6

● macOS Mojave 10.14.0 - 10.14.4

● macOS Catalina 10.15.1 - 10.15.4

SED Manager

● The computer must have a wired network connection to successfully install SED Manager.

● The computer must have a wired network connection for a smart card user to log in through pre-boot authentication for the

first time.

● Third-party credential providers will not function with SED Manager installed and all third-party credential providers will be

disabled when the PBA is enabled.

● IPv6 is not supported.

● SED Manager is not currently supported within virtualized host computers.

● Dell Encryption utilizes Intel's encryption instruction sets, Integrated Performance Primitives (IPP). For more information,

see KB article 126015.

● Be prepared to shut down and restart the computer after you apply policies and are ready to begin enforcing them.

● Computers equipped with self-encrypting drives cannot be used with HCA cards. Incompatibilities exist that prevent the

provisioning of the HCA. Dell does not sell computers with self-encrypting drives that support the HCA module. This

unsupported configuration would be an after-market configuration.

● If the computer targeted for encryption is equipped with a self-encrypting drive, ensure that the Active Directory option,

User Must Change Password at Next Logon, is disabled. Pre-boot authentication does not support this Active Directory

option.

● Dell recommends that you do not change the authentication method after the PBA has been activated. If you must switch to

a different authentication method, you must either:

○ Remove all the users from the PBA.

○ Deactivate the PBA, change the authentication method, and then re-activate the PBA.

NOTE:

Due to the nature of RAID and SEDs, SED Manager does not support RAID. The issue with RAID=On with SEDs is that

RAID requires access to the disk to read and write RAID-related data at a high sector not available on a locked SED from

start and cannot wait to read this data until after the user is logged on. Change the SATA operation in the BIOS from

RAID=On to AHCI to resolve the issue. If the operating system does not have the AHCI controller drivers pre-installed,

the operating system will crash when switched from RAID=On to AHCI.

● Configuration of self-encrypting drives for SED Manager differ between NVMe and non-NVMe (SATA) drives, as follows.

○ Any NVMe drive that is being leveraged for SED:

￭ The BIOS’ SATA operation must be set to RAID ON, as SED Manager does not support AHCI on NVMe drives.

￭ The BIOS's boot mode must be UEFI and Legacy option ROMs must be disabled.

○ Any non-NVMe drive that is being leveraged for SED:

￭ The BIOS’ SATA operation must be set to AHCI, as SED Manager does not support RAID with non-NVMe drives.

￭ RAID ON is not supported because access to read and write RAID-related data (at a sector that is not available on a

locked non-NVMe drive) is not accessible at start-up, and cannot wait to read this data until after the user is logged

on.

￭ The operating system will crash when switched from RAID ON > AHCI if the AHCI controller drivers are not pre-

installed. For instructions on how to switch from RAID > AHCI (or vice versa), see KB article 124714.

Supported OPAL compliant SEDs require updated Intel Rapid Storage Technology Drivers, located at www.dell.com/support.

Dell recommends Intel Rapid Storage Technology Driver version 15.2.0.0 or later, with NVMe drives.

Requirements