Deployment Guide
Dell Encryption Personal Installation Guide v11.1
● The Encryption client displays each policy update delay prompt for five minutes. If the
user does not respond to the prompt, the next delay begins. The final delay prompt includes a countdown and progress bar,
and it displays until the user responds, or the final delay expires and the required logoff/reboot occurs.
You can change the behavior of the user prompt to begin or delay encryption, to prevent encryption processing following no
user response to the prompt. To do this, set the following registry value:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]
"SnoozeBeforeSweep"=DWORD:1
Any non-zero value changes the default behavior to snooze. With no user interaction, encryption processing is delayed up to
the number of configurable allowed delays. Encryption processing begins when the final delay expires.
Calculate the maximum possible delay as follows (a maximum delay would involve the user never responding to a delay
prompt, each of which displays for 5 minutes):
(NUMBER OF POLICY UPDATE DELAYS ALLOWED × LENGTH OF EACH POLICY UPDATE DELAY) + (5 MINUTES ×
[NUMBER OF POLICY UPDATE DELAYS ALLOWED - 1])
Change the Default Use of SDUser Key
● System Data Encryption (SDE) is enforced based on the policy value for SDE Encryption Rules. Additional directories are
protected by default when the SDE Encryption Enabled policy is Selected. For more information, search "SDE Encryption
Rules" in AdminHelp. When Encryption is processing a policy update that includes an active SDE policy, the current user
profile directory is encrypted by default with the SDUser key (a User key) rather than the SDE key (a Device key). The
SDUser key is also used to encrypt files or folders that are copied (not moved) into a user directory that is not encrypted
with SDE.
To disable the SDUser key and use the SDE key to encrypt these user directories, create the following registry entry on the
computer:
[HKEY_LOCAL_MACHINE\SOFTWARE\Credant\CMGShield]
"EnableSDUserKeyUsage"=DWORD:00000000
If this registry key is not present or is set to anything other than 0, the SDUser key is used to encrypt these user directories.
Disable/Enable Encrypt for Sharing in Right-click Context Menu
● To disable or enable the Encrypt for Sharing option in the right-click menu, use the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Dell\Dell Data Protection\Encryption
"DisplaySharing"=DWORD
0 = disable the Encrypt for Sharing option in the right-click context menu
1 = enable the Encrypt for Sharing option in the right-click context menu
Disable/Enable the notification for Encryption Personal activation
● HKCU\Software\Dell\Dell Data Protection\Encryption
"HidePasswordPrompt"=DWORD
1 = disables the password prompt for Encryption Personal activation
0 = enables the password prompt for Encryption Personal activation
Disable/Enable the reboot prompt after the Encryption Removal Agent finishes the final stage of decryption
● To disable prompting the user to reboot their computer after the Encryption Removal Agent finishes its final state in the
decryption process, modify the following registry value.
HKLM\Software\Dell\Dell Data Protection
"ShowDecryptAgentRebootPrompt"=DWORD
Default = enabled
1 = enabled (displays prompt)
0 = disabled (hides prompt)
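The settings in this section can be verified on an endpoint with a read-only audit. The following PowerShell is an added example, not part of the Dell guide: it reads the five registry values documented above, applies the defaults the guide states, and evaluates the maximum-delay formula. The function names and the sample policy numbers (3 delays of 15 minutes) are assumptions.

```powershell
# Added example: read-only audit of the registry values documented in this section.
# Key paths and value names come from the guide; function names are hypothetical.
function Get-ShieldValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, so the documented default can be applied.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-MaxPolicyDelayMinutes {
    param([int]$DelaysAllowed, [int]$DelayLengthMinutes)
    # (delays allowed x length of each delay) + (5 minutes x [delays allowed - 1])
    if ($DelaysAllowed -lt 1) { return 0 }   # assumption: no delays allowed means no delay
    return ($DelaysAllowed * $DelayLengthMinutes) + (5 * ($DelaysAllowed - 1))
}

function ConvertTo-State {
    param($Value, [string]$On, [string]$Off, [string]$Absent, [switch]$AnyNonZero)
    if ($null -eq $Value) { return $Absent }
    if ($Value -eq 0) { return $Off }
    if ($Value -eq 1 -or $AnyNonZero) { return $On }
    return "undocumented value $Value"   # the guide defines only 0 and 1 here
}

$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'
$credant  = 'HKLM:\SOFTWARE\Credant\CMGShield'
$ddpe     = 'Software\Dell\Dell Data Protection\Encryption'

$snooze  = Get-ShieldValue $winlogon 'SnoozeBeforeSweep'
$sdUser  = Get-ShieldValue $credant 'EnableSDUserKeyUsage'
$sharing = Get-ShieldValue "HKLM:\$ddpe" 'DisplaySharing'
$hidePw  = Get-ShieldValue "HKCU:\$ddpe" 'HidePasswordPrompt'   # per-user: run as that user
$reboot  = Get-ShieldValue 'HKLM:\Software\Dell\Dell Data Protection' 'ShowDecryptAgentRebootPrompt'

[pscustomobject]@{
    # "default" / "not set" mark values the guide gives no explicit default for.
    NoResponseBehavior  = ConvertTo-State $snooze 'snooze' 'default' 'default' -AnyNonZero
    UserDirectoryKey    = ConvertTo-State $sdUser 'SDUser key' 'SDE key' 'SDUser key' -AnyNonZero
    EncryptForSharing   = ConvertTo-State $sharing 'enabled' 'disabled' 'not set'
    ActivationPrompt    = ConvertTo-State $hidePw 'disabled' 'enabled' 'not set'
    DecryptRebootPrompt = ConvertTo-State $reboot 'enabled' 'disabled' 'enabled'
    # Constructed policy values: 3 allowed delays of 15 minutes each.
    MaxDelayMinutes     = Get-MaxPolicyDelayMinutes -DelaysAllowed 3 -DelayLengthMinutes 15
} | Format-List
```

A `snooze` result means an unattended machine postpones encryption processing for up to the computed maximum delay, so it is worth tracking alongside the delay counts set in policy.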