Install Guide

ManualsBrandsDell ManualsConverged InfrastructureEndpoint Security Suite Enterprise

Table Of Contents

Dell Endpoint Security Suite Enterprise Advanced Installation Guide v3.0
Contents
Introduction
- Before You Begin
- Using This Guide
- Contact Dell ProSupport
Requirements
- All Clients
- Encryption
- Full Disk Encryption
- Encryption on Server Operating Systems
- Advanced Threat Prevention
  - Compatibility
- Client Firewall and Web Protection
- SED Manager
- BitLocker Manager
Registry Settings
- Encryption
- Full Disk Encryption
- Advanced Threat Prevention
- SED Manager
- BitLocker Manager
Install Using the Master Installer
- Install Interactively Using the Master Installer
- Install by Command Line Using the Master Installer
Uninstall the Master Installer
- Uninstall the Endpoint Security Suite Enterprise Master Installer
Install Using the Child Installers
- Install Drivers
- Install Encryption
- Install Full Disk Encryption
- Install Encryption on Server Operating System
- Install Advanced Threat Prevention Client
- Install Client Firewall and Web Protection
- Install SED Manager and PBA Advanced Authentication
- Install BitLocker Manager
Uninstall Using the Child Installers
- Uninstall Web Protection and Firewall
- Uninstall Advanced Threat Prevention
- Uninstall Full Disk Encryption
- Uninstall SED Manager
- Uninstall Encryption and Encryption on Server Operating System
- Uninstall BitLocker Manager
Data Security Uninstaller
Commonly Used Scenarios
- Encryption Client and Advanced Threat Prevention
- SED Manager and Encryption External Media
- BitLocker Manager and Encryption External Media
- BitLocker Manager and Advanced Threat Prevention
Provision a Tenant
- Provision a Tenant
Configure Advanced Threat Prevention Agent Auto Update
Pre-Installation Configuration for SED UEFI, and BitLocker Manager
- Initialize the TPM
- Pre-Installation Configuration for UEFI Computers
- Pre-Installation Configuration to Set Up a BitLocker PBA Partition
Designate the Dell Server through Registry
Extract Child Installers
Configure Key Server
- Services Panel - Add Domain Account User
- Key Server Config File - Add User for Security Management Server Communication
- Services Panel - Restart Key Server Service
- Management Console - Add Forensic Administrator
Use the Administrative Download Utility (CMGAd)
- Use Forensic Mode
- Use Admin Mode
Configure Encryption on a Server Operating System
Configure Deferred Activation
- Deferred Activation Customization
- Prepare the Computer for Installation
- Install Encryption with Deferred Activation
- Activate Encryption with Deferred Activation
- Troubleshoot Deferred Activation
Troubleshooting
- All Clients - Troubleshooting
- All Clients - Protection Status
- Dell Encryption Troubleshooting (client and server)
- Advanced Threat Prevention Troubleshooting
- SED Troubleshooting
- Dell ControlVault Drivers
  - Update Dell ControlVault Drivers and Firmware
- UEFI Computers
- TPM and BitLocker
Glossary

● Be prepared to shut down and restart the computer after you apply policies and are ready to begin enforcing them.

● Computers equipped with self-encrypting drives cannot be used with HCA cards. Incompatibilities exist that prevent the

provisioning of the HCA. Dell does not sell computers with self-encrypting drives that support the HCA module. This

unsupported configuration would be an after-market configuration.

● If the computer targeted for encryption is equipped with a self-encrypting drive, ensure that the Active Directory option,

User Must Change Password at Next Logon, is disabled. Pre-boot authentication does not support this Active Directory

option.

● Dell recommends that you do not change the authentication method after the PBA has been activated. If you must switch to

a different authentication method, you must either:

○ Remove all the users from the PBA.

○ Deactivate the PBA, change the authentication method, and then re-activate the PBA.

NOTE:

Due to the nature of RAID and SEDs, SED Manager does not support RAID. The issue with RAID=On with SEDs is that

RAID requires access to the disk to read and write RAID-related data at a high sector not available on a locked SED from

start and cannot wait to read this data until after the user is logged on. Change the SATA operation in the BIOS from

RAID=On to AHCI to resolve the issue. If the operating system does not have the AHCI controller drivers pre-installed,

the operating system will crash when switched from RAID=On to AHCI.

● Configuration of self-encrypting drives for SED Manager differ between NVMe and non-NVMe (SATA) drives, as follows.

○ Any NVMe drive that is being leveraged for SED:

￭ The BIOS’ SATA operation must be set to RAID ON, as SED Manager does not support AHCI on NVMe drives.

￭ The BIOS's boot mode must be UEFI and Legacy option ROMs must be disabled.

○ Any non-NVMe drive that is being leveraged for SED:

￭ The BIOS’ SATA operation must be set to AHCI, as SED Manager does not support RAID with non-NVMe drives.

￭ RAID ON is not supported because access to read and write RAID-related data (at a sector that is not available on a

locked non-NVMe drive) is not accessible at start-up, and cannot wait to read this data until after the user is logged

on.

￭ The operating system will crash when switched from RAID ON > AHCI if the AHCI controller drivers are not pre-

installed. For instructions on how to switch from RAID > AHCI (or vice versa), see KB article 124714.

Supported OPAL compliant SEDs require updated Intel Rapid Storage Technology Drivers, located at www.dell.com/support.

Dell recommends Intel Rapid Storage Technology Driver version 15.2.0.0 or later, with NVMe drives.

NOTE:

The Intel Rapid Storage Technology Drivers are platform dependent. You can find your system's driver at the link

above based on your computer model.

● The master installer installs these components if not already installed on the target computer. When using the child

installer, you must install these components before installing the clients.

Prerequisite

○ Visual C++ 2017 or later Redistributable Package (x86 or x64)

Visual C++ 2017 requires Windows Update KB2999226 if installed on Windows 7.

○ In January 2020, SHA1 signing certificates are no longer valid and cannot be renewed. Devices running Windows

7 or Windows Server 2008 R2 must install Microsoft KBs https://support.microsoft.com/help/4474419 and

https://support.microsoft.com/help/4490628 to validate SHA256 signing certificates on applications and installation

packages.

Applications and installation packages signed with SHA1 certificates will function but an error will display on the

endpoint during installation or execution of the application without these updates installed

● SED Manager is not supported with Encryption on server operating systems or Advanced Threat Prevention on a server

operating system.

●

NOTE:

A password is required with pre-boot authentication. Dell recommends a minimum password setting compliant

with internal security policies.

Requirements 21