Install Guide

ManualsBrandsDell ManualsConverged InfrastructureEndpoint Security Suite Enterprise

Table Of Contents

Dell Endpoint Security Suite Enterprise Advanced Installation Guide v3.0
Contents
Introduction
- Before You Begin
- Using This Guide
- Contact Dell ProSupport
Requirements
- All Clients
- Encryption
- Full Disk Encryption
- Encryption on Server Operating Systems
- Advanced Threat Prevention
  - Compatibility
- Client Firewall and Web Protection
- SED Manager
- BitLocker Manager
Registry Settings
- Encryption
- Full Disk Encryption
- Advanced Threat Prevention
- SED Manager
- BitLocker Manager
Install Using the Master Installer
- Install Interactively Using the Master Installer
- Install by Command Line Using the Master Installer
Uninstall the Master Installer
- Uninstall the Endpoint Security Suite Enterprise Master Installer
Install Using the Child Installers
- Install Drivers
- Install Encryption
- Install Full Disk Encryption
- Install Encryption on Server Operating System
- Install Advanced Threat Prevention Client
- Install Client Firewall and Web Protection
- Install SED Manager and PBA Advanced Authentication
- Install BitLocker Manager
Uninstall Using the Child Installers
- Uninstall Web Protection and Firewall
- Uninstall Advanced Threat Prevention
- Uninstall Full Disk Encryption
- Uninstall SED Manager
- Uninstall Encryption and Encryption on Server Operating System
- Uninstall BitLocker Manager
Data Security Uninstaller
Commonly Used Scenarios
- Encryption Client and Advanced Threat Prevention
- SED Manager and Encryption External Media
- BitLocker Manager and Encryption External Media
- BitLocker Manager and Advanced Threat Prevention
Provision a Tenant
- Provision a Tenant
Configure Advanced Threat Prevention Agent Auto Update
Pre-Installation Configuration for SED UEFI, and BitLocker Manager
- Initialize the TPM
- Pre-Installation Configuration for UEFI Computers
- Pre-Installation Configuration to Set Up a BitLocker PBA Partition
Designate the Dell Server through Registry
Extract Child Installers
Configure Key Server
- Services Panel - Add Domain Account User
- Key Server Config File - Add User for Security Management Server Communication
- Services Panel - Restart Key Server Service
- Management Console - Add Forensic Administrator
Use the Administrative Download Utility (CMGAd)
- Use Forensic Mode
- Use Admin Mode
Configure Encryption on a Server Operating System
Configure Deferred Activation
- Deferred Activation Customization
- Prepare the Computer for Installation
- Install Encryption with Deferred Activation
- Activate Encryption with Deferred Activation
- Troubleshoot Deferred Activation
Troubleshooting
- All Clients - Troubleshooting
- All Clients - Protection Status
- Dell Encryption Troubleshooting (client and server)
- Advanced Threat Prevention Troubleshooting
- SED Troubleshooting
- Dell ControlVault Drivers
  - Update Dell ControlVault Drivers and Firmware
- UEFI Computers
- TPM and BitLocker
Glossary

BitLocker Manager

● Consider reviewing Microsoft BitLocker requirements if BitLocker is not yet deployed in your environment,

● Ensure that the PBA partition is already set up. If BitLocker Manager is installed before the PBA partition is set up, BitLocker

cannot be enabled and BitLocker Manager will not be operational. See Pre-Installation Configuration to Set Up a BitLocker

PBA Partition.

● A Dell Server is required to use BitLocker Manager.

● Ensure a signing certificate is available within the database. For more information, see KB article 124931.

● The keyboard, mouse, and video components must be directly connected to the computer. Do not use a KVM switch to

manage peripherals as the KVM switch can interfere with the computer's ability to properly identify hardware.

● Turn on and enable the TPM. BitLocker Manager takes ownership of the TPM and does not require a reboot. However, if a

TPM ownership already exists, BitLocker Manager begins the encryption setup process (no restart is required). The point is

that the TPM must be owned and enabled.

● The BitLocker Manager uses the approved AES FIPS validated algorithms if FIPS mode is enabled for the GPO security

setting "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" on the device and you

manage that device via our product. BitLocker Manager does not force this mode as default for BitLocker-encrypted clients

because Microsoft now suggests customers not use their FIPS validated encryption due to numerous issues with application

compatibility, recovery, and media encryption: http://blogs.technet.com.

● BitLocker Manager is not supported with Encryption of server operating systems or Advanced Threat Prevention on a server

operating system.

● When using a Remote Desktop connection with an endpoint leveraging BitLocker Manager, Dell recommends running any

Remote Desktop sessions in console mode to avoid any UI interaction issues with the existing user session via the following

command:

mstsc /admin /v:<target_ip_address>

● The master installer installs these components if not already installed on the target computer. When using the child

installer, you must install these components before installing the clients.

Prerequisite

○ Visual C++ 2017 or later Redistributable Package (x86 or x64)

Visual C++ 2017 requires Windows Update KB2999226 if installed on Windows 7.

○ In January 2020, SHA1 signing certificates are no longer valid and cannot be renewed. Devices running Windows

7 or Windows Server 2008 R2 must install Microsoft KBs https://support.microsoft.com/help/4474419 and

https://support.microsoft.com/help/4490628 to validate SHA256 signing certificates on applications and installation

packages.

Applications and installation packages signed with SHA1 certificates will function but an error will display on the

endpoint during installation or execution of the application without these updates installed

●

NOTE:

Computers protected by Bitlocker Manager must be updated to Windows 10 v1703 (Creators Update/Redstone

2) or later before updating to Windows 10 v1903 (May 2019 Update/19H1) or later. If this upgrade path is attempted, an

error message displays.

●

NOTE:

In-place operating system upgrades to a newer version - such as Windows 7 or Windows 8.1 - to Windows 10 is

not supported.

Hardware

● The following table details supported hardware.

Optional Embedded Hardware

○ TPM 1.2 or 2.0

Operating Systems

● The following table details supported operating systems.

Requirements