Install Guide

Rules" in AdminHelp. When Encryption is processing a policy update that includes an active SDE policy, the current user
profile directory is encrypted by default with the SDUser key (a User key) rather than the SDE key (a Device key). The
SDUser key is also used to encrypt files or folders that are copied (not moved) into a user directory that is not encrypted
with SDE.
To disable the SDUser key and use the SDE key to encrypt these user directories, create the following registry entry on the computer:
[HKEY_LOCAL_MACHINE\SOFTWARE\Credant\CMGShield]
"EnableSDUserKeyUsage"=DWORD:00000000
If this registry key is not present or is set to anything other than 0, the SDUser key will be used to encrypt these user
directories.
For more information about SDUser, see KB article 131035.
Set the EnableNGMetadata registry entry if issues occur related to Microsoft updates on computers with Common
key-encrypted data, or related to encrypting, decrypting, or unzipping large numbers of files within a folder.
Set the EnableNGMetadata registry entry in the following location:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CmgShieldFFE]
"EnableNGMetadata" = DWORD:1
0=Disabled (default)
1=Enabled
The non-domain activation feature can be enabled by contacting Dell ProSupport and requesting instructions.
The Encryption Management Agent no longer outputs policies by default. To output future consumed policies, create the
following registry key:
HKLM\Software\Dell\Dell Data Protection\
"DumpPolicies" = DWORD
Value=1
Note: Logs are written to C:\ProgramData\Dell\Dell Data Protection\Policy.
To disable or enable the Encrypt for Sharing option in the right-click menu, use the following registry key.
HKEY_LOCAL_MACHINE\SOFTWARE\Dell\Dell Data Protection\Encryption
"DisplaySharing"=DWORD
0 = disable the Encrypt for Sharing option in the right-click context menu
1 = enable the Encrypt for Sharing option in the right-click context menu
Full Disk Encryption
This section details all Dell ProSupport approved registry settings for local computers, regardless of the reason for the
registry setting. If a registry setting overlaps two products, it is listed in each category.
These registry changes should be done by administrators only and may not be appropriate or function in all scenarios.
To set the retry interval when the Dell Server is unavailable to communicate with Full Disk Encryption, add the following
registry value.
[HKLM\System\CurrentControlSet\Services\DellMgmtAgent\Parameters]
"CommErrorSleepSecs"=DWORD:300
This value is the number of seconds Full Disk Encryption waits before attempting to contact the Dell Server again when the
server is unavailable. The default is 300 seconds (5 minutes).
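The following read-only audit reports the current state of the registry values described so far in this section. It is an added example, not part of the Dell guide: the key paths and value names are taken from the page, while the function name Get-DocumentedValue and the Effect wording are hypothetical and chosen for illustration.

```powershell
# Added example: read-only audit of the registry values documented on this page.
# Key paths and value names come from the page; the Effect wording is this example's own.
function Get-DocumentedValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$unknown = 'Value not described on the page'
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Credant\CMGShield'; Name = 'EnableSDUserKeyUsage'
       Effect = { param($v)
           # Only an explicit 0 switches user directories to the SDE (Device) key.
           if ($null -ne $v -and $v -eq 0) { 'SDE key encrypts user directories' }
           else { 'SDUser key encrypts user directories' } } }
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\CmgShieldFFE'; Name = 'EnableNGMetadata'
       Effect = { param($v)
           if ($null -eq $v -or $v -eq 0) { 'Disabled (default)' }
           elseif ($v -eq 1) { 'Enabled' } else { $unknown } } }
    @{ Path = 'HKLM:\SOFTWARE\Dell\Dell Data Protection'; Name = 'DumpPolicies'
       Effect = { param($v)
           if ($null -eq $v) { 'Policies are not output (default)' }
           elseif ($v -eq 1) { 'Consumed policies are written to the Policy log folder' }
           else { $unknown } } }
    @{ Path = 'HKLM:\SOFTWARE\Dell\Dell Data Protection\Encryption'; Name = 'DisplaySharing'
       Effect = { param($v)
           if ($null -eq $v) { 'Not set (the page states no default)' }
           elseif ($v -eq 0) { 'Encrypt for Sharing hidden from the right-click menu' }
           elseif ($v -eq 1) { 'Encrypt for Sharing shown in the right-click menu' }
           else { $unknown } } }
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\DellMgmtAgent\Parameters'; Name = 'CommErrorSleepSecs'
       Effect = { param($v)
           if ($null -eq $v) { 'Retry interval 300 seconds (default)' }
           else { "Retry interval $v seconds" } } }
)

foreach ($c in $checks) {
    $value = Get-DocumentedValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Name   = $c.Name
        Value  = if ($null -eq $value) { '<not set>' } else { $value }
        Effect = & $c.Effect $value
    }
}
```

A DumpPolicies value of 1 on a production endpoint is worth flagging, because consumed policies are then written to disk under C:\ProgramData\Dell\Dell Data Protection\Policy.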
If a self-signed certificate is used on the Dell Server for Full Disk Encryption, SSL/TLS trust validation must remain disabled
on the client computer (SSL/TLS trust validation is disabled by default with Full Disk Encryption). Before enabling SSL/TLS
trust validation on the client computer, the following requirements must be met.
A certificate signed by a root authority, such as EnTrust or Verisign, must be imported into Dell Server.
The full chain of trust of the certificate must be stored in the Microsoft keystore on the client computer.
To enable SSL/TLS trust validation for Dell Encryption management, change the value of the following registry entry to 0
on the client computer.
Registry Settings