DDP | EE Shield status as "Not protected" for policy-based encryption when SED drive is detected
Hello
I'm trying to troubleshoot an issue with PCs coming up as not-protected and I have noticed the entry which seems common among these not-protected devices:
DeviceEngine.cp: 3729 W] ...One of the disks is SED
If this is coming up, the workstation doesn't come up as protected even a month after having Shield installed.
Is this the right assumption? How do I fix that with policies?
Thanks in advance!
SteveO1683 (Moderator), May 3rd, 2017 07:00
Hello Alexsander,
By default when the shield sees a SED (self-encrypting drive) it will not deploy our SDE (System Data Encryption) protection. You can force this level of protection by adding the below registry key to your systems and rebooting.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]
AlwaysApplySDE=REG_DWORD:1
If you are running the Enterprise Edition or Virtual Edition server management for your agents on the latest 9.6 server version, along with an 8.12 or newer DDP|E agent, you can also automate this via new policy additions in that server version.
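An added example (not from this thread and not Dell's code) that automates the check the moderator describes: it looks for the "One of the disks is SED" warning in Shield log lines, reads the current AlwaysApplySDE value under the CMGShield key quoted above, and sets it to 1 when it is absent or 0. The sample log lines are constructed from the one quoted in the question; the location of the real Shield log is not given on this page, so you must read it yourself and pass the lines in. Run as Administrator; the reboot the moderator mentions is still required afterwards.

```powershell
# Added example, not Dell's code. Registry path is the one quoted in the reply above.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'

function Test-ShieldSedWarning {
    param([Parameter(Mandatory)][string[]]$LogLines)
    # $true when any line carries the SED warning that the question correlates
    # with devices stuck at "Not protected".
    foreach ($line in $LogLines) {
        if ($line -match 'One of the disks is SED') { return $true }
    }
    return $false
}

function Get-AlwaysApplySde {
    # Returns the current AlwaysApplySDE value, or 0 when the key/value is missing.
    $item = Get-ItemProperty -Path $KeyPath -Name AlwaysApplySDE -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.AlwaysApplySDE
}

function Set-AlwaysApplySde {
    # Creates the CMGShield key if needed and forces AlwaysApplySDE=1 (REG_DWORD).
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name AlwaysApplySDE -PropertyType DWord -Value 1 -Force | Out-Null
}

# Constructed sample log lines (assumption: the real log is read from the Shield
# log file on the client and passed in the same way).
$sampleLog = @(
    '2017-05-02 09:14:01 DeviceEngine.cp: 3729 W] ...One of the disks is SED',
    '2017-05-02 09:14:02 DeviceEngine.cp: 3740 I] Policy evaluation complete'
)

if (Test-ShieldSedWarning -LogLines $sampleLog) {
    if ((Get-AlwaysApplySde) -ne 1) {
        Set-AlwaysApplySde
        Write-Output 'AlwaysApplySDE set to 1; reboot required before SDE is applied.'
    } else {
        Write-Output 'AlwaysApplySDE is already 1; nothing to change.'
    }
} else {
    Write-Output 'No SED warning in the supplied log lines; leaving the key alone.'
}
```

Deploy this to a pilot group first rather than fleet-wide: forcing SDE makes the agent encrypt system files on a drive the shield deliberately skipped, so verify that the machines come back as protected after the reboot and that the encryption sweep completes cleanly before turning the policy on everywhere.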
Aleksander Pawlak, May 3rd, 2017 08:00
Thank you. It initially seems to help; however, something bothers me: why is this not a default setting? What would be the risks associated with this policy setting? Is it more likely to cause an OS outage?
SteveO1683 (Moderator), May 4th, 2017 10:00
The thinking behind this is that if a customer has a SED, they might use our Security Tools application to manage that SED and protect the entire drive at the hardware level. If that's enabled, then the DDP|E agent can just protect some of the user-created content on the drive and not worry about protecting system files.
With regard to OS outages/issues, we work very closely with Microsoft to ensure our products function with current operating systems and updates, as well as updates coming in the future.
Aleksander Pawlak, May 4th, 2017 10:00
Hello
Thank you for the explanation. I enabled the policy for one affected user and got two blue-screen events during the encryption process. After the encryption finished running the sweep, the issues were gone as well. We will have to observe it a bit longer before being able to decide on an enterprise-wide policy.
Thank you again for the answer!
With best regards
Aleksander Pawlak
SteveO1683 (Moderator), May 4th, 2017 12:00
Very strange. One of the best practices for the SDE policy is to have a policy similar to the one below, as this is our new default baseline.
F#:\
-^%ENV:SYSTEMDRIVE%\System Volume Information
-^%ENV:SYSTEMROOT%\;dll.exe.sys.ocx.man.cat.manifest.policy
-^%ENV:SYSTEMROOT%\System32
-^%ENV:SYSTEMROOT%\SysWow64
-^%ENV:SYSTEMROOT%\WinSxS
-^%ENV:SYSTEMROOT%\Fonts
-^3@%ENV:SYSTEMROOT%\SYSTEM32\;exe
-^3@%ENV:SYSTEMROOT%\SYSTEM32\cmd.exe;exe
-^3@%ENV:SYSTEMROOT%\SYSTEM32\autochk.exe;exe
-^3@%ENV:SYSTEMROOT%\SYSTEM32\winresume.exe;exe
-^3@%ENV:SYSTEMROOT%\SYSTEM32\csrss.exe;exe
-^F#:\boot
-^F#:\bootmgr
-^3F#:\EFI\
In addition to this, it's also highly recommended to exclude any AV/anti-malware software that is running on the machine. You can review this KB article for the proper exclusions to make in your AV system, as well as the exclusions to add to the SDE/Common area for DDP|E.
www.dell.com/.../how-to-exclude-credant-or-dell-data-protection-encryption-from-antivirus-applications