I'm trying to troubleshoot an issue with PCs coming up as not-protected and I have noticed the entry which seems common among these not-protected devices:
DeviceEngine.cp: 3729 W] ...One of the disks is SED
If this is coming up, the workstation doesn't come up as protected even a month after having Shield installed.
Is this the right assumption? How do I fix that with policies?
Thanks in advance!
By default when the shield sees a SED (self-encrypting drive) it will not deploy our SDE (System Data Encryption) protection. You can force this level of protection by adding the below registry key to your systems and rebooting.
If you are running the Enterprise Edition or Virtual Edition server management for your agents in the latest 9.6 server version along with an 8.12 or newer DDP|E agent, you can automate this via new policy additions in that server version as well.
Senior Principal Engineer, Support & Delivery Services
Dell Data Security
Need Immediate help? Please call DDS Support @ +1.877.459.7304 Ext. 4310039
Thank you - it initially seems to help; however, something bothers me: why is this not a default setting? What would be the risks associated with this policy setting? Is it more plausible to cause OS outage?
The thinking behind this is that if a customer has a SED, they might use our Security Tools application to manage that SED and protect the entire drive from a hardware level. If that's enabled, then the DDP|E agent could just protect some of the user-created content on the drive and not worry about protecting system files.
With regards to OS outages \ issues, we work very closely with Microsoft to ensure our products function with current operating systems \ updates as well as updates coming in the future.
Thank you for the explanation. I have enabled the policy on one affected user and got 2 bluescreen events during the encryption process - after the encryption has finished running the sweep the issues were gone too - we will have to give it a bit more observation before being able to decide on enterprise-wide policy.
Thank you again for the answer!
With best regards
Very strange. One of the best practices for the SDE policy is to have a policy similar to the below as this is our new default baseline.
-^%ENV:SYSTEMDRIVE%\System Volume Information
In addition to this it's also highly recommended to exclude any AV\Anti-Malware software that is running on the machine. You can review this KB article for proper exclusions to make in your AV system as well as what exclusions to add to the SDE\Common area for DDP|E.