DDP | EE Shield status as "Not protected" for policy-based encryption when SED drive is detected - Dell DSS - Security - Dell Community


This question has been answered by DELL-Steve O

Hello

I'm trying to troubleshoot an issue with PCs coming up as not-protected and I have noticed the entry which seems common among these not-protected devices:

DeviceEngine.cp: 3729 W]   ...One of the disks is SED

If this is coming up, the workstation doesn't come up as protected even after a month after having shield installed.

Is this the right assumption? How do I fix that with policies? 

Thanks in advance!

Verified Answer
  • Hello Alexsander,

    By default when the shield sees a SED (self-encrypting drive) it will not deploy our SDE (System Data Encryption) protection.  You can force this level of protection by adding the below registry key to your systems and rebooting.  

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield]

    AlwaysApplySDE=REG_DWORD:1

    If you are running the Enterprise Edition or Virtual Edition server management for your agents in the latest 9.6 server version along with a 8.12 or newer DDP|E agent you can automate this via new policy additions in that server version as well.

    Best Regards,

    Stephen O

    Senior Principal Engineer, Support & Delivery Services

    Dell Data Security

    Need Immediate help? Please call DDS Support @ +1.877.459.7304 Ext. 4310039
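A PowerShell audit for the override described above, added here as an example (not Dell's or the Shield's own code). The log path is an assumption, since the post does not say where DeviceEngine writes its log; the registry key, value name and the log string come from the thread.

```powershell
# Added example: audit (or, with -Enforce, apply) the AlwaysApplySDE override from the reply above.
# Run in an elevated session; as the reply states, a reboot is still needed afterwards.
param(
    [switch]$Enforce,          # write the value instead of only reporting it
    [string]$LogPath = $null   # assumed location of the Shield log; not given on the page
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'
$ValueName = 'AlwaysApplySDE'

function Get-AlwaysApplySdeState {
    # Returns 'Missing', 'Disabled' (present but not 1) or 'Enabled'.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return 'Missing' }
    $item = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.$ValueName) { return 'Missing' }
    if ([int]$item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-AlwaysApplySde {
    # Creates the CMGShield key if absent and writes AlwaysApplySDE as REG_DWORD 1.
    if (-not (Test-Path -LiteralPath $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-SedWarning {
    # True if the DeviceEngine warning quoted in the question appears in the given lines.
    param([string[]]$Lines)
    return [bool]($Lines | Where-Object { $_ -match 'One of the disks is SED' })
}

$state = Get-AlwaysApplySdeState
Write-Host "AlwaysApplySDE: $state"

if ($LogPath -and (Test-Path -LiteralPath $LogPath)) {
    if (Test-SedWarning -Lines (Get-Content -LiteralPath $LogPath)) {
        Write-Host "Shield logged 'One of the disks is SED'; SDE is skipped unless AlwaysApplySDE=1."
    }
}

if ($state -ne 'Enabled') {
    if ($Enforce) {
        Set-AlwaysApplySde
        Write-Host 'AlwaysApplySDE set to 1; reboot before expecting SDE to deploy.'
    } else {
        Write-Host 'Override not active; re-run with -Enforce to set it.'
    }
}
```

Running it without -Enforce only reports the state, so it is safe to push through a remote session to the hosts that show "Not protected" before deciding on a policy change.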

All Replies
  • Thank you - it initially seems to help however something bothers me: why is this not a default setting? What would be the risks associated with this policy setting? Is it more plausible to cause OS outage?

  • The thinking behind this is that if a customer has a SED they might use our Security Tools application to manage that SED and protect the entire drive from a hardware level.  If that's enabled then the DDP|E agent could just protect some of the user created content on the drive and not worry about protecting system files.  

    With regards to OS outages \ issues we work very closely with Microsoft to ensure our products function with current operating systems \ updates as well as updates coming in the future.  

    Best Regards,

    Stephen O

    Senior Principal Engineer, Support & Delivery Services

    Dell Data Security


  • Hello

    Thank you for the explanation. I have enabled the policy on one affected user and got 2 bluescreen events during the encryption process - after the encryption has finished running the sweep the issues were gone too - we will have to give it a bit more observation before being able to decide on enterprise-wide policy.

    Thank you again for the answer!

    With best regards

    Aleksander Pawlak

  • Very strange.  One of the best practices for the SDE policy is to have a policy similar to the below as this is our new default baseline.

    F#:\

    -^%ENV:SYSTEMDRIVE%\System Volume Information

    -^%ENV:SYSTEMROOT%\;dll.exe.sys.ocx.man.cat.manifest.policy

    -^%ENV:SYSTEMROOT%\System32

    -^%ENV:SYSTEMROOT%\SysWow64

    -^%ENV:SYSTEMROOT%\WinSxS

    -^%ENV:SYSTEMROOT%\Fonts

    -^3@%ENV:SYSTEMROOT%\SYSTEM32\;exe

    -^3@%ENV:SYSTEMROOT%\SYSTEM32\cmd.exe;exe

    -^3@%ENV:SYSTEMROOT%\SYSTEM32\autochk.exe;exe

    -^3@%ENV:SYSTEMROOT%\SYSTEM32\winresume.exe;exe

    -^3@%ENV:SYSTEMROOT%\SYSTEM32\csrss.exe;exe

    -^F#:\boot

    -^F#:\bootmgr

    -^3F#:\EFI\

    In addition to this it's also highly recommended to exclude any AV\Anti-Malware software that is running on the machine.  You can review this KB article for proper exclusions to make in your AV system as well as what exclusions to add to the SDE\Common area for DDP|E.

    www.dell.com/.../how-to-exclude-credant-or-dell-data-protection-encryption-from-antivirus-applications

    Best Regards,

    Stephen O

    Senior Principal Engineer, Support & Delivery Services

    Dell Data Security
