Trellix Drive Encryption 7.4.x Product Guide 10-5-2023
Contents

Product overview ... 6
  Overview ... 6
  Key features ... 6
  How it works ... 7
Product components ... 9
  Trellix ePO - On-prem Server ... 9
  Policy management ... 9
  Product extensions and packages ... 9
  LDAP server ... 9
  Client system components ... 10
System requirements ... 11
Machine Key Management ... 13
Managing Drive Encryption policies ... 16
  Policy categories ... 16
  Create a policy from the Policy Catalog ... 16
  Edit Drive Encryption policy settings from the Policy Catalog ... 17
  Assign a policy to a system group ... 17
  Enforce Drive Encryption policies on a system group ... 17
Managing Drive Encryption users ... 18
  Manage the users assigned to a system ... 18
  Add group users ... 18
    Users ... 19
    Add local domain users ... 19
  User management through User Directory ... 21
    Manage Organizational Units from the User Directory page ... 21
    Manage Users from the User Directory page ... 22
  Edit user inheritance ... 22
  How Drive Encryption controls the Windows logon mechanism ... 23
  Windows Hello authentication ... 23
  Enable Single-Sign-On (SSO) on a system ... 23
  Synchronize the Drive Encryption password with the Windows password ... 24
  Password synchronization with autoboot enabled ... 24
  Configure password content rules ... 25
  Manage a disabled user in Microsoft Active Directory or User Directory ... 26
  Managing the blacklist rule with the ALDU function ... 26
    Add an ALDU blacklist policy ... 26
  Configure global user information ... 27
  Manage logon hours ... 28
  Define Drive Encryption permission sets for Trellix ePO - On-prem users ... 29
  How disabling/deleting a user in Active Directory affects the Drive Encryption user ... 29
Managing client computers ... 31
  Add a system to an existing system group ... 31
  Move systems between groups ... 32
  Select the disks for encryption ... 32
  Enable or disable automatic booting ... 33
  Enable or disable temporary automatic booting ... 34
  Set the priority of encryption providers ... 35
  Maintain a list of incompatible products ... 35
  Enable accessibility in the preboot environment ... 36
  Allow user to reset self-recovery answers ... 37
  Manage the default and customized themes ... 37
  Assign a customized theme to a system ... 38
  Manage simple words ... 39
  Drive Encryption system recovery ... 40
  Managing servers and client systems — general recommendations ... 42
  Configure role-based access control for managing Drive Encryption ... 43
Managing Opal self-encrypting drives ... 45
Trusted Platform Module support ... 47
  Use of TPM for automatic booting ... 47
  Protection of systems in Windows lock, log off, and standby states ... 47
Configuring and managing tokens and readers ... 49
  Modify the token type associated with a system or group ... 49
  Using a Stored Value token in Drive Encryption ... 50
    Associate a Stored Value token with a system or group ... 50
    Using Single-Sign-On (SSO) ... 50
  Using a PKI token in Drive Encryption ... 50
    Associate a PKI token with a system or group ... 51
    Using Single-Sign-On (SSO) ... 51
  Using a Self-Initializing token in Drive Encryption ... 51
    Associate a Self-Initializing token with a system or group ... 51
    Using Single-Sign-On (SSO) ... 51
  Setup scenarios for the Read Username from Smartcard feature ... 52
    Setting up your environment using the Subject field ... 52
    Setting up your environment using the Subject Alternative Name - Other Name field ... 53
Managing Drive Encryption reports ... 54
  Queries as dashboard monitors ... 54
  Create Drive Encryption custom queries ... 54
  View the standard Drive Encryption reports ... 55
  Drive Encryption client events ... 58
  Create the Drive Encryption dashboard ... 58
  View the Drive Encryption dashboard ... 58
  Report the encrypted and decrypted systems ... 59
Recovering users and systems ... 60
  Enable or disable the self-recovery functionality ... 60
  Perform self-recovery on the client computer ... 61
  Enable or disable the administrator recovery functionality ... 61
  Perform administrator recovery on the client system ... 62
  Generate the challenge code in DETech tool within the boot menu ... 63
  Generate the response code for the administrator recovery ... 63
  Smartphone recovery ... 64
    Enable or disable the smartphone recovery functionality ... 64
    Perform smartphone recovery on the client system ... 65
  Perform system recovery using the Data Protection Self Service Portal ... 66
    Configure DPSSP server settings on Trellix ePO - On-prem ... 67
    Enable the DPSSP permission set for unblocking users or IP addresses ... 68
    How to instantly unblock a user or IP address ... 68
    Obtain a recovery key on the client system using DPSSP ... 69
    View the Data Protection Self Service Portal (DPSSP) reports ... 70
User guidance ... 72
1| Product overview

Product overview
Overview
Trellix Drive Encryption features deliver encryption that protects data from unauthorized access, loss, and exposure using
preboot authentication and a powerful encryption engine.

The Drive Encryption suite provides multiple layers of defense against data loss with integrated modules that address specific
areas of risk.

Drive Encryption allows you to:

• Enforce access control with pre-boot authentication
• Use certified encryption algorithms (FIPS, Common Criteria)
• Support mixed device environments, including solid-state drives
• Support Trusted Computing Group (TCG) Opal v1.0 self-encrypting drives

Drive Encryption provides protection for individual computers and roaming laptops with Basic Input Output System (BIOS) and
Unified Extensible Firmware Interface (UEFI). The software supports UEFI-based tablets and uses a Trellix ePO - On-prem Tablet
Test tool to verify that the preboot environment responds to the tablet touch interface. For more information about this tool, see
KB78050.

The Drive Encryption software includes the encryption software that is installed on client systems, and the managing component
on the servers. It is deployed and managed through Trellix ePolicy Orchestrator - On-prem.

Policies determine how Drive Encryption software functions on the user's computer. The disk encryption process is transparent
to the user and has little impact on the computer's performance.

Key features
The Drive Encryption features provide full disk encryption for Microsoft Windows laptops and desktop PCs and prevent the loss
of sensitive data, especially from lost or stolen equipment.

• Centralized management — Drive Encryption integrates fully into Trellix ePO - On-prem, leveraging the Trellix ePO -
On-prem infrastructure for automated security reporting, monitoring, deployment, and policy administration.
• Transparent encryption — Drive Encryption enables transparent encryption without hindering users or system
performance.
• Access control — Drive Encryption enforces access control with Pre-Boot Authentication.
• Recovery — The recovery feature allows the user to perform emergency recovery when the system fails to reboot or its
Pre-Boot File System (PBFS) is corrupt.
• Support for self-encrypting drives — Drive Encryption and Trellix ePO - On-prem enable centralized management of
self-encrypting drives that conform to the Opal standard from Trusted Computing Group (TCG), including locking and
unlocking, reporting, recovery, policy enforcement, and user management.

• Trusted Platform Module (TPM) — Drive Encryption supports TPM 2.0 on Windows 8 and later UEFI systems to provide
platform authentication without the need for Pre-Boot Authentication (PBA).

How it works
Trellix Drive Encryption protects the data on a system by taking control of the hard disk or self-encrypting drive (Opal) from the
operating system. When used with self-encrypting drives, Drive Encryption manages the disk authentication keys; for drives that
are not self-encrypting, the Drive Encryption driver itself encrypts the data on the disk.

1. The Trellix ePO - On-prem administrator configures Drive Encryption policies, runs Drive Encryption queries and reports,
and performs Drive Encryption system recovery if required.
2. The Trellix ePO - On-prem administrator installs the Drive Encryption extension on the Trellix ePO - On-prem server. The
Drive Encryption software is checked in to Trellix ePO - On-prem and the Drive Encryption packages are deployed to the
client system. When Drive Encryption is installed and activated, it takes control of the hard disk or self-encrypting drive
(Opal), and policies are assigned to the client system.

Note

During the activation process, the system synchronizes with Trellix ePO - On-prem and acquires user data, token data,
and preboot theme data. You can also use the Offline Activation feature to activate Drive Encryption on a client system
without connecting to the Trellix ePO - On-prem server.

3. The Trellix DEAgent package is deployed to the required client systems. The Drive Encryption driver encrypts all data that is
written to the disk and decrypts the data that is read from the disk.
4. After successful activation and system restart, the user is authenticated and logs on through the preboot environment,
which then loads the operating system.

Product components
Trellix ePO - On-prem Server
The Trellix ePO - On-prem server provides a scalable platform for centralized policy management and enforcement of your
security products and the systems they are deployed to.

Trellix ePO - On-prem server

The Trellix ePO - On-prem console:

• Allows you to manage Trellix Drive Encryption policies on the client computer
• Allows you to deploy and manage Trellix Drive Encryption products
• Provides comprehensive reporting and product deployment capabilities through a single point of control

Note

This guide does not provide detailed information about installing or using the Trellix ePO - On-prem software. See the Trellix
ePO - On-prem product documentation for detailed information about your version of Trellix ePO - On-prem.

Policy management
Trellix Drive Encryption is managed through Trellix ePO - On-prem using a combination of user-based policies and product
settings policies.

Trellix ePO - On-prem allows you to enforce policies across groups of computers or on a single computer. Any new policy
enforcement through Trellix ePO - On-prem overrides the existing policy that is already set on the individual systems. For
information about policies and how they are enforced, see the product documentation for your version of Trellix ePO - On-prem.

Product extensions and packages

The Drive Encryption extension installed in Trellix ePO - On-prem defines the encryption algorithm for the client system. The
Drive Encryption software packages that are checked in to Trellix ePO - On-prem define the Drive Encryption software that is
installed on the client system.

LDAP server
Drive Encryption acquires users through the Microsoft Active Directory (AD) or through the Trellix ePO - On-prem User Directory.
You must have a registered LDAP server or have the User Directory installed to use Policy Assignment Rules to enable
dynamically assigned permission sets, and to enable manual and automatic user account creation.

Note

Drive Encryption can also acquire users through standalone user management using the User Directory feature, which
removes the dependency on LDAP server. For more information, see User management through User Directory.

How LDAP Sync works

In Active Directory, it is possible to create a group structure where a group contains several other groups. With LDAP Sync, all the
groups can be synchronized recursively.

Consider the following AD structure, where:

• Group A contains Group B and Group C
• Group B contains Group D

If EEAdmin registers Group A for recursive sync, the users of Group B, Group D, and Group C are synchronized recursively.
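The recursive walk described above, written out as an added example; this is illustration code, not part of the product guide or of the Drive Encryption extension. The directory is a constructed in-memory dictionary standing in for the LDAP member attributes of each group, and the group and user names are made up. It goes one step beyond the guide's structure by including a group that refers back to its ancestor, because real AD group trees can contain such cycles and a naive recursion would never terminate on them.

```python
"""Recursively flatten nested AD/LDAP group membership.

Added example, not code from the Trellix product guide. The directory
below is a constructed stand-in for LDAP 'member' attributes; names are
made up. Visited groups are tracked so that membership cycles terminate.
"""
from collections import deque

# Constructed directory: each group maps to its direct members, which may
# be users or other groups. Mirrors the guide's structure (Group A contains
# Group B and Group C; Group B contains Group D) plus a constructed cycle.
DIRECTORY = {
    "Group A": ["Group B", "Group C", "alice"],
    "Group B": ["Group D", "bob"],
    "Group C": ["carol"],
    "Group D": ["dave", "Group A"],   # constructed cycle back to Group A
}


def is_group(name, directory=DIRECTORY):
    """A member is treated as a group if the directory has an entry for it."""
    return name in directory


def resolve_users(root, directory=DIRECTORY):
    """Return the set of users reachable from `root` through nested groups.

    Breadth-first walk; a group is expanded at most once, so a cycle such as
    Group D -> Group A is skipped instead of recursing forever.
    """
    users = set()
    visited = set()
    queue = deque([root])
    while queue:
        group = queue.popleft()
        if group in visited:
            continue
        visited.add(group)
        for member in directory.get(group, []):
            if is_group(member, directory):
                queue.append(member)
            else:
                users.add(member)
    return users


def resolve_direct_only(root, directory=DIRECTORY):
    """Non-recursive sync: only the users listed directly in `root`."""
    return {m for m in directory.get(root, []) if not is_group(m, directory)}


if __name__ == "__main__":
    print("recursive:  ", sorted(resolve_users("Group A")))
    print("direct only:", sorted(resolve_direct_only("Group A")))
```

Registering Group A recursively yields alice, bob, carol and dave, while a non-recursive sync of the same group yields only alice; the difference is the set of users who will be able to authenticate at preboot, which is why the guide's note on keeping the per-node user set small matters when large nested groups are registered.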

Client system components

For Trellix ePO - On-prem to communicate with a client system, the client system is configured with these components:

• Windows operating system
• Trellix Agent for Windows

The Trellix ePO - On-prem server can be configured to deploy Trellix Agent, Drive Encryption Agent, and the Drive Encryption
product to client systems using Trellix ePO - On-prem client tasks.

For more information, see the product documentation for your version of Trellix ePO - On-prem.

System requirements
Make sure that your server and client systems meet these prerequisites before installing Drive Encryption.

System requirements

Trellix ePO - On-prem server systems: See the product documentation for your version of Trellix ePO - On-prem.

Client systems:
• CPU: Pentium III 1 GHz or higher
• RAM: 512 MB minimum (1 GB recommended)
• Hard Disk: 200 MB minimum free disk space

Software requirements

Trellix ePO - On-prem: 5.10.0 or later

Drive Encryption Extensions:
• EEAdmin.zip
• EEPC.zip
• help_de_740.zip
• EEGO.zip
• UserDirectory.zip

Software packages:
• MfeEEPC.zip
• MfeEEAgent.zip

Microsoft Windows Installer 3.0 Redistributable package (for Trellix ePO - On-prem): See the product documentation for your
version of Trellix ePO - On-prem.

Microsoft .NET Framework 2.0 Redistributable package (for Trellix ePO - On-prem): See the product documentation for your
version of Trellix ePO - On-prem.

Microsoft MSXML 6 (for Trellix ePO - On-prem): See the product documentation for your version of Trellix ePO - On-prem.

Operating system requirements

Trellix ePO - On-prem server systems: See the product documentation for your version of Trellix ePO - On-prem.

Client systems: For the latest information on supported platforms, environments, and operating systems, see KB79422. For the
latest information about Windows 10 compatibility with Trellix products, see KB85784.

Machine Key Management

The purpose of encrypting the client's data is to control access to the data by controlling access to the encryption keys. It is
important that keys are not accessible to users.

The key that encrypts the hard disk sectors needs to be protected. These keys are referred to as Machine Keys. Each system has
its own unique Machine Key. The Machine Key is stored in the Trellix ePO - On-prem database to be used for client recovery when
required.

Note

For more information about reusing Machine Keys, see KB71839.

Machine Key re-use

The Machine Key re-use option is used to activate the system with the existing key on the Trellix ePO - On-prem server. This
option is highly useful when a boot disk gets corrupted and the user cannot access the system. Other disks on the corrupted
system can be recovered by activating it with the same key from Trellix ePO - On-prem.

Note

The Machine Key re-use feature is not applicable for self-encrypting (Opal) drive systems.

What happens to Machine Keys when a Drive Encryption active system is re-imaged?
All existing system data is lost, therefore the Machine Key is lost when a Drive Encryption active system is re-imaged.

What happens to the Machine Key when you delete a Drive Encryption active system from Trellix ePO
- On-prem?
The Machine Key remains in the Trellix ePO - On-prem database; however, the key association with the client system is lost when
the client system is deleted from Trellix ePO - On-prem. When the client system reports back to Trellix ePO - On-prem during
the next ASCI, it appears as a new node. A new node does not have any users assigned to the client system. The administrator
must therefore assign users to allow logon, or enable the Add local domain user option in the Product Setting Policy. The
administrator must also configure the required policies in Trellix ePO - On-prem.

The next data channel communication after adding the users and configuring the policies makes sure that:

• The Machine Key is re-associated with the client system and the recovery key is available. When the associated Machine
Key is not present with the new node, Trellix ePO - On-prem sends a Machine Key request. If the user is logged on to
the client system, an agent-server communication between the client and the Trellix ePO - On-prem server ensures the
Machine Key is updated in Trellix ePO - On-prem and the users are updated on the client. Thereafter, the Machine Key is
available and administrator recovery and policy enforcement work.
• The users are assigned to the client system. Therefore, these users can straightaway log on to the client system.

Note

Although Drive Encryption 7.3.x or later increases the number of users that pre-boot can support to 1000s rather than 100s,
we recommend minimizing the number of users assigned per node. Firstly, best security practice aims to limit the number of
users that can access a system to the smallest group of users. Secondly, assigning large numbers of users to each node might
affect the overall scalability of the entire system and reduce the maximum number of nodes that can be supported by Drive
Encryption.

What happens to Machine Keys when transferring a client system from one Trellix ePO - On-prem
server to another?
The Machine Key remains in the Trellix ePO - On-prem database; however, the key association with the client system is lost when
the client system is transferred from another Trellix ePO - On-prem server.

When a transferred client system reports back to Trellix ePO - On-prem during the next ASCI, it appears as a new node and
therefore has no users assigned to it. The administrator must assign users to allow logon at PBA, assign users to the Trellix ePO
- On-prem branch where the systems are added (by default LOST&FOUND), and enable the Add local domain user option in the
Product Setting Policy. The administrator must also configure the required policies in Trellix ePO - On-prem.

Note

To transfer all systems between Trellix ePO - On-prem servers, the best process is to follow the Trellix ePO - On-prem Disaster
Recovery process. For more information, see KB66616.

The next data channel communication after adding the users and configuring the policies ensures:

• The Machine Key is re-associated with the client system and the recovery key is available. When the associated Machine
Key is not present with the new node, Trellix ePO - On-prem sends a Machine Key request. If the user is logged on to
the client system, an agent-server communication between the client and the Trellix ePO - On-prem server ensures the
Machine Key is updated in Trellix ePO - On-prem and the users are updated on the client. Thereafter, the Machine Key
will be available and administrator recovery and policy enforcement will work.
• The users are assigned to the client system and can log on to the client system.
For details about transferring a client system from one Trellix ePO - On-prem server to another, see Trellix Drive Encryption 7.4.x
Client Transfer Migration Guide.

What happens to Machine Keys when moving systems from one branch to another in Trellix ePO -
On-prem?
The LeafNode is not deleted from the Trellix ePO - On-prem database when a system is moved from one branch to another in Trellix
ePO - On-prem, so the Machine Key remains available for that client system.

How to destroy the recovery information for a Drive Encryption installed system
When you want to secure-erase the drives in your Drive Encryption installed system, remove all users from the system (including
those inherited from parent branches in the system tree). This makes the disks inaccessible through normal authentication as
there are no longer any users assigned to the system. You must then destroy the recovery information for the system using
the option Menu | Systems | System Tree | Systems tab | Actions | Drive Encryption | Destroy All Recovery Information in
the Trellix ePO - On-prem console. You must also disable the Add local domain user option in the Product Setting Policy. This
means that the system can never be recovered.


Managing Drive Encryption policies


Managing Drive Encryption from a single location is achieved by integrating the Drive Encryption software into ePolicy
Orchestrator. This management is accomplished through the combination of product policies.

Are you configuring policies for the first time?


When configuring policies for the first time:

1. Plan product policies for the segments of your System Tree.
2. Create and assign policies to groups and systems.

Policy categories
Policy settings for Drive Encryption are grouped by category. Each policy category refers to a specific subset of policy settings.

On the Policy Catalog page, policies appear under Drive Encryption and the individual policies appear under a specific category.

• Product settings
• User-based settings
• Server settings
• Add local domain user settings: You can add regular expressions to blacklist user accounts. For details, see section Add an
ALDU blacklist policy in this Product Guide.

When you open or edit an existing policy or create a new policy under Drive Encryption, the policy settings are organized in a
series of tabs.

The policy settings, and the recommended value for each option, are organized into tabs. For details, see Trellix Drive Encryption 7.4.x
Interface Reference Guide.

Create a policy from the Policy Catalog


You can add a custom policy to the Policy Catalog before or after the Drive Encryption software is deployed.

Task
1. Click Menu → Policy → Policy Catalog.
2. Click Actions → New Policy.
3. Select the policy category from the drop-down list.
4. From the Create a policy based on this existing policy drop-down list, select the policy that you want to duplicate.
5. Type a name for the new policy.
6. Type a description in the Notes field, if required, then click OK to open the Policy Settings wizard.
7. Edit the policy settings on each tab as needed, then click Save.

What to do next

By default, the new policy is not assigned to any groups or systems.


Edit Drive Encryption policy settings from the Policy Catalog


Modify and assign the Drive Encryption policies to systems or users, as appropriate, to meet your corporate requirements. Use
Trellix ePO - On-prem to modify the settings of a policy.

Before you begin


Your user account must have administrator rights to edit policy settings for the required product.

Task
1. Click Menu → Policy → Policy Catalog, then from the Product drop-down list, select Drive Encryption 7.x.
2. Select the policy Category from the drop-down list. The policies for the selected category appear in the details pane.
3. Click the required policy, edit the required settings, then click Save.

Assign a policy to a system group


Assign a policy to multiple managed systems within a group. You can assign policies before or after deploying Drive Encryption to
the client systems.

Task
1. Click Menu → Systems → System Tree → Systems, then select a group in the System Tree. All the systems within this group
(but not its subgroups) appear in the details pane.
2. Select a system, then click Actions → Agent → Modify policies on a single system. The Policy Assignment for My
Organization page appears.
3. From the Product drop-down list, select Drive Encryption 7.x.
4. Select the Category and Policy from the drop-down lists, then click Save.

Enforce Drive Encryption policies on a system group


Enable or disable policy enforcement for a product on a System Tree group. Policy enforcement is enabled by default, and is
inherited in the System Tree.

Task
1. Click Menu → Systems → System Tree → Assigned Policies tab, then select a group in the System Tree.
2. Select Drive Encryption from the Product drop-down list, then click Enforcing next to Enforcement Status. The
Enforcement page appears.
3. To change the enforcement status, you must first select Break inheritance and assign the policy and settings below.
4. Next to Enforcement status, select Enforcing or Not enforcing accordingly.
5. Select whether to lock policy inheritance so that groups and systems that inherit this policy can't break enforcement, then
click Save.


Managing Drive Encryption users


The Trellix ePO - On-prem server allows administrators to assign users from Microsoft Active Directory or User Directory to Drive
Encryption managed systems.

The user's authentication credentials, token type, and the user information fields are managed from the Trellix ePO - On-prem
server. Drive Encryption gives the administrator the freedom of adding and removing the users to and from systems or system
groups at any time.

Manage the users assigned to a system


You can use the Trellix ePO - On-prem server to view the Drive Encryption users assigned to the client system. The Drive
Encryption software can be activated on a client system only after adding one or more users and enforcing the required
encryption policies correctly.

Before you begin


You must have administrator rights to perform this task.

You can also remove users from a client system. First check whether the user is assigned at the system level or at the branch level. If
a user is assigned at the branch level, the user remains assigned to the other client systems in that branch even after being removed from one system.

Task
1. Click Menu → Data Protection → Encryption Users to open the My Organization page.
2. From the System Tree pane, select a system.
3. Click Actions → Drive Encryption → View Users. The Encryption Users page lists the users for the selected system.

Note

This page does not display the user groups that are assigned at the branch level.

4. To remove a user:
a. Select the user name from the list, then click Actions → Drive Encryption → Delete Users.
b. When prompted for confirmation, click Yes to delete the selected user.

Add group users


Group Users are the Drive Encryption user accounts that are allocated to every encrypted system. They are typically
administration accounts used for troubleshooting and supporting the client in a given group.


Note

If you choose to add a Group or an Organizational Unit (OU), the individual user names do not appear. Instead, the entire
Domain Name of the Group or Organizational unit appears.

If you do not follow the recommendations on Change default password and Do not prompt for default password options, then
all Drive Encryption user accounts, including Group User accounts, are assigned the default password upon creation.

When you log on for the first time as a group user, you must use the default password assigned to you from the user-based
policy. For new installations, the default password is 1234567. If you are upgrading to Drive Encryption 7.4.x, the default
password remains the same. The default password before Drive Encryption 7.4.x was 12345.

Note

You might not be prompted for the default password if the User-Based Policy is configured to Do not prompt for default
password.

If you want the system to automatically capture the user's credentials without requiring them to use a default password on PBA,
enable the Do not Prompt for default password option under User Based Policies | Password.

Users

To access the data on an encrypted computer, the user must go through the PBA. If the Enable automatic booting option is not
enabled, the client user is presented with the PBA screen when the system is restarted after activating Drive Encryption.

During the first pre-boot after activation, the user needs to initialize the user account with the default password and enroll for
self recovery (if enabled in the policy).

Note

Make sure that at least one manually added user is assigned to the client system. For example, this could be an admin user
assigned to all systems.

During the initialization process, users set up their pre-boot credentials to unlock the disk.

Note

At least one Drive Encryption user must be assigned to Drive Encryption on each client; this could be an administrative user.

Add local domain users

This option automatically adds the previously logged in domain users to the client system, so that administrators don't have to
manually assign users to the client systems in the ePolicy Orchestrator console.


This option can be enabled when needed through the Drive Encryption Product Settings Policies (Menu | Policy | Policy Catalog
| Drive Encryption 7.x (Product Settings) | Log on tab | Add local domain users).

When enabled, the DEAgent queries the client system for the currently/previously logged on domain users. The DEAgent then
sends the collected data to the Trellix ePO - On-prem server. These users are then assigned to the client system.

Note

We recommend that you enable this option so that you can authenticate to the client preboot without having to manually
assign the users to the client system in the ePolicy Orchestrator console. However, it is the responsibility of the administrator
to decide whether or not this is required depending on corporate requirements.

Prerequisites
These prerequisites must be met to add the local domain users to the Drive Encryption client systems:

• The Trellix Agent package is deployed.
• The Trellix DEAgent package is deployed to the required client systems.
• The Drive Encryption package is deployed to the required client systems.
• Registered Active Directory is added and configured correctly.
• Registered Active Directory is added and configured correctly.

Note

The Add local domain users option is supported with Active Directory only.

• An automated LDAP Server User/Group Synchronization task (LdapSync: Sync across users from LDAP) is scheduled and
run.

Note

This task is used to map Active Directory attributes to the Drive Encryption settings. This is required for every
Registered LDAP server that is to be used with Drive Encryption.

• Client systems should use Active Directory for authentication.


These domain users must be previously or currently logged in users.

At the client side

The Add local domain user option is processed during the next agent-server communication. If this option is enabled in the
policy settings, the DEAgent queries the client system for the domain users who have logged on to the client. The DEAgent then
sends the collected data to the Trellix ePO - On-prem server.

The transmitted data is a list of user names and the domain names. Local Domain users are detected by examining the Windows
registry that has the profile list, which lists the users who have logged in to the system.


At the server side


When the DE administrator receives a message for adding local domain users, it executes these steps.

• It attempts to find the domain name that the user belongs to. This is done by querying the Registered Active Directory
that is configured with the automated LdapSync: Sync across users from LDAP task.
• If a registered LDAP server whose domain matches the domain name of the user is found, an LDAP query is performed that
attempts to find an LDAP node with a samaccountname that matches the user name.

If the user name is found, it is assigned to the corresponding client system. You can query the added users by using the View
Users option under Menu | Data Protection | Encryption Users | Actions | Drive Encryption | View Users.

User management through User Directory


Drive Encryption provides support for user management using the User Directory feature to remove the dependency on an LDAP
server.

The User Directory feature utilizes the LDAP Sync extension within Trellix ePO - On-prem and provides user management for
Drive Encryption users using the UserDirectory.zip extension. Once you install the UserDirectory.zip extension into the Trellix
ePO - On-prem server, you can create Organizational Units (OUs) and users and manage them on the User Directory page,
without registering an LDAP server.

You can also perform user management through User Directory using Web API commands. For more information, see Trellix
Drive Encryption 7.4.x Scripting Guide.

Note

User Directory does not support user certificates for Drive Encryption 7.2.x or later.

Note

User Directory does not support adding groups. Groups can only be added for users who are created from registered LDAP
servers.

Manage Organizational Units from the User Directory page

You can manage Organizational Units (OUs) on the User Directory page using the Tree Tasks function.

Task
1. Click Menu → User Management → User Directory.
2. To add an OU:
Click Tree Tasks → Add sub-OU, enter the OU name, then click OK.


Note

An error message appears when you add a sub-OU using the Internet Explorer (IE) 8.0.7601.17514 browser version. We
recommend you to use the 8.0.6001.18702 version, if you are using the IE 8 version.

3. To edit an OU, select the OU, then click Tree Tasks → Edit OU.
4. To delete an OU, select the OU, then click Tree Tasks → Delete OU. When prompted for confirmation, click Yes.
5. To move an OU, select the OU, click Tree Tasks → Move OU, then select the destination OU and click OK.

Manage Users from the User Directory page

You can manage users on the User Directory page using the options in the Actions menu.

Task
1. Click Menu → User Management → User Directory.
2. To add a user:
Click Actions → Add user, enter the user name and enable the user account control, if required, then click OK.
3. To edit a user, select the user, then click Actions → Edit user.
You can add or remove the user's attributes by using the + and - buttons.
4. To delete a user, select the user, then click Actions → Delete user(s). When prompted for confirmation, click Yes.
5. To enable a user, select the user, then click Actions → Enable user(s). When prompted for confirmation, click Yes.
6. To disable a user, select the user, then click Actions → Disable user(s). When prompted for confirmation, click Yes.
7. To move a user, select the user, click Actions → Move user(s), then select the destination OU and click OK.

Edit user inheritance


You can group users at different organizational levels and edit the inheritance as required. Inheritance is used to assign multiple
users to systems from a centralized location without having to work on the individual systems.

Before you begin


You must have administrator rights to perform this task.

Task
1. Click Menu → Data Protection → Encryption Users to open the My Organization page.
2. Select the Organizational Unit from the System Tree, then click the Group Users tab.
3. Click Edit in Inheritance broken to open the Edit Group Inheritance page.
4. Select Break inheritance, then click OK.

The user inheritance broken status appears:

• True — Specifies that the inheritance is broken. Breaking inheritance on a branch prevents inheritance of users and
groups from any parent branch. It has no effect on users and groups assigned to the branch or child.
• False — Specifies that the inheritance is not broken. When inheritance is not broken on a branch, users and groups
are inherited from the parent until the inheritance is broken.


How Drive Encryption controls the Windows logon mechanism


Drive Encryption supports the Single Sign On architecture and implements a Credential Provider to communicate with Windows.
Drive Encryption displays each token as a potential logon method. During log on, Drive Encryption prompts for your Windows
credentials only for the first time and Drive Encryption stores the Windows credentials securely. On subsequent logon events,
Drive Encryption retrieves the stored Windows credentials to log on. The Credential Provider can also be used to synchronise the
users’ Windows password to their corresponding MDE user password.

Windows Hello authentication


Windows Hello provides end users with simple authentication (PIN, fingerprint, face, security key, picture password). It helps
to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric
information or PIN, it's much more difficult to gain access without the user's knowledge.

By default, Windows Hello authentication is allowed by the DE credential provider. But DE credential provider features like Single
Sign-On, Password synchronisation, or Logon-managed autoboot will not function when Windows Hello credential providers are
used. If the users want the DE credential features, they can disable Windows Hello providers in Product Settings | Log On |
Windows Hello authentication.

Enable Single-Sign-On (SSO) on a system


Enabling SSO on a system allows the user to log on to the system with a single authentication process. It allows automatic logon
to the operating system once the user authenticates through the Pre-Boot Authentication page.

Task
1. Click Menu → Systems → System Tree, then select a group from the System Tree.
2. Select the target system, then click Actions → Agent → Modify Policies on a Single System to open the Policy Assignment
page.
3. From the Product drop-down list, select Drive Encryption 7.x. The policy categories under Drive Encryption display the
system's assigned policy.
4. Select the Product Settings policy category, then click Edit Assignments to open the Product Settings page.
5. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6. From the Assigned Policy drop-down list, select the policy, then click Edit Policy to open the Policy Settings page.
From this page, you can edit the selected policy or create a new policy.
7. On the Log On tab, select Enable SSO under Windows.
8. If required, select these options:

• Must match user name — This option makes sure that the SSO details are captured only when the user’s Drive
Encryption and Windows user name match. This should be used, where possible, to make sure that the Drive
Encryption user who authenticated through pre-boot does not inadvertently capture SSO for a different user.
• Using smart card PIN — This option allows the administrator to capture the smart card PIN for SSO.
• Synchronize Drive Encryption password with Windows — When the user changes their Windows password on the client, this option
synchronizes the new password to the Drive Encryption user.


• Allow user to cancel SSO — This option allows the user to cancel the SSO to Windows in the pre-boot stage only.
When this option is enabled, an additional checkbox appears at the bottom of the Pre-Boot logon dialog box. This
setting lasts for a single boot only.

9. Click Save on the Policy Settings page, then click Save on the Product Settings page.
10. Send an agent wake-up call.

Synchronize the Drive Encryption password with the Windows password


Use this task to synchronize the Drive Encryption password with the Windows password. This synchronizes the Windows
password to the Drive Encryption password, so the user needs to authenticate on the Pre-Boot Authentication page with the
Windows password.

Task
1. Click Menu → Systems → System Tree, then select a group from the System Tree.
2. Select a System, then click Actions → Agent → Modify Policies on a Single System to open the Policy Assignment page.
3. From the Product drop-down list, select Drive Encryption 7.x. The policy categories under Drive Encryption display the
system's assigned policy.
4. Select the Product Settings policy category, then click Edit Assignments to open the Product Settings page.
5. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6. From the Assigned Policy drop-down list, select the policy, then click Edit Policy to open the Policy Settings page.
From this page, you can edit the selected policy, or create a new policy.
7. On the Log On tab, click Enable SSO, then select Synchronize Drive Encryption password with Windows under Windows
pane.
8. Click Save on the Policy Settings page, then click Save on the Product Settings page.

Note

Make sure that the Windows password adheres to the Drive Encryption password restriction policy. Otherwise, the
password synchronization does not run.

9. Send an agent wake-up call.

Password synchronization with autoboot enabled


Drive Encryption previously required a user to authenticate through preboot before password synchronization could be
performed. This caused two major pain points.

• After a period of autoboot use, it was difficult to re-enable preboot because user credentials were no longer in sync.
• When using TPM autoboot, users do not routinely use preboot. When a TPM measurement changes and preboot shows,
users were unable to log in with their Windows password.


From Trellix Drive Encryption 7.4.2 onward, password synchronization can be performed even when autoboot is
enabled. This is configurable via policy. When a password is synchronized to a user who has not logged in through preboot, the
user is re-initialized (Q&A self-recovery, SSO, and password history are all reset), and the password is updated to match their
Windows password.

Task
1. Click Menu → Systems → System Tree, then select a group from the System Tree.
2. Select a System, then click Actions → Agent → Modify Policies on a Single System to open the Policy Assignment page.
3. From the Product drop-down list, select Drive Encryption 7.x. The policy categories under Drive Encryption display the
system's assigned policy.
4. Select the Product Settings policy category, then click Edit Assignments to open the Product Settings page.
5. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6. From the Assigned Policy drop-down list, select the policy, then click Edit Policy to open the Policy Settings page.
From this page, you can edit the selected policy, or create a new policy.
7. On the Log On tab, enable Password synchronization, then select Synchronize password for matching usernames, when
autoboot is enabled.
8. Click Save on the Policy Settings page, then click Save on the Product Settings page.
9. Send an agent wake-up call.

Configure password content rules


This policy setting determines whether the Drive Encryption passwords must meet complexity requirements. Complexity
requirements are enforced when the updated policy is assigned to the required user on a system.

Before you begin


You must have administrator rights to perform this task.

Task
1. Click Menu → Systems → System Tree, then select the group from the System Tree.
2. Select the system, then click Actions → Agent → Modify Policies on a Single System to open the Policy Assignment page.
3. From the Product drop-down list, select Drive Encryption 7.x. The policy categories under Drive Encryption display the
system's assigned policy.
4. Select the User Based Policy category, then click Edit Assignments to open the policy page.
5. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6. From the Assigned Policy drop-down list, select the policy, then click Edit Policy to open the Policy Settings page.
From this page, you can edit the selected policy, or create a new policy.
7. On the Password Content Rules tab, enable the Display list of password rules option to display the password
requirements to users.
8. Enter the Password Length in the Minimum and Maximum fields.
9. Under Enforce password content, type the number of Alpha, Numeric, Alphanumeric, and Symbols characters required to
form a password.
10. Under Password content restrictions, select or deselect the options to define the password content restriction rules.
11. Click Save in the Policy Settings page, then click Save in the User Based Policies settings page.
12. Send an agent wake-up call.


Note

When changing the Windows password and synchronizing to Drive Encryption password, Windows does not provide the
old password.

Manage a disabled user in Microsoft Active Directory or User Directory


Use this task to disable, delete, or ignore a user who has been disabled in Active Directory or User Directory.

Task
1. Click Menu → Configuration → Server Settings.
2. In the Setting Categories pane, click Drive Encryption, then click Edit to open the Drive Encryption page.
3. On the General tab, select Disable, Ignore or Delete from the If user disable in directory drop-down list.

Note

Options in the drop-down list are applicable only to users disabled in the Active Directory or User Directory.

4. Click Save.

Managing the blacklist rule with the ALDU function


With the Add Local Domain User (ALDU) function, domain users who have previously logged on, or are currently logged on, to the client
system can authenticate through the Pre-Boot, even if the administrator has not explicitly assigned the user to the client system.

While this captures the regular users of the system, in some cases, an administrator who has previously configured the system is
also granted access. This might be applicable to some, but not all, users.

To address this situation, you can add a blacklist of users to the Add Local Domain User Settings policy. Users added to the
blacklist are excluded from the list of users assigned by the ALDU function.

Note

Prioritization of policy assignment rules is not applicable to the ALDU blacklist policy.

Add an ALDU blacklist policy

You can add regular expressions to blacklist user accounts. Any users who match the configured regular expression are excluded
from the ALDU list. Regular Expression ECMA 262 standard is supported with the ALDU blacklist policy.

Before you begin


• You must have administrator rights to perform this task.
• Make sure that you have installed the DEAdmin extension on the Trellix ePO - On-prem server.


Task
1. Click Menu → Systems → System Tree, then select a group from the System Tree.
2. Select a System, then click Actions → Agent → Modify Policies on a Single System to open the Policy Assignment page.
3. From the Product drop-down list, select Drive Encryption 7.x. The policy categories under Drive Encryption display the
system's assigned policy.
4. Select the Add Local Domain User Settings policy category, then click Edit Assignments.
5. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6. From the Assigned Policy drop-down list, select the policy, then click Edit Policy to open the Policy Settings page.
From this page, you can edit the selected policy, or create a new policy.
7. Click Add from Regular expression and type the regular expressions that help to exclude the local domain users from being
assigned to the client system.

• \\\\domainname\\username — This blacklists the specified user from the given domain.
• \\\\.*\\username — This blacklists the specified user name from all the domains available.
• \\\\.*\\a.* — This blacklists all user names that start with the letter "a" from all available domains.
• \\\\.*\\[a-n]* — This blacklists all user names that start with a letter from "a" to "n", from all available domains.

Note

You can add multiple regular expressions under a single policy. All comparisons are case-insensitive.

8. Click Test to verify the regular expression.
9. Enter the user name in the Value field and validate the specified regular expression.
10. On the Policy Settings page, click Save, then click Save on the Product Settings page.
11. Send an agent wake-up call.

Results

During the next ASCI, this rule is applied to the new local domain users assigned to the client system where the policy is
enforced.

Note

Users assigned before the blacklist is assigned are not removed from the system.

You can also add or remove a blacklist rule to or from an existing ALDU blacklist policy.
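The blacklist matching described above, as an added example that is not part of the guide: a small JavaScript (ECMA-262, the regular expression standard the policy supports) model that applies the guide's four rule shapes to a constructed DEAgent report, so a rule can be checked offline before it is deployed. It assumes, because the guide does not say, that each reported user is compared as the whole string \\DOMAIN\user, case-insensitively; CORP, LAB and the user names are made up.

```javascript
// Added example (not from the Trellix guide): an offline model of how an
// ALDU blacklist of ECMA-262 regular expressions filters the domain users
// that the DEAgent reports.
// Assumptions (not stated in the guide): each reported user is compared as
// the string "\\DOMAIN\user" (two leading backslashes, as the guide's
// patterns imply), the rule must match the whole string, and matching is
// case-insensitive (the guide says comparisons are case-insensitive).

// Compile one policy entry exactly as typed into the policy, anchored so the
// rule has to describe the whole "\\domain\user" string.
function compileRule(pattern) {
  return new RegExp(`^(?:${pattern})$`, "i");
}

// True when any blacklist rule matches the reported user string.
function isBlacklisted(rules, userString) {
  return rules.some((re) => re.test(userString));
}

// Split a DEAgent report (domain/user pairs read from the profile list) into
// users that would be assigned to the client and users the blacklist excludes.
function applyAldu(patterns, reportedUsers) {
  const rules = patterns.map(compileRule);
  const assigned = [];
  const excluded = [];
  for (const { domain, user } of reportedUsers) {
    const key = `\\\\${domain}\\${user}`; // yields "\\DOMAIN\user"
    (isBlacklisted(rules, key) ? excluded : assigned).push(`${domain}\\${user}`);
  }
  return { assigned, excluded };
}

// Constructed sample: the four rule shapes from the guide, with "CORP",
// "helpdesk" and "svc_backup" standing in for a real domain and user names.
// String.raw keeps the backslashes exactly as they would be typed in the policy.
const SAMPLE_PATTERNS = [
  String.raw`\\\\CORP\\helpdesk`,  // one user in one domain
  String.raw`\\\\.*\\svc_backup`,  // one user name in any domain
  String.raw`\\\\.*\\a.*`,         // names starting with "a", any domain
  String.raw`\\\\.*\\[a-n]*`,      // names made only of letters a..n
];

// Constructed profile-list report, as the DEAgent would collect it.
const SAMPLE_REPORT = [
  { domain: "CORP", user: "helpdesk" },
  { domain: "LAB", user: "helpdesk" },   // other domain: rule 1 does not apply
  { domain: "LAB", user: "SVC_Backup" }, // case differs: still excluded
  { domain: "CORP", user: "alice" },
  { domain: "CORP", user: "ben" },
  { domain: "CORP", user: "oscar" },     // "o" is outside a..n: assigned
  { domain: "CORP", user: "zoe" },
];

console.log(applyAldu(SAMPLE_PATTERNS, SAMPLE_REPORT));
```

Note that the fourth rule, read as a whole-string match, excludes only names spelled entirely with letters a to n (such as "ben"), not every name that merely starts with one of them.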

Configure global user information


Global users have read and write permissions to all operations. You can create additional global administrator accounts for
people who require global administrator rights.

Configure the user information fields in the Server Settings within Drive Encryption.

Task
1. Click Menu → Configuration → Server Settings.


2. Click Drive Encryption in the Setting Categories pane, then click Edit. The Edit Drive Encryption page opens to the General
tab.
3. Click Add next to the user information fields.
4. Type the question related to the user, then select the required user attribute name from the LDAP Attribute Name list.

Note

LDAP refers to Microsoft Active Directory.

5. Click + or - in the interface to add or remove user information fields.
6. Click Save.

Note

User information fields can be set by selecting the individual user in the DE User Query. To display the users, click Menu
→ Reporting → Queries → Shared Groups → Drive Encryption, then click Run in DE:Users.

Manage logon hours


You can control and limit the timeline when a user can log on to the Drive Encryption client system.

This option does not force users to log off from the current session. However, once the user logs out from the system, the user
will not be able to log on to the client system until the next allowed logon hour.

Note

Logon hours policy is applied only when the user is not logged on.

Task
1. Click Menu → Systems → System Tree then select a group from the System Tree.
2. Select a System, then click Actions → Agent → Modify Policies on a Single System to open the Policy Assignment page.
3. From the Product drop-down list, select Drive Encryption 7.x. The policy categories under Drive Encryption display the
system's assigned policy.
4. Select the User Based Policy category, then click Edit Assignments to open the User Based Policies page.
5. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6. From the Assigned Policy drop-down list, select the policy, then click Edit Policy to open the Policy Settings page.
From this page, you can edit the selected policy, or create a new policy.
7. On the Authentication tab, select Apply restrictions in Logon Hours, then schedule the logon timing by blocking or
allowing specific logon hours.
8. Click Save in the Policy Settings page, then click Save in the User Based Policies page.
9. Send an agent wake-up call.


Define Drive Encryption permission sets for Trellix ePO - On-prem users


User accounts provide a means for users to access and use the Drive Encryption software. They are associated with permission
sets that define what users are allowed to do with the software.

You must create user accounts and permission sets to accommodate the needs of each user who logs on to the Trellix ePO -
On-prem server.

The administrator can set up Drive Encryption product-specific permission sets for different users and systems on Trellix ePO -
On-prem.

Task
1. Click Menu → User Management → Permission Sets.
2. Click New Permission Set.
3. Enter a permission set name in the Name field.
4. Select the Active Directory groups mapped to this permission set. To add a new Active Directory group, click Add, then
browse to the group and click OK.
5. Select the Server name, then click Save to open the Permission Set page.
6. Click Edit next to Drive Encryption under the new permission set to open the Edit Permission Set page.
7. Select the required permission settings, then click Save.

Note

You can assign this permission set to a new or existing Trellix ePO - On-prem user by selecting Menu → User
Management → Users.

How disabling/deleting a user in Active Directory affects the Drive Encryption user

Every user account has an objectGUID in LDAP. If a user account is deleted from LDAP and another is created with the same user
name, this new user account is a different entity. This is because the new user has a different objectGUID.

How to delete a user in LDAP

You must first delete the user in LDAP, then run the LdapSync: Sync across users from LDAP task and send an Agent wake-up
call. The user disappears from the DE Users list after the LdapSync: Sync across users from LDAP task is complete.

The Trellix ePO - On-prem Server Settings option If user is disabled in LDAP server within Configuration | Server Settings |
Drive Encryption | General | Edit can be configured to disable, delete, or ignore the user if the user has been disabled in the
LDAP Server. The default setting is Disable.

What if a user is disabled from LDAP?

If a user account is initialized on the client system and is later disabled from LDAP, it is automatically disabled or deleted from the
client, or ignored, when the next LdapSync: Sync across users from LDAP task runs, depending on the Server Settings option. To
authenticate through the client PBA with a disabled or deleted LDAP user name, set the policy to ignore the user, or re-enable the
user in LDAP, then initialize the same user name on the client with the default password.

This does not remove the user from the DE Users list in ePolicy Orchestrator; however, it removes the user from the client
system based on the option set in the Server Settings.

Is it possible to just disable the Drive Encryption user when removed from LDAP?

It is not possible to disable a Drive Encryption user when it has been removed from LDAP. The deleted user is removed from the
DE Users list in LDAP during the next LdapSync: Sync across users from LDAP task.

What if the Drive Encryption user assignment is deleted/removed?

If the Drive Encryption user assignment is deleted from a system, the user might still be assigned back to the client system
if the Add local domain users option is enabled in the Product Settings Policy. For this to work, the user must have logged
on to Windows at least once, and the domain to which the client system is connected must have been registered in ePolicy
Orchestrator. You can also manually add users using the Menu | Data Protection | Encryption users | Add Users option in
ePolicy Orchestrator.

7| Managing client computers

System management helps administrators import system information from the Active Directory server into Trellix ePO - On-prem.
This is useful in the process of installing Drive Encryption and assigning the users to the systems.

Add a system to an existing system group

Use Trellix ePO - On-prem to import systems from your Network Neighborhood to groups for working with Drive Encryption. You
can also import a network domain or Active Directory container.

Task
1. Click Menu → Systems → System Tree, then click Actions → New Systems.
2. Select the required option under How to add systems.
3. In the Systems to add field, type the NetBIOS name for each system, separated by commas, spaces, or line breaks.
Alternatively, click Browse to select the systems.
4. If you select Push agents and add systems to the current group, you can enable automatic System Tree sorting. Do this to
apply the sorting criteria to these systems.
Select the following options:

Option Action

Agent version: Select the agent version to deploy.

Installation path: Configure the agent installation path or accept the default.

Credentials for agent installation: Enter valid credentials to install the agent:
• Domain: The domain of the system
• User name: The login user name
• Password: The login password

Number of attempts: Type an integer for the specified number of attempts, or type zero for continuous attempts.

Retry interval: Type the number of seconds between two attempts.

Abort After: Type the number of minutes before stopping the connection.

Connect using (Trellix ePO - On-prem 4.6) or Push Agent using (Trellix ePO - On-prem 5.3): Select the connection used for the
deployment:
• Selected Agent Handler — Select the server from the list
• All Agent Handlers

5. Click OK.

Move systems between groups

You can move systems from one group to another in the System Tree. You can also move systems from any page that displays a
table of systems, including the results of a query.

Even if you have a well-organized System Tree that mirrors your network hierarchy and uses automated tasks and tools for
synchronization, you can manually move systems between groups. For example, you can move systems out of the Lost&Found
group.

Note

You can also drag-and-drop systems from the Systems table to any group in the System Tree.

Task
1. Click Menu → Systems → System Tree → Systems, then browse and select the systems.
2. Click Actions → Directory Management → Move Systems to open the Select New Group page.
3. Select whether to enable, disable, or maintain System Tree sorting on the selected systems when they are moved.
4. Select the group where you want to place the systems, then click OK.

Select the disks for encryption

To encrypt the target disk on your client system, you need to select the required encryption type and set the encryption priority
from the Product Setting policy available with the Drive Encryption product.

Before you begin

You must have administrator rights to perform this task.

Task
1. Click Menu → Systems → System Tree, then select a group from the System Tree.
2. Select a system, then click Actions → Agent → Modify Policies on a Single System. The Policy Assignment page for that
system appears.
3. From the Product drop-down list, select Drive Encryption 7.x. The policy categories under Drive Encryption display the
system's assigned policy.

4. Select the Product Settings policy category, then click Edit Assignments to open the Product Settings page.
5. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6. Select the policy from the Assigned policy drop-down list, then click Edit Policy to open the Policy Settings page.
From this location, you can edit the selected policy or create a new policy.
7. On the Encryption tab, select the disks to be encrypted. For the Self-Encrypting (Opal) drives, select PC Opal with All disks
or Boot only.
The Encryption type options such as None, All disks except boot disk, and Selected partitions are not applicable to
Self-Encrypting (Opal) drives.

Note

To initiate the encryption on the client, the user must select any one of the options other than None. The default option,
None, does not initiate the encryption.

8. On the Policy Settings page, click Save, then click Save on the Product Settings page.
9. Send an agent wake-up call.

Enable or disable automatic booting

The Drive Encryption preboot logon environment allows you to select a logon method and to require authentication credentials
such as user name and password.

If the user provides the correct authentication details, the Drive Encryption boot code starts the crypt driver in memory and
boots the original operating system of the protected system.

Enabling automatic booting removes the preboot authentication from the client system.

Note

If you enable this option without requiring the use of TPM, Drive Encryption doesn't protect the data on the drive when it is
not in use, because unauthorized users can boot the system.

Task
1. Click Menu → Systems → System Tree, then select a group from the System Tree.
2. Select a system, then click Actions → Agent → Modify Policies on a Single System to open the Policy Assignment page for
that system.
3. From the Product drop-down list, select Drive Encryption 7.x. The policy categories under Drive Encryption display the
system's assigned policy.
4. Select the Product Settings policy category, then click Edit Assignments to open the Product Settings page.
5. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6. From the Assigned Policy drop-down list, select the policy, then click Edit Policy to open the Policy Settings page.
From this page, you can edit the selected policy, or create a new policy.

7. From the Log On tab, select Enable automatic booting under the Drive Encryption pane to enable the preboot
environment.
A security warning appears: This will remove the pre-boot authentication. Are you sure?
8. Click Yes to enable the automatic booting.
9. Set the expiration date and time for the automatic booting, if required.
10. Click Save on the Policy Settings page, then click Save on the Product Settings page.
11. Send an agent wake-up call.

Note

If password synchronization is in use, enabling autoboot for any period of time can cause DE user credentials to go
out of sync with Windows user credentials. Therefore, it is recommended to enable "Password synchronization with
autoboot enabled". For more details, see Password synchronization with autoboot enabled.

Enable or disable temporary automatic booting

Drive Encryption allows you to turn on the preboot authentication screen with a client-side utility. This feature eliminates the
need to modify the policy in Trellix ePO - On-prem, and fully automates patching and other client management scenarios.

Task
1. In the Drive Encryption administrator Tools directory, extract EEAdminTools.zip, and locate the EpeTemporaryAutoboot.exe
file. Distribute this file to your client systems.
2. Log on to Trellix ePO - On-prem and navigate to Menu → Policy → Policy Catalog, select Drive Encryption 7.x from the
Product drop-down list, then select Product Settings from the Category drop-down list.
3. Click the policy that you want to change.
4. On the Log on tab, select Allow temporary automatic booting.

Note

If this option is not selected, you can't use EpeTemporaryAutoboot.exe on the client system.

5. Send an agent wake-up call, so that the client systems receive this new policy. You can now use this feature on the client
systems.
6. Write a script or use a client management application to run EpeTemporaryAutoboot.exe.

There are four basic options available; all of them must be run with administrator rights on the client system.

• Temporary autoboot for X reboots. Example syntax: EpeTemporaryAutoboot.exe --number-of-reboots 3.
• Temporary autoboot for X minutes. Example syntax: EpeTemporaryAutoboot.exe --timeout-in-minutes 15.
• Clear the temporary autoboot. Example syntax: EpeTemporaryAutoboot.exe --clear.
• Help. Example syntax: EpeTemporaryAutoboot.exe --help.

When autoboot is enabled, the Windows password is synchronized to the PBA password. For more details, see Password
synchronization with autoboot enabled.

Set the priority of encryption providers

The priority of the encryption providers (PC software and Opal) can be set using the Drive Encryption Product Setting policy.

Before you begin

You must have administrator rights to perform this task.

You can set the encryption priority by moving the encryption provider rows up and down, as appropriate. The encryption priority
determines the encryption technology applied.

Task
1. Click Menu → Systems → System Tree, then select a group from the System Tree.
2. Select a system, then click Actions → Agent → Modify Policies on a Single System to open the Policy Assignment page for
that system.
3. From the Product drop-down list, select Drive Encryption 7.x. The policy categories under Drive Encryption display the
system's assigned policy.
4. Select the Product Settings policy category, then click Edit Assignments to open the Product Settings page.
5. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6. From the Assigned Policy drop-down list, select the policy, then click Edit Policy to open the Policy Settings page.
From this page, you can edit the selected policy, or create a new policy.
7. On the Encryption tab, set the Encryption Provider priority by moving the encryption provider rows up and down, as
appropriate. The encryption priority determines the order of encryption on the client systems.

Note

By default, software encryption is used on both Opal and non-Opal systems in this version of Drive Encryption. To
ensure that Opal technology is the preferred software encryption option, we recommend that you always set Opal as
the default encryption provider by moving it to the top of the list on the Encryption Providers page. This makes sure
that Opal management is used on Opal drives; non-Opal drives default to software encryption.

8. Click Save in the Policy Settings page, then click Save in the Product Settings page.
9. Send an agent wake-up call.

Maintain a list of incompatible products

Using Trellix ePO - On-prem, you can create and import a rule with a set of product names that are marked as incompatible with
Drive Encryption.

Before you begin

You must have administrator rights to perform this task.

Task
1. Click Menu → Configuration → Server Settings.
2. Click Drive Encryption in the Setting Categories pane, then click Manage incompatible products. The Drive Encryption
incompatible products page lists the products that are not compatible with Drive Encryption.
3. To import an incompatible product definition, click Actions → Import incompatible product rule.
4. Browse and select the .xml file that defines the rule to detect the incompatible products, then click OK. The products are
added to the incompatible product list.

Enable accessibility in the preboot environment

The USB audio functionality enables visually challenged users to listen to a voice (spoken words) as guidance when the user
moves the focus from one field to the next using the mouse or keyboard in the preboot environment.

Accessibility allows any external USB audio device to be used and to play back pre-recorded audio files. These vocal prompts can
indicate which control or option has the focus (that is, Username, Password, OK) and specific error conditions.

Note

This functionality provides the audio guidance in the English language only.

When you install or update the product, the vocal prompts are installed on the client system only; the audio files are transferred
to the PBFS only when the policy setting is enabled. This saves space in the PBFS on systems that do not need this functionality.

Note

Drive Encryption 7.2.10 adds 508 compliance system beeps to UEFI. For details, see KB69853.

Task
1. Click Menu → Systems → System Tree, then select a group from the System Tree.
2. Select a system, then click Actions → Agent → Modify Policies on a Single System to open the Policy Assignment page for
that system.
3. From the Product drop-down list, select Drive Encryption 7.x. The policy categories under Drive Encryption display the
system's assigned policy.
4. Select the Product Settings policy category, then click Edit Assignments to open the Product Settings page.
5. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6. From the Assigned Policy drop-down list, select the policy, then click Edit Policy to open the Policy Settings page.
From this page, you can edit the selected policy, or create a new policy.
7. On the Boot Options tab, select Always enable pre-boot USB support to enable USB on the client system. Make sure that
you also enable the Enable Accessibility option under Log On | Drive Encryption.
8. Click Save on the Policy Settings page, then click Save on the Product Settings page.
9. Send an agent wake-up call.

Results

When the user tries to authenticate on the client system after enforcing this policy, the user can listen to the audio guidance in
the preboot environment.

Allow user to reset self-recovery answers

The client user's self-recovery details can be reset using the Allow users to re-enroll self-recovery information at PBA option
available with the Product Settings policy.

Before you begin

Make sure that the Enable Self-recovery option is enabled under User Based Policy → Self-recovery.

Task
1. Click Menu | Systems | System Tree, then select a group under System Tree.
2. Select a system, then click Actions → Agent → Modify Policies on a Single System to open the Policy Assignment page for
that system.
3. From the Product drop-down list, select Drive Encryption 7.x. The policy categories under Drive Encryption display the
system's assigned policy.
4. Select the Product Settings policy category, then click Edit Assignments to open the Product Settings page.
5. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6. From the Assigned Policy drop-down list, select the policy, then click Edit Policy to open the Policy Settings page.
From this page, you can edit the selected policy, or create a new policy.
7. On the Recovery tab, select Allow users to re-enroll self-recovery information at PBA to enable the option.
8. Click Save on the Policy Settings page, then click Save on the Product Settings page.
9. Send an agent wake-up call.

Results

When this policy is saved and enforced on the client system, the preboot authentication (Username) screen includes the
Reset Self Recovery option. The user selects this option, is prompted for a password, and is then taken through self-recovery
enrollment, where the user enrolls new self-recovery answers.

Note

Only initialized users can reset their self-recovery details.

Manage the default and customized themes

The default theme is downloaded to the client system when the DEAgent and Drive Encryption software package deployment
task is sent to the client computers. You can add and manage a theme to be used as a background in the Pre-Boot
Authentication page.

Before you begin

You must have administrator rights to perform this task.

The Drive Encryption Themes package is added automatically to the Master Repository after installing the EEAdmin.zip
extension in Trellix ePO - On-prem.

Task
1. Click Menu → Configuration → Server Settings.
2. On the Setting Categories pane, click Drive Encryption, then click Manage Themes to open the Drive Encryption Theme
page.
3. Click Actions → Add.
4. Type a theme name in the Name field, then select Create a new theme based on an existing theme option.
5. Select a theme from the Based on drop-down list.
6. Browse to the Background Image, then click OK. This creates the new theme package in the
C:\Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\EETHEME\DAT\0000 folder.

Note

You can also browse and install a theme package using the Select Theme package to install option.

7. Download the custom themes on the client using one of these methods:

• Update Now option under Menu → Systems → System Tree → Actions → Agent in ePolicy Orchestrator
• Product Update task
• Update Security from the client

Note

All themes have a unique ID. When you run the update task, the theme IDs are verified against the existing theme IDs
on the client, then the new theme is downloaded to the client if it has changed.

The downloaded theme packages are stored in this folder on the client:

C:\Program files\McAfee\Endpoint Encryption Agent\Repository\Themes

8. Change the theme in the Product Setting Policy, then send an agent wake-up call to apply the customized theme.

Assign a customized theme to a system

You can customize an existing theme and assign it to a client system; the customized theme is then used as the background of
the preboot authentication page.

Before you begin

You must have administrator rights to perform this task.

To create a custom theme, make sure that:

• The image has the dimensions 1024x768
• The file format is .PNG
• The .PNG file is no larger than 2.5 MB

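A preflight check for these three requirements, as an added example that is not from the product guide or the product itself: it parses the PNG signature and IHDR chunk directly (no imaging library), and it reads the 2.5 MB limit as 2.5 x 1024 x 1024 bytes, which is an assumption.

```python
"""Preflight check for a custom Drive Encryption PBA theme image.

Added example, not part of the Trellix product guide or product code. It checks
the three constraints the guide states for a theme background (PNG format,
1024x768 pixels, at most 2.5 MB) by parsing the PNG signature and IHDR chunk
directly. The 2.5 MB limit is read as 2.5 * 1024 * 1024 bytes (assumption).
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
REQUIRED_SIZE = (1024, 768)            # width x height required by the guide
MAX_BYTES = int(2.5 * 1024 * 1024)     # assumed reading of the 2.5 MB limit


def png_dimensions(data: bytes) -> tuple:
    """Return (width, height) from the IHDR chunk, or raise ValueError.

    IHDR must be the first chunk after the 8-byte signature. Its CRC is
    verified so a truncated or corrupted header is rejected rather than
    reported with a bogus size.
    """
    if len(data) < 33 or data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file (bad signature)")
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if chunk_type != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    ihdr = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(chunk_type + ihdr) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height = struct.unpack(">II", ihdr[:8])
    return width, height


def validate_theme_image(data: bytes) -> list:
    """Return a list of problems; an empty list means the image is acceptable."""
    try:
        width, height = png_dimensions(data)
    except ValueError as err:
        return [str(err)]
    problems = []
    if (width, height) != REQUIRED_SIZE:
        problems.append(
            f"dimensions {width}x{height}, expected "
            f"{REQUIRED_SIZE[0]}x{REQUIRED_SIZE[1]}")
    if len(data) > MAX_BYTES:
        problems.append(f"file size {len(data)} bytes exceeds {MAX_BYTES} bytes")
    return problems


def validate_theme_file(path: str) -> list:
    """Convenience wrapper for a theme image on disk."""
    with open(path, "rb") as fh:
        return validate_theme_image(fh.read())


def _chunk(chunk_type: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(chunk_type + payload) & 0xFFFFFFFF
    return (struct.pack(">I", len(payload)) + chunk_type + payload
            + struct.pack(">I", crc))


def make_test_png(width: int, height: int, padding: int = 0) -> bytes:
    """Build a constructed, minimal PNG for exercising the validator.

    The pixel data is a token zlib stream and is not a real picture;
    'padding' adds a tEXt chunk to simulate a larger file.
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00" * 4)
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    if padding:
        png += _chunk(b"tEXt", b"Comment\x00" + b"x" * padding)
    return png + _chunk(b"IEND", b"")


if __name__ == "__main__":
    # Constructed samples: conforming, wrong size, too large, and not a PNG.
    for label, blob in (
        ("ok", make_test_png(1024, 768)),
        ("wrong size", make_test_png(800, 600)),
        ("too large", make_test_png(1024, 768, padding=3 * 1024 * 1024)),
        ("not png", b"GIF89a" + b"\x00" * 40),
    ):
        print(label, validate_theme_image(blob) or "accepted")
```
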
Task
1. Click Menu → Systems → System Tree, then select the group from the System Tree.
2. Select a System, then click Actions → Agent → Modify Policies on a Single System to open the Policy Assignment page.
3. From the Product drop-down list, select Drive Encryption 7.x. The policy categories under Drive Encryption display the
system's assigned policy.
4. Select the Product Settings policy category, then click Edit Assignments to open the Product Settings page.
5. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6. From the Assigned Policy drop-down list, select the policy, then click Edit Policy to open the Policy Settings page.
From this page, you can edit the selected policy, or create a new policy.
7. On the Theme tab, select the customized theme from the Select theme drop-down list.
8. Click Save on the Policy Settings page, then click Save on the Product Settings page.
9. Send an agent wake-up call.

Manage simple words

Use Trellix ePO - On-prem to add and manage simple words that can't be used as passwords. The Drive Encryption simple words
are added to the Master Repository when you select Regenerate Missing Simple Word package in Manage Simple Words that is
available after the EEAdmin.zip extension is installed on Trellix ePO - On-prem.

Before you begin

You must have administrator rights to perform this task.

Task
1. Click Menu → Configuration → Server Settings.
2. Click Drive Encryption in the Setting Categories pane, then click Manage simple words.
3. Click Group Actions → Add group.
4. Type the name of the group, then click OK to create the simple word group.
5. Click Actions → Add, then type the simple words that can't be used as passwords.
6. Click Group Actions → Regenerate missing simple word package, then click Yes when prompted for confirmation. This creates
the simple words package (.xml file) for the simple words group in the
C:\Program Files\McAfee\ePolicyOrchestrator\DB\Software\Current\EESWORD\DAT\0000 folder.
7. Download the simple word package on the client using one of these methods:

• Update Now option under Menu → Systems → System Tree → Actions → Agent in Trellix ePO - On-prem
• Product Update task
• Update Security from the client

Note

All simple word packages (.xml file) have a unique ID. When you run the update task, the package IDs are verified
against the existing package IDs on the client, then the new package file is downloaded to the client if it has changed.

The downloaded simple word packages are stored in these folders on the client system:

• DE: Windows — C:\Program files\McAfee\Drive Encryption Agent\Repository\SimpleWords

8. Enable the No simple words option under User Based policies → Password Content Rules, select the required word group
from the drop-down list, then send an agent wake-up call to apply the policy to the client.

Drive Encryption system recovery

The purpose of encrypting the client's data is to control access to the data by controlling access to the encryption keys. It is
important that keys are not accessible to users.

The key that encrypts the hard disk sectors needs to be protected. These keys are referred to as Machine Keys. Each system has
its own unique Machine Key. The Machine Key is stored in the Trellix ePO - On-prem database to be used for client recovery,
when required. There are four different system recovery options available in Drive Encryption that can be reached through:
Menu → Systems → System Tree → System → Actions → Drive Encryption.

Drive Encryption system recovery

Option Definition

Decrypt offline recovery file: The encrypted machine key is stored in a recovery information file (xml) on the client system.
To enable the recovery procedures on the client systems, the user can use Trellix ePO - On-prem to decrypt the offline recovery
file that is retrieved from the client system.

Destroy all recovery information: When you want to secure-erase the drives in your Drive Encryption installed system, remove
all users from the system (including those inherited from parent branches in the System Tree). This makes the disks inaccessible
through normal authentication as there are no longer any users assigned to the system. You then need to destroy the recovery
information for the system using the option Menu → Systems → System Tree → Systems → Actions → Drive Encryption →
Destroy All Recovery Information in the Trellix ePO - On-prem console. This means that the system can never be recovered.

Key Re-use: This option is used to activate the system with the existing key present in the Trellix ePO - On-prem server. This
option is highly useful when a boot disk gets corrupted and the user cannot access the system. Other disks on the system can be
recovered by activating it with the same key from Trellix ePO - On-prem.

Export recovery information: This option is used to export the recovery information file (.xml) for the desired client system
from Trellix ePO - On-prem. Every client system that is encrypted using Drive Encryption has a recovery information file in Trellix
ePO - On-prem. Any user trying to enable the recovery procedures on the client systems should get the file from the Trellix ePO -
On-prem administrator for Drive Encryption. For more information, see the DETech User Guide.
Note: The recovery information file has a general format of client system name.xml.

Export recovery information based on Disk Keycheck: This option is used to export the recovery information file (.xml) for a
disk of a client system from Trellix ePO - On-prem. Every disk of a client system has a disk keycheck value. For instance, if a client
system has a disk called 'Disk1', you can recover that client system (when in an unrecoverable state) using the keycheck value of
'Disk1'. However, if a new disk 'Disk2' is installed and activated in that same client system, you must use the keycheck value of
'Disk2', and the keycheck value of 'Disk1' loses priority.
To perform this task, you need to access the client system using DETech and obtain the disk keycheck value using the Disk
Information option from the DETech user interface.
• In Trellix ePO - On-prem, click Actions → Drive Encryption → Export recovery information based on Disk Keycheck and enter
the obtained disk keycheck value in the Key Check field.
• The recovery information file (.xml) appears; export it to the inserted removable media.
• Use this file to authenticate to the client system using DETech. For more information, see the DETech User Guide.

What happens to the Machine Key when you delete a Drive Encryption active system from Trellix ePO - On-prem?

The Machine Key remains in the Trellix ePO - On-prem database; however, the key association with the client system is lost when
the client system is deleted. When the client system reports back to Trellix ePO - On-prem during the next ASCI, it appears as
a new node. A new node does not have any users assigned to the client system. The administrator must assign users to allow
logon, assign administrative users to the Trellix ePO - On-prem branch where the systems are added (by default, Lost&Found),
or enable the Add local domain user option in the Product Setting Policy. The administrator must also configure the required
policies in Trellix ePO - On-prem.

After adding the users and configuring the policies, the next agent-server communication makes sure that:

• The Machine Key is re-associated with the client system and the recovery key is available. When the associated Machine
Key is not present with the new node, Trellix ePO - On-prem sends a Machine Key request. If the user is logged on to the
client system, an agent-server communication between the client and the Trellix ePO - On-prem server makes sure that
the Machine Key is updated in Trellix ePO - On-prem and the users are updated on the client. After that, the Machine Key
becomes available and administrator recovery and policy enforcement work.
• The users are assigned to the client system and can log on to the client system.

You cannot log on to the client system before a proper agent-server communication occurs. In this situation, use the DETech
tool to obtain the Key Check value from the client and obtain the recovery key for this machine from the Trellix ePO - On-prem
console to perform an Emergency Boot.

Managing servers and client systems — general recommendations

Client deployment in batches for a considerable number of systems is a good practice in itself.

Keep these recommendations in mind when managing servers and client systems:

• Do not try to create the Drive Encryption deployment task at the root level of your System Tree and activate it. It is a
good practice to deploy Drive Encryption to the systems at the sub-level branches.
• Do not deploy Drive Encryption to the server systems, especially the server hosting your Trellix ePO - On-prem server.

• Keep your Trellix ePO - On-prem server and database system in a secure location, accessible to authorized personnel
only.

Configure role-based access control for managing Drive Encryption

ePolicy Orchestrator administrator rights management determines what administrators can do while managing the Drive
Encryption software.

The administrator can set up Drive Encryption-specific permission sets for different users in ePolicy Orchestrator. The permission
sets can be created for a variety of roles including but not restricted to Executive Reviewer, Global Reviewer, Group Admin, and
Group Reviewer. The Drive Encryption extension enables ePolicy Orchestrator administrators to control Drive Encryption Systems
that are managed through ePolicy Orchestrator.

The Trellix ePO - On-prem administrator for Drive Encryption can:

• Manage Drive Encryption users, policies and server settings
• Run queries to view the encryption status of the client systems
• View client system audits
• View Trellix user audits
• Manage Drive Encryption providers

Administrative roles can be configured and implemented using the User Management → Permission Sets option in ePolicy
Orchestrator. It is possible to configure a number of admin roles using this option. For example, you can create admin roles such
as:

• Drive Encryption Administrator: User accounts in this level have full control of Drive Encryption, but cannot manage any
other software in ePolicy Orchestrator.
• Drive Encryption Helpdesk: User accounts in this level can do Drive Encryption password resets only.
• Drive Encryption Engineer: User accounts in this level can do password resets as well as export recovery files to be used
with the DETech tool.
• Drive Encryption Auditor: User accounts in this level can view Drive Encryption reports only.
For more information on configuring roles, see the documentation for the relevant version of ePolicy Orchestrator.

Before you begin:

• Make sure that your LDAP server is configured and registered in ePolicy Orchestrator.
• Make sure that you schedule and run the LdapSync: Sync across users from LDAP task.
• Make sure that you enable the Active Directory User Login option in ePolicy Orchestrator. To enable, navigate through
Menu | Configuration | Server Settings | Active Directory User Login | Edit, then enable Allow Active Directory users
to login if they have at least one permission set option.

You can create different permission roles with different Drive Encryption Permission Sets and assign them to different users.

To verify the configured permission sets, log off from ePolicy Orchestrator, then log on with a user account that belongs to any
one of the new roles.


Note

Use the correct format of the user name when logging on to ePolicy Orchestrator.


Managing Opal self-encrypting drives


Opal drives are self-contained, standalone hard disk drives (HDDs) that conform to the TCG Opal standard. Drive Encryption
provides a management tool for Opal drives.

By default, PC software encryption is recommended. Opal encryption relies on the firmware implementation of the disk, and
therefore "outsources" an important part of the overall security of the encryption solution to a third-party vendor.

Background

An Opal drive is always encrypted by the onboard crypto processor; however, it might or might not be locked. Although the Opal
drives handle all of the encryption, the unlock keys need to be managed by Drive Encryption. If an Opal drive is not managed, it
behaves and responds like a non-Opal HDD.

Management of Opal drives

The combination of Drive Encryption and Trellix ePO - On-prem for Opal provides these features:

• Centralized management
• Reporting and recovery functionality
• Secure preboot authentication that unlocks the Opal drive
• Efficient user management
• Continuous policy enforcement

Note

In some cases, Drive Encryption installed systems might fail to lock OPAL disks during reboot. Subsequent policy enforcement
might fail until a full power-cycle is performed.

Recovery

Importantly, the overall experience for administrators and users in installing and using Drive Encryption is the same, whether
the target system has an Opal drive or a non-Opal HDD. The installation of the product extension, deployment of the software
packages, policy definition and enforcement, recovery, and the method of management are the same for systems with Opal and
non-Opal HDDs. You can apply the same policy to Opal and non-Opal systems, and the client system will choose the appropriate
encryption provider for the system, giving Drive Encryption a powerful, seamless, and transparent approach to managing Opal
and non-Opal systems in the same environment.

Note

To activate a system using Opal encryption, Windows 7 SP1 or later is required. On systems with Opal drives where the
operating system is Windows 7 RTW or earlier, software encryption is used.


Note

Opal activation might occasionally fail because certain Microsoft APIs used in the activation process fail. If this occurs, the
activation will restart at the next ASCI.

Important note about reimaging Opal drives

When an Opal system that was activated using Opal encryption is reimaged and restarted without first removing Drive
Encryption, the user is locked out of the system. This happens because:

• The preboot remains active, but the authentication screen is not displayed, so the user is locked out even though the
disk has been reimaged.
• The Pre-Boot File System (PBFS) is destroyed during the imaging process, so the user data needed to authenticate is no
longer available.

Compatible systems

Opal self-encrypting drives are supported on:

• Systems that boot using BIOS in AHCI mode
• Systems that boot using UEFI only where the UEFI protocol EFI_STORAGE_SECURITY_COMMAND_PROTOCOL is present
on the system. This protocol is only guaranteed to be present if the system is Windows 8 logo compliant and the system
was shipped from the manufacturer fitted with an Opal self-encrypting drive.

Drive Encryption provides an Opal Compatibility tool that tests the Opal drive on your systems to verify that it is
compatible with the Opal features. For more information about this tool, see KB76182.

Opal self-encrypting drives might not be supported on UEFI systems if the system is not Windows 8, Windows 8.1, or Windows
10 compliant, or if the system is not shipped from the manufacturer fitted with an Opal self-encrypting drive. A UEFI security
protocol that is required for Opal management is only mandatory on Windows 8 logo-compliant systems where an Opal self-
encrypting drive is fitted at the time of shipping. Systems shipped without self-encrypting drives might not include the required
security protocol. Without the security protocol, Opal management is not possible, since Drive Encryption cannot communicate
with the security features of the drive in the preboot environment.

This does not affect support for Opal drives under BIOS.


Trusted Platform Module support


Trusted Platform Module (TPM) 2.0 provides platform authentication support for Windows 8 and above UEFI systems, without
the need for preboot authentication (PBA).

TPM is a platform that allows encryption to occur using keys within the TPM. TPM is also implemented in firmware for tablets.

Drive Encryption supports TPM 2.0 and TPM 1.2 on Windows 8 and above UEFI systems for the TPM autoboot and cold-boot
protection features.

Use the temporary autoboot feature during patching to reduce preboot authentication issues. For details about TPM autoboot,
see KB79784.

Use of TPM for automatic booting


The existing automatic booting feature creates a copy of the system's encryption key as a plain-text file in the Pre-Boot File
System. With the TPM autoboot feature, Drive Encryption uses TPM to encrypt this file.

The file can only be decrypted on the system that encrypted it, and only if the boot path is unmodified from when it was
encrypted. This makes sure that only the specific TPM can decrypt the file, and moreover (like Secure Boot) ensures that malware
has not changed the boot path. The combination of TPM encryption and boot path measurements allows the user to securely
bypass Pre-Boot Authentication (PBA) through to Windows logon, where user authentication occurs.

Note

Any software update that changes the boot path, such as a Microsoft update to the UEFI bootloader, results in the preboot
screen being displayed: because the boot path has changed, the disk encryption key cannot be unsealed.
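As an added illustration of the sealing principle described above (example code, not Trellix's implementation): a simplified model in which a PCR register is extended with each boot component in order, and the key file is wrapped under a key derived from a per-TPM secret and that PCR value, so a changed bootloader or a different TPM cannot unwrap it and the system would fall back to preboot authentication. The TPM secret, boot components and disk key are constructed stand-ins.

```python
import hashlib
import hmac

# Constructed model of TPM-style sealing. A PCR starts as 32 zero bytes and is
# "extended" with the hash of each boot component, so its final value depends
# on every component and on their order.

def extend_pcr(pcr: bytes, component: bytes) -> bytes:
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_path(components) -> bytes:
    pcr = bytes(32)
    for component in components:
        pcr = extend_pcr(pcr, component)
    return pcr


def seal(tpm_secret: bytes, pcr: bytes, disk_key: bytes) -> bytes:
    """Wrap a 32-byte disk key so it unwraps only with the same TPM secret
    and the same PCR value (the boot-path policy)."""
    wrap = hmac.new(tpm_secret, b"seal" + pcr, hashlib.sha256).digest()
    keystream = hashlib.sha256(wrap + b"keystream").digest()
    blob = bytes(a ^ b for a, b in zip(disk_key, keystream))
    tag = hmac.new(wrap, blob, hashlib.sha256).digest()  # integrity check
    return blob + tag


def unseal(tpm_secret: bytes, pcr: bytes, sealed: bytes):
    """Return the disk key, or None when the TPM or boot path differs."""
    blob, tag = sealed[:32], sealed[32:]
    wrap = hmac.new(tpm_secret, b"seal" + pcr, hashlib.sha256).digest()
    expected = hmac.new(wrap, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # policy mismatch: autoboot fails, PBA is shown instead
    keystream = hashlib.sha256(wrap + b"keystream").digest()
    return bytes(a ^ b for a, b in zip(blob, keystream))


# Constructed boot path: firmware, the UEFI boot manager, the preboot loader.
BOOT_PATH = [b"firmware-v1", b"bootmgr.efi v10", b"preboot loader"]


def demo():
    tpm_secret = b"\x11" * 32   # constructed stand-in for a per-TPM secret
    disk_key = b"\x42" * 32     # constructed stand-in for the disk key
    sealed = seal(tpm_secret, measure_boot_path(BOOT_PATH), disk_key)

    # Same TPM, unchanged boot path: the key unseals and autoboot proceeds.
    same = unseal(tpm_secret, measure_boot_path(BOOT_PATH), sealed)
    # A bootloader update changes one measurement: unseal fails.
    patched = BOOT_PATH[:1] + [b"bootmgr.efi v11"] + BOOT_PATH[2:]
    after_update = unseal(tpm_secret, measure_boot_path(patched), sealed)
    # The key file copied to another machine (different TPM secret) fails too.
    other_tpm = unseal(b"\x22" * 32, measure_boot_path(BOOT_PATH), sealed)
    return same == disk_key, after_update is None, other_tpm is None


if __name__ == "__main__":
    print(demo())
```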

When autoboot is enabled, the Windows password is synchronized to the PBA password. For more details, see Password
synchronization with autoboot enabled.

Protection of systems in Windows lock, log off, and standby states


In a world where more and more systems stay switched on but in low-power states (Always-On Always-Connected, AOAC), Drive
Encryption 7.3.x provides an additional level of protection for these systems, and extends that protection to systems
where the user has locked the screen or logged off.

Drive Encryption currently protects systems that are certified for Connected Standby.

How does cold-boot protection work


The AOAC model requires systems to be in low power states to enable the system to receive push-notifications from a server,
or to periodically wake to pull data from servers while the system "sleeps". Since this process must happen automatically and
without user intervention, user authentication is not possible and therefore the disk encryption key must be kept in RAM, so that
the disk can be accessed during the wake period. This allows applications and services to access the hard disk even when the
user is not physically with the system.

Hence the system is vulnerable to cold-boot and other sophisticated RAM-based attacks.

To help defend against this problem, Drive Encryption has implemented a new security mode called Elevated Security Crypt using
the AES256-CBC encryption algorithm. This feature is only available when using software encryption; it is not available if you are
using Opal drives.

How does Elevated Security Crypt mode work


The Drive Encryption driver now operates in two modes, Standard Crypt mode or Elevated Security Crypt mode. When a
Windows user is logged on to the system, the encryption driver operates in the Standard Crypt mode. When the user puts the
system to Standby state, locks the screen, or logs off from Windows, the encryption driver switches to the Elevated Security Crypt
mode, and the encryption key is removed from DRAM and stored elsewhere in a location that is available for use in the Elevated
Security Crypt AES algorithm.

The Drive Encryption driver is therefore able to continue to access the hard disk, allowing applications and services to continue to
function; since the key is no longer in DRAM, the system is harder to attack.

Note

Policy enforcement from Trellix ePO - On-prem to the client systems is disabled while the system is in Elevated Security Crypt
mode.

Until the user resumes from Standby and (importantly) authenticates through to Windows, or while the system sits at the
Windows logon or screen lock screens, the encryption driver remains in Elevated Security Crypt mode. Once the user has
authenticated back into Windows, the encryption driver transfers the key back into DRAM, effectively switching back into the
Standard Crypt mode.

Note

When the system is in Elevated Security Crypt mode, there is an impact on the system's performance. However, because the
system enters Elevated Security Crypt mode only during Windows log off, lock, standby states, or during authentication,
the impact is not noticed while the user is logged on, as the system then runs in Standard Crypt mode.

Note

The two crypt modes work in conjunction with TPM-based autoboot:

• If TPM is used to autoboot the system, the Elevated Security Crypt mode is used throughout the boot process until a
Windows user has authenticated, after which Standard Crypt mode is used.


Configuring and managing tokens and readers


Drive Encryption supports multi-factor authentication (MFA) in the form of Stored Value, PKI SmartCards, and CAC SmartCards.

This section describes how to configure the Drive Encryption software to support these smart cards.

Modify the token type associated with a system or group


You can create a new user-based policy with a required token type and deploy it to the required system or a system group. You
can also edit and deploy an existing policy.

Before you begin


Make sure that:

• The user is already created in Active Directory.
• Drive Encryption is installed on at least the minimum supported Trellix ePO - On-prem version.
• The server task DE LDAP Server User/Group Synchronization is scheduled and runs normally between Trellix ePO -
On-prem and Microsoft Active Directory.

Task
1. Click Menu → Systems → System Tree, then select a group from the System Tree pane.
2. Select a System, then click Actions → Agent → Modify Policies on a Single System to open the Policy Assignment page.
3. From the Product drop-down list, select Drive Encryption 7.x. The policy categories under Drive Encryption display the
system's assigned policy.
4. Select the User Based Policy category, then click Edit Assignments to open the User Based Policies page.
5. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6. From the Assigned Policy drop-down list, select the policy, then click Edit Policy to open the Policy Settings page.
From this page, you can edit the selected policy, or create a new policy.
7. From the Token type drop-down list on the Authentication tab, select the required token type.

Note

For SmartCards that conform to the PKI, PIV, or CAC standards, Drive Encryption uses the information present in a
public certificate store of a PKI smartcard to look up users and encrypt their unique Drive Encryption key with the public
key available in their certificate. This certificate must be configured while selecting the PKI SmartCard token.

8. Click Save in the Policy Settings page, then click Save in the User Based Policies settings page.
9. Send an agent wake-up call.


Using a Stored Value token in Drive Encryption


A Stored Value token supported in Drive Encryption stores some token data on the token itself. You must initialize these tokens
with Drive Encryption before you can use them for authentication. The token needs to contain the necessary token data to allow
successful authentication of the user.

The Stored Value token is initialized the first time the user logs on to the Pre-Boot environment or the Windows authentication
page. Drive Encryption, primarily the Pre-Boot environment, is responsible for initializing the token. The initialization process
does not require access to the Active Directory.

Associate a Stored Value token with a system or group

You can add a user or group to a system and associate a Stored Value token with that user or group. This task explains how to
use a Stored Value token with a single user.

Before you begin


You must have administrator rights to perform this task.

Task
1. Create or edit a user-based policy with the Stored Value token type and deploy it to the required system or group. See
Modify the token type associated with a system or group.
2. In the Policy Settings page, in the Authentication tab, from the Token type drop-down list, select the required token type,
then click Save.
3. Click Save in the Policy Settings page, then click Save in the User Based Policies settings page.
4. Send an agent wake-up call.

Using Single-Sign-On (SSO)

If you selected SSO to be enforced in your policy, on the initial boot, Drive Encryption captures the SSO credentials when the
user logs on to Windows. On subsequent boots, the user only has to authenticate in Pre-Boot because SSO credentials are now
captured.

Using a PKI token in Drive Encryption


A PKI token is a smartcard supported in Drive Encryption; the necessary certificate information for the user is found in a PKI
store (such as Active Directory) and used to initialize the Drive Encryption token data. You must initialize these tokens before they
can be used to authenticate a user.

The Trellix ePO - On-prem extension initializes the token using the relevant certificate information present in Active Directory.
This information is obtained through the Lightweight Directory Access Protocol (LDAP) synchronization task that is created when
Drive Encryption is first installed on Trellix ePO - On-prem, and before users are assigned to systems.

The token data for the user is contained in the PBFS on the client. It can be successfully unlocked when the user presents the
appropriate smartcard, which matches the certificate information found in Active Directory, and the correct PIN.


Associate a PKI token with a system or group

You can add a user or group to a system and associate a PKI token with that user or group. This section explains how to use a PKI
token with a single user.

Task
1. Create or edit a user-based policy with the PKI token type and deploy it to the required system or group. See Modify the
token type associated with a system or group.
2. From the Token type drop-down list on the Policy Settings page, select the required token type, then click Save.
3. Click Save in the Policy Settings page, then click Save in the User Based Policies settings page.
4. Send an agent wake-up call.

Using Single-Sign-On (SSO)

If you selected SSO to be enforced in your policy, on the initial boot, Drive Encryption captures the SSO credentials when the
user logs on to Windows. On subsequent boots, the user only has to authenticate in Pre-Boot because SSO credentials are now
captured.

Using a Self-Initializing token in Drive Encryption


A Self-Initializing token is a form of PKI token, but rather than referencing certificate information and pre-initializing the token
data in Trellix ePO - On-prem, the client sees the card and performs the necessary initialization steps. Only the client performs
the initialization of the token data. One of the assumptions for using a Self-Initializing token is that the necessary certificate
information cannot be referenced in Active Directory or any other supported Directory Service.

The token is initialized the first time the card is presented to Drive Encryption, which happens in the Pre-Boot environment.

Associate a Self-Initializing token with a system or group

You can add a user or group to a system and associate a Self-Initializing token with that user or group. This section explains how
to use a Self-Initializing token with a single user.

Task
1. Create or edit a user-based policy with the Self-Initializing token type and deploy it to the required system or group. See
Modify the token type associated with a system or group.
2. On the Policy Settings page, from the Token type drop-down list on the Authentication tab, select the required token type,
then click Save.
3. Click Save in the Policy Settings page, then click Save in the User Based Policies settings page.
4. Send an agent wake-up call.

Using Single-Sign-On (SSO)

If you selected SSO to be enforced in your policy, on the initial boot, Drive Encryption captures the SSO credentials when the
user logs on to Windows. On subsequent boots, the user only has to authenticate in Pre-Boot because SSO credentials are now
captured.


Setup scenarios for the Read Username from Smartcard feature


You can set up your environment using the new Drive Encryption feature Read Username from Smartcard.

Before you begin


• Make sure that you have enabled the Read Username from Smartcard option under Product Settings → My Default →
Log On.
• Make sure you have scheduled and run the DE LDAP Sync task.

These scenario examples are provided to help you with the installation:

• Set up using the Subject field.
• Set up using the Subject Alternative Name - Other Name field.

Finding the Read Username from Smartcard feature in Trellix ePO - On-prem

The Read Username from Smartcard feature is configured on the Log On tab of the Product Settings page.

Finding the LDAP Sync Task User Name attribute field in Trellix ePO - On-prem

The LDAP Sync Task User Name attribute is configured on the Server Task Builder page. Click Menu → Automation → Server
Tasks, select the server task name you created for your LDAP Sync Task, then click Actions → Edit to edit the task properties.

Setting up your environment using the Subject field

This example shows setting up your environment using the Subject field.

• The user has a token that supports the Read Username from Smartcard feature.
• The user wants to log on as User1, which is the Drive Encryption user name.
• The user name that the user wants to log on as (User1) resides in the Subject field on the certificate (for example:
CN=User1,DC=DomainComponent,DC=com).
• Therefore, under Trellix ePO - On-prem Logon Product Settings, the user should select Subject as the certificate field
that contains the user name.
• Because the user wants to match the whole certificate field, deselect Match certificate username field up to the @ sign.
• The user should check their DE LDAP Sync Task User Name attribute field in Trellix ePO - On-prem. In this situation,
distinguishedname is the correct field to use because it contains the exact same information as the cert field Subject, so
a valid comparison can be made.
• Finally, the user should run their DE LDAP Sync Task, and sync their product policy on the system where they want to
use the Read Username from Smartcard feature.

Note

It is essential to understand that the distinguishedname LDAP attribute is now used. If the user ever has to log on manually
at the Pre-Boot Authentication stage, the user must type the distinguished name in the User name field (for example,
CN=User1,DC=DomainComponent,DC=com).


Setting up your environment using the Subject Alternative Name - Other Name field

This example shows setting up your environment using the Subject Alternative Name - Other Name field.

• The user has a token that supports the Read Username from Smartcard feature.
• The user wants to log on as User2, which is the Drive Encryption user name.
• The user wants to poll the Subject Alternative Name - Other Name field on the certificate. The user name that the user
wants to log on as (User2) resides in the Subject Alternative Name - Other Name field on the certificate (for example,
Other Name: Principal [email protected]).
• Under Trellix ePO - On-prem Logon Product Settings, the user should select Subject Alternative Name - Other Name as
the certificate field that contains the user name.
• Because the user wants to match only the user name from the certificate field, and not the whole certificate field, select
Match certificate username field up to @ sign.
• The user should check their DE LDAP Sync Task User Name attribute field in Trellix ePO - On-prem. In this situation, the
default samaccountname is the correct field to use because this contains the Drive Encryption user name User2, which
the user normally logs on with, and this field can be found on the certificate field Subject Alternative Name - Other
Name.
• Finally, the user should run their DE LDAP Sync Task, and synchronize their product policy onto the system they wish
to use the Poll Card feature on.
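The two scenarios above, plus the mismatch that results when the certificate field and the LDAP attribute do not carry the same value, as an added example (constructed code, not Trellix's). Certificate fields and directory entries are plain dictionaries built inline; the UPN domain in the Other Name field is a placeholder, and case-insensitive comparison is an assumption of this model.

```python
# Constructed certificate contents for the two users in the scenarios.
SUBJECT = "Subject"
SAN_OTHER_NAME = "Subject Alternative Name - Other Name"

CERT_USER1 = {
    SUBJECT: "CN=User1,DC=DomainComponent,DC=com",
    SAN_OTHER_NAME: "Principal Name=User1@example.com",  # placeholder domain
}
CERT_USER2 = {
    SUBJECT: "CN=User2,DC=DomainComponent,DC=com",
    SAN_OTHER_NAME: "Principal Name=User2@example.com",  # placeholder domain
}

# Constructed directory entries, as the DE LDAP Sync Task would import them.
DIRECTORY = [
    {"samaccountname": "User1",
     "distinguishedname": "CN=User1,DC=DomainComponent,DC=com"},
    {"samaccountname": "User2",
     "distinguishedname": "CN=User2,DC=DomainComponent,DC=com"},
]


def username_from_certificate(cert, field, match_up_to_at):
    """Return the user name read from the selected certificate field.

    field          : the certificate field chosen under Product Settings -> Log On
    match_up_to_at : the 'Match certificate username field up to the @ sign'
                     option; when set, only the part before '@' is used
    """
    value = cert.get(field)
    if value is None:
        return None
    if field == SAN_OTHER_NAME:
        # Other Name is written as 'Principal Name=<UPN>'; keep the UPN only.
        value = value.split("=", 1)[1] if "=" in value else value
    if match_up_to_at:
        value = value.split("@", 1)[0]
    return value


def resolve_user(username, user_name_attribute):
    """Compare the value read from the card with the LDAP attribute selected
    in the DE LDAP Sync Task User Name attribute field (assumed
    case-insensitive). Returns the Drive Encryption user name or None."""
    for entry in DIRECTORY:
        if entry.get(user_name_attribute, "").lower() == username.lower():
            return entry["samaccountname"]
    return None


def logon_user(cert, field, match_up_to_at, user_name_attribute):
    name = username_from_certificate(cert, field, match_up_to_at)
    return None if name is None else resolve_user(name, user_name_attribute)


def demo():
    return {
        # Scenario 1: Subject, whole field, attribute distinguishedname.
        "subject+distinguishedname":
            logon_user(CERT_USER1, SUBJECT, False, "distinguishedname"),
        # Scenario 2: Other Name, match up to '@', attribute samaccountname.
        "other_name+samaccountname":
            logon_user(CERT_USER2, SAN_OTHER_NAME, True, "samaccountname"),
        # Mismatch: a DN from Subject never equals a samaccountname value.
        "subject+samaccountname":
            logon_user(CERT_USER1, SUBJECT, False, "samaccountname"),
        # Mismatch: whole UPN kept (option deselected) does not equal User2.
        "other_name_whole+samaccountname":
            logon_user(CERT_USER2, SAN_OTHER_NAME, False, "samaccountname"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```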


Managing Drive Encryption reports


Drive Encryption queries are configurable objects that retrieve and display data from the database. These queries can be
displayed in charts and tables.

Query results can be exported to a variety of formats, any of which can be downloaded or sent as an attachment to an email
message. Most queries can be used as a dashboard monitor.

Queries as dashboard monitors


Most queries can be used as a dashboard monitor, except those using a table to display the initial results. Dashboard monitors
are refreshed automatically on a user-configured interval (five minutes by default).

Exported results
Drive Encryption query results can be exported to four different formats. Exported results are historical data and are not
refreshed like other monitors when used as dashboard monitors. Like query results and query-based monitors displayed in the
console, you can drill down into the HTML exports for more detailed information.

Reports are available in these formats:

• CSV — Use the data in a spreadsheet application (for example, Microsoft Excel).
• XML — Transform the data for other purposes.
• HTML — View the exported results as a webpage.
• PDF — Print the results.

Create Drive Encryption custom queries


You can create queries that retrieve and display details such as disk status, users, encryption provider, and product client events
for Drive Encryption. With the Query Builder wizard you can configure which data is retrieved and displayed, and how it is displayed.

Before you begin


You must have administrator rights to perform this task.

Task
1. Click Menu → Reporting → Queries & Reports, then click Actions → New to open the Query Builder wizard.
2. On the Result Type page, select Drive Encryption, then select Result Type for the query, then click Next to open the Chart
page.
This choice determines the options available on subsequent pages of the wizard.
3. Select the type of chart or table to display the primary results of the query, then click Next to open the Columns page.
If you select Boolean Pie Chart, you must configure the criteria to include in the query.
4. Select the columns to be included in the query, then click Next to open the Filter page.
If you had selected Table on the Chart page, the columns you select here are the columns of that table. Otherwise, these
are the columns that make up the query details table.


5. Select properties to narrow the search results, then click Run. The Unsaved Query page displays the results of the query,
which is actionable, so you can take any available actions on items in any tables or drill-down tables.
Selected properties appear in the content pane with operators that can specify criteria used to narrow the data that is
returned for that property.

• If the query does not return the expected results, click Edit Query to go back to the Query Builder and edit the
details of this query.
• If you don’t need to save the query, click Close.
• If this is a query you want to use again, click Save and continue to the next step.
6. In the Save Query page, type a name for the query, add any notes, and select one of these options:

• New Group — Type the new group name and select either:
    Private group (My Groups)
    Public group (Shared Groups)
• Existing Group — Select the group from the list of Shared Groups.
7. Click Save.

View the standard Drive Encryption reports


You can run and view the standard Drive Encryption reports from the Queries page.

Before you begin


You must have administrator rights to perform this task.

Task
1. Click Menu → Reporting → Queries & Reports.
2. In the Groups pane, select Drive Encryption from the Shared Groups drop-down list to open the Standard DE query list.

Note

To open DE: Out-of-band action queue, select Drive Encryption Out-of-band from Shared Groups in the Groups pane.

Queries and their definitions:

DE: Activation Failures
    Displays the list of systems that have failed activation and allows you to identify the reason for failure for each
    system.

DE: Disk Status
    Displays the status of the disk.
    Note: Partitions without drive letters assigned will be excluded from encryption.

DE: Disk Status (Rollup)
    Displays the DE: Disk Status compiled from various Trellix ePO - On-prem servers.
    Note: Drive Encryption 7.2.x or later supports both Full and Incremental rollup reports. For details, see the product
    documentation for your version of Trellix ePO - On-prem.

DE: Encryption Provider
    Displays which encryption provider is active on each system.

DE: Installed version
    Displays the version of the Drive Encryption installed in systems.

DE: Installed Version (Rollup)
    Displays the DE: Installed version details compiled from various Trellix ePO - On-prem servers.
    Note: Drive Encryption 7.2.x or later supports both Full and Incremental rollup reports. For details, see the product
    documentation for your version of Trellix ePO - On-prem.

DE: Product Client Events
    Displays Drive Encryption client events.

DE: Systems With Uninitialized Users
    Displays the list of active systems containing uninitialized users that are potentially insecure.

DE: Systems reporting a failed ePO system server transfer
    Displays systems reporting failure during system transfer to this ePO server.

DE: Users
    Lists all Drive Encryption users. From here, the user can use these options to manage the users in the selected system:
    • Clear SSO details — Clears the SSO details of the selected user (only for Windows).
    • Configure UBP enforcement — Allows a user to use a non-default User Based Policy.
    • Force user to change password — Prompts the user to change the password in the Drive Encryption authentication.
    • Reset Token — Resets the token associated with the selected user.
    • Reset self-recovery — The client user's self-recovery details are reset, and the user then has to enroll the
      self-recovery details with new self-recovery answers.
    • User Information — Maintains the user information with a list of questions and answers.

DE: Volume Status
    Displays the encryption status of the disk volumes. For self-encrypting (Opal) drives, the DE: Volume Status appears
    blank without any details because Opal does not allow volume-level encryption.

DE: Volume Status (Rollup)
    Displays the DE: Volume Status compiled from various Trellix ePO - On-prem servers.
    Note: Drive Encryption 7.2.x or later supports both Full and Incremental rollup reports. For more information, see the
    product documentation for your version of Trellix ePO - On-prem.

3. Select a query from the Queries list.
4. Click Actions → Run to display the query results.
5. Drill down into the report and take actions on items as necessary. Available actions depend on the permissions of the user.


Note

The user can edit the query and view the query details.

6. Click Close when finished.

Drive Encryption client events


While implementing and enforcing the Drive Encryption policies that control how sensitive data is encrypted, the administrators
can monitor real-time client events and generate reports using the DE: Product client events query.

For details about Drive Encryption client events, see KB84622.

Create the Drive Encryption dashboard


Dashboards are collections of user-selected and configured monitors that provide current data about your environment. You can
create your own dashboards from query results or use default Trellix ePO - On-prem dashboards.

Before you begin


You must have administrator rights to perform this task.

Task
1. Click Menu → Reporting → Dashboards, then click Options → Manage Dashboards.
2. Click New Dashboard, then enter a new name.
3. For each monitor, click New Monitor, select the monitor from the shared groups Drive Encryption to display in the
dashboard, then click OK.
4. Click Save.

Tip

You can make this dashboard public by editing the dashboard and selecting PUBLIC.

Results

All new dashboards are saved to the private My Dashboards category.

View the Drive Encryption dashboard


You can select and configure monitors that provide current data about your data protection status and other environments and
make them part of your active set of dashboards.

Task
1. Click Menu → Reporting → Dashboards, then select a private dashboard.
2. Open the Drive Encryption queries to view the selected dashboard.


Report the encrypted and decrypted systems


The disk and volume status reflects the encryption and decryption status of the managed client system, for example, Encrypted
or Decrypted.

Task
1. Click Menu → Reporting → Queries & Reports to open the Query page.
2. In the Groups pane, click Shared Groups → Drive Encryption.

Note

Edit the DE: Disk Status and DE: Volume Status queries to display the system details in table format. This gives you
a simplified view of the system and the encryption status. Make sure to include the State (Disk) and State (Volume)
columns in the table.

3. Select DE: Disk Status or DE: Volume Status from the Queries list, then click Run.

Results

The DE: Disk Status and DE: Volume Status pages appear with the list of client systems and the details configured in the
query. The State (Disk) and State (Volume) columns indicate each system's status as Encrypted or Decrypted.



12| Recovering users and systems


Resetting a remote user’s password or replacing the user's lost logon token requires a challenge and response procedure.

Enable or disable the self-recovery functionality


The Self-recovery option allows the user to reset a forgotten password by answering a set of security questions. The list of
security questions is set by the administrator using Trellix ePO - On-prem. If the answers from the user match what has been
stored with their self-recovery information, the user can proceed through the recovery process.

Use Trellix ePO - On-prem to enable or disable the self-recovery functionality in the client computer.

Task
1. Click Menu → Systems → System Tree, then select a group from the System Tree.
2. Select a system, then click Actions → Agent → Modify Policies on a Single System to open the Policy Assignment page for
that system.
3. From the Product drop-down list, select Drive Encryption 7.x. The policy categories under Drive Encryption display the
system's assigned policy.
4. Locate a User Based Policies policy category, then click Edit Assignments to open the User Based Policies page.
5. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6. Select a policy from the Assigned policy drop-down list, then click Edit Policy to open the Policy Settings page.
From this page, you can edit the selected policy, or create a new policy.
7. On the Self-recovery tab, enable or disable the self-recovery functionality for the specified user or user group.
8. Select Invalidate self-recovery after no. of attempts and type the number of attempts.

Note

The self-recovery token is invalidated if the user types invalid answers for more than the number of attempts specified
in the policy.

9. Type the number of Questions to be answered to perform the self-recovery. The client user is prompted with these
questions when trying to recover the user account at the client system.
10. Type the number of Logons before forcing user to set answers to determine how many times a user can log on without
setting their self-recovery questions and answers.
11. Click + to create a new question, then select the question Language and type the Min answer length for the answer to this
question.


Note

Answers to these questions are typed by the user on the client system during the recovery process. The user is
prompted for recovery enrollment during every logon. The user can cancel the enrollment until the user exceeds the
specified number of logon attempts. After exceeding the defined number of logon attempts, the Cancel button is
disabled and the user is forced to enroll for self-recovery.

12. Click Save.
13. Send an agent wake-up call.

Perform self-recovery on the client computer


Use this option to recover the user on the client computer, if the user's password or the logon token has been lost.

Before you begin


Make sure that you have successfully enrolled for self-recovery on the client system. This task should be performed by the client
user on the client computer.

Task
1. Click Options → Recovery.
2. Select Self-recovery for the recovery type.
3. Enter the user name, then click OK. The Recovery dialog box lists the questions that the user answered while enrolling for
self-recovery.
4. Enter the answers for the prompted questions, then click Finish to open the Change Password dialog box.
5. Enter and confirm the new password, then click OK.
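The following is an added example, not code from the guide or the product, of the properties a self-recovery answer store needs in order to honour the policy settings above: answers are normalized and stored as salted PBKDF2 digests rather than in clear text, every prompted answer is checked before a result is reported, and the record invalidates itself once failed attempts exceed the configured limit. The question texts, the iteration count and the normalization rules are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Illustrative only: not the Drive Encryption implementation. Models the policy knobs
# from the guide (invalidate after N attempts, questions to be answered, minimum
# answer length) on top of a salted, stretched answer store.

PBKDF2_ITERATIONS = 100_000  # assumption; tune to the client hardware


def normalize_answer(answer: str) -> str:
    """Case-fold, Unicode-normalize and collapse whitespace so that minor
    differences in how the user types an answer do not break recovery."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, PBKDF2_ITERATIONS)


class SelfRecoveryRecord:
    """Per-user self-recovery enrollment."""

    def __init__(self, max_attempts: int, questions_to_answer: int, min_answer_len: int):
        self.max_attempts = max_attempts
        self.questions_to_answer = questions_to_answer
        self.min_answer_len = min_answer_len
        self.entries = {}          # question text -> (salt, digest)
        self.failed_attempts = 0
        self.invalidated = False

    def enroll(self, answers: dict) -> None:
        """answers maps question text -> the user's answer (constructed sample data in the test)."""
        if len(answers) < self.questions_to_answer:
            raise ValueError("not enough questions enrolled for the policy")
        for question, answer in answers.items():
            if len(normalize_answer(answer)) < self.min_answer_len:
                raise ValueError(f"answer to {question!r} is shorter than the policy minimum")
            salt = secrets.token_bytes(16)
            self.entries[question] = (salt, _digest(answer, salt))
        self.failed_attempts = 0
        self.invalidated = False

    def prompt(self) -> list:
        """The questions the client asks: a random subset of the policy size."""
        return secrets.SystemRandom().sample(list(self.entries), self.questions_to_answer)

    def attempt(self, answers: dict) -> bool:
        """Verify one recovery attempt. True only if every prompted answer matches."""
        if self.invalidated:
            return False
        ok = len(answers) == self.questions_to_answer
        for question, answer in answers.items():
            stored = self.entries.get(question)
            if stored is None:
                ok = False
                continue
            salt, expected = stored
            # compare every answer; never stop at the first miss, so the response does
            # not reveal which question was answered wrongly
            ok &= hmac.compare_digest(_digest(answer, salt), expected)
        if ok:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts > self.max_attempts:
            # as in the guide: invalidated once wrong answers exceed the configured number
            self.invalidated = True
        return False
```

The invalidation rule follows the note above (more than the configured number of wrong attempts invalidates the self-recovery token). Checking every answer before reporting a result matters: an implementation that stops at the first wrong answer tells an attacker which question they got wrong.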

Enable or disable the administrator recovery functionality


The client system prompts for authentication on the preboot logon page to access the system. When a user forgets the
password, is disabled in the Active Directory, or loses the token, the user can't log on to the system.

Resetting the user's password, unlocking the disabled user, replacing a lost logon token, and performing machine recovery
require a challenge and response procedure. The users must start their system and click Recovery on the Drive Encryption
preboot logon page. This option needs to be enabled on the Trellix ePO - On-prem server before performing this task on the
client systems.

Use Trellix ePO - On-prem to enable or disable the administrator (system and user) recovery functionality on the client computer.

Task
1. Click Menu → Systems → System Tree, then select a group from the System Tree.
2. Select a system, then click Actions → Agent → Modify Policies on a Single System to open the Policy Assignment page for
that system.
3. From the Product drop-down list, select Drive Encryption 7.x. The policy categories under Drive Encryption display the
system's assigned policy.
4. Select the Product Settings policy category, then click Edit Assignments to open the Product Settings page.
5. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.


6. From the Assigned policy drop-down list, select a product setting policy, then click Edit Policy to open the policy Product
Settings page.
From this page, you can edit the selected policy, or create a new policy.
7. On the Recovery tab, enable or disable the system recovery functionality.
8. From the Key size drop-down list, select the required recovery key size, then enter the message to appear on the recovery
page.
9. Click Save on the Product Settings page.
10. Send an agent wake-up call.

Perform administrator recovery on the client system


If the user's password or the logon token has been lost, perform this task on the client computer to recover the user or the
system.

Important

Make sure that the client user performs this task on the client system.

Task
1. Restart the client system.
2. Click Options → Recovery.
3. Select the Administrator / Smartphone Recovery for the recovery type, then click OK to open the Recovery dialog box with
the challenge code.
4. Read the Challenge Code and get the Response Code from the administrator who manages Trellix ePO - On-prem.

Note

It is the administrator's responsibility to authenticate the client user's identity before providing the response code.

5. Enter the response code in the Line field, then click Enter.

Note

Each line of the code is checked when it is entered.

6. Click Finish.

Note

The generated response code depends on the recovery key size set in the policy and the selected recovery type, that is,
machine recovery or user recovery.


Generate the challenge code in the DETech tool within the boot menu
Use the DETech tool within the boot menu to recover systems instead of creating a DETech standalone boot disk.

Before you begin


Make sure Drive Encryption 7.3.x or later is installed on the client system.

Task
1. Restart the client system.
2. On the Boot Manager page, click Trellix Drive Encryption Recovery.

3. By default, the DETech tool opens with the challenge code displayed. Click Cancel to see the Recovery option, then
generate the challenge code in the DETech tool using the Recovery option.

Results

The Challenge code is generated from DETech tool within the boot menu.

Generate the response code for the administrator recovery


The administrator types the challenge code, which is provided by the user, on the Trellix ePO - On-prem console and generates
the response code required for the administrator (system and user) recovery.

Before you begin


Make sure that Trellix ePO - On-prem administrator performs this task in Trellix ePO - On-prem.


Task
1. Click Menu → Data Protection → Encryption Recovery. The Drive Encryption Recovery wizard displays the Challenge Code
field.
2. Ask the client user to read out the Challenge Code displayed in the Recovery dialog box on the client system.

Note

It is the administrator's responsibility to authenticate the client user's identity before generating the response code.

3. Type the Challenge Code, then click Next to open the Recovery Type page.
4. Select the required recovery type from the Recovery Type list, then click Next to open the Response Code page with the
response codes.

Note

The generated response code depends on the recovery key size set in the policy and the selected recovery type, system
recovery or user recovery.

5. Read out the response code to the user.
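The client task (Perform administrator recovery on the client system) and the administrator task above are the two halves of one challenge/response exchange. The guide does not describe the Drive Encryption algorithm, and the following is not it; it is an added example of how such a scheme is commonly structured, under these assumptions: each system has a recovery secret known to the client and to the ePO server, the response is a keyed MAC over the challenge and the recovery type truncated to the policy key size, and each read-out line carries a check symbol so the client can reject a mistyped line as soon as it is entered. The alphabet, the line length and the check rule are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Illustrative only: not the Drive Encryption algorithm. Shows why a response code can be
# checked line by line as it is typed, and why its length follows from the key size.

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # 32 symbols; 0/O and 1/I left out for reading aloud
SYMBOLS_PER_LINE = 5
LINE_WEIGHTS = (1, 3, 5, 7, 9)                   # odd weights are invertible mod 32


def generate_challenge(nbytes: int = 8) -> bytes:
    """Client side: a fresh random challenge shown on the preboot Recovery dialog."""
    return secrets.token_bytes(nbytes)


def _derive(secret: bytes, challenge: bytes, recovery_type: str, key_bits: int) -> bytes:
    if key_bits % 8 or key_bits < 64:
        raise ValueError("key size must be a multiple of 8 bits and at least 64")
    # binding the recovery type into the MAC is what makes a "user" response useless for
    # "machine" recovery and vice versa
    mac = hmac.new(secret, challenge + b"|" + recovery_type.encode(), hashlib.sha256).digest()
    return mac[: key_bits // 8]


def _encode(raw: bytes) -> str:
    """Emit 5-bit symbols from the alphabet, most significant first."""
    n = int.from_bytes(raw, "big")
    count = (len(raw) * 8 + 4) // 5
    out = []
    for _ in range(count):
        out.append(ALPHABET[n & 31])
        n >>= 5
    return "".join(reversed(out))


def check_symbol(body: str) -> str:
    """Weighted checksum over one line: any single mistyped symbol changes it."""
    total = sum(w * ALPHABET.index(c) for w, c in zip(LINE_WEIGHTS, body))
    return ALPHABET[total % 32]


def response_lines(secret: bytes, challenge: bytes, recovery_type: str, key_bits: int = 128) -> list:
    """Server side (the ePO recovery wizard): derive and format the response code.
    The number of lines depends only on the recovery key size."""
    body = _encode(_derive(secret, challenge, recovery_type, key_bits))
    lines = []
    for i in range(0, len(body), SYMBOLS_PER_LINE):
        chunk = body[i:i + SYMBOLS_PER_LINE]
        lines.append(chunk + check_symbol(chunk))
    return lines


def line_is_well_formed(line: str) -> bool:
    """Client side, run as each line is typed: reject a line whose check symbol is wrong."""
    line = line.strip().upper()
    if len(line) < 2 or len(line) > SYMBOLS_PER_LINE + 1 or any(c not in ALPHABET for c in line):
        return False
    return check_symbol(line[:-1]) == line[-1]


def verify_response(secret: bytes, challenge: bytes, recovery_type: str, entered: list,
                    key_bits: int = 128) -> bool:
    """Client side, after the last line: recompute the expected code and compare in constant time."""
    if not all(line_is_well_formed(line) for line in entered):
        return False
    expected = "".join(response_lines(secret, challenge, recovery_type, key_bits))
    typed = "".join(line.strip().upper() for line in entered)
    return hmac.compare_digest(typed.encode(), expected.encode())
```

Binding the recovery type into the MAC is what makes a response generated for user recovery useless for machine recovery, matching the note that the response depends on the selected recovery type. The check symbol only detects typing errors and carries no secret: a line that passes the check has not been authenticated, and only the full comparison at the end authorizes the recovery.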

Smartphone recovery
When a Drive Encryption user forgets the PBA password or loses the logon token, the user must perform the smartphone
recovery on the client system to reset the password or replace the logon token.

To perform the smartphone recovery, the user must first download and install the Trellix Endpoint Assistant application onto
the smartphone or tablet. The user can download the free Trellix Endpoint Assistant application from Google Play for supported
Android smartphones or from the Apple App Store for supported iOS smartphones.

Note

Trellix recommends that Drive Encryption users perform smartphone recovery rather than administrator recovery or self-recovery,
for a quicker and better experience.

Enable or disable the smartphone recovery functionality

You must enable the smartphone recovery functionality in Trellix ePO - On-prem before a user who forgets the PBA password can
use it to reset the password.

The client system prompts for authentication on the preboot logon page to access the system. When a user forgets the
password, is disabled in the Active Directory, or loses the token, the user can't log on to the system.


Resetting the user’s password, unlocking the disabled user, replacing a lost logon token, and performing system recovery require
a challenge and response procedure. The users must start their system and click Recovery on the Drive Encryption preboot
logon page. This option needs to be enabled on the Trellix ePO - On-prem server before performing this task on the client
systems.

Use Trellix ePO - On-prem to enable or disable the smartphone recovery functionality on the client computer.

Task
1. Click Menu → Systems → System Tree, then select a group from the System Tree.
2. Select a system, then click Actions → Agent → Modify Policies on a Single System to open the Policy Assignment page for
that system.
3. From the Product drop-down list, select Drive Encryption 7.x. The policy categories under Drive Encryption display the
system's assigned policy.
4. Select the Product Settings policy category, then click Edit Assignments to open the Product Settings page.
5. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
6. From the Assigned policy drop-down list, select a product setting policy, then click Edit Policy to open the Product Settings
page.
From this page, you can edit the selected policy, or create a new policy.
7. On the Companion Devices tab, enable or disable the Enable Companion Device Support option to perform system
recovery through smartphone.
8. Click Save.
9. Select the User Based Policies policy category, then click Edit Assignments to open the User Based Policies page.
10. If the policy is inherited, select Break inheritance and assign the policy and settings below next to Inherit from.
11. From the Assigned policy drop-down list, select a user based policy, then click Edit Policy to open the User Based Policies
page.
From this page, you can edit the selected policy, or create a new policy.
12. On the Companion Devices tab, enable or disable the Recovery option to perform system recovery through smartphone.
13. Select the required Password Definition option to set the rules that a new password must satisfy.
If a user has already set a password under a stronger password definition, the user cannot change to a password that meets
only a weaker (less secure) password definition, even if that weaker policy is set in Trellix ePO - On-prem.
14. Click Save on the User Based Policies page.
15. Send an agent wake-up call.

Perform smartphone recovery on the client system

To perform smartphone recovery on the client system, the user must first register the client system with the smartphone or
tablet, and then perform the recovery process on the client system.

Smartphone registration

Task
1. During Pre-Boot Authentication (PBA), in the User Selection screen, select the Register Smartphone option.


The Smartphone Registration page may also appear automatically the first time a user logs on to a system, or the first time
that the user logs on after the policy was enabled in Trellix ePO - On-prem (policy option to support smartphone recovery
has been set for the user in Trellix ePO - On-prem).
2. Enter your credentials and authenticate.
When the password is accepted, the QR Code Recovery Registration window is shown on PBA.
3. Open the Endpoint Assistant application on your smartphone or tablet and click Scan to scan the image that appears on
the QR Code Recovery Registration dialog box.
After the image is scanned, a notification on your smartphone or tablet confirms that the system is registered with the
device.
4. On the QR Code Recovery Registration window, click Finish to proceed to Windows.

Note

The first time a user logs on to initialize or the first time the policy option to support smartphone recovery is switched
on, the system displays the registration screen automatically. However, if the user clicks Finish, the screen does not
appear again. If the user clicks Skip, it appears again at the next logon attempt.

Recovery process

Task
1. Click Options → Recovery.
2. Select the Administrator / Smartphone Recovery recovery type, then click OK to open the Recovery dialog box, which shows
the challenge code.
3. On your smartphone or tablet, select Tap to Scan to scan the image that appears on the Recovery dialog box.
Once the image is scanned properly, you will receive the response code on your smartphone or tablet.
4. Click Next.
5. Enter the Response Code in the Line field, then click Enter.
Each line of the code is checked when it is entered.
6. Click Finish.

Note

You can also manage your keys by selecting the Manage option on your smartphone or tablet.

Perform system recovery using the Data Protection Self Service Portal
This section describes the installation, configuration, and operation of the Data Protection Self Service Portal (DPSSP), which can
be used with Drive Encryption to allow users to obtain the recovery key or response code for a Drive Encryption system.

Important: Privacy Notice

DPSSP collects users' login names, system names, IP addresses, and audit data. Access to this information is available in DPSSP
reports within Trellix ePO - On-prem. Ensure that access to these reports is authorized and appropriately managed.

The administrator must first install the dpssp.zip extension in Trellix ePO - On-prem, and make the required DPSSP server
settings. An authorized client user can open the DPSSP portal on a system to obtain a response code for Drive Encryption upon
entering the corresponding challenge code for the system to be recovered.

The full DPSSP URL is displayed in Menu → Configuration → Server Settings → DPSSP Settings.

The DPSSP URL will be of the general form https://<ePO_IP_address>:<Port_Number>/dpssp/selfRecovery.

Important

The default port number used in the DPSSP URL is 8443. To review an issue where using Port 8444 causes a problem with the
website's security certificate when accessing DPSSP, see KB86781.

Configure DPSSP server settings on Trellix ePO - On-prem

The administrator must configure DPSSP server settings within Trellix ePO - On-prem to allow a user to obtain the recovery key or
response code on the client system using DPSSP.

Before you begin


Make sure that you have installed the dpssp.zip extension on the Trellix ePO - On-prem server before performing this task.

Task
1. Log on to the Trellix ePO - On-prem server as an administrator.
2. Click Menu → Configuration → Server Settings.
3. On the left pane, select DPSSP Settings and click Edit to open the Edit DPSSP Settings page.
4. Enable the Self Service Portal option.
5. Next to ePO user, type the Trellix ePO - On-prem user name.

Note

Make sure that the Trellix ePO - On-prem user name that you enter has the permission to perform recovery operations
in Drive Encryption. We recommend that you create a specific Trellix ePO - On-prem user for DPSSP recoveries, and limit
the permission set privileges to Drive Encryption recovery only.

6. Next to Authentication, select the Active Directory server that the users need to authenticate to.

Note

Select an Active Directory server that is registered in Trellix ePO - On-prem.

7. Next to Logging, enable the Log authentication attempts and Log user activity options.


8. Next to Blocking, enable the Enable IP address blocking option, and perform the following operations:
a. Block IP address after (failed logins) — Type the numeric value to block the IP address after the specified number of
unsuccessful logon attempts.
b. Unblock after (minutes) — Type the numeric value in minutes to unblock the respective IP address after the specified
number of minutes.

Note

To instantly unblock an IP address, refer to the How to instantly unblock a user or IP address section.

9. Next to Blocking, enable the Enable user blocking option, and perform the following operations:
a. Block user after (failed logins) — Type the numeric value to block the user after the specified number of unsuccessful
logon attempts.
b. Unblock after (minutes) — Type the numeric value in minutes to unblock the respective user after the specified
number of minutes.

Note

For 10 minutes after the dpssp.zip extension is installed or the Trellix ePO - On-prem server is restarted, users cannot be
blocked or unblocked.

Note

To instantly unblock a user, refer to the How to instantly unblock a user or IP address section.

10. Next to Session, type the numeric value in minutes to log off the user's session after the specified number of minutes.
11. Click Save.

Enable the DPSSP permission set for unblocking users or IP addresses

Enabling the DPSSP permission set allows an administrator to remove users or IP addresses from the blocked list after repeated
failed logons in the DPSSP portal have caused them to be blocked.

To enable the DPSSP permission set for unblocking users or IP addresses, follow these steps:

Task
1. Click Menu → User Management → Permission Sets.
2. Next to the Data Protection Self Service Portal permission set, click Edit.
3. Next to the Data Protection Self Service Portal option, select Unblock users or IP addresses.
4. Click Save.

How to instantly unblock a user or IP address

To instantly unblock a user or IP address after the specified number of unsuccessful logon attempts, follow these steps:


Task
1. Log on to the Trellix ePO - On-prem server as an administrator.
2. Click Menu → Reporting → Queries & Reports.
3. In the Groups pane, under the Trellix Groups category, select Data Protection Self Service Portal.
4. Select the Blocked users or Blocked IP addresses query, click Actions → Run.
5. Select the required user or IP address, click Actions → Unblock users or IP addresses.
6. Click Yes when the system prompts Are you sure? to unblock the selected user or IP address.
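The following is an added example, not DPSSP's own code, that models the blocking settings from the Configure DPSSP server settings task (block after a number of failed logins, unblock after a number of minutes, applied separately to user names and to IP addresses), the generic "Login failed." response, and the instant unblock action just described. The thresholds and addresses in the usage are constructed, and the clock is injectable so that the timed unblock can be exercised.

```python
import time
from dataclasses import dataclass

# Illustrative only: not the DPSSP implementation. One FailedLoginBlocker per key space
# (user names, IP addresses); DpsspLoginGate applies both to every login attempt.


@dataclass
class _Counter:
    failures: int = 0
    blocked_until: float = 0.0     # epoch seconds; 0.0 means not blocked


class FailedLoginBlocker:
    """Block a key after `block_after` failures, release it `unblock_after_minutes` later."""

    def __init__(self, block_after: int, unblock_after_minutes: int, clock=time.time):
        if block_after < 1 or unblock_after_minutes < 1:
            raise ValueError("block_after and unblock_after_minutes must be positive")
        self.block_after = block_after
        self.unblock_after = unblock_after_minutes * 60
        self.clock = clock
        self._state = {}

    def is_blocked(self, key: str) -> bool:
        c = self._state.get(key)
        if c is None or not c.blocked_until:
            return False
        if self.clock() >= c.blocked_until:
            # the timed block has expired: forget the key so counting starts afresh
            del self._state[key]
            return False
        return True

    def record_failure(self, key: str) -> bool:
        """Returns True if this failure triggered a block."""
        if self.is_blocked(key):
            return False
        c = self._state.setdefault(key, _Counter())
        c.failures += 1
        if c.failures >= self.block_after:
            c.blocked_until = self.clock() + self.unblock_after
            return True
        return False

    def record_success(self, key: str) -> None:
        self._state.pop(key, None)

    def unblock(self, key: str) -> None:
        """The administrator's 'Unblock users or IP addresses' action."""
        self._state.pop(key, None)

    def blocked_keys(self) -> list:
        """What the Blocked users / Blocked IP addresses queries would list."""
        return sorted(k for k in list(self._state) if self.is_blocked(k))


class DpsspLoginGate:
    """Applies both blockers to a login attempt. The same generic 'Login failed.' is
    returned whether the password was wrong or the user/IP is blocked, so the response
    cannot be used to probe which accounts exist or are locked."""

    def __init__(self, block_after_user: int, block_after_ip: int, unblock_after_minutes: int,
                 clock=time.time):
        self.users = FailedLoginBlocker(block_after_user, unblock_after_minutes, clock)
        self.ips = FailedLoginBlocker(block_after_ip, unblock_after_minutes, clock)

    def attempt(self, user: str, ip: str, password_ok: bool) -> str:
        if self.users.is_blocked(user) or self.ips.is_blocked(ip):
            return "Login failed."
        if password_ok:
            self.users.record_success(user)
            self.ips.record_success(ip)
            return "OK"
        self.users.record_failure(user)
        self.ips.record_failure(ip)
        return "Login failed."
```

Two details worth carrying into any portal of this kind: a correct password while blocked still fails (otherwise the block would not slow down guessing), and the IP counter accumulates across all users, so a single source spraying many accounts is stopped by the IP block before any individual user reaches the user threshold.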

Obtain a recovery key on the client system using DPSSP

When DPSSP is used for recovery with systems managed by Drive Encryption, the user opens the DPSSP portal, enters the identifier
of the system to be recovered (the recovery key ID for a Drive Encryption system; for a FileVault or BitLocker system, the serial
number or recovery key ID respectively), and obtains the recovery key.

Before you begin


This task must be performed by the client user on the system.

Task
1. In the address bar of a web browser, enter the URL for the DPSSP provided by your administrator or Help Desk, which
will be of the general form, https://<ePO_IP_address>:<Port_Number>/dpssp/selfRecovery, then press Enter to open the
Data Protection Self Service Portal (DPSSP) page.
2. Select the required Language, type the user name prefixed with the domain name, type the password, then click Login.

Note

• If you exceed the specified number of unsuccessful logon attempts as set in Trellix ePO - On-prem, your user
account will be blocked and you will see the message "Login failed." In that case, you must wait for the specified
number of minutes as set in Trellix ePO - On-prem to get your account unlocked.
• Upon a successful login to DPSSP, if Management of Native Encryption (MNE) and Drive Encryption are both installed in the
environment managed by Trellix ePO - On-prem, the user must select the product for which recovery information is
required.

3. Type the recovery key ID for the Drive Encryption system to be recovered, then click Get key.
4. Obtain the Recovery code that will be displayed to recover the Drive Encryption system.

Important

You must be assigned as a user of the client system you are trying to recover.

Note

If the entered recovery key ID is not recognized, the user should check the value entered was correct and then contact
the help desk. The help desk can then check the Trellix ePO - On-prem User Audit log for more detailed information.


5. Click Logout.

View the Data Protection Self Service Portal (DPSSP) reports

You can run and view the standard DPSSP reports from the Queries & Reports page.

Important: Privacy and DPSSP reports

Ensure that access to these reports is authorized and appropriately managed. DPSSP reports within Trellix ePO - On-prem
contain users' login names, system names, IP addresses, and audit data.

Task
1. Log on to the Trellix ePO - On-prem server as an administrator.
2. Click Menu → Reporting → Queries & Reports.
3. On the Groups pane, under the Trellix Groups category, select Data Protection Self Service Portal.
You can view these standard reports:

Query                                                        Description
Blocked IP addresses                                         Displays the IP addresses of client systems that are blocked.
Blocked users                                                Displays the list of users who are blocked.
Number of recoveries per point product in the last 24 hours  Displays the number of recoveries per point product in the last 24 hours.
Number of recoveries per point product in the last 30 days   Displays the number of recoveries per point product in the last 30 days.
Number of recoveries per user in the last 24 hours           Displays the number of recoveries per user in the last 24 hours.
Number of recoveries per user in the last 30 days            Displays the number of recoveries per user in the last 30 days.

4. From the Queries list, select the required query.
5. Click Actions → Run. The query results appear.


Note

You can also edit or duplicate the query, and view the details.

6. Click Options → Export Data, make the required selections, then click Export to export the query data.
7. Click on the .xml link to open the query data or right-click and save the .xml file to the required location.
8. Click Close.



13| User guidance
Administrators should make sure that users know how to construct strong passwords.

• Use passwords with eight characters or more.
• Do not use words that are available in the dictionary.
• Do not use a name, or any variation of the account name or administrator identity.
• Do not use accessible information such as phone numbers, birthdays, license plates, or social security numbers.
• Use a mixture of uppercase and lowercase letters, as well as digits or punctuation. When choosing a new password,
make sure it is unrelated to any previous password.
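The following is an added example, not part of the guide or the product, that turns the guidance above into a check an enrollment or help-desk script can run before a user sets a password. The sample word list, the splitting of the account name into parts, and the edit-distance threshold used for "unrelated to any previous password" are constructed assumptions.

```python
import re
import string

# Illustrative only. Each guideline above becomes one check; the function returns every
# violation it finds rather than stopping at the first, so the user can fix them all at once.

DICTIONARY = frozenset({"password", "welcome", "summer", "winter", "dragon", "letmein"})  # constructed sample
MAX_SIMILAR_EDITS = 2   # assumption: within two edits of the old password counts as "related"


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to judge whether a new password is a small tweak of the old one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _core(word: str) -> str:
    """Strip leading/trailing digits and punctuation: 'Summer2023!' is still 'summer'."""
    return word.strip(string.digits + string.punctuation).lower()


def _name_parts(account_name: str) -> list:
    """'corp\\john.smith' -> ['corp', 'john', 'smith']; very short parts are ignored."""
    return [p for p in re.split(r"[\\./@\s-]+", account_name.lower()) if len(p) >= 3]


def password_problems(password: str, account_name: str, previous_password: str = None,
                      personal_info=(), dictionary=DICTIONARY) -> list:
    """Return the list of guideline violations; an empty list means the password passes."""
    problems = []
    low = password.lower()
    core = _core(password)

    if len(password) < 8:
        problems.append("shorter than eight characters")

    if low in dictionary or core in dictionary:
        problems.append("dictionary word")

    if account_name.lower() in low or any(part in low for part in _name_parts(account_name)):
        problems.append("contains the account name")

    for item in personal_info:
        # phone numbers, birthdays and similar: match the text or any run of four or more digits
        if item.lower() in low or any(run in password for run in re.findall(r"\d{4,}", item)):
            problems.append(f"contains personal information ({item})")

    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_other = any(c.isdigit() or c in string.punctuation for c in password)
    if not (has_upper and has_lower and has_other):
        problems.append("needs uppercase, lowercase, and a digit or punctuation")

    if previous_password:
        if (_levenshtein(low, previous_password.lower()) <= MAX_SIMILAR_EDITS
                or core == _core(previous_password)):
            problems.append("too similar to the previous password")

    return problems
```

Stripping digits and punctuation from the ends before the dictionary and previous-password checks is what catches the common "Summer2023!" and "OldPassword1 to OldPassword2" patterns that a plain comparison would pass.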



COPYRIGHT
Copyright © 2023 Musarubra US LLC.

Trellix and FireEye are the trademarks or registered trademarks of Musarubra US LLC, FireEye Security Holdings US LLC and their affiliates in the
US and /or other countries. McAfee is the trademark or registered trademark of McAfee LLC or its subsidiaries in the US and /or other countries.
Skyhigh Security is the trademark of Skyhigh Security LLC and its affiliates in the US and other countries. Other names and brands are the
property of these companies or may be claimed as the property of others.
