Trend Micro Endpoint Encryption 5.0 Patch 4 Administrator Guide

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:

http://docs.trendmicro.com/en-us/enterprise/endpoint-encryption.aspx

Trend Micro, the Trend Micro t-ball logo, OfficeScan, and Control Manager are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright © 2016. Trend Micro Incorporated. All rights reserved.

Document Part No.: APEM57327/160222

Release Date: March 2016

Protected by U.S. Patent No.: Patents pending.

This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product.

Detailed information about how to use specific features within the product may be available in the Trend Micro Online Help and/or the Trend Micro Knowledge Base at the Trend Micro website.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected].

Evaluate this documentation on the following site:

http://www.trendmicro.com/download/documentation/rating.asp

Table of Contents

Chapter 1: Home

Chapter 2: Introduction

Features and Benefits .......................................... 2-3

What's New ..................................................................................................... 2-4

About PolicyServer ....................................................................................... 2-12

Management Consoles .......................................... 2-13
Trend Micro Control Manager .......................................... 2-15
About PolicyServer MMC .......................................... 2-15

Endpoint Encryption Agents ..................................................................... 2-16

Authentication Methods .......................................... 2-17
ColorCode .......................................... 2-18
Domain Authentication .......................................... 2-18
Fixed Password .......................................... 2-19
PIN .......................................... 2-19
Remote Help .......................................... 2-19
Self Help .......................................... 2-20
Smart Card .......................................... 2-20

Chapter 3: Getting Started

System Requirements .......................................... 3-2

PolicyServer System Requirements .......................................... 3-2
PolicyServer MMC System Requirements .......................................... 3-7
Full Disk Encryption System Requirements .......................................... 3-8
File Encryption System Requirements .......................................... 3-9
Encryption Management for Microsoft BitLocker System Requirements .......................................... 3-10
Encryption Management for Apple FileVault System Requirements .......................................... 3-11

Trend Micro Endpoint Encryption 5.0 Patch 4 Administrator Guide

Setting Up Control Manager .......................................... 3-12
Control Manager Architecture .......................................... 3-13
Adding PolicyServer as a Managed Product to Control Manager .......................................... 3-16
Configuring Directory Management for PolicyServer .......................................... 3-18
Configuring Proxy Settings .......................................... 3-19

Active Directory Synchronization .......................................... 3-21
Active Directory Overview .......................................... 3-21
Configuring Active Directory .......................................... 3-22
Importing Active Directory Users .......................................... 3-24
Managing Password Setting Objects from Active Directory .......................................... 3-27

Chapter 4: Dashboard

Tabs .......................................... 4-3

Default Tabs .......................................... 4-3
Adding a New Tab .......................................... 4-3
Modifying Tab Settings .......................................... 4-4
Deleting a Tab .......................................... 4-4

Widgets .......................................... 4-5
Adding Widgets to a Tab .......................................... 4-6
Widget Options .......................................... 4-7

Endpoint Encryption Users .......................................... 4-8
Add New User Options .......................................... 4-9
Policy Membership .......................................... 4-10
Importing Users from a CSV File .......................................... 4-11
Importing Active Directory Users .......................................... 4-12

Endpoint Encryption Devices .......................................... 4-15
Device Actions .......................................... 4-16
Device Attributes .......................................... 4-18

Full Disk Encryption Status .......................................... 4-20
Full Disk Encryption Status Report .......................................... 4-21

Endpoint Encryption Unsuccessful Device Logon .......................................... 4-22
Unsuccessful Device Logon Report .......................................... 4-23

Endpoint Encryption Unsuccessful User Logon .......................................... 4-25
Unsuccessful User Logon Report .......................................... 4-26

Endpoint Encryption Device Lockout .......................................... 4-27
Device Lockout Report .......................................... 4-28

Endpoint Encryption Security Violations Report .......................................... 4-29
Consecutive Unsuccessful Device Logon Report .......................................... 4-30
Policy Tampering Report .......................................... 4-31
Log Integrity Report .......................................... 4-31

Chapter 5: Policies

Authentication Overview .......................................... 5-2

Devices .......................................... 5-2
Users .......................................... 5-3
Groups .......................................... 5-4

Policies in Control Manager .......................................... 5-5
Policy Options .......................................... 5-7
Policy Types .......................................... 5-9

Creating a Policy .......................................... 5-9
Specifying Policy Targets .......................................... 5-11

Configuring Endpoint Encryption Users Rules ...................................... 5-13

Configuring Full Disk Encryption Rules .................................................. 5-15

Configuring File Encryption Rules ............................................................ 5-17

Configuring Common Policy Rules .......................................... 5-19
Lockout Actions .......................................... 5-22

Migrating Groups to Control Manager ..................................................... 5-23

Chapter 6: Full Disk Encryption

Full Disk Encryption Tools .......................................... 6-3

Full Disk Encryption Context Menu ........................................................... 6-4

Full Disk Encryption Preboot .......................................... 6-5
Menu Options .......................................... 6-6
Network Connectivity .......................................... 6-6
Network Information .......................................... 6-9
On-Screen Keyboard .......................................... 6-9
Changing the Keyboard Layout .......................................... 6-10

Changing Authentication Methods .......................................... 6-10
Changing Passwords .......................................... 6-11
Remote Help .......................................... 6-15
Smart Card .......................................... 6-16
Self Help .......................................... 6-17

Full Disk Encryption Policy Synchronization .......................................... 6-19
Full Disk Encryption Connectivity Requirements .......................................... 6-20
Manually Updating Full Disk Encryption Agents .......................................... 6-21

Patch Management with Full Disk Encryption .......................................... 6-21
Using the Command Line Helper .......................................... 6-22
Patching Process for Full Disk Encryption .......................................... 6-23

Chapter 7: File Encryption

Registering File Encryption .......................................... 7-2

File Encryption Actions .......................................... 7-3
Encrypting a File or Folder .......................................... 7-4
Using File Encryption Secure Delete .......................................... 7-10

File Encryption Context Menu .......................................... 7-10
Changing Password in File Encryption .......................................... 7-12
Using Remote Help to Unlock a File Encryption Device .......................................... 7-13

File Encryption Authentication .......................................... 7-14
Domain Authentication Requirements .......................................... 7-15
Forced Password Reset .......................................... 7-16
Endpoint Encryption Device Policy Rules .......................................... 7-16

Policy Synchronization ................................................................................ 7-17

Chapter 8: Encryption Management for Third-Party Products

About Encryption Management Agents ..................................................... 8-2

Encryption Management Agent Policy Limitations .................................. 8-2

Encryption Management for Microsoft BitLocker .......................................... 8-4
Viewing Encryption Status .......................................... 8-4
Understanding Encryption Status .......................................... 8-5

Understanding Agent Information .......................................... 8-7
Synchronizing Policies with PolicyServer .......................................... 8-8

Encryption Management for Apple FileVault .......................................... 8-9
Viewing Encryption Status .......................................... 8-10
Understanding Encryption Status .......................................... 8-11
Understanding Agent Information .......................................... 8-12
Synchronizing Policies with PolicyServer .......................................... 8-13
Creating a Mobile Account for Active Directory on Mac OS .......................................... 8-15
Troubleshooting Password and Encryption Issues .......................................... 8-17

Chapter 9: Recovery

Full Disk Encryption Recovery Methods .......................................... 9-2

Recovery Console .......................................... 9-3
Recovery Console Options .......................................... 9-4
Accessing the Recovery Console from Full Disk Encryption Preboot .......................................... 9-5
Accessing Recovery Console from Windows .......................................... 9-6
Using Decrypt Disk .......................................... 9-6
Mount Partitions .......................................... 9-8
Restore Boot .......................................... 9-9
Manage Full Disk Encryption Users .......................................... 9-9
Manage Policies .......................................... 9-11
View Logs .......................................... 9-12
Network .......................................... 9-12

Recovery Tool .......................................... 9-16
Preparing the Recovery Tool .......................................... 9-16
Scanning and Repairing a Disk .......................................... 9-18
Recovery Tool Options .......................................... 9-20
Advanced Functions .......................................... 9-21

Remote Help Assistance .............................................................................. 9-22

Chapter 10: Resolved and Known Issues

Resolved Issues .......................................... 10-2

Resolved Issues in Endpoint Encryption 5.0 Patch 4 Update 1 .......................................... 10-2
Resolved Issues in Endpoint Encryption 5.0 Patch 4 .......................................... 10-3

Resolved Issues in Endpoint Encryption 5.0 Patch 3 .......................................... 10-5
Resolved Issues in Endpoint Encryption 5.0 Patch 2 .......................................... 10-6
Resolved Issues in Endpoint Encryption 5.0 Patch 1 .......................................... 10-7

Known Issues .......................................... 10-10
PolicyServer MMC Issues .......................................... 10-11
Control Manager Integration Issues .......................................... 10-11
Endpoint Encryption Deployment Tool Plug-in Issues .......................................... 10-11
Full Disk Encryption Issues .......................................... 10-12
File Encryption Issues .......................................... 10-14
Encryption Management for Microsoft BitLocker Issues .......................................... 10-14
Encryption Management for Apple FileVault Issues .......................................... 10-15

Chapter 11: Technical Support

Troubleshooting Resources .......................................... 11-2

Contacting Trend Micro .............................................................................. 11-3

Sending Suspicious Content to Trend Micro ........................................... 11-4

Other Resources .......................................... 11-5
Documentation Feedback .......................................... 11-5

Appendices

Appendix A: Maintenance Tools

Using the Diagnostics Monitor ................................................................... A-2

Using the Log Server Tool ........................................................................... A-5

Using the PolicyServer Change Settings Tool ........................................... A-6

Appendix B: PolicyServer Message IDs

Administrator Alerts .......................................... B-2

Audit Log Alerts ............................................................................................. B-6

Certificate Alerts ............................................................................................. B-7

Device Alerts .................................................................................................. B-8

Error Alerts ................................................................................................... B-10

Full Disk Encryption Activity Alerts ........................................................ B-10

Installation Alerts ......................................................................................... B-13

Login / Logout Alerts ................................................................................. B-13

Mobile Device Alerts ................................................................................... B-17

OCSP Alerts ................................................................................................. B-18

OTA Alerts ................................................................................................... B-18

Password Alerts ............................................................................................ B-19

PIN Change Alerts ...................................................................................... B-22

Smart Card Alerts ........................................................................................ B-23

Appendix C: Endpoint Encryption Services

Appendix D: Policy Mapping Between Management Consoles

Appendix E: Glossary

Index .......................................... IN-1

Chapter 1

Home

This guide is intended to help security administrators and IT administrators manage Endpoint Encryption users, devices, policies, and agents. This documentation assumes general knowledge about encryption methods, device formatting and partitioning, and client-server architecture.

This guide is for assistance with managing Endpoint Encryption using Trend Micro Control Manager. If you intend to use PolicyServer MMC as your primary management console, see the Endpoint Encryption PolicyServer MMC Guide.

Important help topics:

• Introduction on page 2-1

• System Requirements on page 3-2

• What's New on page 2-4

• Resolved and Known Issues on page 10-1

Chapter 2

Introduction

Trend Micro™ Endpoint Encryption™ ensures privacy by encrypting data stored on endpoints, files and folders, and removable media in a variety of platform options. Endpoint Encryption provides granular policy controls and flexibly integrates with other Trend Micro management tools, including Control Manager and OfficeScan. Innovative deployment capabilities help you easily deploy agent software using FIPS-compliant hardware-based or software-based encryption that is fully transparent to end users, without disrupting productivity. Once deployed, automated reporting, auditing, and policy synchronization with Endpoint Encryption PolicyServer simplifies endpoint security management.

Endpoint Encryption has capabilities to deploy remote commands, recover lost data, and protect user identity while maintaining real-time policy synchronization. In the event that an endpoint is lost or stolen, remotely initiate a reset or “kill” command to immediately protect corporate information. Many recovery tools are also available to help end users rescue data from a corrupted hard disk. Assimilating into existing corporate identity controls, Endpoint Encryption has a variety of authentication methods, including Active Directory integration and resources for end users who have forgotten their credentials.

Topics include:

• Features and Benefits on page 2-3

• What's New on page 2-4

• About PolicyServer on page 2-12

• Management Consoles on page 2-13

• Endpoint Encryption Agents on page 2-16

• Authentication Methods on page 2-17

Features and Benefits

The following table explains Endpoint Encryption key features and benefits.

TABLE 2-1. Endpoint Encryption Key Features

FEATURE BENEFITS

Encryption

• Protection for the full disk, including the master boot record (MBR), operating system, and all system files

• Hardware-based and software-based encryption for mixed environments

• Comprehensive data protection of files, folders, and removable media

Authentication

• Flexible authentication methods, including both single and multi-factor

• Control password strength and regularity for password changes

• Policy updates before authentication and system boot

• Configurable actions on failed password attempt threshold

Device management

• Policies to protect data on endpoints and removable media

• Ability to remotely lock, reset, wipe, or kill a device

Central administration

• Flexibly use either PolicyServer MMC or Control Manager to manage PolicyServer

• Deploy Endpoint Encryption agents to endpoints already managed by OfficeScan

• Enforce security policies to individual users and policy groups from a single policy server

• Instantly protect end user data by sending lock or erase commands to lost or stolen Endpoint Encryption devices

• Automate policy enforcement with remediation of security events

• Update security policies in real-time, before authentication, to revoke user credentials before booting the operating system

Record keeping, reports, and auditing

• Advanced real-time reporting and auditing to ensure security compliance

• Analyze usage statistics with scheduled reports and alert notifications

What's New

Trend Micro Endpoint Encryption 5.0 Patch 4 offers the following new features and enhancements.

TABLE 2-2. What's New in Endpoint Encryption 5.0 Patch 4

FEATURES / ENHANCEMENTS DESCRIPTION

Supported Platform

Endpoint Encryption supports Encryption Management for Apple FileVault agent installation on Mac OS X™ “El Capitan”.

Apple Fusion Drive Support

The Encryption Management for Apple FileVault agent supports policies, encryption, decryption, device locking, and device unlocking for Apple Fusion Drives on the following versions of Mac OS X:

• OS X™ “El Capitan”

• OS X™ Yosemite

• OS X™ “Mavericks”

• OS X™ “Mountain Lion”, for builds Mac OS 10.8.2 or later

Language Display in Full Disk Encryption Preboot

The Full Disk Encryption preboot now displays the current keyboard language and allows the user to switch the language directly from the preboot Log On screen.

Full Disk Encryption Recovery Tool

Trend Micro provides a new Recovery Tool that can help users fix issues if they are unable to access Windows or the Full Disk Encryption preboot. The Recovery Tool allows users to do the following:

• Scan and repair Full Disk Encryption issues that prevent users from logging on Windows

• Open the Full Disk Encryption preboot if the agent is unable to access the preboot normally

• Recover files from an encrypted disk

The new Full Disk Encryption Recovery Tool replaces the Repair CD that was provided with previous versions of Endpoint Encryption.

Network and Connection Information in Preboot and Recovery Console

The Full Disk Encryption preboot and Recovery Console include improvements to display network and connection information. This version includes the following specific enhancements:

• The Full Disk Encryption preboot now includes the new screen Network Information. This screen displays a summary of the current connection status, including hardware, IP address, DNS, and PolicyServer information.

• The Recovery Console now includes the new screen Troubleshooting. The two tabs on this screen allow you to scan through DHCP client logs and perform traceroutes.

With this change, the previous Network Setup selection has been renamed to Network. After clicking Network, the two options Setup and Troubleshooting appear. The Setup screen has not been changed this version.

TABLE 2-3. What's New in Endpoint Encryption 5.0 Patch 3

FEATURES / ENHANCEMENTS DESCRIPTION

Supported Platforms

Endpoint Encryption supports agent installation on the following platforms:

• Windows 10 (32-bit/64-bit)

Supported agents: Full Disk Encryption and File Encryption

• Windows 10 Enterprise and Professional editions (32-bit/64-bit)

Supported agent: Encryption Management for Microsoft BitLocker

• Windows Embedded POSReady 7 (32-bit/64-bit)

Supported agents: Full Disk Encryption, File Encryption, and Encryption Management for Microsoft BitLocker

In-place Windows Upgrade

Endpoint Encryption supports upgrading devices encrypted by Full Disk Encryption to Windows 8.1 and Windows 10 without decrypting the boot device.

To perform an in-place Windows upgrade, you will need to modify the Windows ISO file.

Wi-Fi Settings Enhancements

To prevent users from unintentionally modifying Wi-Fi settings, the Wi-Fi settings have been enhanced as follows:

• Administrators can apply a policy to prevent or allow users to configure Wi-Fi settings. To modify the Wi-Fi settings policy, on PolicyServer MMC, go to Policies > Full Disk Encryption > Agent > Allow User to Configure Wi-Fi.

• Wi-Fi settings have been moved to the Recovery Console accessible from the Full Disk Encryption Preboot. To see the Wi-Fi settings, on the preboot Recovery Console, go to the Wi-Fi tab on the Network Setup screen. If users are allowed to configure Wi-Fi settings, users can still use the wireless connection icon ( ) to access Wi-Fi settings.

Active Directory Fine-Grained Password Policy Support

Endpoint Encryption supports fine-grained password and account lockout policies for Windows Server 2008 and Windows Server 2012 Active Directory servers. To enable this feature, add the PolicyServer computer to the Password Setting Object (PSO) Security list on the Active Directory server.

Usability Enhancement

The Full Disk Encryption preboot logon screen now displays indicators if Caps Lock or Num Lock are enabled.

TABLE 2-4. What's New in Endpoint Encryption 5.0 Patch 2

NEW FEATURE DESCRIPTION

Active Directory Synchronization across Multiple OUs

Endpoint Encryption now supports policy enforcement, authentication, and synchronization across multiple organizational units (OUs). This enhancement allows administrators to manage users with the same policy over different security groups, cross-functional groups, or regional groups. Endpoint Encryption requires that separate OUs must be within the same Active Directory tree.

Simplified Active Directory Integration

The process for enabling automatic account synchronization from Active Directory has been streamlined. When managing Endpoint Encryption from Control Manager, administrators no longer need to access PolicyServer MMC in addition to the Control Manager web console.

In addition, when configuring Active Directory from PolicyServer MMC, administrators no longer need to use the AD Synchronization Configuration Tool to complete configuration.

Supported Platforms

Endpoint Encryption supports PolicyServer installation on the following operating systems:

• Windows Server 2012

• Windows Server 2012 R2

Endpoint Encryption supports the following database management systems for PolicyServer:

• Microsoft SQL Server 2012

• Microsoft SQL Server 2012 Express

Endpoint Encryption supports Encryption Management for Apple FileVault installation on the following operating system:

• Mac OS X Yosemite™

Automated Deployment of Encryption Management for Apple FileVault

Endpoint Encryption supports automated deployments of Encryption Management for Apple FileVault agents. The process uses the same parameters and Command Line Helper tool for automated deployments of Full Disk Encryption, File Encryption, and Encryption Management for Microsoft BitLocker agents.

SanDisk Self-Encrypting SSD Support

Endpoint Encryption supports enabling and disabling of hardware-based full disk encryption of SanDisk™ self-encrypting solid-state drives (SSDs).

TABLE 2-5. What's New in Endpoint Encryption 5.0 Patch 1

NEW FEATURE DESCRIPTION

Control Manager LicenseManagement

Endpoint Encryption PolicyServer integrates with ControlManager License Management. Control Manager supportsthe following features with Endpoint Encryption:

• View the current Endpoint Encryption licenseinformation

• Deploy a full license to PolicyServer

• Renew a license to PolicyServer

Control Manager User-Centered Visibility

Endpoint Encryption integrates with Control ManagerUser-Centered Visibility. The status logs sent to ControlManager include the user information for the followingEndpoint Encryption endpoints:

• Full Disk Encryption

• File Encryption

• Encryption Management for Microsoft BitLocker

• Encryption Management for Apple FileVault


Trend Micro Endpoint Encryption 5.0 Patch 4 Administrator Guide

2-10

NIC and Wi-Fi Adapter Support

Endpoint Encryption supports the following groups of network interface controllers (NICs):

• Intel Ethernet Controller I217 Family

• Intel Ethernet Controller I218 Family

Endpoint Encryption also supports the Intel Dual Band AC7260 Wi-Fi adapter.

TABLE 2-6. What's New in Endpoint Encryption 5.0

NEW FEATURE / DESCRIPTION

New Communication Interface

Endpoint Encryption 5.0 introduces a new communication interface (Endpoint Encryption Service) that all Endpoint Encryption 5.0 agents and management consoles use to communicate with PolicyServer. Endpoint Encryption Service uses a Representational State Transfer (RESTful) web API with an AES-GCM encryption algorithm. Endpoint Encryption Service has three key features:

• Access control: After user authentication, PolicyServer generates a token for that user that is valid in that session only.

• Policy control: Endpoint Encryption Service blocks all PolicyServer MMC, Control Manager, and OfficeScan policy transactions until the user has authenticated.

• Automatic policy updates: After successfully registering with PolicyServer, Endpoint Encryption agents automatically obtain new policies without user authentication.

Control Manager Integration

Endpoint Encryption 5.0 integrates with Control Manager for PolicyServer management.

For information about Control Manager, see Management Consoles on page 2-13.


OfficeScan Integration

Endpoint Encryption 5.0 provides support for OfficeScan deployments. Use the new Endpoint Encryption Deployment Tool plug-in to centrally deploy or uninstall Endpoint Encryption agents on any endpoint currently managed by OfficeScan.

License Management

Endpoint Encryption 5.0 integrates with the Trend Micro licensing portal. As in previous product versions, you can try Endpoint Encryption free for 30 days. After the trial license expires, an Activation Code is required.

Support for Apple FileVault™ and Microsoft BitLocker™

Endpoint Encryption 5.0 advances Full Disk Encryption by integrating with the encryption solutions built into the host operating system through two new Endpoint Encryption agents:

• Encryption Management for Microsoft BitLocker

• Encryption Management for Apple FileVault

PolicyServer centrally manages both agents with policy controls to remotely wipe or kill the Endpoint Encryption device.

FileArmor Name Change and Move to Common Framework

Endpoint Encryption 5.0 renames the FileArmor agent to File Encryption to better match the agent's new functionality. File Encryption retains the benefits of FileArmor 3.1.3, including improved support for removable media.

File Encryption is also now better aligned with Full Disk Encryption for improved password and policy management.


Maintenance, Log, and Report Enhancements

Endpoint Encryption 5.0 has several improvements to product maintenance, logs, and reports.

• Mechanism to purge the log database: It is now possible to purge the log database based on specific criteria.

• Delete inactive Endpoint Encryption users and devices: To clean up Enterprise devices and users, it is now possible to purge devices and users that have been inactive for a specified time period.

• Enterprise report for inactive users: The new Enterprise report shows all Endpoint Encryption users who have not logged on to Endpoint Encryption devices for a specified period of time.

• Enterprise report for inactive devices: The new Enterprise report shows all Endpoint Encryption devices that have not been logged on to for a specified duration of time.

Smart Card Enhancements

Endpoint Encryption 5.0 provides the following smart card enhancements:

• Improved Endpoint Encryption agent deployment in environments using smart cards

• Support for smart card password sharing

About PolicyServer

Trend Micro PolicyServer manages encryption keys and synchronizes policies across all endpoints in the organization. PolicyServer also enforces secure authentication and provides real-time auditing and reporting tools to ensure regulatory compliance. You can flexibly manage PolicyServer with PolicyServer MMC or with Trend Micro Control Manager. Other data management features include user-based self-help options and device actions to remotely reset or "kill" a lost or stolen device.

The following table describes the PolicyServer components, which you can deploy on one server or on multiple servers, depending on environmental needs.


TABLE 2-7. PolicyServer Components

COMPONENT / DESCRIPTION

Enterprise

The Endpoint Encryption Enterprise is the unique identifier for the organization in the PolicyServer database, configured during PolicyServer configuration. One PolicyServer database may have one Enterprise configuration.

Database

The PolicyServer Microsoft SQL database securely stores all user, device, and log data. The database is either configured on a dedicated server or added to an existing SQL cluster. The log and other databases can reside separately.

PolicyServer Windows Service

PolicyServer Windows Service manages all communication transactions between the host operating system, Endpoint Encryption Service, Legacy Web Service, Client Web Proxy, and SQL databases.

Endpoint Encryption Service

All Endpoint Encryption 5.0 agents use Endpoint Encryption Service to communicate with PolicyServer. Endpoint Encryption Service uses a Representational State Transfer (RESTful) web API with an AES-GCM encryption algorithm. After a user authenticates, PolicyServer generates a token related to the specific policy configuration. Until the Endpoint Encryption user authenticates, the service denies all policy transactions.

Legacy Web Service

All Endpoint Encryption 3.1.3 and earlier agents use the Simple Object Access Protocol (SOAP) to communicate with PolicyServer. Under certain situations, SOAP may allow insecure policy transactions without user authentication. Legacy Web Service filters SOAP calls by requiring authentication and limiting the commands that SOAP accepts. This service is optional, and can be installed on the same endpoint as the Endpoint Encryption Service using the Endpoint Encryption proxy installer.

Management Consoles

Flexibly manage Endpoint Encryption using only PolicyServer MMC, or manage Endpoint Encryption using Control Manager for policy, user, and device management and PolicyServer MMC for advanced log management and reporting.


The following illustration shows how to deploy Endpoint Encryption using Control Manager to manage PolicyServer. In a Control Manager deployment, administrators use Control Manager for all Endpoint Encryption policy, user, and device controls, and only use PolicyServer MMC for advanced Enterprise maintenance.

Note

In environments that use Control Manager, changes to PolicyServer policies are always controlled by Control Manager. Any changes made using PolicyServer MMC are overwritten the next time that Control Manager synchronizes policies to the PolicyServer database.


Trend Micro Control Manager

Trend Micro™ Control Manager™ is a central management console that manages Trend Micro products and services at the gateway, mail server, file server, and corporate desktop levels. The Control Manager web-based management console provides a single monitoring point for managed products and services throughout the network.

Control Manager allows system administrators to monitor and report on activities such as infections, security violations, or virus entry points. System administrators can download and deploy components throughout the network, helping ensure that protection is consistent and up-to-date. Control Manager allows both manual and pre-scheduled updates, and the configuration and administration of products as groups or as individuals for added flexibility.

About PolicyServer MMC

The PolicyServer Microsoft Management Console plug-in (PolicyServer MMC) is the native management console for Endpoint Encryption policy, user, and device administration.

Use PolicyServer MMC to centrally manage:

• All Endpoint Encryption users, devices, and groups

• All policies, including encryption, password complexity, and authentication

• Remote device actions, including killing a device, erasing data, or delaying authentication

• Event logs about authentication events, management events, device encryption status, and security violations

• The Remote Help password reset process

• Auditing and reporting options


Endpoint Encryption Agents

The following table describes the Endpoint Encryption agents available for a variety of environments.

AGENT / DESCRIPTION

Full Disk Encryption

The Endpoint Encryption agent for hardware and software encryption with preboot authentication. Full Disk Encryption secures data files, applications, registry settings, temporary files, swap files, print spoolers, and deleted files on any Windows endpoint. Strong preboot authentication restricts access to the disk until the user is validated.

The Full Disk Encryption agent may be installed on the same endpoint as the File Encryption agent. The Full Disk Encryption agent may not be installed on the same endpoint as either the Encryption Management for Microsoft BitLocker agent or the Encryption Management for Apple FileVault agent.

Encryption Management for Microsoft BitLocker

The Endpoint Encryption Full Disk Encryption agent for Microsoft Windows environments that simply need to enable Microsoft BitLocker on the hosting endpoint.

The Encryption Management for Microsoft BitLocker agent may be installed on the same endpoint as the File Encryption agent.

Encryption Management for Apple FileVault

The Endpoint Encryption Full Disk Encryption agent for Mac OS environments that simply need to enable Apple FileVault on the hosting endpoint.

File Encryption

The Endpoint Encryption agent for file and folder encryption on local drives and removable media. File Encryption protects files and folders located on virtually any device that appears as a drive within the host operating system.

The File Encryption agent may be installed on the same endpoint as either the Full Disk Encryption agent or the Encryption Management for Microsoft BitLocker agent.


Authentication Methods

Endpoint Encryption administrators and users have several authentication methods to log on to Endpoint Encryption devices. The methods available are determined by the PolicyServer policy configuration.

Note

You must use PolicyServer MMC to configure the authentication methods available to Endpoint Encryption users. It is not possible to use Control Manager to configure the allowed authentication methods. However, you can configure Control Manager for domain authentication.

TABLE 2-8. Supported Authentication Methods

AUTHENTICATION METHOD / DESCRIPTION

ColorCode on page 2-18

A unique sequence of colors.

Domain Authentication on page 2-18

Active Directory LDAP synchronization for single sign-on (SSO).

Fixed Password on page 2-19

A string of characters, numbers, and symbols.

PIN on page 2-19

A standard Personal Identification Number (PIN).

Remote Help on page 2-19

Interactive authentication for users who forget their credentials or for devices that have not synchronized policies within a predetermined amount of time.

Self Help on page 2-20

Question and answer combinations that allow users to reset a forgotten password without contacting Technical Support.

Smart Card on page 2-20

A physical card used in conjunction with a PIN or fixed password.


ColorCode

ColorCode™ is a unique authentication method designed for quick access and easy memorization. Rather than alphanumeric characters or symbols for the password, ColorCode authentication consists of a user-created color sequence (example: red, red, blue, yellow, blue, green).

FIGURE 2-1. ColorCode Authentication Screen

Domain Authentication

Endpoint Encryption integrates with Active Directory using LDAP configured in PolicyServer. Endpoint Encryption domain authentication allows Endpoint Encryption users to use single sign-on (SSO) between the operating system and the Endpoint Encryption agent. For example, Endpoint Encryption users with domain authentication need only provide their credentials once to authenticate to the Full Disk Encryption preboot, log on to Windows, and access the files protected by File Encryption.

For seamless Active Directory integration, make sure that the following requirements are met:

• All Endpoint Encryption devices are in the same domain as PolicyServer.


• The user names configured in Active Directory exactly match the user names configured in PolicyServer (including case).

• The user names are located within a PolicyServer group and the Domain Authentication policy is enabled.

• The host name and domain name are configured correctly based on the LDAP or Active Directory server settings.

Note

For information about configuring LDAP and Active Directory settings, see the Endpoint Encryption Installation Guide available at:

http://docs.trendmicro.com/en-us/enterprise/endpoint-encryption.aspx
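The case-sensitive user-name requirement above is the one most often missed when accounts are created by hand. As an added example that is not part of the Trend Micro guide, the following PowerShell function (my own name; it assumes the ActiveDirectory RSAT module and PowerShell 5.0 or later, and the PolicyServer user list is a constructed sample) compares an exported list of PolicyServer user names with Active Directory account names and reports names that exist only with different casing separately from names missing altogether:

```powershell
# Added example, not from the Trend Micro guide. Compares PolicyServer user
# names with Active Directory sAMAccountName values. Domain Authentication
# requires an exact, case-sensitive match, so "JSmith" in PolicyServer will not
# match "jsmith" in AD; this check tells that case apart from a missing account.
Import-Module ActiveDirectory

function Test-PolicyServerUserNames {
    param(
        [Parameter(Mandatory)] [string[]] $PolicyServerUsers,  # names exported from PolicyServer MMC
        [Parameter(Mandatory)] [string]   $SearchBase,         # OU or domain DN to search
        [string] $Server                                       # optional domain controller
    )

    # One query for all accounts in scope scales better than one Get-ADUser
    # call per PolicyServer user.
    $adParams = @{ Filter = '*'; SearchBase = $SearchBase }
    if ($Server) { $adParams['Server'] = $Server }
    $adNames = @((Get-ADUser @adParams).SamAccountName)

    # Two lookup sets: an ordinal (case-sensitive) one for the real test, and a
    # case-insensitive one so a wrong-case name is reported as such.
    $exact  = [System.Collections.Generic.HashSet[string]]::new([string[]]$adNames, [System.StringComparer]::Ordinal)
    $folded = [System.Collections.Generic.HashSet[string]]::new([string[]]$adNames, [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($name in $PolicyServerUsers) {
        $status = if ($exact.Contains($name))      { 'OK' }
                  elseif ($folded.Contains($name)) { 'CaseMismatch' }   # SSO will fail for this user
                  else                             { 'NotInAD' }
        [pscustomobject]@{ PolicyServerUser = $name; Status = $status }
    }
}

# Constructed sample input; replace with your own exported PolicyServer user list
# and the DN of the domain (or OU) that holds the Endpoint Encryption users.
$policyServerUsers = @('jsmith', 'MJones', 'svc-backup')

Test-PolicyServerUserNames -PolicyServerUsers $policyServerUsers -SearchBase 'DC=example,DC=com' |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table -AutoSize
```

Run it from a host that can reach a domain controller before enabling the Domain Authentication policy; every row it prints is a user whose single sign-on would silently fall back to a non-domain logon method.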

Fixed Password

Fixed password authentication is the most common authentication method. The fixed password is created by the user and can be almost any string of numbers, characters, or symbols. You can place restrictions on fixed passwords to ensure that they are not easily compromised.

PIN

A Personal Identification Number (PIN) is a common identification method requiring a unique sequence of numbers. The PIN is created by the user and can be almost anything. As with fixed passwords, you may place restrictions on the PIN combination.

Remote Help

Remote Help allows Group or Enterprise Authenticators to assist Endpoint Encryption users who are locked out and cannot log on to Endpoint Encryption devices after too many unsuccessful logon attempts, or when the period since the last PolicyServer synchronization has been too long.


Note

Remote Help authentication is triggered by Endpoint Encryption device policy rules. Remote Help policy rules are configurable in both PolicyServer MMC and Control Manager.

Self Help

Self Help authentication allows Endpoint Encryption users who have forgotten their credentials to answer security questions and log on to Endpoint Encryption devices without Technical Support assistance. Self Help requires the Endpoint Encryption user to respond with answers to predefined personal challenge questions. Self Help can replace fixed password or other authentication methods.

Consider the following when choosing your authentication method or when configuring Self Help:

• Self Help is not available for Administrator and Authenticator accounts.

• Self Help is not available for accounts that use domain authentication. PolicyServer is unable to change or retrieve previous domain passwords.

• Self Help has a maximum of six questions for each user account. Users may be unable to log on using Self Help if more than six questions are configured.

• Self Help is only configurable with PolicyServer MMC.

Smart Card

Smart card authentication requires both a PIN and a physical token to confirm the user identity. Smart card certificates are associated with the user account and the user's assigned group. Once registered, the user can use smart card authentication from any Endpoint Encryption device in that group. Users are free to use any Endpoint Encryption device in their group and do not need to ask for another one-time password.

To use smart card authentication, make sure that the following requirements are met:

• The smart card reader is connected to the endpoint and the smart card is inserted into the smart card reader.


• ActivClient 6.1 with all service packs and updates is installed.

• Specify the smart card PIN in the password field.

WARNING!

Failure to provide the correct PIN sends a password error and may result in locking the smart card.

Note

Smart card authentication is only configurable with PolicyServer MMC.


Chapter 3

Getting Started

This chapter explains how to get started using Trend Micro Control Manager to manage PolicyServer.

Topics include:

• System Requirements on page 3-2

• Setting Up Control Manager on page 3-12

• Active Directory Synchronization on page 3-21


System Requirements

This section outlines the system requirements for Trend Micro Endpoint Encryption.

Topics include:

• PolicyServer System Requirements on page 3-2

• PolicyServer MMC System Requirements on page 3-7

• Full Disk Encryption System Requirements on page 3-8

• File Encryption System Requirements on page 3-9

• Encryption Management for Microsoft BitLocker System Requirements on page 3-10

• Encryption Management for Apple FileVault System Requirements on page 3-11

PolicyServer System Requirements

Hardware and Scaling Requirements

The following shows deployment and scaling requirements for several different-sized environments. In smaller network environments, the PolicyServer SQL databases can be installed on the same server as PolicyServer. For PolicyServer deployments in environments with more than 1,500 devices, Trend Micro recommends having at least two dedicated servers:

1. A dedicated server for the PolicyServer services, also known as the "front-end server"

2. A dedicated server for the database, or add the database to an existing SQL cluster

With larger environments, Trend Micro recommends adding additional servers to avoid single points of failure. The following table displays two sets of requirements for the PolicyServer SQL database: one set for the basic requirements at that scale, and one set for an environment with increased redundancy.


DEVICES: 1,500

PolicyServer front-end requirements:

• One front-end and SQL database multi-role server with an Intel Xeon quad-core 2.0 GHz processor or equivalent

• 8 GB RAM

• 120 GB hard drive

PolicyServer SQL database requirements:

• Installed on the PolicyServer front-end server

PolicyServer SQL database with zero single points of failure (recommended):

• Not recommended for deployments at this scale

DEVICES: 3,000

PolicyServer front-end requirements:

• One front-end server with two Intel Xeon quad-core 2.0 GHz processors or equivalent

• 4 GB RAM

• 40 GB hard drive

PolicyServer SQL database requirements:

• One SQL database server with an Intel Xeon quad-core 2.0 GHz processor or equivalent

• 8 GB RAM

• 100 GB hard drive

PolicyServer SQL database with zero single points of failure (recommended):

• Not recommended for deployments at this scale

DEVICES: 10,000

PolicyServer front-end requirements:

• Two front-end servers, each with an Intel Xeon quad-core 2.0 GHz processor or equivalent

• 4 GB RAM

• 40 GB hard drive

PolicyServer SQL database requirements:

• One SQL database server with an Intel Xeon quad-core 2.0 GHz processor or equivalent

• 8 GB RAM

• 120 GB hard drive

PolicyServer SQL database with zero single points of failure (recommended):

• One SQL server cluster of two nodes, each with an Intel Xeon quad-core 2.0 GHz processor or equivalent

• 8 GB RAM

• 60 GB RAID 5 hard drive

• 150 GB shared SAN RAID 5 hard drive

DEVICES: 20,000

PolicyServer front-end requirements:

• Four front-end servers, each with two Intel Xeon quad-core 2.0 GHz processors or equivalent

• 4 GB RAM

• 40 GB hard drive

PolicyServer SQL database requirements:

• One SQL database server with an Intel Xeon quad-core 2.0 GHz processor or equivalent

• 16 GB RAM

• 160 GB RAID 5 hard drive

PolicyServer SQL database with zero single points of failure (recommended):

• One SQL server cluster of two nodes, each with an Intel Xeon quad-core 2.0 GHz processor or equivalent

• 8 GB RAM

• 60 GB RAID 5 hard drive

• 180 GB shared SAN RAID 5 hard drive

DEVICES: 40,000

PolicyServer front-end requirements:

• Eight front-end servers, each with two Intel Xeon quad-core 2.0 GHz processors or equivalent

• 4 GB RAM

• 40 GB hard drive

PolicyServer SQL database requirements:

• Two SQL database cluster servers, each with an Intel Xeon quad-core 2.0 GHz processor or equivalent

• 16 GB RAM

• 320 GB shared SAN RAID 5 hard drive

PolicyServer SQL database with zero single points of failure (recommended):

• Four SQL database cluster servers, each with an Intel Xeon quad-core 2.0 GHz processor or equivalent

• 16 GB RAM

• 60 GB RAID 5 hard drive

• 350 GB shared SAN RAID 5 hard drive

Note

Virtual hardware is supported under VMware Virtual Infrastructure.

Microsoft Cluster Service is not supported by Microsoft or VMware on virtual hardware.


Software Requirements

SPECIFICATION REQUIREMENTS

Operating system • Windows Server 2008 / 2008 R2 (64-bit)

• Windows Server 2012 / 2012 R2 (64-bit)

Database server • Microsoft SQL Server 2005 SP3 / 2008 / 2008 R2 / 2012

• Microsoft SQL Server Express 2005 SP3 / 2008 / 2012

• Mixed Mode Authentication (SA password) installed

• Reporting services installed

Note

For Windows Server 2008 R2, you must install SQL Server 2008 SP1.

Application server PolicyServer 5.0 Patch 4 requires Microsoft Internet Information Services (IIS) with the following role services installed and enabled:

• Application Development

• ASP.NET

• ASP

• ISAPI Extensions

• ISAPI Filters

• Management Tools

• IIS Management Console

• IIS Management Scripts and Tools

• Management Service

• IIS 6 Management Compatibility

• IIS 6 Metabase Compatibility


For Windows Server 2008 and 2008 R2, you must install the "Application server" role and the "Web server" role. Additionally, you must add the SMTP and Microsoft IIS Support features.

Legacy Endpoint Encryption environments (version 3.1.3 and earlier) require Client Web Service. If you install Client Web Service on a remote endpoint, install Microsoft IIS on that endpoint.

Other software • Both Microsoft .NET Framework 2.0 SP2 (or 3.5) and 4.0

• Windows Installer 4.5 (SQL Express)
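As an added example that is not part of the Trend Micro guide, this PowerShell check (my own function name; it assumes a Windows Server 2012 or 2012 R2 front-end server with the ServerManager module) reports which of the IIS role services listed above, plus the two .NET Framework generations, are still missing before PolicyServer is installed:

```powershell
# Added example, not from the Trend Micro guide. Checks the IIS role services
# and .NET Framework versions required by PolicyServer 5.0 Patch 4 on a
# Windows Server 2012 / 2012 R2 host. The right-hand values are the Windows
# feature identifiers that Get-WindowsFeature reports on those releases.
Import-Module ServerManager

$requiredFeatures = [ordered]@{
    'Web Server (IIS)'                 = 'Web-Server'
    'Application Development'          = 'Web-App-Dev'
    'ASP.NET 3.5'                      = 'Web-Asp-Net'        # .NET 2.0/3.5 side of the requirement
    'ASP.NET 4.5'                      = 'Web-Asp-Net45'      # .NET 4.x side of the requirement
    'ASP'                              = 'Web-ASP'
    'ISAPI Extensions'                 = 'Web-ISAPI-Ext'
    'ISAPI Filters'                    = 'Web-ISAPI-Filter'
    'Management Tools'                 = 'Web-Mgmt-Tools'
    'IIS Management Console'           = 'Web-Mgmt-Console'
    'IIS Management Scripts and Tools' = 'Web-Scripting-Tools'
    'Management Service'               = 'Web-Mgmt-Service'
    'IIS 6 Management Compatibility'   = 'Web-Mgmt-Compat'
    'IIS 6 Metabase Compatibility'     = 'Web-Metabase'
    '.NET Framework 3.5 (includes 2.0)' = 'NET-Framework-Core'
    '.NET Framework 4.x'               = 'NET-Framework-45-Core'
}

function Test-PolicyServerPrerequisites {
    param([System.Collections.IDictionary] $Features = $requiredFeatures)

    # A single Get-WindowsFeature call for every name; an unknown feature name
    # makes the cmdlet write an error instead of returning an entry for it.
    $state = Get-WindowsFeature -Name @($Features.Values)

    foreach ($entry in $Features.GetEnumerator()) {
        $feature = $state | Where-Object { $_.Name -eq $entry.Value }
        [pscustomobject]@{
            RoleService = $entry.Key
            Feature     = $entry.Value
            Installed   = [bool]($feature -and $feature.Installed)
        }
    }
}

$results = Test-PolicyServerPrerequisites
$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    $names = $missing.Feature -join ','
    Write-Warning "Missing PolicyServer prerequisites: $names"
    Write-Host "Install them with: Install-WindowsFeature -Name $names"
}
```

Run it from an elevated PowerShell prompt before starting PolicyServerInstaller.exe; note that NET-Framework-Core on Server 2012 may need the installation media as its source.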

Installation Files

FILE / PURPOSE

PolicyServerInstaller.exe

Installs the PolicyServer databases and services. Optionally, the PolicyServer MMC can be installed at the same time.

PolicyServerMMCSnapinSetup.msi

Installs the PolicyServer MMC only.

TMEEProxyInstaller.exe

Installs the Client Web Service and the Traffic Forwarding Service. These services function as web proxies and communication protocols for environments that have PolicyServer and Endpoint Encryption agents in different LANs. Client Web Service serves 3.1.3 or earlier agents, and Traffic Forwarding Service serves 5.0 or later agents.

Note

PolicyServer includes a 30-day trial license. To upgrade to the full product version, register your product with your Activation Code in Control Manager or PolicyServer MMC.


Required Accounts

ACCOUNT / FUNCTION / DESCRIPTION

SQL SA

Function: PolicyServer Installer

Account used only to create the PolicyServer databases

SQL MADB

Function: PolicyServer Windows Service

Account created during installation to authenticate to the PolicyServer databases

Local Administrator

Function: PolicyServer Windows Service and IIS

Account used to run the PolicyServer Windows Service and the web service application pools

PolicyServer MMC System Requirements

Note

PolicyServer MMC can be installed on the PolicyServer front-end server or on a different endpoint that has network connectivity with PolicyServer.

SPECIFICATION REQUIREMENTS

Processor Intel Core 2 Duo 2.0 GHz processor or equivalent

RAM 512 MB

Disk space 100 MB

Network connectivity Connectivity with PolicyServer

Operating system Any Microsoft Windows operating system supported by PolicyServer or the Endpoint Encryption agents

Others Microsoft .NET Framework 4.0


Full Disk Encryption System Requirements

SPECIFICATION REQUIREMENTS

Processor Intel Core 2 Duo 2.0 GHz processor or equivalent

RAM 1 GB

Disk space • 30 GB

• 20% free disk space

• 256 MB contiguous free space

Network connectivity Communication with PolicyServer required for managed agents

Operating system • Windows™ Embedded POSReady 7 (32-bit/64-bit)

• Windows™ 10 (32-bit/64-bit)

• Windows™ 8.1 (32-bit/64-bit)

• Windows™ 8 (32-bit/64-bit)

• Windows™ 7 (32-bit/64-bit)

• Windows™ Vista with SP1 (32-bit/64-bit)

• Windows™ XP with SP3 (32-bit only)

Firmware interface • BIOS: all supported operating systems

• For devices with UEFI, set the boot priority to Legacy First.

Other software • Microsoft .NET Framework 3.5 (Windows 7 and later operating systems)

• Microsoft .NET Framework 2.0 SP1 (Windows XP)

• Microsoft Windows Installer (Windows XP)


Hard disk Full Disk Encryption uses software-based encryption for all standard drives (drives without self-encryption).

Full Disk Encryption uses hardware-based encryption for the following self-encrypting drives (SEDs):

• Seagate DriveTrust drives

• Seagate OPAL and OPAL 2 drives

• SanDisk self-encrypting solid-state drives

Full Disk Encryption has the following limitations:

• Full Disk Encryption does not support endpoints with multiple hard disks.

• Full Disk Encryption does not support RAID and SCSI drives.

• Full Disk Encryption does not support eDrive drives in Windows 8 or later environments.

• Full Disk Encryption does not support GUID Partition Table (GPT) drives.

Hard disk controllers • Software encryption: ATA, AHCI, or IRRT hard disk controller

• Hardware encryption: AHCI hard disk controller

File Encryption System Requirements

The following table explains the File Encryption system requirements.

SPECIFICATION REQUIREMENTS

Processor Intel Core 2 Duo 2.0 GHz processor or equivalent

RAM 1 GB

Disk space • 30 GB

• 20% free disk space


Network connectivity Communication with PolicyServer required for managed agents

Operating system • Windows™ 10 (32-bit/64-bit)

• Windows™ 8.1 (32-bit/64-bit)

• Windows™ 8 (32-bit/64-bit)

• Windows™ 7 (32-bit/64-bit)

• Windows™ Vista with SP1 (32-bit/64-bit)

• Windows™ XP with SP3 (32-bit only)

Other software • Microsoft .NET Framework 3.5 (Windows 8 and later operating systems)

• Microsoft .NET Framework 2.0 SP1 or later (Windows XP)

• Microsoft Windows Installer 3.1

Encryption Management for Microsoft BitLocker System Requirements

The following table explains the minimum and recommended Encryption Management for Microsoft BitLocker system requirements.

SPECIFICATION REQUIREMENTS

Processor Intel Core 2 Duo 2.0 GHz processor or equivalent

RAM Requirements are based on the Windows system requirements:

• 64-bit systems: 2 GB

• 32-bit systems: 1 GB

Disk space • 30 GB

• 20% free disk space


Hard disk • Standard drives supported by Windows

Network connectivity Connectivity with PolicyServer

Operating system • Windows™ Embedded POSReady 7 (32-bit/64-bit)

• Windows™ 10 Enterprise and Professional editions (32-bit/64-bit)

• Windows™ 8.1 Enterprise and Professional editions (32-bit/64-bit)

• Windows™ 8 Enterprise and Professional editions (32-bit/64-bit)

• Windows™ 7 Enterprise and Professional editions (32-bit/64-bit)

Other software • Trusted Platform Module (TPM) 1.2 or higher

• Full Disk Encryption is not installed

• Windows BitLocker is disabled

• Microsoft .NET Framework 3.5

Encryption Management for Apple FileVault System Requirements

The following table explains the minimum and recommended Encryption Management for Apple FileVault system requirements.

SPECIFICATION REQUIREMENT

Processor Intel Core 2 Duo 2.0 GHz processor or equivalent

Memory • 512 MB minimum

• 1 GB recommended

Disk space • 400 MB minimum

Network connectivity • Connectivity with PolicyServer


Operating system • OS X™ “El Capitan”

• OS X™ “Yosemite”

• OS X™ “Mavericks”

• OS X™ “Mountain Lion”

Other software • Mono runtime environment (MRE) 2.1

• Apple FileVault is disabled

Hardware considerations • Mac OS local accounts or mobile accounts are able to initiate encryption on Mac OS X Mountain Lion or later. Other Mac OS user account types will be unable to initiate encryption.

To create a mobile account for Active Directory on your Mac, see Creating a Mobile Account for Active Directory on Mac OS on page 8-15.

• Encryption Management for Apple FileVault supports Apple Fusion Drives on Mac OS X Mountain Lion or later (starting with Mac OS build 10.8.2).

Setting Up Control Manager

The following procedure provides an overview of how to configure Control Manager for Endpoint Encryption management.

Note

For information about individual policy configurations, see Policies on page 5-1.

Procedure

1. Install and configure PolicyServer.

See the Endpoint Encryption Installation and Migration Guide.

2. Connect PolicyServer to Control Manager.


a. Adding PolicyServer as a Managed Product to Control Manager on page 3-16

b. Configuring Directory Management for PolicyServer on page 3-18

3. Add policy targets.

See Creating a Policy on page 5-9.

4. Verify the policy configuration on PolicyServer MMC.

Related information

➥ Control Manager Architecture

➥ Adding PolicyServer as a Managed Product to Control Manager

➥ Configuring Directory Management for PolicyServer

➥ Configuring Proxy Settings

Control Manager Architecture

Trend Micro Control Manager provides a means to control Trend Micro products and services from a central location. This application simplifies the administration of a corporate virus/malware and content security policy. The following table provides a list of the components Control Manager uses.


TABLE 3-1. Control Manager Components

COMPONENT DESCRIPTION

Control Manager server Acts as a repository for all data collected from the agents. It can be a Standard or Advanced Edition server. A Control Manager server includes the following features:

• An SQL database that stores managed product configurations and logs

Control Manager uses the Microsoft SQL Server database (db_ControlManager.mdf) to store data included in logs, Communicator schedule, managed product and child server information, user account, network environment, and notification settings.

• A web server that hosts the Control Manager web console

• A mail server that delivers event notifications through email messages

Control Manager can send notifications to individuals or groups of recipients about events that occur on the Control Manager network. Configure Event Center to send notifications through email messages, Windows event log, MSN Messenger, SNMP, Syslog, pager, or any in-house/industry standard application used by your organization to send notification.

• A report server, present only in the Advanced Edition, that generates antivirus and content security product reports

A Control Manager report is an online collection of figures about security threat and content security events that occur on the Control Manager network.


Trend Micro Management Communication Protocol (MCP) MCP handles the Control Manager server interaction with managed products that support the next generation agent.

MCP is the new backbone for the Control Manager system.

MCP agents install with managed products and use one/two way communication to communicate with Control Manager. MCP agents poll Control Manager for instructions and updates.

Trend Micro Management Infrastructure Handles the Control Manager server interaction with older managed products.

The Communicator, or the Message Routing Framework, is the communication backbone of the older Control Manager system. It is a component of the Trend Micro Management Infrastructure (TMI). Communicators handle all communication between the Control Manager server and older managed products. They interact with Control Manager 2.x agents to communicate with older managed products.

Control Manager 2.x Agents Receives commands from the Control Manager server and sends status information and logs to the Control Manager server.

The Control Manager agent is an application installed on a managed product server that allows Control Manager to manage the product. Agents interact with the managed product and Communicator. An agent serves as the bridge between managed product and communicator. Therefore, install agents on the same computer as managed products.

Web-based management console Allows an administrator to manage Control Manager from a computer with an Internet connection and Microsoft Internet Explorer.

The Control Manager management console is a web-based console published on the Internet through the Microsoft Internet Information Server (IIS) and hosted by the Control Manager server. It lets you administer the Control Manager network from any computer using a compatible web browser.


Widget Framework Allows an administrator to create a customized dashboard to monitor the Control Manager network.

Adding PolicyServer as a Managed Product to Control Manager

Endpoint Encryption allows administrators to use Trend Micro Control Manager to control PolicyServer and manage Endpoint Encryption agent policies or use Trend Micro OfficeScan to deploy Endpoint Encryption agent software on managed endpoints.

To use Control Manager to manage PolicyServer, you must add PolicyServer as a managed product.

Important

Endpoint Encryption supports only one configured PolicyServer instance in Control Manager at a time. It is not possible to add multiple PolicyServer configurations.

Procedure

1. Log on to Control Manager.

2. Go to Administration > Managed Servers.

The Managed Servers screen appears.

3. In the Server Type drop-down list, select Endpoint Encryption.

4. Click Add.


The Add Server screen appears.

5. Specify Server Information options.

• Server: Specify the PolicyServer host name and the port number. Use the following format:

http://<server_name>:port_number

Note

Control Manager communicates with the PolicyServer Endpoint Encryption Service. The default port number is 8080.

• Display name: Specify the name for PolicyServer shown in the Managed Servers screen.

6. Under Authentication, specify the user name and password of the Endpoint Encryption Enterprise Administrator account and the Enterprise specified during PolicyServer installation.

7. Under Connection, select Use a proxy server for the connection if PolicyServer requires a proxy connection.

8. Click Save.

Note

Synchronization between Control Manager and PolicyServer may require several minutes to complete.


PolicyServer is added as a new managed product to Control Manager.

Configuring Directory Management for PolicyServer

The following procedure explains how to configure Directory Management for the new PolicyServer data source. The Directory Management screen displays the available policy targets in the directory tree.

Add PolicyServer to Control Manager as a managed server before starting this procedure. For more information, see Adding PolicyServer as a Managed Product to Control Manager on page 3-16.

Procedure

1. Go to Policies > Policy Resources > Managed Servers.

The Managed Servers screen appears.

2. Click Directory Management.

The Directory Management screen appears.

3. Select the server and then click Add Folder.


The Add Directory screen appears.

4. Specify a directory name and then click Save.

5. Click OK to confirm.

The new folder is created.

6. Drag the previously added PolicyServer data source into the new folder.

7. Click OK to confirm.

8. Click < Back to return to the Policy Management screen.

Configuring Proxy Settings

Use a proxy server to connect to the managed products.

Procedure

1. Go to Administration > Managed Servers.

The Managed Servers screen appears.

2. Click Proxy Settings.


The Proxy Settings screen appears.

3. Specify your proxy settings.

OPTION DESCRIPTION

Protocol Endpoint Encryption supports proxy connection over HTTP or SOCKS5 protocols.

Server Specify the IP address or URL of the proxy server.

Port Specify the listening port of the proxy server.

User name Specify the user name to access the server if the proxy requires authentication.

Password Specify the password to access the server if the proxy requires authentication.

4. Click Save.

5. Click the Edit button next to your Endpoint Encryption server.


The Edit Server screen appears.

6. Select Use a proxy server for the connection.

7. Click Save.

Active Directory Synchronization

PolicyServer supports Active Directory (AD) synchronization for a configured PolicyServer group. Synchronization will automatically add and remove AD users from configured PolicyServer groups.

Topics include:

• Active Directory Overview on page 3-21

• Configuring Active Directory on page 3-22

• Importing Active Directory Users on page 3-24

• Managing Password Setting Objects from Active Directory on page 3-27

Active Directory Overview

Three items are required to enable PolicyServer AD synchronization:

1. A configured AD domain.


2. A PolicyServer group configured to point to one or more valid AD organizational units (OUs).

3. Appropriate credentials to access the AD domain that match the PolicyServer group's distinguished name.

When configured properly, synchronization automatically creates new PolicyServer users and moves them to the appropriate paired groups on PolicyServer. During synchronization, PolicyServer is updated to reflect current users and group assignments for paired groups.

Adding a new user to the domain and placing that user in an organizational unit will flag that user so that during the next synchronization, AD will create that user in PolicyServer and then move that user into the appropriate paired PolicyServer group.

Deleting a user from AD will automatically remove that user from a PolicyServer paired group and from the enterprise.

To add non-domain users to groups that are synchronized with the domain, you can create unique Endpoint Encryption users and add them to paired PolicyServer groups without having those users modified by the synchronization system.

If you remove the Endpoint Encryption user from a paired group in PolicyServer, that domain user will not automatically be re-added by the synchronization system. This prevents overriding your action for this Endpoint Encryption user. If you manually move a synchronized domain user back into a paired group, then the synchronization system will again begin to automatically maintain the user in the group.
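The following Python model of the synchronization rules described above is an added illustration and is not part of the Trend Micro product or this guide. It assumes a simplified in-memory PolicyServer state (the enterprise user list, one paired group, and a record of which domain users an administrator removed by hand); the function and field names and the sample user names are assumptions made for the example. It walks through each rule in turn: creation and placement of OU users, removal of users deleted from AD, local users left untouched, and an administrator's removal being respected until the user is moved back.

```python
"""Model of PolicyServer Active Directory group synchronization (added example, not product code)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PolicyServerState:
    """Simplified in-memory PolicyServer state for one paired group (assumed structure)."""
    # every Endpoint Encryption user in the enterprise; True when the account came from AD
    enterprise_users: dict[str, bool] = field(default_factory=dict)
    # members of the PolicyServer group that is paired with the AD OUs
    group_members: set[str] = field(default_factory=set)
    # domain users an administrator explicitly removed from the paired group
    manually_removed: set[str] = field(default_factory=set)


def synchronize(state: PolicyServerState, ou_users: set[str],
                domain_users: set[str]) -> tuple[list[str], list[str]]:
    """One synchronization pass.

    ou_users     : account names currently placed in the paired OUs
    domain_users : every account that still exists in the AD domain
    Returns (added_to_group, removed_from_enterprise) for auditing.
    """
    added: list[str] = []
    removed: list[str] = []

    # Rule 1: a domain user placed in a paired OU is created on PolicyServer (if new)
    # and moved into the paired group, unless an administrator removed them earlier.
    for user in sorted(ou_users):
        state.enterprise_users.setdefault(user, True)
        if user in state.manually_removed:
            continue  # respect the administrator's action; do not re-add
        if user not in state.group_members:
            state.group_members.add(user)
            added.append(user)

    # Rule 2: a user deleted from AD is removed from the paired group and the enterprise.
    # Non-domain (locally created) users are never touched by synchronization.
    for user, from_ad in list(state.enterprise_users.items()):
        if from_ad and user not in domain_users:
            state.group_members.discard(user)
            state.manually_removed.discard(user)
            del state.enterprise_users[user]
            removed.append(user)
    return added, removed


def admin_remove_from_group(state: PolicyServerState, user: str) -> None:
    """Administrator removes a user from the paired group by hand."""
    state.group_members.discard(user)
    if state.enterprise_users.get(user):
        state.manually_removed.add(user)  # a domain user: remember not to re-add them


def admin_add_to_group(state: PolicyServerState, user: str, from_ad: bool = False) -> None:
    """Administrator adds a user (local or domain) to the paired group by hand."""
    state.enterprise_users.setdefault(user, from_ad)
    state.group_members.add(user)
    state.manually_removed.discard(user)  # synchronization resumes maintaining a domain user


def run_demo() -> set[str]:
    """Walk through the scenarios in the text with constructed user names; returns final members."""
    state = PolicyServerState()
    domain = {"alice", "bob", "carol"}            # carol exists in AD but sits outside the paired OUs
    synchronize(state, {"alice", "bob"}, domain)   # alice and bob created and placed in the group
    admin_add_to_group(state, "contractor1")       # non-domain user added by hand
    admin_remove_from_group(state, "bob")          # administrator takes bob out of the group
    synchronize(state, {"alice", "bob"}, domain)   # bob stays out; contractor1 untouched
    admin_add_to_group(state, "bob", from_ad=True)  # administrator moves bob back in
    synchronize(state, {"bob"}, {"bob", "carol"})   # alice deleted from AD: removed everywhere
    return state.group_members


if __name__ == "__main__":
    print(sorted(run_demo()))
```

The `manually_removed` record is the piece that makes the last rule work: without it, every pass would silently undo an administrator's decision, which is exactly the behaviour the guide says synchronization avoids.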

Configuring Active Directory

This task assumes the domain controller is set up on Windows Server 2012 and that Active Directory (AD) is installed.

Procedure

1. Go to Start > Administrative Tools > Active Directory Users and Computers.

The Active Directory Users and Computer screen appears.


FIGURE 3-1. Active Directory Users and Computers

2. Create your organizational units (OUs).

For each OU you intend to create, perform the following steps:

a. Right-click the new domain created during AD installation and then select New.

b. Select Organizational Unit.

c. From the New Object - Organizational Unit screen, specify the new name and click OK.

The new group appears in the left navigation under the domain name. Perform this step for as many organizational units as you intend to use with PolicyServer.

Important

Endpoint Encryption supports up to 12 OUs per policy.


The new groups will be used to synchronize with a PolicyServer group. Before synchronization, users must be added to the groups.

3. Add new users to your OUs.

For each user you intend to create, perform the following steps:

a. Right-click the intended OU and go to New > User.

b. From the New Object - User screen, specify the new user's account information and click Next.

c. Specify and confirm the new user's domain password and click Next.

Note

Clear User must change password at next login and select the Password never expires option to simplify other testing later.

d. When prompted to complete, click Finish.

The domain controller is configured with a new OU and a user in that group. To synchronize that group with PolicyServer, install PolicyServer and create a group for synchronization. This next section assumes that PolicyServer is already installed.

Importing Active Directory Users

PolicyServer maintains a user directory separate from the Active Directory database. This allows PolicyServer absolute security over access to all Endpoint Encryption devices, user rights, and authentication methods.

Use the Endpoint Encryption Users widget in Control Manager to import Active Directory users. For more information about managing users with the Endpoint Encryption Users widget, see Endpoint Encryption Users on page 4-8.

Procedure

1. Log on to Control Manager.


2. Go to the Endpoint Encryption Users widget.

3. Click the icon.

4. Select Import Users from Active Directory.

The Import Users from Active Directory screen appears.

5. Specify your credentials for the Active Directory LDAP server.

Note

For Port, the value “0” specifies the default port. The default port is 389.

6. Click Next.

7. Wait for the specified Active Directory domain to populate.


The Active Directory tree for the specified domain appears in the left pane.

8. From the left pane, use the navigation tree to select the container from which to add users.

The available users populate in the right pane.

9. Do one of the following:

• Select individual users, then click Import Selected Users.

• Click Import Everyone in this Container.

10. Click OK to add the users to the specified location.

A confirmation window appears.

11. Click OK to confirm.

An import status message displays.

12. Click Close to finish, or repeat the procedure to select more users to import.


Managing Password Setting Objects from Active Directory

Endpoint Encryption supports fine-grained password policies through Active Directory. If PolicyServer is in the Active Directory computer list, password policies in Active Directory supersede PolicyServer policy settings from both Control Manager and PolicyServer MMC.

The following procedure shows how to add PolicyServer to the Active Directory computer list.

Procedure

1. Open your Password Settings object (PSO) Security settings.

a. Go to Start > Administrative Tools > Active Directory Users and Computers.

b. In the View menu, verify that Advanced Features are enabled.

c. Locate your domain node in Active Directory Users and Computers.

d. Go to System > Password Settings Container.

e. Select the PSO Property that you intend to use for password policy management.

f. Go to the Security tab.

2. Add the PolicyServer endpoint to the Group or user names list.

a. Under the Group or user names list, click Add....

b. In the Object Types window, select Computers.

c. Select the PolicyServer endpoint.

3. Verify and confirm your changes.


Chapter 4

Dashboard

The Control Manager dashboard provides at-a-glance information for the Control Manager network. The dashboard is comprised of two components:

• Tabs: Allow administrators to create a screen that contains one or more widgets

• Widgets: Provide specific information about various security-related events and perform user and device management

Each user account displays its own dashboard. When a user logs on to Control Manager for the first time, the default tabs and the widgets contained within the tabs appear on the dashboard.

Each user account can customize the dashboard, tabs, and widgets for the account’s specific needs. Customizing the dashboard, tabs, or widgets for one user account has no effect on the dashboard, tabs, or widgets for a different user account. Each user account has a completely independent dashboard, tabs, and widgets from every other user account.

Topics include:

• Tabs on page 4-3

• Widgets on page 4-5

• Endpoint Encryption Users on page 4-8

• Endpoint Encryption Devices on page 4-15


• Full Disk Encryption Status on page 4-20

• Endpoint Encryption Unsuccessful Device Logon on page 4-22

• Endpoint Encryption Unsuccessful User Logon on page 4-25

• Endpoint Encryption Device Lockout on page 4-27

• Endpoint Encryption Security Violations Report on page 4-29


Tabs

To customize the Control Manager Dashboard, add additional tabs, name the new tabs as needed, and add the appropriate widgets. You can modify or delete added tabs.

Default Tabs

The dashboard provides the following tabs:

• Summary

• DLP Incident Investigation

• Data Loss Prevention

• Compliance

• Threat Detection

• Smart Protection Network

Note

Deleting the default tabs permanently removes the tabs from viewing for the user account that removed the tabs. There is no way to recover a deleted tab. Deleting a default tab has no impact on the dashboard for other user accounts.

Adding a New Tab

Procedure

1. Go to the Dashboard.

2. Click the to the right of the last named tab.

The New Tab screen appears.

3. Specify a name for the Title of the new tab.


4. Select the radio button for the appropriate layout style.

5. Select Auto-fit On to make the height of all widgets on the tab consistent.

6. Click Save.

The new tab is added to the right of existing tabs.

Modifying Tab Settings

Procedure

1. Go to the Dashboard and then open the appropriate tab.

2. Click Tab Settings at the upper-right corner of the tab.

3. Make the needed changes to:

• Title

• Layout

• Auto-fit

4. Click Save.

Deleting a Tab

Note

Deleting the default tabs permanently removes the tabs from viewing for the user account that removed the tabs. There is no way to recover a deleted tab. Deleting a default tab has no impact on the dashboard for other user accounts.

Procedure

1. Go to the Dashboard.


2. Open the tab to delete.

3. Click the X next to the name of the tab.

4. Click OK to confirm.

The tab is deleted.

Widgets

Widgets are the core components for the dashboard. Tabs provide the layout and widgets provide the actual data for the dashboard.

Note

Customizing the dashboard, tabs, or widgets for one user account has no effect on the dashboard, tabs, or widgets for a different user account. Each user account has a completely independent dashboard, tabs, and widgets from every other user account.

Download the Control Manager widget pool (under Product programs and widget pool on the Manual Download and Scheduled Download screens) periodically to check for new or updated widgets.

The data a widget displays comes from one of the following places:

• Control Manager database

• Trend Micro Smart Protection Network

• Managed products added to the Dashboard Server Visibility list

Note

Smart Feedback must be enabled to display data for widgets that include data from Smart Protection Network.

The data a widget displays is controlled in two ways:


TABLE 4-1. Widget Data

ITEM DETAILS

User account A user’s account grants or restricts access to any managed product registered to Control Manager.

Scope The data scope on many widgets can be individually configured.

This means a user can further specify the data source location for the widget.

Example: An OfficeScan administrator, who manages multiple OfficeScan servers, could create one tab and add widgets that display data for only one OfficeScan server.

Adding Widgets to a Tab

After adding widgets to a tab, drag-and-drop the widgets to various locations within the tab.

Procedure

1. Go to the Dashboard and then open the appropriate tab.

2. Click Add Widgets at the upper-right corner of the tab.

The Add Widgets screen appears.

3. Do the following:

• Click a category from the left and then select the check box next to the name of all applicable widgets that appear.

• Use the search bar to select a specific widget.

4. Click Add.

All selected widgets are added to the tab.


Widget Options

The following illustration and table provide a general overview of available widget options. Different widgets may have different options available.

FIGURE 4-1. Widget Options

TABLE 4-2. Widget Option Descriptions

ITEM DESCRIPTION

1 The total number of objects (examples: events, devices, logs) that the widget gathers data about. Click the number to view additional information.

2 The information that the widget displays.

3 The Enterprise associated with the widget data.

4 The name of the widget. Change the name in the Widget Settings window.

5 Click the icon to manually refresh widget data. The default refresh rate is controlled by the Control Manager dashboard settings at Administration > Settings > Web Console Settings.


6 Click the icon to display the following widget options:

• Widget Settings: Configure the displayable options for that widget.

• Help: Access the Endpoint Encryption Online Help for that widget.

• Close Widget: Remove the widget from the current tab.

7 View the last time that the widget refreshed data.

8 Click the number or icon to access specific widget data, such as event logs or reports.

Endpoint Encryption Users

The Endpoint Encryption Users widget provides user management capability directly from the Control Manager dashboard. Use the Endpoint Encryption Users widget to add or remove Endpoint Encryption user accounts, reset passwords, change permissions, configure policy group priority, import from Active Directory, and search for specific user accounts.

Note

For information about adding existing Endpoint Encryption users to a policy, see Configuring Endpoint Encryption Users Rules on page 5-13.


ITEM DESCRIPTION

Show Select which users to display: all users in the Enterprise, or users in a specific policy.

Search ( ) Click the icon to filter which Endpoint Encryption users appear in the table. Use the search field to specify parameters to search against.

Settings ( ) or right-click a user Click the icon to view user attributes or to perform actions on any selected user.

Add users ( ) Click the icon to add individual users, import users from a CSV file, or import users from Active Directory LDAP.

Number of users View the total number of users in the entire Enterprise, selected policy, or specified search.

Add New User Options

The following table explains the options available when adding a new Endpoint Encryption user.


TABLE 4-3. Add New User Options

OPTION DESCRIPTION

User name Specify the account user name that the user uses to authenticate.

First name Specify the user's first name.

Last name Specify the user's last name.

Employee ID Specify the user's employee ID (optional).

Email address Specify the user's email address (optional).

Freeze Select Yes to temporarily lock the account. A locked account cannot log on to Endpoint Encryption devices.

User type Select User, Authenticator, or Administrator.

For more information about user roles, see Users on page 5-3.

One group Select Yes to only allow the user to belong to one policy at a time. The user may not be added to any other policy groups.

If you set this option to Yes and set the User type to Authenticator or Administrator, the user will be a group authenticator or group administrator respectively.

Authentication method Select the authentication method available to the user.

Policy Membership

The following table explains how to understand Endpoint Encryption user policy membership.


Note

Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker do not require authentication and are not affected by authentication policies. Client, login, password, and authentication policies, or allowing the user to uninstall the Endpoint Encryption agent software, only affect the Full Disk Encryption and File Encryption agents.

HEADER EXAMPLE DESCRIPTION

Priority 1, 2, 3 Shows the order that Endpoint Encryption applies policies. When a policy is triggered that affects a user, Endpoint Encryption takes the action, and then no other policies affect the user for that event.

Policy Name GP1 Shows the name of all policies that the user is currently assigned.

Description Temporary employees policy. Shows the description of the policy.

Allow Install Yes, No Shows whether the user can install new Endpoint Encryption devices.

Importing Users from a CSV File

Format each line in the CSV file as follows:

<User ID (required)>, <first name>, <last name>, <employee ID>, <email address>

For fields with no data, use a comma as a placeholder. The following is an example CSV entry:

example_id, name,,, [email protected]
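As an added example (not part of this guide or the product), the following Python function validates a file in the format above before it is handed to the import, so that malformed lines are reported together instead of being discovered as a partial import. Only "User ID is required" and the comma placeholder come from the guide; the remaining checks (field count, duplicate IDs compared case-insensitively, a loose email shape) and the sample lines, including the example@example.com address, are assumptions made for this illustration.

```python
"""Validate the Endpoint Encryption user-import CSV format (added example, not product code)."""
from __future__ import annotations

import csv
import io
import re

# Column order given by the guide: User ID (required), then four optional fields.
FIELDS = ("user_id", "first_name", "last_name", "employee_id", "email")

# Loose shape check only; an assumption for this example, not a rule stated by the guide.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_user_csv(text: str) -> tuple[list[dict[str, str]], list[tuple[int, str]]]:
    """Parse CSV text into (users, errors).

    users  : one dict per valid line, keyed by FIELDS
    errors : (line number, reason) for each rejected line; valid lines are still
             returned so the rejected ones can be corrected and imported separately.
    """
    users: list[dict[str, str]] = []
    errors: list[tuple[int, str]] = []
    seen_ids: set[str] = set()
    # skipinitialspace tolerates the "id, name,,, mail" spacing used in the guide's example
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for line_no, row in enumerate(reader, start=1):
        if not any(cell.strip() for cell in row):
            continue  # blank line, ignore
        row = [cell.strip() for cell in row]
        if len(row) != len(FIELDS):
            errors.append((line_no, f"expected {len(FIELDS)} fields, got {len(row)}"))
            continue
        user = dict(zip(FIELDS, row))
        if not user["user_id"]:
            errors.append((line_no, "User ID is required"))
            continue
        key = user["user_id"].lower()  # assumption: user names compare case-insensitively
        if key in seen_ids:
            errors.append((line_no, f"duplicate User ID {user['user_id']!r}"))
            continue
        if user["email"] and not _EMAIL_RE.match(user["email"]):
            errors.append((line_no, f"malformed email address {user['email']!r}"))
            continue
        seen_ids.add(key)
        users.append(user)
    return users, errors


# Constructed sample input: one line in the guide's own style, one with an empty
# email field, and four lines that should each be rejected for a different reason.
SAMPLE_CSV = """\
example_id, name,,, example@example.com
jdoe, John, Doe, E1234,
, Missing, Id,,
jdoe, Duplicate, Entry,,
asmith, Anna, Smith, E2001, not-an-email
short, Too, Few
"""


def run_demo() -> tuple[int, int]:
    """Return (accepted, rejected) counts for SAMPLE_CSV and print the rejects."""
    users, errors = parse_user_csv(SAMPLE_CSV)
    for line_no, reason in errors:
        print(f"line {line_no}: {reason}")
    return len(users), len(errors)


if __name__ == "__main__":
    print(run_demo())
```

Running the check on the constructed sample accepts the first two lines and reports lines 3 to 6, one reason each, so the file can be corrected before it is selected in the Import Users from a File screen.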

Procedure

1. From the Endpoint Encryption Users widget, click Add User and then select Import Users from a File.


The Import Users from a File screen appears.

2. Click Choose File to select the CSV file.

The Open CSV File window appears.

3. Select the file and then click Open.

4. Click Add.

The users in the CSV file are imported.

Importing Active Directory Users

PolicyServer maintains a user directory separate from the Active Directory database. This allows PolicyServer absolute security over access to all Endpoint Encryption devices, user rights, and authentication methods.

Use the Endpoint Encryption Users widget in Control Manager to import Active Directory users. For more information about managing users with the Endpoint Encryption Users widget, see Endpoint Encryption Users on page 4-8.

Procedure

1. Log on to Control Manager.

2. Go to the Endpoint Encryption Users widget.

3. Click the icon.

4. Select Import Users from Active Directory.


The Import Users from Active Directory screen appears.

5. Specify your credentials for the Active Directory LDAP server.

Note

For Port, the value “0” specifies the default port. The default port is 389.

6. Click Next.

7. Wait for the specified Active Directory domain to populate.


The Active Directory tree for the specified domain appears in the left pane.

8. From the left pane, use the navigation tree to select the container from which to add users.

The available users populate in the right pane.

9. Do one of the following:

• Select individual users, then click Import Selected Users.

• Click Import Everyone in this Container.

10. Click OK to add the users to the specified location.

A confirmation window appears.

11. Click OK to confirm.

An import status message displays.

12. Click Close to finish, or repeat the procedure to select more users to import.


Endpoint Encryption Devices

Endpoint Encryption devices are Endpoint Encryption agents that have registered with PolicyServer. Installing any Endpoint Encryption agent automatically registers the endpoint with PolicyServer as a new Endpoint Encryption device. Since multiple Endpoint Encryption agents may protect a given endpoint, a single endpoint may appear as more than one Endpoint Encryption device on PolicyServer.

The Endpoint Encryption Devices widget provides Endpoint Encryption device management capability directly from the Control Manager dashboard. Use the Endpoint Encryption Devices widget to monitor activity, search for Endpoint Encryption devices, or secure endpoint data by initiating lock or kill commands when an endpoint is lost or stolen.

Note

For information about adding Endpoint Encryption devices to a policy, see Specifying Policy Targets on page 5-11.


OPTIONS DESCRIPTION

Show Select which devices to display: all devices in the Enterprise, or devices in a specific policy.

Search ( ) Click the icon to select the Endpoint Encryption agent and filter the devices shown in the table. Use the search field to specify parameters to search against. Any attributes listed in Device Attributes can be searched.

Settings ( ) or right-click a device Select a device and click the icon or right-click a device to view device attributes or to perform actions on the selected device.

See Device Actions on page 4-16.

Number of devices View the total number of devices in the entire Enterprise, selected policy, or specified search.

Device Actions

Select a device and click the icon or right-click a device to perform the following actions:

ACTION DESCRIPTION

Delete device Deleting any Endpoint Encryption device from the Enterprise also removes the device from all policy groups. The deleted Endpoint Encryption device continues functioning as long as connectivity and password policies are current on the device. The agent will be unable to synchronize its policy with PolicyServer.

WARNING! Before deleting a Full Disk Encryption device, decrypt your disk, and uninstall the Full Disk Encryption agent. If you delete a Full Disk Encryption device without deleting the agent, the Full Disk Encryption preboot may be unable to authenticate with PolicyServer and the data may become inaccessible.


Soft token Generating a “software token” creates a unique string that you can use to unlock Endpoint Encryption devices and to remotely help Endpoint Encryption users reset forgotten passwords.

The software token is only available in the full version of Full Disk Encryption, not Encryption Management for Apple FileVault or Encryption Management for Microsoft BitLocker.

For information about resetting passwords or unlocking a user account, see Remote Help Assistance on page 9-22.

Recovery key Generating a “recovery key” allows the user to decrypt a hard disk when the user has forgotten the original password or key.

The recovery key is only available to Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker agents because they do not use the other recovery methods available in Full Disk Encryption.

For information about resetting passwords or unlocking a user account, see Remote Help Assistance on page 9-22.

Device attributes View a current snapshot of the selected device.

See Device Attributes on page 4-18.

Kill device Initiating a “kill” command deletes all Endpoint Encryption device data. The deleted data is different depending on the scope of data that the associated Endpoint Encryption agent manages. For example, initiating a “kill” command to a Full Disk Encryption device deletes all data from the endpoint, while initiating a “kill” command to a File Encryption device deletes all files and folders in local or removable storage protected by the File Encryption agent. The “kill” command is issued when the Endpoint Encryption agent communicates with PolicyServer.

WARNING! Killing a device cannot be undone. Back up all the data before initiating a kill command.


Lock device | Initiating a “lock” command to the Endpoint Encryption device prevents Endpoint Encryption user access until after performing a successful Remote Help authentication. Locking a device reboots the endpoint and forces it into a state that requires Remote Help. The lock command is issued when the Endpoint Encryption agent communicates with PolicyServer.
            | See Remote Help Assistance on page 9-22.

Soft reset | Initiating a “soft reset” command reboots the endpoint. The command issues the next time that the agent communicates with PolicyServer.

Device Attributes

The following table describes the Endpoint Encryption device attributes.

ATTRIBUTE NAME | EXAMPLE | DESCRIPTION

.NET Version | 2.0.50727.3620 | The version and build number for the installed .NET framework.

Common Framework Build Number | 5.0.0.84 | The Endpoint Encryption agent uses a common framework for encryption. The build number is used to tell whether the agent is up-to-date.

Disk Model | VMware Virtual IDE | The hard disk model.

Disk Name | \\.\PHYSICALDRIVE0 | The name of the hard disk.

Disk Partitions | 1 | The number of partitions on the disk with the agent installed.

Disk Size | 10733990400 | The total capacity of the hard disk (in bytes).

Domain Name | WORKGROUP | The domain of which the endpoint is a member.

Endpoint ID | 85b1e3e2a3c25d882540ef6e4818c3e4 | The unique ID of the endpoint used for Control Manager integration.

<Agent> User | john_smith | The user name of the last logged on user.

<Agent> Version | 5.0.0.260 | The version and build number for the agent installation.

Hostname | TREND-4136D2DB3 | The endpoint's host name.

IP Address | 10.1.152.219 | The endpoint's IP address.

Locale | English (United States) | The language and region for which the endpoint is configured.

Machine Name | TREND-4136D2DB3 | The computer name that the endpoint used.

Manufacturer | VMware, Inc. | The manufacturer of the hard disk.

Model | VMware Virtual Platform | The model of the hard disk.

Operating System | Microsoft Windows NT 5.1.2600 Service Pack 3 | The operating system installed on the same hard disk as the agent.

Operating System Name | Microsoft Windows XP Professional | The common name of the operating system installed on the same hard disk as the agent.

Operating System Service Pack | Service Pack 3 | The service pack number of the operating system installed on the same hard disk as the agent.

Operating System Version | 5.1.2600.196608 | The version number of the operating system installed on the same hard disk as the agent.

Partition Scheme | Classical MBR | The partition scheme for the hard disk.

Processor | x86 Family 6 Model 30 Stepping 5, Genuine Intel | The processor make and model of the endpoint.

Processor Count | 2 | The number of processors in the endpoint.

Processor Revision | 1e05 | The processor revision number.

Time Zone | Taipei Standard Time | The time zone in which the endpoint resides.

Total Physical Memory | 2047MB | The total RAM installed in or allocated to the endpoint.

Type | X86-based PC | The endpoint processor type.

Windows User Name | TREND-4136D2DB3\admin | The user name of the Windows account that last logged on the endpoint.

Full Disk Encryption Status

The Full Disk Encryption Status widget shows the current encryption status of any Endpoint Encryption device in the Enterprise.


COLUMN | DESCRIPTION

Status | The status of the Endpoint Encryption device. Statuses include:
       | • Encrypted: The Endpoint Encryption device is 100% encrypted.
       | • Encrypting: The Endpoint Encryption device is currently encrypting the hard disk. The status changes to “Fully Encrypted” once encryption completes and the endpoint restarts.
       | • Not encrypted: The Endpoint Encryption device is 0% encrypted.
       | • Decrypting: The Endpoint Encryption device is currently decrypting the hard disk. The status changes to Not Encrypted once the decryption completes and the endpoint restarts.
       | • Unknown: The Endpoint Encryption device synchronized, but PolicyServer cannot determine the encryption status.

Rate | The percentage that the Endpoint Encryption device is encrypted.

Devices | The number of Endpoint Encryption devices with that current status. Click the number to view the Endpoint Encryption Devices report. For more information, see Full Disk Encryption Status Report on page 4-21.

Note

At the bottom of the widget, click the number next to Total to view the Endpoint Encryption Status report.

Full Disk Encryption Status Report

The following table describes the Full Disk Encryption Status report. Use it to understand how to read the report details.


TABLE 4-4. Full Disk Encryption Status Report Example

HEADER | EXAMPLE | DESCRIPTION

Policy | GP1 | The title of the policy controlling the Endpoint Encryption device.

Device Name | TREND-4136D2DB3 | The computer name used by the Endpoint Encryption device.

Device ID | 1fabfbff-0001-06e5-000c-297085710000 | The unique ID established after the Endpoint Encryption agent was installed on the endpoint and a new Endpoint Encryption device was registered with PolicyServer.

Agent | Full Disk Encryption | The currently installed Endpoint Encryption agent.

Status | Not Encrypted | The current state of the Endpoint Encryption device.

Last Synchronized Date | 10/07/2013 11:05 am | The timestamp when the Endpoint Encryption device last updated policies from PolicyServer.

Last Policy Enforcement | 10/07/2013 11:05 am | The timestamp when the Control Manager last enforced policy changes on PolicyServer.

Endpoint Encryption Unsuccessful Device Logon

The Endpoint Encryption Unsuccessful Device Logon widget shows all Endpoint Encryption devices that had unsuccessful logon attempts by any user (Endpoint Encryption user or non-Endpoint Encryption user). Unsuccessful device logon events may represent a security breach, or the Endpoint Encryption user may have forgotten the logon credentials.

COLUMN | DESCRIPTION

Device Name | The computer name of the Endpoint Encryption device.

Policy | The policy managing the Endpoint Encryption device.

Events | The number of logon attempts. Click the number to view the Endpoint Encryption Unsuccessful Device Logon report.

Unsuccessful Device Logon Report

The following table explains the Endpoint Encryption Unsuccessful Device Logon report. Use it to understand how to read the report details.


TABLE 4-5. Endpoint Encryption Unsuccessful Device Logon Example

HEADER | EXAMPLE | DESCRIPTION

Event Timestamp | 07/02/2012 01:56 pm | When the event occurred.

Policy | GP1 | The title of the policy controlling the Endpoint Encryption device.

Device Name | TREND-4136D2DB3 | The computer name used by the Endpoint Encryption device.

Device ID | 1fabfbff-0001-06e5-000c-297085710000 | The unique ID established after the Endpoint Encryption agent was installed on the endpoint and a new Endpoint Encryption device was registered with PolicyServer.

IP Address | 10.1.152.219 | The Endpoint Encryption device IP address.

Agent | Full Disk Encryption | The currently installed Endpoint Encryption agent.

User Name | user325 | The user name used to attempt to log on to the Endpoint Encryption device.

Display Name | Mary Jones | The first and last name of the Endpoint Encryption user account. If the specified user name is not a valid Endpoint Encryption user name, the column shows “Not Recorded”.

Event | Unsuccessful Fixed Password Login | The logged event including the authentication method.


Endpoint Encryption Unsuccessful User Logon

The Endpoint Encryption Unsuccessful User Logon widget shows all attempts by any user (Endpoint Encryption user or non-Endpoint Encryption user) to log on to any Endpoint Encryption device.

COLUMN | DESCRIPTION

User Name | The user name used to attempt to log on to the Endpoint Encryption device.

Display Name | The display name of the user account that attempted to log on to the Endpoint Encryption device.

Events | The number of authentication attempts. Click the number to view the Endpoint Encryption Unsuccessful User Logon report.


Unsuccessful User Logon Report

The following table explains the Endpoint Encryption Unsuccessful User Logon report. Use it to understand how to read the report details.

TABLE 4-6. Endpoint Encryption Unsuccessful User Logon Report Example

HEADER | EXAMPLE | DESCRIPTION

Event Timestamp | 07/02/2012 01:56 pm | When the event occurred.

Policy | GP1 | The title of the policy controlling the Endpoint Encryption device.

Device Name | TREND-4136D2DB3 | The computer name used by the Endpoint Encryption device.

Device ID | 1fabfbff-0001-06e5-000c-297085710000 | The unique ID established after the Endpoint Encryption agent was installed on the endpoint and a new Endpoint Encryption device was registered with PolicyServer.

IP Address | 10.1.152.219 | The Endpoint Encryption device IP address.

Agent | Full Disk Encryption | The currently installed Endpoint Encryption agent.

User Name | user325 | The user name used to attempt to log on to the Endpoint Encryption device.

Display Name | Mary Jones | The first and last name of the Endpoint Encryption user account. If the specified user name is not a valid Endpoint Encryption user name, the column shows “Not Recorded”.

Event | Unsuccessful Fixed Password Login | The logged event including the authentication method.


Endpoint Encryption Device Lockout

The Endpoint Encryption Device Lockout widget shows Endpoint Encryption devices that are locked out due to policy restrictions.

Note

For information about Endpoint Encryption device lockout rules, see Lockout Actions on page 5-22.

HEADER | DESCRIPTION

Device Name | The computer name used by the Endpoint Encryption device.

Policy | The title of the policy controlling the Endpoint Encryption device.

Lockout | The timestamp when PolicyServer issued the device lock command. The Endpoint Encryption device does not actually lock until after the Endpoint Encryption agent synchronizes policies with PolicyServer.

Details | Click the details icon to view the Endpoint Encryption Device Lockout report.

At the bottom of the widget, click the number next to Total to view the report.

Device Lockout Report

The following table explains the Endpoint Encryption Device Lockout report. Use it to understand how to read the report details.

Note

For information about account lockout and device lock actions, see Lockout Actions on page 5-22.

TABLE 4-7. Endpoint Encryption Device Lockout Report Example

HEADER | EXAMPLE | DESCRIPTION

Event Timestamp | 07/02/2012 01:56 pm | When the event occurred.

Policy | GP1 | The title of the policy controlling the Endpoint Encryption device.

Device Name | TREND-4136D2DB3 | The computer name used by the Endpoint Encryption device.

Device ID | 1fabfbff-0001-06e5-000c-297085710000 | The unique ID established after the Endpoint Encryption agent was installed on the endpoint and a new Endpoint Encryption device was registered with PolicyServer.

IP Address | 10.1.152.219 | The Endpoint Encryption device IP address.

Agent | Full Disk Encryption | The currently installed Endpoint Encryption agent.

User Name | user325 | The user name used to attempt to log on to the Endpoint Encryption device.

Display Name | Mary Jones | The first and last name of the Endpoint Encryption user account. If the specified user name is not a valid Endpoint Encryption user name, the column shows “Not Recorded”.

Event | Locked device due to invalid login attempt violation. | The logged event including the authentication method.

Endpoint Encryption Security Violations Report

The Endpoint Encryption Security Violations Report widget shows the security violations assessed by the following reports:

• Endpoint Encryption Consecutive Unsuccessful Device Logon

• Endpoint Encryption Policy Tampering

• Endpoint Encryption Log Integrity


Generating a report gathers all security violations currently logged by PolicyServer. Once generated, click the number in the Reports column to view generated reports for that violation.

HEADER | DESCRIPTION

Violation report type | The available report types for various violations.

Action | Click Generate to create a new report.

Reports | The total number of generated reports for that violation. Click the number to view available reports.

Consecutive Unsuccessful Device Logon Report

The following table explains the Endpoint Encryption Consecutive Unsuccessful Device Logon report. Use it to understand when the logon attempt occurred, the affected Endpoint Encryption device, and how many times the user attempted to log on to the Endpoint Encryption device.

TABLE 4-8. Endpoint Encryption Consecutive Unsuccessful Device Logon Report Example

ENTRY | EXAMPLE | DESCRIPTION

Event Timestamp | 07/02/2012 01:56 pm | When the event occurred.

Device Name | TREND-4136D2DB3 | The computer name used by the Endpoint Encryption device.

Attempts | 5 | The number of times that a user attempted to log on to the Endpoint Encryption device.

Policy Tampering Report

The following table explains the Endpoint Encryption Policy Tampering report. Use it to understand how to read the report details.

TABLE 4-9. Endpoint Encryption Policy Tampering Report Example

HEADER | EXAMPLE | DESCRIPTION

Event Timestamp | 07/02/2012 01:56 pm | When the event occurred.

Event | Policy Value Integrity Check Failed | The logged event including the authentication method.

Log Integrity Report

The following table explains the Endpoint Encryption Log Integrity report. Use it to understand how to read the report details.

TABLE 4-10. Endpoint Encryption Log Integrity Report Example

HEADER | EXAMPLE | DESCRIPTION

Event Timestamp | 07/02/2012 01:56 pm | When the event occurred.

Event | Audit Log Record Missing | The logged event including the authentication method.


Chapter 5

Policies

This chapter explains how to use policies and provides detailed information about individual policy setting values.

Topics include:

• Authentication Overview on page 5-2

• Policies in Control Manager on page 5-5

• Creating a Policy on page 5-9

• Configuring Endpoint Encryption Users Rules on page 5-13

• Configuring Full Disk Encryption Rules on page 5-15

• Configuring File Encryption Rules on page 5-17

• Configuring Common Policy Rules on page 5-19

• Migrating Groups to Control Manager on page 5-23


Authentication Overview

The primary form of protection that Endpoint Encryption delivers is prevention of unauthorized user access to encrypted endpoints and devices. Correctly configuring Endpoint Encryption devices, users, and policy groups prevents data loss risk from accidental information release or deliberate sabotage.

Devices on page 5-2 | Endpoint Encryption counts the amount of consecutive logon attempts on a given device and the amount of time since the last communication with PolicyServer for a given length of time. If a device violates the policy criteria, Endpoint Encryption can reset, lock, or erase the disk.

Users on page 5-3 | In addition to checking authentication attempts on a device, Endpoint Encryption also counts the amount of consecutive logon attempts by a particular user account. If that user violates the policy criteria, Endpoint Encryption can reset, lock, or erase the disk.

Groups on page 5-4 | Groups act as a container for users for policy management. Administrators and authenticators within a group have those special privileges only within that group, but unassigned administrators and authenticators have that role throughout the Enterprise.

For a complete list of the configurable methods to authenticate users and devices, see Authentication Methods on page 2-17.

Devices

Endpoint Encryption devices are Endpoint Encryption agents that have registered with PolicyServer. Installing any Endpoint Encryption agent automatically registers the endpoint with PolicyServer as a new Endpoint Encryption device. Since multiple Endpoint Encryption agents may protect a given endpoint, a single endpoint may appear as more than one Endpoint Encryption device on PolicyServer.

Depending on the policy settings, Endpoint Encryption takes one of the following actions when users make consecutive unsuccessful logon attempts on that device:

• Delay the next authentication attempt


• Lock the device

• Erase all data on the device

Note

To configure Endpoint Encryption devices, use the Endpoint Encryption Devices widget. See Endpoint Encryption Devices on page 4-15.
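The per-device and per-user counters described in this section, and the Attempts column of the Consecutive Unsuccessful Device Logon report (Table 4-8), modelled as an added example. This is not Trend Micro code: the pipe-separated event format, the user name mjones, the second device name TREND-9A1C44F0E, the LockoutPolicy field names and the thresholds are all constructed assumptions; the real thresholds are whatever the Lockout Actions policy rules (page 5-22) set.

```python
"""Added example (not Trend Micro code): a model of the consecutive
unsuccessful logon counters kept per device and per user, and of how a
threshold policy maps a run of failures to the delay / lock / erase actions.
The event format, the second device name, the policy field names and the
thresholds are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample events shaped after the Unsuccessful Device Logon report
# columns (Table 4-5): timestamp | device name | user name | event.
# TREND-9A1C44F0E and mjones are invented for the walk-through.
SAMPLE_EVENTS = """\
07/02/2012 01:50 pm|TREND-4136D2DB3|user325|Unsuccessful Fixed Password Login
07/02/2012 01:51 pm|TREND-4136D2DB3|user325|Unsuccessful Fixed Password Login
07/02/2012 01:52 pm|TREND-4136D2DB3|user325|Unsuccessful Fixed Password Login
07/02/2012 01:53 pm|TREND-4136D2DB3|mjones|Successful Fixed Password Login
07/02/2012 01:54 pm|TREND-4136D2DB3|user325|Unsuccessful Fixed Password Login
07/02/2012 01:55 pm|TREND-4136D2DB3|user325|Unsuccessful Fixed Password Login
07/02/2012 01:56 pm|TREND-4136D2DB3|user325|Unsuccessful Fixed Password Login
07/02/2012 01:57 pm|TREND-4136D2DB3|user325|Unsuccessful Fixed Password Login
07/02/2012 01:58 pm|TREND-4136D2DB3|user325|Unsuccessful Fixed Password Login
07/02/2012 02:00 pm|TREND-9A1C44F0E|user325|Unsuccessful Fixed Password Login
"""


@dataclass
class LogonEvent:
    when: datetime
    device: str
    user: str
    event: str

    @property
    def failed(self) -> bool:
        # The report's event text starts with "Unsuccessful" for failed logons.
        return self.event.startswith("Unsuccessful")


def parse_events(text: str) -> List[LogonEvent]:
    """Parse the constructed pipe-separated lines into LogonEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, user, event = line.split("|")
        events.append(LogonEvent(datetime.strptime(ts, "%m/%d/%Y %I:%M %p"),
                                 device, user, event))
    return events


@dataclass
class LockoutPolicy:
    """Hypothetical thresholds (assumed, not the guide's values)."""
    delay_after: int = 3               # failures before the next attempt is delayed
    lock_after: int = 5                # failures before the device is locked
    erase_after: Optional[int] = None  # failures before data is erased (None = never)

    def action(self, consecutive: int) -> str:
        if self.erase_after is not None and consecutive >= self.erase_after:
            return "erase"
        if consecutive >= self.lock_after:
            return "lock"
        if consecutive >= self.delay_after:
            return "delay"
        return "none"


def run_counter(events: List[LogonEvent],
                key: Callable[[LogonEvent], str]) -> Dict[str, dict]:
    """Replay the events in time order.  For each key (device or user name)
    track the current run of consecutive failures, the longest run seen and
    when it was reached.  A successful logon ends the run for that key only."""
    state: Dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e.when):
        s = state.setdefault(key(ev), {"current": 0, "peak": 0, "peak_at": None})
        if ev.failed:
            s["current"] += 1
            if s["current"] > s["peak"]:
                s["peak"], s["peak_at"] = s["current"], ev.when
        else:
            s["current"] = 0
    return state


def device_actions(events: List[LogonEvent], policy: LockoutPolicy) -> Dict[str, str]:
    """Action the device-level policy would have triggered, per device."""
    return {d: policy.action(s["peak"])
            for d, s in run_counter(events, lambda e: e.device).items()}


def user_actions(events: List[LogonEvent], policy: LockoutPolicy) -> Dict[str, str]:
    """Action the user-level policy would have triggered, per user account."""
    return {u: policy.action(s["peak"])
            for u, s in run_counter(events, lambda e: e.user).items()}


def consecutive_device_logon_report(events: List[LogonEvent]) -> List[Tuple[datetime, str, int]]:
    """Rows shaped like Table 4-8: (Event Timestamp, Device Name, Attempts), longest run first."""
    rows = [(s["peak_at"], device, s["peak"])
            for device, s in run_counter(events, lambda e: e.device).items()
            if s["peak"] > 0]
    return sorted(rows, key=lambda r: r[2], reverse=True)
```

Note how the two counters diverge on the same data: the successful logon by mjones resets the device counter for TREND-4136D2DB3 (longest run 5), but not user325's own counter, which keeps climbing across both devices (run of 9). That is why the guide keeps a device rule and a user rule side by side.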

Users

Endpoint Encryption users are any user account manually added to PolicyServer or synchronized with Active Directory.

Endpoint Encryption has several types of account roles and authentication methods for comprehensive identity-based authentication and management. Using Control Manager or PolicyServer MMC, you can add or import user accounts, control authentication, synchronize with Active Directory, and manage policy group membership, as needed.

The following table describes the Endpoint Encryption user roles:

ROLE | DESCRIPTION

Administrator | Administrators may access the management consoles and perform any configurations within their domain. This role has different rights depending on the level at which the administrator role is added:
              | • Enterprise administrator: These administrators have control over all policies, groups, users, and devices in the enterprise.
              | • Group administrator: These administrators have control over users and devices that authenticate within a specific group. Control Manager makes a group for each policy, so these administrators may also be known as “policy administrators”.

Authenticator | Authenticators provide remote assistance when users forget their Endpoint Encryption passwords or have technical problems. This role has different rights depending on the level at which the authenticator role is added:
              | • Enterprise authenticator: These authenticators can assist any users in the enterprise.
              | • Group authenticator: These authenticators can assist any users within a specific group. Control Manager makes a group for each policy, so these authenticators may also be known as “policy authenticators”.

User | Basic end users have no special privileges. The user role may not log on to the Endpoint Encryption management consoles. Unless allowed by PolicyServer, the user role also may not use recovery tools.

Note

To configure Endpoint Encryption users, use the Endpoint Encryption Users widget. See Endpoint Encryption Users on page 4-8.

Groups

Endpoint Encryption manages policies by user groups. Groups management differs between PolicyServer MMC and Control Manager. After modifying policies and groups, PolicyServer synchronizes groups across both consoles.

Important

Control Manager always takes precedence over PolicyServer MMC for policy and group assignment. Any modifications to the group assignment in PolicyServer MMC are automatically overwritten the next time that Control Manager synchronizes with PolicyServer.


CONSOLE | GROUP MANAGEMENT

Control Manager | Endpoint Encryption automatically creates a group each time a policy with specific targets is deployed. After deployment, modify the groups a user is in from the Endpoint Encryption Users widget, and modify the users in the policy from the Policy Management screen.

PolicyServer MMC | Add and modify groups directly from the left pane of PolicyServer MMC. Groups in PolicyServer MMC can be assigned as follows:
                 | • Top Group: Top Groups are the highest level of groups under the Enterprise. Each Top Group has a unique node underneath the Enterprise.
                 | • Subgroup: Subgroups are created within Top Groups. Subgroups inherit the policies of the Top Group on creation, but do not inherit changes made to the Top Group. Subgroups may not be more permissive than the Top Group.
                 | Note
                 | You must manually assign devices and users to each subgroup. Adding Endpoint Encryption users to a subgroup does not automatically add the users to the Top Group. However, you can add users to both the Top Group and subgroup.

Note

To configure the users within a policy group on Control Manager, use the Endpoint Encryption Users widget. See Endpoint Encryption Users on page 4-8.

To configure users within a policy group on PolicyServer MMC, see the Endpoint Encryption PolicyServer MMC Guide.

Policies in Control Manager

The policy list displays the information and status of policies created by all users. When a new endpoint registers to Control Manager, it goes through the filtered policies in the list in descending order. Control Manager assigns the new endpoint to a filtered policy when the following conditions are both satisfied:


• The new endpoint matches the target criteria of the policy

• The policy creator has the permission to manage the new endpoint

The following table describes the items in the policy list.

MENU ITEM | DESCRIPTION

Priority | This column is not used in Endpoint Encryption. This column only displays the following:
         | • Locked: The policy has been created and is being used.
         | • Blank: The policy is a draft and is not currently being used.

Policy | Displays the name of the policy.

Targets | Displays how administrators select targets for the policy.
        | • Specified: Uses the browse or search function to select specific targets for the policy. Specified policies remain static on the top of the policy list and take priority over filtered policies.
        | • Filtered: This option is not used in Endpoint Encryption.
        | • None: The policy creator saved the policy as a draft without selecting any targets.

Deployed | Displays the number of targets that have applied the policy settings.

Pending | Displays the number of targets that have not applied the policy settings. Click the pending number to check the policy status.

Creator | Displays the user who created the policy.

Endpoints/Products without policies | Displays the number of managed products or endpoints to which Control Manager has not assigned a policy.

Total endpoints/products | Displays the number of managed products or endpoints available for policy management.

Note

The numbers in Deployed, Pending, Endpoints/Products without policies, and Total endpoints/products only reflect the endpoints or managed products an administrator has the permissions to manage.

Policy Options

Policy management allows administrators to enforce product settings on managed products and endpoints from a single management console. Administrators create a policy by selecting the targets and configuring a list of product settings.

Control Manager policies have the following attributes:

TABLE 5-1. Control Manager Policy Options

ATTRIBUTE | DESCRIPTION

Policy name | The name of the policy configuration.

Targets | Administrators can select targets to assign to their policies. The target selection method determines the policy type and how the policy works.
        | Administrators can manually select targets or use a filter to automatically assign targets to their policies. The target selection method determines the policy type and how the policy works.
        | See Policy Types on page 5-9 for more information about policy types.
        | To include a managed product or endpoint as the target, make sure the product version of the managed product or endpoint supports policy management in Control Manager. The Policy Template Settings screen contains information about supported product versions.

Settings | Once Control Manager deploys a policy to the targets, the settings defined in the policy overwrite the existing settings in the targets. Control Manager enforces the policy settings in the targets every 24 hours. Although local administrators can make changes to the settings from the managed product console, the changes are overwritten every time Control Manager enforces the policy settings.
         | Note
         | Since policy enforcement only occurs every 24 hours, the product settings in the targets may not align with the policy settings if local administrators make changes through the managed product console between the enforcement period.

Note

Make sure to use the Product Directory to move the managed PolicyServer instance from the New Entity folder to the Endpoint Encryption folder in the Product Directory.


Policy Types

Control Manager provides three types of policies administrators can create. Each policy type differs in the target selection method, which affects how a policy works. The policy list arranges the policy types in the order described in the following table.

TABLE 5-2. Policy Types

POLICY TYPE | DESCRIPTION

Specified | • Uses the search or browse function to locate specific targets and manually assigns them to the policy
          | • Useful when administrators plan to deploy specific settings only to certain targets
          | • Remains static on the top of the policy list and takes priority over any filtered policies

Filtered | Note
         | Endpoint Encryption does not support filtered policies.

Draft | Allows administrators to save policy settings as a draft without selecting any targets. Control Manager saves draft policies with the lowest priority at the bottom of the list.

Creating a Policy

The following procedure explains how to configure a Control Manager policy that affects Endpoint Encryption users and devices.

Procedure

1. Set up your Endpoint Encryption users and devices.

Endpoint Encryption user and device configuration uses the Endpoint Encryption Users and Endpoint Encryption Devices widgets. See Endpoint Encryption Users on page 4-8 and Endpoint Encryption Devices on page 4-15 respectively.


If your environment includes Active Directory, ensure that you have configured Active Directory and synchronized all users. See Active Directory Synchronization on page 3-21.

For a general description of the authentication process, see Authentication Overview on page 5-2.

2. Go to the Create Policy screen.

a. Go to Policies > Policy Management.

b. From the Product drop-down list, select Endpoint Encryption.

c. Click Create.

The Create Policy screen appears.

3. Specify a policy name.

4. Select one of the following policy target options:

• None (Draft Only): Create a policy with no targets (endpoints)

A policy with no targets may not be deployed. After creating a draft policy, edit the policy later to specify targets and deploy it to your environment.

• Filter by Criteria: Endpoint Encryption does not support filtering by criteria

• Specify Target(s): Specify existing endpoints.


Note

For more information about policy targets, see Specifying Policy Targets on page 5-11.

5. Specify Endpoint Encryption policy settings.

Endpoint Encryption settings are divided into the following rule sets:

RULE SET | REFERENCE

Users | Configuring Endpoint Encryption Users Rules on page 5-13

Full Disk Encryption | Configuring Full Disk Encryption Rules on page 5-15

File Encryption | Configuring File Encryption Rules on page 5-17

Common | Configuring Common Policy Rules on page 5-19

6. Click Save.

Specifying Policy Targets

Use the Specify Target(s) screen to assign Endpoint Encryption devices to the policy.

Note

The Specify Target(s) screen is available when creating a new policy.

For information about creating a policy, see Creating a Policy on page 5-9.


FIGURE 5-1. Specifying Policy Targets

Procedure

1. From the Specify Target(s) screen, click the Browse tab.

2. From the left pane, expand the tree to select the managed folder.

Example: CM-PI-2K8 > Local Folder > TMEE > TMEE > QA2

3. Select any appropriate Endpoint Encryption devices, or select the top check box to select all Endpoint Encryption devices listed on the current page.

4. Click Add Selected Targets.

Note

To immediately select all devices in the managed folder, click Add All from Selected Folder.

“View Action List” and “View Results” update based on the selection.


5. Click OK.

Configuring Endpoint Encryption Users Rules

The following procedure explains the configurable options for policy rules that affect authentication and Endpoint Encryption user accounts.

Procedure

1. Create a new Endpoint Encryption policy.

See Creating a Policy on page 5-9.

2. Click Users.

The Users policy rules settings appear.

FIGURE 5-2. Endpoint Encryption Users Policy Rules

3. If users require domain authentication, select Enable domain authentication under Domain User Settings.

If you selected Enable domain authentication, specify the server information for your Active Directory (AD) account.


a. Configure the AD domain name.

b. Configure the host name of the AD server.

c. Select the server type:

• LDAP

• LDAP proxy

4. Under User Management, configure user access.

OPTION | DESCRIPTION

All Endpoint Encryption users | Allow all users, domain and local accounts, to authenticate Endpoint Encryption devices.

Active Directory users | Allow users from organizational units (OUs) within an AD to authenticate Endpoint Encryption devices.
                       | Note
                       | Select Enable domain authentication to enable the Active Directory users option.
                       | To configure domain authentication, see Active Directory Synchronization on page 3-21.

Select specific users | Specify which already added Endpoint Encryption users can authenticate to managed endpoints.
                      | Note
                      | In order to select specific users with this option, you must populate the user list. Add OUs with the Active Directory users option or add users with the Endpoint Encryption Users widget.
                      | For more information about the Endpoint Encryption Users widget, see Endpoint Encryption Users on page 4-8.

5. If you selected Active Directory users, add OUs to the policy by their distinguished name.

After selecting Active Directory users, the following additional options appear:

OPTION DESCRIPTION

User name: Specify your Active Directory user name.

Password: Specify your Active Directory password.

Distinguished name: Specify each OU by its sequence of relative distinguished names (RDNs), separated by commas, from the OU itself down to the domain components.

Example: OU=TW, DC=mycompany, DC=com

After specifying the OU distinguished name, click OK.

Important: Endpoint Encryption supports up to 12 OUs per policy.
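
As an added example (not code from this guide or from Trend Micro), the following Python script checks OU entries before they are typed into the policy: it splits each distinguished name into RDNs using the RFC 4514 rule that a backslash escapes a literal comma, requires that the leftmost RDN be an OU inside a domain, folds duplicates, and enforces the 12-OU limit stated above. The function names, the OU_LIMIT constant and the sample entries are this example's own.

```python
"""Validate the OU distinguished names given to an Endpoint Encryption policy.

Added example, not Trend Micro code. Models two rules from the guide: each OU is
written as comma-separated RDNs (RFC 4514 syntax), and a policy holds at most
12 OUs. OU_LIMIT and all function names are this example's own.
"""
from __future__ import annotations

OU_LIMIT = 12  # per-policy limit stated in the guide


def split_rdns(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes.

    A backslash makes the next character literal, so 'OU=Sales\\, EMEA,DC=x'
    yields the single OU value 'Sales, EMEA' rather than two RDNs.
    """
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])          # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns: list[tuple[str, str]] = []
    for part in parts:
        attr, sep, value = part.partition("=")
        attr, value = attr.strip().upper(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {part.strip()!r}")
        rdns.append((attr, value))
    return rdns


def _escape(value: str) -> str:
    """Re-escape backslashes and commas so the canonical DN stays unambiguous."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def normalize_ou_dn(dn: str) -> str:
    """Return a canonical 'OU=...,DC=...' string or raise ValueError.

    The leftmost RDN must be an OU (the option targets OUs, not single users or
    whole domains) and at least one DC component must follow, so the DN names
    an OU inside a domain. DC values are DNS labels and are lower-cased.
    """
    rdns = split_rdns(dn)
    if rdns[0][0] != "OU":
        raise ValueError(f"not an OU distinguished name: {dn!r}")
    if not any(attr == "DC" for attr, _ in rdns):
        raise ValueError(f"no DC components in {dn!r}")
    canon = [(a, v.lower() if a == "DC" else v) for a, v in rdns]
    return ",".join(f"{a}={_escape(v)}" for a, v in canon)


def build_ou_list(raw_dns: list[str]) -> list[str]:
    """Normalize, deduplicate and enforce the per-policy OU limit."""
    seen: dict[str, str] = {}
    for raw in raw_dns:
        norm = normalize_ou_dn(raw)
        seen.setdefault(norm.lower(), norm)   # AD name matching is case-insensitive
    ous = list(seen.values())
    if len(ous) > OU_LIMIT:
        raise ValueError(f"{len(ous)} OUs exceed the limit of {OU_LIMIT} per policy")
    return ous


if __name__ == "__main__":
    # Constructed sample input; the third entry repeats the first in different case.
    sample = [
        "OU=TW, DC=mycompany, DC=com",
        "OU=Sales\\, EMEA, OU=TW, DC=MyCompany, DC=COM",
        "ou=tw, dc=mycompany, dc=com",
    ]
    for ou in build_ou_list(sample):
        print(ou)
```

Run stand-alone, the script prints the two distinct OUs from the constructed sample; the third entry repeats the first in different case and is dropped because Active Directory name matching is case-insensitive. Entries that are not OUs, such as a user CN or a bare domain, are rejected rather than silently accepted.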

Configuring Full Disk Encryption Rules

The following procedure explains the configurable options for policy rules affecting Full Disk Encryption devices.

Note

Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker do not require authentication and are not affected by authentication policies. Client, login, password, and authentication policies, and the policy allowing the user to uninstall the Endpoint Encryption agent software, only affect the Full Disk Encryption and File Encryption agents.

Procedure

1. Create a new Endpoint Encryption policy.

See Creating a Policy on page 5-9.

2. Click Full Disk Encryption.

The Full Disk Encryption policy rules settings appear.

FIGURE 5-3. Full Disk Encryption Policy Rules

3. Under Encryption, select Encrypt device to start full disk encryption when the Endpoint Encryption agent synchronizes policies with PolicyServer.

WARNING!

Do not deploy encryption to Full Disk Encryption agents without first preparing the endpoint's hard drive.

For information about preparing the hard drive, see Full Disk Encryption Deployment Outline in the Endpoint Encryption Installation Guide.

4. Under Agent Settings, select the following options:

• Select Bypass Full Disk Encryption Preboot to allow the user to authenticate directly into Windows without the protection of preboot authentication.

• Select Users are allowed to access system recovery utilities on the device to allow the user to access the Recovery Console.

For information about configurable options and available tools in Full Disk Encryption, see Recovery Console on page 9-3.

5. Under Notifications, configure the following options:

• Select If found, display the following message on the device to show a message when the If Found policy is active.

• Select Display Technical Support contact information to show a message after the user logs on to the Full Disk Encryption agent.

• Select Show a legal notice to show the specified legal message at start up or only after installing the Full Disk Encryption agent.

Configuring File Encryption Rules

The following procedure explains the configurable options for policy rules affecting File Encryption devices.

Procedure

1. Create a new Endpoint Encryption policy.

See Creating a Policy on page 5-9.

2. Click File Encryption.

The File Encryption policy rules settings appear.

FIGURE 5-4. File Encryption Policy Rules

3. Under Folder to Encrypt, specify folders that are automatically created and encrypted on the endpoint when the File Encryption agent synchronizes policies.

4. Under Encryption Key, select the encryption key for the File Encryption encrypted folder.

• User key: Use a unique key for each Endpoint Encryption user. Only the Endpoint Encryption user can decrypt files that he or she encrypted.

• Policy key: Use a unique key for each policy. Only Endpoint Encryption users and devices in the policy can decrypt files.

• Enterprise key: Any Endpoint Encryption user or device in the Enterprise can decrypt the files.

Note

Selecting Policy key or Enterprise key controls the sharing for the File Encryption shared key. For more information, see File Encryption Actions on page 7-3.

5. Under Storage Devices, configure the following options:

• Select Disable optical drives to control whether removable optical media is accessible from the endpoint.

• Select Disable USB drives to control when the USB ports are disabled. Options are:

• Always

• Logged out

• Never

• Select Encrypt all files and folders on USB devices to automatically encrypt all the files and folders on removable drives when they are plugged into the endpoint.

• Select Specify the file path to encrypt on USB devices to add or remove encrypted folders on USB drives. If a folder does not exist, it is created. If no drive letter is specified, all USB devices are affected.

6. Under Notifications, select Show a legal notice to show the specified legal message at start up or only after installing the File Encryption agent.

Configuring Common Policy Rules

This section explains the configurable options for policy rules affecting all Endpoint Encryption devices.

Procedure

1. Create a new Endpoint Encryption policy.

See Creating a Policy on page 5-9.

2. Click Common.

The Common policy rules settings appear.

FIGURE 5-5. Common Policy Rules

3. Under Allow User to Uninstall, select Allow User (non-administrator) accounts to uninstall agent software to allow any Endpoint Encryption user to uninstall the agent.

Note

By default, only Administrator accounts can uninstall Endpoint Encryption agents.

4. Under Lockout and Lock Device Actions, configure the following options:

• Select Lock account after <number> days to specify the number of days without policy synchronization after which the Endpoint Encryption device locks.

• Use Account lockout action to specify whether the remote authentication or erase action occurs at lockout.

Note

For information about lock options, see Lockout Actions on page 5-22.

• Select Failed log on attempts allowed to specify how many times a user can attempt to authenticate before the Endpoint Encryption device locks.

• For Full Disk Encryption and File Encryption devices, separately configure the following:

• Use Device locked action to specify whether the "Remote Authentication" or the "Erase" action occurs at lockout.

Note

For information about lock options, see Lockout Actions on page 5-22.

• Use Number of minutes to lock device to specify how long the time delay locks the Endpoint Encryption device from authentication.

5. Under Password, configure the following options:

• Select Users must change password after <number> days to control when a user is prompted to update the password.

• Select Users cannot reuse the previous <number> passwords to specify how many previous passwords the user may not reuse.

• Select Number of consecutive characters allowed in a password to specify how many repeated characters a user may use in a password.

• Select Minimum length allowed for passwords to specify how many characters the user is required to use in the password.

6. Under Password Requirements, specify the password character limitations.

• Letters

• Lowercase characters

• Uppercase characters

• Numbers

• Symbols

Important

The sum total of letters, numbers, and symbols cannot exceed 255 characters.
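
The following Python script is an added example (not Trend Micro code) that applies the Password and Password Requirements rules above to a candidate password: maximum age, a history the user may not reuse, the limit on consecutive identical characters, minimum length, and minimum counts per character class whose sum may not exceed 255. PolicyServer's own enforcement and storage are not described by the guide; the PasswordPolicy fields, the salted PBKDF2 digests used for the history and the sample passwords are assumptions of this example.

```python
"""Evaluate a candidate password against the Common policy password rules.

Added example, not Trend Micro code. It implements the rules the guide lists
under Password and Password Requirements: a maximum password age, a history of
previous passwords that may not be reused, a limit on consecutive identical
characters, a minimum length, and minimum counts of letters, lowercase,
uppercase, numbers and symbols whose sum may not exceed 255. The PasswordPolicy
fields, the salted PBKDF2 history and all function names are this example's
own; the guide does not say how PolicyServer stores password history.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_REQUIREMENT_SUM = 255   # guide: letters + numbers + symbols cannot exceed 255
PBKDF2_ROUNDS = 100_000


@dataclass(frozen=True)
class PasswordPolicy:
    max_age_days: int = 90        # "Users must change password after <number> days"
    history_size: int = 5         # "Users cannot reuse the previous <number> passwords"
    max_consecutive: int = 2      # "Number of consecutive characters allowed"
    min_length: int = 8           # "Minimum length allowed for passwords"
    letters: int = 1              # Password Requirements: minimum count per class
    lowercase: int = 1
    uppercase: int = 1
    numbers: int = 1
    symbols: int = 1

    def __post_init__(self) -> None:
        total = self.letters + self.numbers + self.symbols
        if total > MAX_REQUIREMENT_SUM:
            raise ValueError(f"requirement sum {total} exceeds {MAX_REQUIREMENT_SUM}")


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def remember(password: str, history: list[tuple[bytes, bytes]],
             policy: PasswordPolicy) -> list[tuple[bytes, bytes]]:
    """Append a salted digest of an accepted password and trim to the history size."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))
    if policy.history_size <= 0:
        history.clear()
    else:
        del history[:-policy.history_size]
    return history


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character ('aaab' -> 3)."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def check_password(candidate: str, policy: PasswordPolicy,
                   history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the violated rules; an empty list means the password is acceptable."""
    problems: list[str] = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if longest_run(candidate) > policy.max_consecutive:
        problems.append(f"more than {policy.max_consecutive} consecutive identical characters")
    counts = {
        "letters": sum(c.isalpha() for c in candidate),
        "lowercase": sum(c.islower() for c in candidate),
        "uppercase": sum(c.isupper() for c in candidate),
        "numbers": sum(c.isdigit() for c in candidate),
        "symbols": sum(not c.isalnum() and not c.isspace() for c in candidate),
    }
    for name, have in counts.items():
        need = getattr(policy, name)
        if have < need:
            problems.append(f"needs at least {need} {name}, has {have}")
    # Compare against every remembered digest in constant time; no plaintext is kept.
    if any(hmac.compare_digest(_digest(candidate, salt), digest) for salt, digest in history):
        problems.append(f"reuses one of the previous {policy.history_size} passwords")
    return problems


def password_expired(set_at: datetime, now: datetime, policy: PasswordPolicy) -> bool:
    """True once the password is older than the policy's maximum age."""
    return now - set_at > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=10, history_size=3)
    history: list[tuple[bytes, bytes]] = []
    remember("Tr3nd-Micro!", history, policy)       # constructed sample passwords
    for pw in ("Tr3nd-Micro!", "aaab1!XyzW", "N3w-Passw0rd"):
        print(pw, "->", check_password(pw, policy, history) or "ok")
```

The history holds only salted digests, compared in constant time, so a reuse check never needs the old passwords in clear. Whether the product counts a run of exactly <number> characters as allowed or as a violation is not stated in the guide; the example treats <number> as the longest run that is still allowed.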

Lockout Actions

Some policies have settings to lock out a user account or to lock a device based on certain criteria. Account lockout and device lockout actions affect the Endpoint Encryption device whether or not the agent synchronizes policies with PolicyServer. For example, if the Endpoint Encryption agent does not communicate with PolicyServer for a certain period of time, the Endpoint Encryption agent automatically locks the Endpoint Encryption device. Use the tables below to understand the actions available for the account lockout and device lock actions.

The following table describes when the lockout actions occur:

TYPE DESCRIPTION

Account lockout: Account lockout actions take effect when the Endpoint Encryption agent does not communicate with PolicyServer for a certain period of time, as set by the policy.

Full Disk Encryption device lockout: Full Disk Encryption device lockout actions take effect when the Endpoint Encryption user exceeds the number of unsuccessful logon attempts to that Full Disk Encryption device, as set by the policy.

File Encryption device lockout: File Encryption device lockout actions take effect when the Endpoint Encryption user exceeds the number of unsuccessful logon attempts to that File Encryption device, as set by the policy.

The options for lockout actions are as follows:

ACTION DESCRIPTION

Erase: PolicyServer erases all data controlled by the associated Endpoint Encryption agent.

WARNING! The Endpoint Encryption user cannot recover the erased data.

Remote authentication: PolicyServer locks the Endpoint Encryption device until the Endpoint Encryption user contacts an authenticator or Support and receives Remote Help authentication. See Remote Help on page 2-19.

Time delay: PolicyServer temporarily locks the Endpoint Encryption device and notifies the Endpoint Encryption user that the device is locked. The ability to authenticate or reset the password is disabled during the time delay. The duration of the time delay is determined by policy. Once the time delay has expired, the user is permitted to authenticate.
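
To make the two tables concrete, the following Python script is an added example (not Trend Micro code) that simulates a single device under these rules: failed logons beyond the policy limit trigger the device locked action, days without a PolicyServer synchronization beyond the account limit trigger the account lockout action, and each of Erase, Remote authentication and Time delay is applied as the tables describe. The Action enum, the Device class and its method names are this example's own, as is the choice to reset the failed-attempt counter whenever a lock is applied.

```python
"""Simulate the Common policy lockout rules for one Endpoint Encryption device.

Added example, not Trend Micro code. It applies the guide's two triggers (more
failed logons than the policy allows locks the device; too many days without a
PolicyServer synchronization locks the account) and its three actions (Erase,
Remote authentication, Time delay). The Action enum, the Device class and the
way the time delay and the pending Remote Help state are tracked are this
example's own; the guide does not describe the agent's internal state.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Action(Enum):
    ERASE = "erase"                          # data under the agent is destroyed; not recoverable
    REMOTE_AUTH = "remote_authentication"    # locked until a Remote Help response code is entered
    TIME_DELAY = "time_delay"                # locked for a policy-defined number of minutes


@dataclass(frozen=True)
class LockoutPolicy:
    failed_attempts_allowed: int = 5                      # "Failed log on attempts allowed"
    device_locked_action: Action = Action.TIME_DELAY      # "Device locked action"
    lock_minutes: int = 15                                # "Number of minutes to lock device"
    account_lock_days: int = 30                           # "Lock account after <number> days"
    account_lockout_action: Action = Action.REMOTE_AUTH   # "Account lockout action"


@dataclass
class Device:
    policy: LockoutPolicy
    last_sync: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None   # set by TIME_DELAY
    awaiting_remote_help: bool = False        # set by REMOTE_AUTH
    erased: bool = False                      # set by ERASE, never cleared

    def _apply(self, action: Action, now: datetime) -> str:
        if action is Action.ERASE:
            self.erased = True
        elif action is Action.TIME_DELAY:
            self.locked_until = now + timedelta(minutes=self.policy.lock_minutes)
        else:
            self.awaiting_remote_help = True
        self.failed_attempts = 0
        return f"locked: {action.value}"

    def synchronize(self, now: datetime) -> None:
        """Record a successful policy synchronization with PolicyServer."""
        self.last_sync = now

    def attempt_logon(self, password_ok: bool, now: datetime) -> str:
        """Process one preboot logon attempt and return the resulting state."""
        if self.erased:
            return "erased"
        if self.awaiting_remote_help:
            return "locked: remote authentication required"
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked: time delay in effect"
            self.locked_until = None              # delay expired, logon allowed again
        # Account lockout: the agent has not synchronized for longer than policy allows.
        if now - self.last_sync > timedelta(days=self.policy.account_lock_days):
            return self._apply(self.policy.account_lockout_action, now)
        if password_ok:
            self.failed_attempts = 0
            return "authenticated"
        self.failed_attempts += 1
        if self.failed_attempts > self.policy.failed_attempts_allowed:
            return self._apply(self.policy.device_locked_action, now)
        return "denied"

    def remote_help(self, response_ok: bool) -> str:
        """Complete the Remote Help challenge/response that clears a REMOTE_AUTH lock."""
        if self.awaiting_remote_help and response_ok:
            self.awaiting_remote_help = False
            return "authenticated"
        return "denied"


if __name__ == "__main__":
    t0 = datetime(2016, 3, 1, 9, 0)      # constructed timeline
    dev = Device(LockoutPolicy(failed_attempts_allowed=3, lock_minutes=10), last_sync=t0)
    for minute in range(5):              # four bad passwords, then one more while locked
        print(dev.attempt_logon(False, t0 + timedelta(minutes=minute)))
    print(dev.attempt_logon(True, t0 + timedelta(minutes=15)))
```

The erased state is final, which mirrors the warning above: an Erase action cannot be undone by Remote Help or by waiting. A device locked for remote authentication stays locked until a valid response code is entered, and a device that was locked for not synchronizing locks again on the next logon unless it synchronizes after Remote Help unlocks it.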

Migrating Groups to Control Manager

Use the following procedure to add existing groups from PolicyServer MMC to Control Manager.

Procedure

1. Log on to PolicyServer MMC.

2. Gather the following information:

• Total number of groups, their names, and the subgroups

• All users assigned to each group

• The policy configuration of each group

3. Log on to Control Manager.

4. For each group in PolicyServer MMC, configure a new policy that matches the corresponding group policy configuration.

Note

Subgroups are not supported in Control Manager. To replicate the subgroup policy settings, create a separate policy for each subgroup.

5. Add users to each corresponding new policy.

6. Deploy each policy.

Chapter 6

Full Disk Encryption

Full Disk Encryption provides comprehensive endpoint data security using mandatory strong authentication and full disk encryption. Full Disk Encryption secures not only the data files, but also all applications, registry settings, temporary files, swap files, print spoolers, and deleted files. Until the user is validated, strong preboot authentication restricts access to the vulnerable host operating system.

The Full Disk Encryption agent uses the FIPS-compliant XTS-AES encryption algorithm and mandatory authentication to make data inaccessible without authentication. Full Disk Encryption prevents data loss by encrypting the whole drive, including operating system, program, temporary, and end user files. Administrators can choose either a 128-bit or a 256-bit key size depending on the need for encryption strength or performance in their environment.

Full Disk Encryption allows for the flexibility to use either software-based encryption or hardware-based encrypted hard drives as needed. Seagate DriveTrust™, OPAL, OPAL2, and SanDisk™ self-encrypting solid-state drives are supported. While hardware-based encryption is simpler to deploy on new hardware, easier to maintain, and offers a higher level of performance, software-based encryption does not require any special hardware and is cheaper to deploy to existing endpoints.

Trend Micro PolicyServer controls policies affecting Full Disk Encryption, ensuring complete endpoint security centrally managed across the Enterprise. Full Disk Encryption is network-aware and updates policies before allowing authentication. You can also remotely lock or wipe data on the endpoint before the operating system or any other sensitive data is accessed.

Topics include:

• Full Disk Encryption Tools on page 6-3

• Full Disk Encryption Context Menu on page 6-4

• Full Disk Encryption Preboot on page 6-5

• Full Disk Encryption Policy Synchronization on page 6-19

• Patch Management with Full Disk Encryption on page 6-21

Full Disk Encryption Tools

The following table describes the various tools available for Endpoint Encryption.

TOOL DESCRIPTION

Context Menu: Access the Full Disk Encryption agent from the Full Disk Encryption icon in the system tray. From the context menu, you can view the device encryption status and synchronize with PolicyServer. See Full Disk Encryption Context Menu on page 6-4.

Preboot: Authenticate with PolicyServer through the Full Disk Encryption preboot. The preboot loads when the endpoint starts, before Windows loads. Use the Full Disk Encryption preboot to configure your network and Wi-Fi settings and troubleshoot issues with credentials.

Command Builder: Use Command Builder to generate scripts for automated installations and to create encrypted values for credentials when creating the scripts. For more information, see the Endpoint Encryption Installation Guide.

Command Line Helper: Use Command Line Helper to create encrypted values to secure credentials when creating an installation script. See Using the Command Line Helper on page 6-22.

DAAutoLogin: Use DAAutoLogin for Windows patching. DAAutoLogin allows for a one-time bypass of the Endpoint Encryption preboot. See Patching Process for Full Disk Encryption on page 6-23.

Recovery Console: Use Recovery Console to recover from an operating system critical error, troubleshoot network issues, and manage users or logs. See Recovery Console on page 9-3.

Recovery Tool: Use the bootable Repair CD to decrypt the hard disk before removing Full Disk Encryption in the event that the disk becomes corrupted. Only use the Repair CD if standard removal methods are not possible. A typical symptom of a corrupted disk is a black screen.

See Recovery Tool on page 9-16.

Full Disk Encryption Context Menu

Use the Full Disk Encryption icon in the system tray to access the Full Disk Encryption agent. Right-click the agent icon to display the menu items. The following table explains the available menu options.

TABLE 6-1. Full Disk Encryption Agent Menu Options

MENU ITEM FUNCTION

Synchronize Policies: Manually download policy updates from PolicyServer.

Note: Full Disk Encryption agents can synchronize policies without user authentication.

Full Disk Encryption agents automatically update policy settings based on your PolicyServer configurations. For more information, see Policy Synchronization on page 7-17.

Hide Icon: Temporarily removes the Full Disk Encryption tray icon. To show the Full Disk Encryption tray icon again, run Full Disk Encryption from your desktop or Start menu.

About Full Disk Encryption: Displays Full Disk Encryption information including version, last synchronization time, and authenticated user. The Encryption Status tab displays the status of each individual disk managed by this agent.

Online Help: View the Full Disk Encryption documentation online.

Full Disk Encryption Preboot

After installing Full Disk Encryption, the Full Disk Encryption preboot appears before Windows loads. The Full Disk Encryption preboot ensures that only authorized users are able to access endpoints and updates local security policies when connected to PolicyServer.

Note

Use PolicyServer MMC to optionally make the user name case sensitive.

FIGURE 6-1. The Full Disk Encryption Preboot Screen

Menu Options

There are several options available in the upper-left menu of the Full Disk Encryption preboot.

TABLE 6-2. Full Disk Encryption Preboot Menu Options

MENU ITEM DESCRIPTION

Authentication: Change the authentication method used to log on to Endpoint Encryption devices.

Communications: Manually synchronize with PolicyServer.

Note: The Communications menu item is not available for unmanaged endpoints.

Computer: View information about Full Disk Encryption, view your network information, change the keyboard layout, access the on-screen keyboard, or restart or shut down the endpoint.

Network Connectivity

The network connection icon appears in the upper-right corner when Full Disk Encryption is installed as a managed endpoint. The icon is only highlighted when the device is connected to the network and has communication with PolicyServer. When Full Disk Encryption is unmanaged, the network icon never displays.

Connecting to a Wireless Network

The wireless connection icon appears in the upper-right corner of the Full Disk Encryption preboot logon when the endpoint has a detected wireless card installed. If there is no wireless card detected, the wireless network icon does not display.

Note

The Full Disk Encryption preboot cannot automatically detect the authentication type for WEP security. If the authentication type is WEP-OPEN or WEP-PSK, manually specify the security type.

If your enterprise policy does not allow Wi-Fi configuration, the All Access Points and Disconnect buttons are disabled.

For more information, see the Administrator's Guide for PolicyServer MMC.

Procedure

1. Click the wireless connection icon in the upper-right corner of the Full Disk Encryption preboot logon.

The Wireless Access screen appears.

2. Click All Access Points.

The Wireless Network Configuration screen appears.

3. Select your network.

• To use a listed network, select the SSID, then click OK.

• To configure an unlisted network, click Other Network, specify the SSID settings, then click Connect.

Important

Do not close the screen or restart your endpoint during configuration.

4. Click Close to complete the wireless network setup.

Network Information

View network and connection information from the Full Disk Encryption preboot by going to Menu > Computer > Network Information.

The Network Information screen includes the following:

SECTION DESCRIPTION

Hardware Information: This section shows the detected Ethernet controller.

Network Information: This section shows the network identification information for each Ethernet port, including the following:

• MAC address

• IPv4 and IPv6 addresses

• Subnet mask

• Default gateway

• Network link status, which shows whether the Ethernet port is connected or not

DNS Resolution: This section shows the DNS resolution results, including the servers and addresses contacted while looking up PolicyServer.

PolicyServer Information: This section shows the PolicyServer URL. If the URL includes the server host name, the Full Disk Encryption preboot must also perform host name resolution to find the associated IP address. If the URL instead includes the IP address of PolicyServer, the Full Disk Encryption preboot skips host name resolution.

PolicyServer Connection Status: This section shows whether the Full Disk Encryption preboot successfully connected to PolicyServer or not.

Click Reconnect to attempt to connect to PolicyServer again, or to refresh the current information.

On-Screen Keyboard

Access the on-screen keyboard from the Full Disk Encryption preboot by going to Menu > Computer > On-Screen Keyboard.

To insert the cursor in the desired field when the keyboard is displayed, click Focus on the bottom-right corner of the keyboard.

Changing the Keyboard Layout

Changing the keyboard layout affects both keystrokes and the on-screen keyboard. Once Windows boots, the keyboard layout is set by the Windows operating system. A restart is required to commit the keyboard layout changes.

Procedure

1. Go to Menu > Computer > Change Keyboard Layout.

The Select the keyboard language (layout) window appears.

2. Select a keyboard layout.

3. Click OK.

4. Click OK to restart the endpoint.

Changing Authentication Methods

Note

For information about authentication methods, see Authentication Methods on page 2-17.

Procedure

1. From the Full Disk Encryption preboot, select Change Password After Login.

2. Specify the user name and password.

3. Click Login.

The Change Password window appears. The interface is different for different authentication methods.

FIGURE 6-2. Example Of Changing A Fixed Password

4. From the upper-left menu, select Authentication, then select the desired authentication method.

The New Password window for the chosen authentication method appears.

5. Provide and confirm the new password, and then click Next.

The device boots into Windows.

Changing Passwords

The following procedure explains how to change the Endpoint Encryption user accountpassword using the Full Disk Encryption preboot.

Procedure

1. Specify the Endpoint Encryption user name and password.

2. Select Change Password After Login.

3. Click Login.

The Change Password window appears. The interface is different for different authentication methods.

FIGURE 6-3. Changing A Fixed Password Screen

4. Provide and confirm the new password, and click Next.

The device boots into Windows.

ColorCode

ColorCode™ is a unique authentication method designed for quick access and easy memorization. Rather than alphanumeric characters or symbols for the password, ColorCode authentication consists of a user-created color sequence (example: red, red, blue, yellow, blue, green).

FIGURE 6-4. ColorCode Authentication Screen

Creating a ColorCode Password

The total number of steps in the ColorCode (count) is defined by PolicyServer. The default count is six.

Procedure

1. Start the endpoint and wait for the Full Disk Encryption preboot to appear.

2. Follow the instructions to change passwords.

See Changing Passwords on page 6-11.

3. Change the authentication method to ColorCode.

Note

For information about changing authentication methods, see Changing Authentication Methods on page 6-10.

The ColorCode Change Password screen appears.

FIGURE 6-5. ColorCode Change Password Screen

4. Select the first color by clicking it using the square to the left.

The count increases by one.

5. Click additional colors in the sequence.

Tip

Click Back to change the last color clicked, or click Clear to start over.

6. After the sequence is complete, confirm the ColorCode password using the square to the right.

7. Click Next to finish.

Remote Help

Remote Help allows Group or Enterprise Authenticators to assist Endpoint Encryption users who are locked out and cannot log on to Endpoint Encryption devices, either after too many unsuccessful logon attempts or when too much time has passed since the last PolicyServer synchronization.

Note

Remote Help authentication is triggered by Endpoint Encryption device policy rules. Remote Help policy rules are configurable in both PolicyServer MMC and Control Manager.

Using Remote Help to Unlock Full Disk Encryption Devices

Important

• Restarting the Endpoint Encryption device resets the challenge code.

• Manually synchronizing policies with PolicyServer also resets the challenge code.

• The challenge code and response code are not case sensitive.

Procedure

1. From the Full Disk Encryption preboot, go to Menu > Authentication > Remote Help.

2. Provide the Challenge Code to the Policy/Group Administrator.

3. Specify the Response Code provided by the Policy/Group Administrator.

4. Click Login.

The Change Password screen appears.

Note

If the account uses domain authentication, the endpoint boots directly into Windows.

5. Specify and confirm new password, then click Next.

The device boots into Windows.

Smart Card

Smart card authentication requires both a PIN and a physical token to confirm the user identity. Smart card certificates are associated with the user account and the user's assigned group. Once registered, the user can use smart card authentication from any Endpoint Encryption device in that group. Users are free to use any Endpoint Encryption device in their group and do not need to ask for another one-time password.

To use smart card authentication, make sure that the following requirements are met:

• The smart card reader is connected to the endpoint and the smart card is inserted into the smart card reader.

• ActivClient 6.1 with all service packs and updates is installed.

• Specify the smart card PIN in the password field.

WARNING!

Failure to provide the correct PIN returns a password error and may result in the smart card being locked.

Note

Smart card authentication is only configurable with PolicyServer MMC.

Smart Card Registration

Smart card certificates are associated with the user account and the user's assigned group. Once registered, the user can use smart card authentication from any Endpoint Encryption device in that group. Users are free to use any Endpoint Encryption device in their group and do not need to ask for another one-time password.

Registering a Smart Card in Full Disk Encryption Preboot

Procedure

1. Follow the instructions to change passwords, then select Smart Card.

See the Administrator's Guide for PolicyServer MMC.

2. Insert the smart card in the reader.

3. Connect the reader to the endpoint.

4. Specify the user name and fixed password.

5. Click Continue.

6. At the confirmation message, click Continue.

7. At the Register Token window, do the following:

a. Type the new PIN provided by the Group or Enterprise Administrator.

b. Confirm the new PIN.

c. Select the smart card type from the Token drop-down list.

d. Click Continue to finish registering the smart card token.

Self Help

Self Help authentication allows Endpoint Encryption users who have forgotten their credentials to answer security questions and log on to Endpoint Encryption devices without getting Technical Support assistance. Self Help requires the Endpoint Encryption user to respond with answers to predefined personal challenge questions. Self Help can replace fixed password or other authentication methods.

Consider the following when choosing your authentication method or when configuringSelf Help:

• Self Help is not available for Administrator and Authenticator accounts.

• Self Help is not available for accounts that use domain authentication. PolicyServer is unable to change or retrieve previous domain passwords.

• Self Help has a maximum of six questions for each user account. Users may be unable to log on using Self Help if more than six questions are configured.

• Self Help is only configurable with PolicyServer MMC.

Setting Up Self Help

If the Self Help policy is enabled, the user is prompted to define answers for the Self Help questions after their first logon. If the user changes their password, they must define Self Help answers again.

Note

Self Help answers are stored on the device. If a user logs on to another Full Disk Encryption device, the user must define Self Help answers for that device.

Procedure

1. Provide the user name and password.

2. Click Login.

The Self Help window appears.

3. Define answers for all of the Self Help questions.

4. Click Next.

The device boots into Windows.

Using Self Help

Procedure

1. From the top-left menu of the Full Disk Encryption preboot, go to Menu > Authentication > Self Help.

The Self Help window appears.

2. Answer all of the Self Help questions.

3. Click Login.

4. Define a new password, and then click Next.

The device boots into Windows.

Changing Self Help Answers

Procedure

1. From the Full Disk Encryption preboot, provide the credentials, select Change Password After Login, then click Login.

The Change Password window appears.

2. Provide and confirm the new password, then click Next.

The Self Help window appears.

3. Define new answers for all Self Help questions, then click Next.

The Endpoint Encryption device boots into Windows.

Full Disk Encryption Policy Synchronization

The following list explains the events that initiate policy synchronization between agents and PolicyServer:

• After the operating system loads and the agent service starts

For information about Endpoint Encryption services, see Endpoint Encryption Services on page C-1.

• When the Full Disk Encryption preboot starts

• At regular intervals based on the PolicyServer synchronization policy

• Manually, from the agent context menu or from the Full Disk Encryption preboot

See Manually Updating Full Disk Encryption Agents on page 6-21.

Note

Device actions initiate after the agent receives policy updates.

Full Disk Encryption Connectivity Requirements

Endpoint Encryption uses a FIPS 140-2 approved encryption process for data passed between the Full Disk Encryption preboot and PolicyServer. Full Disk Encryption agents that have network connectivity to PolicyServer can receive policy updates and upload audit data from the agent. All client-server communications are internally encrypted and can be sent over insecure connections such as the Internet.

You can place PolicyServer within a DMZ (demilitarized zone) for access to both internal networks and the Internet. For information about different network topology configurations, see the Endpoint Encryption Installation Guide.

TABLE 6-3. Full Disk Encryption Connectivity Requirements

RESOURCE FUNCTION

PolicyServer: Updated security policies are sent from PolicyServer to the Full Disk Encryption preboot, or to the agent over connectivity established within Windows (LAN or VPN).

TCP/IP Access: Network connectivity requires full TCP/IP network access; dial-up or telephone access cannot be used to provide connectivity with PolicyServer during preboot authentication.

Port: Endpoint Encryption agents communicate using port 8080 by default. To change the default port number, go to Recovery Console and update the PolicyServer settings. For details, see Changing the Full Disk Encryption PolicyServer on page 9-13.


Manually Updating Full Disk Encryption Agents

Full Disk Encryption agents automatically receive policy updates from PolicyServer at intervals determined by policy.

Do either of the following to manually update policies.

Procedure

• Use the Full Disk Encryption preboot.

a. Go to Communications > Synchronize policies.

b. Go to Computer > About Full Disk Encryption.

The timestamp of the latest PolicyServer policy synchronization displays.

• Use the Full Disk Encryption agent.

a. Double-click the Full Disk Encryption icon in the Windows system tray.

The Full Disk Encryption agent opens.

b. Click Synchronize with PolicyServer.

After a moment, PolicyServer enforces all new policy changes.

Patch Management with Full Disk Encryption

Use the Command Line Helper and DAAutoLogin together to run Windows patch management on devices with Full Disk Encryption installed. Command Line Helper creates encrypted values for scripts, and DAAutoLogin grants a one-time bypass of the Full Disk Encryption Preboot.

Use DAAutoLogin in various combinations to accomplish different needs. Patches can be pushed out and followed by a script that uses DAAutoLogin to send a reboot command, so that the device displays the Windows GINA for confirmation of successful patching, or so that another round of patches can be deployed.

DAAutoLogin accepts the following switches:


DAAutoLogin <pre-boot Username> <pre-boot Password> [<DomainName> <Domain Username> <Domain Password>]

Each value is passed in this order, separated by a space. Adding the domain switches allows for Windows authentication.

Note

• Make sure to run both tools on a Full Disk Encryption device.

• Both tools are available in the tools folder of the zip file received from Trend Micro. For assistance, contact Trend Micro Support.

Using the Command Line Helper

Command Line Helper enables encrypted values to pass via the installation script to the Full Disk Encryption preboot and installer. You can manually use Command Line Helper to generate encrypted values of strings for installation scripts or patch management.

Procedure

1. Download the Command Line Helper tool and locate the tool in your Endpoint Encryption download folder.

The Command Line Helper tool is part of the PolicyServer installation package. Go to Trend Micro Download Center, select Endpoint Encryption, and download the PolicyServer package.

http://downloadcenter.trendmicro.com/

The Command Line Helper tool is located in the following directory:

<download_directory>\TMEE_PolicyServer\Tools\Command Line Helper

2. Open a command prompt.

3. Change the directory to the directory of the Command Line Helper tool.

Example:


cd C:\TMEE_PolicyServer\Tools\Command Line Helper

4. Type CommandLineHelper.exe followed by the string that you want to encrypt, and press ENTER.

Example:

CommandLineHelper.exe examplepassword

Tip

It may be easier to copy the generated value directly from a text file.

In that case, the above example would be modified as follows:

CommandLineHelper.exe examplepassword > file.txt

The Command Line Helper produces an encrypted string.

Patching Process for Full Disk Encryption

Procedure

1. Push patches to targeted Full Disk Encryption devices.

2. Follow up with a script using DAAutoLogin.

3. Send a reboot command for the Full Disk Encryption device to load Windows GINA for confirmation of successful patching or to push another round of patches.
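The patch-window wrapper that steps 2 and 3 describe, written here as an added example that is not part of the Trend Micro guide and not a Trend Micro tool: it generates the Command Line Helper value into a temporary file (per the Tip above), passes the positional arguments in the documented order, and reboots only if DAAutoLogin reports success. The tool locations, the assumption that both tools exit 0 on success, and the assumption that the Command Line Helper output is accepted in place of the plaintext pre-boot password are mine, not stated on the page.

```powershell
# Added example (not from the Trend Micro guide): wraps the patching steps above.
# Assumptions not on the page: the tool locations, that both tools exit 0 on
# success, and that the Command Line Helper output is accepted by DAAutoLogin
# in place of the plaintext pre-boot password.
param(
    [Parameter(Mandatory = $true)] [string] $PrebootUser,
    [Parameter(Mandatory = $true)] [string] $PrebootPassword,
    [string] $DomainName,       # the three domain values are optional but go together
    [string] $DomainUser,
    [string] $DomainPassword,
    [string] $ToolsDir = 'C:\TMEE_PolicyServer\Tools'   # assumed, after the page's example path
)

$ErrorActionPreference = 'Stop'
$helper    = Join-Path $ToolsDir 'Command Line Helper\CommandLineHelper.exe'
$autoLogin = Join-Path $ToolsDir 'DAAutoLogin.exe'     # assumed location
foreach ($exe in @($helper, $autoLogin)) {
    if (-not (Test-Path -LiteralPath $exe)) { throw "Required tool not found: $exe" }
}

# Step 4 of the Command Line Helper procedure plus its Tip: redirect the output
# to a file and read the value back. The file is per-run and removed once consumed.
function Get-EncryptedValue([string] $Plain) {
    $tmp = Join-Path $env:TEMP ('tmee_' + [guid]::NewGuid().ToString('N') + '.txt')
    try {
        & $helper $Plain > $tmp
        if ($LASTEXITCODE -ne 0) { throw "CommandLineHelper.exe failed with exit code $LASTEXITCODE" }
        $value = ([string](Get-Content -LiteralPath $tmp -Raw)).Trim()
        if (-not $value) { throw 'CommandLineHelper.exe produced no output' }
        return $value
    }
    finally {
        Remove-Item -LiteralPath $tmp -Force -ErrorAction SilentlyContinue
    }
}

# DAAutoLogin <pre-boot Username> <pre-boot Password> [<DomainName> <Domain Username> <Domain Password>]
# The bracketed domain values are all-or-nothing, so refuse a partial set.
$domainValues = @(@($DomainName, $DomainUser, $DomainPassword) | Where-Object { $_ })
if ($domainValues.Count -ne 0 -and $domainValues.Count -ne 3) {
    throw 'Supply DomainName, DomainUser and DomainPassword together, or none of them'
}

$cmdArgs = @($PrebootUser, (Get-EncryptedValue $PrebootPassword))
if ($domainValues.Count -eq 3) {
    $cmdArgs += @($DomainName, $DomainUser, $DomainPassword)
}

# Both tools must run on the Full Disk Encryption device itself (see the Note above).
& $autoLogin @cmdArgs
if ($LASTEXITCODE -ne 0) { throw "DAAutoLogin failed with exit code $LASTEXITCODE; not rebooting" }

# The one-time pre-boot bypass is set; reboot so the device returns to the Windows
# logon (GINA), where patch results are confirmed or another round is pushed.
Restart-Computer -Force
```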


Chapter 7

File Encryption

The Trend Micro File Encryption agent uses AES encryption to protect data that is shared between Endpoint Encryption users, stored on removable media, or saved on network resources. File Encryption can also protect different files with different keys, allowing you to set access policies to the File Encryption agent and then create separate policies for access to certain files, which is useful in environments where multiple users access the same endpoint. Encryption is performed after authentication takes place.

End users also have the flexibility to locally manage File Encryption by encrypting individual files, folders, or removable media on the fly, safeguarding their data regardless of where it travels.

File Encryption can also protect different files with different keys, allowing you to set access policies to the File Encryption device and separate policies for access to certain files. This is useful in environments where multiple users access one endpoint.

Topics include:

• Registering File Encryption on page 7-2

• File Encryption Actions on page 7-3

• File Encryption Context Menu on page 7-10

• File Encryption Authentication on page 7-14

• Policy Synchronization on page 7-17


Registering File Encryption

After File Encryption is installed, an initial registration is required to identify PolicyServer. The fixed password authentication method is the default method and is required for initial registration. Other options may be available depending on policy settings.

Important

Without authenticating to File Encryption, access to files and removable media is denied.

Procedure

1. The Login window appears the next time your endpoint starts after File Encryption installation. If you need to access the Login screen at a later time, right-click the File Encryption tray icon, and then select Register.

2. Specify the Endpoint Encryption user name and password.

3. Specify the PolicyServer IP address (or host name) and the Enterprise.

4. Click OK.

The Change Password screen appears.

5. Select any available authentication method.

For more information about authentication methods, see File Encryption Authentication on page 7-14.

6. Specify and confirm the new password.

7. Click OK.

The new password is updated and a confirmation message appears.


File Encryption Actions

After registering the File Encryption agent, File Encryption options become available for files and folders. Right-click a file or folder to see the available options.

FIGURE 7-1. File Encryption Actions

Use the following table to understand the available menu options.

TABLE 7-1. File Encryption Context Menu Options

MENU OPTION / DESCRIPTION

Archive
  Create an encrypted copy of the specified file.
  See Encrypting a File or Folder on page 7-4.

Expand Archive
  Open a previously created archive.

Archive and Burn
  Create an encrypted copy of the specified file and write it to a CD or DVD.
  See Encrypting a File or Folder on page 7-4.

Secure Delete
  Securely erase the selected files and the file history from the File Encryption device.
  See Using File Encryption Secure Delete on page 7-10.

Encrypting a File or Folder

Procedure

1. Right-click on the file or folder that you want to encrypt.

2. Choose the location to create the encrypted file.

OPTION / DESCRIPTION / DETAILS

Archive
  Description: Create the encrypted file locally.
  Details: The encrypted file will appear in the same folder as the original file.

Archive and Burn
  Description: Write the encrypted file to a CD or DVD.
  Details: In the authentication window, you will be prompted to select your writable disk drive.

3. Choose the authentication method to access the encrypted file.

OPTION / DESCRIPTION / NOTES

Local Key
  Description: Create an encrypted file that can only be accessed by the user who created it.
  Notes: This option is only available if you select Archive.
  No window will display after selecting this option. The encrypted file will be created immediately.
  Depending on the Windows operating system, a user may view folder contents if switching from one user to a separate user without restarting Windows. While file names and folder content may be viewed, the file contents are not available. This is due to the Windows operating system caching the file structure for quick search capability.

Shared Key
  Description: Create an encrypted file that can only be accessed by any member of the current user's policy group.
  Notes: This option is only available if you select Archive.
  No window will display after selecting this option. The encrypted file will be created immediately.
  Depending on the Windows operating system, a user may view folder contents if switching from one user to a separate user without restarting Windows. While file names and folder content may be viewed, the file contents are not available. This is due to the Windows operating system caching the file structure for quick search capability.

Fixed Password
  Description: Create an encrypted file that requires a password to access.
  Notes: There is no functionality available for password recovery with self-extracting files. If a password is forgotten, the encrypted file cannot be recovered.
  Due to a Windows limitation, executable (self-extracting) files cannot be larger than 2 GB.

Certificate
  Description: Create an encrypted file that requires specific digital certificates to access.
  Notes: The digital certificates may be stored on smart cards depending on your environment and policy settings.

FIGURE 7-2. File Encryption Actions

4. If a window appears, complete all on-screen instructions.

File Encryption creates the encrypted file in the intended location. The original files or folders are unchanged and can be kept or deleted.


File Encryption Fixed Password Encryption

If you attempt to encrypt a file or folder using a fixed password, the following screen displays:

The options for this window are as follows:

TABLE 7-2. Fixed Password Options

OPTION / DETAILS

Password, Confirm
  Type and confirm a password that will be required to open the encrypted file.

Burn using
  Select the drive with the CD or DVD to write the encrypted file to. If you have not already done so, insert a writable CD or DVD with available free space.
  This option is only available if you select Archive and Burn.

Output encrypted data as a self-extracting archive
  Select this option to create the encrypted file as a self-extracting archive. Self-extracting archives may be opened on devices that do not have File Encryption agents.
  Due to a Windows limitation, executable (self-extracting) files cannot be larger than 2 GB.
  Note
  There is no functionality available for password recovery with self-extracting files. If a password is forgotten, the encrypted file cannot be recovered.


File Encryption Digital Certificate Encryption

If you attempt to encrypt a file or folder using a digital certificate, the following screen displays:

The options for this window are as follows:

TABLE 7-3. Certificate Options

OPTION / DETAILS

Certificates Store
  Select a group from the drop-down list and click Gather Certificates to see a window with a list of certificates related to that group. From the Certificate Selection window, select a certificate and click OK to add that certificate to Selected Recipient Certificates.

Selected Recipient Certificates
  View the list of currently selected certificates. These certificates will be required to open the encrypted file.
  Click Clear to remove all certificates.
  Important
  There is no available method to remove individual certificates. If you must remove one or more certificates, remove all certificates, and add the required certificates again.

Burn using
  Select the drive with the CD or DVD to write the encrypted file to. If you have not already done so, insert a writable CD or DVD with available free space.
  This option is only available if you select Archive and Burn.

Using File Encryption Secure Delete

Use Secure Delete to securely erase the selected files and the file history from the File Encryption device.

Procedure

1. Right-click the file and go to File Encryption > Secure Delete.

2. Click Yes to permanently delete the file.

File Encryption Context Menu

Use the File Encryption icon in the system tray to access the File Encryption agent. Right-click the agent icon to display the menu items. The following table explains the available menu options.


TABLE 7-4. File Encryption Agent Menu Options

MENU ITEM / FUNCTION

Register
  First-time user registration of File Encryption with the PolicyServer. For more information, see Registering File Encryption on page 7-2.
  This option only appears if you have not completed File Encryption registration.

Log In / Log Out
  Authenticate with PolicyServer.

Change Password
  Permits users to change their password and their authentication method. For more information, see Changing Password in File Encryption on page 7-12.

Remote Help
  Unlock File Encryption using Remote Help to authenticate if the user forgets the Endpoint Encryption password, there were too many unsuccessful authentication attempts, or the Endpoint Encryption device has not communicated with the PolicyServer for a specified duration. For more information, see Using Remote Help to Unlock a File Encryption Device on page 7-13.
  This option is only available if the File Encryption agent is locked. For more information about locked accounts, see Forced Password Reset on page 7-16.

Synchronize Policies
  Manually download policy updates from PolicyServer.
  Note
  File Encryption agents can synchronize policies without user authentication.
  File Encryption agents automatically update policy settings based on your PolicyServer configurations. For more information, see Policy Synchronization on page 7-17.

Synchronize Offline Files
  Synchronizing with PolicyServer offline files enforces new security policies using an import file instead of communicating directly with PolicyServer.

Show / Hide Notifications
  Silences all File Encryption notifications.

Hide Icon
  Temporarily removes the File Encryption tray icon.
  To show the File Encryption tray icon again, run File Encryption from your desktop or Start menu.

About File Encryption
  Displays File Encryption information including version, last synchronization time, and authenticated user.
  You can change the PolicyServer that synchronizes policies with your File Encryption agent from the About File Encryption window. To change your PolicyServer, click Edit PolicyServer.

Online Help
  View the File Encryption documentation online.

Changing Password in File Encryption

To change the password, the user must authenticate to File Encryption with a User account role. The user can then change the password using any authentication method allowed by policy. Use PolicyServer MMC to manage the policy at:

Group Name > Policies > File Encryption > Login > Authentication Methods Allowed

Procedure

1. Right-click the File Encryption tray icon, then select Change Password.

2. Specify the password.

3. Click Next.

4. Select any available authentication method.

For more information about authentication methods, see File Encryption Authentication on page 7-14.

5. Specify and confirm the new password.


6. Click OK.

The new password is updated and a confirmation message appears.

Using Remote Help to Unlock a File Encryption Device

If a user exceeds the number of authentication attempts and policies are set to enact Remote Authentication, File Encryption locks Endpoint Encryption folders and notifies the user that Remote Help is required. Using Remote Help to unlock File Encryption requires assistance from the Enterprise Authenticator or Group Authenticator.

Note

For information about using Remote Help, see Remote Help on page 2-19.

Procedure

1. Right-click the File Encryption tray icon, then select Remote Help.


The Remote Help screen appears.

FIGURE 7-3. File Encryption Remote Help

2. Specify the user name.

3. Click Get Challenge.

4. Type the Response provided by the Enterprise/Group Authenticator.

5. Click Log In.

The user is authenticated to File Encryption and a notification displays.

File Encryption Authentication

This section explains how to authenticate to and use File Encryption. All authentication methods for Endpoint Encryption are available in File Encryption.


Note

For information about authentication methods, see Authentication Methods on page 2-17.

Endpoint Encryption administrators and users have several authentication methods to log on to File Encryption. The methods available are determined by the PolicyServer policy configuration.

TABLE 7-5. Supported Authentication Methods

AUTHENTICATION METHOD / DESCRIPTION

ColorCode™
  A unique sequence of colors.
  See ColorCode on page 2-18.

Domain authentication
  Active Directory LDAP synchronization for single sign-on (SSO).
  See Domain Authentication on page 2-18.

Fixed password
  A string of characters, numbers, and symbols.
  See Fixed Password on page 2-19.

Smart card
  A physical card used in conjunction with a PIN or fixed password.
  See Smart Card on page 2-20.

Domain Authentication Requirements

For domain authentication single sign-on (SSO), ensure that the following requirements are met:

• The user belongs to a policy group with domain authentication enabled.

• The Host Name and Domain Name are configured properly.

• PolicyServer and all Endpoint Encryption devices using domain authentication are in the same domain.

• The user account is configured in both Active Directory and PolicyServer. The user name is case sensitive and must match exactly.


Additionally, domain authentication has the following limitations:

• Domain authentication cannot be used with a Smart Card PIN.

• Remote Help is available to domain users. However, the domain password must be reset in Active Directory if it is forgotten.

Forced Password Reset

File Encryption prevents unauthorized access to encrypted files and folders by locking protected files when there are too many unsuccessful authentication attempts or if the endpoint has not communicated with PolicyServer for a specified duration of time. Depending on the policy configuration, File Encryption locks a user from access or enacts a time delay before authentication attempts can be made.

Endpoint Encryption Device Policy Rules

The following table explains the security policy rules for lost or stolen Endpoint Encryption devices. Depending on the policy settings, too many consecutive unsuccessful authentication attempts to an Endpoint Encryption device delay the next authentication attempt, lock the Endpoint Encryption device, or erase all data controlled by the associated Endpoint Encryption agent.

TABLE 7-6. Device Security Options

SECURITY OPTION / DESCRIPTION

Time delay
  PolicyServer temporarily locks the Endpoint Encryption device and notifies the Endpoint Encryption user that the device is locked. The ability to authenticate or reset the password is disabled during the time delay. The duration of the time delay is determined by policy. Once the time delay has expired, the user is permitted to authenticate.
  Note
  The Endpoint Encryption user may use Self Help or Remote Help authentication to avoid waiting for the time delay period to expire.

Remote authentication required
  PolicyServer locks the Endpoint Encryption device until the Endpoint Encryption user receives Remote Help authentication from an authenticator or from Support.
  Note
  For more information, see Remote Help on page 2-19.

Erase the device
  PolicyServer erases all data controlled by the associated Endpoint Encryption agent.
  WARNING!
  The Endpoint Encryption user cannot recover the erased data.

Policy Synchronization

The following list explains the events that initiate policy synchronization between agents and PolicyServer:

• After the operating system loads and the agent service starts

Note

For information about Endpoint Encryption services, see Endpoint Encryption Services on page C-1.

• At regular intervals based on the PolicyServer synchronization policy

• Manually, by clicking the Synchronize Policies button in the agent context menu

Note

Device actions initiate after the agent receives policy updates.


Chapter 8

Encryption Management for Third-Party Products

A key feature of Full Disk Encryption is the ability to manage third-party encryption products. The Endpoint Encryption agents fully integrate with the encryption solutions built into the host operating systems.

Topics include:

• About Encryption Management Agents on page 8-2

• Encryption Management Agent Policy Limitations on page 8-2

• Encryption Management for Microsoft BitLocker on page 8-4

• Encryption Management for Apple FileVault on page 8-9


About Encryption Management Agents

The following table explains the two Full Disk Encryption agents for third-party product encryption management.

Note

For information about all available Endpoint Encryption agents, see Endpoint Encryption Agents on page 2-16.

TABLE 8-1. Encryption Management Agents

AGENT / DESCRIPTION

Encryption Management for Microsoft BitLocker
  The Endpoint Encryption Full Disk Encryption agent for Microsoft Windows environments that simply need to enable Microsoft BitLocker on the hosting endpoint.

Encryption Management for Apple FileVault
  The Endpoint Encryption Full Disk Encryption agent for Mac OS environments that simply need to enable Apple FileVault on the hosting endpoint.

Encryption Management Agent Policy Limitations

The following table explains the policy limitations for Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker. To use all policies, install the Full Disk Encryption agent instead.

Note

Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker do not require authentication and are not affected by authentication policies. Client, login, password, and authentication policies, or allowing the user to uninstall the Endpoint Encryption agent software, only affect the Full Disk Encryption and File Encryption agents.


The following table explains the policies affecting each agent. Use it to understand the policy limitations of third-party agents.

TABLE 8-2. Policies Affecting Full Disk Encryption Agents

POLICY / FULL DISK ENCRYPTION / ENCRYPTION MANAGEMENT FOR APPLE FILEVAULT / ENCRYPTION MANAGEMENT FOR MICROSOFT BITLOCKER

(The per-agent applicability marks in the three agent columns did not survive extraction; only the policy rows are listed.)

Allow User Recovery
Allow User to Uninstall
Encrypt Device
Account Lockout Action
Account Lockout Period
Dead Man Switch
Device Locked Action
Device Killed Action
Failed Login Attempts Allowed
If Found
Legal Notice
Lock Device Time Delay
Preboot Bypass
Support Info
Token Authentication
Authentication Methods Allowed
Sync Interval

Encryption Management for Microsoft BitLocker

Encryption Management for Microsoft BitLocker manages BitLocker Drive Encryption™ for endpoints running Microsoft Windows. Encryption Management for Microsoft BitLocker is designed to protect data by providing encryption for entire volumes. By default, BitLocker uses the AES encryption algorithm in CBC mode with a 128-bit or 256-bit key.

Viewing Encryption Status

Procedure

1. Click the Full Disk Encryption icon.

• For Windows, go to the system tray.

• For Mac OS, go to the menu bar.

2. Open the Encryption Status tab.


3. See Understanding Encryption Status on page 8-5 for details.

Understanding Encryption Status

The Encryption Status tab provides details about the encrypted drives, the types of encryption, and the ratio that the drive is encrypted or not encrypted. See the figure and description below for more information.

TABLE 8-3. Device Encryption Status

ITEM / DESCRIPTION

Pie Chart
  The pie chart represents the ratio that the hard disk is encrypted and not encrypted.

Drive
  The hard disk with the agent installed.

Encrypted
  The percentage that the drive is encrypted.

Action
  The current encryption status.

Encryption
  The type of encryption deployed on the endpoint.
  Note
  Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker always use software-based encryption.

FIPS mode
  Whether FIPS is enabled.


Understanding Agent Information

The Information tab provides detailed information about the user account, Endpoint Encryption device, and policy synchronization. See the figure and description below for more information.

TABLE 8-4. Agent Information

LABEL / DESCRIPTION

TMEE username
  The Endpoint Encryption account used to log on the Endpoint Encryption device. This is different from the Windows logon.

Device ID
  The unique ID that identifies the agent and endpoint to PolicyServer.

Operating system
  The operating system and version currently installed on the endpoint.

Computer name
  The endpoint computer name to identify it on the network.

Last sync
  The timestamp for the last policy synchronization to PolicyServer.

Sync with PolicyServer
  Forces an immediate policy update.

Synchronizing Policies with PolicyServer

There are two ways to synchronize policies with PolicyServer. For information about policies affecting Encryption Management for Microsoft BitLocker devices, see Encryption Management Agent Policy Limitations on page 8-2.

• Synchronizing Policies From the Menu Bar on page 8-15

• Synchronizing Policies from the About Screen on page 8-9

Policy Synchronization

The following list explains the events that initiate policy synchronization between agentsand PolicyServer:

• After the operating system loads and the agent service starts

Note

For information about Endpoint Encryption services, see Endpoint Encryption Services on page C-1.

• At regular intervals based on the PolicyServer synchronization policy

• Manually, by clicking the Synchronize Policies button in the agent context menu

Note

Device actions initiate after the agent receives policy updates.


Synchronizing Policies from the About Screen

For information about policy limitations affecting the Encryption Management for Microsoft BitLocker agent, see Encryption Management Agent Policy Limitations on page 8-2.

Procedure

1. Make sure that the Endpoint Encryption device has network access.

2. Click the agent icon.

3. Select About Full Disk Encryption to open the agent menu.

4. Open the Information tab.

5. Click Sync with PolicyServer.

If successful, all Endpoint Encryption policies are up-to-date.

Synchronizing Policies From the System Tray

Procedure

1. Make sure that the Endpoint Encryption device has network access.

2. Click the agent icon.

3. Select Sync with PolicyServer.

If successful, all Endpoint Encryption policies are up-to-date.

Encryption Management for Apple FileVault

Encryption Management for Apple FileVault manages Apple FileVault™ to encrypt the entire OS X startup volume, which typically includes the home directory, abandoning the disk image approach. Encryption Management for Apple FileVault manages encryption using Apple FileVault with the user's password as the encryption pass phrase. Encryption Management for Apple FileVault uses the AES-XTS mode of AES with 128 bit blocks and a 256 bit key to encrypt the disk, as recommended by NIST. Only unlock-enabled users can start or unlock the drive. Once unlocked, other users may also use the computer until it is shut down.

Note

Mac OS local accounts or mobile accounts are able to initiate encryption on Mac OS X Mountain Lion or later. Other Mac OS user account types will be unable to initiate encryption.

To create a mobile account for Active Directory on your Mac, see Creating a Mobile Account for Active Directory on Mac OS on page 8-15.

Viewing Encryption Status

Procedure

1. Click the Full Disk Encryption icon.

• For Windows, go to the system tray.

• For Mac OS, go to the menu bar.

2. Open the Encryption Status tab.

3. See Understanding Encryption Status on page 8-5 for details.


Understanding Encryption Status

The Encryption Status tab provides details about the encrypted drives, the types of encryption, and the ratio that the drive is encrypted or not encrypted. See the figure and description below for more information.

TABLE 8-5. Device Encryption Status

ITEM / DESCRIPTION

Pie Chart
  The pie chart represents the ratio that the hard disk is encrypted and not encrypted.

Drive
  The hard disk with the agent installed.

Encrypted
  The percentage that the drive is encrypted.

Action
  The current encryption status.

Average speed
  The rate (MB/second) that the drive is encrypting or decrypting.

Estimated time
  The amount of time until the drive is 100% encrypted or decrypted.

Understanding Agent Information

The Information tab provides detailed information about the user account, Endpoint Encryption device, and policy synchronization. See the figure and description below for more information.


TABLE 8-6. Agent Information

• TMEE user name: The Endpoint Encryption account used to log on to the Endpoint Encryption device. This is different from the Windows logon.

• Device ID: The unique ID that identifies the agent and endpoint to PolicyServer.

• Operating system: The operating system and version currently installed on the endpoint.

• Computer Name: The endpoint computer name that identifies it on the network.

• Enterprise: The Enterprise name of the PolicyServer managing agent policies.

• Last sync: The timestamp for the last policy synchronization to PolicyServer. For details about synchronizing policies, see Synchronizing Policies From the Menu Bar on page 8-15.

• Synchronize now: Forces an immediate policy update.

Synchronizing Policies with PolicyServer

There are two ways to synchronize policies with PolicyServer. For information about policies affecting Encryption Management for Apple FileVault devices, see Encryption Management Agent Policy Limitations on page 8-2.

• Synchronizing Policies from the About Screen on page 8-14

• Synchronizing Policies From the Menu Bar on page 8-15


Policy Synchronization

The following list explains the events that initiate policy synchronization between agents and PolicyServer:

• After the operating system loads and the agent service starts

Note

For information about Endpoint Encryption services, see Endpoint Encryption Services on page C-1.

• At regular intervals based on the PolicyServer synchronization policy

• Manually, by clicking the Synchronize Policies button in the agent context menu

Note

Device actions initiate after the agent receives policy updates.

Synchronizing Policies from the About Screen

For information about policy limitations affecting Encryption Management for Apple FileVault agents, see Encryption Management Agent Policy Limitations on page 8-2.

Procedure

1. Make sure that the Endpoint Encryption device has network access.

2. Click the agent icon.

3. Select About Full Disk Encryption to open the agent menu.

4. Open the Information tab.

5. Click Synchronize now.

If successful, all Endpoint Encryption policies are up-to-date.


Synchronizing Policies From the Menu Bar

Procedure

1. Make sure that the Endpoint Encryption device has network access.

2. Click the agent icon.

3. Select Synchronize Policies.

If successful, all Endpoint Encryption policies are up-to-date.

Creating a Mobile Account for Active Directory on Mac OS

Mac OS local accounts or mobile accounts are able to initiate encryption on Mac OS X Mountain Lion or later. Other Mac OS user account types will be unable to initiate encryption.

If a Mac OS account other than a local account or mobile account attempts to initiate encryption, the following notification appears:


The following task shows how to create a mobile account for your Mac OS account to bypass this issue.

Procedure

1. Go to System Preferences... in the Apple menu.

The System Preferences window appears.

2. Select User Groups under the System section.

3. Click the lock icon in the lower left corner.

4. Click Create... next to Mobile account.

5. On the following screens, select any personal settings, and click Create to proceed from one screen to the next.

6. When prompted, enter your Active Directory password and click OK.

Your mobile account has been created. You may now use this mobile account to initiate encryption.


Troubleshooting Password and Encryption Issues

After installing Encryption Management for Apple FileVault and restarting the endpoint, Apple FileVault attempts to encrypt the disk. If the password specified during installation did not match the specified user account, the following window appears:

After specifying the correct password, restart the endpoint again. If the password was the issue, Apple FileVault encrypts the endpoint after the restart.

If this problem persists, or if the encryption status displays that the endpoint is not encrypting, then another issue is restricting Apple FileVault functionality. Do the following procedure to determine the location of the issue and whether to send the issue to Trend Micro Support.

Procedure

1. From the Apple menu, go to Security & Privacy > FileVault.

2. If the lock icon is locked, click the lock icon to make changes.

3. Click Turn On FileVault....

A window appears that asks for your password.


4. Type your password and click Start Encryption.

If your user account has permission to turn on FileVault, your credentials are correct, and FileVault is working properly, FileVault begins encrypting the disk.

5. If FileVault encounters any issues during encryption after this point, take relevant screenshots of those issues and contact Trend Micro Support.


Chapter 9

Recovery

This chapter explains methods to recover inaccessible drives encrypted by Full Disk Encryption.

Topics include:

• Full Disk Encryption Recovery Methods on page 9-2

• Recovery Console on page 9-3

• Recovery Tool on page 9-16

• Remote Help Assistance on page 9-22


Full Disk Encryption Recovery Methods

If a device is fully encrypted by Full Disk Encryption, issues may occur with the system or program that hinder or prevent access to Windows or related services. In these cases, use the following methods and tools to recover your system, listed in order from the least severe to the most severe situation.

Situation: Windows is working normally but Full Disk Encryption affects some applications, reduces Windows performance, or displays error messages.
Recovery method: Uninstall Full Disk Encryption
Description: Uninstalling Full Disk Encryption removes Full Disk Encryption from the device. Once uninstallation is complete, you may proceed with other recovery actions within Windows if necessary. Afterwards, you may attempt to reinstall Full Disk Encryption. For uninstallation steps, see the Endpoint Encryption Installation Guide.

Situation: The Full Disk Encryption preboot loads, but Windows does not.
Recovery method: Recovery Console on page 9-3
Description: The Full Disk Encryption Recovery Console can be opened from the Full Disk Encryption preboot. To decrypt the hard disk, open the Full Disk Encryption Recovery Console and select Decrypt Disk. This option decrypts the selected hard disk on-the-fly or saves an image of the decrypted hard disk to removable media.

Note
This method is not recommended if Windows is functioning normally.

Situation: At startup, neither Windows nor the Full Disk Encryption preboot starts up. The endpoint displays a black screen with an unmoving input symbol.
Recovery method: Recovery Tool on page 9-16
Description: This issue normally occurs because the MBR is corrupted. The Full Disk Encryption Recovery Tool attempts to repair the MBR. If successful, the Full Disk Encryption preboot loads normally the next time the endpoint starts.

Situation: At startup, the endpoint displays the background of the Full Disk Encryption preboot, but the logon window does not load.
Recovery method: Recovery Tool on page 9-16
Description: This issue normally occurs because the Full Disk Encryption database is corrupted. The Recovery Tool attempts to obtain information from PolicyServer and replace the corrupted Full Disk Encryption database. If successful, the Full Disk Encryption preboot loads normally the next time the endpoint starts.

Situation: The endpoint is unable to start Windows or access the Full Disk Encryption preboot. The Recovery Tool is unable to repair the disk.
Recovery method: Contact Technical Support
Description: Attempt to perform the other recovery methods first. If the previous recovery methods are inaccessible or do not work, contact Trend Micro support. The Trend Micro support team will do their best to resolve your issue. For more information, see Technical Support on page 11-1.

Recovery Console

The Full Disk Encryption Recovery Console allows Administrators, Authenticators, and permitted Users to do the following:

• Recover Full Disk Encryption devices in the event of primary operating system failure

• Troubleshoot network connectivity issues

• Decrypt disks to retrieve inaccessible data


• Manage policies when not connected with PolicyServer

WARNING!

If the disk is encrypted, do not use Windows or third-party repair utilities to recover data. Use the Recovery Console and decrypt the disk first. Otherwise, data may be lost, corrupted, or become inaccessible.

All policy changes are overwritten when the Full Disk Encryption agent synchronizes policies with PolicyServer.

Recovery Console Options

• Back to Login: Exit Recovery Console and return to the login screen.

• Decrypt Disk: Remove encryption from the disk. Decrypt the disk before uninstalling the Full Disk Encryption agent.

• Mount Partitions: Provide access to the encrypted partitions for file management. View encrypted files or copy files to an external device.

  Note: This option is only available for disks using software encryption. This option is unavailable if the disk is a SED.

• Restore Boot: Roll back the MBR to a state before Full Disk Encryption installation.

  Note: This option is only available for disks that previously used software encryption and are now decrypted. This option is unavailable if the disk is a SED or if the disk is encrypted.

• Manage Users: Add or remove users from the device when not connected to PolicyServer.

• Manage Policies: Modify policies for devices that are either not managed by PolicyServer or are managed but are temporarily not connected to PolicyServer. If the device is managed, policy changes are overwritten the next time that the device communicates with PolicyServer.

• View Logs: View and search the various Full Disk Encryption logs.

  Note: Logs are available only when the Recovery Console is accessed from Windows.

• Network: Clicking Network opens two screen options:

  • Setup: Configure your Internet connection settings, including whether you use a static or dynamic IP address, your PolicyServer address, and your Wi-Fi settings.

  • Troubleshooting: View your DHCP logs and run trace route commands.

• Exit: Exit the Recovery Console.

Accessing the Recovery Console from Full Disk Encryption Preboot

By default, only Administrator and Authenticator accounts may access the Recovery Console. To allow other users to access the Recovery Console, enable user recovery from your management console. For Control Manager, see Configuring Full Disk Encryption Rules on page 5-15.

Procedure

1. Start or restart the endpoint.


The Full Disk Encryption preboot appears.

2. Select the Recovery Console check box.

3. Specify Endpoint Encryption user account credentials.

4. Click Login.

The Recovery Console opens.

Accessing Recovery Console from Windows

Procedure

1. In Windows, go to the Full Disk Encryption installation directory.

The default location is C:\Program Files\Trend Micro\Full Disk Encryption\.

2. Open RecoveryConsole.exe.

The Recovery Console window appears.

3. Specify the Endpoint Encryption user name and password, then click Login.

Recovery Console opens to the Decrypt Disk page.

Using Decrypt Disk

Selecting Decrypt Disk decrypts an encrypted Full Disk Encryption hard disk, but does not remove any of the encryption drivers. If using Decrypt Disk, disable the Full Disk Encryption “DrAService” service before booting into Windows.

WARNING!

Read this procedure before using Decrypt Disk. Data loss may occur if performed incorrectly. Do not use Decrypt Disk to remove Full Disk Encryption from any Endpoint Encryption device that is functioning normally. Use TMFDEUninstall.exe instead.


To decrypt the Full Disk Encryption device, the user must have Endpoint Encryption Enterprise or Group Administrator rights. To allow all users in a group/policy to access the recovery console, enable the following policy:

• PolicyServer MMC: Go to Full Disk Encryption > Agent > Allow User Recovery.

• Control Manager: Create or edit a policy, then go to Full Disk Encryption > Users are allowed to access system recovery utilities.

With an Administrator, Authenticator, or permitted User, perform the following to decrypt a disk.

Procedure

1. Log on to Recovery Console.

See Accessing the Recovery Console from Full Disk Encryption Preboot on page 9-5.

Recovery Console opens to the Decrypt Disk page.

2. Click Decrypt to begin decrypting the drive.

Decryption begins immediately and the Decrypt Disk page shows the decryption progress.

3. When decryption completes, click Exit to reboot the Endpoint Encryption device.

4. Do one of the following:

• If booting a repair tool CD, DVD, or USB key:

a. After exiting Full Disk Encryption, press F12 (or the appropriate button to enter the boot options).

b. Insert the Repair CD and select the CD/DVD drive from the boot options screen.

c. Proceed with established recovery actions.


• If booting into Windows:

a. Reboot the endpoint and hold F8.

b. Select Safe Mode before the system begins booting into Windows.

WARNING!

If the Windows boot options screen is missed, immediately turn off the device. If Windows boots normally (not in Safe Mode), DrAService will immediately start encrypting the drive again. Any recovery actions taken at this point will risk irreparable damage to data on the drive.

5. Open Computer Management and go to Services and Applications > Services.

The Services screen appears.

6. Locate and double-click Trend Micro Full Disk Encryption to open the Trend Micro Full Disk Encryption Properties window.

7. On the General tab, change Startup type to Disabled.

8. Click Apply, then click OK.

9. Reboot the endpoint.

10. Log on to the Full Disk Encryption preboot.

11. Log on to Windows.

12. After all recovery actions are complete, set DrAService to Automatic. The device automatically re-encrypts the hard disk after the next reboot.
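The service handling in steps 5 through 8 and step 12 can also be done from an elevated PowerShell prompt. This is an added example, not part of the guide or of Trend Micro's tooling; it assumes the service name DrAService and the display name Trend Micro Full Disk Encryption stated above, and that Windows reports Safe Mode as a "Fail-safe" value in Win32_ComputerSystem.BootupState.

```powershell
#Requires -RunAsAdministrator
# Added example (not Trend Micro tooling): guard and toggle the Full Disk
# Encryption service around a Decrypt Disk recovery. The service name comes
# from the guide; the Safe Mode check relies on the standard Win32 class.

$ServiceName = 'DrAService'

function Test-SafeModeBoot {
    # The guide warns that a normal boot lets DrAService start re-encrypting
    # at once, so only allow the change when Windows reports a fail-safe boot.
    $state = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
    return $state -like 'Fail-safe*'
}

function Get-FdeServiceState {
    # Returns start mode and run state of the service, or $null if it is absent.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { return $null }
    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName   # expected: Trend Micro Full Disk Encryption
        StartMode   = $svc.StartMode     # Auto, Manual or Disabled
        State       = $svc.State         # Running or Stopped
    }
}

function Disable-FdeService {
    # Steps 5 to 8: set Startup type to Disabled before the reboot that follows
    # the Decrypt Disk operation. Refuses to run outside Safe Mode.
    if (-not (Test-SafeModeBoot)) {
        throw 'Not in Safe Mode. Shut down and boot into Safe Mode before disabling DrAService.'
    }
    if (-not (Get-FdeServiceState)) {
        throw "Service $ServiceName not found. Is Full Disk Encryption installed?"
    }
    Set-Service -Name $ServiceName -StartupType Disabled
    Get-FdeServiceState   # confirm StartMode now reads Disabled
}

function Restore-FdeService {
    # Step 12: after all recovery actions are complete, return the service to
    # Automatic so the device re-encrypts the disk after the next reboot.
    Set-Service -Name $ServiceName -StartupType Automatic
    Get-FdeServiceState   # confirm StartMode now reads Auto
}

# Usage:
#   Disable-FdeService    # in Safe Mode, before any recovery actions
#   Restore-FdeService    # once recovery is finished, then reboot
```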

Mount Partitions

Use Mount Partitions to copy files between the encrypted hard disk and external storage before imaging or reformatting the drive. The encrypted contents of the drive appear in the left pane and an unencrypted device can be mounted in the right pane. Use copy and paste to move files between panes. Files copied to the encrypted drive are encrypted. Files copied out of the encrypted drive are decrypted.


Restore Boot

The Restore Boot option restores the original boot on the Endpoint Encryption device when the device is fully decrypted. Restore Boot is only available from the Full Disk Encryption preboot.

Decrypt the disk before restoring the Master Boot Record (MBR).

WARNING!

Do not use Decrypt Disk before reading through the instructions. Data loss may occur.

Procedure

1. Log on to Recovery Console.

See Accessing the Recovery Console from Full Disk Encryption Preboot on page 9-5.

Recovery Console opens to the Decrypt Disk page.

2. Click Decrypt Disk, then click Decrypt.

3. Switch to the Restore Boot option.

A Replace MBR confirmation window appears.

4. Click Yes to replace the MBR.

A message confirming the MBR replacement displays.

5. Click Exit.

The Endpoint Encryption device boots into Windows.

Manage Full Disk Encryption Users

Use Manage Users to add or remove users from the Full Disk Encryption preboot cache or to change a user's cached password. The Manage Users option is useful when the Full Disk Encryption agent cannot connect to PolicyServer. Both the Full Disk Encryption preboot and Windows Recovery Console can use this option.

Note

• Manage Users is only available when not connected to PolicyServer.

• Changes made to users through Recovery Console are overridden when Full Disk Encryption connects to PolicyServer.

Some considerations about passwords:

• Assigned passwords are always a fixed password.

• Specify the user password expiration date using the Password Expiration calendar.

• Setting the date to the current date or older forces an immediate password change. Setting the date to a future date commits a change on that specified date.

Editing Users

Editing users in Recovery Console follows the same rules as the Enterprise. For information about roles and authentication, see Authentication Overview on page 5-2.

Procedure

1. Select the user from the user list.

2. Update the desired information.

3. Select the user type.

For an explanation of account roles, see Authentication Overview on page 5-2.

4. Set the password expiration date.

5. Click Save.

The user account is updated.


Adding Users

Procedure

1. Click Add User.

2. Specify the user name and password, then confirm the password.

3. Select the authentication method from the Authentication Type drop-down list.

4. Set the password expiration date.

5. Click Save.

The new user appears in the User List and a confirmation window appears.

6. Click OK to close the confirmation window.

The new user account is added.

Deleting Users

Procedure

1. Select a user from the user list.

2. Click Delete User.

A delete user confirmation window appears.

3. Click Yes.

The user is deleted from the user list.

Manage Policies

Use Manage Policies to set various policies for Full Disk Encryption Recovery Console.

For more information about these policies, see the Administrator's Guide for PolicyServer MMC.


Note

The Manage Policies option is only available when not connected to PolicyServer, and any changes are overridden the next time Full Disk Encryption connects to PolicyServer.

View Logs

Use View Logs to search for and display logs based on specific criteria. View Logs is only available from Recovery Console using Windows. It is unavailable from the Full Disk Encryption Preboot.

For information about viewing Full Disk Encryption logs, see Accessing Recovery Console from Windows on page 9-6.

Network

Go to Network > Setup to verify, test, and/or change the network settings that are used by Full Disk Encryption Preboot.

Go to Network > Troubleshooting to view DHCP logs and run trace route commands.

Managing Network Configuration

By default, Get setting from Windows is selected for both IPv4 and IPv6. Deselect this option to manually configure the network settings.

• Selecting DHCP (IPv4) or Automatically get address (IPv6) uses the dynamically assigned IP address.

• Selecting Static IP enables all fields in that section.

• In the IPv6 tab, selecting Static IP when the IP Address field is empty creates a unique IP address based on the hardware address of the machine.


Changing the Full Disk Encryption PolicyServer

Procedure

1. Open the PolicyServer screen on the Recovery Console.

a. Access the Recovery Console.

See Accessing the Recovery Console from Full Disk Encryption Preboot on page 9-5.

b. Go to Network > Setup.

c. Select the PolicyServer tab.

2. Click Change Server.

3. At the warning message, click Yes.

4. Specify the new server address.

5. Click Save.

Configuring Wi-Fi Settings

Wi-Fi settings are available from the Recovery Console accessible from the Full Disk Encryption Preboot.

Note

The Full Disk Encryption preboot cannot automatically detect the authentication for WEP security. If the authentication type is WEP-OPEN or WEP-PSK, manually specify the security type.

Procedure

1. Go to the Wi-Fi tab on the Network Setup screen.


The Wi-Fi settings screen appears.

From the Wi-Fi settings screen, you can disconnect from your current wireless connection by clicking Disconnect.

2. Click Configure to modify your wireless network.


The Wireless Network Configuration screen appears.

3. Select your network.

• To use a listed network, select the SSID, then click OK.

• To configure an unlisted network, click Other Network, specify the SSID settings, then click Connect.

Important

Do not close the screen or restart your endpoint during configuration.

Network Troubleshooting

The tabs on the Troubleshooting screen allow you to do more in-depth investigation into network problems. The following tabs are available:


• DHCP Client: This tab displays the latest DHCP client logs. If no DHCP request has been made or there is an error, click Set Up Interface to automatically configure your network interface card and perform another DHCP request.

• Traceroute: Use this tab to test your network performance by performing a traceroute to PolicyServer. Click Traceroute to perform a new traceroute request.

Recovery Tool

The Full Disk Encryption Recovery Tool is a bootable disk used to repair a device if the device is unable to boot. The latest version of the Recovery Tool is available for download from the Trend Micro Download Center:

http://downloadcenter.trendmicro.com/

The Recovery Tool allows users to do the following:

• Scan and repair Full Disk Encryption issues that prevent users from logging on to Windows

• Open the Full Disk Encryption preboot if the agent is unable to access the preboot normally

• Recover files from an encrypted disk

Note

In previous versions of Endpoint Encryption, a Repair CD was provided along with the product. In Endpoint Encryption 5.0 Patch 4, the Repair CD was replaced with the Recovery Tool.

Preparing the Recovery Tool

The Full Disk Encryption Recovery Tool is a preconfigured Linux environment inside of an ISO file. To use the Recovery Tool, install the Recovery Tool as a bootable disk on a DVD, USB flash drive, or other removable media device.

The following procedure shows one example of how to install the Recovery Tool to a USB storage device using the free third-party program Rufus.


Procedure

1. Download the Full Disk Encryption installation package.

The Endpoint Encryption installation packages are available at the Trend Micro Download Center:

http://downloadcenter.trendmicro.com/

2. Download and run Rufus.

The Rufus utility is available on the Rufus website:

http://rufus.akeo.ie/?locale=en_US

3. Attach a USB storage device to the endpoint.

WARNING!

This procedure will reformat the USB device, removing all data. Trend Micro recommends backing up all files on the USB device before proceeding.

4. In the Device field, select the USB device.

5. In the Partition scheme and target system type, select MBR partition scheme for BIOS or UEFI-CSM.

6. Select the option Create a bootable disk using, and choose the option ISO image.

7. Click the image icon and select the image RecoveryTool_x.x.x.xxxx.iso.

The Recovery Tool is located in the Full Disk Encryption installation package.

For example, if you are using the TMEE Suite package, the Recovery Tool is in the following path:

<base_file_path>\TMEE Suite\TMEE_Full Disk Encryption-Windows\Tools\RecoveryTool\RecoveryTool_x.x.x.xxxx.iso

8. Click Start.

9. On the warning message that appears, click OK.


Rufus begins reformatting the USB device and installs the Recovery Tool on the USB device.

10. When Rufus finishes creating the bootable disk, close Rufus and remove the USB device from the endpoint.

Scanning and Repairing a Disk

If you are unable to open Windows or the Full Disk Encryption preboot on a device, use the Full Disk Encryption Recovery Tool to detect problems on that device and potentially repair those issues. The following task assumes that you have already created a bootable disk of the Recovery Tool.

Procedure

1. Start the endpoint that requires repairs, and set the boot priority to boot from the type of device that the Recovery Tool has been prepared on.

For example, if your system uses BIOS, open the BIOS screen, and select the Boot tab. If you used a USB storage device for the Recovery Tool, set Removable Devices as the first boot priority.

2. Shut down the endpoint.

3. Attach the Recovery Tool device to the endpoint or put the Recovery Tool CD or DVD in the disk drive.

4. Start the endpoint.

The Recovery Tool boots the device.

At system startup, the Recovery Tool automatically opens the Recovery utility and begins scanning the hard disk. If scanning successfully detects a problem with the device, the Recovery Tool will attempt to repair the issue. If the repair is successful, no further action needs to be taken.

5. If the Recovery Tool notifies you that authentication is required to continue repairs, log on to PolicyServer with the following credentials:


• User name: Specify an Administrator account. Authenticator and normal user accounts may not access the Recovery Tool, regardless of policy configuration.

• Password: Specify the password for that user name.

• PolicyServer: Specify the PolicyServer IP address or host name.

• Device ID: Specify the device ID. For Full Disk Encryption 5.0 patch 4 or later devices, the Recovery Tool attempts to automatically generate this field. If the MBR or Full Disk Encryption database is corrupted, the Recovery Tool may be unable to retrieve this information. If the Recovery Tool is unable to retrieve this information, or the device is Full Disk Encryption 5.0 patch 3 or earlier, find and copy the device ID from PolicyServer MMC or Control Manager. In Control Manager, you can access the device ID from the Full Disk Encryption Status Report widget. See Full Disk Encryption Status on page 4-20.

Note

If the Recovery Tool is unable to connect to PolicyServer, a message appears requesting that you configure your network. In that case, click Network Status and Configuration to view your current network status. Click Configure to specify the endpoint IP address settings. Click Reconnect to attempt to connect to PolicyServer again and refresh your network information.

The Recovery Tool attempts to perform additional scanning and repairs. Regardless of whether recovery is successful or unsuccessful, a completion screen appears with the options Shut Down and Advanced Functions. For more information about the available advanced functions, see Advanced Functions on page 9-21.

6. Click Shut Down to shut down the endpoint.

7. Remove the Recovery Tool from the endpoint.

8. Start the endpoint.


If repairs were successful, the endpoint starts at the Full Disk Encryption preboot.

Recovery Tool Options

The Full Disk Encryption Recovery Tool opens a Linux operating system with the following options available:

• Recovery: Select this option to open the main utility of the Recovery Tool. This utility scans and attempts to repair the device. After scanning, additional functions become available for accessing the Full Disk Encryption preboot and viewing encrypted files on the disk.

  Note: The Recovery Tool may require additional information from PolicyServer to completely repair the device. After initial scanning, the Recovery Tool may request that you authenticate with PolicyServer. Ensure that connection to the network is available before using the Recovery Tool. The Recovery Tool supports wired Ethernet connections.

• Zoom: Select this option to open the Zoom video conferencing service. Trend Micro Support may ask you to use this service to share your display so that Support can better help you perform necessary tasks with the Recovery Tool.

  Note: Using Zoom requires access to the Internet.

• Language Input: The Recovery Tool supports several language inputs. Go to Start > Language Input and select the language of your keyboard.

• Shut Down / Restart: To shut down or restart the endpoint, go to Start > Shut Down and select either Shut Down or Restart.


Advanced Functions

After the Recovery Tool finishes scanning and attempting to repair the device, the completion screen includes the options Advanced Functions and Shut Down. If you click Advanced Functions, a screen appears with one or more options depending on your hard drive.

Note

Accessing the Advanced Functions screen requires authentication. For more information about scanning, repairing, and authentication, see Scanning and Repairing a Disk on page 9-18.

If your drive is a standard hard drive (not a self-encrypting drive), the following options are available:

• Launch File Explorer: Select this option to open a window that shows your file directory. You can copy files from your drive to an external storage device. The Recovery Tool will decrypt those files before adding them to the external device.

Note

Trend Micro recommends backing up your most important files this way. Decryption using this function may take a long time, so if you want to decrypt and copy all files on the drive, instead decrypt the entire drive using the Recovery Console.

• Enable Preboot: Select this option to open the Full Disk Encryption preboot the next time that you restart with the Recovery Tool attached to the endpoint. The Recovery Tool includes an internal copy of the Full Disk Encryption preboot that you can use to access the Recovery Console to configure network settings or decrypt the device.

If your drive is a self-encrypting drive (SED), the following option is available:

• Remove Preboot: Select this option to remove the Full Disk Encryption prebootfrom the endpoint so that the device no longer requires authentication withPolicyServer. If you have problems authenticating with PolicyServer or accessingWindows from the preboot, select this option.


Trend Micro Endpoint Encryption 5.0 Patch 4 Administrator Guide

9-22

Remote Help Assistance

Remote Help allows users to reset a forgotten password or locked account. Any Endpoint Encryption user who has a locked account or forgot the account password must reset the password before being able to log on to any Endpoint Encryption device. Remote Help requires that the user contact the Help Desk for a Challenge Response. Remote Help does not require network connectivity to PolicyServer.

Procedure

1. Log on to PolicyServer MMC using any account with Group Administrator permissions in the same policy group as the user.

2. Ask the user to go to Help > Remote Help from the Endpoint Encryption agent.

3. Ask the user for the Device ID.

FIGURE 9-1. Remote Help Assistance

4. In PolicyServer MMC, open Enterprise Devices or expand the user's group and open Devices.

5. In the right pane, right-click the user's device and then select Soft Token.

The Software Token window appears.

6. Get the 16-digit challenge code from the user, and type it into the Challenge field of the Software Token window.

7. Click Get Response.

The Response field loads with an 8-character string.

8. Tell the user the 8-character string from the Response field.

9. The user inputs the string in the Response field on the endpoint and clicks Login.

10. The user must specify a new password.
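The challenge/response exchange above, modelled end to end as an added example; this is not Trend Micro's Software Token implementation, which this guide does not describe. The HMAC-SHA256 derivation, the per-device enrolment secret, and the class and function names are all assumptions made for the illustration. What it shows is the property the procedure relies on: the endpoint can verify the help desk's 8-character answer with no connection to PolicyServer, because both sides share a secret and the answer is bound to the Device ID and to a single 16-digit challenge.

```python
"""Illustrative model of the Remote Help challenge/response flow.

Added example, not Trend Micro's Software Token algorithm (the page does not
describe how PolicyServer derives the response, so the derivation here is an
assumption). It keeps the observable shape of the procedure: the endpoint
shows a Device ID and a 16-digit challenge, the help desk returns an
8-character response, and the endpoint verifies it offline.
"""
import hashlib
import hmac
import secrets
import string

CHALLENGE_DIGITS = 16
RESPONSE_LEN = 8
# 32 symbols with no 0/O or 1/I, easier to read out over the phone.
# 256 % 32 == 0, so indexing by raw MAC bytes introduces no bias.
RESPONSE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
assert len(RESPONSE_ALPHABET) == 32


def make_challenge() -> str:
    """Endpoint side: a fresh, random 16-digit challenge for each reset attempt."""
    return "".join(secrets.choice(string.digits) for _ in range(CHALLENGE_DIGITS))


def derive_response(device_secret: bytes, device_id: str, challenge: str) -> str:
    """Shared derivation (assumed, not Trend Micro's): HMAC over device ID and challenge."""
    if len(challenge) != CHALLENGE_DIGITS or not challenge.isdigit():
        raise ValueError("challenge must be exactly 16 digits")
    msg = f"{device_id}:{challenge}".encode()
    mac = hmac.new(device_secret, msg, hashlib.sha256).digest()
    return "".join(RESPONSE_ALPHABET[b % len(RESPONSE_ALPHABET)] for b in mac[:RESPONSE_LEN])


class Endpoint:
    """Offline agent. Holds its enrolment secret and at most one open challenge."""

    def __init__(self, device_id: str, device_secret: bytes):
        self.device_id = device_id
        self._secret = device_secret
        self._open_challenge = None
        self.failed_attempts = 0

    def start_remote_help(self):
        """Help > Remote Help: display the Device ID and a new challenge to the user."""
        self._open_challenge = make_challenge()
        return self.device_id, self._open_challenge

    def submit_response(self, typed: str) -> bool:
        """The user types the help desk's response and clicks Login."""
        if self._open_challenge is None:
            return False
        expected = derive_response(self._secret, self.device_id, self._open_challenge)
        # One attempt per challenge: consume it whether or not the response matched,
        # so a guessed or replayed response cannot be retried against the same challenge.
        self._open_challenge = None
        ok = hmac.compare_digest(expected, typed.strip().upper())
        if not ok:
            self.failed_attempts += 1
        return ok


class HelpDesk:
    """Group Administrator side: the Soft Token lookup in PolicyServer MMC."""

    def __init__(self, device_secrets: dict):
        self._device_secrets = device_secrets  # device ID -> enrolment secret

    def get_response(self, device_id: str, challenge: str) -> str:
        secret = self._device_secrets.get(device_id)
        if secret is None:
            raise KeyError(f"{device_id} is not a device in this policy group")
        return derive_response(secret, device_id, challenge)


if __name__ == "__main__":
    # Constructed sample: one enrolled device known to both sides.
    secret = secrets.token_bytes(32)
    endpoint = Endpoint("DEVICE-0001", secret)
    helpdesk = HelpDesk({"DEVICE-0001": secret})
    device_id, challenge = endpoint.start_remote_help()     # step 3: user reads these out
    response = helpdesk.get_response(device_id, challenge)  # steps 6-8: help desk reads this back
    print(device_id, challenge, response, endpoint.submit_response(response))  # step 9
```

Two design points carry over to any scheme of this shape: the challenge is consumed after a single attempt, so a response read over the phone cannot be replayed against the same challenge, and failed attempts are counted so the agent can apply a lockout policy. Verifying that the caller really is the device's user happens at the help desk, outside this code.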


10-1

Chapter 10

Resolved and Known Issues

This section describes the Endpoint Encryption issues that have been fixed and the remaining issues and limitations.

Topics include:

• Resolved Issues on page 10-2

• Known Issues on page 10-10


Resolved Issues

This section describes the previous Endpoint Encryption issues that have been resolved.

Resolved Issues in Endpoint Encryption 5.0 Patch 4 Update 1

1. Issue: When a Full Disk Encryption agent installs on an endpoint, Endpoint Encryption uses part of the disk space as a database that stores vital Full Disk Encryption information. In high-stress environments, this database may become corrupted, and Full Disk Encryption may be unable to authenticate or connect to PolicyServer, and the endpoint may be unable to restart.

   Solution: This update modifies the driver to protect against high-stress database corruption.

2. Issue: When an Endpoint Encryption agent installs on a non-English operating system, the Windows application log repeatedly displays the following error message:

   “X9.31: Collected entropy matched prior entropy”

   Solution: This update fixes the anomaly in the Endpoint Encryption agents that triggers this error message. Additionally, this update enhances the agent health check mechanism.

3. Issue: The Full Disk Encryption Preboot detects the Spanish (Mexico) keyboard layout as the Spanish (Spain) layout. Users are unable to input certain special characters with this layout.

   Solution: This update adds support for Spanish (Mexico) keyboard layouts.

4. Issue: When Full Disk Encryption installs on a Windows XP endpoint, after Preboot authentication and Windows startup, Full Disk Encryption displays an error regarding a database corruption. The following error displays in the PolicyServer event logs:

   “907001 Scratchspace corruption”

   After this event, Full Disk Encryption automatically repairs that database corruption, so no actual damage occurs.

   Solution: This update fixes the root cause of the initial database corruption, so the database never becomes corrupted and no error messages display.

Resolved Issues in Endpoint Encryption 5.0 Patch 4

1. Issue: When a Full Disk Encryption agent installs on an endpoint, Endpoint Encryption uses part of the disk space as a database that stores vital Full Disk Encryption information. If parts of this database become corrupted, Full Disk Encryption may be unable to authenticate or connect to PolicyServer, and the endpoint may be unable to start.

   Solution: In this version Endpoint Encryption makes a backup database when Full Disk Encryption is installed or the agent is upgraded. If Endpoint Encryption detects that one of the databases is corrupted, Endpoint Encryption reports the status to PolicyServer, and attempts to repair the corrupted database using the remaining uncorrupted database.

2. Issue: The Full Disk Encryption preboot does not include an option for Swiss German keyboard mappings.

   Solution: This patch adds support for Swiss German keyboard input.

3. Issue: The Full Disk Encryption preboot is unable to connect to PolicyServer over a wireless connection for Dell Venue 11 Pro 7140 laptops.

   Solution: This patch adds support for Dell Venue 11 Pro 7140 drivers.

4. Issue: The Full Disk Encryption preboot does not support touchpads for Fujitsu Lifebook U745 laptops.

   Solution: This patch adds loaders to support touchpads for Fujitsu Lifebook U745 laptops.

5. Issue: The Full Disk Encryption preboot is unable to detect the wireless network cards on certain models of Lenovo ThinkPad X1 Carbon laptops. For these models, the preboot disables the Wi-Fi settings icon.

   Solution: This patch expands the Wi-Fi scan buffer size and scan protocols to support a higher frequency range. This allows Full Disk Encryption to support the wireless cards in Generation 1 and Generation 2 Lenovo ThinkPad X1 Carbon models.

6. Issue: The keyboard input language automatically changes back to English (US) with external keyboards in the Full Disk Encryption preboot and after upgrading Full Disk Encryption.

   Solution: This patch adds external keyboard checking and error handlers throughout Full Disk Encryption to ensure that keyboard input settings are preserved.

7. Issue: On VMware vSphere instances, the Full Disk Encryption preboot is unable to detect the wireless network cards so the preboot disables the Wi-Fi settings icon.

   Solution: This patch opens port 546 over the UDP protocol to listen to IPv6 traffic. Additionally, this patch adjusts the initialization sequence to improve the performance of DNS environments. With these improvements, the Full Disk Encryption preboot does not time out when detecting wireless network cards in vSphere instances.

8. Issue: The server endpoint with PolicyServer encounters the following exception in Diagnostic Monitor from TMEEService: “The given key was not present in the dictionary.”

   Solution: This exception was caused by the fact that TMEEService was unable to access the communication key. This exception did not impact PolicyServer functionality. This patch removes this exception.

9. Issue: PolicyServer consistently times out while generating reports.

   Solution: When the audit log and PolicyServer database grow beyond a certain size, normal report generation exceeds the report generation threshold. This patch increases the report generation threshold to allow for larger report generation.

10. Issue: The Diagnostic Monitor tool is unable to open.

    Solution: This issue occurred due to improper storage of diagnostic files. This patch reworks the diagnostic storage process, and enhances the error handlers to ensure that users can open the Diagnostic Tool.

11. Issue: If the Endpoint Encryption Proxy is installed on a 64-bit Windows Server endpoint with 32-bit applications enabled, the Endpoint Encryption Proxy is unable to complete installation or synchronize with PolicyServer.

    Solution: This issue occurred due to an issue with port autodetection through the Windows Registry. This patch adds support for enabling 32-bit applications in 64-bit Windows Server environments.

12. Issue: If Full Disk Encryption and File Encryption are installed on the same endpoint, Windows displays duplicated accounts on the account logon screen.

    Solution: This patch corrects the account handlers for Full Disk Encryption so the same user account will not display multiple times.
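For an administrator deciding which endpoints still need this patch, the three error strings quoted in the two tables above can be searched for in exported logs. The following is an added example, not a Trend Micro tool: the message texts are the ones on this page, while the export line format, the host names, the severity labels and the sample lines are constructed assumptions (the page shows no export format), so parse_line() must be adapted to the export you actually have.

```python
"""Triage exported log lines for the error strings quoted in the resolved-issue tables.

Added example, not a Trend Micro tool. Only the three message texts come from
the page; the line layout, hosts and sample export below are constructed.
The aim is a per-host list of endpoints still reporting pre-Patch-4 symptoms
so they can be prioritised for the update.
"""
from collections import defaultdict

# Message text -> (triage severity, where the fix is listed on this page).
# Severities are the author's assumption for ordering, not Trend Micro's.
KNOWN_MESSAGES = {
    "X9.31: Collected entropy matched prior entropy":
        ("low", "5.0 Patch 4 Update 1, issue 2: agent anomaly on non-English OS"),
    "907001 Scratchspace corruption":
        ("medium", "5.0 Patch 4 Update 1, issue 4: self-repaired database corruption"),
    "The given key was not present in the dictionary.":
        ("low", "5.0 Patch 4, issue 8: TMEEService communication key, no functional impact"),
}
SEVERITY_RANK = {"medium": 1, "low": 0}


def parse_line(line: str):
    """Assumed export layout: '<timestamp> <host> <source>: <message>'. Returns None if it does not fit."""
    try:
        timestamp, host, rest = line.strip().split(" ", 2)
        source, message = rest.split(": ", 1)
    except ValueError:
        return None
    return {"ts": timestamp, "host": host, "source": source, "message": message}


def match_known(message: str):
    """Return the known message key contained in `message`, or None."""
    for key in KNOWN_MESSAGES:
        if key in message:
            return key
    return None


def triage(lines):
    """Count known messages per host; returns {host: {message: count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole run
        key = match_known(rec["message"])
        if key is not None:
            hits[rec["host"]][key] += 1
    return {host: dict(msgs) for host, msgs in hits.items()}


def report(hits):
    """Hosts ordered by highest severity first, then by total number of hits."""
    rows = []
    for host, msgs in hits.items():
        worst = max(SEVERITY_RANK[KNOWN_MESSAGES[k][0]] for k in msgs)
        rows.append((-worst, -sum(msgs.values()), host))
    return [host for _, _, host in sorted(rows)]


# Constructed sample export (not from the page).
SAMPLE_LOG = """\
2016-03-01T08:00:01 WS-0042 TMEEAgent: X9.31: Collected entropy matched prior entropy
2016-03-01T08:00:07 WS-0042 TMEEAgent: X9.31: Collected entropy matched prior entropy
2016-03-01T08:01:10 WS-0017 FDE: 907001 Scratchspace corruption
2016-03-01T08:02:00 PS-01 TMEEService: The given key was not present in the dictionary.
2016-03-01T08:02:30 WS-0042 FDE: Preboot authentication succeeded
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for host in report(hits):
        for msg, n in hits[host].items():
            sev, where = KNOWN_MESSAGES[msg]
            print(f"{host}: {n}x [{sev}] {msg!r} -> {where}")
```

The "907001 Scratchspace corruption" event is ranked above the other two only because the page says it reflects a database corruption that the agent then repairs; the X9.31 message and the dictionary exception are described as cosmetic, so hosts showing only those are listed last.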

Resolved Issues in Endpoint Encryption 5.0 Patch 3

1. Issue: Full Disk Encryption does not have driver support for the Intel Dual Band AC 7265 adapter.

   Solution: This version fixes network connections on the Lenovo X250.

   This issue was first resolved in Hot Fix 3817.

2. Issue: Windows may display partitions and unallocated disk space incorrectly on devices encrypted by Full Disk Encryption. This issue occurs if you add a partition using unallocated disk space, and then restart Windows.

   Solution: This version resolves the issue by allowing users to recover the MBR and to keep the partition table.

   This issue was first resolved in Hot Fix 3817.

3. Issue: The widget content on the Control Manager console does not display the Endpoint Encryption devices and users.

   Solution: This version resolves the Control Manager display issue.

   This issue was first resolved in Hot Fix 2705.

4. Issue: The service TMEEProxyWindowsService is unable to communicate with PolicyServer when the IIS setting Enable32BitAppOnWin64 is set to true.

   Solution: This issue occurred because TMEEProxyWindowsService was unable to read the registry key port value. This version resolves the issue by adding a registry key port value for 32-bit applications.

5. Issue: The service TMEEService occasionally crashes, which prevents PolicyServer MMC from being able to open.

   Solution: This version updates the version of the file TMFIP.dll to prevent TMEEService crashes.

6. Issue: Endpoint Encryption produces unnecessary duplicate logs in Windows Event Center. Windows Event Center becomes flooded with too many Endpoint Encryption logs.

   Solution: The duplicate logs were caused by events regarding PolicyServer communication with inaccessible administrator users. Duplicate logs from this event type have been removed.

Resolved Issues in Endpoint Encryption 5.0 Patch 2

1. Issue: Endpoints encrypted by Endpoint Encryption version 5.0 or later may be unable to detect an internal Alcor Micro USB Smart Card Reader.

   Solution: This version ensures that encrypted endpoints are able to detect an internal Alcor Micro USB Smart Card Reader if it exists on the endpoint.

   This issue was first resolved in Hot Fix 3580.

2. Issue: After installing Full Disk Encryption 5.0 on a laptop, during startup, the following error displays:

   BOOTMGR is missing
   Press Ctrl+Alt+Del to restart

   Solution: This issue occurs because of incompatibility with some Windows Recovery Environment (Windows RE) partitions. This version ensures that Endpoint Encryption supports previously unsupported Windows RE partitions.

3. Issue: Windows Update does not function properly on Windows 7 (32-bit) devices with Full Disk Encryption 5.0 or earlier installed.

   When running Windows Update, the operating system can provision too much memory to Windows Update. This may cause the kernel to reduce to 0 available memory. With no available memory, Endpoint Encryption aborts the decryption process. From this point, Windows will be unable to read the correct Registry data.

   Solution: This version forces the kernel to re-allocate memory to Full Disk Encryption in high-pressure situations. With sufficient memory, Endpoint Encryption no longer causes Registry issues, so Windows Update continues to function properly.

Resolved Issues in Endpoint Encryption 5.0 Patch 1

1. Issue: When users install Full Disk Encryption and enable the preboot function, a blank screen appears after the computer restarts.

   Solution: This version resolves a driver incompatibility issue to ensure that the XHCI module loads properly while the computer restarts. This ensures that the computer can restart successfully after users install Full Disk Encryption.

   This issue was first resolved in Hot Fix 330.

2. Issue: The Full Disk Encryption preboot process does not support Finnish or Swedish character sets when the keyboard layout is set to Finnish or Swedish.

   Solution: This version enables support of Finnish or Swedish character sets for the Full Disk Encryption preboot process when the keyboard layout is set to Finnish or Swedish.

   This issue was first resolved in Hot Fix 1310.

3. Issue: The Windows 7 operating system freezes and/or encounters poor performance after using File Encryption. Certain programs have not been updated to Windows 7, so these programs cause irregular behavior. In this case, when using File Encryption, junction points link recursively to the directories the junction points are inside, which causes an infinite loop.

   Solution: This version bypasses the standard junction point creation process so that File Encryption can avoid junction point recursion.

   This issue was first resolved in Hot Fix 478.

4. Issue: After Full Disk Encryption is installed, the computer stops at the preboot stage and is unable to load the login console. The computer only displays the background image. Users are unable to use the device.

   Solution: This version prevents the computer from loading unnecessary network drivers while starting. The computer only loads the specific driver detected on the device, so the computer no longer stops at the preboot stage.

   This issue was first resolved in Hot Fix 336.

5. Issue: When users install Full Disk Encryption, during the preboot stage, the Alcor Micro USB Smart Card Reader does not appear in the detected components.

   Solution: This version enables support for the Alcor Micro USB Smart Card Reader.

   This issue was first resolved in Hot Fix 336.

6. Issue: The device is unable to connect to a network during preboot if the device contains a network adapter in the Intel Ethernet Connection I217 Family.

   Solution: This version enables support for the Intel Ethernet Connection I217 Family.

   This issue was first resolved in Hot Fix 336.

7. Issue: The Synaptic Touchpad is hypersensitive during the Full Disk Encryption preboot stage.

   Solution: This version adjusts the sensitivity for the Synaptic Touchpad during the preboot stage.

   This issue was first resolved in Hot Fix 336.

8. Issue: For some SSD devices that have SED functionality and are not manufactured by Seagate, Full Disk Encryption installation will be unsuccessful and will result in a blank screen after installation causes the endpoint to restart.

   Solution: This version forces installation encryption for SSD drives not manufactured by Seagate, which resolves the installation issue.

   This issue was first resolved in Hot Fix 3025.

9. Issue: Certain Broadcom Wi-Fi chips do not function during the Full Disk Encryption preboot stage.

   Solution: This version provides support for the following Broadcom Wi-Fi chips:

   • BCM4311
   • BCM4312
   • BCM4313
   • BCM4321
   • BCM4322
   • BCM43224
   • BCM43225
   • BCM43227
   • BCM43228

   This issue was first resolved in Hot Fix 3025.

10. Issue: The user is unable to use USB pointers and keyboard during the Full Disk Encryption preboot on an HP EliteBook Folio 9470.

    Solution: This version fixes this issue by changing the response mode during preboot.

    This issue was first resolved in Hot Fix 3521.

11. Issue: When using Encryption Management for Microsoft BitLocker, if the user's network is unable to connect to the server after 10 seconds, the network times out.

    Solution: This version extends the server connection time to 100 seconds instead of 10 seconds so that networks with high latency concerns time out less frequently.

    This issue was first resolved in Hot Fix 3521.

12. Issue: The user is unable to select the password field with a pointer on the Full Disk Encryption preboot logon screen after setting up a wireless network.

    Solution: This issue occurs because the display does not refresh after switching from wireless network configuration. This version fixes this issue by forcing the display to refresh after wireless network configuration.

13. Issue: In the Full Disk Encryption preboot environment, the wireless connection does not automatically switch to a wireless access point (AP) that it had connected to previously.

    Solution: This version fixes this issue by redesigning the wireless connection process.

14. Issue: During decryption when using the Repair CD, the decryption program crashes shortly after starting.

    Solution: This issue occurs because of a file handle leak during the decryption status update. This version fixes this issue by fixing the file handle leak.

15. Issue: When using the Repair CD on a self-encrypting drive (SED) for hardware encryption, the preboot uninstallation command does not work.

    Solution: This version fixes this issue by redesigning the preboot uninstallation process, and then passing the preboot uninstallation command.

Known Issues

This section describes the Endpoint Encryption issues and limitations grouped according to agent or console.


PolicyServer MMC Issues

The following are the PolicyServer MMC issues and limitations:

1. If a domain user has the Enterprise Administrator or Enterprise Authenticator role, no event log is created when Active Directory synchronization is unsuccessful.

2. PolicyServer MMC is unable to display information for multiple enterprises. PolicyServer is only able to display the first enterprise entered into PolicyServer MMC.

Control Manager Integration Issues

The following are the Control Manager issues and limitations:

1. After deploying a new policy from Control Manager to PolicyServer, a new policy group does not immediately appear in PolicyServer MMC. To see the new policy group, log off from PolicyServer MMC and log back on.

2. Users cannot be added to the policy if the Users panel in Control Manager Policy Management is disabled.

3. Deleting a policy that was created in Control Manager does not delete the policy from PolicyServer. The policy can still be viewed in PolicyServer MMC.

Endpoint Encryption Deployment Tool Plug-in Issues

The following are the Endpoint Encryption Deployment Tool plug-in issues and limitations:

1. If the OfficeScan administrator tries to deploy server settings to PolicyServer using an Endpoint Encryption user account, an error message returns that the connection was unsuccessful.

2. Plug-in Manager does not display an error message when installing the Endpoint Encryption Deployment Tool Plug-in on a server that does not meet the minimum system requirement of 1 GB free hard disk space.

3. The Endpoint Encryption device may still appear in Plug-in Manager even after the Endpoint Encryption agent has been uninstalled. Agents will disappear the next time that PolicyServer synchronizes with OfficeScan and the Plug-In Manager screen refreshes.

4. Endpoint Encryption users with a one-time password (OTP) are only allowed to deploy agents using the Endpoint Encryption Deployment Tool Plug-in once. All future deployments are unsuccessful. After the first deployment, the user must set a fixed password before performing deployment again.

5. When the uninstall command is deployed from OfficeScan to Full Disk Encryption devices, the message “Successful agent uninstallation request” appears before uninstallation has completed. Endpoint Encryption decrypts the endpoint before completing uninstallation.

Full Disk Encryption Issues

The following are the Full Disk Encryption issues and limitations.

1. Full Disk Encryption does not support endpoints with multiple hard drives.

2. The Full Disk Encryption preboot login may encounter reduced performance if the Wi-Fi adapter is connected to an access point with no network access to PolicyServer.

This issue occurs when the PolicyServer IP address is used during Full Disk Encryption installation. Use the PolicyServer FQDN during installation to resolve the issue.

3. The Full Disk Encryption preboot Wi-Fi is unable to automatically detect access points with WEP-Shared security.

Manually specify WEP-OPEN or WEP-PSK security.

4. The Full Disk Encryption preboot is unable to log on Windows 8, 8.1, or 10 when installed on a virtual machine using VMWare Workstation with the e1000e Ethernet driver.

The e1000e Ethernet driver is the default driver for Windows 8 and 8.1. Full Disk Encryption does not support the e1000e Ethernet driver.

To resolve this issue, change the driver to e1000:

a. Shut down VMWare Workstation.


b. Using a text editor, open the vmware.vmx file.

c. Find the driver line:

ethernet0.virtualDev = "e1000e"

d. Change "e1000e" to "e1000".

e. Save the file and restart the virtual machine.

5. Full Disk Encryption displays an error message and is unable to lock the system when the “LockDeviceTimeDelay” policy is 999999 minutes.

6. Full Disk Encryption is unable to log on by single sign-on when the endpoint wakes from hibernation.

7. When a user logs on Full Disk Encryption, the tray icon shows the correct user name. However, if the user logs off after the endpoint hibernates and another user logs on, the user name still shows the previous user name. No user data is at risk.

8. Toshiba Tecra computers with self-encrypting drives may be unable to run Windows after installing Full Disk Encryption.

9. The Full Disk Encryption preboot does not support combinations of characters with the “AltGr” key when using a Spanish keyboard layout.

10. The Full Disk Encryption preboot is unable to control the Num Lock indicator for some HP laptops. In those cases, the Num Lock indicator can be configured in the BIOS settings.

11. Full Disk Encryption does not support installation alongside other third-party full disk encryption products. If multiple encryption products are installed on the same endpoint, the endpoint may be unable to start Windows and may display a blue screen error message.

12. The Full Disk Encryption Recovery Tool is unable to communicate with PolicyServer in a pure IPv6 network.

To avoid this issue, ensure that your network includes an IPv4 connection to PolicyServer.

13. The Full Disk Encryption Recovery Tool may encounter errors when logging on Zoom by single sign-on, or by using Google or Facebook accounts.

To avoid this issue, only use Zoom to connect to meetings hosted by Trend Micro support. Do not attempt to host meetings through the Recovery Tool.
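A scripted form of the e1000e workaround (steps a through e under known issue 4 above), added here as an example and not a Trend Micro or VMware tool. It assumes the key/value line quoted in step c (ethernet0.virtualDev = "e1000e"), generalises the step to every ethernetN adapter in the file, leaves every other line untouched, and writes a .bak copy before changing anything. The function names and the sample .vmx content are constructed for the example.

```python
"""Rewrite the virtual NIC driver in a VMware .vmx file from e1000e to e1000.

Added example for the known-issue workaround, not a Trend Micro or VMware
tool. Assumes the .vmx key/value syntax shown on the page and should be run
only while the virtual machine is powered off (step a of the procedure).
"""
import re
from pathlib import Path

# Matches e.g.   ethernet0.virtualDev = "e1000e"   (surrounding whitespace tolerated).
DRIVER_LINE = re.compile(r'^(?P<key>ethernet\d+\.virtualDev)\s*=\s*"(?P<drv>[^"]*)"\s*$')


def rewrite_vmx_text(text: str, old: str = "e1000e", new: str = "e1000") -> tuple:
    """Return (new_text, keys_changed).

    Only an exact match of `old` is rewritten, so a key already set to "e1000"
    or to another driver such as "vmxnet3" is left alone. Line endings
    (LF or CRLF) and all non-matching lines are preserved byte for byte.
    """
    out, changed = [], []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        m = DRIVER_LINE.match(body)
        if m and m.group("drv") == old:
            out.append(f'{m.group("key")} = "{new}"{eol}')
            changed.append(m.group("key"))
        else:
            out.append(line)
    return "".join(out), changed


def fix_vmx_file(path, old: str = "e1000e", new: str = "e1000") -> list:
    """Rewrite the file in place, keeping a .bak copy; returns the keys changed."""
    p = Path(path)
    original = p.read_text(encoding="utf-8")
    updated, changed = rewrite_vmx_text(original, old, new)
    if changed:  # nothing to do means nothing is written, not even the backup
        p.with_name(p.name + ".bak").write_text(original, encoding="utf-8")
        p.write_text(updated, encoding="utf-8")
    return changed


# Constructed sample .vmx content (not from the page) for a stand-alone run.
SAMPLE_VMX = (
    'displayName = "tmee-win10-test"\n'
    'ethernet0.present = "TRUE"\n'
    'ethernet0.virtualDev = "e1000e"\n'
    'ethernet1.present = "TRUE"\n'
    'ethernet1.virtualDev = "vmxnet3"\n'
)

if __name__ == "__main__":
    updated, changed = rewrite_vmx_text(SAMPLE_VMX)
    print("changed:", changed)
    print(updated, end="")
    # For a real file: fix_vmx_file(r"C:\VMs\tmee-win10-test\tmee-win10-test.vmx")
```

The page refers to the file as vmware.vmx; in practice the configuration file carries the name of the virtual machine, so pass the real path to fix_vmx_file(). Running rewrite_vmx_text() a second time on the output returns an empty change list, which is the check that the edit took.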

File Encryption Issues

The following are the Full Disk Encryption issues and limitations.

1. If you attempt to delete files or folders in an encrypted folder, Windows prompts the following error: “Can't read from the source file or disk.”

This error occurs because File Encryption is unable to move deleted files and folders in an encrypted folder to the Recycle Bin. To delete files and folders in an encrypted folder, use the permanent delete command Shift + Delete.

2. File Encryption does not support "Self Help" questions and answers. At registration, if the Endpoint Encryption user goes to the "Change Password" screen, the user should be given "Self Help" challenge questions.

3. After upgrading PolicyServer and File Encryption from 3.1.3 SP1 to 5.0, policies are unable to synchronize if the File Encryption 3.1.3 agent uses port 8080 (TMEEService) during registration.

4. After upgrading PolicyServer and File Encryption from 3.1.3 SP1 to 5.0, authentication is locked at the "Change Password" screen if the File Encryption 3.1.3 agent used port 8080 (TMEE Service port) during registration.

5. Uninstalling File Encryption without restarting the endpoint does not automatically remove the program from the Add/Remove Programs list.

6. The legal notice does not appear when the endpoint starts.

7. The File Encryption agent desktop shortcut and agent icon flash when the File Encryption agent synchronizes with PolicyServer.

Encryption Management for Microsoft BitLocker Issues

There are no known issues for Encryption Management for Microsoft BitLocker in this release.


Encryption Management for Apple FileVault Issues

There are no known issues for Encryption Management for Microsoft BitLocker in this release.


11-1

Chapter 11

Technical Support

Learn about the following topics:

• Troubleshooting Resources on page 11-2

• Contacting Trend Micro on page 11-3

• Sending Suspicious Content to Trend Micro on page 11-4

• Other Resources on page 11-5


Troubleshooting Resources

Before contacting technical support, consider visiting the following Trend Micro online resources.

Using the Support Portal

The Trend Micro Support Portal is a 24x7 online resource that contains the most up-to-date information about both common and unusual problems.

Procedure

1. Go to http://esupport.trendmicro.com.

2. Select a product or service from the appropriate drop-down list and specify any other related information.

The Technical Support product page appears.

3. Use the Search Support box to search for available solutions.

4. If no solution is found, click Submit a Support Case from the left navigation and add any relevant details, or submit a support case here:

http://esupport.trendmicro.com/srf/SRFMain.aspx

A Trend Micro support engineer investigates the case and responds in 24 hours or less.

Threat Encyclopedia

Most malware today consists of “blended threats” which combine two or more technologies to bypass computer security protocols. Trend Micro combats this complex malware with products that create a custom defense strategy. The Threat Encyclopedia provides a comprehensive list of names and symptoms for various blended threats, including known malware, spam, malicious URLs, and known vulnerabilities.

Go to http://www.trendmicro.com/vinfo/us/threat-encyclopedia/#malware to learn more about:

• Malware and malicious mobile code currently active or “in the wild”

• Correlated threat information pages to form a complete web attack story

• Internet threat advisories about targeted attacks and security threats

• Web attack and online trend information

• Weekly malware reports

Contacting Trend Micro

In the United States, Trend Micro representatives are available by phone, fax, or email:

Address: Trend Micro, Inc., 225 E. John Carpenter Freeway, Suite 1500, Irving, Texas 75062

Phone: +1 (817) 569-8900

Toll free: (888) 762-8736

Website http://www.trendmicro.com

Email address [email protected]

• Worldwide support offices:

http://www.trendmicro.com/us/about-us/contact/index.html

• Trend Micro product documentation:

http://docs.trendmicro.com

Speeding Up the Support Call

To improve problem resolution, have the following information available:

• Steps to reproduce the problem


• Appliance or network information

• Computer brand, model, and any connected hardware or devices

• Amount of memory and free hard disk space

• Operating system and service pack version

• Version of the installed agent

• Serial number or activation code

• Detailed description of install environment

• Exact text of any error message received

Sending Suspicious Content to Trend Micro

Several options are available for sending suspicious content to Trend Micro for further analysis.

Email Reputation Services

Query the reputation of a specific IP address and nominate a message transfer agent for inclusion in the global approved list:

https://ers.trendmicro.com

Refer to the following Knowledge Base entry to send message samples to Trend Micro:

http://esupport.trendmicro.com/solution/en-US/1112106.aspx

File Reputation Services

Gather system information and submit suspicious file content to Trend Micro:

http://esupport.trendmicro.com/solution/en-us/1059565.aspx

Record the case number for tracking purposes.


Web Reputation Services

Query the safety rating and content type of a URL suspected of being a phishing site, or other so-called “disease vector” (the intentional source of Internet threats such as spyware and malware):

http://global.sitesafety.trendmicro.com

If the assigned rating is incorrect, send a re-classification request to Trend Micro.

Other Resources

In addition to solutions and support, there are many other helpful resources available online to help you stay up to date, learn about innovations, and to be aware of the latest security trends.

Download Center

From time to time, Trend Micro may release a patch for a reported known issue or an upgrade that applies to a specific product or service. To find out whether any patches are available, go to:

http://downloadcenter.trendmicro.com

If a patch has not been applied (patches are dated), open the Readme to determine whether it is relevant to your environment. The Readme also contains installation instructions.

Documentation Feedback

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please go to the following site:

http://www.trendmicro.com/download/documentation/rating.asp

Appendices


A-1

Appendix A

Maintenance Tools

This section describes additional utilities packaged with Endpoint Encryption that perform product maintenance tasks. Endpoint Encryption includes the following tools:

Diagnostics Monitor: View Endpoint Encryption event logs in real time.

See Using the Diagnostics Monitor on page A-2.

Log Server Tool: Generate a log package for all events that occur while replicating specific issues.

See Using the Log Server Tool on page A-5.

PolicyServer Change Settings Tool: Modify your SQL server and Windows service user credentials without reinstalling PolicyServer.

See Using the PolicyServer Change Settings Tool on page A-6.


Using the Diagnostics Monitor

The Diagnostic Monitor allows administrators to view events related to Endpoint Encryption in real time.

Procedure

1. Copy, download, or locate a PolicyServer installation package on the endpoint you have installed PolicyServer on.

To download the PolicyServer installation package or the Endpoint Encryption Suite, go to the Trend Micro Download Center:

http://downloadcenter.trendmicro.com/

2. Go to <PolicyServer Directory>\TMEE_PolicyServer\Tools\Diagnostics Monitor.

3. Run the file DiagnosticMonitor.exe as an administrator.

The License Renewal Tool screen opens.

Important

Windows may encounter an error titled Xenocode Postbuild 2010 at this point. The message text states that the application is unable to load a required virtual machine component. If this error occurs, open Windows Update, remove the update “KB3045999”, and try to run Diagnostic Monitor again.

4. Go to File > Options....


The Live Monitor Options screen appears.

5. Go to LogAlerts and set the Minimum Level Displayed to Debug.

6. Set the Maximum Records Displayed field to a value between “3000” and “50000”.

After setting the Maximum Records Displayed value, an event may appear in Diagnostic Monitor stating that the system is out of memory. If this event appears, return to this window and set the Maximum Records Displayed to a lower value.

7. Click Apply to all Categories or select individual categories and apply specific settings to each of them.

8. Restart the service PolicyServerWindowsService from Windows Task Manager.


When the PolicyServer service restarts, Active Directory synchronizes with PolicyServer. The Diagnostic Monitor will display events related to Active Directory synchronization.

9. View the logs in the Diagnostic Monitor window.

10. If you are using Diagnostic Monitor to troubleshoot a specific issue, perform all tasks necessary to replicate that issue while Diagnostic Monitor is open.

11. To generate a file of the diagnostic logs, go to File > Save to File.

A log file appears at your selected output folder. The default output folder is the desktop. To change your selected output folder, go to File > Option > Output Folder.

The name of the file is a timestamp of when you generated the file and the format is PSDM.


Note

If you contact Trend Micro Support regarding an issue, the support representative may request that you send a copy of the diagnostic logs for bug verification.

Using the Log Server Tool

The Log Server Tool allows administrators to record all events related to Endpoint Encryption over a period of time to troubleshoot specific issues. The recorded logs are intended for use by Trend Micro Support, so Trend Micro does not recommend using the Log Server Tool on your own. If you have an issue, contact Trend Micro Support, and the support representative may request that you replicate your issue while using the Log Server Tool.

Procedure

1. Open the PolicyServer program folder.

The default installation path is C:\Program Files\Trend Micro\PolicyServer.

2. Run the file LogServer.exe as an administrator.

A command prompt titled LogServer.exe appears. The Log Server Tool is running at this time.

The Log Server Tool generates PolicyServer diagnostic logs. The logs appear as a file named psdedebug.log in a folder named log in the PolicyServer program folder.

3. Perform all tasks necessary to replicate the issue that you contacted Trend Micro Support to address.

4. Close the command prompt titled LogServer.exe.

5. Send the file psdedebug.log to the support representative who requested that you use this tool.


Using the PolicyServer Change Settings Tool

The main purpose of the PolicyServer Change Settings Tool is to allow administrators to change their SQL Server database credentials without requiring the user to reinstall PolicyServer. Additionally, this tool includes several related features, including testing the database connection and changing the PolicyServer Windows Service credentials.

Procedure

1. Copy, download, or locate a PolicyServer installation package on the endpoint you have installed PolicyServer on.

To download the PolicyServer installation package or the Endpoint Encryption Suite, go to the Trend Micro Download Center:

http://downloadcenter.trendmicro.com/

2. Go to <PolicyServer Directory>\TMEE_PolicyServer\Tools\PolicyServer Change Settings.

3. Run the file PolicyServerChangeSettings.exe as an administrator.

4. Accept the End User License Agreement (EULA) to continue.

The EULA only appears the first time that you run this tool.

5. Change your settings as necessary using any of the following options:

OPTION | DESCRIPTION
Primary Database | Specify your primary database SQL Server credentials in this section. If you only have one database that serves as both your primary database and your log database, select Use Primary Settings for Log Database.
Log Database | If your primary database and log database are separate, specify your log database SQL Server credentials in this section. This section is disabled if Use Primary Settings for Log Database is selected.
Load From Disk | Reset the credentials for the Primary Database and Log Database sections with the last saved configuration.
Test Connection | Check that PolicyServer can communicate with the databases shown in the Primary Database and Log Database sections.
Write To Disk | Overwrite the last saved configuration with the credentials in the Primary Database and Log Database sections.
Restart PS | Restart PolicyServer. If you changed the credentials and clicked Write To Disk, PolicyServer will attempt to connect using the new SQL Server credentials.
Change Service Credentials... | Change the credentials for the PolicyServer Windows Service. The Change PS Credentials window appears if you select this option. You may use either the local Windows system account or specify the credentials for a different account.

Appendix B

PolicyServer Message IDs

The following tables explain PolicyServer error messages. The tables are grouped by category.

• Administrator Alerts on page B-2
• Audit Log Alerts on page B-6
• Certificate Alerts on page B-7
• Device Alerts on page B-8
• Error Alerts on page B-10
• Full Disk Encryption Activity Alerts on page B-10
• Installation Alerts on page B-13
• Login / Logout Alerts on page B-13
• Mobile Device Alerts on page B-17
• OCSP Alerts on page B-18
• OTA Alerts on page B-18
• Password Alerts on page B-19
• PIN Change Alerts on page B-22
• Smart Card Alerts on page B-23


Administrator Alerts

MESSAGE ID | DESCRIPTION | APPLICATIONS
100002 | Identifying Device | Full Disk Encryption, File Encryption, PolicyServer
100003 | Security Violation | Full Disk Encryption, File Encryption, PolicyServer
100007 | Critical Severity | Full Disk Encryption, File Encryption, PolicyServer
100019 | Policy Change Unsuccessful | Full Disk Encryption, File Encryption, PolicyServer
100045 | Unsupported configuration | Full Disk Encryption, File Encryption, PolicyServer
100046 | Enterprise Pool created | Full Disk Encryption, File Encryption, PolicyServer
100047 | Enterprise Pool deleted | Full Disk Encryption, File Encryption, PolicyServer
100048 | Enterprise Pool modified | Full Disk Encryption, File Encryption, PolicyServer
100049 | Admin User locked due to too many failed logins. | Full Disk Encryption, File Encryption, PolicyServer
100052 | Policy Value Integrity Check Failed | Full Disk Encryption, File Encryption, PolicyServer
100053 | Policy request aborted due to failed policy integrity check. | Full Disk Encryption, File Encryption, PolicyServer
100054 | File request aborted due to failed policy integrity check. | Full Disk Encryption, File Encryption, PolicyServer
100055 | Admin Authentication Succeeded | Full Disk Encryption, File Encryption, PolicyServer
100056 | Admin Authentication Failed | Full Disk Encryption, File Encryption, PolicyServer
100062 | Admin Password Reset | Full Disk Encryption, File Encryption, PolicyServer
100463 | Unable to remove user. Try again. | Full Disk Encryption, File Encryption, PolicyServer
100464 | Unable to unable user. Try again. | Full Disk Encryption, File Encryption, PolicyServer
100470 | Unable to change Self Help password. A response to one of the personal challenge questions was incorrect. | Full Disk Encryption, File Encryption, PolicyServer
102000 | Enterprise Added | Full Disk Encryption, File Encryption, PolicyServer
102001 | Enterprise Deleted | Full Disk Encryption, File Encryption, PolicyServer
102002 | Enterprise Modified | Full Disk Encryption, File Encryption, PolicyServer
102003 | The number of users has exceeded the maximum allowed by this license. Reduce the number of existing users to restore this user account. | PolicyServer
200000 | Administrator updated policy | PolicyServer
200001 | Administrator added policy | PolicyServer
200002 | Administrator deleted policy | PolicyServer
200003 | Administrator enabled application | PolicyServer
200004 | Administrator disabled application | PolicyServer
200100 | Administrator added user | PolicyServer
200101 | Administrator deleted user | PolicyServer
200102 | Administrator updated user | PolicyServer
200103 | Administrator added user to group | PolicyServer
200104 | Administrator removed user from group | PolicyServer
200200 | User added | PolicyServer
200201 | User deleted | PolicyServer
200202 | User added to group | PolicyServer
200203 | User removed from group | PolicyServer
200204 | User updated | PolicyServer
200300 | Administrator deleted device | PolicyServer
200301 | Administrator added device to group | PolicyServer
200302 | Administrator removed device from group | PolicyServer
200500 | Administrator added group | PolicyServer
200501 | Administrator deleted group | PolicyServer
200502 | Administrator updated group | PolicyServer
200503 | Administrator copy/pasted group | PolicyServer
200600 | PolicyServer update applied. | PolicyServer
200602 | User added to device | PolicyServer
200603 | User removed from device | PolicyServer
200700 | Event executed successfully | PolicyServer
200701 | Failed event execution | PolicyServer
200800 | Event installed successfully | PolicyServer
200801 | Failed to install event | PolicyServer


Audit Log Alerts

MESSAGE ID | DESCRIPTION | APPLICATIONS
100015 | Log Message | Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer
103000 | Audit Log Connection Opened | Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer
103001 | Audit Log Connection Closed | Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer
103100 | Audit Log Record Missing | Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer
103101 | Audit Log Record Integrity Missing | Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer
103102 | Audit Log Record Integrity Compromised | Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer
103103 | Audit Log Record Integrity Validation Started | Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer
104003 | Authentication method set to SmartCard. | Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer
904008 | Unable To Send Log Alert | Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer

Certificate Alerts

MESSAGE ID | DESCRIPTION | APPLICATIONS
104008 | Certificate expired. | Full Disk Encryption, File Encryption, PolicyServer


Device Alerts

MESSAGE ID | DESCRIPTION | APPLICATIONS
100001 | PDA to Desktop Sync Authentication was unsuccessful. There was no device ID for this PDA found. | Full Disk Encryption, File Encryption, PolicyServer
100012 | Device is not in its own Password Authentication File. PAF corrupted? | Full Disk Encryption, File Encryption, PolicyServer
100044 | Lock Device Action Received | Full Disk Encryption, File Encryption, PolicyServer
100100 | Install Started | Full Disk Encryption, File Encryption
100101 | Install Completed | Full Disk Encryption, File Encryption
100462 | Unable to connect to PolicyServer. | Full Disk Encryption, File Encryption, PolicyServer
101001 | The network connection is not working. Unable to get policy files from PolicyServer. | Full Disk Encryption, File Encryption, PolicyServer
101002 | Corrupted PAF (DAFolder.xml) file | Full Disk Encryption, File Encryption, PolicyServer
105000 | Unable to synchronize policies with client. Verify that there is a network connection and try again. | Full Disk Encryption, File Encryption, PolicyServer
200400 | Device added | PolicyServer
200401 | Device deleted | PolicyServer
200402 | Device added to group | PolicyServer
200403 | Device removed from group | PolicyServer
200404 | Device modified | PolicyServer
200405 | Device status updated | PolicyServer
200406 | Device status reset | PolicyServer
200407 | Device Kill Issued | Full Disk Encryption, File Encryption, PolicyServer
200408 | Device Lock Issued | Full Disk Encryption, File Encryption, PolicyServer
200409 | Device Synchronized | PolicyServer
904012 | User Not Allowed To Register New Device | PolicyServer
1000052 | Uninstall of product | Full Disk Encryption, File Encryption
1000053 | Product Uninstall Denied By Policy | Full Disk Encryption, File Encryption


Error Alerts

MESSAGE ID | DESCRIPTION | APPLICATIONS
100005 | General Error | Full Disk Encryption, File Encryption, PolicyServer
100006 | Application Error | Full Disk Encryption, File Encryption, PolicyServer

Full Disk Encryption Activity Alerts

MESSAGE ID | DESCRIPTION | APPLICATIONS
300700 | Device log maximum size limit reached, event log truncated. | Full Disk Encryption
400001 | User has successfully logged in. | Full Disk Encryption
400002 | User login failed. | Full Disk Encryption
400003 | Device decryption started. | Full Disk Encryption
400004 | Device Encryption Started. | Full Disk Encryption
400005 | Mounted encrypted partition. | Full Disk Encryption
400006 | Restored native OS MBR. | Full Disk Encryption
400007 | Restored Application MBR. | Full Disk Encryption
400008 | Device encryption complete | Full Disk Encryption
400009 | Device Decryption Completed | Full Disk Encryption
400010 | Device Encryption In Progress | Full Disk Encryption
400011 | System MBR Corrupt | Full Disk Encryption
400012 | System Pre-boot Kernel Deleted | Full Disk Encryption
401000 | Recovery Console accessed | Full Disk Encryption
401009 | Recovery Console error | Full Disk Encryption
401010 | Decryption in place started | Full Disk Encryption
401011 | Decryption in place stopped | Full Disk Encryption
401012 | Decryption in place complete | Full Disk Encryption
401013 | Decryption of removable device started | Full Disk Encryption
401014 | Decryption to removable device stopped | Full Disk Encryption
401015 | Decryption to removable device complete | Full Disk Encryption
401018 | Decryption in place error | Full Disk Encryption
401019 | Decryption to removable device error | Full Disk Encryption
401020 | Encrypted files accessed | Full Disk Encryption
401021 | Encrypted files modified | Full Disk Encryption
401022 | Encrypted files copied to removable device | Full Disk Encryption
401029 | Encrypted files access error | Full Disk Encryption
401030 | Network administration accessed | Full Disk Encryption
401031 | PolicyServer address changed | Full Disk Encryption
401032 | PolicyServer port number changed | Full Disk Encryption
401033 | Switched to IPv6 | Full Disk Encryption
401034 | Switched to IPv4 | Full Disk Encryption
401035 | Switched to dynamic IP configuration | Full Disk Encryption
401036 | Switched to static IP configuration | Full Disk Encryption
401037 | DHCP port number changed | Full Disk Encryption
401038 | IP address changed | Full Disk Encryption
401039 | Subnet mask changed | Full Disk Encryption
401040 | Broadcast address changed | Full Disk Encryption
401041 | Gateway changed | Full Disk Encryption
401042 | Domain name changed | Full Disk Encryption
401043 | Domain name servers changed | Full Disk Encryption
401049 | Network administration error | Full Disk Encryption
401050 | User administration accessed | Full Disk Encryption
401051 | User added | Full Disk Encryption
401052 | User removed | Full Disk Encryption
401053 | User modified | Full Disk Encryption
401069 | User administration error | Full Disk Encryption
401070 | Locally stored logs accessed | Full Disk Encryption
401079 | Locally stored logs access error | Full Disk Encryption
401080 | Original MBR restored | Full Disk Encryption
401089 | Original MBR restoration error | Full Disk Encryption
401090 | Default theme restored | Full Disk Encryption
401099 | Default theme restoration error | Full Disk Encryption
402000 | Application Startup | Full Disk Encryption
402001 | Application Shutdown | Full Disk Encryption
600001 | Update was successful in the Pre-boot. | Full Disk Encryption
600002 | Pre-boot Update failed | Full Disk Encryption


Installation Alerts

MESSAGE ID | DESCRIPTION | APPLICATIONS
100004 | Install Error | Full Disk Encryption, File Encryption, PolicyServer
100020 | Successful Installation | Full Disk Encryption, File Encryption, PolicyServer

Login / Logout Alerts

MESSAGE ID | DESCRIPTION | APPLICATIONS
100013 | Failed Login Attempt | Full Disk Encryption, File Encryption, PolicyServer
100014 | Successful Login | Full Disk Encryption, File Encryption, PolicyServer
100016 | Unable to log in. Use Remote Authentication to provide the PolicyServer Administrator with a challenge code. | Full Disk Encryption, File Encryption, PolicyServer
100021 | Unsuccessful ColorCode Login | Full Disk Encryption, File Encryption, PolicyServer
100022 | Unsuccessful Fixed Password Login | Full Disk Encryption, File Encryption, PolicyServer
100023 | Unsuccessful PIN Login | Full Disk Encryption, File Encryption, PolicyServer
100024 | Unsuccessful X99 Login | Full Disk Encryption, File Encryption, PolicyServer
100028 | Successful ColorCode Login | Full Disk Encryption, File Encryption, PolicyServer
100031 | Successful X9.9 Login | Full Disk Encryption, File Encryption, PolicyServer
100032 | Successful Remote Login | Full Disk Encryption, File Encryption, PolicyServer
100035 | Successful WebToken Login | Full Disk Encryption, File Encryption, PolicyServer
100036 | Unsuccessful WebToken Login | Full Disk Encryption, File Encryption, PolicyServer
100050 | Fixed Password login blocked due to lockout. | Full Disk Encryption, File Encryption, PolicyServer
100051 | User Login Successfully Unlocked | Full Disk Encryption, File Encryption, PolicyServer
100057 | LDAP User Authentication Succeeded | Full Disk Encryption, File Encryption, PolicyServer
100058 | LDAP User Authentication Failed | Full Disk Encryption, File Encryption, PolicyServer
100059 | LDAP User Password Change Succeeded | Full Disk Encryption, File Encryption, PolicyServer
100060 | LDAP User Password Change Failed | Full Disk Encryption, File Encryption, PolicyServer
100061 | Access request aborted due to failed policy integrity check. | Full Disk Encryption, File Encryption, PolicyServer
100070 | Successful Logout | Full Disk Encryption, File Encryption, PolicyServer
100433 | The ColorCode passwords do not match. | Full Disk Encryption, File Encryption, PolicyServer
100434 | Unable to change ColorCode. The new ColorCode must be different than the current one. | Full Disk Encryption, File Encryption, PolicyServer
100435 | Unable to change ColorCode. The new ColorCode must meet the minimum length requirements defined by PolicyServer. | Full Disk Encryption, File Encryption, PolicyServer
100436 | Unable to change ColorCode. The new ColorCode must be different than any previous ColorCode used. | Full Disk Encryption, File Encryption, PolicyServer
100437 | ColorCode Change Failure - Internal Error | Full Disk Encryption, File Encryption, PolicyServer
100459 | X9.9 Password Change Failure - Unable to connect to PolicyServer Host | Full Disk Encryption, File Encryption, PolicyServer
100460 | X9.9 Password Change Failure - Empty Serial Number | Full Disk Encryption, File Encryption, PolicyServer
100461 | X9.9 Password Change Failure - Internal Error | Full Disk Encryption, File Encryption, PolicyServer
101004 | Unable to reset locked device. | Full Disk Encryption, File Encryption, PolicyServer
104000 | Smart Card login successful. | Full Disk Encryption, File Encryption, PolicyServer
104001 | Smart Card login unsuccessful. Check that the card is seated properly and that the Smart Card PIN is valid. | Full Disk Encryption, File Encryption, PolicyServer

Mobile Device Alerts

MESSAGE ID | DESCRIPTION | APPLICATIONS
100037 | Palm Policy Database is missing | Full Disk Encryption, File Encryption, or PolicyServer
100038 | Palm Encryption Error | Full Disk Encryption, File Encryption, or PolicyServer
100039 | PPC Device Encryption Changed | Full Disk Encryption, File Encryption, or PolicyServer
100040 | PPC Encryption Error | Full Disk Encryption, File Encryption, or PolicyServer


OCSP Alerts

MESSAGE ID | DESCRIPTION | APPLICATIONS
104005 | OCSP certificate status good. | Full Disk Encryption, File Encryption, PolicyServer
104006 | OCSP certificate status revoked. | Full Disk Encryption, File Encryption, PolicyServer
104007 | OCSP certificate status unknown. | Full Disk Encryption, File Encryption, PolicyServer

OTA Alerts

MESSAGE ID | DESCRIPTION | APPLICATIONS
100041 | OTA Object Missing or Corrupt. | Full Disk Encryption, File Encryption, PolicyServer
100042 | OTA Sync Successful | Full Disk Encryption, File Encryption, PolicyServer
100043 | OTA Device Killed | Full Disk Encryption, File Encryption, PolicyServer


Password Alerts

MESSAGE ID | DESCRIPTION | APPLICATIONS
100017 | Change Password Error | Full Disk Encryption, File Encryption, PolicyServer
100018 | Password Attempts Exceeded | Full Disk Encryption, File Encryption, PolicyServer
100025 | Password Reset to ColorCode | Full Disk Encryption, File Encryption, PolicyServer
100026 | Password Reset to Fixed | Full Disk Encryption, File Encryption, PolicyServer
100027 | Password Reset to PIN | Full Disk Encryption, File Encryption, PolicyServer
100029 | Successful Fixed Password Login | Full Disk Encryption, File Encryption, PolicyServer
100030 | Successful PIN Password Login | Full Disk Encryption, File Encryption, PolicyServer
100033 | Unable to Reset Password | Full Disk Encryption, File Encryption, PolicyServer
100432 | Unable to change password. The new password must be different than the current password. | Full Disk Encryption, File Encryption, PolicyServer
100439 | Unable to change password. The passwords do not match. | Full Disk Encryption, File Encryption, PolicyServer
100441 | Unable to change password. The password field cannot be empty. | Full Disk Encryption, File Encryption, PolicyServer
100442 | Unable to change password. The password does not meet the minimum length requirements defined by PolicyServer. | Full Disk Encryption, File Encryption, PolicyServer
100443 | Unable to change password. Numbers are not permitted. | Full Disk Encryption, File Encryption, PolicyServer
100444 | Unable to change password. Letters are not permitted. | Full Disk Encryption, File Encryption, PolicyServer
100445 | Unable to change password. Special characters are not permitted. | Full Disk Encryption, File Encryption, PolicyServer
100446 | Unable to change password. The password cannot contain the user name. | Full Disk Encryption, File Encryption, PolicyServer
100447 | Unable to change password. The password does not contain enough special characters. | Full Disk Encryption, File Encryption, PolicyServer
100448 | Unable to change password. The password does not contain enough numbers. | Full Disk Encryption, File Encryption, PolicyServer
100449 | Unable to change password. The password does not contain enough characters. | Full Disk Encryption, File Encryption, PolicyServer
100450 | Unable to change password. The password contains too many consecutive characters. | Full Disk Encryption, File Encryption, PolicyServer
100451 | Unable to change password. The new password must be different than any previous password used. | Full Disk Encryption, File Encryption, PolicyServer
100452 | Password Change Failure - Internal Error | Full Disk Encryption, File Encryption, PolicyServer
101003 | Successfully changed Fixed Password. | Full Disk Encryption, File Encryption, PolicyServer


PIN Change Alerts

MESSAGE ID | DESCRIPTION | APPLICATIONS
100438 | Unable to change PIN. The PINs do not match. | Full Disk Encryption, File Encryption, PolicyServer
100440 | Unable to change PIN. One of the fields are empty. | Full Disk Encryption, File Encryption, PolicyServer
100453 | Unable to change PIN. The PINs do not match. | Full Disk Encryption, File Encryption, PolicyServer
100454 | Unable to change PIN. The new PIN cannot be the same as the old PIN. | Full Disk Encryption, File Encryption, PolicyServer
100455 | Unable to change PIN. The new PIN does not meet the minimum length requirements defined by PolicyServer. | Full Disk Encryption, File Encryption, PolicyServer
100456 | Unable to change PIN. The PIN cannot contain the user name. | Full Disk Encryption, File Encryption, PolicyServer
100457 | Unable to change PIN. The new PIN must be different than any previous PIN used. | Full Disk Encryption, File Encryption, PolicyServer
100458 | PIN Change Failure - Internal Error | Full Disk Encryption, File Encryption, PolicyServer


Smart Card Alerts

MESSAGE ID | DESCRIPTION | APPLICATIONS
104002 | Registered SmartCard. | Full Disk Encryption, File Encryption, PolicyServer
104004 | Unable to register Smart Card. Check that the card is seated properly and that the Smart Card PIN is valid. | Full Disk Encryption, File Encryption, PolicyServer
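As an added example (not code from the guide or from the product), the following Python script triages a log extract using the message IDs listed in the Appendix B tables: policy and audit-log integrity failures and device kill/lock actions are flagged on sight, lockouts are reported once, and failed logins are reported when one user accumulates a burst of them inside a sliding time window. The record layout "<timestamp> <message id> user=... device=..." is an assumption, since the guide does not describe an export format, and the sample records are constructed.

```python
"""Triage of PolicyServer message IDs from Appendix B.

Added example; it is not part of the Trend Micro guide or product. The message
IDs and descriptions are the ones listed in the Appendix B tables. The record
layout parsed below is an assumption (the guide describes no export format), so
the sample records at the bottom are constructed for illustration only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy/audit integrity failures (Administrator, Login/Logout and Audit Log Alerts).
INTEGRITY_IDS = {
    100052: "Policy Value Integrity Check Failed",
    100053: "Policy request aborted due to failed policy integrity check.",
    100054: "File request aborted due to failed policy integrity check.",
    100061: "Access request aborted due to failed policy integrity check.",
    103102: "Audit Log Record Integrity Compromised",
}
# Lockouts (Administrator, Login/Logout and Password Alerts).
LOCKOUT_IDS = {
    100018: "Password Attempts Exceeded",
    100049: "Admin User locked due to too many failed logins.",
    100050: "Fixed Password login blocked due to lockout.",
}
# Remote device actions (Device and OTA Alerts).
DEVICE_ACTION_IDS = {
    200407: "Device Kill Issued",
    200408: "Device Lock Issued",
    100043: "OTA Device Killed",
}
# Failed authentication of any method (Login/Logout and Administrator Alerts).
FAILED_LOGIN_IDS = {100013, 100021, 100022, 100023, 100024, 100036, 100056, 100058}


def parse_line(line):
    """Parse one assumed-format record: '<ISO timestamp> <message id> key=value ...'."""
    ts, mid, *pairs = line.split()
    rec = {"time": datetime.fromisoformat(ts), "id": int(mid)}
    rec.update(pair.split("=", 1) for pair in pairs)
    return rec


def triage(lines, window_seconds=300, threshold=5):
    """Return a list of (severity, message) findings for the given records.

    Integrity failures and device kill/lock actions are reported on sight, a
    lockout is reported once, and failed logins are reported when a single user
    reaches `threshold` failures inside a sliding window of `window_seconds`.
    """
    window = timedelta(seconds=window_seconds)
    findings = []
    recent = defaultdict(deque)  # user -> timestamps of recent failed logins
    for rec in map(parse_line, lines):
        mid, user, device = rec["id"], rec.get("user", "?"), rec.get("device", "?")
        if mid in INTEGRITY_IDS:
            findings.append(("high", f"{mid} {INTEGRITY_IDS[mid]} (device {device})"))
        elif mid in DEVICE_ACTION_IDS:
            findings.append(("high", f"{mid} {DEVICE_ACTION_IDS[mid]} (device {device})"))
        elif mid in LOCKOUT_IDS:
            findings.append(("medium", f"{mid} {LOCKOUT_IDS[mid]} (user {user})"))
        elif mid in FAILED_LOGIN_IDS:
            q = recent[user]
            q.append(rec["time"])
            while rec["time"] - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) == threshold:  # fire once per burst, not again on every later failure
                findings.append(("medium", f"{threshold} failed logins for {user} "
                                           f"within {window_seconds} s"))
    return findings


# Constructed sample records (assumed layout, not real product output).
SAMPLE_LINES = [
    "2016-03-01T10:00:00 100013 user=alice device=LAPTOP01",
    "2016-03-01T10:00:20 100013 user=alice device=LAPTOP01",
    "2016-03-01T10:00:40 100022 user=alice device=LAPTOP01",
    "2016-03-01T10:01:00 100013 user=alice device=LAPTOP01",
    "2016-03-01T10:01:20 100013 user=alice device=LAPTOP01",
    "2016-03-01T10:01:40 100013 user=alice device=LAPTOP01",
    "2016-03-01T10:02:00 100050 user=alice device=LAPTOP01",
    "2016-03-01T10:05:00 100014 user=bob device=LAPTOP02",
    "2016-03-01T10:06:00 103102 user=bob device=LAPTOP02",
    "2016-03-01T10:07:00 200407 user=admin device=LAPTOP03",
]

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LINES):
        print(f"[{severity}] {message}")
```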

Appendix C

Endpoint Encryption Services

The following table describes all Endpoint Encryption services. Use it to understand which services control which Endpoint Encryption agent or feature and to troubleshoot a problem.


TABLE C-1. Endpoint Encryption Services

PLATFORM | SERVICE OR DAEMON NAME | DISPLAY NAME | DESCRIPTION | FILE NAME
PolicyServer | PolicyServerWindowsService | PolicyServerWindowsService | Manages communication between Endpoint Encryption services and databases. | PolicyServerWindowService.exe
PolicyServer | TMEEService | Endpoint Encryption Service | Manages Endpoint Encryption agent 5.0 (and above) communication in an encrypted channel (RESTful). | TMEEService.exe
PolicyServer | IIS/MAWebService2 | Legacy Web Service | Manages Endpoint Encryption agent 3.1.3 (and older) communication in an encrypted channel (SOAP). | N/A
PolicyServer | TMEEForward | TMEEForward | Forwards traffic from Endpoint Encryption 5.0 Patch 4 agents to PolicyServer. | TMEEForward.exe
PolicyServer | TMEEProxyWindowsService | PolicyServerLDAProxyWindowsService | Provides secure communications from Trend Micro PolicyServer to remote LDAP servers | LDAProxyWindowsServices.exe
Full Disk Encryption | DrAService | Trend Micro Full Disk Encryption | Provides Trend Micro endpoint security and full disk encryption. | DrAService.exe
Encryption Management for Microsoft BitLocker | FDE_MB | Trend Micro Full Disk Encryption, Encryption Management for Microsoft BitLocker | Provides data security for endpoints using Microsoft BitLocker. | FDEforBitLocker.exe
Encryption Management for Apple FileVault | Daemon: TMFDEMM; Agent: Trend Micro Full Disk Encryption | Trend Micro Full Disk Encryption, Encryption Management for Apple FileVault | Provides endpoint security for endpoints using Apple FileVault. |
File Encryption | FileEncryptionService | Trend Micro File Encryption | Provides Trend Micro endpoint security and data protection for files, folders, and removable media devices. | FEService.exe

Appendix D

Policy Mapping Between Management Consoles

Administrators may manage Endpoint Encryption using only PolicyServer MMC or manage Endpoint Encryption using Control Manager for policy, user and device management and PolicyServer MMC for advanced log management and reporting.

The following tables explain how policies are mapped between PolicyServer MMC and Control Manager. For environments using Control Manager to manage PolicyServer, use PolicyServer MMC to control any policy not listed in the table.

TABLE D-1. Full Disk Encryption Policy Mapping

CONTROL MANAGER LABEL | POLICYSERVER MMC PATH

Encryption
Encrypt endpoint | Full Disk Encryption > Encryption > Encrypt Device

Client Settings
Bypass Full Disk Encryption preboot | Full Disk Encryption > Login > Preboot Bypass
Users are allowed to access system recovery tools on the device | Full Disk Encryption > Agent > Allow User Recovery

Notifications
If the endpoint is found, display the following message | Full Disk Encryption > Login > If Found
Display Technical Support contact information | Full Disk Encryption > Login > Support Info
Show legal notice | Full Disk Encryption > Login > Legal Notice
Show legal notice > Installation; Show legal notice > Startup | Full Disk Encryption > Login > Legal Notice > Legal Notice > Legal Notice Display Time
Show legal notice | Full Disk Encryption > Login > Legal Notice > Legal Notice > Legal Notice Text

TABLE D-2. File Encryption Policy Mapping

| CONTROL MANAGER SECTION | CONTROL MANAGER LABEL | POLICYSERVER MMC PATH |
|---|---|---|
| Folders to Encrypt | Folders to Encrypt text box | File Encryption > Encryption > Specify Folders to Encrypt |
| Encryption Key Used | Encryption Key Used | File Encryption > Encryption > Encryption Key Used |
| Storage Devices | Disable optical drives | File Encryption > Encryption > Disable Optical Drive |
| Storage Devices | Disable USB drives | File Encryption > Encryption > Removable Media > Disable USB Drive |
| Storage Devices | Encrypt all files and folders on USB drives | File Encryption > Encryption > Removable Media > Fully Encrypt Device |
| Storage Devices | Specify the file path to encrypt on USB devices | File Encryption > Encryption > Removable Media > Folders to Encrypt On Removable Media |
| Notifications | Show legal notice | File Encryption > Login > Legal Notice |
| Notifications | Show legal notice > Installation; Show legal notice > Startup | File Encryption > Login > Legal Notice > Legal Notice Display Time |
| Notifications | Show legal notice text box | File Encryption > Login > Legal Notice > Legal Notice Text |

TABLE D-3. Common Policy Mapping

| CONTROL MANAGER SECTION | CONTROL MANAGER LABEL | POLICYSERVER MMC PATH |
|---|---|---|
| Allow User to Uninstall | Allow non-administrator accounts to uninstall agent software | Full Disk Encryption > Agent > Allow User to Uninstall; File Encryption > Agent > Allow User to Uninstall |
| Lockout and Lock Device Actions | Lock account after <number> days | Full Disk Encryption > Login > Account Lockout Period |
| Lockout and Lock Device Actions | Account lockout action | Full Disk Encryption > Login > Account Lockout Action |
| Lockout and Lock Device Actions | Failed logon attempts allowed | Full Disk Encryption > Login > Failed Login Attempts Allowed |
| Lockout and Lock Device Actions | Full Disk Encryption: Device locked action | Full Disk Encryption > Login > Device Locked Action |
| Lockout and Lock Device Actions | Full Disk Encryption: Number of minutes to lock device | Full Disk Encryption > Login > Lock Device Time Delay |
| Lockout and Lock Device Actions | File Encryption: Device locked action | File Encryption > Login > Device Locked Action |
| Lockout and Lock Device Actions | File Encryption: Number of minutes to lock device | File Encryption > Login > Lock Device Time Delay |
| Password | User must change password after <number> days | Common > Authentication > Local Login > User Password > Change Password Every |
| Password | User cannot reuse the previous <number> passwords | Common > Authentication > Local Login > User Password > Password History Retention |
| Password | Number of consecutive characters allowed in a password | Common > Authentication > Local Login > User Password > Consecutive Characters Allowed |
| Password | Minimum length allowed for passwords | Common > Authentication > Local Login > User Password > Minimum Length |
| Password Character Requirements | Letters | Common > Authentication > Local Login > User Password > Require How Many Characters |
| Password Character Requirements | Lowercase characters | Common > Authentication > Local Login > User Password > Require How Many Lower Case Characters |
| Password Character Requirements | Uppercase characters | Common > Authentication > Local Login > User Password > Require How Many Upper Case Characters |
| Password Character Requirements | Numbers | Common > Authentication > Local Login > User Password > Require How Many Numbers |
| Password Character Requirements | Symbols | Common > Authentication > Local Login > User Password > Require How Many Special Characters |

TABLE D-4. Remote Help Policy Locations

| POLICY NAME | POLICYSERVER MMC MENU PATH | CONTROL MANAGER MENU PATH |
|---|---|---|
| Account Lockout Action | Login > Account Lockout Action | Common > Lockout and Lock Device Actions > Account Lockout Action |
| Account Lockout Period | Login > Account Lockout Period | Common > Lockout and Lock Device Actions > Lock account after [ ] days |
| Device Locked Action | For each agent: Login > Device Locked Action | For each agent: Common > Lockout and Lock Device Actions > Device locked action |
| Failed Login Attempts Allowed | For each agent: Login > Failed Login Attempts Allowed | For each agent: Common > Lockout and Lock Device Actions > Failed logon attempts allowed |


Appendix E

Glossary

The following table explains the terminology used throughout the Endpoint Encryption documentation.

TABLE E-1. Endpoint Encryption Terminology

| TERM | DESCRIPTION |
|---|---|
| Agent | Software installed on an endpoint that communicates with a management server. |
| Authentication | The process of identifying a user. |
| ColorCode™ | The authentication method requiring a color-sequence password. |
| Command Builder | A Trend Micro tool that generates scripts used to install PolicyServer and Endpoint Encryption agents for automatic or mass deployments. |
| Command Line Helper | A Trend Micro tool for creating encrypted values that secure the credentials used by Endpoint Encryption agent installation scripts. |
| Control Manager | Trend Micro Control Manager is a central management console that manages Trend Micro products and services at the gateway, mail server, file server, and corporate desktop levels. |
| Device | Any computer, laptop, or removable media (external drive, USB drive) managed by Endpoint Encryption. |
| Domain authentication | The authentication method for single sign-on (SSO) using Active Directory. |
| DriveTrust™ | Hardware-based encryption technology by Seagate™. |
| Encryption Management for Microsoft BitLocker | The Endpoint Encryption Full Disk Encryption agent for Microsoft Windows environments that simply need to enable Microsoft BitLocker on the hosting endpoint. Use the Encryption Management for Microsoft BitLocker agent to secure endpoints with Trend Micro full disk encryption protection in an existing Windows infrastructure. |
| Encryption Management for Apple FileVault | The Endpoint Encryption Full Disk Encryption agent for Mac OS environments that simply need to enable Apple FileVault on the hosting endpoint. Use the Encryption Management for Apple FileVault agent to secure endpoints with Trend Micro full disk encryption protection in an existing Mac OS infrastructure. |
| Endpoint Encryption Service | The PolicyServer service that securely manages all Endpoint Encryption 5.0 Patch 4 agent communication. For Endpoint Encryption 3.1.3 and below agent communication, see Legacy Web Service. |
| Enterprise | The Endpoint Encryption Enterprise is the unique identifier for the organization in the PolicyServer database, configured during PolicyServer installation. One PolicyServer database may have multiple Enterprise configurations. However, Endpoint Encryption configurations using Control Manager may only have one Enterprise. |
| File Encryption | The Endpoint Encryption agent for file and folder encryption on local drives and removable media. Use File Encryption to protect files and folders located on virtually any device that appears as a drive within the host operating system. |
| Fixed password | The authentication method using a standard user password consisting of letters and/or numbers and/or special characters. |
| Full Disk Encryption | The Endpoint Encryption agent for hardware and software encryption with preboot authentication. Full Disk Encryption secures data files, applications, registry settings, temporary files, swap files, print spoolers, and deleted files on any Windows endpoint. Strong preboot authentication restricts access to the device until the user is validated. |
| Legacy Web Service | The PolicyServer service that securely manages all Endpoint Encryption 3.1.3 and below agent communication. For details, see About PolicyServer on page 2-12. For Endpoint Encryption 5.0 Patch 4 communication, see Endpoint Encryption Service. |
| OfficeScan | OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks. An integrated solution, OfficeScan consists of an agent that resides at the endpoint and a server program that manages all agents. |
| OPAL | Trusted Computing Group's Security Subsystem Class for client devices. |
| Password | Any type of authentication data used in combination with a user name, such as fixed, PIN, and ColorCode. |
| PIN | The authentication method using a Personal Identification Number, commonly used for ATM transactions. |
| PolicyServer | The central management server that deploys encryption and authentication policies to the Endpoint Encryption agents. |
| Remote Help | The authentication method for helping Endpoint Encryption users who forget their credentials, or Endpoint Encryption devices that have not synchronized policies within a predetermined amount of time. |
| Recovery Console | The Full Disk Encryption interface used to recover Endpoint Encryption devices in the event of primary operating system failure, troubleshoot network issues, and manage users, policies, and logs. |
| Recovery Tool | A bootable disk used to repair a device if the device is unable to boot. The Recovery Tool is distributed as an ISO file in the Full Disk Encryption installation package. |
| SED | A self-encrypting drive. SEDs provide "hardware-based encryption", as opposed to the type of encryption that Full Disk Encryption provides, which is referred to as "software-based encryption". |
| Self Help | The authentication method that lets Endpoint Encryption users answer security questions instead of contacting Technical Support for password assistance. |
| Smart card | The authentication method requiring a physical card in conjunction with a PIN or fixed password. |


Index

A
about
  authentication, 5-2
  Encryption Management for Microsoft BitLocker, 8-4
  Endpoint Encryption Service, 2-12
  Legacy Web Service, 2-12
  PolicyServer, 2-12, 3-1
  widgets, 4-5
Accessibility
  on-screen keyboard, 6-9
Active Directory, 2-18, 3-21
  configuration, 3-22
  import users, 3-24, 4-12
  overview, 3-21
agents, 2-16
appendices, 1
authentication, 2-3, 2-17
  about, 5-2
  change method, 6-10
  changing password, 7-12
  ColorCode, 2-17, 2-18, 6-12, 6-13
  domain, 2-18
  domain authentication, 2-17
  File Encryption, 7-2, 7-14
  fixed password, 2-17, 2-19
  Full Disk Encryption, 6-5
  LDAP, 2-18
  PIN, 2-19
  prerequisites, 2-18
  remote help, 6-15
  Remote Help, 2-17, 2-19, 6-15
  security options, 7-16
  Self Help, 2-17, 2-20, 6-17, 6-18
    answers, 6-19
  setup requirements, 2-18
  single sign-on, 7-15
  smart card, 2-20, 6-16
authentication methods, 2-17

C
central management, 2-3
changing passwords, 6-11
ColorCode, 2-18, 6-12
Command Line Helper, 6-3, 6-21, 6-22
Command Line Helper Installer, 6-3
Computer
  Network Information, 6-9
configuring proxy settings
  managed server list, 3-19
contacting, 11-5
  documentation feedback, 11-5
Control Manager, 3-14
  agent, 3-15
  mail server, 3-14
  MCP, 3-15
  policies, 5-1
  report server, 3-14
  SQL database, 3-14
  Trend Micro Management Infrastructure, 3-15
  web-based management console, 3-15
  web server, 3-14
  widget framework, 3-16
Control Manager integration, 2-13

D
DAAutoLogin, 6-3, 6-21
dashboard, 4-1
data protection, 2-1
data recovery, 9-18
Decrypt Disk, 9-6
decryption
  Recovery Console, 9-6
deleting
  tabs, 4-4
demilitarized zone, 6-20
device, 2-3
devices
  Endpoint Encryption Devices widget, 4-15
  lock, 5-22
Diagnostic Monitor, A-2
documentation feedback, 11-5
domain authentication, 2-18
  File Encryption, 7-15
draft policies, 5-9

E
encryption
  features, 2-3
  file and folder, 7-1
  file encryption, 7-1
  full disk, 6-1
  hardware-based, 6-1
  software-based, 6-1
Encryption Management for Apple FileVault
  about, 8-9
  supported operating systems, 3-11
  system requirements, 3-11
Encryption Management for Microsoft BitLocker
  about, 8-4
  supported operating systems, 3-10
  system requirements, 3-10
Endpoint Encryption, 2-1
  tools, 6-3
enhancements, 2-4
error messages
  authentication, 7-16

F
File Encryption, 7-1
  authentication, 7-14
    domain, 7-15
    first-time, 7-2
  changing password, 7-12
  first-time use, 7-2
  PolicyServer sync, 6-4, 7-10
  Remote Help, 7-13
  reset password, 7-10, 7-16
  secure delete, 7-10
  single sign-on, 7-15
  system requirements, 3-9
  tray icon
    about, 7-10
  unlock device, 7-13
filtered policies, 5-9
fixed password, 2-19
Full Disk Encryption, 6-1
  authentication, 2-20, 6-17
    changing password, 6-11
  connectivity, 6-20
  context menu, 6-4
  Decrypt Disk, 9-6
  menu options, 6-6
  Network, 9-12
  network configuration, 9-12
  network troubleshooting, 9-15
  patching, 6-23
  PolicyServer settings, 6-20
  port settings, 6-20
  Recovery Console, 9-5
    manage policies, 9-11
    manage users, 9-9
    Windows, 9-6
  recovery methods, 9-2
  Recovery Tool, 9-16
  Remote Help, 6-15
  Self Help, 6-18
  synchronize policies, 6-21
  system requirements, 3-8, 3-9
  TCP/IP access, 6-20
  tools, 6-3
  tray icon
    about, 6-4
  uninstall, 9-2
  Windows patches, 6-21
Full Disk Encryption Preboot, 6-5
  authentication, 6-10
  keyboard layout, 6-10
  menu options, 6-6
  network connectivity, 6-6
  Network Information, 6-9
  on-screen keyboard, 6-9
  wireless connection, 6-6

H
hardware based encryption, 3-8–3-11

K
key features, 2-3

L
LDAP, 2-18
logs, 9-12

M
managed server list
  configuring proxy settings, 3-19
management consoles, 2-13
MBR
  replacing, 9-9
MCP, 3-15
modifying
  tabs, 4-4

N
network
  troubleshooting, 9-15
network information, 6-9
Network Setup, 9-12

O
on-screen keyboard, 6-9
OPAL, 3-8–3-10

P
passwords, 2-3
  Remote Help, 9-22
pending targets, 5-7
Personal Identification Number (PIN), 2-19
PIN, 2-17
policies, 2-3, 5-1
  allow user recovery, 9-5
  common, 5-19
  File Encryption, 5-17
  Full Disk Encryption, 5-15, 6-21
  policy mapping, D-1
  synchronization, 6-1
  synchronizing, 6-21
  user, 5-13
policy list, 5-5
policy management, 5-7
  draft policies, 5-9
  filtered policies, 5-9
  pending targets, 5-7
  policy list, 5-5
  policy priority, 5-6, 5-9
  specified policies, 5-9
  targets, 5-6
  understanding, 5-7
policy mapping
  Control Manager, D-1
  PolicyServer, D-1
policy priority, 5-6
PolicyServer
  AD synchronization, 3-21
  getting started, 3-1
  Remote Help, 9-22
  requirements
    accounts, 3-7
    files, 3-6
    SQL, 3-2
  setup files, 3-6
  software requirements, 3-5, 3-6
  SQL accounts, 3-7
  SQL requirements, 3-2
  system requirements
    hardware, 3-2
PolicyServer Change Settings Tool, A-6
PolicyServer MMC, 2-15
policy targets, 5-6
policy types
  draft, 5-9
  filtered, 5-9
  policy priority, 5-6
  specified, 5-9
product definitions, E-1
proxy settings
  managed server list, 3-19

R
recovery console
  logon, 9-6
Recovery Console, 9-3
  access, 9-5
    Windows, 9-6
  Decrypt Disk, 9-6
  functions, 9-3
  log on, 9-5
  manage policies, 9-11
  manage users, 9-9
  Mount Partitions, 9-8
  Network, 9-12
  network configuration, 9-12
  network troubleshooting, 9-15
  recovery methods, 9-2
  Restore Boot, 9-9
  users
    add, 9-11
    delete, 9-11
    edit, 9-10
  view logs, 9-12
  Wi-Fi, 9-13
recovery methods, 9-2
Recovery Tool, 9-16
  repair, 9-18
  scan, 9-18
Remote Help, 2-19, 6-15, 7-16, 9-22
Repair CD, 6-3, 9-2, 9-16
reporting, 2-1, 2-3
Restore Boot, 9-9

S
Seagate DriveTrust drives, 3-8–3-10
security
  account lock, 2-19, 6-15
  account lockout action, 2-19, 6-15
  account lockout period, 2-19, 6-15
  device lock, 2-19, 6-15
  erase device, 7-16
  failed login attempts allowed, 2-19, 6-15
  remote authentication required, 7-16
  time delay, 7-16
Self Help, 2-20, 6-17
  answers, 6-19
  defining answers, 6-18
smart card, 2-20, 6-16
smart cards, 2-20, 6-16
specified policies, 5-9
  priority, 5-9
SSO, 2-18
summary dashboard
  adding tabs, 4-3
  deleting tabs, 4-4
  modifying tabs, 4-4
  tabs, 4-3
system requirements
  Encryption Management for Apple FileVault, 3-11
  Encryption Management for Microsoft BitLocker, 3-10
  File Encryption, 3-9
  Full Disk Encryption, 3-8, 3-9
  PolicyServer, 3-2, 3-5, 3-6
  PolicyServer MMC, 3-7

T
tabs
  about, 4-3
  deleting, 4-4
  modifying, 4-4
  summary dashboard, 4-3
targets, 5-6
  pending, 5-7
terminology, E-1
tokens, 6-17
tools
  Command Line Helper, 6-21
  DAAutoLogin, 6-21
  Recovery, 9-16

U
users, 5-3
  import from AD, 3-24, 4-12
  lockout, 5-22

V
VMware Virtual Infrastructure, 3-2

W
what's new, 2-4
widgets
  adding, 4-6
  adding tabs, 4-3
  configuring, 4-7
  Endpoint Encryption Device Lockout, 4-27
  Endpoint Encryption Security Violations Report, 4-29
  Endpoint Encryption Status, 4-20
  Endpoint Encryption Unsuccessful Device Logon, 4-22
  Endpoint Encryption Unsuccessful User Logon, 4-25
  options, 4-7
  understanding, 4-5
Wi-Fi, 6-6, 9-13
Windows patch management, 6-21
