
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:

Trend Micro, the Trend Micro t-ball logo, OfficeScan, and Control Manager are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright Trend Micro Incorporated. All rights reserved.

Document Part No.: APEM68335/
Release Date: August 2018
Protected by U.S. Patent No.: Patents pending.

This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product. Detailed information about how to use specific features within the product may be available in the Trend Micro Online Help and/or the Trend Micro Knowledge Base at the Trend Micro website.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at docs@trendmicro.com. Evaluate this documentation on the following site:

Privacy and Personal Data Collection Disclosure

Certain features available in Trend Micro products collect and send feedback regarding product usage and detection information to Trend Micro. Some of this data is considered personal in certain jurisdictions and under certain regulations. If you do not want Trend Micro to collect personal data, you must ensure that you disable the related features. The following link outlines the types of data that Endpoint Encryption collects and provides detailed instructions on how to disable the specific features that feed back the information. Data collected by Trend Micro is subject to the conditions stated in the Trend Micro Privacy Policy:

Table of Contents

Chapter 1: Introduction

Chapter 2: About Trend Micro Endpoint Encryption
  Features and Benefits
  What's New
  About PolicyServer
  Management Consoles
  Trend Micro Control Manager
  About PolicyServer MMC
  Endpoint Encryption Agents
  Authentication Methods
  ColorCode
  Domain Authentication
  Fixed Password
  PIN
  Remote Help
  Self Help
  Smart Card

Chapter 3: Getting Started
  System Requirements
  PolicyServer System Requirements
  PolicyServer MMC System Requirements
  Full Disk Encryption System Requirements
  File Encryption System Requirements
  Encryption Management for Microsoft BitLocker System Requirements
  Encryption Management for Apple FileVault System Requirements
  Setting Up Control Manager
  Control Manager Architecture
  Adding PolicyServer as a Managed Product to Control Manager ... 3-20
  Configuring Directory Management for PolicyServer
  Configuring Proxy Settings
  Active Directory Synchronization
  Active Directory Overview
  Configuring Active Directory
  Importing Active Directory Users
  Managing Password Setting Objects from Active Directory

Chapter 4: Dashboard
  Tabs
  Default Tabs
  Adding a New Tab
  Modifying Tab Settings
  Deleting a Tab
  Widgets
  Adding Widgets to a Tab
  Widget Options
  Endpoint Encryption Users
  User Settings Options
  Add New User Options
  Policy Membership
  Importing Users from a CSV File
  Importing Active Directory Users
  Endpoint Encryption Devices
  Device Actions
  Device Attributes
  Full Disk Encryption Status
  Full Disk Encryption Status Report
  Endpoint Encryption Unsuccessful Device Logon
  Unsuccessful Device Logon Report
  Endpoint Encryption Unsuccessful User Logon
  Unsuccessful User Logon Report
  Endpoint Encryption Device Lockout
  Device Lockout Report
  Endpoint Encryption Security Violations Report
  Consecutive Unsuccessful Device Logon Report
  Policy Tampering Report
  Log Integrity Report

Chapter 5: Policies
  Authentication Overview
  Devices
  Users
  Groups
  Policies in Control Manager
  Policy Options
  Policy Types
  Creating a Policy
  Specifying Policy Targets
  Configuring Endpoint Encryption Users Rules
  Configuring Full Disk Encryption Rules
  Configuring File Encryption Rules
  Configuring Common Policy Rules
  Lockout Actions
  Migrating Groups to Control Manager

Chapter 6: Full Disk Encryption
  Full Disk Encryption Tools
  Full Disk Encryption Context Menu
  Full Disk Encryption Preboot
  Menu Options
  Network Connectivity
  Network Information
  On-Screen Keyboard
  Changing the Keyboard Layout
  Changing Authentication Methods
  Changing Passwords
  Remote Help
  Smart Card
  Self Help
  Skipping the Preboot Screen
  Full Disk Encryption Policy Synchronization
  Full Disk Encryption Connectivity Requirements
  Manually Updating Full Disk Encryption Agents
  Moving Full Disk Encryption Disks
  Patch Management with Full Disk Encryption
  Using the Command Line Helper
  Patching Process for Full Disk Encryption

Chapter 7: File Encryption
  Registering File Encryption
  File Encryption Actions
  Encrypting a File or Folder
  Using File Encryption Secure Delete
  File Encryption Context Menu
  Changing Password in File Encryption
  Using Remote Help to Unlock a File Encryption Device
  File Encryption Authentication
  Domain Authentication Requirements
  Forced Password Reset
  Endpoint Encryption Device Policy Rules
  Policy Synchronization

Chapter 8: Encryption Management for Third-Party Products
  About Encryption Management Agents
  Encryption Management Agent Policy Limitations
  Encryption Management for Microsoft BitLocker
  Viewing Encryption Status
  Understanding Encryption Status
  Understanding Agent Information
  Synchronizing Policies with PolicyServer
  Updating PolicyServer Settings
  Encryption Management for Apple FileVault
  Viewing Encryption Status
  Understanding Encryption Status
  Understanding Agent Information
  Synchronizing Policies with PolicyServer
  Updating PolicyServer Settings
  Creating a Mobile Account for Active Directory on Mac OS
  Troubleshooting Password and Encryption Issues

Chapter 9: Recovery
  Preboot Errors after Installation
  Full Disk Encryption Recovery Methods
  Recovery Console
  Recovery Console Options
  Accessing the Recovery Console from Full Disk Encryption Preboot
  Accessing Recovery Console from Windows
  Manage Disks Options
  Encrypt Disks
  Decrypt Disks
  Mount Partitions
  Restore Boot
  Manage Full Disk Encryption Users
  Manage Policies
  View Logs
  Network
  Recovery Tool
  Preparing the Recovery Tool
  Scanning and Repairing a Disk
  Using Extensive Repair
  Recovery Tool Options
  Advanced Functions
  Remote Help Assistance

Chapter 10: Resolved and Known Issues
  Resolved Issues
  Resolved Issues in Endpoint Encryption
  Resolved Issues in Endpoint Encryption 6.0 Update
  Known Issues
  PolicyServer MMC Issues
  Control Manager Integration Issues
  Endpoint Encryption Deployment Tool Plug-in Issues
  Full Disk Encryption Issues
  File Encryption Issues
  Encryption Management for Microsoft BitLocker Issues
  Encryption Management for Apple FileVault Issues

Chapter 11: Technical Support
  Troubleshooting Resources
  Using the Support Portal
  Threat Encyclopedia
  Contacting Trend Micro
  Speeding Up the Support Call
  Sending Suspicious Content to Trend Micro
  Reputation Services
  File Reputation Services
  Web Reputation Services
  Other Resources
  Download Center
  Documentation Feedback

Appendices

Appendix A: Maintenance Tools
  Using the Diagnostics Monitor ... A-2
  Using the Log Server Tool ... A-5
  Using the PolicyServer Change Settings Tool ... A-6

Appendix B: PolicyServer Message IDs
  Administrator Alerts ... B-2
  Audit Log Alerts ... B-6
  Certificate Alerts ... B-7
  Device Alerts ... B-8
  Error Alerts ... B-10
  Full Disk Encryption Activity Alerts ... B-10
  Installation Alerts ... B-13
  Login / Logout Alerts ... B-13
  Mobile Device Alerts ... B-17
  OCSP Alerts ... B-18
  OTA Alerts ... B-19
  Password Alerts ... B-19
  PIN Change Alerts ... B-22
  Smart Card Alerts ... B-23

Appendix C: Endpoint Encryption Services

Appendix D: Policy Mapping Between Management Consoles

Appendix E: Glossary

Index
  Index ... IN-1

Chapter 1: Introduction

This guide is intended to help security administrators and IT administrators manage Endpoint Encryption users, devices, policies, logs, and reports using the PolicyServer Microsoft Management Console (MMC). This documentation assumes general knowledge about encryption methods, device formatting and partitioning, and client-server architecture.

This help is a supplementary guide for administrators who require advanced policy setup. For general Endpoint Encryption management and help using Trend Micro Control Manager, see the Endpoint Encryption Administrator's Guide.

Chapter 2: About Trend Micro Endpoint Encryption

Trend Micro Endpoint Encryption ensures privacy by encrypting data stored on endpoints, files and folders, and removable media in a variety of platform options. Endpoint Encryption provides granular policy controls and flexibly integrates with other Trend Micro management tools, including Control Manager and OfficeScan. Innovative deployment capabilities help you easily deploy agent software using FIPS-compliant hardware-based or software-based encryption that is fully transparent to end users, without disrupting productivity. Once deployed, automated reporting, auditing, and policy synchronization with Endpoint Encryption PolicyServer simplifies endpoint security management.

Endpoint Encryption has capabilities to deploy remote commands, recover lost data, and protect user identity while maintaining real-time policy synchronization. In the event that an endpoint is lost or stolen, remotely initiate a reset or kill command to immediately protect corporate information. Many recovery tools are also available to help end users rescue data from a corrupted hard disk. Assimilating into existing corporate identity controls, Endpoint Encryption has a variety of authentication methods, including Active Directory integration and resources for end users who have forgotten their credentials.

Topics include:
  Features and Benefits on page 2-3
  What's New on page 2-4
  About PolicyServer on page 2-8
  Management Consoles on page 2-9
  Endpoint Encryption Agents on page 2-11
  Authentication Methods on page 2-13

Features and Benefits

The following table explains Endpoint Encryption key features and benefits.

Table 2-1. Endpoint Encryption Key Features

Encryption
  - Protection for the full disk, including the master boot record (MBR), operating system, and all system files
  - Hardware-based and software-based encryption for mixed environments
  - Comprehensive data protection of files, folders, and removable media

Authentication
  - Flexible authentication methods, including both single and multi-factor
  - Control password strength and regularity for password changes
  - Policy updates before authentication and system boot
  - Configurable actions on failed password attempt threshold

Device management
  - Policies to protect data on endpoints and removable media
  - Ability to remotely lock, reset, wipe, or kill a device

Central administration
  - Flexibly use either PolicyServer MMC or Control Manager to manage PolicyServer
  - Deploy Endpoint Encryption agents to endpoints already managed by OfficeScan
  - Enforce security policies to individual users and policy groups from a single policy server
  - Instantly protect end user data by sending lock or erase commands to lost or stolen Endpoint Encryption devices
  - Automate policy enforcement with remediation of security events
  - Update security policies in real time, before authentication, to revoke user credentials before booting the operating system

Record keeping, reports, and auditing
  - Advanced real-time reporting and auditing to ensure security compliance
  - Analyze usage statistics with scheduled reports and alert notifications

What's New

Trend Micro Endpoint Encryption 6.0 Patch 1 offers the following new features and enhancements.

Table 2-2. What's New in Endpoint Encryption 6.0 Patch 1

Option to update PolicyServer setting in agents after installation
  For endpoints that have Encryption Management for Microsoft BitLocker and Encryption Management for Apple FileVault installed, Endpoint Encryption adds the option to update the PolicyServer settings in agents, even after installation.

AES encryption key size used by Microsoft BitLocker
  For easier deployment, Endpoint Encryption adds the option to configure the Microsoft BitLocker AES encryption key size based on the Full Disk Encryption policy setting.

Full Disk Encryption enhancements
  Endpoint Encryption adds the following enhancements:
  - Support for Intel and Toshiba self-encrypting drives
  - Remote retrieval of the encryption status of each disk from the device by directly querying the agent via system management software
  - To streamline the Windows update process, disks already encrypted by Full Disk Encryption can be configured to repeatedly skip the Full Disk Encryption Preboot

File Encryption support for new authentication types
  For File Encryption, Endpoint Encryption adds support for the following authentication types:
  - User Principal Name (UPN) and domain password
  - Single Sign On by UPN format

Logon user information
  Endpoint Encryption updates the PolicyServer MMC and Control Manager widgets to show logon user information for Endpoint Encryption agents.

Table 2-3. What's New in Endpoint Encryption 6.0

Support for UEFI firmware
  Endpoint Encryption now supports booting on endpoints with UEFI firmware.

Improved drive performance using AES-XTS encryption mode
  For new installations, Endpoint Encryption uses the AES-XTS method by default. However, existing agents upgraded to this version will retain the existing AES-CBC encryption mode. Moreover, Endpoint Encryption can manage endpoints where both AES-XTS and AES-CBC encryption modes are used.

Support for systems with more than one physical drive
  Endpoint Encryption encrypts all fixed drives during installation. Additionally, users have the option of manually encrypting any fixed drives attached after installation.

Wi-Fi preboot policies
  Wi-Fi settings can be further customized via new policies available in PolicyServer. These policy settings allow or restrict access to the Wi-Fi settings during preboot.

Preboot screen customization
  PolicyServer now supports customization of the preboot screen.

Encryption of used disk space for Full Disk Encryption
  Full Disk Encryption will only encrypt the used disk space, resulting in a faster encryption process.

Safety check
  Endpoint Encryption runs a safety check after installation to verify that the installation was successfully completed. If successful, Endpoint Encryption loads the preboot screen and starts encrypting. However, if the installation was unsuccessful (or a forced shutdown is detected), Endpoint Encryption will not load the preboot screen.

Multiple Active Directory domain synchronization to PolicyServer
  Endpoint Encryption supports synchronization of multiple Active Directory domains to PolicyServer.

Installation enhancements for Encryption Management for Microsoft BitLocker
  Encryption Management for Microsoft BitLocker successfully installs even if Microsoft BitLocker is installed and enabled. In previous versions, the installer stops if Microsoft BitLocker is installed and enabled.

Support for multiple languages
  Supported languages for Full Disk Encryption, File Encryption, Encryption Management for Microsoft BitLocker, and Encryption Management for Apple FileVault: de (German), en (English), fr (French), es (Spanish), pl (Polish), it (Italian), cs (Czech)
  Supported languages for PolicyServer: de (German), en (English), fr (French), es (Spanish)
  Supported languages for the OfficeScan Plug-in Service (PLS) Add-on: de (German), en (English), fr (French), es (Spanish), pl (Polish, but will display English), it (Italian, but will display English)

About PolicyServer

Trend Micro PolicyServer manages encryption keys and synchronizes policies across all endpoints in the organization. PolicyServer also enforces secure authentication and provides real-time auditing and reporting tools to ensure regulatory compliance. You can flexibly manage PolicyServer with PolicyServer MMC or with Trend Micro Control Manager. Other data management features include user-based self-help options and device actions to remotely reset or kill a lost or stolen device.

The following table describes the PolicyServer components that you can deploy on one server or multiple servers, depending on environmental needs.

Table 2-4. PolicyServer Components

Enterprise
  The Endpoint Encryption Enterprise is the unique identifier for the organization in the PolicyServer database, configured during PolicyServer configuration. One PolicyServer database may have one Enterprise configuration.

Database
  The PolicyServer Microsoft SQL database securely stores all user, device, and log data. The database is either configured on a dedicated server or added to an existing SQL cluster. The log and other databases can reside separately.

PolicyServer Windows Service
  PolicyServer Windows Service manages all communication transactions between the host operating system, Endpoint Encryption Service, Legacy Web Service, Client Web Proxy, and SQL databases.

Endpoint Encryption Service
  Starting from Endpoint Encryption 5.0, all agents use Endpoint Encryption Service to communicate with PolicyServer. Endpoint Encryption Service uses a Representational State Transfer web API (RESTful) with an AES-GCM encryption algorithm. After a user authenticates, PolicyServer generates a token related to the specific policy configuration. Until the Endpoint Encryption user authenticates, the service denies all policy transactions.

Legacy Web Service
  All Endpoint Encryption and earlier agents use Simple Object Access Protocol (SOAP) to communicate with PolicyServer. Under certain situations, SOAP may allow insecure policy transactions without user authentication. Legacy Web Service filters SOAP calls by requiring authentication and limiting the commands that SOAP accepts. This service is optional, and can be installed on the same endpoint as the Endpoint Encryption Service using the Endpoint Encryption proxy installer.

Management Consoles

Flexibly manage Endpoint Encryption using only PolicyServer MMC, or manage Endpoint Encryption using Control Manager for policy, user, and device management and PolicyServer MMC for advanced log management and reporting.

The following illustration shows how to deploy Endpoint Encryption using Control Manager to manage PolicyServer. In a Control Manager deployment, administrators use Control Manager for all Endpoint Encryption policy, user, and device controls, and only use PolicyServer MMC for advanced Enterprise maintenance.
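The Endpoint Encryption Service entry above describes a design rule worth seeing in code: no policy transaction is served until the user has authenticated, and the token issued afterwards is tied to the specific policy configuration. The following is an added, hypothetical model of that rule, written for this guide; it is not Trend Micro's API, protocol, or token format. The class name PolicyService, the pipe-separated HMAC token, the PBKDF2 password storage, and the sample policy settings are all assumptions made for the illustration; the real service additionally encrypts its REST traffic with AES-GCM, which is out of scope here.

```python
"""Hypothetical token-gated policy endpoint (added example; not Trend Micro's API)."""
import hashlib
import hmac
import json
import secrets
import time


class PolicyService:
    """Issues a signed token only after password authentication and serves
    policy only to holders of a valid, unexpired token for the current policy."""

    def __init__(self, ttl_seconds=300):
        self._secret = secrets.token_bytes(32)   # server-side HMAC key, never sent to agents
        self._ttl = ttl_seconds
        self._users = {}      # user name -> (salt, PBKDF2 password hash)
        self._policies = {}   # user name -> policy settings (constructed sample data)

    def register(self, user, password, policy):
        if "|" in user:
            raise ValueError("user name may not contain the token separator")
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user] = (salt, digest)
        self._policies[user] = dict(policy)

    def update_policy(self, user, policy):
        self._policies[user] = dict(policy)

    def _policy_fingerprint(self, user):
        # Canonical JSON so identical settings always produce the same fingerprint.
        canonical = json.dumps(self._policies[user], sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()[:16]

    def authenticate(self, user, password, now=None):
        """Return a token bound to the user's current policy, or None on failure."""
        record = self._users.get(user)
        if record is None:
            return None
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return None
        now = time.time() if now is None else now
        body = f"{user}|{self._policy_fingerprint(user)}|{int(now + self._ttl)}"
        mac = hmac.new(self._secret, body.encode(), "sha256").hexdigest()
        return f"{body}|{mac}"

    def get_policy(self, token, now=None):
        """Every policy transaction is refused unless the token checks out."""
        try:
            user, fingerprint, expires, mac = token.split("|")
        except (AttributeError, ValueError):
            raise PermissionError("malformed token")
        body = f"{user}|{fingerprint}|{expires}"
        expected = hmac.new(self._secret, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(mac, expected):
            raise PermissionError("token signature invalid")
        now = time.time() if now is None else now
        if int(expires) < now:
            raise PermissionError("token expired")
        # A token issued for an older policy configuration is no longer honoured.
        if user not in self._policies or fingerprint != self._policy_fingerprint(user):
            raise PermissionError("policy changed since authentication; re-authenticate")
        return dict(self._policies[user])


if __name__ == "__main__":
    svc = PolicyService(ttl_seconds=60)
    svc.register("alice", "correct horse battery",
                 {"full_disk_encryption": True, "min_password_length": 12})
    token = svc.authenticate("alice", "correct horse battery")
    print("policy for alice:", svc.get_policy(token))
    try:
        svc.get_policy("not-a-token")
    except PermissionError as exc:
        print("refused:", exc)
```

The point the model makes is that the policy fetch never trusts the caller's claimed identity: it trusts only a server-signed token, and that token stops working when it expires or when the policy it was issued against changes, so a revoked or tightened policy cannot be fetched in its old form.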

Note: In environments that use Control Manager, changes to PolicyServer policies are always controlled by Control Manager. Any changes made using PolicyServer MMC are overwritten the next time that Control Manager synchronizes policies to the PolicyServer database.

Trend Micro Control Manager

Trend Micro Control Manager is a central management console that manages Trend Micro products and services at the gateway, mail server, file server, and corporate desktop levels. The Control Manager web-based management console provides a single monitoring point for managed products and services throughout the network.

Control Manager allows system administrators to monitor and report on activities such as infections, security violations, or virus entry points. System administrators can download and deploy components throughout the network, helping ensure that protection is consistent and up-to-date. Control Manager allows both manual and prescheduled updates, and the configuration and administration of products as groups or as individuals for added flexibility.

About PolicyServer MMC

The PolicyServer Microsoft Management Console plug-in (PolicyServer MMC) is the native management console for Endpoint Encryption policy, user, and device administration. Use PolicyServer MMC to centrally manage:
  - All Endpoint Encryption users, devices, and groups
  - All policies, including encryption, password complexity, and authentication
  - Remote device actions, including killing a device, erasing data, or delaying authentication
  - Event logs about authentication events, management events, device encryption status, and security violations
  - Remote Help password reset process
  - Auditing and reporting options

Endpoint Encryption Agents

The following table describes the Endpoint Encryption agents available for a variety of environments.

Full Disk Encryption
  The Endpoint Encryption agent for hardware and software encryption with preboot authentication. Full Disk Encryption secures data files, applications, registry settings, temporary files, swap files, print spoolers, and deleted files on any Windows endpoint. Strong preboot authentication restricts access vulnerabilities until the user is validated. The Full Disk Encryption agent may be installed on the same endpoint as the File Encryption agent. The Full Disk Encryption agent cannot be installed on the same endpoint as either the Encryption Management for Microsoft BitLocker agent or the Encryption Management for Apple FileVault agent.

Encryption Management for Microsoft BitLocker
  The Endpoint Encryption Full Disk Encryption agent for Microsoft Windows environments that simply need to enable Microsoft BitLocker on the hosting endpoint. The Encryption Management for Microsoft BitLocker agent may be installed on the same endpoint as the File Encryption agent.

Encryption Management for Apple FileVault
  The Endpoint Encryption Full Disk Encryption agent for Mac OS environments that simply need to enable Apple FileVault on the hosting endpoint.

File Encryption
  The Endpoint Encryption agent for file and folder encryption on local drives and removable media. File Encryption protects files and folders located on virtually any device that appears as a drive within the host operating system. The File Encryption agent may be installed on the same endpoint as either the Full Disk Encryption agent or the Encryption Management for Microsoft BitLocker agent.

Authentication Methods

Endpoint Encryption administrators and users have several authentication methods to log on to Endpoint Encryption devices. The methods available are determined by the PolicyServer policy configuration.

Note: You must use PolicyServer MMC to configure the authentication methods available to Endpoint Encryption users. It is not possible to use Control Manager to configure the allowed authentication methods. However, you can configure Control Manager for domain authentication.

Table 2-5. Supported Authentication Methods

ColorCode (page 2-14): A unique sequence of colors.
Domain Authentication (page 2-14): Active Directory LDAP synchronization for single sign-on (SSO).
Fixed Password (page 2-15): A string of characters, numbers, and symbols.
PIN (page 2-15): A standard Personal Identification Number (PIN).
Remote Help (page 2-15): Interactive authentication for users who forget their credentials or devices that have not synchronized policies within a predetermined amount of time.
Self Help (page 2-16): Question and answer combinations that allow users to reset a forgotten password without contacting Technical Support.
Smart Card (page 2-16): A physical card used in conjunction with a PIN or fixed password.

ColorCode

ColorCode is a unique authentication method designed for quick access and easy memorization. Rather than alphanumeric characters or symbols for the password, ColorCode authentication consists of a user-created color sequence (example: red, red, blue, yellow, blue, green).

Figure 2-1. ColorCode Authentication Screen

Domain Authentication

Endpoint Encryption integrates with Active Directory using LDAP configured in PolicyServer. Endpoint Encryption domain authentication allows Endpoint Encryption users to use single sign-on (SSO) between the operating system and the Endpoint Encryption agent. For example, Endpoint Encryption users with domain authentication need only provide their credentials once to authenticate to the Full Disk Encryption preboot, log on to Windows, and access the files protected by File Encryption.

For seamless Active Directory integration, make sure that the following requirements are met:
  - PolicyServer has joined the domain.
  - All Endpoint Encryption devices are in the same Active Directory and domain as PolicyServer.
  - The user names configured in Active Directory exactly match the user names configured in PolicyServer (including case).
  - The user names are located within a PolicyServer group and the Domain Authentication policy is enabled.
  - The host name and domain name are configured correctly based on the LDAP or Active Directory server settings.

Note: For information about configuring LDAP and Active Directory settings, see the Endpoint Encryption Installation Guide available at:

Fixed Password

Fixed password authentication is the most common authentication method. The fixed password is created by the user and can be almost any string of numbers, characters, or symbols. You can place restrictions on fixed passwords to ensure that they are not easily compromised.

PIN

A Personal Identification Number (PIN) is a common identification method requiring a unique sequence of numbers. The PIN is created by the user and can be almost anything. Similar to fixed passwords, you may place restrictions on the PIN combination.

Remote Help

Remote Help allows Group or Enterprise Authenticators to assist Endpoint Encryption users who are locked out and cannot log on to Endpoint Encryption devices after too many unsuccessful logon attempts, or when the period since the last PolicyServer synchronization has been too long.

Note: Remote Help authentication is triggered by Endpoint Encryption device policy rules. Remote Help policy rules are configurable in both PolicyServer MMC and Control Manager.

Self Help

Self Help authentication allows Endpoint Encryption users who have forgotten their credentials to answer security questions and log on to Endpoint Encryption devices without getting Technical Support assistance. Self Help requires the Endpoint Encryption user to respond with answers to predefined personal challenge questions. Self Help can replace fixed password or other authentication methods.

Consider the following when choosing your authentication method or when configuring Self Help:
  - Self Help is not available for Administrator and Authenticator accounts.
  - Self Help is not available for accounts that use domain authentication. PolicyServer is unable to change or retrieve previous domain passwords.
  - Self Help has a maximum of six questions for each user account. Users may be unable to log on using Self Help if more than six questions are configured.
  - Self Help is only configurable with PolicyServer MMC.

Smart Card

Smart card authentication requires both a PIN and a physical token to confirm the user identity. Smart card certificates are associated with the user account and the user's assigned group. Once registered, the user can use smart card authentication from any Endpoint Encryption device in that group. Users are free to use any Endpoint Encryption device in their group and do not need to ask for another one-time password.

To use smart card authentication, make sure that the following requirements are met:
  - The smart card reader is connected to the endpoint and the smart card is inserted into the smart card reader.
  - ActivClient 6.2 with all service packs and updates is installed. Note: ActivClient 7.0 and later is not supported.
  - Specify the smart card PIN in the password field. WARNING! Failure to provide a correct password sends a password error and may result in locking the smart card.

Note: Smart card authentication is only configurable with PolicyServer MMC. Switching the authentication method from smart card to domain authentication may cause issues for domain users added through ADSync or Active Directory User Import. To resolve this issue, remove the domain user account from the enterprise, and then restart the PolicyServer services to start synchronization with the AD server. The synchronization process adds the user back with domain authentication as the authentication method. Alternatively, you can also add the domain user account back via Active Directory User Import.
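The Domain Authentication requirements above hinge on one detail that is easy to get wrong in a large directory: the user names in Active Directory must match the user names in PolicyServer exactly, including case, and the smart card note adds that accounts brought in through ADSync or Active Directory User Import are the ones affected when things drift. The following added example (not Trend Micro tooling) is a pre-flight check an administrator can run over two exported name lists before enabling the Domain Authentication policy. It assumes two plain lists of user names obtained by whatever export method you use for AD and for PolicyServer; the sample names are constructed.

```python
"""Added example (not Trend Micro tooling): pre-flight check that Active Directory
user names and PolicyServer user names match exactly, including case."""
from collections import defaultdict

# Constructed sample exports; real lists would come from your AD and PolicyServer exports.
AD_USERS = ["jsmith", "Anna.Lee", "bjones", "mchen"]
POLICYSERVER_USERS = ["jsmith", "anna.lee", "bjones ", "tsupport"]


def _index(names):
    # Group names by a relaxed key so near-misses (case, stray whitespace) are reported
    # instead of silently counting as "missing".
    index = defaultdict(list)
    for name in names:
        index[name.strip().casefold()].append(name)
    return index


def check_user_name_alignment(ad_users, ps_users):
    """Classify every name: exact match, near-miss, missing from PolicyServer, or absent from AD."""
    ad_index, ps_index = _index(ad_users), _index(ps_users)
    report = {"ok": [], "mismatch": [], "missing_in_policyserver": [], "not_in_ad": []}
    for key, ad_names in sorted(ad_index.items()):
        ps_names = ps_index.get(key, [])
        if not ps_names:
            report["missing_in_policyserver"].extend(ad_names)
            continue
        for ad_name in ad_names:
            if ad_name in ps_names:          # byte-for-byte equal: SSO will work
                report["ok"].append(ad_name)
            else:                            # same account, different spelling: SSO will fail
                for ps_name in ps_names:
                    report["mismatch"].append((ad_name, ps_name))
    for key, ps_names in sorted(ps_index.items()):
        if key not in ad_index:
            report["not_in_ad"].extend(ps_names)
    return report


def describe(report):
    """Human-readable findings, one line per problem (exact matches are not listed)."""
    lines = []
    for ad_name, ps_name in report["mismatch"]:
        reason = "whitespace" if ad_name.strip() == ps_name.strip() else "case"
        lines.append(f"NEAR-MISS ({reason}): AD {ad_name!r} vs PolicyServer {ps_name!r}")
    for name in report["missing_in_policyserver"]:
        lines.append(f"MISSING: AD user {name!r} has no PolicyServer account")
    for name in report["not_in_ad"]:
        lines.append(f"ORPHAN: PolicyServer user {name!r} not found in AD")
    return lines


if __name__ == "__main__":
    result = check_user_name_alignment(AD_USERS, POLICYSERVER_USERS)
    print(f"{len(result['ok'])} exact match(es)")
    for line in describe(result):
        print(line)
```

Near-misses are the finding to act on before switching on the Domain Authentication policy: an account that differs only by case or trailing whitespace looks present in both systems yet will not satisfy the exact-match requirement, so SSO between preboot, Windows, and File Encryption will fail for that user.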

32

33 Chapter 3 Getting Started This chapter explains how to get started using Trend Micro Control Manager to manage PolicyServer. Topics include: System Requirements on page 3-2 Setting Up Control Manager on page 3-16 Active Directory Synchronization on page

Trend Micro Endpoint Encryption Administrator Guide

Getting Started

System Requirements

This chapter outlines the system requirements for Trend Micro Endpoint Encryption. Topics include:

- PolicyServer System Requirements on page 3-2
- PolicyServer MMC System Requirements on page 3-8
- Full Disk Encryption System Requirements on page 3-9
- File Encryption System Requirements on page 3-13
- Encryption Management for Microsoft BitLocker System Requirements on page 3-13
- Encryption Management for Apple FileVault System Requirements on page 3-15

PolicyServer System Requirements

Hardware and Scaling Requirements

The following shows the deployment and scaling requirements for several environment sizes. In smaller network environments, the PolicyServer SQL databases can be installed on the same server as the PolicyServer services. For PolicyServer deployments in environments with more than 1,500 devices, Trend Micro recommends at least two dedicated servers:

1. A dedicated server for the PolicyServer services, also known as the front-end server
2. A dedicated server for the database, or add the database to an existing SQL cluster

The following table displays the basic requirements for the PolicyServer front end and SQL database at the specified scale:

Devices | PolicyServer Front-end Requirements | PolicyServer SQL Database Requirements
--- | --- | ---
1,000 | One front-end and SQL database multi-role server with an Intel Xeon quad-core 2.2 GHz processor or above, 8 GB RAM, 120 GB hard drive | Installed on the PolicyServer front-end server
4,000 | One front-end and SQL database multi-role server with an Intel Xeon quad-core 2.2 GHz processor or above, 8 GB RAM, 150 GB hard drive | Installed on the PolicyServer front-end server
8,000 | Two front-end servers, each with an Intel Xeon quad-core 2.2 GHz processor or above, 4 GB RAM, 40 GB hard drive | One SQL database server with an Intel Xeon quad-core 2.2 GHz processor or above, 8 GB RAM, 150 GB hard drive
20,000 | Four front-end servers, each with an Intel Xeon quad-core 2.2 GHz processor or above, 4 GB RAM, 40 GB hard drive | Two SQL database servers (one for the policy database and one for the log database), each with an Intel Xeon quad-core 2.2 GHz processor or above, 8 GB RAM, 180 GB RAID 5 hard drive
40,000 | Eight front-end servers, each with an Intel Xeon quad-core 2.2 GHz processor or above, 4 GB RAM, 40 GB hard drive | Two SQL database servers (one for the policy database and one for the log database), each with an Intel Xeon quad-core 2.2 GHz processor or above, 16 GB RAM, 350 GB shared SAN RAID 5 hard drive

Note: Virtual hardware is supported under VMware Virtual Infrastructure. Microsoft or VMware on virtual hardware does not support Microsoft Cluster Service. Baseline testing was performed on an endpoint with an Intel Xeon CPU E v GHz, 2200 MHz.

Redundancy Requirements

With larger environments, Trend Micro recommends adding servers to avoid single points of failure. The following table displays the requirements for the PolicyServer front end and SQL database in an environment with increased redundancy.

Tip: Trend Micro recommends setting up redundancy for environments with more than 8,000 devices.

Devices | PolicyServer Front-end Requirements | PolicyServer SQL Database with Zero Single Points of Failure
--- | --- | ---
8,000 | Four front-end servers, each with one Intel Xeon quad-core 2.2 GHz processor or above, 4 GB RAM, 40 GB hard drive | One SQL server cluster of two nodes with Intel Xeon quad-core 2.2 GHz processors or above, 8 GB RAM, 60 GB RAID 5 hard drive, 150 GB shared SAN RAID 5 hard drive
20,000 | Six front-end servers, each with Intel Xeon quad-core 2.2 GHz processors or above, 4 GB RAM, 40 GB hard drive | Two SQL server clusters of two nodes with Intel Xeon quad-core 2.2 GHz processors or above, 8 GB RAM, 60 GB RAID 5 hard drive, 180 GB shared SAN RAID 5 hard drive
40,000 | Twelve front-end servers, each with Intel Xeon quad-core 2.2 GHz processors or above, 4 GB RAM, 40 GB hard drive | Two SQL server clusters of two nodes with Intel Xeon quad-core 2.2 GHz processors or above, 16 GB RAM, 60 GB RAID 5 hard drive, 350 GB shared SAN RAID 5 hard drive
Note: Virtual hardware is supported under VMware Virtual Infrastructure. Microsoft or VMware on virtual hardware does not support Microsoft Cluster Service. Baseline testing was performed on an endpoint with an Intel Xeon CPU E v GHz, 2200 MHz.

Software Requirements

Specification | Requirements
--- | ---
Operating system | Windows Server 2008 / 2008 R2 (64-bit); Windows Server 2012 / 2012 R2 (64-bit); Windows Server 2016 (64-bit)
Database server | Microsoft SQL Server 2008 / 2008 R2 / 2012 / 2012 R2 / 2014 / 2016; Microsoft SQL Server Express 2008 / 2012 / 2014 / 2016; Mixed Mode Authentication (SA password) installed; Reporting Services installed. Note: For Windows Server 2008 R2, you must install SQL Server 2008 SP1.
Application server | PolicyServer 6.0 Patch 1 requires Microsoft Internet Information Services (IIS) with the following roles installed and enabled. Application Development: ASP.NET, ASP, ISAPI Extensions, ISAPI Filters. Management Tools: IIS Management Console, IIS Management Scripts and Tools, Management Service, IIS 6 Management Compatibility, IIS 6 Metabase Compatibility. For Windows Server 2008 and 2008 R2, you must install the Application Server role and the Web Server role, and add the SMTP and Microsoft IIS Support features. Legacy Endpoint Encryption environments (version and earlier) require Client Web Service. If you install Client Web Service on a remote endpoint, install Microsoft IIS on that endpoint.
Other software | Both Microsoft .NET Framework 2.0 SP2 (or 3.5) and 4.0; Windows Installer 4.5 (SQL Express)

Installation Files

File | Purpose
--- | ---
PolicyServerInstaller.exe | Installs the PolicyServer databases and services. Optionally, the PolicyServer MMC can be installed at the same time.
PolicyServer MMCSnapinSetup.msi | Installs the PolicyServer MMC only.
TMEEProxyInstaller.exe | Installs the Client Web Service and the Traffic Forwarding Service. These services function as web proxies and communication protocols for environments that have PolicyServer and Endpoint Encryption agents in different LANs. Client Web Service functions for or earlier agents and Traffic Forwarding Service functions for 5.0 or later agents.

Note: PolicyServer includes a 30-day trial license. To upgrade to the full product version, register your product with your Activation Code in Control Manager or PolicyServer MMC.

Required Accounts

Account | Function | Description
--- | --- | ---
SQL SA | PolicyServer Installer | Account used only to create the PolicyServer databases
SQL MADB | PolicyServer Windows Service | Account created during installation to authenticate to the PolicyServer databases
Local Administrator | PolicyServer Windows Service and IIS | Account used to run the PolicyServer Windows Service and the web service application pools

PolicyServer MMC System Requirements

Note: PolicyServer MMC can be installed on the PolicyServer front-end server or on a different endpoint that has network connectivity with PolicyServer.
Specification | Requirements
--- | ---
Processor | Intel Core 2 Duo 2.0 GHz processor or equivalent
RAM | 512 MB
Disk space | 100 MB
Network connectivity | Connectivity with PolicyServer
Operating system | Any Microsoft Windows operating system supported by PolicyServer or the Endpoint Encryption agents
Others | Microsoft .NET Framework 4.0

Full Disk Encryption System Requirements

Specification | Requirements
--- | ---
Processor | Intel Core 2 Duo 2.0 GHz processor or equivalent
RAM | 1 GB
Disk space | 30 GB; 20% free disk space; 256 MB contiguous free space
Network connectivity | Communication with PolicyServer required for managed agents
Operating system | Windows Embedded POSReady 7 (32-bit/64-bit); Windows 10 (32-bit/64-bit); Windows 8.1 (32-bit/64-bit); Windows 8 (32-bit/64-bit); Windows 7 (32-bit/64-bit). Note: Older builds of Windows 10 installed on endpoints where UEFI is enabled may encounter issues if Secure Boot is turned on. To prevent this issue, install all service packs, hotfixes and security patches for Windows 10 before proceeding with the installation.
Firmware interface | BIOS: all supported operating systems; UEFI: all supported operating systems
Other software | Microsoft .NET Framework 3.5 SP1 or later (Windows 7 and later operating systems)
Hard disk | Full Disk Encryption uses software-based encryption for all standard drives (drives without self-encryption). Full Disk Encryption uses hardware-based encryption for the following self-encrypting drives (SEDs): Seagate OPAL and OPAL 2 drives; SanDisk self-encrypting (OPAL2) solid-state drives; Toshiba self-encrypting (OPAL2) solid-state drives (SATA and NVMe); Intel self-encrypting (OPAL2) solid-state drives (SATA and NVMe). Full Disk Encryption has the following limitations: it does not support RAID and SCSI drives, and it does not support eDrive drives in Windows 8 or later environments.
Hard disk controllers | Software encryption: ATA, AHCI, or IRRT hard disk controller. Hardware encryption: AHCI hard disk controller.

Recommended Disk Combinations

Endpoint Encryption supports endpoints with a maximum of 32 disks attached. Full Disk Encryption recommends the following disk combinations:

Primary Disk | Secondary Disk | Recommendation
--- | --- | ---
Normal system disk | Normal data disk | Yes. The disk must either be new or previously encrypted and connected with PolicyServer.
Normal system disk | Normal system disk attached as a data disk | Yes. If the Bypass Preboot policy is set to Allow, Full Disk Encryption prompts for the removal of one system disk.
Normal system disk | SED data disk | Yes. The disk must either be new or previously encrypted and connected with PolicyServer.
SED system disk | SED data disk | Yes. The disk must either be new or previously encrypted and connected with PolicyServer.
SED system disk | SED system disk attached as a data disk | No. The Full Disk Encryption installer completes the installation but cannot manage both disks. If the Bypass Preboot policy is set to Allow, Full Disk Encryption prompts for the removal of one system disk.
SED system disk | Normal data disk | No. The Full Disk Encryption installer completes the installation but cannot manage any disks.

If a non-recommended disk is found, the Full Disk Encryption installer still completes the installation but cannot manage the non-recommended disk. Additionally, it reports a status of Unmanaged for the non-recommended disk.
File Encryption System Requirements

The following table explains the File Encryption system requirements.

Specification | Requirements
--- | ---
Processor | Intel Core 2 Duo 2.0 GHz processor or equivalent
RAM | 1 GB
Disk space | 30 GB; 20% free disk space
Network connectivity | Communication with PolicyServer required for managed agents
Operating system | Windows 10 (32-bit/64-bit); Windows 8.1 (32-bit/64-bit); Windows 8 (32-bit/64-bit); Windows 7 (32-bit/64-bit)
Other software | Microsoft .NET Framework 3.5 SP1 (Windows 7 and later operating systems); Microsoft Windows Installer 3.1

Encryption Management for Microsoft BitLocker System Requirements

The following table explains the minimum and recommended Encryption Management for Microsoft BitLocker system requirements.

Specification | Requirements
--- | ---
Processor | Intel Core 2 Duo 2.0 GHz processor or equivalent
RAM | Requirements are based on the Windows system requirements: 64-bit systems, 2 GB; 32-bit systems, 1 GB
Disk space | 30 GB; 20% free disk space
Hard disk | Standard drives supported by Windows
Network connectivity | Connectivity with PolicyServer
Operating system | Windows Embedded POSReady 7 (32-bit/64-bit); Windows 10 Enterprise and Professional editions (32-bit/64-bit); Windows 8.1 Enterprise and Professional editions (32-bit/64-bit); Windows 8 Enterprise and Professional editions (32-bit/64-bit); Windows 7 Enterprise and Professional editions (32-bit/64-bit)
Other software | Trusted Platform Module (TPM) 1.2 or higher; Full Disk Encryption is not installed; Microsoft .NET Framework 3.5

WARNING! Full Disk Encryption is unable to install on SED disks attached to devices using UEFI if these disks were previously managed by Windows BitLocker. To install Full Disk Encryption on these disks, perform one of the following:

- Configure Full Disk Encryption to use software-based encryption by adding the FORCESOFTWARE parameter during installation. For details, see the Installing the Full Disk Encryption Agent section in the Endpoint Encryption Installation Guide.
- Restore the SED disk to its factory setting. This procedure removes all existing data from the SED disk. After the disk has been restored, run the installer again.

Encryption Management for Apple FileVault System Requirements

The following table explains the minimum and recommended Encryption Management for Apple FileVault system requirements.

Specification | Requirement
--- | ---
Processor | Intel Core 2 Duo 2.0 GHz processor or equivalent
Memory | 512 MB minimum; 2 GB recommended
Disk space | 400 MB minimum
Network connectivity | Connectivity with PolicyServer
Operating system | OS X Sierra; OS X El Capitan; OS X Yosemite; OS X Mavericks; OS X Mountain Lion
Other software | Mono runtime environment (MRE) 2.1; Apple FileVault is disabled
Hardware considerations | Mac OS local accounts or mobile accounts can initiate encryption on Mac OS X Mountain Lion or later. Other Mac OS user account types cannot initiate encryption. To create a mobile account for Active Directory on your Mac, see Creating a Mobile Account for Active Directory on Mac OS on page . Encryption Management for Apple FileVault supports Apple Fusion Drives on Mac OS X Mountain Lion or later (starting with Mac OS build ).

Setting Up Control Manager

The following procedure provides an overview of how to configure Control Manager for Endpoint Encryption management.

Note: For information about individual policy configurations, see Policies on page
Procedure

1. Install and configure PolicyServer. See the Endpoint Encryption Installation and Migration Guide.
2. Connect PolicyServer to Control Manager.
   a. Adding PolicyServer as a Managed Product to Control Manager on page 3-20
   b. Configuring Directory Management for PolicyServer on page
3. Add policy targets. See Creating a Policy on page
4. Verify the policy configuration on PolicyServer MMC.

Related information

- Control Manager Architecture
- Adding PolicyServer as a Managed Product to Control Manager
- Configuring Directory Management for PolicyServer
- Configuring Proxy Settings

Control Manager Architecture

Trend Micro Control Manager provides a means to control Trend Micro products and services from a central location. This application simplifies the administration of a corporate virus/malware and content security policy. The following table lists the components Control Manager uses.
Table 3-1. Control Manager Components

Component | Description
--- | ---
Control Manager server | Acts as a repository for all data collected from the agents. It can be a Standard or Advanced Edition server. A Control Manager server includes the following features: (1) An SQL database that stores managed product configurations and logs. Control Manager uses the Microsoft SQL Server database (db_controlmanager.mdf) to store data included in logs, the Communicator schedule, managed product and child server information, user accounts, network environment, and notification settings. (2) A web server that hosts the Control Manager web console. (3) A mail server that delivers event notifications through email messages. Control Manager can send notifications to individuals or groups of recipients about events that occur on the Control Manager network. Configure Event Center to send notifications through email messages, Windows event log, MSN Messenger, SNMP, Syslog, pager, or any in-house/industry-standard application your organization uses to send notifications. (4) A report server, present only in the Advanced Edition, that generates antivirus and content security product reports. A Control Manager report is an online collection of figures about security threat and content security events that occur on the Control Manager network.
Trend Micro Management Communication Protocol | MCP handles the Control Manager server interaction with managed products that support the next-generation agent. MCP is the new backbone for the Control Manager system. MCP agents install with managed products and use one-way or two-way communication to communicate with Control Manager. MCP agents poll Control Manager for instructions and updates.
Trend Micro Management Infrastructure | Handles the Control Manager server interaction with older managed products. The Communicator, or the Message Routing Framework, is the communication backbone of the older Control Manager system. It is a component of the Trend Micro Management Infrastructure (TMI). Communicators handle all communication between the Control Manager server and older managed products. They interact with Control Manager 2.x agents to communicate with older managed products.
Control Manager 2.x Agents | Receive commands from the Control Manager server and send status information and logs to the Control Manager server. The Control Manager agent is an application installed on a managed product server that allows Control Manager to manage the product. Agents interact with the managed product and the Communicator. An agent serves as the bridge between the managed product and the Communicator. Therefore, install agents on the same computer as the managed products.
Web-based management console | Allows an administrator to manage Control Manager from a computer with an Internet connection and Microsoft Internet Explorer. The Control Manager management console is a web-based console published on the Internet through Microsoft Internet Information Server (IIS) and hosted by the Control Manager server. It lets you administer the Control Manager network from any computer using a compatible web browser.
Widget Framework | Allows an administrator to create a customized dashboard to monitor the Control Manager network.

Adding PolicyServer as a Managed Product to Control Manager

Endpoint Encryption allows administrators to use Trend Micro Control Manager to control PolicyServer and manage Endpoint Encryption agent policies, or to use Trend Micro OfficeScan to deploy Endpoint Encryption agent software on managed endpoints. To use Control Manager to manage PolicyServer, you must add PolicyServer as a managed product.

Important: Endpoint Encryption supports only one configured PolicyServer instance in Control Manager at a time. It is not possible to add multiple PolicyServer configurations.

Procedure

1. Log on to Control Manager.
2. Go to Administration > Managed Servers. The Managed Servers screen appears.
3. In the Server Type drop-down list, select Endpoint Encryption.
4. Click Add. The Add Server screen appears.
5. Specify the Server Information options.
   - Server: Specify the PolicyServer host name and the port number. Use the following format:
     Note: Control Manager communicates with the PolicyServer Endpoint Encryption Service. The default port number is
   - Display name: Specify the name for PolicyServer shown in the Managed Servers screen.
6. Under Authentication, specify the user name and password of the Endpoint Encryption Enterprise Administrator account and the Enterprise specified during PolicyServer installation.
7. Under Connection, select Use a proxy server for the connection if PolicyServer requires a proxy connection.
8. Click Save.

Note: Synchronization between Control Manager and PolicyServer may require several minutes to complete.
PolicyServer is added as a new managed product to Control Manager.

Configuring Directory Management for PolicyServer

The following procedure explains how to configure Directory Management for the new PolicyServer data source. The Directory Management screen displays the available policy targets in the directory tree. Add PolicyServer to Control Manager as a managed server before starting this procedure. For more information, see Adding PolicyServer as a Managed Product to Control Manager on page

Procedure

1. Go to Policies > Policy Resources > Managed Servers. The Managed Servers screen appears.
2. Click Directory Management. The Directory Management screen appears.
3. Select the server and then click Add Folder. The Add Directory screen appears.
4. Specify a directory name and then click Save.
5. Click OK to confirm. The new folder is created.
6. Drag the previously added PolicyServer data source into the new folder.
7. Click OK to confirm.
8. Click < Back to return to the Policy Management screen.
Configuring Proxy Settings

Use a proxy server to connect to the managed products.

Procedure

1. Go to Administration > Managed Servers. The Managed Servers screen appears.
2. Click Proxy Settings.
3. Specify your proxy settings.

   Option | Description
   --- | ---
   Protocol | Endpoint Encryption supports proxy connections over the HTTP or SOCKS5 protocols.
   Server | Specify the IP address or URL of the proxy server.
   Port | Specify the listening port of the proxy server.
   User name | Specify the user name to access the server if the proxy requires authentication.
   Password | Specify the password to access the server if the proxy requires authentication.

4. Click Save.
5. Click the Edit button next to your Endpoint Encryption server. The Edit Server screen appears.
6. Select Use a proxy server for the connection.
7. Click Save.

Active Directory Synchronization

PolicyServer supports Active Directory (AD) synchronization for a configured PolicyServer group. Synchronization automatically adds and removes AD users from configured PolicyServer groups. Topics include:

- Active Directory Overview on page 3-24
- Configuring Active Directory on page 3-25
- Importing Active Directory Users on page 3-27
- Managing Password Setting Objects from Active Directory on page 3-29

Active Directory Overview

Three items are required to enable PolicyServer AD synchronization:

1. A configured AD domain.
2. A PolicyServer group configured to point to one or more valid AD organizational units (OUs).
3. Appropriate credentials to access the AD domain that match the PolicyServer group's distinguished name.

When configured properly, synchronization automatically creates new PolicyServer users and moves them to the appropriate paired groups on PolicyServer. During synchronization, PolicyServer is updated to reflect the current users and group assignments for paired groups. Adding a new user to the domain and placing that user in an organizational unit flags that user so that, during the next synchronization, AD creates that user in PolicyServer and then moves that user into the appropriate paired PolicyServer group. Deleting a user from AD automatically removes that user from a PolicyServer paired group and from the enterprise.

To add non-domain users to groups that are synchronized with the domain, you can create unique Endpoint Encryption users and add them to paired PolicyServer groups without having those users modified by the synchronization system. If you remove the Endpoint Encryption user from a paired group in PolicyServer, that domain user is not automatically re-added by the synchronization system. This prevents the synchronization system from overriding your action for this Endpoint Encryption user. If you manually move a synchronized domain user back into a paired group, the synchronization system again begins to automatically maintain the user in the group.

Configuring Active Directory

This task assumes the domain controller is set up on Windows Server 2012 and that Active Directory (AD) is installed.

Procedure

1. Go to Start > Administrative Tools > Active Directory Users and Computers. The Active Directory Users and Computers screen appears.
Figure 3-1. Active Directory Users and Computers

2. Create your organizational units (OUs). For each OU you intend to create, perform the following steps:
   a. Right-click the new domain created during AD installation and then select New.
   b. Select Organizational Unit.
   c. From the New Object - Organizational Unit screen, specify the new name and click OK. The new group appears in the left navigation under the domain name.
   Perform this step for as many organizational units as you intend to use with PolicyServer.

   Important: Endpoint Encryption supports up to 12 OUs per policy.
   The new groups will be used to synchronize with a PolicyServer group. Before synchronization, users must be added to the groups.
3. Add new users to your OUs. For each user you intend to create, perform the following steps:
   a. Right-click the intended OU and go to New > User.
   b. From the New Object - User screen, specify the new user's account information and click Next.
   c. Specify and confirm the new user's domain password and click Next.
      Note: Clear User must change password at next login and select the Password never expires option to simplify other testing later.
   d. When prompted to complete, click Finish.

The domain controller is configured with a new OU and a user in that group. To synchronize that group with PolicyServer, install PolicyServer and create a group for synchronization. The next section assumes that PolicyServer is already installed.

Importing Active Directory Users

PolicyServer maintains a user directory separate from the Active Directory database. This gives PolicyServer absolute control over access to all Endpoint Encryption devices, user rights, and authentication methods. Use the Endpoint Encryption Users widget in Control Manager to import Active Directory users. For more information about managing users with the Endpoint Encryption Users widget, see Endpoint Encryption Users on page 4-7.

Procedure

1. Log on to Control Manager.
2. Go to the Endpoint Encryption Users widget.
3. Click the icon.
4. Select Import Users from Active Directory. The Import Users from Active Directory screen appears.
5. Specify your credentials for the Active Directory LDAP server.
   Note: For Port, the value 0 specifies the default port. The default port is
6. Click Next.
7. Wait for the specified Active Directory domain to populate. The Active Directory tree for the specified domain appears in the left pane.
8. From the left pane, use the navigation tree to select the container from which to add users. The available users populate in the right pane.
9. Do one of the following:
   - Select individual users, then click Import Selected Users.
   - Click Import Everyone in this Container.
10. Click OK to add the users to the specified location. A confirmation window appears.
11. Click OK to confirm. An import status message displays.
12. Click Close to finish, or repeat the procedure to select more users to import.
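The OU and user creation in the Configuring Active Directory procedure above, scripted with the ActiveDirectory PowerShell module so that the containers the import step selects can be prepared repeatably; this is an added example, not from the guide or from Trend Micro. The domain DN, OU names and user accounts are constructed placeholders; the 12-OU limit and the two password flags are the ones the guide states.

```powershell
# Added example (not from the Trend Micro guide). Requires the ActiveDirectory
# module (RSAT) and an account permitted to create OUs and users.
Import-Module ActiveDirectory

$DomainDN        = 'DC=example,DC=local'                 # assumption: placeholder domain
$UpnSuffix       = 'example.local'                       # assumption: placeholder UPN suffix
$OuNames         = @('TMEE-Finance', 'TMEE-Engineering') # constructed OU names
$MaxOusPerPolicy = 12                                    # limit stated in the guide

# The guide states that Endpoint Encryption supports up to 12 OUs per policy,
# so refuse to create more than a single policy can be paired with.
if ($OuNames.Count -gt $MaxOusPerPolicy) {
    throw "Endpoint Encryption supports up to $MaxOusPerPolicy OUs per policy; got $($OuNames.Count)."
}

# Step 2 of the procedure: create each OU directly under the domain root.
foreach ($ou in $OuNames) {
    $ouDN = "OU=$ou,$DomainDN"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDN'")) {
        New-ADOrganizationalUnit -Name $ou -Path $DomainDN -ProtectedFromAccidentalDeletion $true
    }
}

# Step 3 of the procedure: constructed test users, one per OU.
$Users = @(
    @{ Sam = 'jdoe'; Given = 'Jane'; Surname = 'Doe'; Ou = 'TMEE-Finance' },
    @{ Sam = 'rroe'; Given = 'Rick'; Surname = 'Roe'; Ou = 'TMEE-Engineering' }
)

# Prompt for the initial password instead of embedding it in the script.
$InitialPassword = Read-Host -Prompt 'Initial password for the test users' -AsSecureString

foreach ($u in $Users) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.Sam)'") { continue }   # already present
    # The guide's note for lab use: clear "User must change password at next
    # logon" and select "Password never expires".
    New-ADUser -Name "$($u.Given) $($u.Surname)" `
               -GivenName $u.Given -Surname $u.Surname `
               -SamAccountName $u.Sam `
               -UserPrincipalName "$($u.Sam)@$UpnSuffix" `
               -Path "OU=$($u.Ou),$DomainDN" `
               -AccountPassword $InitialPassword `
               -ChangePasswordAtLogon $false `
               -PasswordNeverExpires $true `
               -Enabled $true
}

# Verification: list what the Import Users from Active Directory screen will
# offer in each container, including the two flags set above.
foreach ($ou in $OuNames) {
    Get-ADUser -Filter * -SearchBase "OU=$ou,$DomainDN" -Properties PasswordNeverExpires |
        Select-Object SamAccountName, DistinguishedName, Enabled, PasswordNeverExpires |
        Format-Table -AutoSize
}
```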

Managing Password Setting Objects from Active Directory

Endpoint Encryption supports fine-grained password policies through Active Directory. If PolicyServer is in the Active Directory computer list, password policies in Active Directory supersede the PolicyServer policy settings from both Control Manager and PolicyServer MMC. The following procedure shows how to add PolicyServer to the Active Directory computer list.

Procedure

1. Open your Password Settings Object (PSO) Security settings.
   a. Go to Start > Administrative Tools > Active Directory Users and Computers.
   b. In the View menu, verify that Advanced Features are enabled.
   c. Locate your domain node in Active Directory Users and Computers.
   d. Go to System > Password Settings Container.
   e. Select the PSO property that you intend to use for password policy management.
   f. Go to the Security tab.
2. Add the PolicyServer endpoint to the Group or user names list.
   a. Under the Group or user names list, click Add...
   b. In the Object Types window, select Computers.
   c. Select the PolicyServer endpoint.
3. Verify and confirm your changes.
Chapter 4

Dashboard

The Control Manager dashboard provides at-a-glance information for the Control Manager network. The dashboard is comprised of two components:

- Tabs: Allow administrators to create a screen that contains one or more widgets
- Widgets: Provide specific information about various security-related events and perform user and device management

Each user account displays its own dashboard. When a user logs on to Control Manager for the first time, the default tabs and the widgets contained within the tabs appear on the dashboard. Each user account can customize the dashboard, tabs, and widgets for the account's specific needs. Customizing the dashboard, tabs, or widgets for one user account has no effect on the dashboard, tabs, or widgets for a different user account. Each user account has a completely independent dashboard, tabs, and widgets from every other user account.
Tabs

To customize the Control Manager dashboard, add tabs, name the new tabs as needed, and add the appropriate widgets. You can modify or delete added tabs.

Default Tabs

The dashboard provides the following tabs:

- Summary
- DLP Incident Investigation
- Data Loss Prevention
- Compliance
- Threat Detection
- Smart Protection Network

Note: Deleting the default tabs permanently removes the tabs from viewing for the user account that removed the tabs. There is no way to recover a deleted tab. Deleting a default tab has no impact on the dashboard for other user accounts.

Adding a New Tab

Procedure

1. Go to the Dashboard.
2. Click the icon to the right of the last named tab. The New Tab screen appears.
3. Specify a name for the Title of the new tab.
4. Select the radio button for the appropriate layout style.
5. Select Auto-fit On to make the height of all widgets on the tab consistent.
6. Click Save. The new tab is added to the right of the existing tabs.

Modifying Tab Settings

Procedure

1. Go to the Dashboard and then open the appropriate tab.
2. Click Tab Settings at the upper-right corner of the tab.
3. Make the needed changes to:
   - Title
   - Layout
   - Auto-fit
4. Click Save.

Deleting a Tab

Note: Deleting the default tabs permanently removes the tabs from viewing for the user account that removed the tabs. There is no way to recover a deleted tab. Deleting a default tab has no impact on the dashboard for other user accounts.

Procedure

1. Go to the Dashboard.
2. Open the tab to delete.
3. Click the X next to the name of the tab.
4. Click OK to confirm. The tab is deleted.

Widgets

Widgets are the core components of the dashboard. Tabs provide the layout and widgets provide the actual data for the dashboard.

Note: Customizing the dashboard, tabs, or widgets for one user account has no effect on the dashboard, tabs, or widgets for a different user account. Each user account has a completely independent dashboard, tabs, and widgets from every other user account.

Download the Control Manager widget pool (under Product programs and widget pool on the Manual Download and Scheduled Download screens) periodically to check for new or updated widgets.

The data a widget displays comes from one of the following places:

- Control Manager database
- Trend Micro Smart Protection Network
- Managed products added to the Dashboard Server Visibility list

Note: Smart Feedback must be enabled to display data for widgets that include data from Smart Protection Network.

The data a widget displays is controlled in two ways:
Table 4-1. Widget Data

Item | Details
--- | ---
User account | A user's account grants or restricts access to any managed product registered to Control Manager.
Scope | The data scope on many widgets can be individually configured. This means a user can further specify the data source location for the widget. Example: An OfficeScan administrator who manages multiple OfficeScan servers could create one tab and add widgets that display data for only one OfficeScan server.

Adding Widgets to a Tab

After adding widgets to a tab, drag and drop the widgets to various locations within the tab.

Procedure

1. Go to the Dashboard and then open the appropriate tab.
2. Click Add Widgets at the upper-right corner of the tab. The Add Widgets screen appears.
3. Do the following:
   - Click a category from the left and then select the check box next to the name of each applicable widget that appears.
   - Use the search bar to select a specific widget.
4. Click Add. All selected widgets are added to the tab.
68 Trend Micro Endpoint Encryption Administrator Guide Widget Options The following illustration and table provide a general overview of available widget options. Different widgets may have different options available. Figure 4-1. Widget Options Table 4-2. Widget Option Descriptions Item Description 1 The total number of objects (examples: events, devices, logs) that the widget gathers data about. Click the number to view additional information. 2 The information that the widget displays. 3 The Enterprise associated with the widget data. 4 The name of the widget. Change the name in the Widget Settings window. 5 Click the icon to manually refresh widget data. The default refresh rate is controlled by the Control Manager dashboard settings at Administration > Settings > Web Console Settings. 4-6

6: Click the icon to display the following widget options:
   - Widget Settings: Configure the display options for that widget.
   - Help: Access the Endpoint Encryption Online Help for that widget.
   - Close Widget: Remove the widget from the current tab.
7: View the last time that the widget refreshed its data.
8: Click the number or icon to access specific widget data, such as event logs or reports.

Endpoint Encryption Users

The Endpoint Encryption Users widget provides user management capability directly from the Control Manager dashboard. Use the Endpoint Encryption Users widget to add or remove Endpoint Encryption user accounts, reset passwords, change permissions, configure policy group priority, import users from Active Directory, and search for specific user accounts.

Note
For information about adding existing Endpoint Encryption users to a policy, see Configuring Endpoint Encryption Users Rules on page

Show: Select which users to display: all users in the Enterprise, or users in a specific policy.
Search (icon): Click the icon to filter which Endpoint Encryption users appear in the table. Use the search field to specify the parameters to search against.
Settings (icon) or right-click a user: Click the icon to view user attributes or to perform actions on any selected user.
Add users (icon): Click the icon to add individual users, import users from a CSV file, or import users from Active Directory LDAP.
Number of users: View the total number of users in the entire Enterprise, the selected policy, or the specified search.

User Settings Options

The following table explains the options available under the settings icon.

Table 4-3. User Settings Options

Change password: Specify a new password for users that use the Fixed password authentication type. The widget does not support changing passwords for the Domain authentication type.
Delete user: Removes the selected user.
Modify user: Update the properties of the selected user. The following properties can be modified:
   - User name
   - First name
   - Last name
   - Employee ID
   - Email address
   - Freeze
   - User type
   - One policy
   - Authentication method
List policies: Displays the policies in which the selected user is a member. If the Allow Install column for the selected user is Yes, the option to allow or disallow installation for the selected policies, and to select which policies are given first priority, is enabled.

Add New User Options

The following table explains the options available when adding a new Endpoint Encryption user.

Table 4-4. Add New User Options

User name: Specify the account user name that the user uses to authenticate.
First name: Specify the user's first name.
Last name: Specify the user's last name.
Employee ID: Specify the user's employee ID (optional).
Email address: Specify the user's email address (optional).
Freeze: Select Yes to temporarily lock the account. A locked account cannot log on to Endpoint Encryption devices.
User type: Select User, Authenticator, or Administrator. For more information about user roles, see Users on page 5-3.
One group: Select Yes to allow the user to belong to only one policy at a time. The user may not be added to any other policy groups. If you set this option to Yes and set the User type to Authenticator or Administrator, the user becomes a group authenticator or group administrator respectively.
Authentication method: Select the authentication method available to the user.

Policy Membership

The following table explains how to understand Endpoint Encryption user policy membership.

Note
Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker do not require authentication and are not affected by authentication policies. Client, login, password, and authentication policies, and the option allowing the user to uninstall the Endpoint Encryption agent software, affect only the Full Disk Encryption and File Encryption agents.

Priority (example: 1, 2, 3): Shows the order in which Endpoint Encryption applies policies. When a policy that affects a user is triggered, Endpoint Encryption takes that policy's action, and no other policy affects the user for that event.
Policy Name (example: GP1): Shows the names of all policies to which the user is currently assigned.
Description (example: Temporary employees policy.): Shows the description of the policy.
Allow Install (example: Yes, No): Shows whether the user can install new Endpoint Encryption devices.

Importing Users from a CSV File

Note
Importing users from a CSV file is supported only for users that use fixed password authentication.

Format each line in the CSV file as follows:

<User ID (required)>, <first name>, <last name>, <employee ID>, <email address>

For fields with no data, use a comma as a placeholder. The following is an example CSV entry:

example_id, name,,, name@example.com
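The following script builds and checks an import file in the line format above. It is an added example, not code from this guide or from Trend Micro. It assumes the import has no quoting rule (the guide documents none), so it rejects values containing commas or line breaks rather than producing a shifted record, and it treats duplicate User IDs as an error (comparing them case-insensitively is an assumption). The user records in it are constructed.

```python
"""Build and check a PolicyServer user-import CSV in the layout the guide
describes: <User ID (required)>, <first name>, <last name>, <employee ID>,
<email address>, with a bare comma as the placeholder for an empty field.
Added example, not Trend Micro code; the user records below are constructed."""

FIELDS = ("user_id", "first_name", "last_name", "employee_id", "email")


def format_user_row(user_id, first_name="", last_name="", employee_id="", email=""):
    """Return one import line.  Empty optional fields become bare placeholders,
    reproducing the guide's "example_id, name,,, name@example.com" layout."""
    values = (user_id, first_name, last_name, employee_id, email)
    if not user_id.strip():
        raise ValueError("User ID is required")
    for name, value in zip(FIELDS, values):
        # Assumption: the guide documents no quoting rule for the import, so a
        # comma or line break inside a value would shift every following field
        # (or split the record); reject such values instead of guessing.
        if any(ch in value for ch in ",\r\n"):
            raise ValueError(f"{name} must not contain commas or line breaks")
    if email and "@" not in email:
        raise ValueError(f"email address does not look valid: {email!r}")
    cells = [user_id.strip()]
    for value in values[1:]:
        value = value.strip()
        cells.append(" " + value if value else "")
    return ",".join(cells)


def parse_user_row(line):
    """Split one import line back into a dict keyed by FIELDS, so an existing
    file can be checked before it is uploaded through the widget."""
    cells = [cell.strip() for cell in line.split(",")]
    if len(cells) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(cells)}: {line!r}")
    if not cells[0]:
        raise ValueError(f"User ID missing: {line!r}")
    return dict(zip(FIELDS, cells))


def build_import_file(users):
    """Format a list of user dicts as the full file contents.  Duplicate User IDs
    are rejected (compared case-insensitively, an assumption about how
    PolicyServer matches names) so one upload cannot create ambiguous accounts."""
    seen = set()
    lines = []
    for user in users:
        key = user["user_id"].strip().lower()
        if key in seen:
            raise ValueError(f"duplicate User ID: {user['user_id']}")
        seen.add(key)
        lines.append(format_user_row(**user))
    return "\n".join(lines) + "\n"


def check_import_file(text):
    """Parse every non-empty line of a file; return the parsed records or
    raise ValueError naming the first bad line."""
    records = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            records.append(parse_user_row(line))
        except ValueError as err:
            raise ValueError(f"line {number}: {err}") from None
    return records


# Constructed sample records (not real accounts).
SAMPLE_USERS = [
    {"user_id": "jsmith", "first_name": "John", "last_name": "Smith",
     "employee_id": "E1001", "email": "jsmith@example.com"},
    {"user_id": "example_id", "first_name": "name", "email": "name@example.com"},
    {"user_id": "temp042"},   # only the required field
]

if __name__ == "__main__":
    text = build_import_file(SAMPLE_USERS)
    print(text, end="")
    print(f"{len(check_import_file(text))} records OK")
```

Run `check_import_file` over a file prepared elsewhere before uploading it: a line with the wrong number of commas or an empty User ID is reported with its line number instead of being discovered after a partial import.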

Procedure
1. From the Endpoint Encryption Users widget, click Add User and then select Import Users from a File. The Import Users from a File screen appears.
2. Click Choose File to select the CSV file. The Open CSV File window appears.
3. Select the file and then click Open.
4. Click Add. The users in the CSV file are imported.

Importing Active Directory Users

PolicyServer maintains a user directory separate from the Active Directory database. This keeps PolicyServer, not Active Directory, in control of access to all Endpoint Encryption devices, user rights, and authentication methods. Use the Endpoint Encryption Users widget in Control Manager to import Active Directory users. For more information about managing users with the Endpoint Encryption Users widget, see Endpoint Encryption Users on page 4-7.

Procedure
1. Log on to Control Manager.
2. Go to the Endpoint Encryption Users widget.
3. Click the Add users icon.
4. Select Import Users from Active Directory. The Import Users from Active Directory screen appears.
5. Specify your credentials for the Active Directory LDAP server.

Note
For Port, the value 0 specifies the default port. The default port is

6. Click Next.
7. Wait for the specified Active Directory domain to populate. The Active Directory tree for the specified domain appears in the left pane.
8. From the left pane, use the navigation tree to select the container from which to add users. The available users populate the right pane.
9. Do one of the following:
   - Select individual users, then click Import Selected Users.
   - Click Import Everyone in this Container.
10. Click OK to add the users to the specified location. A confirmation window appears.
11. Click OK to confirm. An import status message is displayed.
12. Click Close to finish, or repeat the procedure to select more users to import.

Endpoint Encryption Devices

Endpoint Encryption devices are Endpoint Encryption agents that have registered with PolicyServer. Installing any Endpoint Encryption agent automatically registers the endpoint with PolicyServer as a new Endpoint Encryption device. Because multiple Endpoint Encryption agents may protect a given endpoint, a single endpoint may appear as more than one Endpoint Encryption device on PolicyServer.

The Endpoint Encryption Devices widget provides Endpoint Encryption device management capability directly from the Control Manager dashboard. Use the Endpoint Encryption Devices widget to monitor activity, search for Endpoint Encryption devices, or secure endpoint data by initiating lock or kill commands when an endpoint is lost or stolen.

Note
For information about adding Endpoint Encryption devices to a policy, see Specifying Policy Targets on page

Show: Select which devices to display: all devices in the Enterprise, or devices in a specific policy.
Search (icon): Click the icon to select the Endpoint Encryption agent and filter the devices shown in the table. Use the search field to specify the parameters to search against. Any attribute listed under Device Attributes can be searched.
Settings (icon) or right-click a device: Select a device and click the icon, or right-click a device, to view device attributes or to perform actions on the selected device. See Device Actions on page

Number of devices: View the total number of devices in the entire Enterprise, the selected policy, or the specified search.

Device Actions

Select a device and click the Settings icon, or right-click a device, to perform the following actions:

Delete device: Deleting an Endpoint Encryption device from the Enterprise also removes the device from all policy groups. The deleted Endpoint Encryption device continues functioning as long as the connectivity and password policies on the device are current, but the agent can no longer synchronize its policy with PolicyServer.
WARNING! Before deleting a Full Disk Encryption device, decrypt the disk and uninstall the Full Disk Encryption agent. If you delete a Full Disk Encryption device without uninstalling the agent, the Full Disk Encryption preboot may be unable to authenticate with PolicyServer and the data may become inaccessible.

Soft token: Generating a software token creates a unique string that you can use to unlock Endpoint Encryption devices and to remotely help Endpoint Encryption users reset forgotten passwords. The software token is available only in the full version of Full Disk Encryption, not in Encryption Management for Apple FileVault or Encryption Management for Microsoft BitLocker. For information about resetting passwords or unlocking a user account, see Remote Help Assistance on page

Recovery key: Generating a recovery key allows the user to decrypt a hard disk when the user has forgotten the original password or key. The recovery key is available only to Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker agents, because they do not use the other recovery methods available in Full Disk Encryption. For information about resetting passwords or unlocking a user account, see Remote Help Assistance on page

Device attributes: View a current snapshot of the selected device. See Device Attributes on page

Kill device: Initiating a kill command deletes all Endpoint Encryption device data. What is deleted depends on the scope of data that the associated Endpoint Encryption agent manages. For example, a kill command sent to a Full Disk Encryption device deletes all data from the endpoint, while a kill command sent to a File Encryption device deletes all files and folders in local or removable storage protected by the File Encryption agent. The kill command takes effect when the Endpoint Encryption agent next communicates with PolicyServer.
WARNING! Killing a device cannot be undone. Back up all data before initiating a kill command.

Lock device: Initiating a lock command on an Endpoint Encryption device prevents Endpoint Encryption user access until a successful Remote Help authentication is performed. Locking a device reboots the endpoint and forces it into a state that requires Remote Help. The lock command takes effect when the Endpoint Encryption agent next communicates with PolicyServer. See Remote Help Assistance on page

Soft reset: Initiating a soft reset command reboots the endpoint. The command takes effect the next time the agent communicates with PolicyServer.

Device Attributes

The following table describes the Endpoint Encryption device attributes. Example values are shown in parentheses where available.

AD NetBIOS Name (Enterprise): The name assigned to the AD NetBIOS.
AD Object GUID (6629bdeb-99a8-456b-b7c5-dbbc50ad13d0): The GUID assigned to the AD object.
Battery Count (2): The number of batteries installed.
.NET Version: The version and build number of the installed .NET Framework.
Common Framework Build Number: The Endpoint Encryption agent uses a common framework for encryption. The build number is used to tell whether the agent is up to date.
Disk Model (VMware Virtual IDE): The hard disk model.
Disk Name (\\.\PHYSICALDRIVE0): The name of the hard disk.
Disk Serial Number: The serial number of the hard disk.
Disk Partitions (1): The number of partitions on the disk on which the agent is installed.
Disk Size: The total capacity of the hard disk (in bytes).
Domain Name (WORKGROUP): The domain of which the endpoint is a member.
Endpoint ID: The unique ID of the endpoint used for Control Manager integration.
File Encryption Version: The version of File Encryption installed on the endpoint.
Hostname (TREND-4136D2DB3): The endpoint's host name.
IP Address: The endpoint's IP address.
Language (English (United States)): The language used by the endpoint.
Locale (en-US): The regional settings used by the endpoint.
MAC Address: The endpoint's MAC address.
Machine Name (TREND-4136D2DB3): The computer name that the endpoint uses.
Manufacturer (VMware, Inc.): The manufacturer of the endpoint hardware.
Model (VMware Virtual Platform): The model of the endpoint hardware.
Operating System: The operating system installed on the same hard disk as the agent.
Operating System Name (Microsoft Windows XP Professional): The common name of the operating system installed on the same hard disk as the agent.
Operating System Service Pack (Service Pack 3): The service pack of the operating system installed on the same hard disk as the agent.
Operating System Version: The version number of the operating system installed on the same hard disk as the agent.
Partition Scheme (Classical MBR): The partition scheme of the hard disk.
Processor (x86 Family 6 Model 30 Stepping 5, Genuine Intel): The processor make and model of the endpoint.
Processor Count (2): The number of processors in the endpoint.
Processor Revision (1e05): The processor revision number.
Time Zone (Taipei Standard Time): The time zone in which the endpoint resides.
Total Physical Memory (2047MB): The total RAM installed in or allocated to the endpoint.
Type (X86-based PC): The endpoint processor type.
Windows User Name (TREND-4136D2DB3\admin): The user name of the Windows account that last logged on to the endpoint.
<Agent> User (john_smith): The user name of the user that last logged on to the agent.
<Agent> Version: The version and build number of the agent installation.

Full Disk Encryption Status

The Full Disk Encryption Status widget shows the current encryption status of every Endpoint Encryption device in the Enterprise.

Status: The status of the Endpoint Encryption device. Statuses include:
   - Encrypted: The Endpoint Encryption device is 100% encrypted.
   - Encrypting: The Endpoint Encryption device is currently encrypting the hard disk. The status changes to Encrypted once encryption completes and the endpoint restarts.
   - Not encrypted: The Endpoint Encryption device is 0% encrypted.
   - Decrypting: The Endpoint Encryption device is currently decrypting the hard disk. The status changes to Not encrypted once decryption completes and the endpoint restarts.
   - Unknown: The Endpoint Encryption device synchronized, but PolicyServer cannot determine the encryption status.
Rate: The percentage of the Endpoint Encryption device that is encrypted.
Devices: The number of Endpoint Encryption devices with that status. Click the number to view the Endpoint Encryption Devices report. For more information, see Full Disk Encryption Status Report on page

Note
At the bottom of the widget, click the number next to Total to view the Endpoint Encryption Status report.

Full Disk Encryption Status Report

The following table describes the Full Disk Encryption Status report. Use it to understand how to read the report details.

Table 4-5. Full Disk Encryption Status Report Example

Policy (example: GP1): The name of the policy controlling the Endpoint Encryption device.
Device Name (example: TREND-4136D2DB3): The computer name used by the Endpoint Encryption device.
Device ID: The unique ID established when the Endpoint Encryption agent was installed on the endpoint and a new Endpoint Encryption device was registered with PolicyServer.
Agent (example: Full Disk Encryption): The currently installed Endpoint Encryption agent.
Status (example: Not Encrypted): The current state of the Endpoint Encryption device.
Last Synchronized Date: The timestamp when the Endpoint Encryption device last updated its policies from PolicyServer.
Last Policy Enforcement: The timestamp when Control Manager last enforced policy changes on PolicyServer.

Endpoint Encryption Unsuccessful Device Logon

The Endpoint Encryption Unsuccessful Device Logon widget shows all Endpoint Encryption devices that had unsuccessful logon attempts by any user (Endpoint Encryption user or non-Endpoint Encryption user). An unsuccessful device logon event may indicate an attempted breach, or simply that the Endpoint Encryption user forgot the logon credentials.

Device Name: The computer name of the Endpoint Encryption device.
Policy: The policy managing the Endpoint Encryption device.
Events: The number of unsuccessful logon attempts. Click the number to view the Endpoint Encryption Unsuccessful Device Logon report.

Unsuccessful Device Logon Report

The following table explains the Endpoint Encryption Unsuccessful Device Logon report. Use it to understand how to read the report details.

Table 4-6. Endpoint Encryption Unsuccessful Device Logon Report Example

Event Timestamp: When the event occurred.
Policy (example: GP1): The name of the policy controlling the Endpoint Encryption device.
Device Name (example: TREND-4136D2DB3): The computer name used by the Endpoint Encryption device.
Device ID: The unique ID established when the Endpoint Encryption agent was installed on the endpoint and a new Endpoint Encryption device was registered with PolicyServer.
IP Address: The Endpoint Encryption device IP address.
Agent (example: Full Disk Encryption): The currently installed Endpoint Encryption agent.
User Name (example: user325): The user name used in the attempt to log on to the Endpoint Encryption device.
Display Name (example: Mary Jones): The first and last name of the Endpoint Encryption user account. If the specified user name is not a valid Endpoint Encryption user name, the column shows Not Recorded.
Event (example: Unsuccessful Fixed Password Login): The logged event, including the authentication method.

Endpoint Encryption Unsuccessful User Logon

The Endpoint Encryption Unsuccessful User Logon widget shows all unsuccessful attempts by any user (Endpoint Encryption user or non-Endpoint Encryption user) to log on to any Endpoint Encryption device.

User Name: The user name used in the attempt to log on to the Endpoint Encryption device.
Display Name: The display name of the user account that attempted to log on to the Endpoint Encryption device.
Events: The number of authentication attempts. Click the number to view the Endpoint Encryption Unsuccessful User Logon report.

Unsuccessful User Logon Report

The following table explains the Endpoint Encryption Unsuccessful User Logon report. Use it to understand how to read the report details.

Table 4-7. Endpoint Encryption Unsuccessful User Logon Report Example

Event Timestamp: When the event occurred.
Policy (example: GP1): The name of the policy controlling the Endpoint Encryption device.
Device Name (example: TREND-4136D2DB3): The computer name used by the Endpoint Encryption device.
Device ID: The unique ID established when the Endpoint Encryption agent was installed on the endpoint and a new Endpoint Encryption device was registered with PolicyServer.
IP Address: The Endpoint Encryption device IP address.
Agent (example: Full Disk Encryption): The currently installed Endpoint Encryption agent.
User Name (example: user325): The user name used in the attempt to log on to the Endpoint Encryption device.
Display Name (example: Mary Jones): The first and last name of the Endpoint Encryption user account. If the specified user name is not a valid Endpoint Encryption user name, the column shows Not Recorded.
Event (example: Unsuccessful Fixed Password Login): The logged event, including the authentication method.

Endpoint Encryption Device Lockout

The Endpoint Encryption Device Lockout widget shows Endpoint Encryption devices that are locked out due to policy restrictions.

Note
For information about Endpoint Encryption device lockout rules, see Lockout Actions on page

Device Name: The computer name used by the Endpoint Encryption device.
Policy: The name of the policy controlling the Endpoint Encryption device.
Lockout: The timestamp when PolicyServer issued the device lock command. The Endpoint Encryption device does not actually lock until the Endpoint Encryption agent next synchronizes policies with PolicyServer.
Details: Click the details icon to view the Endpoint Encryption Device Lockout report.

At the bottom of the widget, click the number next to Total to view the report.

Device Lockout Report

The following table explains the Endpoint Encryption Device Lockout report. Use it to understand how to read the report details.

Note
For information about account lockout and device lock actions, see Lockout Actions on page

Table 4-8. Endpoint Encryption Device Lockout Report Example

Event Timestamp: When the event occurred.
Policy (example: GP1): The name of the policy controlling the Endpoint Encryption device.
Device Name (example: TREND-4136D2DB3): The computer name used by the Endpoint Encryption device.
Device ID: The unique ID established when the Endpoint Encryption agent was installed on the endpoint and a new Endpoint Encryption device was registered with PolicyServer.
IP Address: The Endpoint Encryption device IP address.
Agent (example: Full Disk Encryption): The currently installed Endpoint Encryption agent.
User Name (example: user325): The user name used in the attempt to log on to the Endpoint Encryption device.
Display Name (example: Mary Jones): The first and last name of the Endpoint Encryption user account. If the specified user name is not a valid Endpoint Encryption user name, the column shows Not Recorded.
Event (example: Locked device due to invalid login attempt violation.): The logged event, including the authentication method.

Endpoint Encryption Security Violations Report

The Endpoint Encryption Security Violations Report widget shows the security violations assessed by the following reports:
- Endpoint Encryption Consecutive Unsuccessful Device Logon
- Endpoint Encryption Policy Tampering
- Endpoint Encryption Log Integrity

Generating a report gathers all security violations currently logged by PolicyServer. Once a report is generated, click the number in the Reports column to view the generated reports for that violation.

Violation report type: The available report types for the various violations.
Action: Click Generate to create a new report.
Reports: The total number of generated reports for that violation. Click the number to view the available reports.

Note
To specify the number of unsuccessful logon attempts before a security violation is recorded, click the settings icon to open the Widget Settings window, type a value in the Consecutive unsuccessful logons text box, and then click Save.

Consecutive Unsuccessful Device Logon Report

The following table explains the Endpoint Encryption Consecutive Unsuccessful Device Logon report. Use it to understand when the logon attempts occurred, the affected Endpoint Encryption device, and how many times a user attempted to log on to the Endpoint Encryption device.

Table 4-9. Endpoint Encryption Consecutive Unsuccessful Device Logon Report Example

Event Timestamp: When the event occurred.
Device Name (example: TREND-4136D2DB3): The computer name used by the Endpoint Encryption device.
Attempts (example: 5): The number of times that a user attempted to log on to the Endpoint Encryption device.

Policy Tampering Report

The following table explains the Endpoint Encryption Policy Tampering report. Use it to understand how to read the report details.

Table 4-10. Endpoint Encryption Policy Tampering Report Example

Event Timestamp: When the event occurred.
Event (example: Policy Value Integrity Check Failed): The logged event.

Log Integrity Report

The following table explains the Endpoint Encryption Log Integrity report. Use it to understand how to read the report details.

Table 4-11. Endpoint Encryption Log Integrity Report Example

Event Timestamp: When the event occurred.
Event (example: Audit Log Record Missing): The logged event.
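The Consecutive Unsuccessful Device Logon report (Table 4-9) and the widget's Consecutive unsuccessful logons setting amount to one rule: a run of unsuccessful logons on a single device, by any user, that reaches the threshold is a violation, and a successful logon ends the run. The script below is an added example, not part of this guide or of PolicyServer; it applies that rule to log records shaped like the report columns (Event Timestamp, Device Name, User Name, Event) so the same check can be run offline over exported events, for instance to confirm a chosen threshold before saving it in Widget Settings. The records are constructed, and the timestamp format and the Unsuccessful/Successful event prefixes are assumptions modelled on the report examples.

```python
"""Flag Endpoint Encryption devices whose run of consecutive unsuccessful
logons reaches a threshold, mirroring the Consecutive Unsuccessful Device
Logon report.  Added example, not Trend Micro code.  The records below are
constructed to match the report columns, not exported from PolicyServer."""
from collections import defaultdict
from datetime import datetime

# Assumed timestamp layout, modelled on the report examples ("07/02/... 12:56 pm").
TIMESTAMP_FORMAT = "%m/%d/%Y %I:%M %p"

# Constructed sample: (Event Timestamp, Device Name, User Name, Event).
# Deliberately out of order to show that runs are evaluated in time order.
SAMPLE_EVENTS = [
    ("07/02/2018 12:58 pm", "TREND-4136D2DB3", "user325", "Unsuccessful Fixed Password Login"),
    ("07/02/2018 12:56 pm", "TREND-4136D2DB3", "user325", "Unsuccessful Fixed Password Login"),
    ("07/02/2018 12:57 pm", "TREND-4136D2DB3", "user325", "Unsuccessful Fixed Password Login"),
    ("07/02/2018 12:59 pm", "TREND-4136D2DB3", "mjones", "Unsuccessful Fixed Password Login"),
    ("07/02/2018 01:00 pm", "TREND-4136D2DB3", "mjones", "Unsuccessful Fixed Password Login"),
    ("07/02/2018 01:01 pm", "TREND-4136D2DB3", "administrator", "Unsuccessful Fixed Password Login"),
    ("07/02/2018 09:10 am", "TREND-7A0C11E9", "user118", "Unsuccessful Fixed Password Login"),
    ("07/02/2018 09:11 am", "TREND-7A0C11E9", "user118", "Unsuccessful Fixed Password Login"),
    ("07/02/2018 09:12 am", "TREND-7A0C11E9", "user118", "Unsuccessful Fixed Password Login"),
    ("07/02/2018 09:15 am", "TREND-7A0C11E9", "user118", "Successful Fixed Password Login"),
    ("07/02/2018 09:20 am", "TREND-7A0C11E9", "user118", "Unsuccessful Fixed Password Login"),
    ("07/02/2018 09:21 am", "TREND-7A0C11E9", "user118", "Unsuccessful Fixed Password Login"),
    ("07/02/2018 08:00 am", "TREND-0F3B5D24", "user090", "Unsuccessful Domain Login"),
]


def parse_timestamp(text):
    """Parse a report-style timestamp; raises ValueError on a malformed value."""
    return datetime.strptime(text, TIMESTAMP_FORMAT)


def is_unsuccessful(event):
    """Assumption: failed logons are logged with an 'Unsuccessful ...' event name."""
    return event.lower().startswith("unsuccessful")


def longest_failure_runs(events):
    """Return {device: (attempts, timestamp of the run's last failure)} for the
    longest run of consecutive unsuccessful logons on each device, by any user.
    A successful logon ends the current run; later failures start a new one."""
    ordered = sorted(events, key=lambda e: parse_timestamp(e[0]))
    current = defaultdict(int)
    best = {}
    for timestamp, device, _user, event in ordered:
        if is_unsuccessful(event):
            current[device] += 1
            attempts, _ = best.get(device, (0, None))
            if current[device] >= attempts:
                best[device] = (current[device], timestamp)
        else:
            current[device] = 0
    return best


def violations(events, threshold):
    """Devices whose longest failure run reached `threshold` (the widget's
    Consecutive unsuccessful logons value), as (device, attempts, timestamp)
    rows sorted by attempts descending, then device name."""
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    rows = [(device, attempts, timestamp)
            for device, (attempts, timestamp) in longest_failure_runs(events).items()
            if attempts >= threshold]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for device, attempts, timestamp in violations(SAMPLE_EVENTS, 5):
        print(f"{timestamp}  {device}  attempts={attempts}")
```

With the sample data, a threshold of 5 reports only TREND-4136D2DB3 (six failures spread over three user names), while a threshold of 3 also reports TREND-7A0C11E9, whose first run of three failures counts even though a later successful logon reset the count. Counting per device rather than per user name is what catches an attacker cycling through accounts at the preboot prompt.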


Chapter 5
Policies

This chapter explains how to use policies and provides detailed information about individual policy setting values.

Authentication Overview

The primary protection that Endpoint Encryption delivers is preventing unauthorized users from accessing encrypted endpoints and devices. Correctly configuring Endpoint Encryption devices, users, and policy groups reduces the risk of data loss from accidental information release or deliberate sabotage.

- Devices on page 5-2
- Users on page 5-3
- Groups on page 5-4

Endpoint Encryption counts the number of consecutive logon attempts on a given device and the time elapsed since the device last communicated with PolicyServer. If a device violates the policy criteria, Endpoint Encryption can reset, lock, or erase the disk.

In addition to checking authentication attempts on a device, Endpoint Encryption also counts the number of consecutive logon attempts by a particular user account. If that user violates the policy criteria, Endpoint Encryption can reset, lock, or erase the disk.

Groups act as containers for users for policy management. Administrators and authenticators assigned to a group have their special privileges only within that group, whereas administrators and authenticators not assigned to any group have that role throughout the Enterprise.

For a complete list of the configurable methods to authenticate users and devices, see Authentication Methods on page

Devices

Endpoint Encryption devices are Endpoint Encryption agents that have registered with PolicyServer. Installing any Endpoint Encryption agent automatically registers the endpoint with PolicyServer as a new Endpoint Encryption device. Because multiple Endpoint Encryption agents may protect a given endpoint, a single endpoint may appear as more than one Endpoint Encryption device on PolicyServer.

Depending on the policy settings, Endpoint Encryption takes one of the following actions when consecutive logon attempts on a device are unsuccessful:
- Delay the next authentication attempt

- Lock the device
- Erase all data on the device

Note
To configure Endpoint Encryption devices, use the Endpoint Encryption Devices widget. See Endpoint Encryption Devices on page

Users

Endpoint Encryption users are any user accounts manually added to PolicyServer or synchronized with Active Directory. Endpoint Encryption has several account roles and authentication methods for comprehensive identity-based authentication and management. Using Control Manager or PolicyServer MMC, you can add or import user accounts, control authentication, synchronize with Active Directory, and manage policy group membership, as needed.

The following table describes the Endpoint Encryption user roles:

Administrator: Administrators may access the management consoles and perform any configuration within their domain. This role has different rights depending on the level at which the administrator role is added:
   - Enterprise administrator: These administrators have control over all policies, groups, users, and devices in the enterprise.
   - Group administrator: These administrators have control over users and devices that authenticate within a specific group. Control Manager creates a group for each policy, so these administrators may also be called policy administrators.

Authenticator: Authenticators provide remote assistance when users forget their Endpoint Encryption passwords or have technical problems. This role has different rights depending on the level at which the authenticator role is added:
   - Enterprise authenticator: These authenticators can assist any user in the enterprise.
   - Group authenticator: These authenticators can assist any user within a specific group. Control Manager creates a group for each policy, so these authenticators may also be called policy authenticators.
User: Basic end users have no special privileges. The user role may not log on to the Endpoint Encryption management consoles. Unless allowed by PolicyServer, the user role also may not use recovery tools.

Note
To configure Endpoint Encryption users, use the Endpoint Encryption Users widget. See Endpoint Encryption Users on page 4-7.

Groups

Endpoint Encryption manages policies by user group. Group management differs between PolicyServer MMC and Control Manager. After policies and groups are modified, PolicyServer synchronizes the groups across both consoles.

Important
Control Manager always takes precedence over PolicyServer MMC for policy and group assignment. Any modification to the group assignment in PolicyServer MMC is overwritten the next time Control Manager synchronizes with PolicyServer.

Control Manager: Endpoint Encryption automatically creates a group each time a policy with specific targets is deployed. After deployment, modify the groups a user belongs to from the Endpoint Encryption Users widget, and modify the users in the policy from the Policy Management screen.
PolicyServer MMC: Add and modify groups directly from the left pane of PolicyServer MMC. Groups in PolicyServer MMC can be assigned as follows:
   - Top Group: Top Groups are the highest level of groups under the Enterprise. Each Top Group has a unique node underneath the Enterprise.
   - Subgroup: Subgroups are created within Top Groups. Subgroups inherit the policies of the Top Group on creation, but do not inherit changes made to the Top Group afterwards. Subgroups may not be more permissive than the Top Group.

Note
You must manually assign devices and users to each subgroup. Adding Endpoint Encryption users to a subgroup does not automatically add the users to the Top Group. However, you can add users to both the Top Group and the subgroup.

Note
To configure the users within a policy group on Control Manager, use the Endpoint Encryption Users widget. See Endpoint Encryption Users on page 4-7. To configure users within a policy group on PolicyServer MMC, see the Endpoint Encryption PolicyServer MMC Guide.

Policies in Control Manager

The policy list displays the information and status of policies created by all users. When a new endpoint registers to Control Manager, it goes through the filtered policies in the list in descending order. Control Manager assigns the new endpoint to a filtered policy when both of the following conditions are satisfied:

100 Trend Micro Endpoint Encryption Administrator Guide The new endpoint matches the target criteria of the policy The policy creator has the permission to manage the new endpoint The following table describes the items in the policy list. Menu Item Description Priority Policy Targets Deployed This column is not used in Endpoint Encryption. This column only displays the following: Locked: The policy has been created and is being used. Blank: The policy is a draft and is not currently being used. Displays the name of the policy. Displays how administrators select targets for the policy. Specified: Uses the browse or search function to select specific targets for the policy. Specified policies remain static on the top of the policy list and take priority over filtered policies. Filtered: This option is not used in Endpoint Encryption. None: The policy creator saved the policy as a draft without selecting any targets. Displays the number of targets that have applied the policy settings. 5-6

Pending: Displays the number of targets that have not yet applied the policy settings. Click the pending number to check the policy status.

Creator: Displays the user who created the policy.

Endpoints/Products without policies: Displays the number of managed products or endpoints to which Control Manager has not assigned a policy.

Total endpoints/products: Displays the number of managed products or endpoints available for policy management.

Note: The numbers in Deployed, Pending, Endpoints/Products without policies, and Total endpoints/products only reflect the endpoints or managed products that the logged-on administrator has permission to manage.

Policy Options

Policy management allows administrators to enforce product settings on managed products and endpoints from a single management console. Administrators create a policy by selecting the targets and configuring a list of product settings. Control Manager policies have the following attributes:

Table 5-1. Control Manager Policy Options

Policy name: The name of the policy configuration.

Targets: Administrators select the targets that the policy applies to, either manually or with a filter that assigns targets automatically. The target selection method determines the policy type and how the policy works. See Policy Types on page 5-9 for more information about policy types. To include a managed product or endpoint as a target, make sure that its product version supports policy management in Control Manager. The Policy Template Settings screen lists the supported product versions.

Settings: Once Control Manager deploys a policy to the targets, the settings defined in the policy overwrite the existing settings in the targets. Control Manager re-enforces the policy settings on the targets every 24 hours. Local administrators can change settings from the managed product console, but the changes are overwritten the next time Control Manager enforces the policy.

Note: Because policy enforcement only occurs every 24 hours, the product settings on a target may differ from the policy settings for up to a day if a local administrator changes them through the managed product console between enforcement runs; a locally weakened setting persists until then.

Note: Use the Product Directory to move the managed PolicyServer instance from the New Entity folder to the Endpoint Encryption folder.

Policy Types

Control Manager provides three types of policies that administrators can create. Each policy type differs in its target selection method, which affects how the policy works. The policy list arranges the policy types in the order described in the following table.

Table 5-2. Policy Types

Specified: Uses the search or browse function to locate specific targets and manually assigns them to the policy. Useful when administrators plan to deploy specific settings only to certain targets. Remains static at the top of the policy list and takes priority over any filtered policies.

Filtered: Note: Endpoint Encryption does not support filtered policies.

Draft: Allows administrators to save policy settings as a draft without selecting any targets. Control Manager saves draft policies with the lowest priority at the bottom of the list.

Creating a Policy

The following procedure explains how to configure a Control Manager policy that affects Endpoint Encryption users and devices.

Procedure

1. Set up your Endpoint Encryption users and devices. Endpoint Encryption user and device configuration uses the Endpoint Encryption Users and Endpoint Encryption Devices widgets. See Endpoint Encryption Users on page 4-7 and Endpoint Encryption Devices on page 4-13 respectively.

If your environment includes Active Directory, ensure that you have configured Active Directory and synchronized all users. See Active Directory Synchronization. For a general description of the authentication process, see Authentication Overview.

2. Go to the Create Policy screen.
   a. Go to Policies > Policy Management.
   b. From the Product drop-down list, select Endpoint Encryption.
   c. Click Create. The Create Policy screen appears.

3. Specify a policy name.

4. Select one of the following policy target options:
   None (Draft Only): Create a policy with no targets (endpoints). A policy with no targets cannot be deployed. After creating a draft policy, edit it later to specify targets and deploy it to your environment.
   Filter by Criteria: Endpoint Encryption does not support filtering by criteria.
   Specify Target(s): Specify existing endpoints.

Note: For more information about policy targets, see Specifying Policy Targets.

5. Specify the Endpoint Encryption policy settings. Endpoint Encryption settings are divided into the following rule sets:
   Users: see Configuring Endpoint Encryption Users Rules on page 5-13.
   Full Disk Encryption: see Configuring Full Disk Encryption Rules on page 5-15.
   File Encryption: see Configuring File Encryption Rules on page 5-19.
   Common: see Configuring Common Policy Rules.

6. Click Save.

Specifying Policy Targets

Use the Specify Target(s) screen to assign Endpoint Encryption devices to the policy.

Note: The Specify Target(s) screen is available when creating a new policy. For information about creating a policy, see Creating a Policy.

Figure 5-1. Specifying Policy Targets

Procedure

1. From the Specify Target(s) screen, click the Browse tab.

2. From the left pane, expand the tree to select the managed folder. Example: CM-PI-2K8 > Local Folder > TMEE > TMEE > QA2

3. Select the appropriate Endpoint Encryption devices, or select the top check box to select all Endpoint Encryption devices listed on the current page.

4. Click Add Selected Targets.

Note: To immediately select all devices in the managed folder, click Add All from Selected Folder. View Action List and View Results update based on the selection.

5. Click OK.

Configuring Endpoint Encryption Users Rules

The following procedure explains the configurable options for policy rules that affect authentication and Endpoint Encryption user accounts.

Procedure

1. Create a new Endpoint Encryption policy. See Creating a Policy.

2. Click Users. The Users policy rules settings appear.

Figure 5-2. Endpoint Encryption Users Policy Rules

3. If users require domain authentication, select Enable domain authentication under Domain User Settings. If you selected Enable domain authentication, specify the server information for your Active Directory (AD) account.

   a. Configure the AD domain name.
   b. Configure the host name of the AD server.
   c. Select the server type: LDAP or LDAP proxy.

4. Under User Management, configure user access.
   All Endpoint Encryption users: Allow all users, both domain and local accounts, to authenticate to Endpoint Encryption devices.
   Active Directory users: Allow users from organizational units (OUs) within an AD domain to authenticate to Endpoint Encryption devices.
     Note: Select Enable domain authentication to enable the Active Directory users option. To configure domain authentication, see Active Directory Synchronization.
   Select specific users: Specify which already added Endpoint Encryption users can authenticate to managed endpoints.
     Note: To select specific users with this option, you must first populate the user list. Add OUs with the Active Directory users option, or add users with the Endpoint Encryption Users widget. For more information about the Endpoint Encryption Users widget, see Endpoint Encryption Users.

5. If you selected Active Directory users, add OUs to the policy by their distinguished name.

After selecting Active Directory users, the following additional options appear:
   User name: Specify the Active Directory user name used to query the directory.
   Password: Specify the password of that Active Directory account.
   Distinguished name: Specify each OU by its sequence of relative distinguished names (RDNs) separated by commas. Example: OU=TW, DC=mycompany, DC=com. After specifying the OU distinguished name, click OK.

These directory credentials are saved as part of the policy, so use a dedicated account that has only the permissions the OU lookup requires rather than a personal or domain administrator account.

Important: Endpoint Encryption supports up to 12 OUs per policy.

Configuring Full Disk Encryption Rules

The following procedure explains the configurable options for policy rules affecting Full Disk Encryption devices.

Note: Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker do not require Endpoint Encryption authentication and are not affected by authentication policies. Client, login, password, and authentication policies, and the policy allowing the user to uninstall the Endpoint Encryption agent software, only affect the Full Disk Encryption and File Encryption agents.

Procedure

1. Create a new Endpoint Encryption policy. See Creating a Policy.

2. Click Full Disk Encryption.

The Full Disk Encryption policy rules settings appear.

Figure 5-3. Full Disk Encryption Policy Rules

3. Under Encryption, select the following options:
   Select Encrypt device to start full disk encryption when the Endpoint Encryption agent next synchronizes policies with PolicyServer.

WARNING! Do not deploy encryption to Full Disk Encryption agents without first preparing the endpoint's hard drive. For information about preparing the hard drive, see Full Disk Encryption Deployment Outline in the Endpoint Encryption Installation Guide.

   Select Encrypt only used space to encrypt only the sectors currently in use. This shortens initial encryption on a freshly provisioned drive, but on a drive that has already held data, free sectors that still contain remnants of deleted files stay unencrypted.
   Select Select encrypt key size to specify the device encryption key size in bits.

4. Under Agent Settings, select the following options:
   Select Bypass Full Disk Encryption Preboot to let the user boot directly into Windows without preboot authentication. This removes the preboot gate that restricts access to the host operating system until a user is validated, so enable it only where another control compensates.
   Select Users are allowed to access system recovery utilities on the device to allow the user to access the Recovery Console. For information about configurable options and available tools in Full Disk Encryption, see Recovery Console on page 9-5.
   Select Allow user to configure Wi-Fi to allow users to configure Wi-Fi settings on the device during preboot.
   Select Enable Wi-Fi configuration to use a predetermined Wi-Fi configuration during preboot. Specify the following details: Network name (SSID), User name, Password, Security type.
   Select Enable logon background color to specify the background color during logon.
   Select Enable logon banner to specify a logon banner image.

   The image should not exceed 128 KB in size and should measure 512 x 64 pixels. Accepted file formats are PNG with transparency (recommended), JPG, and GIF.

5. Under Notifications, configure the following options:
   Select If found, display the following message on the device to show a message when the If Found policy is active.
   Select Display Technical Support contact information to show a message after the user logs on to the Full Disk Encryption agent.
   Select Show a legal notice to show the specified legal message at start up, or only after installing the Full Disk Encryption agent.

Configuring File Encryption Rules

The following procedure explains the configurable options for policy rules affecting File Encryption devices.

Procedure

1. Create a new Endpoint Encryption policy. See Creating a Policy.

2. Click File Encryption.

The File Encryption policy rules settings appear.

Figure 5-4. File Encryption Policy Rules

3. Under Folder to Encrypt, specify the folders that are automatically created and encrypted on the endpoint when the File Encryption agent synchronizes policies.

4. Under Encryption Key, select the key used for the File Encryption encrypted folder:
   User key: Use a unique key for each Endpoint Encryption user. Only the Endpoint Encryption user who encrypted a file can decrypt it.

   Policy key: Use a unique key for each policy. Only Endpoint Encryption users and devices in the policy can decrypt the files.
   Enterprise key: Any Endpoint Encryption user or device in the Enterprise can decrypt the files.

   Note: Selecting Policy key or Enterprise key controls the sharing scope of the File Encryption shared key. For more information, see File Encryption Actions.

5. Under Storage Devices, configure the following options:
   Select Disable optical drives to control whether optical media is accessible from the endpoint.
   Select Disable USB drives to control when the USB ports are disabled. Options are: Always, Logged out, Never.
   Select Encrypt all files and folders on USB devices to automatically encrypt all files and folders on removable drives when they are plugged into the endpoint.
   Select Specify the file path to encrypt on USB devices to add or remove encrypted folders on USB drives. If a folder does not exist, it is created. If no drive letter is specified, all USB devices are affected.

6. Under Notifications, select Show a legal notice to show the specified legal message at start up, or only after installing the File Encryption agent.

Configuring Common Policy Rules

This section explains the configurable options for policy rules affecting all Endpoint Encryption devices.

Procedure

1. Create a new Endpoint Encryption policy. See Creating a Policy.

2. Click Common. The Common policy rules settings appear.

Figure 5-5. Common Policy Rules

3. Under Allow User to Uninstall, select Allow User (non-administrator) accounts to uninstall agent software to allow any Endpoint Encryption user to uninstall the agent.

   Note: By default, only Administrator accounts can uninstall Endpoint Encryption agents.

4. Under Lockout and Lock Device Actions, configure the following options:
   Select Lock account after <number> days to specify how many days the Endpoint Encryption device may go without synchronizing policies before it locks.
   Use Account lockout action to specify whether the Remote Authentication or the Erase action occurs at lockout.
     Note: For information about lock options, see Lockout Actions on page 5-24.
   Select Failed log on attempts allowed to specify how many times a user can attempt to authenticate before the Endpoint Encryption device locks.
   For Full Disk Encryption and File Encryption devices, separately configure the following:
     Use Device locked action to specify whether the Remote Authentication or the Erase action occurs at lockout.
       Note: For information about lock options, see Lockout Actions on page 5-24.
     Use Number of minutes to lock device to specify how long the time delay lock keeps the Endpoint Encryption device from accepting authentication.

5. Under Password, configure the following options:
   Select Users must change password after <number> days to control when a user is prompted to update the password.

   Select Users cannot reuse the previous <number> passwords to specify how many previous passwords the user may not reuse.
   Select Number of consecutive characters allowed in a password to specify how many identical characters in a row a user may use in the password.
   Select Minimum length allowed for passwords to specify the minimum number of characters the user is required to use in the password.

6. Under Password Requirements, specify the password character requirements for each of the following classes: Letters, Lowercase characters, Uppercase characters, Numbers, Symbols.

   Important: The sum total of letters, numbers, and symbols cannot exceed 255 characters.

7. Under Agent, specify the Sync interval in minutes.

Lockout Actions

Some policies have settings to lock out a user account or to lock a device based on certain criteria. Account lockout and device lockout actions affect the Endpoint Encryption device whether or not the agent synchronizes policies with PolicyServer. For example, if the Endpoint Encryption agent does not communicate with PolicyServer for a certain period of time, the Endpoint Encryption agent automatically locks the Endpoint Encryption device. Use the tables below to understand the actions available for the account lockout and device lock actions. The following table describes when the lockout actions occur:

Account lockout: Account lockout actions take effect when the Endpoint Encryption agent does not communicate with PolicyServer for the period of time set by the policy.

Full Disk Encryption device lockout: Full Disk Encryption device lockout actions take effect when the Endpoint Encryption user exceeds the number of unsuccessful logon attempts to that Full Disk Encryption device set by the policy.

File Encryption device lockout: File Encryption device lockout actions take effect when the Endpoint Encryption user exceeds the number of unsuccessful logon attempts to that File Encryption device set by the policy.

The options for lockout actions are as follows:

Erase: PolicyServer erases all data controlled by the associated Endpoint Encryption agent.
  WARNING! The Endpoint Encryption user cannot recover the erased data.

Remote authentication: PolicyServer locks the Endpoint Encryption device until the Endpoint Encryption user receives Remote Help authentication from an Authenticator or from Support. See Remote Help.

Time delay: PolicyServer temporarily locks the Endpoint Encryption device and notifies the Endpoint Encryption user that the device is locked. The ability to authenticate or reset the password is disabled during the time delay. The duration of the time delay is determined by policy. Once the time delay has expired, the user is permitted to authenticate again.
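The Common policy rules above are easier to reason about as code. The following Python is an added example, not Trend Micro's implementation: it models the password rules from steps 5 and 6 of Configuring Common Policy Rules (minimum length, identical consecutive characters, password history, per-class character minimums) and the two lockout triggers from step 4 and the Lockout Actions tables (days without a PolicyServer synchronization, and failed logon attempts leading to the Erase, Remote authentication or Time delay action). The class and function names, the SHA-256 password history, the reading of "Failed log on attempts allowed" as the count at which the device locks, and the sample policy values are assumptions.

```python
"""Added example: enforcement logic modelled on the Common policy rules.

Not Trend Micro code. Names, the SHA-256 password history and the default
policy values are assumptions; the rules are the ones the Common policy
rules screen exposes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from hashlib import sha256
from typing import List, Optional, Tuple
import hmac


class LockAction(Enum):
    ERASE = "erase"                          # agent wipes all data it controls
    REMOTE_AUTHENTICATION = "remote_auth"    # locked until Remote Help succeeds
    TIME_DELAY = "time_delay"                # locked for a policy-defined number of minutes


@dataclass(frozen=True)
class PasswordRules:
    min_length: int = 8          # Minimum length allowed for passwords
    max_consecutive: int = 2     # Number of consecutive characters allowed
    history: int = 5             # Users cannot reuse the previous <number> passwords
    min_letters: int = 1         # Password Requirements: per-class minimums
    min_lowercase: int = 0
    min_uppercase: int = 0
    min_numbers: int = 0
    min_symbols: int = 0


@dataclass(frozen=True)
class LockoutRules:
    lock_after_days: int = 30                # Lock account after <number> days without a sync
    account_lockout_action: LockAction = LockAction.REMOTE_AUTHENTICATION
    failed_attempts_allowed: int = 5         # Failed log on attempts allowed
    device_locked_action: LockAction = LockAction.TIME_DELAY
    time_delay_minutes: int = 30             # Number of minutes to lock device


def password_digest(password: str) -> str:
    """History entries are kept as SHA-256 digests (assumption), never as clear text."""
    return sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, rules: PasswordRules, history: List[str]) -> List[str]:
    """Return every rule the candidate violates; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < rules.min_length:
        problems.append(f"shorter than {rules.min_length} characters")
    # Longest run of one identical character, e.g. 'aaab' -> 3.
    run = longest = 1
    for prev, cur in zip(candidate, candidate[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    if longest > rules.max_consecutive:
        problems.append(f"{longest} identical consecutive characters (max {rules.max_consecutive})")
    counts = {
        "letters": sum(c.isalpha() for c in candidate),
        "lowercase": sum(c.islower() for c in candidate),
        "uppercase": sum(c.isupper() for c in candidate),
        "numbers": sum(c.isdigit() for c in candidate),
        "symbols": sum(not c.isalnum() and not c.isspace() for c in candidate),
    }
    required = {"letters": rules.min_letters, "lowercase": rules.min_lowercase,
                "uppercase": rules.min_uppercase, "numbers": rules.min_numbers,
                "symbols": rules.min_symbols}
    for name, needed in required.items():
        if counts[name] < needed:
            problems.append(f"needs at least {needed} {name}")
    # Only the most recent <history> digests count; compare in constant time.
    recent = history[-rules.history:] if rules.history > 0 else []
    digest = password_digest(candidate)
    if any(hmac.compare_digest(digest, old) for old in recent):
        problems.append(f"reuses one of the previous {rules.history} passwords")
    return problems


def account_lockout(rules: LockoutRules, last_sync: datetime, now: datetime) -> Optional[LockAction]:
    """Account lockout fires once the agent has gone lock_after_days without a PolicyServer sync.
    It is evaluated on the device, so it applies whether or not PolicyServer is reachable."""
    if now - last_sync >= timedelta(days=rules.lock_after_days):
        return rules.account_lockout_action
    return None


def device_lockout(rules: LockoutRules, failed_attempts: int, now: datetime,
                   lock_started: Optional[datetime] = None
                   ) -> Tuple[Optional[LockAction], Optional[datetime]]:
    """Device lockout fires when failed logon attempts reach the allowance (assumed inclusive).
    Returns (action, unlock_time); unlock_time is set only for a Time delay lock."""
    if failed_attempts < rules.failed_attempts_allowed:
        return None, None
    if rules.device_locked_action is LockAction.TIME_DELAY:
        started = lock_started or now
        return LockAction.TIME_DELAY, started + timedelta(minutes=rules.time_delay_minutes)
    return rules.device_locked_action, None
```

The account lockout is driven purely by the device clock and the last synchronization time, which is why the guide says it takes effect whether or not the agent can reach PolicyServer; a device that is kept offline past the configured number of days locks itself and then needs the configured action (Remote Help or, if so configured, an erase) to recover.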

Migrating Groups to Control Manager

Use the following procedure to add existing groups from PolicyServer MMC to Control Manager.

Procedure

1. Log on to PolicyServer MMC.

2. Gather the following information:
   The total number of groups, their names, and their subgroups
   All users assigned to each group
   The policy configuration of each group

3. Log on to Control Manager.

4. For each group in PolicyServer MMC, configure a new policy that matches the corresponding group policy configuration.

   Note: Subgroups are not supported in Control Manager. To replicate subgroup policy settings, create a separate policy for each subgroup. Because Control Manager has no subgroup hierarchy, nothing enforces the PolicyServer MMC rule that a subgroup may not be more permissive than its Top Group; compare each replicated policy against the former Top Group settings before deploying.

5. Add users to each corresponding new policy.

6. Deploy each policy.
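When the Users rules of a policy are set to Active Directory users (step 5 of Configuring Endpoint Encryption Users Rules), each OU is entered by its distinguished name, and a policy holds at most 12 of them. The following Python is an added example, not Trend Micro code, for checking a prepared list of OU distinguished names before typing them into the policy: it parses each DN into its RDNs (handling backslash escapes and the optional whitespace after commas that the guide's own example uses), rejects entries that do not name an OU inside a domain, drops case-insensitive duplicates, and enforces the 12-OU limit. The function names and the constructed sample list are assumptions; the 12-OU limit is the one the guide states.

```python
"""Added example: validate the OU distinguished names entered for a policy.

Not Trend Micro code. Parsing follows RFC 4514 for the cases an
administrator meets (comma-separated RDNs, backslash escapes, optional
whitespace after commas); names and the sample list are assumptions.
"""
import re
from typing import List, Tuple

MAX_OUS_PER_POLICY = 12                      # limit stated in the guide
ATTRIBUTE_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

# Constructed sample, not real directory data. One DN per line; '#' starts a comment.
SAMPLE_OU_LIST = r"""
# copied from the policy's Distinguished name field
OU=TW, DC=mycompany, DC=com
ou=tw,dc=mycompany,dc=com
OU=Sales\, EMEA,OU=Staff,DC=mycompany,DC=com
""".splitlines()


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (TYPE, value) pairs, honouring backslash escapes such as 'Sales\\, EMEA'."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                          # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":                      # an unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError(f"dangling backslash in {dn!r}")
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"{rdn.strip()!r} in {dn!r} is not TYPE=value")
        attr, value = rdn.split("=", 1)
        attr, value = attr.strip(), value.lstrip()
        if not value.endswith("\\ "):        # an escaped trailing space is significant
            value = value.rstrip()
        if not ATTRIBUTE_TYPE.fullmatch(attr) or not value:
            raise ValueError(f"malformed RDN {rdn.strip()!r} in {dn!r}")
        pairs.append((attr.upper(), value))
    return pairs


def normalize_ou(dn: str) -> str:
    """Accept only DNs that name an OU inside a domain; return the canonical form."""
    pairs = split_dn(dn)
    if pairs[0][0] != "OU":
        raise ValueError(f"{dn!r} starts with {pairs[0][0]}=, not OU=; policies target OUs only")
    if not any(attr == "DC" for attr, _ in pairs):
        raise ValueError(f"{dn!r} has no DC component, so it does not identify a domain")
    return ",".join(f"{attr}={value}" for attr, value in pairs)


def prepare_policy_ous(lines: List[str]) -> List[str]:
    """Normalize, drop case-insensitive duplicates and enforce the per-policy OU limit."""
    seen, result = set(), []
    for line in lines:
        text = line.strip()
        if not text or text.startswith("#"):
            continue
        ou = normalize_ou(text)
        if ou.casefold() in seen:            # DN matching in Active Directory is case-insensitive
            continue
        seen.add(ou.casefold())
        result.append(ou)
    if len(result) > MAX_OUS_PER_POLICY:
        raise ValueError(f"{len(result)} OUs exceed the {MAX_OUS_PER_POLICY} allowed per policy; "
                         "split them across several policies")
    return result
```

Running prepare_policy_ous on the sample list returns two entries: the duplicate of OU=TW is dropped, and the escaped comma in "Sales\, EMEA" survives as part of the value rather than splitting the RDN. Multi-valued RDNs joined with "+" are not special-cased.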

Chapter 6

Full Disk Encryption

Full Disk Encryption provides comprehensive endpoint data security using mandatory strong authentication and full disk encryption. Full Disk Encryption secures not only the data files, but also all applications, registry settings, temporary files, swap files, print spoolers, and deleted files. Until the user is validated, strong preboot authentication restricts access to the vulnerable host operating system. The Full Disk Encryption agent uses FIPS-compliant XTS-AES encryption and mandatory authentication to make data inaccessible without authentication. Full Disk Encryption prevents data loss by encrypting the whole drive, including operating system, program, temporary, and end user files. Administrators can choose either a 128-bit or a 256-bit key size depending on the need for encryption strength or performance in their environment.

Full Disk Encryption allows for the flexibility to use either software-based encryption or hardware-based self-encrypting drives as needed. Seagate DriveTrust, OPAL, OPAL2, and SanDisk self-encrypting solid-state drives are supported. While hardware-based encryption is simpler to deploy on new hardware, easier to maintain, and offers higher performance, software-based encryption does not require any particular hardware and is cheaper to deploy to existing endpoints.

Trend Micro PolicyServer controls the policies affecting Full Disk Encryption, ensuring complete endpoint security centrally managed across the Enterprise. Full Disk Encryption is network-aware and updates policies before allowing authentication. You can also remotely lock or wipe data on the endpoint before the operating system or any other sensitive data is accessed.

Full Disk Encryption Tools

The following table describes the various tools available for Endpoint Encryption.

Context Menu: Access the Full Disk Encryption agent from the Full Disk Encryption icon in the system tray. From the context menu, you can view the device encryption status and synchronize with PolicyServer. See Full Disk Encryption Context Menu on page 6-4.

Preboot: Authenticate with PolicyServer through the Full Disk Encryption preboot. The preboot loads when the endpoint starts, before Windows loads. Use the Full Disk Encryption preboot to configure your network and Wi-Fi settings and to troubleshoot issues with credentials.

Command Builder: Use Command Builder to generate scripts for automated installations and to create encrypted values for credentials when creating the scripts. For more information, see the Endpoint Encryption Installation Guide.

Command Line Helper: Use Command Line Helper to create encrypted values to secure credentials when creating an installation script. See Using the Command Line Helper.

DAAutoLogin: Use DAAutoLogin for Windows patching. DAAutoLogin allows for a one-time bypass of the Endpoint Encryption preboot. See Patching Process for Full Disk Encryption.

Recovery Console: Use Recovery Console to recover from an operating system critical error, troubleshoot network issues, and manage users or logs. See Recovery Console.

Recovery Tool: Use the bootable Repair CD to decrypt the hard disk before removing Full Disk Encryption in the event that the disk becomes corrupted. Only use the Repair CD if standard removal methods are not possible. A typical symptom of a corrupted disk is a black screen. See Recovery Tool.

Full Disk Encryption Context Menu

Use the Full Disk Encryption icon in the system tray to access the Full Disk Encryption agent. Right-click the agent icon to display the menu items. The following table explains the available menu options.

Table 6-1. Full Disk Encryption Agent Menu Options

Synchronize Policies: Manually download policy updates from PolicyServer.
  Note: Full Disk Encryption agents can synchronize policies without user authentication. Full Disk Encryption agents automatically update policy settings based on your PolicyServer configuration. For more information, see Policy Synchronization.

Hide Icon: Temporarily removes the Full Disk Encryption tray icon. To show the tray icon again, run Full Disk Encryption from your desktop or Start menu.

About Full Disk Encryption: Displays Full Disk Encryption information, including version, last synchronization time, and authenticated user. The Encryption Status tab displays the status of each individual disk managed by this agent.

Online Help: View the Full Disk Encryption documentation online.

Full Disk Encryption Preboot

After installing Full Disk Encryption, the Full Disk Encryption preboot appears before Windows loads. The Full Disk Encryption preboot ensures that only authorized users are able to access endpoints, and updates local security policies when connected to PolicyServer.

Note: Use PolicyServer MMC to configure and customize the preboot screen.

Menu Options

There are several options available in the upper-left menu of the Full Disk Encryption preboot.

Table 6-2. Full Disk Encryption Preboot Menu Options

Authentication: Change the authentication method used to log on to Endpoint Encryption devices.

Communications: Manually synchronize with PolicyServer.

Computer: View information about Full Disk Encryption, view your network information, change the keyboard layout, access the on-screen keyboard, or restart or shut down the endpoint.

Network Connectivity

The network connection icon appears in the upper-right corner when Full Disk Encryption is installed as a managed endpoint. The icon is only highlighted when the device is connected to the network and has communication with PolicyServer.

Connecting to a Wireless Network

The wireless connection icon appears in the upper-right corner of the Full Disk Encryption preboot logon when the endpoint has a detected wireless card installed. If no wireless card is detected, the wireless network icon does not display.

Note: The Full Disk Encryption preboot cannot automatically detect the authentication type for WEP security. If the authentication type is WEP-OPEN or WEP-PSK, manually specify the security type. WEP itself is cryptographically broken; where you control the network, avoid relying on it for preboot connectivity.

If your enterprise policy does not allow Wi-Fi configuration, the All Access Points and Disconnect buttons are disabled. For more information, see the Administrator's Guide for PolicyServer MMC.

Procedure

1. Click the wireless connection icon in the upper-right corner of the Full Disk Encryption preboot logon.

The Wireless Access screen appears.

2. Click All Access Points.

The Wireless Network Configuration screen appears.

3. Select your network. To use a listed network, select the SSID, then click OK. To configure an unlisted network, click Other Network, specify the SSID settings, then click Connect.

   Important: Do not close the screen or restart your endpoint during configuration.

4. Click Close to complete the wireless network setup.

Network Information

View network and connection information from the Full Disk Encryption preboot by going to Menu > Computer > Network Information.

The Network Information screen includes the following sections:

Hardware Information: Shows the detected Ethernet controllers and Wi-Fi cards.

Network Information: Shows the network identification information for each Ethernet port, including the MAC address, IPv4 and IPv6 addresses, subnet mask, default gateway, and network link status (whether the Ethernet port is connected or not).

DNS Resolution: Shows the DNS resolution results, including the servers and addresses contacted while looking up PolicyServer.

PolicyServer Information: Shows the PolicyServer URL. If the URL contains the server host name, the preboot must also perform host name resolution to find the associated IP address. If the URL instead contains the IP address of PolicyServer, the Full Disk Encryption preboot skips host name resolution.

PolicyServer Connection Status: Shows whether the Full Disk Encryption preboot successfully connected to PolicyServer or not. Click Reconnect to attempt to connect to PolicyServer again, or to refresh the current information.

On-Screen Keyboard

Access the on-screen keyboard from the Full Disk Encryption preboot by going to Menu > Computer > On-Screen Keyboard. To place the cursor in the desired field while the keyboard is displayed, click Focus in the bottom-right corner of the keyboard.
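The checks that the Network Information screen reports (DNS resolution only when the PolicyServer URL carries a host name, then the connection attempt) can be reproduced from an administrator's workstation before rolling Full Disk Encryption out, so that a failing preboot can be told apart from a failing network. The following Python is an added example, not Trend Micro tooling: policyserver_target splits the URL the way the section above describes, and check_policyserver resolves and connects, reporting each stage. The assumption that a URL without a scheme is https, the default ports, and the sample URLs are assumptions; use the URL the agent is actually configured with.

```python
"""Added example: reproduce the preboot's PolicyServer checks from a workstation.

Not Trend Micro tooling. The https default for a bare host name and the
sample URLs are assumptions.
"""
import ipaddress
import socket
from typing import Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def policyserver_target(url: str) -> Tuple[str, int, bool]:
    """Return (host, port, needs_name_resolution) for a PolicyServer URL.
    IPv6 literals may be given in brackets, e.g. https://[2001:db8::10]:8443/."""
    if "://" not in url:                        # bare host[:port] is treated as https (assumption)
        url = "https://" + url
    parts = urlsplit(url)
    host = parts.hostname                       # lower-cased, brackets stripped
    if not host:
        raise ValueError(f"no host in {url!r}")
    port = parts.port or DEFAULT_PORTS.get(parts.scheme, 443)
    try:
        ipaddress.ip_address(host)
        return host, port, False                # IP literal: the preboot skips resolution
    except ValueError:
        return host, port, True                 # host name: DNS must answer first


def check_policyserver(url: str, timeout: float = 5.0) -> dict:
    """Resolve (when needed) and connect, reporting each stage like the preboot screen does."""
    host, port, needs_dns = policyserver_target(url)
    report = {"host": host, "port": port,
              "name_resolution": "pending" if needs_dns else "skipped",
              "addresses": [], "connected": False, "error": None}
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
        report["addresses"] = sorted({info[4][0] for info in infos})
        if needs_dns:
            report["name_resolution"] = "ok"
        with socket.create_connection((host, port), timeout=timeout):
            report["connected"] = True
    except socket.gaierror as exc:             # DNS failed: matches an empty DNS Resolution section
        report["name_resolution"] = "failed"
        report["error"] = str(exc)
    except OSError as exc:                     # resolved but unreachable: connection status failed
        report["error"] = str(exc)
    return report


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://policyserver.mycompany.com/"
    print(json.dumps(check_policyserver(target), indent=2))
```

A report with name_resolution "failed" points at DNS (or at a preboot network stack that cannot reach the configured DNS servers), while "ok" with connected false points at routing, a firewall, or the PolicyServer service itself; configuring the agent with the IP address instead of the host name removes the first failure mode entirely, as the section above notes.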

Changing the Keyboard Layout

Changing the keyboard layout affects both keystrokes and the on-screen keyboard. Once Windows boots, the keyboard layout is set by the Windows operating system. A restart is required to commit the keyboard layout change.

Procedure

1. Go to Menu > Computer > Change Keyboard Layout. The Select the keyboard language (layout) window appears.

2. Select a keyboard layout.

3. Click OK.

4. Click OK to restart the endpoint.

Changing Authentication Methods

Note: For information about authentication methods, see Authentication Methods.

Procedure

1. From the Full Disk Encryption preboot, select Change Password After Login.

2. Specify the user name and password.

3. Click Login.

The Change Password window appears. The interface differs between authentication methods.

Figure 6-1. Example of Changing a Fixed Password

4. From the upper-left menu, select Authentication, then select the desired authentication method. The New Password window for the chosen authentication method appears.

5. Provide and confirm the new password, and then click Next. The device boots into Windows.

Changing Passwords

The following procedure explains how to change the Endpoint Encryption user account password using the Full Disk Encryption preboot.

Procedure

1. Specify the Endpoint Encryption user name and password.

2. Select Change Password After Login.

3. Click Login. The Change Password window appears. The interface differs between authentication methods.

Figure 6-2. Changing a Fixed Password Screen

4. Provide and confirm the new password, and click Next. The device boots into Windows.

ColorCode

ColorCode is a unique authentication method designed for quick access and easy memorization. Rather than alphanumeric characters or symbols for the password, ColorCode authentication consists of a user-created color sequence (example: red, red, blue, yellow, blue, green). Because the sequence is drawn from a small palette, a ColorCode has far fewer possible values than a fixed password of comparable length; its protection against guessing depends on the failed logon attempt limit and lockout action set in the Common policy rules (see Lockout Actions).

Figure 6-3. ColorCode Authentication Screen

Creating a Color Code Password

The total number of steps in the ColorCode (the count) is defined by PolicyServer. The default count is six.

Procedure

1. Start the endpoint and wait for the Full Disk Encryption preboot to appear.

2. Follow the instructions to change passwords. See Changing Passwords.

3. Change the authentication method to ColorCode.

   Note: For information about changing authentication methods, see Changing Authentication Methods.

   The ColorCode Change Password screen appears.

Figure 6-4. ColorCode Change Password Screen

4. Select the first color by clicking it in the square on the left. The count increases by one.

5. Click the remaining colors in the sequence.

   Tip: Click Back to change the last color clicked, or click Clear to start over.

6. After the sequence is complete, confirm the ColorCode password using the square on the right.

7. Click Next to finish.

Remote Help

Remote Help allows Group or Enterprise Authenticators to assist Endpoint Encryption users who are locked out and cannot log on to Endpoint Encryption devices after too many unsuccessful logon attempts, or when the period since the last PolicyServer synchronization has been too long.

Note: Remote Help authentication is triggered by Endpoint Encryption device policy rules. Remote Help policy rules are configurable in both PolicyServer MMC and Control Manager.

Using Remote Help to Unlock Full Disk Encryption Devices

Important: Restarting the Endpoint Encryption device resets the challenge code. Manually synchronizing policies with PolicyServer also resets the challenge code. The challenge code and response code are not case sensitive.

Procedure

1. From the Full Disk Encryption preboot, go to Menu > Authentication > Remote Help.

2. Provide the Challenge Code to the Policy/Group Administrator. Because the response code unlocks the device, the Authenticator should verify the requester's identity through a separate channel before issuing it.

3. Specify the Response Code provided by the Policy/Group Administrator.

4. Click Login. The Change Password screen appears.

   Note: If the account uses domain authentication, the endpoint boots directly into Windows.

5. Specify and confirm the new password, then click Next. The device boots into Windows.

Smart Card

Smart card authentication requires both a PIN and a physical token to confirm the user's identity. Smart card certificates are associated with the user account and the user's assigned group. Once registered, the user can use smart card authentication from any Endpoint Encryption device in that group. Users are free to use any Endpoint Encryption device in their group and do not need to ask for another one-time password.

To use smart card authentication, make sure that the following requirements are met:
   The smart card reader is connected to the endpoint and the smart card is inserted into the reader.
   ActivClient 6.1 with all service packs and updates is installed.
   The smart card PIN is entered in the password field.

WARNING! Entering an incorrect PIN returns a password error, and repeated failures may lock the smart card.

Note: Smart card authentication is only configurable with PolicyServer MMC.

Smart Card Registration

Registering a Smart Card in Full Disk Encryption Preboot

Procedure

1. Follow the instructions to change passwords, then select Smart Card. See the Administrator's Guide for PolicyServer MMC.

2. Insert the smart card in the reader.

3. Connect the reader to the endpoint.

4. Specify the user name and fixed password.

5. Click Continue.

6. At the confirmation message, click Continue.

7. At the Register Token window, do the following:
   a. Type the new PIN provided by the Group or Enterprise Administrator.
   b. Confirm the new PIN.
   c. Select the smart card type from the Token drop-down list.
   d. Click Continue to finish registering the smart card token.

Self Help

Self Help authentication allows Endpoint Encryption users who have forgotten their credentials to answer security questions and log on to Endpoint Encryption devices without Technical Support assistance. Self Help requires the Endpoint Encryption user to respond to predefined personal challenge questions. Self Help can replace fixed password or other authentication methods. Consider the following when choosing your authentication method or when configuring Self Help:

138 Trend Micro Endpoint Encryption Administrator Guide Self Help is not available for Administrator and Authenticator accounts. Self Help is not available for accounts that use domain authentication. PolicyServer is unable to change or retrieve previous domain passwords. Self Help has a maximum of six questions for each user account. Users may be unable to log on using Self Help if more than six questions are configured. Self Help is only configurable with the legacy PolicyServer MMC. Self Help is not available for offline endpoints. Setting Up Self Help If the Self Help policy is enabled, the user is prompted to define answers for the Self Help questions after his/her first login. If the user changes their password, they must define Self Help question answers again. Note Self Help answers are stored on the device. If a user logs on another Full Disk Encryption device, the user must define Self Help answers for that device. Procedure 1. Provide the user name and password. 2. Click Login. The Self Help window appears. 3. Define answers for all of the Self Help questions. 4. Click Next. The device boots into Windows. 6-18

Using Self Help

Procedure
1. From the top-left menu of the Full Disk Encryption Preboot, go to Menu > Authentication > Self Help. The Self Help window appears.
2. Answer all of the Self Help questions.
3. Click Login.
4. Define a new password, and then click Next. The device boots into Windows.

Changing Self Help Answers

Procedure
1. From the Full Disk Encryption preboot, provide the credentials, select Change Password After Login, then click Login. The Change Password window appears.
2. Provide and confirm the new password, then click Next. The Self Help window appears.
3. Define new answers for all Self Help questions, then click Next. The Endpoint Encryption device boots into Windows.

Skipping the Preboot Screen

To streamline the Windows update process, disks already encrypted by Full Disk Encryption can be configured to skip the Full Disk Encryption Preboot multiple times.

Procedure
1. Open a command prompt window with elevated privileges.
2. Navigate to the following path:
   %Program Files%\Trend Micro\Full Disk Encryption
3. Run DAAutoLogin.exe using the following parameters:
   DAAutoLogin.exe username:<username> password:<password> [domainname:<domain name> domainusername:<domain username> domainpassword:<domain password>] [count:n]

Note: Use a colon ( : ) to separate a key and its value. Refer to the examples below.

Bypass Full Disk Encryption authentication once:
   DAAutoLogin.exe username:tmee password:=5mih67ukdy7tlvan2iswgqq= count:1

Bypass Full Disk Encryption authentication once, using a domain account and logging on to Windows via single sign-on with the same account:
   DAAutoLogin.exe username:qa\user password:=5mih67ukdy7tlvan2iswgqq= count:1

Bypass Full Disk Encryption authentication once, where the Full Disk Encryption Preboot login account is different from the SSO account in Windows:
   DAAutoLogin.exe username:tmee password:=5mih67ukdy7tlvan2iswgqq= domainname:qa domainusername:user domainpassword:=5mih67ukdy7tlvan2iswgqq= count:1

Bypass Full Disk Encryption authentication 9 times:
   DAAutoLogin.exe username:tmee password:=5mih67ukdy7tlvan2iswgqq= count:9

Bypass Full Disk Encryption authentication 9 times, using a domain account and logging on to Windows via single sign-on with the same account:
   DAAutoLogin.exe username:qa\user password:=5mih67ukdy7tlvan2iswgqq= count:9

Bypass Full Disk Encryption authentication 9 times, where the Full Disk Encryption Preboot login account is different from the SSO account in Windows:
   DAAutoLogin.exe username:tmee password:=5mih67ukdy7tlvan2iswgqq= domainname:qa domainusername:user domainpassword:=5mih67ukdy7tlvan2iswgqq= count:9

Disable the bypass of Full Disk Encryption authentication (user name and password are required):
   DAAutoLogin.exe username:tmee password:<password> count:0

Full Disk Encryption Policy Synchronization

The following list explains the events that initiate policy synchronization between agents and PolicyServer:
- After the operating system loads and the agent service starts. For information about Endpoint Encryption services, see Endpoint Encryption Services on page C-1.
- When the Full Disk Encryption preboot starts.
- At regular intervals based on the PolicyServer synchronization policy.
- Manually, from the agent context menu or from the Full Disk Encryption preboot. See Manually Updating Full Disk Encryption Agents on page

Note: Device actions initiate after the agent receives policy updates.

Full Disk Encryption Connectivity Requirements

Endpoint Encryption uses a FIPS-approved encryption process for data passed between the Full Disk Encryption preboot and PolicyServer. Full Disk Encryption agents that have network connectivity to PolicyServer can receive policy updates and upload audit data from the agent. All client-server communications are internally encrypted and can be sent over insecure connections such as the Internet. You can place an Endpoint Encryption proxy within a DMZ (Demilitarized Zone) for access to both internal networks and the Internet. For information about different network topology configurations, see the Endpoint Encryption Installation Guide.

Table 6-3. Full Disk Encryption Connectivity Requirements
- Resource: PolicyServer
- TCP/IP Access: Network connectivity requires full TCP/IP network access; dial-up or telephone access cannot be used to provide connectivity with PolicyServer during preboot authentication.
- Port: Endpoint Encryption agents communicate using port 8080 by default. To change the default port number, go to Recovery Console and update the PolicyServer. For details, see Changing the Full Disk Encryption PolicyServer on page
- Function: Updated security policies from PolicyServer are sent to the Full Disk Encryption preboot, or over connectivity established within Windows, LAN, or VPN.

Manually Updating Full Disk Encryption Agents

Full Disk Encryption agents automatically receive policy updates from PolicyServer at intervals determined by policy. Do either of the following to manually update policies.

Procedure
- Use the Full Disk Encryption preboot.
  a. Go to Communications > Synchronize policies.
  b. Go to Computer > About Full Disk Encryption. The timestamp of the latest PolicyServer policy synchronization displays.
- Use the Full Disk Encryption agent.
  a. Double-click the Full Disk Encryption icon in the Windows system tray. The Full Disk Encryption agent opens.
  b. Click Synchronize with PolicyServer. After a moment, PolicyServer enforces all new policy changes.

Moving Full Disk Encryption Disks

If a Full Disk Encryption disk is moved to another endpoint registered with PolicyServer, Full Disk Encryption automatically detects the change and sends an update to the PolicyServer database. An administrator account is not required for this process.

Note: Before moving the disk, ensure that the following requirements are met:
- The source endpoint and destination endpoint belong to the same group and use the same PolicyServer.
- The disk to be moved is currently managed by Full Disk Encryption.

Procedure
1. Power off the source endpoint and physically remove an existing disk.
2. Power off the destination endpoint and insert the disk that was removed from the source endpoint.
3. Restart the endpoints.
4. Full Disk Encryption detects the removal or addition of any disks and sends an update to the PolicyServer database during startup.
5. Click the Full Disk Encryption icon on the system tray and view the Encryption Status tab to verify whether the process was successful.
   Note: During this process, the new disk becomes inaccessible on the destination endpoint.
6. Restart the endpoint where the new disk was attached to initiate re-authentication with PolicyServer.
7. After restarting, click the Full Disk Encryption icon on the system tray and view the Encryption Status tab to verify whether the process was successful. The new disk is now accessible and ready for use.

Patch Management with Full Disk Encryption

Use the Command Line Helper and DAAutoLogin together to run Windows patch management on devices with Full Disk Encryption installed.
- Use Command Line Helper to create encrypted values for scripts. For details, see Using the Command Line Helper on page
- Use DAAutoLogin in various combinations to accomplish different needs. After patches are pushed out, call DAAutoLogin inside scripts to:
  - Send a reboot command for the device to display the Windows GINA (graphical identification and authentication) component for confirmation of successful patching
  - Push another round of patches
  For details, see Patching Process for Full Disk Encryption on page
- To streamline the Windows update process, use DAAutoLogin to skip the Full Disk Encryption Preboot multiple times. For details, see Skipping the Preboot Screen on page

Note: Make sure to run both tools on a Full Disk Encryption device. Both tools are available in the tools folder of the zip file received from Trend Micro. For assistance, contact Trend Micro Support.

Using the Command Line Helper

Command Line Helper enables encrypted values to pass via the installation script to the Full Disk Encryption preboot and installer. You can manually use Command Line Helper to generate encrypted values of strings for installation scripts or patch management.

Procedure
1. Download the Command Line Helper tool and locate the tool in your Endpoint Encryption download folder. The Command Line Helper tool is part of the PolicyServer installation package. Go to Trend Micro Download Center, select Endpoint Encryption, and download the PolicyServer package. The Command Line Helper tool is located in the following directory:
   <download_directory>\tmee_policyserver\tools\command Line Helper
2. Open a command prompt.
3. Change the directory to the directory of the Command Line Helper tool. Example:
   cd C:\TMEE_PolicyServer\Tools\Command Line Helper
4. Type CommandLineHelper.exe followed by the string that you want to encrypt, and press ENTER. Example:
   CommandLineHelper.exe examplepassword
   Tip: It may be easier to copy the generated value directly from a text file. In that case, the above example would be modified as follows:
   CommandLineHelper.exe examplepassword > file.txt
   The Command Line Helper produces an encrypted string.

Patching Process for Full Disk Encryption

Procedure
1. Push patches to targeted Full Disk Encryption devices.
2. Follow up with a script using DAAutoLogin.
3. Send a reboot command for the Full Disk Encryption device to load Windows GINA for confirmation of successful patching or to push another round of patches.
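The following PowerShell script is an added example, not Trend Micro's code, showing how the Skipping the Preboot Screen parameters and the Patching Process above fit into one patch round: it builds the documented DAAutoLogin.exe key:value arguments, grants the bypass for a single restart (count:1) rather than a larger count, and sends count:0 if patching fails or once patching is confirmed. It assumes DAAutoLogin.exe is under the documented install path, that password values were produced beforehand with CommandLineHelper.exe, and the function and parameter names are the example's own.

```powershell
# Added example, not Trend Micro's code. Wraps the DAAutoLogin.exe syntax
# documented above (key:value pairs, optional domain keys, count:n) so a
# patch script grants the preboot bypass for exactly one restart, applies
# patches, and turns the bypass off with count:0 when patching fails or
# when patching has been confirmed. Assumptions: DAAutoLogin.exe sits under
# the documented path, and every password value was produced beforehand with
# CommandLineHelper.exe (an encrypted value, never a cleartext password).

$script:DAAutoLogin = Join-Path $env:ProgramFiles 'Trend Micro\Full Disk Encryption\DAAutoLogin.exe'

function New-DAAutoLoginArgs {
    # Builds the argument list in the documented form:
    #   username:<u> password:<p> [domainname:<d> domainusername:<du> domainpassword:<dp>] [count:n]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $EncryptedPassword,
        [Parameter(Mandatory)] [ValidateRange(0, 9)] [int] $Count,   # 0 disables; the guide's examples go up to 9
        [string] $DomainName,
        [string] $DomainUserName,
        [string] $DomainEncryptedPassword
    )
    foreach ($v in @($UserName, $EncryptedPassword, $DomainName, $DomainUserName, $DomainEncryptedPassword)) {
        # Whitespace or a stray colon would break the key:value parsing.
        if ($v -match '[\s:]') { throw "value '$v' must not contain whitespace or ':'" }
    }
    $argList = @("username:$UserName", "password:$EncryptedPassword")
    $domainGiven = @(@($DomainName, $DomainUserName, $DomainEncryptedPassword) | Where-Object { $_ })
    if ($domainGiven.Count -gt 0) {
        # Preboot account differs from the Windows SSO account: all three domain keys are required.
        if ($domainGiven.Count -ne 3) { throw 'domainname, domainusername and domainpassword must be given together' }
        $argList += @("domainname:$DomainName", "domainusername:$DomainUserName", "domainpassword:$DomainEncryptedPassword")
    }
    $argList += "count:$Count"
    return $argList
}

function Invoke-DAAutoLogin {
    param([Parameter(Mandatory)] [string[]] $ArgumentList, [switch] $DryRun)
    # Echo the command line with password values masked so transcripts never carry them.
    $shown = ($ArgumentList -join ' ') -replace '(?i)(password:)\S+', '$1<masked>'
    Write-Host "DAAutoLogin.exe $shown"
    if ($DryRun) { return 0 }
    if (-not (Test-Path $script:DAAutoLogin)) { throw "DAAutoLogin.exe not found at $script:DAAutoLogin" }
    $p = Start-Process -FilePath $script:DAAutoLogin -ArgumentList $ArgumentList -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "DAAutoLogin.exe exited with code $($p.ExitCode)" }
    return $p.ExitCode
}

function Disable-PrebootBypass {
    # count:0 re-enables preboot authentication; user name and password are still required.
    param([Parameter(Mandatory)] [hashtable] $Account, [switch] $DryRun)
    Invoke-DAAutoLogin -ArgumentList (New-DAAutoLoginArgs @Account -Count 0) -DryRun:$DryRun | Out-Null
}

function Invoke-PatchRound {
    # One round of the patching process: 1) allow the next restart to skip the
    # preboot, 2) push patches, 3) restart so Windows comes up to the logon
    # screen for confirmation or for the next round. Only one restart is
    # granted per round, and a failed patch step sends count:0 at once so the
    # endpoint is not left with preboot authentication switched off.
    param(
        [Parameter(Mandatory)] [hashtable] $Account,      # splatted into New-DAAutoLoginArgs
        [Parameter(Mandatory)] [scriptblock] $PatchStep,
        [switch] $DryRun
    )
    Invoke-DAAutoLogin -ArgumentList (New-DAAutoLoginArgs @Account -Count 1) -DryRun:$DryRun | Out-Null
    try {
        & $PatchStep
    }
    catch {
        Disable-PrebootBypass -Account $Account -DryRun:$DryRun
        throw
    }
    if ($DryRun) { Write-Host 'Restart-Computer -Force (skipped in dry run)' } else { Restart-Computer -Force }
}

# Dry run with constructed values: prints the command lines and runs nothing.
$account = @{ UserName = 'tmee'; EncryptedPassword = 'ENCRYPTED_VALUE_FROM_COMMANDLINEHELPER' }
Invoke-PatchRound -Account $account -PatchStep { Write-Host 'patch step placeholder' } -DryRun
Disable-PrebootBypass -Account $account -DryRun
```

Run Disable-PrebootBypass after the last round has been confirmed at the Windows logon screen; removing -DryRun performs the real calls and the restart.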

Chapter 7 File Encryption

The Trend Micro File Encryption agent uses AES encryption to protect data that is shared between Endpoint Encryption users, stored on removable media, or saved on network resources. File Encryption can also protect different files with different keys, allowing you to set access policies to the File Encryption agent and then create separate policies for access to certain files, which is useful in environments where multiple users access the same endpoint. Encryption is performed after authentication takes place. End users also have the flexibility to locally manage File Encryption by encrypting individual files, folders, or removable media on the fly, safeguarding their data regardless of where it travels.

Registering File Encryption

After File Encryption is installed, an initial registration is required to identify PolicyServer. The fixed password authentication method is the default method and is required for initial registration. Other options may be available depending on policy settings.

Important: Without authenticating to File Encryption, access to files and removable media is denied.

Procedure
1. The Login window appears the next time your endpoint starts after File Encryption installation. If you need to access the Login screen at a later time, right-click the File Encryption tray icon, and then select Register.
2. Specify the Endpoint Encryption user name and password.
3. Specify the PolicyServer IP address (or host name) and the Enterprise.
4. Click OK. The Change Password screen appears.
5. Select any available authentication method. For more information about authentication methods, see File Encryption Authentication on page
6. Specify and confirm the new password.
7. Click OK. The new password is updated and a confirmation message appears.

File Encryption Actions

After registering the File Encryption agent, File Encryption options become available for files and folders. Right-click a file or folder to see the available options.

Figure 7-1. File Encryption Actions

Use the following table to understand the available menu options.

Table 7-1. File Encryption Context Menu Options
- Archive: Create an encrypted copy of the specified file. See Encrypting a File or Folder on page 7-4.
- Expand Archive: Open a previously created archive.
- Archive and Burn: Create an encrypted copy of the specified file and write it to a CD or DVD. See Encrypting a File or Folder on page 7-4.
- Secure Delete: Securely erase the selected files and the file history from the File Encryption device. See Using File Encryption Secure Delete on page

Encrypting a File or Folder

Procedure
1. Right-click the file or folder that you want to encrypt.
2. Choose the location to create the encrypted file.
   - Archive: Create the encrypted file locally. Details: The encrypted file will appear in the same folder as the original file.
   - Archive and Burn: Write the encrypted file to a CD or DVD. Details: In the authentication window, you will be prompted to select your writable disk drive.
3. Choose the authentication method to access the encrypted file.
   - Local Key: Create an encrypted file that can only be accessed by the user who created it. Notes: This option is only available if you select Archive. No window will display after selecting this option; the encrypted file will be created immediately. Depending on the Windows operating system, a user may view folder contents when switching from one user to a separate user without restarting Windows. While file names and folder content may be viewed, the file contents are not available. This is because the Windows operating system caches the file structure for quick search capability.
   - Shared Key: Create an encrypted file that can only be accessed by members of the current user's policy group. Notes: The same notes as for Local Key apply: the option is only available if you select Archive, no window will display, the encrypted file is created immediately, and file names and folder content may remain visible to another Windows user without a restart although the file contents are not available.
   - Fixed Password: Create an encrypted file that requires a password to access. Notes: There is no functionality available for password recovery with self-extracting files. If a password is forgotten, the encrypted file cannot be recovered. Due to a Windows limitation, executable (self-extracting) files cannot be larger than 2 GB.
   - Certificate: Create an encrypted file that requires specific digital certificates to access. Notes: The digital certificates may be stored on smart cards depending on your environment and policy settings.
   Figure 7-2. File Encryption Actions
4. If a window appears, complete all on-screen instructions. File Encryption creates the encrypted file in the intended location. The original files or folders are unchanged and can be kept or deleted.

File Encryption Fixed Password Encryption

If you attempt to encrypt a file or folder using a fixed password, the following screen displays. The options for this window are as follows:

Table 7-2. Fixed Password Options
- Password / Confirm: Type and confirm a password that will be required to open the encrypted file.
- Burn using: Select the drive with the CD or DVD to write the encrypted file to. If you have not already done so, insert a writable CD or DVD with available free space. This option is only available if you select Archive and Burn.
- Output encrypted data as a self-extracting archive: Select this option to create the encrypted file as a self-extracting archive. Self-extracting archives may be opened on devices that do not have File Encryption agents. Due to a Windows limitation, executable (self-extracting) files cannot be larger than 2 GB.

Note: There is no functionality available for password recovery with self-extracting files. If a password is forgotten, the encrypted file cannot be recovered.

File Encryption Digital Certificate Encryption

If you attempt to encrypt a file or folder using a digital certificate, the following screen displays. The options for this window are as follows:

Table 7-3. Certificate Options
- Certificates Store: Select a group from the drop-down list and click Gather Certificates to see a window with a list of certificates related to that group. From the Certificate Selection window, select a certificate and click OK to add that certificate to Selected Recipient Certificates.
- Selected Recipient Certificates: View the list of currently selected certificates. These certificates will be required to open the encrypted file. Click Clear to remove all certificates. Important: There is no available method to remove individual certificates. If you must remove one or more certificates, remove all certificates, and add the required certificates again.
- Burn using: Select the drive with the CD or DVD to write the encrypted file to. If you have not already done so, insert a writable CD or DVD with available free space. This option is only available if you select Archive and Burn.

Using File Encryption Secure Delete

Use Secure Delete to securely erase the selected files and the file history from the File Encryption device.

Procedure
1. Right-click the file and go to File Encryption > Secure Delete.
2. Click Yes to permanently delete the file.

File Encryption Context Menu

Use the File Encryption icon in the system tray to access the File Encryption agent. Right-click the agent icon to display the menu items. The following table explains the available menu options.

Table 7-4. File Encryption Agent Menu Options
- Register: First-time user registration of File Encryption with the PolicyServer. For more information, see Registering File Encryption on page 7-2. This option only appears if you have not completed File Encryption registration.
- Log In / Log Out: Authenticate with PolicyServer.
- Change Password: Permits users to change their password and their authentication method. For more information, see Changing Password in File Encryption on page
- Remote Help: Unlock File Encryption using Remote Help to authenticate if the user forgets the Endpoint Encryption password, there were too many unsuccessful authentication attempts, or the Endpoint Encryption device has not communicated with the PolicyServer for a specified duration. For more information, see Using Remote Help to Unlock a File Encryption Device on page This option is only available if the File Encryption agent is locked. For more information about locked accounts, see Forced Password Reset on page
- Synchronize Policies: Manually download policy updates from PolicyServer. Note: File Encryption agents can synchronize policies without user authentication. File Encryption agents automatically update policy settings based on your PolicyServer configurations. For more information, see Policy Synchronization on page
- Synchronize Offline Files: Synchronizing with PolicyServer offline files enforces new security policies using an import file instead of communicating directly with PolicyServer.
- Show / Hide Notifications: Silences all File Encryption notifications.
- Hide Icon: Temporarily removes the File Encryption tray icon. To show the File Encryption tray icon again, run File Encryption from your desktop or Start menu.
- About File Encryption: Displays File Encryption information including version, last synchronization time, and authenticated user. You can change the PolicyServer that synchronizes policies with your File Encryption agent from the About File Encryption window. To change your PolicyServer, click Edit PolicyServer.
- Online Help: View the File Encryption documentation online.

Changing Password in File Encryption

To change the password, the user must authenticate to File Encryption with a User account role. The user can then change the password using any authentication method allowed by policy. Use PolicyServer MMC to manage the policy at: Group Name > Policies > File Encryption > Login > Authentication Methods Allowed

Procedure
1. Right-click the File Encryption tray icon, then select Change Password.
2. Specify the password.
3. Click Next.
4. Select any available authentication method. For more information about authentication methods, see File Encryption Authentication on page
5. Specify and confirm the new password.
6. Click OK. The new password is updated and a confirmation message appears.

Using Remote Help to Unlock a File Encryption Device

If a user exceeds the number of authentication attempts and policies are set to enact Remote Authentication, File Encryption locks Endpoint Encryption folders and notifies the user that Remote Help is required. Using Remote Help to unlock File Encryption requires assistance from the Enterprise Authenticator or Group Authenticator.

Note: For information about using Remote Help, see Remote Help on page

Procedure
1. Right-click the File Encryption tray icon, then select Remote Help. The Remote Help screen appears.
   Figure 7-3. File Encryption Remote Help
2. Specify the user name.
3. Click Get Challenge.
4. Type the Response provided by the Enterprise/Group Authenticator.
5. Click Log In. The user is authenticated to File Encryption and a notification displays.

File Encryption Authentication

This section explains how to authenticate to and use File Encryption. All authentication methods for Endpoint Encryption are available in File Encryption.

Note: For information about authentication methods, see Authentication Methods on page

Endpoint Encryption administrators and users have several authentication methods to log on to File Encryption. The methods available are determined by the PolicyServer policy configuration.

Table 7-5. Supported Authentication Methods
- ColorCode: A unique sequence of colors. See ColorCode on page
- Domain authentication: Active Directory LDAP synchronization for single sign-on (SSO). See Domain Authentication on page
- Fixed password: A string of characters, numbers, and symbols. See Fixed Password on page
- Smart card: A physical card used in conjunction with a PIN or fixed password. See Smart Card on page
- PIN: A standard Personal Identification Number (PIN). See PIN on page

Domain Authentication Requirements

For domain authentication single sign-on (SSO), ensure that the following requirements are met:
- The user belongs to a policy group with domain authentication enabled.
- The Host Name and Domain Name are configured properly.
- PolicyServer and all Endpoint Encryption devices using domain authentication are in the same domain.
- The user account is configured in both Active Directory and PolicyServer. The user name is case sensitive and must match exactly.

Additionally, domain authentication has the following limitations:
- Domain authentication cannot be used with a Smart Card PIN.
- Remote Help is available to domain users. However, the domain password must be reset in Active Directory if it is forgotten.

Forced Password Reset

File Encryption prevents unauthorized access to encrypted files and folders by locking protected files when there are too many unsuccessful authentication attempts or if the endpoint has not communicated with PolicyServer for a specified duration of time. Depending on the policy configuration, File Encryption locks a user from access or enacts a time delay before further authentication attempts can be made.

Endpoint Encryption Device Policy Rules

The following table explains the security policy rules for lost or stolen Endpoint Encryption devices. Depending on the policy settings, too many consecutive unsuccessful authentication attempts to the Endpoint Encryption device delays the next authentication attempt, locks the Endpoint Encryption device, or erases all data controlled by the associated Endpoint Encryption agent.

Table 7-6. Device Security Options
- Time delay: PolicyServer temporarily locks the Endpoint Encryption device and notifies the Endpoint Encryption user that the device is locked. The ability to authenticate or reset the password is disabled during the time delay. The duration of the time delay is determined by policy. Once the time delay has expired, the user is permitted to authenticate. Note: The Endpoint Encryption user may use Self Help or Remote Help authentication to avoid waiting for the time delay period to expire.
- Remote authentication required: PolicyServer locks the Endpoint Encryption device until the Endpoint Encryption user receives Remote Help authentication from an authenticator or from Support. Note: For more information, see Remote Help on page
- Erase the device: PolicyServer erases all data controlled by the associated Endpoint Encryption agent. WARNING! The Endpoint Encryption user cannot recover the erased data.

Policy Synchronization

The following list explains the events that initiate policy synchronization between agents and PolicyServer:
- After the operating system loads and the agent service starts. Note: For information about Endpoint Encryption services, see Endpoint Encryption Services on page C-1.
- At regular intervals based on the PolicyServer synchronization policy.
- Manually, by clicking the Synchronize Policies button in the agent context menu.

Note: Device actions initiate after the agent receives policy updates.

Chapter 8 Encryption Management for Third-Party Products

A key feature of Full Disk Encryption is the ability to manage third-party encryption products. The Endpoint Encryption agents fully integrate with the encryption solutions built into the host operating systems.

About Encryption Management Agents

The following table explains the two Full Disk Encryption agents for third-party product encryption management.

Note: For information about all available Endpoint Encryption agents, see Endpoint Encryption Agents on page

Table 8-1. Encryption Management Agents
- Encryption Management for Microsoft BitLocker: The Endpoint Encryption Full Disk Encryption agent for Microsoft Windows environments that simply need to enable Microsoft BitLocker on the hosting endpoint.
- Encryption Management for Apple FileVault: The Endpoint Encryption Full Disk Encryption agent for Mac OS environments that simply need to enable Apple FileVault on the hosting endpoint.

Encryption Management Agent Policy Limitations

The following table explains the policy limitations for Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker. To use all policies, install the Full Disk Encryption agent instead.

Note: Encryption Management for Microsoft BitLocker does not require authentication and is not affected by authentication policies. Client, login, password, and authentication policies, and the policy allowing the user to uninstall the Endpoint Encryption agent software, only affect the Full Disk Encryption and File Encryption agents. Encryption Management for Apple FileVault does not require authentication for endpoints with hard drives not using APFS (Apple File System). However, for endpoints running Mac OS High Sierra (10.13) with SSDs using APFS, Encryption Management for Apple FileVault prompts for the user's password when the Encrypt Device policy is later updated to No.

The following table explains the policies affecting each agent. Use it to understand the policy limitations of third-party agents.

Table 8-2. Policies Affecting Full Disk Encryption Agents

The table has the columns Policy, Full Disk Encryption, Encryption Management for Apple FileVault, and Encryption Management for Microsoft BitLocker, and covers the following policies:
- Allow User Recovery
- Allow User to Uninstall
- Encrypt Device
- Account Lockout Action
- Account Lockout Period
- Dead Man Switch
- Device Locked Action
- Device Killed Action
- Failed Login Attempts Allowed
- If Found
- Legal Notice
- Lock Device Time Delay
- Preboot Bypass
- Support Info
- Token Authentication
- Authentication Methods Allowed
- Sync Interval
- Allow User to Configure Wi-Fi
- Wi-Fi Settings
- Apply Wi-Fi settings (in Control Manager)
- Encrypt Only Used Space
- Select Encryption Key Size
- Logon Background Color
- Customize background color (in Control Manager)
- Logon Banner
- Customize banner (in Control Manager)

Encryption Management for Microsoft BitLocker

Encryption Management for Microsoft BitLocker manages BitLocker Drive Encryption for endpoints running Microsoft Windows. Encryption Management for Microsoft BitLocker is designed to protect data by providing encryption for entire volumes. By default, BitLocker uses the AES encryption algorithm in CBC mode with a 128-bit or 256-bit key.

Viewing Encryption Status

Procedure
1. Click the Full Disk Encryption icon. For Windows, go to the system tray. For Mac OS, go to the menu bar.

2. Open the Encryption Status tab.
3. See Understanding Encryption Status on page 8-6 for details.

Understanding Encryption Status

The Encryption Status tab provides details about the encrypted drives, the types of encryption, and the ratio of the drive that is encrypted or not encrypted. See the description below for more information.

Table 8-3. Device Encryption Status

Item       | Description
-----------|-------------------------------------------------------------------------
Pie Chart  | Represents the ratio of the hard disk that is encrypted and not encrypted.
Drive      | The hard disk with the agent installed.
Encrypted  | The percentage of the drive that is encrypted.
Action     | The current encryption status.
Encryption | The type of encryption deployed on the endpoint.
           | Note: Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker always use software-based encryption.
FIPS mode  | Whether FIPS is enabled.
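The Encryption Status tab reports these values through the agent's user interface. As an added example that is not part of the Trend Micro guide, the following PowerShell function reads the same information (drive, percentage encrypted, current status, encryption type, FIPS mode) from Windows' own BitLocker cmdlets and the FIPS policy registry value, so an administrator can cross-check what the agent shows or audit many endpoints through remoting. Get-BitLockerVolume and the FipsAlgorithmPolicy key are standard Windows components; the function name, its -MinimumKeyBits parameter and the findings it raises are this example's own choices.

```powershell
# Added example, not code from the Trend Micro guide: report the values the
# agent's Encryption Status tab shows (drive, percent encrypted, status,
# encryption type, FIPS mode) from Windows' own BitLocker cmdlets, and flag
# volumes that are not fully protected. Requires the BitLocker module and an
# elevated session. Get-BitLockerStatusReport and -MinimumKeyBits are names
# chosen for this example.
#Requires -RunAsAdministrator

function Get-BitLockerStatusReport {
    [CmdletBinding()]
    param(
        # Smallest acceptable AES key; the guide describes 128-bit and 256-bit keys.
        [ValidateSet(128, 256)]
        [int]$MinimumKeyBits = 128
    )

    # The OS-wide FIPS switch that the agent's "FIPS mode" row reflects (1 = enabled).
    $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fipsValue = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
    $fipsEnabled = ($null -ne $fipsValue) -and ($fipsValue.Enabled -eq 1)

    foreach ($vol in Get-BitLockerVolume) {
        # EncryptionMethod is e.g. Aes128, Aes256, XtsAes128, XtsAes256, Hardware or None.
        $method = [string]$vol.EncryptionMethod
        $keyBits = if ($method -match '(128|256)') { [int]$Matches[1] } else { 0 }

        $findings = @()
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "volume status is $($vol.VolumeStatus)"
        }
        if ($vol.ProtectionStatus -ne 'On') {
            # A suspended volume stays readable without its key protectors being checked.
            $findings += 'protection is not On'
        }
        if ($method -ne 'Hardware' -and $keyBits -lt $MinimumKeyBits) {
            $findings += "key size $keyBits bits is below $MinimumKeyBits"
        }

        [pscustomobject]@{
            Drive      = $vol.MountPoint              # Table 8-3 "Drive"
            Encrypted  = $vol.EncryptionPercentage    # Table 8-3 "Encrypted"
            Action     = [string]$vol.VolumeStatus    # Table 8-3 "Action"
            Encryption = $method                      # Table 8-3 "Encryption"
            Protection = [string]$vol.ProtectionStatus
            FipsMode   = $fipsEnabled                 # Table 8-3 "FIPS mode"
            Findings   = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Usage: run on the endpoint (or through Invoke-Command) and review anything not marked OK.
Get-BitLockerStatusReport -MinimumKeyBits 256 | Format-Table -AutoSize
```

A volume that the agent reports as encrypted but whose ProtectionStatus is Off (for example, after BitLocker was suspended for a firmware update) is the case most worth catching here, because the agent's percentage alone does not reveal it.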

Understanding Agent Information

The Information tab provides detailed information about the user account, Endpoint Encryption device, and policy synchronization. See the description below for more information.

Table 8-4. Agent Information

Label                  | Description
-----------------------|----------------------------------------------------------------
TMEE user name         | The Endpoint Encryption account used to log on to the Endpoint Encryption device. This is different from the Windows logon.
Device ID              | The unique ID that identifies the agent and endpoint to PolicyServer.
Operating system       | The operating system and version currently installed on the endpoint.
Computer name          | The endpoint computer name that identifies it on the network.
Last sync              | The timestamp of the last policy synchronization with PolicyServer.
Sync with PolicyServer | Forces an immediate policy update.

Synchronizing Policies with PolicyServer

There are two ways to synchronize policies with PolicyServer. For information about policies affecting Encryption Management for Microsoft BitLocker devices, see Encryption Management Agent Policy Limitations on page 8-2.
- Synchronizing Policies From the Menu Bar on page 8-18
- Synchronizing Policies from the About Screen on page 8-10

Policy Synchronization

The following list explains the events that initiate policy synchronization between agents and PolicyServer:
- After the operating system loads and the agent service starts
  Note: For information about Endpoint Encryption services, see Endpoint Encryption Services on page C-1.
- At regular intervals based on the PolicyServer synchronization policy
- Manually, by clicking the Synchronize Policies button in the agent context menu

Note
Device actions initiate after the agent receives policy updates.

Synchronizing Policies from the About Screen

For information about policy limitations affecting the Encryption Management for Microsoft BitLocker agent, see Encryption Management Agent Policy Limitations on page 8-2.

Procedure
1. Make sure that the Endpoint Encryption device has network access.
2. Click the agent icon.
3. Select About Full Disk Encryption to open the agent menu.
4. Open the Information tab.
5. Click Sync with PolicyServer.
If successful, all Endpoint Encryption policies are up to date.

Synchronizing Policies From the System Tray

Procedure
1. Make sure that the Endpoint Encryption device has network access.
2. Click the agent icon.
3. Select Sync with PolicyServer.
If successful, all Endpoint Encryption policies are up to date.

Updating PolicyServer Settings

Endpoint Encryption allows the PolicyServer settings of Encryption Management for Microsoft BitLocker and Encryption Management for Apple FileVault to be updated, even after installation.

Procedure
1. To update PolicyServer settings for agents where Encryption Management for Microsoft BitLocker is installed, perform the following:
   a. On the agent, open a command line window as an administrator.
   b. Navigate to the following path:
      %Program Files%\Trend Micro\FDE Encryption Management
      Verify that the TMFDEForBitlocker.exe file exists in that location.
   c. Type the applicable command:
      TMFDEForBitlocker.exe -ChangeServer username=<userid> password=<password> newserver=<newserverhostname>
      TMFDEForBitlocker.exe -ChangeServer eusername=<encrypteduserid> epassword=<encryptedpassword> newserver=<newserverhostname>
      TMFDEForBitlocker.exe -ChangeEnterprise username=<userid> password=<password> newserver=<newserverhostname> newenterprise=<newenterprisename> newadmin=<groupadminonnewserver> newpassword=<passwordforgroupadmin>
      TMFDEForBitlocker.exe -ChangeEnterprise eusername=<encrypteduserid> epassword=<encryptedpassword> newserver=<newserverhostname> newenterprise=<newenterprisename> newadmin=<egroupadminonnewserver> enewpassword=<epasswordforgroupadmin>

   Note
   To use encrypted values for user names and passwords generated by CommandLineHelper.exe, replace the argument names with the eusername= and enewpassword= parameters.

2. To update PolicyServer settings for agents where Encryption Management for Apple FileVault is installed, perform the following:
   a. On the agent, open a command line window as an administrator.
   b. Navigate to the following path:
      /Library/Application/Support/TrendMicro/FDEMM/
   c. Type the applicable command:
      $ sudo SupportTool ChangeEnterprise username=<userid> password=<password> newserver=<newserverhostname> newenterprise=<newenterprisename> newadmin=<groupadminonnewserver> newpassword=<passwordforgroupadmin> [skipkeycheck=<true|false>]
      $ sudo SupportTool -ChangeServer eusername=<encrypteduserid> epassword=<encryptedpassword> newserver=<newserverhostname>
      $ sudo SupportTool -ChangeEnterprise eusername=<encrypteduserid> epassword=<encryptedpassword> newserver=<newserverhostname> newenterprise=<newenterprisename> enewadmin=<groupadminonnewserver> enewpassword=<passwordforgroupadmin>

   Note
   To use encrypted values for user names and passwords generated by CommandLineHelper.exe, replace the argument names with the eusername= and enewpassword= parameters.
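The Windows commands in step 1 above are usually run on many agents, so it helps to wrap them with the preflight checks an administrator would otherwise do by hand. The following PowerShell function is an added example and not Trend Micro's tooling: it resolves the installation path given in the guide, confirms TMFDEForBitlocker.exe is present, chooses -ChangeServer or -ChangeEnterprise together with the plaintext or encrypted argument names shown in the commands above, and treats a non-zero exit code as failure. The function name, its parameters, the exit-code convention and the -WhatIf support are this example's own assumptions; values encrypted with CommandLineHelper.exe must be produced beforehand as the Note describes.

```powershell
# Added example, not Trend Micro's own tooling: wrap the TMFDEForBitlocker.exe
# -ChangeServer / -ChangeEnterprise commands from the procedure above with the
# checks an administrator would want. The installation path and argument names
# come from the guide; the function name, its parameters and the assumption that
# a non-zero exit code means failure are this example's own.
#Requires -RunAsAdministrator

function Invoke-TmfdeChangeServer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$NewServer,
        # PolicyServer account; pass CommandLineHelper.exe output here with -EncryptedCredentials.
        [Parameter(Mandatory)] [string]$UserId,
        [Parameter(Mandatory)] [string]$Password,
        # Supplying an Enterprise switches to -ChangeEnterprise, which also needs a group admin.
        [string]$NewEnterprise,
        [string]$NewAdmin,
        [string]$NewAdminPassword,
        # Use the e-prefixed argument names (eusername=, epassword=, enewpassword=).
        [switch]$EncryptedCredentials
    )

    # %Program Files%\Trend Micro\FDE Encryption Management, as given in the guide.
    $exe = Join-Path $env:ProgramFiles 'Trend Micro\FDE Encryption Management\TMFDEForBitlocker.exe'
    if (-not (Test-Path -LiteralPath $exe)) {
        throw "TMFDEForBitlocker.exe not found at '$exe'. Is Encryption Management for Microsoft BitLocker installed?"
    }

    $userArg = if ($EncryptedCredentials) { 'eusername' } else { 'username' }
    $passArg = if ($EncryptedCredentials) { 'epassword' } else { 'password' }
    $cmdArgs = @("$userArg=$UserId", "$passArg=$Password", "newserver=$NewServer")

    if ($NewEnterprise) {
        if (-not $NewAdmin -or -not $NewAdminPassword) {
            throw '-ChangeEnterprise requires -NewAdmin and -NewAdminPassword.'
        }
        $mode = '-ChangeEnterprise'
        # The guide's BitLocker commands keep newadmin= for both forms and use
        # enewpassword= only for the encrypted group-admin password.
        $adminPassArg = if ($EncryptedCredentials) { 'enewpassword' } else { 'newpassword' }
        $cmdArgs += "newenterprise=$NewEnterprise", "newadmin=$NewAdmin", "$adminPassArg=$NewAdminPassword"
    } else {
        $mode = '-ChangeServer'
    }

    # Never log $cmdArgs: it carries credentials. -WhatIf shows only the mode and server.
    if ($PSCmdlet.ShouldProcess($NewServer, "TMFDEForBitlocker.exe $mode")) {
        & $exe $mode @cmdArgs
        if ($LASTEXITCODE -ne 0) {
            throw "TMFDEForBitlocker.exe $mode exited with code $LASTEXITCODE"
        }
        Write-Verbose 'Command completed. Confirm the new PolicyServer on the agent Information tab (step 3 of the procedure).'
    }
}

# Usage with placeholder values (replace with CommandLineHelper.exe output and your server name):
# Invoke-TmfdeChangeServer -NewServer '<newserverhostname>' -UserId '<encrypteduserid>' `
#     -Password '<encryptedpassword>' -EncryptedCredentials -WhatIf
```

Prefer the encrypted form in practice: plaintext username= and password= arguments are recorded wherever process command lines are audited (Windows event 4688 with command-line logging, Sysmon event 1), so the eusername=/epassword= variant keeps PolicyServer credentials out of those logs.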

3. Verify that the changes were applied to the agent.

Encryption Management for Apple FileVault

Encryption Management for Apple FileVault manages Apple FileVault to encrypt the entire OS X startup volume, which typically includes the home directory, abandoning the disk image approach. It manages encryption using Apple FileVault with the user's password as the encryption passphrase. Encryption Management for Apple FileVault uses AES in XTS mode with 128-bit blocks and a 256-bit key to encrypt the disk, as recommended by NIST. Only unlock-enabled users can start or unlock the drive. Once unlocked, other users may also use the computer until it is shut down.

Note
Mac OS local accounts or mobile accounts are able to initiate encryption on Mac OS X Mountain Lion or later. Other Mac OS user account types are unable to initiate encryption. To create a mobile account for Active Directory on your Mac, see Creating a Mobile Account for Active Directory on Mac OS.

Viewing Encryption Status

Procedure
1. Click the Full Disk Encryption icon. For Windows, go to the system tray. For Mac OS, go to the menu bar.
2. Open the Encryption Status tab.
3. See Understanding Encryption Status on page 8-6 for details.

Understanding Encryption Status

The Encryption Status tab provides details about the encrypted drives, the types of encryption, and the ratio of the drive that is encrypted or not encrypted. See the description below for more information.

Table 8-5. Device Encryption Status

Item           | Description
---------------|-------------------------------------------------------------------------
Pie Chart      | Represents the ratio of the hard disk that is encrypted and not encrypted.
Drive          | The hard disk with the agent installed.
Encrypted      | The percentage of the drive that is encrypted.
Action         | The current encryption status.
Average speed  | The rate (MB/second) at which the drive is encrypting or decrypting.
Estimated time | The amount of time until the drive is 100% encrypted or decrypted.

Understanding Agent Information

The Information tab provides detailed information about the user account, Endpoint Encryption device, and policy synchronization. See the description below for more information.

Table 8-6. Agent Information

Label            | Description
-----------------|----------------------------------------------------------------------
TMEE user name   | The Endpoint Encryption account used to log on to the Endpoint Encryption device. This is different from the Mac OS logon.
Device ID        | The unique ID that identifies the agent and endpoint to PolicyServer.
Operating system | The operating system and version currently installed on the endpoint.
Computer Name    | The endpoint computer name that identifies it on the network.
Enterprise       | The Enterprise name of the PolicyServer managing agent policies.
Last sync        | The timestamp of the last policy synchronization with PolicyServer. For details about synchronizing policies, see Synchronizing Policies From the Menu Bar.
Synchronize now  | Forces an immediate policy update.

Synchronizing Policies with PolicyServer

There are two ways to synchronize policies with PolicyServer. For information about policies affecting Encryption Management for Apple FileVault devices, see Encryption Management Agent Policy Limitations on page 8-2.
- Synchronizing Policies from the About Screen on page 8-17
- Synchronizing Policies From the Menu Bar on page 8-18

Policy Synchronization

The following list explains the events that initiate policy synchronization between agents and PolicyServer:
- After the operating system loads and the agent service starts
  Note: For information about Endpoint Encryption services, see Endpoint Encryption Services on page C-1.
- At regular intervals based on the PolicyServer synchronization policy
- Manually, by clicking the Synchronize Policies button in the agent context menu

Note
Device actions initiate after the agent receives policy updates.

Synchronizing Policies from the About Screen

For information about policy limitations affecting Encryption Management for Apple FileVault agents, see Encryption Management Agent Policy Limitations on page 8-2.

Procedure
1. Make sure that the Endpoint Encryption device has network access.
2. Click the agent icon.
3. Select About Full Disk Encryption to open the agent menu.
4. Open the Information tab.
5. Click Synchronize now.
If successful, all Endpoint Encryption policies are up to date.

Synchronizing Policies From the Menu Bar

Procedure
1. Make sure that the Endpoint Encryption device has network access.
2. Click the agent icon.
3. Select Synchronize Policies.
If successful, all Endpoint Encryption policies are up to date.

Updating PolicyServer Settings

Endpoint Encryption allows the PolicyServer settings of Encryption Management for Microsoft BitLocker and Encryption Management for Apple FileVault to be updated, even after installation.

Procedure
1. To update PolicyServer settings for agents where Encryption Management for Microsoft BitLocker is installed, perform the following:
   a. On the agent, open a command line window as an administrator.
   b. Navigate to the following path:
      %Program Files%\Trend Micro\FDE Encryption Management
      Verify that the TMFDEForBitlocker.exe file exists in that location.
   c. Type the applicable command:
      TMFDEForBitlocker.exe -ChangeServer username=<userid> password=<password> newserver=<newserverhostname>
      TMFDEForBitlocker.exe -ChangeServer eusername=<encrypteduserid> epassword=<encryptedpassword> newserver=<newserverhostname>
      TMFDEForBitlocker.exe -ChangeEnterprise username=<userid> password=<password> newserver=<newserverhostname> newenterprise=<newenterprisename> newadmin=<groupadminonnewserver> newpassword=<passwordforgroupadmin>
      TMFDEForBitlocker.exe -ChangeEnterprise eusername=<encrypteduserid> epassword=<encryptedpassword> newserver=<newserverhostname> newenterprise=<newenterprisename> newadmin=<egroupadminonnewserver> enewpassword=<epasswordforgroupadmin>

   Note
   To use encrypted values for user names and passwords generated by CommandLineHelper.exe, replace the argument names with the eusername= and enewpassword= parameters.

2. To update PolicyServer settings for agents where Encryption Management for Apple FileVault is installed, perform the following:
   a. On the agent, open a command line window as an administrator.
   b. Navigate to the following path:
      /Library/Application/Support/TrendMicro/FDEMM/
   c. Type the applicable command:
      $ sudo SupportTool ChangeEnterprise username=<userid> password=<password> newserver=<newserverhostname> newenterprise=<newenterprisename> newadmin=<groupadminonnewserver> newpassword=<passwordforgroupadmin> [skipkeycheck=<true|false>]
      $ sudo SupportTool -ChangeServer eusername=<encrypteduserid> epassword=<encryptedpassword> newserver=<newserverhostname>
      $ sudo SupportTool -ChangeEnterprise eusername=<encrypteduserid> epassword=<encryptedpassword> newserver=<newserverhostname> newenterprise=<newenterprisename> enewadmin=<groupadminonnewserver> enewpassword=<passwordforgroupadmin>

   Note
   To use encrypted values for user names and passwords generated by CommandLineHelper.exe, replace the argument names with the eusername= and enewpassword= parameters.

3. Verify that the changes were applied to the agent.

Creating a Mobile Account for Active Directory on Mac OS

Mac OS local accounts or mobile accounts are able to initiate encryption on Mac OS X Mountain Lion or later. Other Mac OS user account types are unable to initiate encryption.

If a Mac OS account other than a local account or mobile account attempts to initiate encryption, a notification appears. The following task shows how to create a mobile account for your Mac OS account to work around this issue.

Procedure
1. Go to System Preferences... in the Apple menu. The System Preferences window appears.
2. Select Users & Groups under the System section.
3. Click the lock icon in the lower left corner.
4. Click Create... next to Mobile account.
5. On the following screens, select any personal settings, and click Create to proceed from one screen to the next.
6. When prompted, enter your Active Directory password and click OK.
Your mobile account has been created. You may now use this mobile account to initiate encryption.

Troubleshooting Password and Encryption Issues

After installing Encryption Management for Apple FileVault and restarting the endpoint, Apple FileVault attempts to encrypt the disk.

If the password specified during installation did not match the specified user account, a password window appears.

For endpoints with hard drives not using APFS (Apple File System), restart the endpoint again after specifying the correct password. If the password was the issue, Apple FileVault encrypts the endpoint after restarting.

For endpoints running Mac OS High Sierra (10.13) with SSDs using APFS, a restart is not required. Apple FileVault encrypts the endpoint after the correct password is specified.

If this problem persists, or if the encryption status displays that the endpoint is not encrypting, then another issue is restricting Apple FileVault functionality. Do the following procedure to determine the location of the issue and whether to send the issue to Trend Micro Support.

Procedure
1. From the Apple menu, go to Security & Privacy > FileVault.
2. If the lock icon is locked, click the lock icon to make changes.
3. Click Turn On FileVault. A window appears that asks for your password.
4. Type your password and click Start Encryption. If your user account has permission to turn on FileVault, your credentials are correct, and FileVault is working properly, FileVault begins encrypting the disk.
5. If FileVault encounters any issues during encryption after this point, take relevant screenshots of those issues and contact Trend Micro Support.

Chapter 9
Recovery

This chapter explains methods to recover inaccessible drives encrypted by Full Disk Encryption.

Preboot Errors after Installation

If the first run of the preboot is unable to load immediately after installation, Full Disk Encryption performs the following:
- Restores the normal boot process, and boots into Windows
- Prevents encryption from starting
- Displays an error message

This may be due to the following issues:

Issue: Incomplete installation
  Description: The installer was not able to complete installation.
  Solution: Uninstall Full Disk Encryption, reboot, and try running the installer again.

Issue: Unexpected shutdown
  Description: Usually does not cause an issue. However, it is possible that the installer was not able to complete installation.
  Solution: Restart the endpoint first. If the error persists, uninstall Full Disk Encryption, reboot, and try running the installer again.

Issue: Incompatible hardware
  Description: Unable to complete preboot loading due to incompatible hardware or firmware.
  Solution: Uninstall Full Disk Encryption, and then do one of the following:
  - Remove all incompatible hardware
  - Update all incompatible firmware
  Note: To determine whether specific hardware or firmware is incompatible with the Full Disk Encryption installation, contact Trend Micro support for more details.
  Re-install Full Disk Encryption. If the issue persists, contact Trend Micro support for assistance.

Full Disk Encryption Recovery Methods

If a device is fully encrypted by Full Disk Encryption, issues may occur with the system or a program that hinder or prevent access to Windows or related services. In these cases, use the following methods and tools to recover your system, listed in order from the least severe to the most severe situation.

Situation: Windows is working normally but Full Disk Encryption affects some applications, reduces Windows performance, or displays error messages.
  Recovery Method: Uninstall Full Disk Encryption
  Description: Uninstalling Full Disk Encryption removes Full Disk Encryption from the device. Once uninstallation is complete, you may proceed with other recovery actions within Windows if necessary. Afterwards, you may attempt to reinstall Full Disk Encryption. For uninstallation steps, see the Endpoint Encryption Installation Guide.

Situation: The Full Disk Encryption preboot loads, but Windows does not.
  Recovery Method: Recovery Console on page 9-5
  Description: The Full Disk Encryption Recovery Console can be opened from the Full Disk Encryption preboot. To decrypt the hard disk, open the Full Disk Encryption Recovery Console and go to Manage Disk > Decrypt This Disk. This option decrypts the selected hard disk on the fly or saves an image of the decrypted hard disk to removable media.
  Note: This method is not recommended if Windows is functioning normally.

Situation: At startup, neither Windows nor the Full Disk Encryption preboot starts up. The endpoint displays a black screen with an unmoving input symbol.
  Recovery Method: Recovery Tool on page 9-23
  Description: This issue normally occurs because the MBR is corrupted. The Full Disk Encryption Recovery Tool attempts to repair the MBR. If successful, the Full Disk Encryption preboot loads normally the next time the endpoint starts.

Situation: At startup, the endpoint displays the background of the Full Disk Encryption preboot, but the logon window does not load.
  Recovery Method: Recovery Tool on page 9-23
  Description: This issue normally occurs because the Full Disk Encryption database is corrupted. The Recovery Tool attempts to obtain information from PolicyServer and replace the corrupted Full Disk Encryption database. If successful, the Full Disk Encryption preboot loads normally the next time the endpoint starts.

Situation: The endpoint is unable to start Windows or access the Full Disk Encryption preboot. The Recovery Tool is unable to repair the disk.
  Recovery Method: Contact Technical Support
  Description: Attempt to perform the other recovery methods first. If the previous recovery methods are inaccessible or do not work, contact Trend Micro support. The Trend Micro support team will do their best to resolve your issue. For more information, see Technical Support.

Recovery Console

The Full Disk Encryption Recovery Console allows Administrators, Authenticators, and permitted Users to do the following:
- Recover Full Disk Encryption devices in the event of primary operating system failure
- Troubleshoot network connectivity issues
- Decrypt disks to retrieve inaccessible data
- Manage policies when not connected with PolicyServer

WARNING!
If the disk is encrypted, do not use Windows or third-party repair utilities to recover data. Use the Recovery Console and decrypt the disk first. Otherwise, data may be lost, corrupted, or become inaccessible.

All policy changes are overwritten when the Full Disk Encryption agent synchronizes policies with PolicyServer.

Recovery Console Options

Console Menu: Manage Disks
  Description: Displays options for managing disks on the endpoint. For details, see Manage Disks Options on page 9-8.

Console Menu: Mount Partitions
  Description: Provides access to the encrypted partitions for file management. View encrypted files or copy files to an external device.
  Note: This option is only available for disks using software encryption. This option is unavailable if the disk is a SED.

Console Menu: Manage Users
  Description: Add or remove users from the device when not connected to PolicyServer.

Console Menu: Manage Policies
  Description: Modify policies for devices that are either not managed by PolicyServer or are managed but are temporarily not connected to PolicyServer. If the device is managed, policy changes are overwritten the next time that the device communicates with PolicyServer.

Console Menu: View Logs
  Description: View and search the various Full Disk Encryption logs.
  Note: Logs are available only when the Recovery Console is accessed from Windows.

Console Menu: Network
  Description: Clicking Network opens two screen options:
  - Setup: Configure your Internet connection settings, including whether you use a static or dynamic IP address, your PolicyServer address, and your Wi-Fi settings.
  - Troubleshooting: View your DHCP logs and run trace route commands.

Console Menu: Back to Login
  Description: Exit the Recovery Console and return to the login screen.

Console Menu: Exit
  Description: Exit the Recovery Console.

Accessing the Recovery Console from Full Disk Encryption Preboot

By default, only Administrator and Authenticator accounts may access the Recovery Console. To allow other users to access the Recovery Console, enable user recovery from your management console. For Control Manager, see Configuring Full Disk Encryption Rules.

Procedure
1. Start or restart the endpoint. The Full Disk Encryption preboot appears.
2. Select the Recovery Console check box.
3. Specify Endpoint Encryption user account credentials.
4. Click Login. The Recovery Console opens.

Accessing Recovery Console from Windows

Procedure
1. In Windows, go to the Full Disk Encryption installation directory. The default location is C:\Program Files\Trend Micro\Full Disk Encryption\.
2. Open RecoveryConsole.exe. The Recovery Console window appears.
3. Specify the Endpoint Encryption user name and password, then click Login. Recovery Console opens to the Manage Disks page.

Manage Disks Options

The options displayed in the Manage Disks screen change depending on the status of the disks attached to the device.

Option: Encrypt
  Description: Encrypt new unencrypted disks. This is the only option available if the Recovery Console is accessed from Windows. The system disk is selected by default. For details, see Encrypt Disks on page 9-9.

Option: Decrypt All
  Description: Decrypt the system disk and all data disks attached to the endpoint.

Option: Decrypt this Disk
  Description: Decrypt the selected disk. For details, see Using Decrypt Disk in Preboot.

Option: Stop
  Description: Stop the decryption process.

Option: Detach Disk
  Description: Exclude the disk from being managed by Full Disk Encryption. This option is available only for data disks which have completed decryption. After detaching the disk, Full Disk Encryption identifies the disk as a new disk and excludes it from all policies. To manage the disk again, use Full Disk Encryption to re-encrypt the disk.

Option: Restore Boot Partition
  Description: Roll back the MBR to its state before Full Disk Encryption installation. This option is available only for system disks which have completed decryption. To enable this option, detach all data disks from the endpoint. For details, see Restore Boot.

Option: Unlock SED
  Description: Remove the preboot from an SED system disk. This option is available only for SED system disks which have completed decryption. To enable this option, detach all data disks from the endpoint.

Encrypt Disks

Use the Recovery Console to initialize the encryption of new unencrypted disks.

Note
This process requires a working connection to PolicyServer.

Procedure
1. Power off the endpoint and attach the new disk.
2. Boot into Windows. Windows detects and installs drivers for the new disk.
3. Start the Recovery Console from Windows. For details, see Accessing Recovery Console from Windows.

4. Log on to Recovery Console.
5. On the Manage Disks screen, click Summary to review which disks to encrypt.
   Note: Full Disk Encryption shows unencrypted disks as Unmanaged disks.
6. Select the disk that needs to be provisioned, and click Encrypt Disk. A notification appears informing the user that the disk has been successfully provisioned for encryption.
7. (Optional) For devices with multiple disks, repeat the previous step to provision additional disks for encryption.
8. Restart the endpoint to begin encryption.
9. After restarting, click the Full Disk Encryption icon in the system tray and use the Encryption Status tab to monitor the progress of the encryption.

Decrypt Disks

Full Disk Encryption provides the following options for decrypting disks:
- Use PolicyServer to deploy a policy that decrypts all disks for a specific group. Set the Encrypt Device value to No. For details, see the Endpoint Encryption 6.0 PolicyServer MMC Guide.
- Uninstalling Full Disk Encryption automatically decrypts all disks attached to a device. For uninstallation steps, see the Endpoint Encryption Installation Guide.
- Start disk decryption from the Recovery Console in preboot. For details, see Using Decrypt Disk in Preboot.

Important
Use the preboot's Decrypt Disk function only if you have problems booting into Windows. If there are no issues accessing Full Disk Encryption from Windows, Trend Micro recommends using PolicyServer or the Full Disk Encryption uninstaller to decrypt disks.

Using Decrypt Disk in Preboot

Selecting Decrypt Disk in preboot decrypts an encrypted Full Disk Encryption hard disk, but does not remove any of the encryption drivers.

WARNING!
Read all instructions first before using Decrypt Disk. Data loss may occur if performed incorrectly. Use the preboot's Decrypt Disk function only if you have problems booting into Windows. Do not use Decrypt Disk to remove Full Disk Encryption from any Endpoint Encryption device that is functioning normally. Use TMFDEUninstall.exe instead.

To decrypt the Full Disk Encryption device, the user must have sufficient rights to access the Recovery Console. To allow all users in a group/policy to access the Recovery Console, enable the following policy:

Management Console | Menu Path
-------------------|--------------------------------------------------------------------------------------------
PolicyServer MMC   | Go to Full Disk Encryption > Agent > Allow User Recovery.
Control Manager    | Create or edit a policy, then go to Full Disk Encryption > Users are allowed to access system recovery utilities.

With an Administrator, Authenticator, or permitted User account, perform the following to decrypt a disk.

Procedure
1. Log on to Recovery Console. See Accessing the Recovery Console from Full Disk Encryption Preboot on page 9-7. Recovery Console opens to the Manage Disk page.
2. Do one of the following:
   - Click Decrypt All to decrypt all encrypted drives in the device.
   - Click Summary, select a disk, and click Decrypt to decrypt only the selected disk.
   Decryption begins immediately and the Manage Disk page shows the decryption progress.
3. When decryption completes, Full Disk Encryption displays the following options:
   - For system disks, Full Disk Encryption displays Restore Boot Partition or Unlock SED, depending on the disk type. For details, see Restore Boot.
   - For data disks, Full Disk Encryption displays Detach Disk. Click it to exclude the disk from being managed by Full Disk Encryption.
4. Click Exit to reboot the Endpoint Encryption device.
5. Log on to the Full Disk Encryption preboot.
6. Log on to Windows. Verify that all disks selected for decryption are no longer encrypted.

Mount Partitions

Use Mount Partitions to copy files between the encrypted hard disk and external storage before imaging or reformatting the drive. The encrypted contents of the drive appear in the left pane, and an unencrypted device can be mounted in the right pane. Use copy and paste to move files between panes. Files copied to the encrypted drive are encrypted. Files copied out of the encrypted drive are decrypted.

Restore Boot

The Restore Boot option restores the original boot record on the system disk of an Endpoint Encryption device when the device is fully decrypted. Restore Boot is only available from the Full Disk Encryption preboot. Decrypt the disk before restoring the Master Boot Record (MBR).

WARNING!
Read all instructions first before using Decrypt Disk. Data loss may occur if performed incorrectly.

Procedure
1. Log on to Recovery Console. See Accessing the Recovery Console from Full Disk Encryption Preboot on page 9-7. Recovery Console opens to the Manage Disks page.
2. Click Summary, and then click Decrypt All.
3. Wait for the disk to complete decryption.
4. After decryption, select a data disk and click Detach. Repeat this step for all data disks in the endpoint. Only the system disk should remain. Restore Boot Partition becomes available after all data disks have been detached from the endpoint.
   Note: If the system disk is a SED disk, the Recovery Console displays Unlock SED instead.

202 Trend Micro Endpoint Encryption Administrator Guide 5. Click Restore Boot Partition. A Replace MBR confirmation window appears. 6. Click Yes to replace the MBR. A message confirming the MBR replacement displays. 7. Click Exit. The Endpoint Encryption device boots into Windows. Manage Full Disk Encryption Users Use Manage Users to add or remove users from the Full Disk Encryption preboot cache or to change a user's cached password. The Manage Users option is useful when the Full Disk Encryption agent cannot connect to PolicyServer. Both the Full Disk Encryption preboot and Windows Recovery Console can use this option. Note Manage Users is only available when not connected to PolicyServer. Changes made to users through Recovery Console are overridden when Full Disk Encryption connects to PolicyServer. Some considerations about passwords: Assigned passwords are always a fixed password. Specify the user password expiration date using the Password Expiration calendar. Setting the date to the current date or older forces an immediate password change. Setting the date to a future date commits a change on that specified date. Editing Users Editing users in Recovery Console follows the same rules as the Enterprise. For information about roles and authentication, see Authentication Overview on page

Procedure

1. Select the user from the user list.

2. Update the desired information.

3. Select the user type. For an explanation of account roles, see Authentication Overview.

4. Set the password expiration date.

5. Click Save. The user account is updated.

Adding Users

Procedure

1. Click Add User.

2. Specify the user name and password, then confirm the password.

3. Select the authentication method from the Authentication Type drop-down list.

4. Set the password expiration date.

5. Click Save. The new user appears in the User List and a confirmation window appears.

6. Click OK to close the confirmation window. The new user account is added.

Deleting Users

Procedure

1. Select a user from the user list.

2. Click Delete User. A delete user confirmation window appears.

3. Click Yes. The user is deleted from the user list.

Manage Policies

Use Manage Policies to set various policies for the Full Disk Encryption Recovery Console. For more information about these policies, see the Administrator's Guide for PolicyServer MMC.

Note: The Manage Policies option is only available when not connected to PolicyServer, and any changes are overridden the next time Full Disk Encryption connects to PolicyServer.

View Logs

Use View Logs to search for and display logs based on specific criteria. View Logs is only available from Recovery Console in Windows; it is unavailable from the Full Disk Encryption preboot. For information about viewing Full Disk Encryption logs, see Accessing Recovery Console from Windows.

Network

Go to Network > Setup to verify, test, or change the network settings used by the Full Disk Encryption preboot. Go to Network > Troubleshooting to view DHCP logs and run traceroute commands.

Managing Network Configuration

By default, Get setting from Windows is selected for both IPv4 and IPv6. Deselect this option to configure the network settings manually.

- Selecting DHCP (IPv4) or Automatically get address (IPv6) uses the dynamically assigned IP address.
- Selecting Static IP enables all fields in that section. In the IPv6 tab, selecting Static IP while the IP Address field is empty generates a unique IP address based on the hardware address of the machine.

Migrating Full Disk Encryption to a New Enterprise

One PolicyServer instance may have multiple Enterprise configurations, each representing a business unit or department. Moving to a new Enterprise removes the Endpoint Encryption device from the old Enterprise and adds it to the new Enterprise within the same PolicyServer instance. The Full Disk Encryption agent may need to move to a new Enterprise when an employee moves to a different department or office location.

WARNING! Changing the Enterprise requires configuring policies again and recreating groups, and deletes all cached passwords, password history, and audit logs. Retain any audit logs you need before proceeding.

Procedure

1. Click Network Setup.

2. Select the PolicyServer tab.

3. Click Change Enterprise. The Change Enterprise screen appears.

   Figure 9-1. Recovery Console Change Enterprise

4. Configure the following options:

   New Server User: Specify a Group Administrator account user name, or the user name of an account with permission to install to the group in the new PolicyServer.

   New User Password: Specify the password for that account.

   New Server Address: Specify the new PolicyServer IP address or host name.

   New Enterprise: Specify the new PolicyServer Enterprise.

5. Click Save. Full Disk Encryption validates the new PolicyServer information.

6. At the confirmation message, click OK.

Note: Restart the Full Disk Encryption agent to update the encryption status displayed in PolicyServer MMC and Control Manager.

Changing the Full Disk Encryption PolicyServer

Note: Changing the PolicyServer requires access to the Full Disk Encryption Recovery Console.

Procedure

1. Start or restart the endpoint. The Full Disk Encryption preboot appears.

2. Select the Recovery Console check box.

3. Specify Endpoint Encryption user account credentials.

   Note: By default, only Administrator and Authenticator accounts may access the Recovery Console. To allow other users to access the Recovery Console, enable user recovery from your management console.

4. Click Login. The Recovery Console opens.

5. Go to Network > Setup.

6. Select the PolicyServer tab.

7. Click Change Server.

8. At the warning message, click Yes.

9. Specify the new server address.

10. Click Save.

Configuring Wi-Fi Settings

Wi-Fi settings are available from the Recovery Console when it is opened from the Full Disk Encryption preboot.

Note: The Full Disk Encryption preboot cannot automatically detect the authentication type for WEP security. If the authentication type is WEP-OPEN or WEP-PSK, specify the security type manually. WEP offers no effective protection against eavesdropping; use it only where no stronger option is available.

Procedure

1. Go to the Wi-Fi tab on the Network Setup screen.

   The Wi-Fi settings screen appears. From this screen, you can disconnect from the current wireless connection by clicking Disconnect.

2. Click Configure to modify your wireless network.

   The Wireless Network Configuration screen appears.

3. Select your network:
   - To use a listed network, select the SSID, then click OK.
   - To configure an unlisted network, click Other Network, specify the SSID settings, then click Connect.

   Important: Do not close the screen or restart the endpoint during configuration.

Network Troubleshooting

The tabs on the Troubleshooting screen allow more in-depth investigation of network problems. The following tabs are available:

- DHCP Client: Displays the latest DHCP client logs. If no DHCP request has been made or there is an error, click Set Up Interface to configure the network interface card automatically and perform another DHCP request.
- Traceroute: Tests the network path by performing a traceroute to PolicyServer. Click Traceroute to perform a new traceroute request.

Recovery Tool

The Full Disk Encryption Recovery Tool is a bootable disk used to repair a device that is unable to boot. The latest version of the Recovery Tool is available for download from the Trend Micro Download Center.

The Recovery Tool allows users to do the following:

- Scan and repair Full Disk Encryption issues that prevent users from logging on to Windows
- Open the Full Disk Encryption preboot if the agent is unable to access the preboot normally
- Recover files from an encrypted disk

Note: In previous versions of Endpoint Encryption, a Repair CD was provided with the product. In Endpoint Encryption 5.0 Patch 4, the Repair CD was replaced by the Recovery Tool.

Preparing the Recovery Tool

The Full Disk Encryption Recovery Tool is a preconfigured Linux environment packaged as an ISO file. To use the Recovery Tool, write the ISO to bootable removable media such as a DVD or USB flash drive. The following procedure shows one example of how to install the Recovery Tool on a USB storage device using the free third-party program Rufus.
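The Rufus procedure that follows is GUI-driven and Windows-only. The Python script below is an added example written by the editor, not part of this guide or of Trend Micro's tooling: it performs the same two steps from a Linux or macOS administration host, checking the downloaded ISO against a SHA-256 value obtained from a trusted source and then copying the image byte-for-byte to the target device, which is what Rufus's DD Image mode does. Verifying the image matters because the Recovery Tool can decrypt files and remove the preboot from SED system disks, so the media that boots it must be authentic. The guide publishes no hash and names no device node, so EXPECTED_SHA256 and TARGET_DEVICE are placeholders you must replace; the script also refuses to write to a target that is currently mounted.

```python
"""Verify and raw-write a Full Disk Encryption Recovery Tool ISO.

Added example (editor's code, not Trend Micro's): the equivalent of Rufus's
"DD Image mode" with an integrity check in front of it. EXPECTED_SHA256 and
TARGET_DEVICE are placeholders/assumptions; the guide publishes neither.
"""
import hashlib
import os
import stat
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB blocks, as one would pass to dd bs=4M

# Placeholder: replace with the value obtained from a trusted source.
EXPECTED_SHA256 = "0" * 64
TARGET_DEVICE = "/dev/sdX"  # assumption: the USB device node on the admin host


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so a large ISO never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def is_mounted(target: str) -> bool:
    """True if the target (or a partition on it) appears in /proc/mounts (Linux).

    On hosts without /proc/mounts this returns False; the caller is then
    responsible for making sure the device is not in use.
    """
    try:
        with open("/proc/mounts") as f:
            mounts = f.read().splitlines()
    except OSError:
        return False
    real = os.path.realpath(target)
    return any(line.split()[0].startswith(real) for line in mounts if line.strip())


def _write_all(fd: int, data: bytes) -> None:
    """os.write may return a short count; loop until every byte is written."""
    view = memoryview(data)
    while view:
        n = os.write(fd, view)
        view = view[n:]


def write_image(iso_path: str, target: str, expected_sha256: str) -> int:
    """Verify the ISO hash, then copy it byte-for-byte to target. Returns bytes written.

    Raises ValueError on a hash mismatch (never boot an unverified recovery image)
    and RuntimeError if the target is mounted (never clobber a live disk).
    """
    actual = sha256_of(iso_path)
    if actual.lower() != expected_sha256.lower():
        raise ValueError(f"ISO hash mismatch: expected {expected_sha256}, got {actual}")
    if is_mounted(target):
        raise RuntimeError(f"{target} is mounted; unmount it before writing")

    written = 0
    fd = os.open(target, os.O_WRONLY | os.O_CREAT, 0o600)
    try:
        with open(iso_path, "rb") as src:
            for block in iter(lambda: src.read(CHUNK), b""):
                _write_all(fd, block)
                written += len(block)
        if stat.S_ISREG(os.fstat(fd).st_mode):
            os.ftruncate(fd, written)  # drop stale bytes when the target is a regular file
        os.fsync(fd)  # flush to the device before the user pulls the USB stick
    finally:
        os.close(fd)
    return written


def self_check() -> dict:
    """Exercise write_image against a constructed pseudo-ISO in a temp directory.

    Returns the outcomes so the behaviour can be checked without real media.
    """
    with tempfile.TemporaryDirectory() as tmp:
        iso = os.path.join(tmp, "RecoveryTool_test.iso")  # constructed sample, not a real ISO
        target = os.path.join(tmp, "fake_device.img")
        payload = os.urandom(5 * 1024 * 1024 + 17)  # deliberately not a multiple of CHUNK
        with open(iso, "wb") as f:
            f.write(payload)
        written = write_image(iso, target, sha256_of(iso))
        with open(target, "rb") as f:
            identical = f.read() == payload
        try:
            write_image(iso, target, "ff" * 32)  # wrong hash must be refused
            rejected = False
        except ValueError:
            rejected = True
        return {"size": len(payload), "written": written,
                "identical": identical, "bad_hash_rejected": rejected}


if __name__ == "__main__":
    print(self_check())
```

To use it for real media, call write_image("RecoveryTool_x.x.x.xxxx.iso", TARGET_DEVICE, EXPECTED_SHA256) as root after replacing both placeholders; the raw write is the UEFI-endpoint choice from step 9 of the Rufus procedure, and the hash check is the step Rufus does not do for you.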

Procedure

1. Download the Full Disk Encryption installation package. The Endpoint Encryption installation packages are available at the Trend Micro Download Center.

2. Download and run Rufus. The Rufus utility is available on the Rufus website.

3. Attach a USB storage device to the endpoint.

   WARNING! This procedure reformats the USB device, removing all data. Trend Micro recommends backing up all files on the USB device before proceeding.

4. In the Device field, select the USB device.

5. In Partition scheme and target system type, select MBR partition scheme for BIOS or UEFI-CSM.

6. Select Create a bootable disk using, and choose ISO image.

7. Click the image icon and select the image RecoveryTool_x.x.x.xxxx.iso. The Recovery Tool is located in the Full Disk Encryption installation package. For example, if you are using the TMEE Suite package, the Recovery Tool is at the following path:

   <base_file_path>\TMEE Suite\TMEE_Full Disk Encryption-Windows\Tools\RecoveryTool\RecoveryTool_x.x.x.xxxx.iso

8. Click Start.

9. On the ISOHybrid image detected screen, select an option based on the endpoint where the tool will be used:
   - For endpoints that use BIOS, select Write in ISO Image mode (Recommended) and click OK.
   - For endpoints that use UEFI, select Write in DD Image mode and click OK.

   Rufus reformats the USB device and installs the Recovery Tool on it.

10. When Rufus finishes creating the bootable disk, close Rufus and remove the USB device from the endpoint.

Scanning and Repairing a Disk

If you are unable to open Windows or the Full Disk Encryption preboot on a device, use the Full Disk Encryption Recovery Tool to detect problems and potentially repair them. The following task assumes that you have already installed the Recovery Tool on a bootable disk.

Procedure

1. On the endpoint to be repaired, set the boot priority to boot from the device where the Recovery Tool has been installed. For example, if the system uses BIOS, open the BIOS screen and select the Boot tab. If you used a USB storage device for the Recovery Tool, set Removable Devices as the first boot priority.

2. Shut down the endpoint.

3. Attach the Recovery Tool device to the endpoint, or put the Recovery Tool CD or DVD in the disk drive.

4. Start the endpoint. The device boots from the Recovery Tool. At system startup, the Recovery Tool automatically opens the Recovery utility and begins scanning the system disk.

   If it detects a problem with the system disk, the Recovery Tool attempts to repair the issue.

5. The Recovery Tool shows one of the following statuses:
   - FDE System Disk Repaired Successfully: The repair was successful and no further action is necessary. Click View to see more details.
   - Unable to Repair Device: The Recovery Tool requires an administrator account to perform the repair and displays the Extensive Repair option. Click Extensive Repair to log on as an administrator and perform an extensive repair. For details, see Using Extensive Repair.

6. Click Shut Down to shut down the endpoint.

7. Remove the Recovery Tool from the endpoint.

8. Start the endpoint. If repairs were successful, the endpoint loads the Full Disk Encryption preboot screen at startup.

Using Extensive Repair

The Recovery Tool displays the Unable to Repair Device status if it requires an administrator account to perform the repair, and adds the Extensive Repair option to the screen. Clicking View also notifies you that authentication is required to continue repairs.

Procedure

1. Click Extensive Repair.

2. Log on to PolicyServer with the following credentials:

   User name: Specify an Administrator account. Authenticator and normal user accounts may not access the Recovery Tool, regardless of policy configuration.

   Password: Specify the password for that user name.

   PolicyServer: Specify the PolicyServer IP address or host name.

   Device ID: Specify the device ID. For Full Disk Encryption 5.0 Patch 4 or later devices, the Recovery Tool attempts to fill in this field automatically. If the MBR or the Full Disk Encryption database is corrupted, the Recovery Tool may be unable to retrieve this information. If the Recovery Tool cannot retrieve it, or the device has Full Disk Encryption 5.0 Patch 3 or earlier installed, find and copy the device ID from PolicyServer MMC or Control Manager. In Control Manager, the device ID is available from the Full Disk Encryption Status Report widget. See Full Disk Encryption Status.

   Note: If the Recovery Tool is unable to connect to PolicyServer, a message appears requesting that you configure your network. In that case, click Network Status and Configuration to view the current network status. Click Configure to specify the endpoint IP address settings. Click Reconnect to attempt to connect to PolicyServer again and refresh the network information.

3. The Recovery Tool automatically performs additional scanning and repairs. After this process, the Recovery Tool shows FDE System Disk Repaired Successfully.

4. (Optional) To ensure that all users can log on after the repair, click Advanced Functions, and then click Cache All Users. A notification appears informing you that user accounts were cached successfully. For more information about the available advanced functions, see Advanced Functions.

5. (Optional) If you need to collect logs for further troubleshooting, click Start > Collect CDT to run the Case Diagnostic Tool. The Recovery Tool saves the collected logs to the USB drive and shows a notification when collection is finished.

6. Click Shut Down to shut down the endpoint.

7. Remove the Recovery Tool from the endpoint.

8. Start the endpoint. If repairs were successful, the endpoint loads the Full Disk Encryption preboot screen at startup.

Recovery Tool Options

The Full Disk Encryption Recovery Tool opens a Linux operating system with the following options available:

Recovery: Select this option to open the main utility of the Recovery Tool. This utility scans and attempts to repair the device. After scanning, additional functions become available for accessing the Full Disk Encryption preboot and viewing encrypted files on the disk.

   Note: The Recovery Tool may require additional information from PolicyServer to completely repair the device. After initial scanning, the Recovery Tool may request that you authenticate with PolicyServer. Ensure that a network connection is available before using the Recovery Tool. The Recovery Tool supports wired Ethernet connections.

Zoom: Select this option to open the Zoom video conferencing service. Trend Micro Support may ask you to use this service to share your display so that Support can better help you perform the necessary tasks with the Recovery Tool.

   Note: Using Zoom requires access to the Internet.

Language Input: The Recovery Tool supports several language inputs. Go to Start > Language Input and select the language of your keyboard.

Shut Down / Restart: To shut down or restart the endpoint, go to Start > Shut Down and select either Shut Down or Restart.

Advanced Functions

After the Recovery Tool finishes scanning and attempting to repair the device, the completion screen includes the options Advanced Functions and Shut Down. Click Advanced Functions to view a screen with one or more options, depending on the disk types installed on the device.

Note: Accessing the Advanced Functions screen requires authentication. For more information about scanning, repairing, and authentication, see Scanning and Repairing a Disk.

For standard hard drives (not self-encrypting drives), the following options are available:

- Launch File Explorer: Click to open a window that shows your file directory. You can copy files from the drive to an external storage device. The Recovery Tool decrypts those files before adding them to the external device, so the copies are stored in plaintext on the external device; protect that device accordingly.

   Note: Trend Micro recommends backing up your most important files this way. Decryption using this function may take a long time, so if you want to decrypt and copy all files on the drive, decrypt the entire drive using the Recovery Console instead.

- Enable Preboot: Click to set the endpoint to open the Full Disk Encryption preboot the next time you restart with the Recovery Tool attached. The Recovery Tool includes an internal copy of the Full Disk Encryption preboot that you can use to access the Recovery Console to configure network settings or decrypt the device.

- Cache All Users: Click to allow authentication without a network connection to PolicyServer. If the endpoint experiences network connection issues after a repair task, users can still type their correct password to authenticate without connecting to PolicyServer.

For self-encrypting drives (SED), the following option is available:

- Unlock SED: The Recovery Console performs one of the following actions, depending on the disk configuration:
  - If the SED is the system disk, the Recovery Console removes the Full Disk Encryption preboot from the disk, so the device no longer requires authentication with PolicyServer.
  - If the SED is a data disk, the Recovery Console excludes the disk from management by Full Disk Encryption.

   Note: If the device uses an SED as the system disk and the Advanced Functions option is not available, shut down the device and boot it from the Recovery Tool again.

Using the File Explorer

The following example demonstrates how to use the file explorer included in the Recovery Tool to copy local files to an external storage device.

Procedure

1. After the Recovery Tool finishes scanning and attempting to repair the device, click Launch File Explorer on the Advanced Functions screen. The file explorer window appears.

2. Select the files or folders you want to copy.

3. Right-click the files or folders you want to copy, and select Copy on the context menu. Alternatively, press CTRL + C to copy the selected files.

4. Connect an external storage device to the endpoint. The file explorer displays a new sub-tree for the newly attached external storage device.

5. Navigate to the external storage device and locate a destination folder.

6. Right-click an empty area in the destination folder window, and select Paste on the context menu. Alternatively, press CTRL + V to paste the selected files. The file explorer pastes the files copied earlier into the destination folder.

   Note: The Recovery Tool decrypts files before adding them to the external device, so decryption using this function may take a long time. If you want to decrypt and copy all files on the drive, another option is to decrypt the entire drive using the Recovery Console.

Remote Help Assistance

Remote Help allows users to reset a forgotten password or unlock a locked account. Any Endpoint Encryption user who has a locked account or has forgotten the account password must reset the password before being able to log on to any Endpoint Encryption device. Remote Help requires the user to contact the Help Desk for a challenge response. Remote Help does not require network connectivity to PolicyServer. Because the response grants access to the device, the Help Desk should verify the caller's identity before providing it.

Procedure

1. Log on to PolicyServer MMC using any account with Group Administrator permissions in the same policy group as the user.

2. Ask the user to go to Help > Remote Help from the Endpoint Encryption agent.

3. Ask the user for the Device ID.

   Figure 9-2. Remote Help Assistance

4. In PolicyServer MMC, open Enterprise Devices, or expand the user's group and open Devices.

5. In the right pane, right-click the user's device and then select Soft Token. The Software Token window appears.

6. Get the 16-digit challenge code from the user, and type it into the Challenge field of the Software Token window.

7. Click Get Response. The Response field loads with an 8-character string.

8. Tell the user the 8-character string from the Response field.

9. The user enters the string in the Response field on the endpoint and clicks Login.

10. The user must specify a new password.


Chapter 10

Resolved and Known Issues

This chapter describes the Endpoint Encryption issues that have been fixed and the remaining issues and limitations.

Resolved Issues

This section describes the previous Endpoint Encryption issues that have been resolved.

Resolved Issues in Endpoint Encryption 6.0

1. Issue: Loading time from boot to the preboot screen can take more than 5 minutes on some endpoints.
   Solution: This version adds improvements to make the Full Disk Encryption preboot screen load faster.

2. Issue: Screen scaling issues on HD and UltraHD displays may cause the Full Disk Encryption preboot login screen pages and strings to appear too small.
   Solution: This version resolves the issue by giving the Full Disk Encryption preboot screen a specific resolution.

3. Issue: Preboot authentication is slow if PolicyServer is inaccessible.
   Solution: This version adds improvements to the Full Disk Encryption preboot network connection structure.

4. Issue: The PolicyServer device management screen displays a "Not encrypted" status for self-encrypting drives.
   Solution: This version corrects the status that the PolicyServer device management screen displays for self-encrypting drives.

5. Issue: The Wi-Fi connection is unable to connect to PolicyServer during the Full Disk Encryption preboot on some endpoints.
   Solution: This version ensures that the Wi-Fi connection successfully connects to PolicyServer by adding improvements to the Full Disk Encryption preboot.

6. Issue: The Full Disk Encryption sync password tool encounters issues when working with 6.0 Full Disk Encryption agents.
   Solution: The Full Disk Encryption sync password tool now supports both Endpoint Encryption 5.0 and 6.0 agents.

7. Issue: The Full Disk Encryption support tool encounters issues when working with 6.0 Full Disk Encryption agents.
   Solution: The Full Disk Encryption support tool now supports both Endpoint Encryption 5.0 and 6.0 agents.

Resolved Issues in Endpoint Encryption 6.0 Update 1

1. Issue: PolicyServer is unable to complete the upgrade to version 6.0 if the database connection encounters timeout errors.
   Solution: This version fixes the issue by extending the timeout setting to 600 seconds.

2. Issue: The PolicyServer update status log sent to Control Manager may contain strings that are not recognized as valid date-time formats, which causes Control Manager to show incorrect policy and device status information.
   Solution: This version improves the parsing of date-time values.

3. Issue: Domain login is unsuccessful if the default password policy cannot be retrieved.
   Solution: This version improves error handling for null exceptions.

4. Issue: If the application pool is set to enable 32-bit applications, automatic port detection does not work.
   Solution: This version adds support for application pools running 32-bit applications on x64 systems.

5. Issue: Using an Encryption Management for Apple FileVault (Build ) pkg file whose certificate has already expired may cause issues during installation.
   Solution: This version updates the certificate for the installation pkg file.

6. Issue: Unable to install or upgrade the Trend Micro Endpoint Encryption Deployment Tool (Build ) on OfficeScan XG.
   Solution: This version ( ) updates the AU module to fix issues related to SSL certificate verification.

7. Issue: After upgrading to a 6.0 server, a 5.0 client may require more processing time to sync policies. This causes the server to stop answering client requests and crash.
   Solution: This version fixes the issue by extending the timeout setting to 600 seconds.

8. Issue: Unable to perform domain authentication if the user's Distinguished Name contains a special character.
   Solution: This version fixes the issue by encoding special characters in the LDAP filter, which also prevents possible LDAP injection.
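Item 8 above is a security fix as well as a functional one: building an LDAP search filter by concatenating a user name or Distinguished Name into the filter string lets a crafted value add clauses to the query (LDAP injection), and a legitimate DN containing parentheses or an asterisk breaks the filter in exactly the same way. The Python block below is an added example by the editor, not PolicyServer's code; it shows the RFC 4515 value encoding that the fix describes, the unsafe interpolation pattern beside it, and a structural check that makes the difference visible. The attribute names (sAMAccountName, distinguishedName) and the filter shape are assumptions for the example, and the sample values are constructed.

```python
"""RFC 4515 filter-value encoding versus raw interpolation (LDAP injection).

Added example (editor's code, not PolicyServer's). The attribute names and
filter shape are assumptions; PolicyServer's real query is not on this page.
"""
from typing import Optional

# RFC 4515 section 3: characters that must be encoded inside an assertion value.
# NUL is included because it terminates C strings in many LDAP client libraries.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Encode an untrusted string for use as an LDAP filter assertion value.

    Backslash is in the table, so an attacker cannot pre-escape their own
    parentheses; every character the parser treats specially becomes literal.
    Commas, '=' and quotes need no encoding here: those are RFC 4514 (DN syntax)
    concerns, which only apply when a DN is used as a search base, not as a value.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(account: str, distinguished_name: Optional[str] = None) -> str:
    """Safe: every user-controlled value passes through escape_filter_value."""
    clauses = [
        "(objectClass=user)",
        f"(sAMAccountName={escape_filter_value(account)})",
    ]
    if distinguished_name is not None:
        clauses.append(f"(distinguishedName={escape_filter_value(distinguished_name)})")
    return "(&" + "".join(clauses) + ")"


def build_user_filter_unsafe(account: str) -> str:
    """The vulnerable pattern the fix removes: raw interpolation. Do not use."""
    return f"(&(objectClass=user)(sAMAccountName={account}))"


def clause_count(filter_text: str) -> int:
    """Number of assertions in a filter built by the functions above.

    In an escaped filter the only '(' characters are structural, so a count
    that differs from what the builder intended reveals injected clauses.
    """
    return filter_text.count("(") - 1  # minus the outer "(&"


# Constructed sample inputs (not from any real directory).
BENIGN_DN = "CN=O'Brien, Patrick (Sales),OU=Users,DC=example,DC=com"
INJECTION_ATTEMPT = "*)(objectClass=*"  # would widen the match to every object


if __name__ == "__main__":
    print(build_user_filter("pobrien", BENIGN_DN))
    unsafe = build_user_filter_unsafe(INJECTION_ATTEMPT)
    safe = build_user_filter(INJECTION_ATTEMPT)
    print(unsafe, clause_count(unsafe))  # 3 clauses: the injected one is live
    print(safe, clause_count(safe))      # 2 clauses: the payload is inert text
```

With the benign DN, the unescaped form would fail to parse at the directory because of the parentheses in "(Sales)", which is the symptom the issue describes; with the injection attempt, the unescaped form silently turns into a three-clause filter matching any user, while the escaped form keeps the payload as an inert value that matches nothing.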

9. Issue: If PolicyServer sends a status log to Control Manager and an exception error occurs, Trend Micro Endpoint Encryption agents may not appear in Control Manager.
   Solution: This version improves error handling for requests related to getting user information, preventing the exception error.

10. Issue: The ALPS touchpad in Dell laptops is unresponsive during the Full Disk Encryption preboot.
    Solution: This version adds support for the ALPS touchpad in Dell laptops so that it functions normally during preboot on endpoints configured to boot using MBR or UEFI.

11. Issue: After installing Trend Micro Full Disk Encryption, a Windows system configured to use UEFI may boot to a black screen with a blinking cursor.
    Solution: This version provides an updated Trend Micro Full Disk Encryption EFI program for increased compatibility with old UEFI firmware.

12. Issue: In the Encryption Management for Microsoft BitLocker agent console, the "TMEE Username" field displays the user who installed Encryption Management for Microsoft BitLocker instead of the user who is currently logged on.
    Solution: This version fixes the issue by hiding the "TMEE Username" value.

Known Issues

This section describes the Endpoint Encryption issues and limitations, grouped according to agent or console.

PolicyServer MMC Issues

The following are the PolicyServer MMC issues and limitations:

1. If a domain user has the Enterprise Administrator or Enterprise Authenticator role, no event log is created when Active Directory synchronization is unsuccessful.

2. PolicyServer MMC is unable to display information for multiple enterprises. PolicyServer only displays the first enterprise entered into PolicyServer MMC.

3. Permission issues may prevent PolicyServer from upgrading directly to 6.0. To prevent this issue, grant the "db_ddladmin" permission to the PolicyServer database user account before upgrading to 6.0, or upgrade PolicyServer to an intermediate version first and then to 6.0.

4. During preboot, Full Disk Encryption generates message ID "10029" (successful fixed password login) if a user is authenticated by domain password. To distinguish fixed-password authentication from domain authentication, Full Disk Encryption assigns message ID "100057" to domain authentication. Detection rules that key on ID 10029 for preboot logins should include 100057 as well.

5. The Endpoint Encryption 5.0 MMC console is unable to correctly display new policies added in Endpoint Encryption 6.0. To avoid this issue, upgrade the Endpoint Encryption MMC from 5.0 to 6.0 after PolicyServer is upgraded.

6. The time filter function in log events displays incorrect results if the Endpoint Encryption 6.0 MMC connects to a 6.0 beta version of PolicyServer. To solve this issue, upgrade both PolicyServer and the Endpoint Encryption MMC to the 6.0 release version.

7. Control Manager and the Endpoint Encryption MMC display the incorrect encryption status of a device after it is migrated to a new Enterprise and before the device is rebooted. Both display the correct encryption status after the device is rebooted.

8. The Log Integrity Alert report may show log events from the PolicyServer 6.0 beta version as log-integrity-compromised events. Log events from PolicyServer 5.0 or 6.0 release versions are reported correctly.

Control Manager Integration Issues

The following are the Control Manager issues and limitations:

1. After deploying a new policy from Control Manager to PolicyServer, the new policy group does not immediately appear in PolicyServer MMC. To see the new policy group, log off from PolicyServer MMC and log back on.

2. Users cannot be added to the policy if the Users panel in Control Manager Policy Management is disabled.

3. Deleting a policy that was created in Control Manager does not delete the policy from PolicyServer. The policy can still be viewed in PolicyServer MMC; remove it there if it should no longer exist.

Endpoint Encryption Deployment Tool Plug-in Issues

The following are the Endpoint Encryption Deployment Tool plug-in issues and limitations:

1. If the OfficeScan administrator tries to deploy server settings to PolicyServer using an Endpoint Encryption user account, an error message reports that the connection was unsuccessful.

2. Plug-in Manager does not display an error message when the Endpoint Encryption Deployment Tool plug-in is installed on a server that does not meet the minimum system requirement of 1 GB free hard disk space.

3. The Endpoint Encryption device may still appear in Plug-in Manager after the Endpoint Encryption agent has been uninstalled. Agents disappear the next time PolicyServer synchronizes with OfficeScan and the Plug-in Manager screen refreshes.

4. Endpoint Encryption users with a one-time password (OTP) can deploy agents using the Endpoint Encryption Deployment Tool plug-in only once; all later deployments are unsuccessful. After the first deployment, the user must set a fixed password before deploying again.

5. When the uninstall command is deployed from OfficeScan to Full Disk Encryption devices, the message "Successful agent uninstallation request" appears before uninstallation has completed. Endpoint Encryption decrypts the endpoint before completing uninstallation.

Full Disk Encryption Issues

The following are the Full Disk Encryption issues and limitations.

1. The Full Disk Encryption preboot login may encounter reduced performance if the Wi-Fi adapter is connected to an access point with no network access to PolicyServer. This issue occurs when the PolicyServer IP address is used during Full Disk Encryption installation. Use the PolicyServer FQDN during installation to resolve the issue.

2. The Full Disk Encryption preboot Wi-Fi is unable to automatically detect access points with WEP-Shared security. Manually specify WEP-OPEN or WEP-PSK security.

3. The Full Disk Encryption preboot is unable to log on to Windows 8, 8.1, or 10 when installed on a virtual machine in VMware Workstation with the e1000e Ethernet driver. The e1000e driver is the default for Windows 8 and 8.1, and Full Disk Encryption does not support it. To resolve this issue, change the driver to e1000:
   a. Shut down VMware Workstation.
   b. Using a text editor, open the vmware.vmx file.
   c. Find the driver line:
      ethernet0.virtualdev = "e1000e"
   d. Change "e1000e" to "e1000".
   e. Save the file and restart the virtual machine.

4. Full Disk Encryption displays an error message and is unable to lock the system when the LockDeviceTimeDelay policy is minutes.

5. Full Disk Encryption is unable to log on by single sign-on when the endpoint wakes from hibernation.

6. When a user logs on to Full Disk Encryption, the tray icon shows the correct user name. However, if the user logs off after the endpoint hibernates and another user logs on, the tray icon still shows the previous user name. No user data is at risk.

7. Toshiba Tecra computers with self-encrypting drives may be unable to run Windows after installing Full Disk Encryption.

8. The Full Disk Encryption preboot does not support character combinations using the AltGr key with a Spanish keyboard layout.

9. The Full Disk Encryption preboot is unable to control the Num Lock indicator on some HP laptops. In those cases, the Num Lock indicator can be configured in the BIOS settings.

10. Full Disk Encryption does not support installation alongside other third-party full disk encryption products. If multiple encryption products are installed on the same endpoint, the endpoint may be unable to start Windows and may display a blue screen error.

11. The Full Disk Encryption Recovery Tool may encounter errors when logging on to Zoom by single sign-on or with Google or Facebook accounts. To avoid this issue, only use Zoom to join meetings hosted by Trend Micro Support. Do not attempt to host meetings through the Recovery Tool.

12. Full Disk Encryption is unable to install on the HP ProBook 6570b and HP EliteBook Folio 9470m if the boot configuration for these endpoints is set to UEFI. To ensure successful installation, set the boot configuration to BIOS before installation.

13. The Full Disk Encryption installer is unable to upgrade older Full Disk Encryption versions on devices where the system disk contains more than 8 extended partitions. To upgrade these devices to 6.0, uninstall the old version first and then perform a clean install.

14. Full Disk Encryption may display an inaccurate completion percentage if the value of the Encrypt policy setting changes during encryption. To fix this issue, decrypt the whole disk and encrypt it again.

15. Disk conversion from MBR to GPT cannot be performed on a disk managed by Full Disk Encryption. To convert a managed disk from MBR to GPT, decrypt the whole disk first, and then detach the disk from Full Disk Encryption. Afterwards, perform the disk conversion as usual.

16. During preboot, the Wireless Network Configuration screen displays a hidden SSID as \x00\x00\x00\x00\x00\x00\x00\x

231 Resolved and Known Issues 17. In rare cases, sectors may become corrupted if the power is cut off while encrypting. To prevent this issue, ensure that the power cord is connected during the initial encryption period of Full Disk Encryption. 18. Multiple device encryption complete messages from the same device appear in the audit log for a period of time. This is because Full Disk Encryption generates an "encryption complete" message to PolicyServer for encrypted disks whenever the Full Disk Encryption service restarts to ensure that the encryption status on server side is up to date. 19. Full Disk Encryption is incompatible with the PLEXTOR PX-128M5 Pro (old firmware). The encryption status of the disk is displayed as (NaN%) when the encryption starts. 20. Full Disk Encryption usually queries DNS suffixes from Windows and applies it in preboot. However, Full Disk Encryption only uses the first DNS suffix found. To minimize issues, ensure that the preferred DNS suffix is set as the first DNS suffix in Windows. 21. Full Disk Encryption may incorrectly mark the network information display of Windows XP VMware images with an (X). However, this is only a display issue. There is no impact on network connectivity. 22. During preboot, the touchpad of an Acer V3-372 ASUS BU400A machine may be unresponsive. To solve this issue, change the touchpad setting in the firmware from Enhanced to Basic, or use an external USB mouse. 23. When deploying Full Disk Encryption using the Endpoint Encryption Deployment Tool Plug-in, the Endpoint Encryption Deployment Tool Plug-in does not display the result of safety check (a new feature of Full Disk Encryption in 6.0). As a workaround, administrators can manually review the safety check result from Control Manager or the Endpoint Encryption MMC console. 24. Full Disk Encryption may encounter issues if installed on an ASUS BU400A machine using a UEFI SED configuration. 
This causes the firmware to delete the boot entry after the device has booted into Windows, which makes unlocking the self encrypting drive difficult after the device is powered on again. To minimize issues, switch to BIOS with SED configuration, or UEFI with normal disk configuration. If the self encrypting drive cannot be unlocked, administrators may use the recovery tool to unlock the drive after authentication. 10-9

232 Trend Micro Endpoint Encryption Administrator Guide 25. WiFi SSID settings deployed from Control Manager does not support angle brackets (< >). Remove angle brackets from the WiFi SSID settings. 26. The Full Disk Encryption preboot does not support the network port of the Microsoft Surface Dock. However, the Full Disk Encryption preboot supports the built-in Wi-Fi found on the Surface Pro 3 and Surface Pro 4. To establish a connection to PolicyServer, configure the Full Disk Encryption Preboot to use the built-in Wi-Fi. 27. Installation of Full Disk Encryption may cause the endpoint to require more time to resume from hibernation. On average, time to resume from hibernation may take 80 seconds for BIOS-configured endpoints, and 30 seconds for UEFIconfigured endpoints. 28. If the Full Disk Encryption database of a data disk becomes corrupt, the data disk becomes inaccessible in Windows. To resolve this issue, use the Full Disk Encryption recovery tool. The Full Disk Encryption recovery tool reports the disk as "Not an FDE disk", but will still automatically repair the database on the data disk. If the issue persists, contact Trend Micro support for data recovery. 29. Full Disk Encryption is unable to complete installation on Lenovo Think Station P410 endpoints if the boot configuration is set to UEFI. To ensure successful installation, set the boot configuration to BIOS prior to installation. 30. Full Disk Encryption is incompatible with some Dell Optiplex 980 models. To use Full Disk Encryption on these endpoints, install Encryption Management for Microsoft Bitlocker. 31. For NVMe disks, Full Disk Encryption displays the "Failed to find FDE Device" error message if the firmware's SATA Operation setting is set to RAID on. To resolve this issue, switch the firmware's SATA operation setting to AHCI, and then install Full Disk Encryption again. 32. Full Disk Encryption 6.0 Patch 1 release does not support the Gigabyte Q21B. 
The current workaround is to install the Full Disk Encryption build. 33. The Full Disk Encryption preboot is unable to display the network card information of an ASUS T100TA. However, the network connection still works

233 Resolved and Known Issues File Encryption Issues The following are the Full Disk Encryption issues and limitations. 1. If you attempt to delete files or folders in an encrypted folder, Windows prompts the following error: Can't read from the source file or disk. This error occurs because File Encryption is unable to move deleted files and folders in an encrypted folder to the Recycle Bin. To delete files and folders in an encrypted folder, use the permanent delete command Shift + Delete. 2. File Encryption does not support "Self Help" questions and answers. At registration, if the Endpoint Encryption user goes to the "Change Password" screen, the user should be given "Self Help" challenge questions. 3. After upgrading PolicyServer and File Encryption from SP1 to 5.0, policies are unable to synchronize if the File Encryption agent uses port 8080 (TMEE Service) during registration. 4. After upgrading PolicyServer and File Encryption from SP1 to 5.0, authentication is locked at the "Change Password" screen if the File Encryption agent used port 8080 (TMEE Service port) during registration. 5. Uninstalling File Encryption without restarting the endpoint does not automatically remove the program from the Add/Remove Programs list. 6. The legal notice does not appear when the endpoint starts. 7. The File Encryption agent desktop shortcut and agent icon flash when the File Encryption agent synchronizes with PolicyServer. Encryption Management for Microsoft BitLocker Issues There are no known issues for Encryption Management for Microsoft BitLocker in this release. Encryption Management for Apple FileVault Issues The following are the Encryption Management for Apple FileVault issues and limitations

234 Trend Micro Endpoint Encryption Administrator Guide 1. After upgrading Mac OS to , Encryption Management for Apple FileVault may not start encryption if the domain user doesn't have a "secure token" to enable FileVault. Administrators may need to manually apply a secure token to the mobile account. For details, refer to the following Knowledge Base entry: 2. After Encryption Management for FileVault receives the Kill command from PolicyServer, all the user passwords on that device are reset to random characters. However, due to a Mac OS security design, the Kill function may become "locked", and users are unable to unlock FileVault on that device

Chapter 11
Technical Support

Learn about the following topics:

Troubleshooting Resources

Before contacting technical support, consider visiting the following Trend Micro online resources.

Using the Support Portal

The Trend Micro Support Portal is a 24x7 online resource that contains the most up-to-date information about both common and unusual problems.

Procedure
1. Go to
2. Select from the available products or click the appropriate button to search for solutions.
3. Use the Search Support box to search for available solutions.
4. If no solution is found, click Contact Support and select the type of support needed.

Tip: To submit a support case online, visit the following URL:
A Trend Micro support engineer investigates the case and responds in 24 hours or less.

Threat Encyclopedia

Most malware today consists of blended threats, which combine two or more technologies to bypass computer security protocols. Trend Micro combats this complex malware with products that create a custom defense strategy. The Threat Encyclopedia provides a comprehensive list of names and symptoms for various blended threats, including known malware, spam, malicious URLs, and known vulnerabilities.

Go to to learn more about:
- Malware and malicious mobile code currently active or "in the wild"
- Correlated threat information pages to form a complete web attack story
- Internet threat advisories about targeted attacks and security threats
- Web attack and online trend information
- Weekly malware reports

Contacting Trend Micro

In the United States, Trend Micro representatives are available by phone or email:

Address: Trend Micro, Incorporated, 225 E. John Carpenter Freeway, Suite 1500, Irving, Texas, U.S.A.
Phone: +1 (817)
Toll-free: (888)
Website:
Email address: support@trendmicro.com

Worldwide support offices:
Trend Micro product documentation:

Speeding Up the Support Call

To improve problem resolution, have the following information available:
- Steps to reproduce the problem
- Appliance or network information
- Computer brand, model, and any additional connected hardware or devices
- Amount of memory and free hard disk space
- Operating system and service pack version
- Version of the installed agent
- Serial number or Activation Code
- Detailed description of the install environment
- Exact text of any error message received

Sending Suspicious Content to Trend Micro

Several options are available for sending suspicious content to Trend Micro for further analysis.

Email Reputation Services

Query the reputation of a specific IP address and nominate a message transfer agent for inclusion in the global approved list:
Refer to the following Knowledge Base entry to send message samples to Trend Micro:

File Reputation Services

Gather system information and submit suspicious file content to Trend Micro:
Record the case number for tracking purposes.

Web Reputation Services

Query the safety rating and content type of a URL suspected of being a phishing site, or other so-called "disease vector" (the intentional source of Internet threats such as spyware and malware):
If the assigned rating is incorrect, send a re-classification request to Trend Micro.

Other Resources

In addition to solutions and support, there are many other helpful resources available online to stay up to date, learn about innovations, and be aware of the latest security trends.

Download Center

From time to time, Trend Micro may release a patch for a reported known issue or an upgrade that applies to a specific product or service. To find out whether any patches are available, go to:
If a patch has not been applied (patches are dated), open the Readme file to determine whether it is relevant to your environment. The Readme file also contains installation instructions.

Documentation Feedback

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please go to the following site:

Appendices

Appendix A
Maintenance Tools

This section describes additional utilities packaged with Endpoint Encryption that perform product maintenance tasks. Endpoint Encryption includes the following tools:

Tool                                Description
Diagnostics Monitor                 View Endpoint Encryption event logs in real time. See Using the Diagnostics Monitor on page A-2.
Log Server Tool                     Generate a log package for all events that occur while replicating specific issues. See Using the Log Server Tool on page A-5.
PolicyServer Change Settings Tool   Modify your SQL server and Windows service user credentials without reinstalling PolicyServer. See Using the PolicyServer Change Settings Tool on page A-6.

Using the Diagnostics Monitor

The Diagnostic Monitor allows administrators to view events related to Endpoint Encryption in real time.

Procedure
1. Copy, download, or locate a PolicyServer installation package on the endpoint on which PolicyServer is installed. To download the PolicyServer installation package or the Endpoint Encryption Suite, go to the Trend Micro Download Center:
2. Go to <PolicyServer Directory>\TMEE_PolicyServer\Tools\Diagnostics Monitor.
3. Run the file DiagnosticMonitor.exe as an administrator. The License Renewal Tool screen opens.
   Important: Windows may encounter an error titled Xenocode Postbuild 2010 at this point. The message text states that the application is unable to load a required virtual machine component. If this error occurs, open Windows Update, remove the update KB , and try to run Diagnostic Monitor again.
4. Go to File > Options... The Live Monitor Options screen appears.
5. Go to LogAlerts and set the Minimum Level Displayed to Debug.
6. Set the Maximum Records Displayed field to a value between 3000 and . After setting the Maximum Records Displayed value, an event may appear in Diagnostic Monitor stating that the system is out of memory. If this event appears, return to this window and set the Maximum Records Displayed to a lower value.
7. Click Apply to all Categories, or select individual categories and apply specific settings to each of them.
8. Restart the service PolicyServerWindowsService from Windows Task Manager. When the PolicyServer service restarts, Active Directory synchronizes with PolicyServer. The Diagnostic Monitor will display events related to Active Directory synchronization.
9. View the logs in the Diagnostic Monitor window.
10. If you are using Diagnostic Monitor to troubleshoot a specific issue, perform all tasks necessary to replicate that issue while Diagnostic Monitor is open.
11. To generate a file of the diagnostic logs, go to File > Save to File. A log file appears in your selected output folder. The default output folder is the desktop. To change your selected output folder, go to File > Option > Output Folder. The name of the file is a timestamp of when you generated the file, and the format is PSDM.


More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

OfficeScanTM 10 For Enterprise and Medium Business

OfficeScanTM 10 For Enterprise and Medium Business OfficeScanTM 10 For Enterprise and Medium Business Installation and Upgrade Guide es Endpoint Security Trend Micro Incorporated reserves the right to make changes to this document and to the products

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product/service described herein without notice. Before installing and using the product/service, review the readme

More information

LifeSize Control Installation Guide

LifeSize Control Installation Guide LifeSize Control Installation Guide January 2009 Copyright Notice 2005-2009 LifeSize Communications Inc, and its licensors. All rights reserved. LifeSize Communications has made every effort to ensure

More information

Symantec Endpoint Encryption Full Disk Maintenance Pack Release Notes

Symantec Endpoint Encryption Full Disk Maintenance Pack Release Notes Symantec Endpoint Encryption Full Disk Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of

More information

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free:

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free: EventTracker Enterprise Install Guide 8815 Centre Park Drive Publication Date: Aug 03, 2010 Columbia MD 21045 U.S. Toll Free: 877.333.1433 Abstract The purpose of this document is to help users install

More information

VMware Horizon FLEX Client User Guide. 26 SEP 2017 Horizon FLEX 1.12

VMware Horizon FLEX Client User Guide. 26 SEP 2017 Horizon FLEX 1.12 26 SEP 2017 Horizon FLEX 1.12 You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The VMware Web site also provides the latest product updates.

More information

Sophos Central Self Service Portal help

Sophos Central Self Service Portal help Sophos Central Self Service Portal help Contents 1 About this Help...3 2 Email...4 2.1 Manage Quarantined Email...4 2.2 Emergency Inbox...4 3 Mobile Control...5 3.1 Set up Sophos Mobile Control on your

More information

BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0. Administration Guide

BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0. Administration Guide BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0 Administration Guide SWDT487521-636611-0528041049-001 Contents 1 Overview: BlackBerry Enterprise Server... 21 Getting started in your BlackBerry

More information

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3. Installing and Configuring VMware Identity Manager Connector 2018.8.1.0 (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

McAfee Network Security Platform 8.3

McAfee Network Security Platform 8.3 Revision A McAfee Network Security Platform 8.3 (8.3.7.86-8.3.7.59 Manager-Virtual IPS Release Notes) Contents About this release New features Enhancements Resolves issues Installation instructions Known

More information

SAMSUNG ELECTRONICS RESERVES THE RIGHT TO CHANGE PRODUCTS, INFORMATION AND SPECIFICATIONS WITHOUT NOTICE.

SAMSUNG ELECTRONICS RESERVES THE RIGHT TO CHANGE PRODUCTS, INFORMATION AND SPECIFICATIONS WITHOUT NOTICE. New Samsung Magician. Installation Guide Revision 2.3 LEGAL DISCLAIMER SAMSUNG ELECTRONICS RESERVES THE RIGHT TO CHANGE PRODUCTS, INFORMATION AND SPECIFICATIONS WITHOUT NOTICE. Products and specifications

More information

VMware Horizon FLEX Client User Guide

VMware Horizon FLEX Client User Guide Horizon FLEX 1.10 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this

More information

VMware AirWatch Google Sync Integration Guide Securing Your Infrastructure

VMware AirWatch Google Sync Integration Guide Securing Your  Infrastructure VMware AirWatch Google Sync Integration Guide Securing Your Email Infrastructure AirWatch v9.2 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

SafeGuard Easy Demo guide. Product version: 6 Document date: February 2012

SafeGuard Easy Demo guide. Product version: 6 Document date: February 2012 SafeGuard Easy Demo guide Product version: 6 Document date: February 2012 Contents 1 Introduction...3 2 Requirements...4 3 The demo configuration package...5 4 Install the demo software...6 5 What to expect

More information

Table of Contents. Table of Figures. 2 Wave Systems Corp. Client User Guide

Table of Contents. Table of Figures. 2 Wave Systems Corp. Client User Guide 2 Wave Systems Corp. Client User Guide Table of Contents Overview... 3 What is the Trusted Drive Manager?... 3 Key Features of Trusted Drive Manager... 3 Getting Started... 4 Required Components... 4 Configure

More information

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications GLOBALPROTECT Prevent Breaches and Secure the Mobile Workforce GlobalProtect extends the protection of Palo Alto Networks Next-Generation Security Platform to the members of your mobile workforce, no matter

More information

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide Copyright and Trademark Statements 2014 ViewSonic Computer Corp. All rights reserved. This document contains proprietary information that

More information

SafeGuard Easy Demo guide. Product version: 6.1

SafeGuard Easy Demo guide. Product version: 6.1 SafeGuard Easy Demo guide Product version: 6.1 Document date: February 2014 Contents 1 About this guide...3 2 Requirements...4 3 The demo configuration package...5 4 Install the demo software...6 5 What

More information

McAfee Network Security Platform

McAfee Network Security Platform Revision A McAfee Network Security Platform (9.1.7.73-9.1.3.54 Manager-NTBA Release Notes) Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

McAfee Network Security Platform 9.1

McAfee Network Security Platform 9.1 9.1.7.49-9.1.3.6 Manager-M-series, Mxx30-series, XC Cluster Release Notes McAfee Network Security Platform 9.1 Revision C Contents About the release New features Enhancements Resolved issues Installation

More information

Network Security Platform 8.1

Network Security Platform 8.1 8.1.7.91-8.1.7.44 Manager-Virtual IPS Release Notes Network Security Platform 8.1 Revision B Contents About this release New features Enhancements Resolved issues Installation instructions Known issues

More information

Network Security Platform 8.1

Network Security Platform 8.1 8.1.7.91-8.1.3.40 NTBA Appliance Release Notes Network Security Platform 8.1 Revision B Contents About this release New features Enhancements Resolved issues Installation Instructions Known issues Product

More information

SIMATIC. Process Historian 2014 SP2 SIMATIC Process Historian. Process Historian - Installation Notes 1. Process Historian - Release Notes

SIMATIC. Process Historian 2014 SP2 SIMATIC Process Historian. Process Historian - Installation Notes 1. Process Historian - Release Notes Process Historian - Installation Notes 1 Process Historian - Release Notes 2 SIMATIC Process Historian - Administration 3 Process Historian 2014 SP2 System Manual 05/2017 A5E38560565-AB Legal information

More information

Installation Guide for Pulse on Windows Server 2012

Installation Guide for Pulse on Windows Server 2012 USER GUIDE MADCAP PULSE 4 Installation Guide for Pulse on Windows Server 2012 Copyright 2018 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The

More information

KYOCERA Net Admin Installation Guide

KYOCERA Net Admin Installation Guide KYOCERA Net Admin Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for

More information

VMware Mirage Web Manager Guide

VMware Mirage Web Manager Guide Mirage 5.3 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information