
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files, release notes, and/or the latest version of the applicable documentation, which are available from the Trend Micro website at:

http://docs.trendmicro.com/en-us/enterprise/endpoint-encryption.aspx

Trend Micro, the Trend Micro t-ball logo, OfficeScan, and Control Manager are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright © 2018. Trend Micro Incorporated. All rights reserved.

Document Part No.: APEM68335/180626

Release Date: August 2018

Protected by U.S. Patent No.: Patents pending.

This documentation introduces the main features of the product and/or provides installation instructions for a production environment. Read through the documentation before installing or using the product.

Detailed information about how to use specific features within the product may be available in the Trend Micro Online Help and/or the Trend Micro Knowledge Base at the Trend Micro website.

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected].

Evaluate this documentation on the following site:

http://www.trendmicro.com/download/documentation/rating.asp

Privacy and Personal Data Collection Disclosure

Certain features available in Trend Micro products collect and send feedback regarding product usage and detection information to Trend Micro. Some of this data is considered personal in certain jurisdictions and under certain regulations. If you do not want Trend Micro to collect personal data, you must ensure that you disable the related features.

The following link outlines the types of data that Endpoint Encryption collects and provides detailed instructions on how to disable the specific features that feed back the information.

https://success.trendmicro.com/data-collection-disclosure

Data collected by Trend Micro is subject to the conditions stated in the Trend Micro Privacy Policy:

https://www.trendmicro.com/en_us/about/legal/privacy-policy-product.html


Trend Micro Endpoint Encryption Administrator Guide

Table of Contents

Chapter 1: Introduction

Chapter 2: About Trend Micro Endpoint Encryption
  Features and Benefits 2-3
  What's New 2-4
  About PolicyServer 2-8
  Management Consoles 2-9
    Trend Micro Control Manager 2-10
    About PolicyServer MMC 2-11
  Endpoint Encryption Agents 2-11
  Authentication Methods 2-13
    ColorCode 2-14
    Domain Authentication 2-14
    Fixed Password 2-15
    PIN 2-15
    Remote Help 2-15
    Self Help 2-16
    Smart Card 2-16

Chapter 3: Getting Started
  System Requirements 3-2
    PolicyServer System Requirements 3-2
    PolicyServer MMC System Requirements 3-8
    Full Disk Encryption System Requirements 3-9
    File Encryption System Requirements 3-13
    Encryption Management for Microsoft BitLocker System Requirements 3-13
    Encryption Management for Apple FileVault System Requirements 3-15
  Setting Up Control Manager 3-16
    Control Manager Architecture 3-17
    Adding PolicyServer as a Managed Product to Control Manager 3-20
    Configuring Directory Management for PolicyServer 3-22
    Configuring Proxy Settings 3-23
  Active Directory Synchronization 3-24
    Active Directory Overview 3-24
    Configuring Active Directory 3-25
    Importing Active Directory Users 3-27
    Managing Password Setting Objects from Active Directory 3-29

Chapter 4: Dashboard
  Tabs 4-2
    Default Tabs 4-2
    Adding a New Tab 4-2
    Modifying Tab Settings 4-3
    Deleting a Tab 4-3
  Widgets 4-4
    Adding Widgets to a Tab 4-5
    Widget Options 4-6
  Endpoint Encryption Users 4-7
    User Settings Options 4-8
    Add New User Options 4-9
    Policy Membership 4-10
    Importing Users from a CSV File 4-11
    Importing Active Directory Users 4-12
  Endpoint Encryption Devices 4-13
    Device Actions 4-15
    Device Attributes 4-17
  Full Disk Encryption Status 4-19
    Full Disk Encryption Status Report 4-20
  Endpoint Encryption Unsuccessful Device Logon 4-21
    Unsuccessful Device Logon Report 4-22
  Endpoint Encryption Unsuccessful User Logon 4-24
    Unsuccessful User Logon Report 4-24
  Endpoint Encryption Device Lockout 4-25
    Device Lockout Report 4-27
  Endpoint Encryption Security Violations Report 4-28
    Consecutive Unsuccessful Device Logon Report 4-29
    Policy Tampering Report 4-30
    Log Integrity Report 4-30

Chapter 5: Policies
  Authentication Overview 5-2
    Devices 5-2
    Users 5-3
    Groups 5-4
  Policies in Control Manager 5-5
    Policy Options 5-7
    Policy Types 5-9
  Creating a Policy 5-9
    Specifying Policy Targets 5-11
  Configuring Endpoint Encryption Users Rules 5-13
  Configuring Full Disk Encryption Rules 5-15
  Configuring File Encryption Rules 5-19
  Configuring Common Policy Rules 5-22
    Lockout Actions 5-25
  Migrating Groups to Control Manager 5-26

Chapter 6: Full Disk Encryption
  Full Disk Encryption Tools 6-3
  Full Disk Encryption Context Menu 6-4
  Full Disk Encryption Preboot 6-5
    Menu Options 6-5
    Network Connectivity 6-6
    Network Information 6-8
    On-Screen Keyboard 6-9
    Changing the Keyboard Layout 6-10
    Changing Authentication Methods 6-10
    Changing Passwords 6-11
    Remote Help 6-15
    Smart Card 6-16
    Self Help 6-17
    Skipping the Preboot Screen 6-19
  Full Disk Encryption Policy Synchronization 6-21
    Full Disk Encryption Connectivity Requirements 6-22
    Manually Updating Full Disk Encryption Agents 6-22
    Moving Full Disk Encryption Disks 6-23
  Patch Management with Full Disk Encryption 6-24
    Using the Command Line Helper 6-25
    Patching Process for Full Disk Encryption 6-26

Chapter 7: File Encryption
  Registering File Encryption 7-2
  File Encryption Actions 7-3
    Encrypting a File or Folder 7-4
    Using File Encryption Secure Delete 7-10
  File Encryption Context Menu 7-10
    Changing Password in File Encryption 7-12
    Using Remote Help to Unlock a File Encryption Device 7-13
  File Encryption Authentication 7-14
    Domain Authentication Requirements 7-15
    Forced Password Reset 7-16
    Endpoint Encryption Device Policy Rules 7-16
  Policy Synchronization 7-17

Chapter 8: Encryption Management for Third-Party Products
  About Encryption Management Agents 8-2
  Encryption Management Agent Policy Limitations 8-2
  Encryption Management for Microsoft BitLocker 8-5
    Viewing Encryption Status 8-5
    Understanding Encryption Status 8-6
    Understanding Agent Information 8-8
    Synchronizing Policies with PolicyServer 8-9
    Updating PolicyServer Settings 8-10
  Encryption Management for Apple FileVault 8-13
    Viewing Encryption Status 8-13
    Understanding Encryption Status 8-14
    Understanding Agent Information 8-15
    Synchronizing Policies with PolicyServer 8-16
    Updating PolicyServer Settings 8-18
    Creating a Mobile Account for Active Directory on Mac OS 8-20
    Troubleshooting Password and Encryption Issues 8-22

Chapter 9: Recovery
  Preboot Errors after Installation 9-2
  Full Disk Encryption Recovery Methods 9-3
  Recovery Console 9-5
    Recovery Console Options 9-6
    Accessing the Recovery Console from Full Disk Encryption Preboot 9-7
    Accessing Recovery Console from Windows 9-8
    Manage Disks Options 9-8
    Encrypt Disks 9-9
    Decrypt Disks 9-10
    Mount Partitions 9-12
    Restore Boot 9-13
    Manage Full Disk Encryption Users 9-14
    Manage Policies 9-16
    View Logs 9-16
    Network 9-17
  Recovery Tool 9-23
    Preparing the Recovery Tool 9-23
    Scanning and Repairing a Disk 9-25
    Using Extensive Repair 9-26
    Recovery Tool Options 9-28
    Advanced Functions 9-29
  Remote Help Assistance 9-31

Chapter 10: Resolved and Known Issues
  Resolved Issues 10-2
    Resolved Issues in Endpoint Encryption 6.0 10-2
    Resolved Issues in Endpoint Encryption 6.0 Update 1 10-3
  Known Issues 10-4
    PolicyServer MMC Issues 10-4
    Control Manager Integration Issues 10-5
    Endpoint Encryption Deployment Tool Plug-in Issues 10-6
    Full Disk Encryption Issues 10-6
    File Encryption Issues 10-11
    Encryption Management for Microsoft BitLocker Issues 10-11
    Encryption Management for Apple FileVault Issues 10-11

Chapter 11: Technical Support
  Troubleshooting Resources 11-2
    Using the Support Portal 11-2
    Threat Encyclopedia 11-2
  Contacting Trend Micro 11-3
    Speeding Up the Support Call 11-4
  Sending Suspicious Content to Trend Micro 11-4
    Email Reputation Services 11-4
    File Reputation Services 11-5
    Web Reputation Services 11-5
  Other Resources 11-5
    Download Center 11-5
    Documentation Feedback 11-6

Appendices

Appendix A: Maintenance Tools
  Using the Diagnostics Monitor A-2
  Using the Log Server Tool A-5
  Using the PolicyServer Change Settings Tool A-6

Appendix B: PolicyServer Message IDs
  Administrator Alerts B-2
  Audit Log Alerts B-6
  Certificate Alerts B-7
  Device Alerts B-8
  Error Alerts B-10
  Full Disk Encryption Activity Alerts B-10
  Installation Alerts B-13
  Login / Logout Alerts B-13
  Mobile Device Alerts B-17
  OCSP Alerts B-18
  OTA Alerts B-19
  Password Alerts B-19
  PIN Change Alerts B-22
  Smart Card Alerts B-23

Appendix C: Endpoint Encryption Services

Appendix D: Policy Mapping Between Management Consoles

Appendix E: Glossary

Index
  Index IN-1


Chapter 1

Introduction

This guide is intended to help security administrators and IT administrators manage Endpoint Encryption users, devices, policies, logs, and reports using the PolicyServer Microsoft Management Console (MMC). This documentation assumes general knowledge about encryption methods, device formatting and partitioning, and client-server architecture.

This help is a supplementary guide for administrators who require advanced policy setup. For general Endpoint Encryption management and help using Trend Micro Control Manager, see the Endpoint Encryption Administrator's Guide.


Chapter 2

About Trend Micro Endpoint Encryption

Trend Micro™ Endpoint Encryption™ ensures privacy by encrypting data stored on endpoints, files and folders, and removable media in a variety of platform options. Endpoint Encryption provides granular policy controls and flexibly integrates with other Trend Micro management tools, including Control Manager and OfficeScan. Innovative deployment capabilities help you easily deploy agent software using FIPS-compliant hardware-based or software-based encryption that is fully transparent to end users, without disrupting productivity. Once deployed, automated reporting, auditing, and policy synchronization with Endpoint Encryption PolicyServer simplify endpoint security management.

Endpoint Encryption has capabilities to deploy remote commands, recover lost data, and protect user identity while maintaining real-time policy synchronization. In the event that an endpoint is lost or stolen, remotely initiate a reset or "kill" command to immediately protect corporate information. Many recovery tools are also available to help end users rescue data from a corrupted hard disk. Assimilating into existing corporate identity controls, Endpoint Encryption has a variety of authentication methods, including Active Directory integration and resources for end users who have forgotten their credentials.

Topics include:

• Features and Benefits on page 2-3
• What's New on page 2-4
• About PolicyServer on page 2-8
• Management Consoles on page 2-9
• Endpoint Encryption Agents on page 2-11
• Authentication Methods on page 2-13


Features and Benefits

The following table explains Endpoint Encryption key features and benefits.

Table 2-1. Endpoint Encryption Key Features

Feature / Benefits

Encryption
• Protection for the full disk, including the master boot record (MBR), operating system, and all system files
• Hardware-based and software-based encryption for mixed environments
• Comprehensive data protection of files, folders, and removable media

Authentication
• Flexible authentication methods, including both single and multi-factor
• Control password strength and regularity for password changes
• Policy updates before authentication and system boot
• Configurable actions on failed password attempt threshold

Device management
• Policies to protect data on endpoints and removable media
• Ability to remotely lock, reset, wipe, or kill a device

Central administration
• Flexibly use either PolicyServer MMC or Control Manager to manage PolicyServer
• Deploy Endpoint Encryption agents to endpoints already managed by OfficeScan
• Enforce security policies to individual users and policy groups from a single policy server
• Instantly protect end user data by sending lock or erase commands to lost or stolen Endpoint Encryption devices
• Automate policy enforcement with remediation of security events
• Update security policies in real-time, before authentication, to revoke user credentials before booting the operating system

Record keeping, reports, and auditing
• Advanced real-time reporting and auditing to ensure security compliance
• Analyze usage statistics with scheduled reports and alert notifications

What's New

Trend Micro Endpoint Encryption 6.0 Patch 1 offers the following new features and enhancements.

Table 2-2. What's New in Endpoint Encryption 6.0 Patch 1

Feature / Enhancement: Option to update PolicyServer setting in agents after installation
Description: For endpoints that have Encryption Management for Microsoft BitLocker and Encryption Management for Apple FileVault installed, Endpoint Encryption adds the option to update the PolicyServer settings in agents, even after installation.

Feature / Enhancement: AES encryption key size used by Microsoft BitLocker
Description: For easier deployment, Endpoint Encryption adds the option to configure the Microsoft BitLocker AES encryption key size based on the Full Disk Encryption policy setting.

Feature / Enhancement: Full Disk Encryption enhancements
Description: Endpoint Encryption adds the following enhancements:
• Support for Intel and Toshiba self-encrypting drives
• Remote retrieval of the encryption status of each disk from the device by directly querying the agent via system management software
• To streamline the Windows update process, disks already encrypted by Full Disk Encryption can be configured to repeatedly skip the Full Disk Encryption Preboot

Feature / Enhancement: File Encryption support for new authentication types
Description: For File Encryption, Endpoint Encryption adds support for the following authentication types:
• User Principal Name (UPN) and domain password
• Single Sign On by UPN format

Feature / Enhancement: Logon user information
Description: Endpoint Encryption updates the PolicyServer MMC and Control Manager widgets to show logon user information for Endpoint Encryption agents.

Table 2-3. What's New in Endpoint Encryption 6.0

Feature / Enhancement: Support for UEFI firmware
Description: Endpoint Encryption now supports booting on endpoints with UEFI firmware.

Feature / Enhancement: Improved drive performance using AES-XTS encryption mode
Description: For new installations, Endpoint Encryption uses the AES-XTS method by default. However, existing agents upgraded to this version will retain the existing AES-CBC encryption mode. Moreover, Endpoint Encryption can manage endpoints where both AES-XTS and AES-CBC encryption modes are used.

Feature / Enhancement: Support for systems with more than one physical drive
Description: Endpoint Encryption encrypts all fixed drives during installation. Additionally, users have the option of manually encrypting any fixed drives attached after installation.

Feature / Enhancement: Wi-Fi preboot policies
Description: Wi-Fi settings can be further customized via new policies available in PolicyServer. These policy settings allow or restrict access to the Wi-Fi settings during preboot.

Feature / Enhancement: Preboot screen customization
Description: PolicyServer now supports customization of the preboot screen.

Feature / Enhancement: Encryption of used disk space for Full Disk Encryption
Description: Full Disk Encryption will only encrypt the used disk space, resulting in a faster encryption process.

Feature / Enhancement: Safety check
Description: Endpoint Encryption runs a safety check after installation to verify if the installation was successfully completed. If successful, Endpoint Encryption loads the preboot screen and starts encrypting. However, if the installation was unsuccessful (or a forced shutdown is detected), Endpoint Encryption will not load the preboot screen.

Feature / Enhancement: Multiple Active Directory domain synchronization to PolicyServer
Description: Endpoint Encryption supports synchronization of multiple Active Directory domains to PolicyServer.

Feature / Enhancement: Installation enhancements for Encryption Management for Microsoft BitLocker
Description: Encryption Management for Microsoft BitLocker successfully installs even if Microsoft BitLocker is installed and enabled. In previous versions, the installer stops if Microsoft BitLocker is installed and enabled.

Feature / Enhancement: Support for multiple languages
Description: Supported languages for Full Disk Encryption, File Encryption, Encryption Management for Microsoft BitLocker, and Encryption Management for Apple FileVault:
• de (German)
• en (English)
• fr (French)
• es (Spanish)
• pl (Polish)
• it (Italian)
• cs (Czech)

Supported languages for PolicyServer:
• de (German)
• en (English)
• fr (French)
• es (Spanish)

Supported languages for the OfficeScan Plug-in Service (PLS) Add-on:
• de (German)
• en (English)
• fr (French)
• es (Spanish)
• pl (Polish, but will display English)
• it (Italian, but will display English)


About PolicyServerTrend Micro PolicyServer manages encryption keys and synchronizes policies across allendpoints in the organization. PolicyServer also enforces secure authentication andprovides real-time auditing and reporting tools to ensure regulatory compliance. You canflexibly manage PolicyServer with PolicyServer MMC or with Trend Micro ControlManager. Other data management features include user-based self-help options anddevice actions to remotely reset or “kill” a lost or stolen device.

The following table describes the PolicyServer components that you can deploy on oneserver or multiple servers, depending on environmental needs.

Table 2-4. PolicyServer Components

Component: Enterprise
Description: The Endpoint Encryption Enterprise is the unique identifier for the organization in the PolicyServer database, configured during PolicyServer configuration. One PolicyServer database may have one Enterprise configuration.

Component: Database
Description: The PolicyServer Microsoft SQL database securely stores all user, device, and log data. The database is either configured on a dedicated server or added to an existing SQL cluster. The log and other databases can reside separately.

Component: PolicyServer Windows Service
Description: PolicyServer Windows Service manages all communication transactions between the host operating system, Endpoint Encryption Service, Legacy Web Service, Client Web Proxy, and SQL databases.

Component: Endpoint Encryption Service
Description: Starting from Endpoint Encryption 5.0, all agents use Endpoint Encryption Service to communicate with PolicyServer. Endpoint Encryption Service uses a Representational State Transfer (RESTful) web API with an AES-GCM encryption algorithm. After a user authenticates, PolicyServer generates a token related to the specific policy configuration. Until the Endpoint Encryption user authenticates, the service denies all policy transactions.

About Trend Micro Endpoint Encryption

2-9

Component: Legacy Web Service
Description: All Endpoint Encryption 3.1.3 and earlier agents use Simple Object Access Protocol (SOAP) to communicate with PolicyServer. Under certain situations, SOAP may allow insecure policy transactions without user authentication. Legacy Web Service filters SOAP calls by requiring authentication and limiting the commands that SOAP accepts. This service is optional, and can be installed on the same endpoint as the Endpoint Encryption Service using the Endpoint Encryption proxy installer.
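The two rows above share one design rule: a policy transaction is refused until the caller has authenticated, and the newer service additionally protects the exchange with AES-GCM. The following Go program is an added illustration of that rule, not Trend Micro's code; the type and function names (policyService, authenticate, fetchPolicy, openPolicy), the constructed user "alice" and the sample policy document are assumptions for the example. The server issues a random token only after a successful credential check, denies fetchPolicy for any unknown token, and seals the policy with AES-GCM under a per-session key, binding the token in as additional authenticated data so the ciphertext cannot be opened under another session.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// policyService is an illustrative model (not PolicyServer's code) of a
// policy endpoint that denies every policy transaction until the caller
// has authenticated and received a token.
type policyService struct {
	users    map[string]string // user name -> password; constructed sample data
	sessions map[string][]byte // token -> per-session AES-256 key
	policy   string            // policy document released only to authenticated sessions
}

func newPolicyService() *policyService {
	return &policyService{
		users:    map[string]string{"alice": "correct horse battery staple"}, // constructed
		sessions: make(map[string][]byte),
		policy:   `{"encryption":"on","min_password_length":12}`, // constructed sample policy
	}
}

// authenticate verifies the credentials and, on success, issues a random
// token bound to a fresh session key.
func (s *policyService) authenticate(user, password string) (token string, key []byte, err error) {
	want, ok := s.users[user]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(password)) != 1 {
		return "", nil, errors.New("authentication failed")
	}
	raw := make([]byte, 16)
	key = make([]byte, 32)
	if _, err = rand.Read(raw); err != nil {
		return "", nil, err
	}
	if _, err = rand.Read(key); err != nil {
		return "", nil, err
	}
	token = hex.EncodeToString(raw)
	s.sessions[token] = key
	return token, key, nil
}

// fetchPolicy is the policy transaction: without a known token it is denied;
// with one, the policy is sealed with AES-GCM under the session key, using
// the token as additional authenticated data.
func (s *policyService) fetchPolicy(token string) (nonce, sealed []byte, err error) {
	key, ok := s.sessions[token]
	if !ok {
		return nil, nil, errors.New("denied: no authenticated session for token")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	sealed = gcm.Seal(nil, nonce, []byte(s.policy), []byte(token))
	return nonce, sealed, nil
}

// openPolicy is the agent side: it unseals the policy with its session key
// and token; tampering or a wrong token makes Open fail.
func openPolicy(key []byte, token string, nonce, sealed []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	plain, err := gcm.Open(nil, nonce, sealed, []byte(token))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	s := newPolicyService()
	_, _, err := s.fetchPolicy("not-a-token")
	fmt.Println("before authentication:", err)
	token, key, err := s.authenticate("alice", "correct horse battery staple")
	if err != nil {
		panic(err)
	}
	nonce, sealed, _ := s.fetchPolicy(token)
	policy, err := openPolicy(key, token, nonce, sealed)
	fmt.Println("after authentication:", policy, err)
}
```

The unauthenticated call fails before any key material is touched, which is the property the table attributes to Endpoint Encryption Service and that Legacy Web Service has to retrofit onto SOAP by filtering calls.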

Management Consoles

Flexibly manage Endpoint Encryption using only PolicyServer MMC, or manage Endpoint Encryption using Control Manager for policy, user and device management and PolicyServer MMC for advanced log management and reporting.

The following illustration shows how to deploy Endpoint Encryption using Control Manager to manage PolicyServer. In a Control Manager deployment, administrators use Control Manager for all Endpoint Encryption policy, user, and device controls, and only use PolicyServer MMC for advanced Enterprise maintenance.


Note

In environments that use Control Manager, changes to PolicyServer policies are always controlled by Control Manager. Any changes made using PolicyServer MMC are overwritten the next time that Control Manager synchronizes policies to the PolicyServer database.

Trend Micro Control Manager

Trend Micro™ Control Manager™ is a central management console that manages Trend Micro products and services at the gateway, mail server, file server, and corporate desktop levels. The Control Manager web-based management console provides a single monitoring point for managed products and services throughout the network.


Control Manager allows system administrators to monitor and report on activities such as infections, security violations, or virus entry points. System administrators can download and deploy components throughout the network, helping ensure that protection is consistent and up-to-date. Control Manager allows both manual and pre-scheduled updates, and the configuration and administration of products as groups or as individuals for added flexibility.

About PolicyServer MMC

The PolicyServer Microsoft Management Console plug-in (PolicyServer MMC) is the native management console for Endpoint Encryption policy, user, and device administration.

Use PolicyServer MMC to centrally manage:

• All Endpoint Encryption users, devices, and groups

• All policies including encryption, password complexity and authentication

• Remote device actions, including killing a device, erasing data, or delaying authentication

• Event logs about authentication events, management events, device encryption status, and security violations

• Remote Help password reset process

• Auditing and reporting options

Endpoint Encryption Agents

The following table describes the Endpoint Encryption agents available for a variety of environments.

Agent: Full Disk Encryption
Description: The Endpoint Encryption agent for hardware and software encryption with preboot authentication. Full Disk Encryption secures data files, applications, registry settings, temporary files, swap files, print spoolers, and deleted files on any Windows endpoint. Strong preboot authentication restricts access vulnerabilities until the user is validated.

The Full Disk Encryption agent may be installed on the same endpoint as the File Encryption agent. The Full Disk Encryption agent cannot be installed on the same endpoint as either the Encryption Management for Microsoft BitLocker agent or the Encryption Management for Apple FileVault agent.

Agent: Encryption Management for Microsoft BitLocker
Description: The Endpoint Encryption Full Disk Encryption agent for Microsoft Windows environments that simply need to enable Microsoft BitLocker on the hosting endpoint.

The Encryption Management for Microsoft BitLocker agent may be installed on the same endpoint as the File Encryption agent.

Agent: Encryption Management for Apple FileVault
Description: The Endpoint Encryption Full Disk Encryption agent for Mac OS environments that simply need to enable Apple FileVault on the hosting endpoint.

Agent: File Encryption
Description: The Endpoint Encryption agent for file and folder encryption on local drives and removable media. File Encryption protects files and folders located on virtually any device that appears as a drive within the host operating system.

The File Encryption agent may be installed on the same endpoint as either the Full Disk Encryption agent or the Encryption Management for Microsoft BitLocker agent.


Authentication Methods

Endpoint Encryption administrators and users have several authentication methods to log on to Endpoint Encryption devices. The methods available are determined by the PolicyServer policy configuration.

Note
You must use PolicyServer MMC to configure the authentication methods available to Endpoint Encryption users. It is not possible to use Control Manager to configure the allowed authentication methods. However, you can configure Control Manager for domain authentication.

Table 2-5. Supported Authentication Methods

Authentication method: ColorCode (on page 2-14)
Description: A unique sequence of colors.

Authentication method: Domain Authentication (on page 2-14)
Description: Active Directory LDAP synchronization for single sign-on (SSO).

Authentication method: Fixed Password (on page 2-15)
Description: A string of characters, numbers, and symbols.

Authentication method: PIN (on page 2-15)
Description: A standard Personal Identification Number (PIN).

Authentication method: Remote Help (on page 2-15)
Description: Interactive authentication for users who forget their credentials or devices that have not synchronized policies within a predetermined amount of time.

Authentication method: Self Help (on page 2-16)
Description: Question and answer combinations that allow users to reset a forgotten password without contacting Technical Support.

Authentication method: Smart Card (on page 2-16)
Description: A physical card used in conjunction with a PIN or fixed password.


ColorCode

ColorCode™ is a unique authentication method designed for quick access and easy memorization. Rather than alphanumeric characters or symbols for the password, ColorCode authentication consists of a user-created color sequence (example: red, red, blue, yellow, blue, green).

Figure 2-1. ColorCode Authentication Screen

Domain Authentication

Endpoint Encryption integrates with Active Directory using LDAP configured in PolicyServer. Endpoint Encryption domain authentication allows Endpoint Encryption users to use single sign-on (SSO) between the operating system and the Endpoint Encryption agent. For example, Endpoint Encryption users with domain authentication must only provide their credentials once to authenticate to the Full Disk Encryption preboot, log on to Windows, and access the files protected by File Encryption.

For seamless Active Directory integration, make sure that the following requirements are met:


• PolicyServer has joined the domain.

• All Endpoint Encryption devices are in the same Active Directory and domain as PolicyServer.

• The user names configured in Active Directory exactly match the user names configured in PolicyServer (including case).

• The user names are located within a PolicyServer group and the Domain Authentication policy is enabled.

• The host name and domain name are configured correctly based on the LDAP or Active Directory server settings.

Note
For information about configuring LDAP and Active Directory settings, see the Endpoint Encryption Installation Guide available at:

http://docs.trendmicro.com/en-us/enterprise/endpoint-encryption.aspx
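The requirement that user names match exactly, including case, is the one most easily missed when the two directories are maintained by different teams. The Go program below is an added example, not a Trend Micro tool; it assumes you have exported the PolicyServer user list and the Active Directory account names into two string slices (the names checkDomainNames, NameCheck and the sample accounts are constructed for the example). It reports exact matches as ok, names that differ only in case as case-mismatch together with the Active Directory spelling, and names absent from Active Directory as missing, so the case-only mismatches that silently break single sign-on are surfaced before the Domain Authentication policy is enabled.

```go
package main

import (
	"fmt"
	"strings"
)

// NameCheck records how one PolicyServer user name relates to the names in
// Active Directory. Illustrative helper, not part of Endpoint Encryption.
type NameCheck struct {
	User   string
	Status string // "ok", "case-mismatch" or "missing"
	ADName string // the Active Directory spelling when Status is "case-mismatch"
}

// checkDomainNames compares PolicyServer user names with Active Directory
// account names. Only an exact, case-sensitive match passes; a name that
// matches case-insensitively is flagged separately, because that is the
// mismatch that is easiest to overlook and still breaks domain authentication.
func checkDomainNames(policyServerUsers, adUsers []string) []NameCheck {
	exact := make(map[string]bool, len(adUsers))
	folded := make(map[string]string, len(adUsers))
	for _, n := range adUsers {
		exact[n] = true
		folded[strings.ToLower(n)] = n
	}
	out := make([]NameCheck, 0, len(policyServerUsers))
	for _, u := range policyServerUsers {
		switch ad, found := folded[strings.ToLower(u)]; {
		case exact[u]:
			out = append(out, NameCheck{User: u, Status: "ok"})
		case found:
			out = append(out, NameCheck{User: u, Status: "case-mismatch", ADName: ad})
		default:
			out = append(out, NameCheck{User: u, Status: "missing"})
		}
	}
	return out
}

// countProblems returns how many entries are not exact matches.
func countProblems(checks []NameCheck) int {
	n := 0
	for _, c := range checks {
		if c.Status != "ok" {
			n++
		}
	}
	return n
}

func main() {
	// Constructed sample exports; in practice these come from the two directories.
	adUsers := []string{"jdoe", "MSmith", "akumar"}
	policyServerUsers := []string{"jdoe", "msmith", "pwong"}
	checks := checkDomainNames(policyServerUsers, adUsers)
	for _, c := range checks {
		fmt.Printf("%-8s %-14s %s\n", c.User, c.Status, c.ADName)
	}
	fmt.Println("problems:", countProblems(checks))
}
```

Run it against the real exports before enabling the policy; a non-zero problem count means some users will fail domain authentication even though their accounts exist.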

Fixed Password

Fixed password authentication is the most common authentication method. The fixed password is created by the user and can be almost any string of numbers, characters, or symbols. You can place restrictions on fixed passwords to ensure that they are not easily compromised.

PIN

A Personal Identification Number (PIN) is a common identification method requiring a unique sequence of numbers. The PIN is created by the user and can be almost anything. Similar to fixed passwords, you may place restrictions on the PIN combination.

Remote Help

Remote Help allows Group or Enterprise Authenticators to assist Endpoint Encryption users who are locked out and cannot log on to Endpoint Encryption devices after too many unsuccessful log on attempts, or when the period since the last PolicyServer synchronization has been too long.

Note
Remote Help authentication is triggered by Endpoint Encryption device policy rules. Remote Help policy rules are configurable in both PolicyServer MMC and Control Manager.

Self Help

Self Help authentication allows Endpoint Encryption users who have forgotten their credentials to answer security questions and log on to Endpoint Encryption devices without getting Technical Support assistance. Self Help requires the Endpoint Encryption user to respond with answers to predefined personal challenge questions. Self Help can replace fixed password or other authentication methods.

Consider the following when choosing your authentication method or when configuring Self Help:

• Self Help is not available for Administrator and Authenticator accounts.

• Self Help is not available for accounts that use domain authentication. PolicyServer is unable to change or retrieve previous domain passwords.

• Self Help has a maximum of six questions for each user account. Users may be unable to log on using Self Help if more than six questions are configured.

• Self Help is only configurable with PolicyServer MMC.

Smart Card

Smart card authentication requires both a PIN and a physical token to confirm the user identity. Smart card certificates are associated with the user account and the user's assigned group. Once registered, the user can use smart card authentication from any Endpoint Encryption device in that group. Users are free to use any Endpoint Encryption device in their group and do not need to ask for another one-time password.

To use smart card authentication, make sure that the following requirements are met:

• The smart card reader is connected to the endpoint and the smart card is inserted into the smart card reader.

• ActivClient 6.2 with all service packs and updates installed.

Note
ActivClient 7.0 and later is not supported.

• Specify the smart card PIN in the password field.

WARNING!
Failure to provide a correct password sends a password error and may result in locking the smart card.

Note

• Smart card authentication is only configurable with PolicyServer MMC.

• Switching the authentication method from smart card to domain authentication may cause issues for domain users added through ADSync or Active Directory User Import. To resolve this issue, remove the domain user account from the enterprise, and then restart the PolicyServer services to start synchronization with the AD server. The synchronization process adds the user back with domain authentication as the authentication method. Alternatively, you can also add the domain user account back via Active Directory User Import.

Chapter 3

Getting Started

This chapter explains how to get started using Trend Micro Control Manager to manage PolicyServer.

Topics include:

• System Requirements on page 3-2

• Setting Up Control Manager on page 3-16

• Active Directory Synchronization on page 3-24

System Requirements

This section outlines the system requirements for Trend Micro Endpoint Encryption.

Topics include:

• PolicyServer System Requirements on page 3-2

• PolicyServer MMC System Requirements on page 3-8

• Full Disk Encryption System Requirements on page 3-9

• File Encryption System Requirements on page 3-13

• Encryption Management for Microsoft BitLocker System Requirements on page 3-13

• Encryption Management for Apple FileVault System Requirements on page 3-15

PolicyServer System Requirements

Hardware and Scaling Requirements

The following shows deployment and scaling requirements in several different-sized environments. In smaller network environments, PolicyServer SQL databases can be installed on the same server. For PolicyServer deployments in environments greater than 1500 devices, Trend Micro recommends having at least two dedicated servers:

1. A dedicated server for the PolicyServer services, also known as the “front-end server”

2. A dedicated server for the database, or add the database to an existing SQL cluster

The following table displays the requirements for the PolicyServer SQL database for the basic requirements at the specified scale:


Devices: 1,000
PolicyServer front-end requirements:
• One front-end and SQL database multi-role server with an Intel Xeon quad-core 2.2 GHz processor or above
• 8 GB RAM
• 120 GB hard drive
PolicyServer SQL database requirements: Installed on the PolicyServer front-end server

Devices: 4,000
PolicyServer front-end requirements:
• One front-end and SQL database multi-role server with an Intel Xeon quad-core 2.2 GHz processor or above
• 8 GB RAM
• 150 GB hard drive
PolicyServer SQL database requirements: Installed on the PolicyServer front-end server

Devices: 8,000
PolicyServer front-end requirements:
• Two front-end servers each with an Intel Xeon quad-core 2.2 GHz processor or above
• 4 GB RAM
• 40 GB hard drive
PolicyServer SQL database requirements:
• One SQL database server with an Intel Xeon quad-core 2.2 GHz processor or above
• 8 GB RAM
• 150 GB hard drive

Devices: 20,000
PolicyServer front-end requirements:
• Four front-end servers each with an Intel Xeon quad-core 2.2 GHz processor or above
• 4 GB RAM
• 40 GB hard drive
PolicyServer SQL database requirements:
• Two SQL database servers (one for the policy database and one for the log database) each with an Intel Xeon quad-core 2.2 GHz processor or above
• 8 GB RAM
• 180 GB RAID 5 hard drive

Devices: 40,000
PolicyServer front-end requirements:
• Eight front-end servers each with an Intel Xeon quad-core 2.2 GHz processor or above
• 4 GB RAM
• 40 GB hard drive
PolicyServer SQL database requirements:
• Two SQL database servers (one for the policy database and one for the log database) each with an Intel Xeon quad-core 2.2 GHz processor or above
• 16 GB RAM
• 350 GB shared SAN RAID 5 hard drive

Note

• Virtual hardware is supported under VMware Virtual Infrastructure.

• Microsoft or VMware on virtual hardware does not support Microsoft Cluster Service.

• Baseline testing was performed on an endpoint with an Intel Xeon CPU E5-2650 v4 2.20 GHz, 2200 MHz.

Redundancy Requirements

With larger environments, Trend Micro recommends adding additional servers to avoid having single points of failure. The following table displays the requirements for the PolicyServer SQL database for an environment with increased redundancy.

Tip
Trend Micro recommends setting up redundancy for environments with more than 8,000 devices.


Devices: 8,000
PolicyServer front-end requirements:
• Four front-end servers each with one Intel Xeon quad-core 2.2 GHz processor or above
• 4 GB RAM
• 40 GB hard drive
PolicyServer SQL database with zero single points of failure:
• One SQL server cluster of two nodes, with Intel Xeon quad-core 2.2 GHz processors or above
• 8 GB RAM
• 60 GB RAID 5 hard drive
• 150 GB shared SAN RAID 5 hard drive

Devices: 20,000
PolicyServer front-end requirements:
• Six front-end servers each with Intel Xeon quad-core 2.2 GHz processors or above
• 4 GB RAM
• 40 GB hard drive
PolicyServer SQL database with zero single points of failure:
• Two SQL server clusters of two nodes, with Intel Xeon quad-core 2.2 GHz processors or above
• 8 GB RAM
• 60 GB RAID 5 hard drive
• 180 GB shared SAN RAID 5 hard drive

Devices: 40,000
PolicyServer front-end requirements:
• Twelve front-end servers each with Intel Xeon quad-core 2.2 GHz processors or above
• 4 GB RAM
• 40 GB hard drive
PolicyServer SQL database with zero single points of failure:
• Two SQL server clusters of two nodes, with Intel Xeon quad-core 2.2 GHz processors or above
• 16 GB RAM
• 60 GB RAID 5 hard drive
• 350 GB shared SAN RAID 5 hard drive


Note

• Virtual hardware is supported under VMware Virtual Infrastructure.

• Microsoft or VMware on virtual hardware does not support Microsoft Cluster Service.

• Baseline testing was performed on an endpoint with an Intel Xeon CPU E5-2650 v4 2.20 GHz, 2200 MHz.

Software Requirements

Operating system:
• Windows Server 2008 / 2008 R2 (64-bit)
• Windows Server 2012 / 2012 R2 (64-bit)
• Windows Server 2016 (64-bit)

Database server:
• Microsoft SQL Server 2008 / 2008 R2 / 2012 / 2012 R2 / 2014 / 2016
• Microsoft SQL Server Express 2008 / 2012 / 2014 / 2016
• Mixed Mode Authentication (SA password) installed
• Reporting services installed

Note
For Windows Server 2008 R2, you must install SQL Server 2008 SP1.

Application server: PolicyServer 6.0 Patch 1 requires Microsoft Internet Information Services (IIS) with the following roles installed and enabled:
• Application Development
• ASP.NET
• ASP
• ISAPI Extensions
• ISAPI Filters
• Management Tools
• IIS Management Console
• IIS Management Scripts and Tools
• Management Service
• IIS 6 Management Compatibility
• IIS 6 Metabase Compatibility

For Windows Server 2008 and 2008 R2 you must install the “Application server” role and the “Web server” role. Additionally, you must add the SMTP and Microsoft IIS Support features.

Legacy Endpoint Encryption environments (version 3.1.3 and earlier) require Client Web Service. If you install Client Web Service on a remote endpoint, install Microsoft IIS on that endpoint.

Other software:
• Both Microsoft .NET Framework 2.0 SP2 (or 3.5) and 4.0
• Windows Installer 4.5 (SQL Express)

Installation Files

File: PolicyServerInstaller.exe
Purpose: Installs PolicyServer databases and services. Optionally, the PolicyServer MMC can install at the same time.

File: PolicyServerMMCSnapinSetup.msi
Purpose: Installs the PolicyServer MMC only.

File: TMEEProxyInstaller.exe
Purpose: Installs the Client Web Service and the Traffic Forwarding Service. These services function as web proxies and communication protocols for environments that have PolicyServer and Endpoint Encryption agents in different LANs. Client Web Service functions for 3.1.3 or earlier agents and Traffic Forwarding Service functions for 5.0 or later agents.

Note

PolicyServer includes a 30-day trial license. To upgrade to the full product version, register your product with your Activation Code in Control Manager or PolicyServer MMC.

Required Accounts

Account: SQL SA
Function: PolicyServer Installer
Description: Account is used only to create the PolicyServer databases

Account: SQL MADB
Function: PolicyServer Windows Service
Description: Account created during installation to authenticate to PolicyServer databases

Account: Local Administrator
Function: PolicyServer Windows Service and IIS
Description: Account used to run the PolicyServer Windows Service and web service application pools

PolicyServer MMC System Requirements

Note

PolicyServer MMC can be installed on the PolicyServer front-end server or on a different endpoint that has network connectivity with PolicyServer.

Processor: Intel Core 2 Duo 2.0 GHz processor or equivalent
RAM: 512 MB
Disk space: 100 MB
Network connectivity: Connectivity with PolicyServer
Operating system: Any Microsoft Windows operating system supported by PolicyServer or the Endpoint Encryption agents
Others: Microsoft .NET Framework 4.0

Full Disk Encryption System Requirements

Processor: Intel Core 2 Duo 2.0 GHz processor or equivalent
RAM: 1 GB
Disk space:
• 30 GB
• 20% free disk space
• 256 MB contiguous free space
Network connectivity: Communication with PolicyServer required for managed agents
Operating system:
• Windows™ Embedded POSReady 7 (32-bit/64-bit)
• Windows™ 10 (32-bit/64-bit)

Note
Older builds of Windows 10 installed on endpoints where UEFI is enabled may encounter issues if secure boot is turned on. To prevent this issue, install all service packs, hotfixes and security patches for Windows 10 before proceeding with the installation.

• Windows™ 8.1 (32-bit/64-bit)
• Windows™ 8 (32-bit/64-bit)
• Windows™ 7 (32-bit/64-bit)
Firmware interface:
• BIOS: all supported operating systems
• UEFI: all supported operating systems
Other software:
• Microsoft .NET Framework 3.5 SP1 or later (Windows 7 and later operating systems)

Hard disk: Full Disk Encryption uses software-based encryption for all standard drives (drives without self-encryption).

Full Disk Encryption uses hardware-based encryption for the following self-encrypting drives (SEDs):
• Seagate OPAL and OPAL 2 drives
• SanDisk self-encrypting (OPAL2) solid-state drives
• Toshiba self-encrypting (OPAL2) solid-state drives (SATA and NVMe)
• Intel self-encrypting (OPAL2) solid-state drives (SATA and NVMe)

Full Disk Encryption has the following limitations:
• Full Disk Encryption does not support RAID and SCSI drives.
• Full Disk Encryption does not support eDrive drives for Windows 8 or later environments.

Hard disk controllers:
• Software encryption: ATA, AHCI, or IRRT hard disk controller
• Hardware encryption: AHCI hard disk controller

Recommended Disk Combinations

Endpoint Encryption supports endpoints with a maximum of 32 disks attached. Full Disk Encryption recommends the following disk combinations:

Primary disk: Normal system disk
Secondary disk: Normal data disk
Recommended: Yes. The disk must either be new or previously encrypted and connected with PolicyServer.

Primary disk: Normal system disk
Secondary disk: Normal system disk attached as a data disk
Recommended: Yes. If the Bypass Preboot policy is set to Allow, Full Disk Encryption prompts for the removal of one system disk.

Primary disk: Normal system disk
Secondary disk: SED data disk
Recommended: Yes. The disk must either be new or previously encrypted and connected with PolicyServer.

Primary disk: SED system disk
Secondary disk: SED data disk
Recommended: Yes. The disk must either be new or previously encrypted and connected with PolicyServer.

Primary disk: SED system disk
Secondary disk: SED system disk attached as a data disk
Recommended: No. The Full Disk Encryption installer completes the installation but won't be able to manage both disks. If the Bypass Preboot policy is set to Allow, Full Disk Encryption prompts for the removal of one system disk.

Primary disk: SED system disk
Secondary disk: Normal data disk
Recommended: No. The Full Disk Encryption installer completes the installation but won't be able to manage any disks.

If a non-recommended disk is found, the Full Disk Encryption installer still completes the installation but won't be able to manage the non-recommended disk. Additionally, it reports a status of Unmanaged for the non-recommended disk.


File Encryption System Requirements

The following table explains the File Encryption system requirements.

Processor: Intel Core 2 Duo 2.0 GHz processor or equivalent
RAM: 1 GB
Disk space:
• 30 GB
• 20% free disk space
Network connectivity: Communication with PolicyServer required for managed agents
Operating system:
• Windows™ 10 (32-bit/64-bit)
• Windows™ 8.1 (32-bit/64-bit)
• Windows™ 8 (32-bit/64-bit)
• Windows™ 7 (32-bit/64-bit)
Other software:
• Microsoft .NET Framework 3.5 SP1 (Windows 7 and later operating systems)
• Microsoft Windows Installer 3.1

Encryption Management for Microsoft BitLocker System Requirements

The following table explains the minimum and recommended Encryption Management for Microsoft BitLocker system requirements.

Processor: Intel Core 2 Duo 2.0 GHz processor or equivalent
RAM: Requirements are based on the Windows system requirements:
• 64-bit systems: 2 GB
• 32-bit systems: 1 GB
Disk space:
• 30 GB
• 20% free disk space
Hard disk:
• Standard drives supported by Windows
Network connectivity: Connectivity with PolicyServer
Operating system:
• Windows™ Embedded POSReady 7 (32-bit/64-bit)
• Windows™ 10 Enterprise and Professional editions (32-bit/64-bit)
• Windows™ 8.1 Enterprise and Professional editions (32-bit/64-bit)
• Windows™ 8 Enterprise and Professional editions (32-bit/64-bit)
• Windows™ 7 Enterprise and Professional editions (32-bit/64-bit)
Other software:
• Trusted Platform Module (TPM) 1.2 or higher
• Full Disk Encryption is not installed
• Microsoft .NET Framework 3.5

WARNING!
Full Disk Encryption is unable to install on SED disks attached to devices using UEFI if these disks were previously managed by Windows BitLocker. To install Full Disk Encryption on these disks, perform one of the following:

• Configure Full Disk Encryption to use software-based encryption by adding the FORCESOFTWARE parameter during installation.

For details, see the Installing the Full Disk Encryption Agent section in the Endpoint Encryption Installation Guide.

• Restore the SED disk back to its factory setting. This procedure removes all existing data from the SED disk. After the disk has been restored, try running the installer again.

Encryption Management for Apple FileVault System Requirements

The following table explains the minimum and recommended Encryption Management for Apple FileVault system requirements.

Processor: Intel Core 2 Duo 2.0 GHz processor or equivalent
Memory:
• 512 MB minimum
• 2 GB recommended
Disk space:
• 400 MB minimum
Network connectivity:
• Connectivity with PolicyServer
Operating system:
• OS X™ “Sierra”
• OS X™ “El Capitan”
• OS X™ “Yosemite”
• OS X™ “Mavericks”
• OS X™ “Mountain Lion”
Other software:
• Mono runtime environment (MRE) 2.1
• Apple FileVault is disabled
Hardware considerations:
• Mac OS local accounts or mobile accounts are able to initiate encryption on Mac OS X Mountain Lion or later. Other Mac OS user account types will be unable to initiate encryption.

To create a mobile account for Active Directory on your Mac, see Creating a Mobile Account for Active Directory on Mac OS on page 8-20.

• Encryption Management for Apple FileVault supports Apple Fusion Drives on Mac OS X Mountain Lion or later (starting with Mac OS build 10.8.2).

Setting Up Control Manager

The following procedure provides an overview of how to configure Control Manager for Endpoint Encryption management.

Note
For information about individual policy configurations, see Policies on page 5-1.

Procedure

1. Install and configure PolicyServer.

See the Endpoint Encryption Installation and Migration Guide.

2. Connect PolicyServer to Control Manager.

a. Adding PolicyServer as a Managed Product to Control Manager on page 3-20

b. Configuring Directory Management for PolicyServer on page 3-22

3. Add policy targets.

See Creating a Policy on page 5-9.

4. Verify the policy configuration on PolicyServer MMC.

Related information

➥ Control Manager Architecture
➥ Adding PolicyServer as a Managed Product to Control Manager
➥ Configuring Directory Management for PolicyServer
➥ Configuring Proxy Settings

Control Manager Architecture

Trend Micro Control Manager provides a means to control Trend Micro products and services from a central location. This application simplifies the administration of a corporate virus/malware and content security policy. The following table provides a list of components Control Manager uses.

Table 3-1. Control Manager Components

Component: Control Manager server
Description: Acts as a repository for all data collected from the agents. It can be a Standard or Advanced Edition server. A Control Manager server includes the following features:

• An SQL database that stores managed product configurations and logs

Control Manager uses the Microsoft SQL Server database (db_ControlManager.mdf) to store data included in logs, Communicator schedule, managed product and child server information, user account, network environment, and notification settings.

• A web server that hosts the Control Manager web console

• A mail server that delivers event notifications through email messages

Control Manager can send notifications to individuals or groups of recipients about events that occur on the Control Manager network. Configure Event Center to send notifications through email messages, Windows event log, MSN Messenger, SNMP, Syslog, pager, or any in-house/industry standard application used by your organization to send notification.

• A report server, present only in the Advanced Edition, that generates antivirus and content security product reports

A Control Manager report is an online collection of figures about security threat and content security events that occur on the Control Manager network.

Component: Trend Micro Management Communication Protocol
Description: MCP handles the Control Manager server interaction with managed products that support the next generation agent.

MCP is the new backbone for the Control Manager system.

MCP agents install with managed products and use one/two way communication to communicate with Control Manager. MCP agents poll Control Manager for instructions and updates.

Component: Trend Micro Management Infrastructure
Description: Handles the Control Manager server interaction with older managed products.

The Communicator, or the Message Routing Framework, is the communication backbone of the older Control Manager system. It is a component of the Trend Micro Management Infrastructure (TMI). Communicators handle all communication between the Control Manager server and older managed products. They interact with Control Manager 2.x agents to communicate with older managed products.

Component: Control Manager 2.x Agents
Description: Receives commands from the Control Manager server and sends status information and logs to the Control Manager server.

The Control Manager agent is an application installed on a managed product server that allows Control Manager to manage the product. Agents interact with the managed product and Communicator. An agent serves as the bridge between managed product and communicator. Therefore, install agents on the same computer as managed products.

Component: Web-based management console
Description: Allows an administrator to manage Control Manager from a computer with an Internet connection and Microsoft Internet Explorer.

The Control Manager management console is a web-based console published on the Internet through the Microsoft Internet Information Server (IIS) and hosted by the Control Manager server. It lets you administer the Control Manager network from any computer using a compatible web browser.

Component: Widget Framework
Description: Allows an administrator to create a customized dashboard to monitor the Control Manager network.

Adding PolicyServer as a Managed Product to Control Manager

Endpoint Encryption allows administrators to use Trend Micro Control Manager to control PolicyServer and manage Endpoint Encryption agent policies, or use Trend Micro OfficeScan to deploy Endpoint Encryption agent software on managed endpoints.

To use Control Manager to manage PolicyServer, you must add PolicyServer as a managed product.

Important
Endpoint Encryption supports only one configured PolicyServer instance in Control Manager at a time. It is not possible to add multiple PolicyServer configurations.

Procedure

1. Log on to Control Manager.

2. Go to Administration > Managed Servers.

The Managed Servers screen appears.

3. In the Server Type drop-down list, select Endpoint Encryption.

4. Click Add.


The Add Server screen appears.

5. Specify Server Information options.

• Server: Specify the PolicyServer host name and the port number. Use the following format:

http://<server_name>:port_number

Note

Control Manager communicates with PolicyServer Endpoint Encryption Service. The default port number is 8080.

• Display name: Specify the name for PolicyServer shown in the Managed Servers screen.

6. Under Authentication, specify the user name and password of the Endpoint Encryption Enterprise Administrator account and the Enterprise specified during PolicyServer installation.

7. Under Connection, select Use a proxy server for the connection if PolicyServer requires a proxy connection.

8. Click Save.

Note

Synchronization between Control Manager and PolicyServer may require several minutes to complete.


PolicyServer is added as a new managed product to Control Manager.

Configuring Directory Management for PolicyServer

The following procedure explains how to configure Directory Management for the new PolicyServer data source. The Directory Management screen displays the available policy targets in the directory tree.

Add PolicyServer to Control Manager as a managed server before starting this procedure. For more information, see Adding PolicyServer as a Managed Product to Control Manager on page 3-20.

Procedure

1. Go to Policies > Policy Resources > Managed Servers.

The Managed Servers screen appears.

2. Click Directory Management.

The Directory Management screen appears.

3. Select the server and then click Add Folder.

The Add Directory screen appears.

4. Specify a directory name and then click Save.

5. Click OK to confirm.

The new folder is created.

6. Drag the previously added PolicyServer data source into the new folder.

7. Click OK to confirm.

8. Click < Back to return to the Policy Management screen.


Configuring Proxy Settings

Use a proxy server to connect to the managed products.

Procedure

1. Go to Administration > Managed Servers.

The Managed Servers screen appears.

2. Click Proxy Settings.

3. Specify your proxy settings.

Option Description

Protocol Endpoint Encryption supports proxy connection over HTTP or SOCKS5 protocols.

Server Specify the IP address or URL of the proxy server.

Port Specify the listening port of the proxy server.

User name Specify the user name to access the server if the proxy requires authentication.

Password Specify the password to access the server if the proxy requires authentication.

4. Click Save.

5. Click the Edit button next to your Endpoint Encryption server.


The Edit Server screen appears.

6. Select Use a proxy server for the connection.

7. Click Save.

Active Directory Synchronization

PolicyServer supports Active Directory (AD) synchronization for a configured PolicyServer group. Synchronization will automatically add and remove AD users from configured PolicyServer groups.

Topics include:

• Active Directory Overview on page 3-24

• Configuring Active Directory on page 3-25

• Importing Active Directory Users on page 3-27

• Managing Password Setting Objects from Active Directory on page 3-29

Active Directory Overview

Three items are required to enable PolicyServer AD synchronization:

1. A configured AD domain.


2. A PolicyServer group configured to point to one or more valid AD organizational units (OUs).

3. Appropriate credentials to access the AD domain that match the PolicyServer group's distinguished name.

When configured properly, synchronization automatically creates new PolicyServer users and moves them to the appropriate paired groups on PolicyServer. During synchronization, PolicyServer is updated to reflect current users and group assignments for paired groups.

Adding a new user to the domain and placing that user in an organizational unit will flag that user so that during the next synchronization, AD will create that user in PolicyServer and then move that user into the appropriate paired PolicyServer group.

Deleting a user from AD will automatically remove that user from a PolicyServer paired group and from the enterprise.

To add non-domain users to groups that are synchronized with the domain, you can create unique Endpoint Encryption users and add them to paired PolicyServer groups without having those users modified by the synchronization system.

If you remove the Endpoint Encryption user from a paired group in PolicyServer, that domain user will not automatically be re-added by the synchronization system. This prevents overriding your action for this Endpoint Encryption user. If you manually move a synchronized domain user back into a paired group, then the synchronization system will again begin to automatically maintain the user in the group.
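The rules above can be checked against a small model before trusting a synchronization run. The following Python is an added example, not Trend Micro code: PolicyServer's real synchronization logic is not published, so the Enterprise and PairedGroup structures, the function names, and the treatment of a domain user moved to an unpaired OU (dropped from the group, kept in the enterprise) are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class PairedGroup:
    """A PolicyServer group paired with one or more AD organizational units (OUs)."""
    name: str
    ou_dns: frozenset                     # distinguished names of the paired OUs
    members: set = field(default_factory=set)
    # Domain users an administrator removed by hand: synchronization must not re-add them.
    manually_removed: set = field(default_factory=set)


@dataclass
class Enterprise:
    users: set = field(default_factory=set)          # every Endpoint Encryption user
    domain_users: set = field(default_factory=set)   # subset created by synchronization
    groups: dict = field(default_factory=dict)       # group name -> PairedGroup


def synchronize(ent, ad_users):
    """Apply one synchronization pass (hypothetical model of the rules in the overview).

    ad_users maps each domain account name to the DN of the OU it currently sits in.
    Returns (created, removed_from_enterprise) so a caller can audit the pass.
    """
    created, removed = set(), set()
    for grp in ent.groups.values():
        wanted = {u for u, ou in ad_users.items() if ou in grp.ou_dns}
        # New AD user in a paired OU: create the PolicyServer user, then place it in the group.
        for u in wanted - grp.members - grp.manually_removed:
            if u not in ent.users:
                ent.users.add(u)
                created.add(u)
            ent.domain_users.add(u)
            grp.members.add(u)
        # Only domain users are touched on the way out; locally created users are left alone.
        for u in list(grp.members & ent.domain_users):
            if u not in ad_users:                      # deleted from AD
                grp.members.discard(u)
                ent.users.discard(u)
                ent.domain_users.discard(u)
                removed.add(u)
            elif u not in wanted:                      # moved to an unpaired OU (assumption)
                grp.members.discard(u)
    return created, removed


def admin_remove(ent, group_name, user):
    """Administrator removes a user from a paired group; a domain user is then flagged."""
    grp = ent.groups[group_name]
    grp.members.discard(user)
    if user in ent.domain_users:
        grp.manually_removed.add(user)


def admin_add(ent, group_name, user):
    """Administrator adds (or moves back) a user; synchronization maintains them again."""
    grp = ent.groups[group_name]
    ent.users.add(user)
    grp.members.add(user)
    grp.manually_removed.discard(user)


def demo():
    """Constructed walk-through of the cases described in the overview."""
    sales_ou = "OU=Sales,DC=example,DC=com"
    ent = Enterprise(groups={"Sales": PairedGroup("Sales", frozenset({sales_ou}))})
    admin_add(ent, "Sales", "contractor_local")      # non-domain user, added by hand

    ad = {"alice": sales_ou, "bob": sales_ou, "carol": "OU=Eng,DC=example,DC=com"}
    created, _ = synchronize(ent, ad)                # alice and bob created; carol's OU is unpaired
    steps = {"created": created, "carol_created": "carol" in ent.users}

    admin_remove(ent, "Sales", "alice")
    synchronize(ent, ad)                             # alice must not come back on her own
    steps["alice_after_manual_removal"] = "alice" in ent.groups["Sales"].members

    admin_add(ent, "Sales", "alice")                 # moved back by hand: maintained again
    del ad["bob"]                                    # bob deleted from the domain
    _, removed = synchronize(ent, ad)
    steps["removed"] = removed
    steps["final_members"] = set(ent.groups["Sales"].members)
    return steps


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```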

Configuring Active Directory

This task assumes the domain controller is set up on Windows Server 2012 and that Active Directory (AD) is installed.

Procedure

1. Go to Start > Administrative Tools > Active Directory Users and Computers.

The Active Directory Users and Computer screen appears.


Figure 3-1. Active Directory Users and Computers

2. Create your organizational units (OUs).

For each OU you intend to create, perform the following steps:

a. Right-click the new domain created during AD installation and then select New.

b. Select Organizational Unit.

c. From the New Object - Organizational Unit screen, specify the new name and click OK.

The new group appears in the left navigation under the domain name. Perform this step for as many organizational units as you intend to use with PolicyServer.

Important

Endpoint Encryption supports up to 12 OUs per policy.


The new groups will be used to synchronize with a PolicyServer group. Before synchronization, users must be added to the groups.

3. Add new users to your OUs.

For each user you intend to create, perform the following steps:

a. Right-click the intended OU and go to New > User.

b. From the New Object - User screen, specify the new user's account information and click Next.

c. Specify and confirm the new user's domain password and click Next.

Note

Clear User must change password at next login and select the Password never expires option to simplify other testing later.

d. When prompted to complete, click Finish.

The domain controller is configured with a new OU and a user in that group. To synchronize that group with PolicyServer, install PolicyServer and create a group for synchronization. This next section assumes that PolicyServer is already installed.

Importing Active Directory Users

PolicyServer maintains a user directory separate from the Active Directory database. This allows PolicyServer absolute security over access to all Endpoint Encryption devices, user rights, and authentication methods.

Use the Endpoint Encryption Users widget in Control Manager to import Active Directory users. For more information about managing users with the Endpoint Encryption Users widget, see Endpoint Encryption Users on page 4-7.

Procedure

1. Log on to Control Manager.


2. Go to the Endpoint Encryption Users widget.

3. Click the icon.

4. Select Import Users from Active Directory.

The Import Users from Active Directory screen appears.

5. Specify your credentials for the Active Directory LDAP server.

Note

For Port, the value “0” specifies the default port. The default port is 389.

6. Click Next.

7. Wait for the specified Active Directory domain to populate.

The Active Directory tree for the specified domain appears in the left pane.

8. From the left pane, use the navigation tree to select the container from which to add users.

The available users populate in the right pane.

9. Do one of the following:

• Select individual users, then click Import Selected Users.

• Click Import Everyone in this Container.

10. Click OK to add the users to the specified location.

A confirmation window appears.

11. Click OK to confirm.

An import status message displays.

12. Click Close to finish, or repeat the procedure to select more users to import.


Managing Password Setting Objects from Active Directory

Endpoint Encryption supports fine-grained password policies through Active Directory. If PolicyServer is in the Active Directory computer list, password policies in Active Directory supersede PolicyServer policy settings from both Control Manager and PolicyServer MMC.

The following procedure shows how to add PolicyServer to the Active Directory computer list.

Procedure

1. Open your Password Settings object (PSO) Security settings.

a. Go to Start > Administrative Tools > Active Directory Users and Computers.

b. In the View menu, verify that Advanced Features are enabled.

c. Locate your domain node in Active Directory Users and Computers.

d. Go to System > Password Settings Container.

e. Select the PSO Property that you intend to use for password policy management.

f. Go to the Security tab.

2. Add the PolicyServer endpoint to the Group or user names list.

a. Under the Group or user names list, click Add....

b. In the Object Types window, select Computers.

c. Select the PolicyServer endpoint.

3. Verify and confirm your changes.


Chapter 4

Dashboard

The Control Manager dashboard provides at-a-glance information for the Control Manager network. The dashboard is comprised of two components:

• Tabs: Allow administrators to create a screen that contains one or more widgets

• Widgets: Provide specific information about various security-related events and perform user and device management

Each user account displays its own dashboard. When a user logs on to Control Manager for the first time, the default tabs and the widgets contained within the tabs appear on the dashboard.

Each user account can customize the dashboard, tabs, and widgets for the account’s specific needs. Customizing the dashboard, tabs, or widgets for one user account has no effect on the dashboard, tabs, or widgets for a different user account. Each user account has a completely independent dashboard, tabs, and widgets from every other user account.


Tabs

To customize the Control Manager Dashboard, add additional tabs, name the new tabs as needed, and add the appropriate widgets. You can modify or delete added tabs.

Default Tabs

The dashboard provides the following tabs:

• Summary

• DLP Incident Investigation

• Data Loss Prevention

• Compliance

• Threat Detection

• Smart Protection Network

Note

Deleting the default tabs permanently removes the tabs from viewing for the user account that removed the tabs. There is no way to recover a deleted tab. Deleting a default tab has no impact on the dashboard for other user accounts.

Adding a New Tab

Procedure

1. Go to the Dashboard.

2. Click the to the right of the last named tab.

The New Tab screen appears.

3. Specify a name for the Title of the new tab.


4. Select the radio button for the appropriate layout style.

5. Select Auto-fit On to make the height of all widgets on the tab consistent.

6. Click Save.

The new tab is added to the right of existing tabs.

Modifying Tab Settings

Procedure

1. Go to the Dashboard and then open the appropriate tab.

2. Click Tab Settings at the upper-right corner of the tab.

3. Make the needed changes to:

• Title

• Layout

• Auto-fit

4. Click Save.

Deleting a Tab

Note

Deleting the default tabs permanently removes the tabs from viewing for the user account that removed the tabs. There is no way to recover a deleted tab. Deleting a default tab has no impact on the dashboard for other user accounts.

Procedure

1. Go to the Dashboard.


2. Open the tab to delete.

3. Click the X next to the name of the tab.

4. Click OK to confirm.

The tab is deleted.

Widgets

Widgets are the core components for the dashboard. Tabs provide the layout and widgets provide the actual data for the dashboard.

Note

Customizing the dashboard, tabs, or widgets for one user account has no effect on the dashboard, tabs, or widgets for a different user account. Each user account has a completely independent dashboard, tabs, and widgets from every other user account.

Download the Control Manager widget pool (under Product programs and widget pool on the Manual Download and Scheduled Download screens) periodically to check for new or updated widgets.

The data a widget displays comes from one of the following places:

• Control Manager database

• Trend Micro Smart Protection Network

• Managed products added to the Dashboard Server Visibility list

Note

Smart Feedback must be enabled to display data for widgets that include data from Smart Protection Network.

The data a widget displays is controlled in two ways:


Table 4-1. Widget Data

Item Details

User account A user’s account grants or restricts access to any managed product registered to Control Manager.

Scope The data scope on many widgets can be individually configured. This means a user can further specify the data source location for the widget.

Example: An OfficeScan administrator, who manages multiple OfficeScan servers, could create one tab and add widgets that display data for only one OfficeScan server.

Adding Widgets to a Tab

After adding widgets to a tab, drag-and-drop the widgets to various locations within the tab.

Procedure

1. Go to the Dashboard and then open the appropriate tab.

2. Click Add Widgets at the upper-right corner of the tab.

The Add Widgets screen appears.

3. Do the following:

• Click a category from the left and then select the check box next to the name of all applicable widgets that appear.

• Use the search bar to select a specific widget.

4. Click Add.

All selected widgets are added to the tab.


Widget Options

The following illustration and table provide a general overview of available widget options. Different widgets may have different options available.

Figure 4-1. Widget Options

Table 4-2. Widget Option Descriptions

Item Description

1 The total number of objects (examples: events, devices, logs) that the widget gathers data about. Click the number to view additional information.

2 The information that the widget displays.

3 The Enterprise associated with the widget data.

4 The name of the widget. Change the name in the Widget Settings window.

5 Click the icon to manually refresh widget data. The default refresh rate is controlled by the Control Manager dashboard settings at Administration > Settings > Web Console Settings.


6 Click the icon to display the following widget options:

• Widget Settings: Configure the displayable options for that widget.

• Help: Access the Endpoint Encryption Online Help for that widget.

• Close Widget: Remove the widget from the current tab.

7 View the last time that the widget refreshed data.

8 Click the number or icon to access specific widget data, such as event logs or reports.

Endpoint Encryption Users

The Endpoint Encryption Users widget provides user management capability directly from the Control Manager dashboard. Use the Endpoint Encryption Users widget to add or remove Endpoint Encryption user accounts, reset passwords, change permissions, configure policy group priority, import from Active Directory, and search for specific user accounts.

Note

For information about adding existing Endpoint Encryption users to a policy, see Configuring Endpoint Encryption Users Rules on page 5-13.


Item Description

Show Select which users to display: all users in the Enterprise, or users in a specific policy.

Search ( ) Click the icon to filter which Endpoint Encryption users appear in the table. Use the search field to specify parameters to search against.

Settings ( ) or right-click a user Click the icon to view user attributes or to perform actions on any selected user.

Add users ( ) Click the icon to add individual users, import users from a CSV file, or import users from Active Directory LDAP.

Number of users View the total number of users in the entire Enterprise, selected policy, or specified search.

User Settings Options

The following table explains the options available under the settings icon.


Table 4-3. User Settings Options

Option Description

Change password Specify a new password for users using the Fixed password authentication type. The widget does not support changing passwords for the Domain authentication type.

Delete user Removes the selected user.

Modify user Update the properties of the selected user. The following properties can be modified:

• User name

• First name

• Last name

• Employee ID

• Email address

• Freeze

• User type

• One policy

• Authentication method

List policies Displays the policies where the selected user is a member.

If the Allow Install column for the selected user is Yes, then the option to allow or disallow the installation of selected policies, as well as selecting which policies should be given first priority, is enabled.

Add New User Options

The following table explains the options available when adding a new Endpoint Encryption user.


Table 4-4. Add New User Options

Option Description

User name Specify the account user name that the user uses to authenticate.

First name Specify the user's first name.

Last name Specify the user's last name.

Employee ID Specify the user's employee ID (optional).

Email address Specify user's email address (optional).

Freeze Select Yes to temporarily lock the account. A locked account cannot log on to Endpoint Encryption devices.

User type Select User, Authenticator, or Administrator.

For more information about user roles, see Users on page 5-3.

One group Select Yes to only allow the user to belong to one policy at a time. The user may not be added to any other policy groups.

If you set this option to Yes and set the User type to Authenticator or Administrator, the user will be a group authenticator or group administrator respectively.

Authentication method Select the authentication method available to the user.

Policy Membership

The following table explains how to understand Endpoint Encryption user policy membership.


Note

Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker do not require authentication and are not affected by authentication policies. Client, login, password, and authentication policies, or allowing the user to uninstall the Endpoint Encryption agent software, only affect the Full Disk Encryption and File Encryption agents.

Header Example Description

Priority 1, 2, 3 Shows the order that Endpoint Encryption applies policies. When a policy is triggered that affects a user, Endpoint Encryption takes the action, and then no other policies affect the user for that event.

Policy Name GP1 Shows the name of all policies that the user is currently assigned.

Description Temporary employees policy. Shows the description of the policy.

Allow Install Yes, No Shows whether the user can install new Endpoint Encryption devices.

Importing Users from a CSV File

Note

Importing users from a CSV file is supported only for users using fixed password authentication.

Format each line in the CSV file as follows:

<User ID (required)>, <first name>, <last name>, <employee ID>, <email address>

For fields with no data, use a comma as a placeholder. The following is an example CSV entry:

example_id, name,,, [email protected]
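A pre-flight check of an import file against the format above, as an added example that is neither part of this guide nor of the product. The guide states two rules (five comma-separated fields, User ID required); the duplicate-ID and e-mail-shape checks are extra sanity checks added here, and the sample rows are constructed.

```python
import csv
import io
import re

# Column order given in the guide: User ID (required), first name, last name,
# employee ID, email address.
FIELDS = ("user_id", "first_name", "last_name", "employee_id", "email")
# Loose shape check only: one '@', no whitespace, a dot in the domain part (assumption).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_user_csv(text):
    """Parse and validate a PolicyServer user-import CSV.

    Returns (users, errors): users is a list of dicts keyed by FIELDS in file order,
    errors a list of (line_number, message) for rows the import should reject.
    Whitespace around fields is stripped, so 'a, b' and 'a,b' are treated the same,
    matching the spacing used in the guide's sample line.
    """
    users, errors, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue                                   # blank line: nothing to import
        cells = [cell.strip() for cell in row]
        if len(cells) != len(FIELDS):
            errors.append((lineno, "expected %d fields, found %d" % (len(FIELDS), len(cells))))
            continue
        rec = dict(zip(FIELDS, cells))
        if not rec["user_id"]:
            errors.append((lineno, "User ID is required"))
            continue
        if rec["user_id"].lower() in seen:             # case-insensitive duplicate (assumption)
            errors.append((lineno, "duplicate User ID %r" % rec["user_id"]))
            continue
        if rec["email"] and not EMAIL_RE.match(rec["email"]):
            errors.append((lineno, "malformed email address %r" % rec["email"]))
            continue
        seen.add(rec["user_id"].lower())
        users.append(rec)
    return users, errors


# Constructed sample file: two well-formed lines, then one bad row per check.
SAMPLE = """\
example_id, name,,, jdoe@example.com
asmith, Alice, Smith, E1001,
,Bob, Jones, E1002, bjones@example.com
ckim, Carol, Kim, E1003
example_id, Duplicate,,, dup@example.com
dlee, Dan, Lee,, not-an-email
"""


if __name__ == "__main__":
    ok, bad = parse_user_csv(SAMPLE)
    print("importable:", [u["user_id"] for u in ok])
    for lineno, msg in bad:
        print("line %d rejected: %s" % (lineno, msg))
```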


Procedure

1. From the Endpoint Encryption Users widget, click Add User and then select Import Users from a File.

The Import Users from a File screen appears.

2. Click Choose File to select the CSV file.

The Open CSV File window appears.

3. Select the file and then click Open.

4. Click Add.

The users in the CSV file are imported.

Importing Active Directory Users

PolicyServer maintains a user directory separate from the Active Directory database. This allows PolicyServer absolute security over access to all Endpoint Encryption devices, user rights, and authentication methods.

Use the Endpoint Encryption Users widget in Control Manager to import Active Directory users. For more information about managing users with the Endpoint Encryption Users widget, see Endpoint Encryption Users on page 4-7.

Procedure

1. Log on to Control Manager.

2. Go to the Endpoint Encryption Users widget.

3. Click the icon.

4. Select Import Users from Active Directory.

The Import Users from Active Directory screen appears.

5. Specify your credentials for the Active Directory LDAP server.


Note

For Port, the value “0” specifies the default port. The default port is 389.

6. Click Next.

7. Wait for the specified Active Directory domain to populate.

The Active Directory tree for the specified domain appears in the left pane.

8. From the left pane, use the navigation tree to select the container from which to add users.

The available users populate in the right pane.

9. Do one of the following:

• Select individual users, then click Import Selected Users.

• Click Import Everyone in this Container.

10. Click OK to add the users to the specified location.

A confirmation window appears.

11. Click OK to confirm.

An import status message displays.

12. Click Close to finish, or repeat the procedure to select more users to import.

Endpoint Encryption Devices

Endpoint Encryption devices are Endpoint Encryption agents that have registered with PolicyServer. Installing any Endpoint Encryption agent automatically registers the endpoint with PolicyServer as a new Endpoint Encryption device. Since multiple Endpoint Encryption agents may protect a given endpoint, a single endpoint may appear as more than one Endpoint Encryption device on PolicyServer.

The Endpoint Encryption Devices widget provides Endpoint Encryption device management capability directly from the Control Manager dashboard. Use the Endpoint Encryption Devices widget to monitor activity, search for Endpoint Encryption devices, or secure endpoint data by initiating lock or kill commands when an endpoint is lost or stolen.

Note

For information about adding Endpoint Encryption devices to a policy, see Specifying Policy Targets on page 5-11.

Options Description

Show Select which devices to display: all devices in the Enterprise, or devices in a specific policy.

Search ( ) Click the icon to select the Endpoint Encryption agent and filter the devices shown in the table. Use the search field to specify parameters to search against. Any attributes listed in device attributes can be searched.

Settings ( ) or right-click a device Select a device and click the icon or right-click a device to view device attributes or to perform actions on the selected device.

See Device Actions on page 4-15.


Number of devices View the total number of devices in the entire Enterprise, selected policy, or specified search.

Device Actions

Select a device and click the icon or right-click a device to perform the following actions:

Action Description

Delete device Deleting any Endpoint Encryption device from the Enterprise also removes the device from all policy groups. The deleted Endpoint Encryption device continues functioning as long as connectivity and password policies are current on the device. The agent will be unable to synchronize its policy with PolicyServer.

WARNING!

Before deleting a Full Disk Encryption device, decrypt your disk, and uninstall the Full Disk Encryption agent. If you delete a Full Disk Encryption device without deleting the agent, the Full Disk Encryption preboot may be unable to authenticate with PolicyServer and the data may become inaccessible.

Soft token Generating a “software token” creates a unique string that you can use to unlock Endpoint Encryption devices and to remotely help Endpoint Encryption users reset forgotten passwords.

The software token is only available in the full version of Full Disk Encryption, not Encryption Management for Apple FileVault or Encryption Management for Microsoft BitLocker.

For information about resetting passwords or unlocking a user account, see Remote Help Assistance on page 9-31.


Recovery key Generating a “recovery key” allows the user to decrypt a hard disk when the user has forgotten the original password or key.

The recovery key is only available to Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker agents because they do not use the other recovery methods available in Full Disk Encryption.

For information about resetting passwords or unlocking a user account, see Remote Help Assistance on page 9-31.

Device attributes View a current snapshot of the selected device.

See Device Attributes on page 4-17.

Kill device Initiating a “kill” command deletes all Endpoint Encryption device data. The deleted data is different depending on the scope of data that the associated Endpoint Encryption agent manages. For example, initiating a “kill” command to a Full Disk Encryption device deletes all data from the endpoint, while initiating a “kill” command to a File Encryption device deletes all files and folders in local or removable storage protected by the File Encryption agent. The “kill” command is issued when the Endpoint Encryption agent communicates with PolicyServer.

WARNING!

Killing a device cannot be undone. Back up all the data before initiating a kill command.

Lock device Initiating a “lock” command to the Endpoint Encryption device prevents Endpoint Encryption user access until after performing a successful Remote Help authentication. Locking a device reboots the endpoint and forces it into a state that requires Remote Help. The lock command is issued when the Endpoint Encryption agent communicates with PolicyServer.

See Remote Help Assistance on page 9-31.

Soft reset Initiating a “soft reset” command reboots the endpoint. The command issues the next time that the agent communicates with PolicyServer.


Device Attributes

The following table describes the Endpoint Encryption device attributes.

Attribute Name Example Description

AD NetBIOS Name Enterprise The name assigned to the AD NetBIOS.

AD Object GUID 6629bdeb-99a8-456b-b7c5-dbbc50ad13d0 The GUID assigned to the AD object.

Battery Count 2 The number of batteries installed.

.NET Version 2.0.50727.3620 The version and build number for the installed .NET framework.

Common Framework Build Number 5.0.0.84 The Endpoint Encryption agent uses a common framework for encryption. The build number is used to tell whether the agent is up-to-date.

Disk Model VMware Virtual IDE The hard disk model.

Disk Name \\.\PHYSICALDRIVE0 The name of the hard disk.

Disk Serial Number The serial number of the hard disk.

Disk Partitions 1 The number of partitions on the disk with the agent installed.

Disk Size 10733990400 The total capacity of the hard disk (in bytes).

Domain Name WORKGROUP The domain that the endpoint is a member of.

Endpoint ID 85b1e3e2a3c25d882540ef6e4818c3e4 The unique ID of the endpoint used for Control Manager integration.

File Encryption Version 6.0.0.1039 The version of File Encryption installed on the endpoint.


Hostname TREND-4136D2DB3 The endpoint's host name.

IP Address 10.1.152.219 The endpoint's IP address.

Language English (United States) The language used by the endpoint.

Locale en-US The regional settings used by the endpoint.

MAC Address 00-50-56-01-xx-xx The endpoint's MAC address.

Machine Name TREND-4136D2DB3 The computer name that the endpoint used.

Manufacturer VMware, Inc. The manufacturer of the hard disk.

Model VMware Virtual Platform The model of the hard disk.

Operating System Microsoft Windows NT 5.1.2600 Service Pack 3 The operating system installed on the same hard disk as the agent.

Operating System Name Microsoft Windows XP Professional The common name of the operating system installed on the same hard disk as the agent.

Operating System Service Pack Service Pack 3 The service pack number of the operating system installed on the same hard disk as the agent.

Operating System Version 5.1.2600.196608 The version number of the operating system installed on the same hard disk as the agent.

Partition Scheme Classical MBR The partition scheme for the hard disk.

Processor x86 Family 6 Model 30 Stepping 5, Genuine Intel The processor make and model of the endpoint.

Processor Count 2 The number of processors in the endpoint.


Processor Revision 1e05 The processor revision number.

Time Zone Taipei Standard Time The time zone in which the endpoint resides.

Total Physical Memory 2047MB The total RAM installed in or allocated to the endpoint.

Type X86-based PC The endpoint processor type.

Windows User Name TREND-4136D2DB3\admin The user name of the Windows account that last logged on the endpoint.

<Agent> User john_smith The user name for the last logged on user.

<Agent> Version 5.0.0.260 The version and build number for the agent installation.

Full Disk Encryption Status

The Full Disk Encryption Status widget shows the current encryption status of any Endpoint Encryption device in the Enterprise.


Column Description

Status The status of the Endpoint Encryption device. Statuses include:

• Encrypted: The Endpoint Encryption device is 100% encrypted.

• Encrypting: The Endpoint Encryption device is currently encrypting the hard disk. The status changes to “Fully Encrypted” once encryption completes and the endpoint restarts.

• Not encrypted: The Endpoint Encryption device is 0% encrypted.

• Decrypting: The Endpoint Encryption device is currently decrypting the hard disk. The status changes to Not Encrypted once the decryption completes and the endpoint restarts.

• Unknown: The Endpoint Encryption device synchronized, but PolicyServer cannot determine the encryption status.

Rate The percentage that the Endpoint Encryption device is encrypted.

Devices The number of Endpoint Encryption devices with that current status. Click the number to view the Endpoint Encryption Devices report. For more information, see Full Disk Encryption Status Report on page 4-20.

Note

At the bottom of the widget, click the number next to Total to view the Endpoint Encryption Status report.

Full Disk Encryption Status Report

The following table describes the Full Disk Encryption Status report. Use it to understand how to read the report details.


Table 4-5. Full Disk Encryption Status Report Example

Header Example Description

Policy GP1 The title of the policy controlling the Endpoint Encryption device.

Device Name TREND-4136D2DB3 The computer name used by the Endpoint Encryption device.

Device ID 1fabfbff-0001-06e5-000c-297085710000 The unique ID established after the Endpoint Encryption agent was installed on the endpoint and a new Endpoint Encryption device was registered with PolicyServer.

Agent Full Disk Encryption The currently installed Endpoint Encryption agent.

Status Not Encrypted The current state of the Endpoint Encryption device.

Last Synchronized Date 10/07/2013 11:05 am The timestamp when the Endpoint Encryption device last updated policies from PolicyServer.

Last Policy Enforcement 10/07/2013 11:05 am The timestamp when the Control Manager last enforced policy changes on PolicyServer.

Endpoint Encryption Unsuccessful Device Logon

The Endpoint Encryption Unsuccessful Device Logon widget shows all Endpoint Encryption devices that had unsuccessful logon attempts by any user (Endpoint Encryption user or non-Endpoint Encryption user). Unsuccessful device logon events may represent a security breach, or the Endpoint Encryption user may have forgotten the logon credentials.

Column Description

• Device Name: The computer name of the Endpoint Encryption device.

• Policy: The policy managing the Endpoint Encryption device.

• Events: The number of unsuccessful logon attempts. Click the number to view the Endpoint Encryption Unsuccessful Device Logon report.

Unsuccessful Device Logon Report

The following table explains the Endpoint Encryption Unsuccessful Device Logon report. Use it to understand how to read the report details.

Table 4-6. Endpoint Encryption Unsuccessful Device Logon Example

• Event Timestamp (example: 07/02/2012 01:56 pm): When the event occurred.

• Policy (example: GP1): The title of the policy controlling the Endpoint Encryption device.

• Device Name (example: TREND-4136D2DB3): The computer name used by the Endpoint Encryption device.

• Device ID (example: 1fabfbff-0001-06e5-000c-297085710000): The unique ID established after the Endpoint Encryption agent was installed on the endpoint and a new Endpoint Encryption device was registered with PolicyServer.

• IP Address (example: 10.1.152.219): The Endpoint Encryption device IP address.

• Agent (example: Full Disk Encryption): The currently installed Endpoint Encryption agent.

• User Name (example: user325): The user name used to attempt to log on to the Endpoint Encryption device.

• Display Name (example: Mary Jones): The first and last name of the Endpoint Encryption user account. If the specified user name is not a valid Endpoint Encryption user name, the column shows “Not Recorded”.

• Event (example: Unsuccessful Fixed Password Login): The logged event, including the authentication method.

Endpoint Encryption Unsuccessful User Logon

The Endpoint Encryption Unsuccessful User Logon widget shows all unsuccessful attempts by any user (Endpoint Encryption user or non-Endpoint Encryption user) to log on to any Endpoint Encryption device.

Column Description

• User Name: The user name used to attempt to log on to the Endpoint Encryption device.

• Display Name: The display name of the user account that attempted to log on to the Endpoint Encryption device.

• Events: The number of unsuccessful authentication attempts. Click the number to view the Endpoint Encryption Unsuccessful User Logon report.

Unsuccessful User Logon Report

The following table explains the Endpoint Encryption Unsuccessful User Logon report. Use it to understand how to read the report details.

Table 4-7. Endpoint Encryption Unsuccessful User Logon Report Example

• Event Timestamp (example: 07/02/2012 01:56 pm): When the event occurred.

• Policy (example: GP1): The title of the policy controlling the Endpoint Encryption device.

• Device Name (example: TREND-4136D2DB3): The computer name used by the Endpoint Encryption device.

• Device ID (example: 1fabfbff-0001-06e5-000c-297085710000): The unique ID established after the Endpoint Encryption agent was installed on the endpoint and a new Endpoint Encryption device was registered with PolicyServer.

• IP Address (example: 10.1.152.219): The Endpoint Encryption device IP address.

• Agent (example: Full Disk Encryption): The currently installed Endpoint Encryption agent.

• User Name (example: user325): The user name used to attempt to log on to the Endpoint Encryption device.

• Display Name (example: Mary Jones): The first and last name of the Endpoint Encryption user account. If the specified user name is not a valid Endpoint Encryption user name, the column shows “Not Recorded”.

• Event (example: Unsuccessful Fixed Password Login): The logged event, including the authentication method.

Endpoint Encryption Device Lockout

The Endpoint Encryption Device Lockout widget shows Endpoint Encryption devices that are locked out due to policy restrictions.

Note: For information about Endpoint Encryption device lockout rules, see Lockout Actions on page 5-25.

Header Description

• Device Name: The computer name used by the Endpoint Encryption device.

• Policy: The title of the policy controlling the Endpoint Encryption device.

• Lockout: The timestamp when PolicyServer issued the device lock command. The Endpoint Encryption device does not actually lock until the Endpoint Encryption agent next synchronizes policies with PolicyServer.

• Details: Click the details icon to view the Endpoint Encryption Device Lockout report.

At the bottom of the widget, click the number next to Total to view the report.

Device Lockout Report

The following table explains the Endpoint Encryption Device Lockout report. Use it to understand how to read the report details.

Note: For information about account lockout and device lock actions, see Lockout Actions on page 5-25.

Table 4-8. Endpoint Encryption Device Lockout Report Example

• Event Timestamp (example: 07/02/2012 01:56 pm): When the event occurred.

• Policy (example: GP1): The title of the policy controlling the Endpoint Encryption device.

• Device Name (example: TREND-4136D2DB3): The computer name used by the Endpoint Encryption device.

• Device ID (example: 1fabfbff-0001-06e5-000c-297085710000): The unique ID established after the Endpoint Encryption agent was installed on the endpoint and a new Endpoint Encryption device was registered with PolicyServer.

• IP Address (example: 10.1.152.219): The Endpoint Encryption device IP address.

• Agent (example: Full Disk Encryption): The currently installed Endpoint Encryption agent.

• User Name (example: user325): The user name used to attempt to log on to the Endpoint Encryption device.

• Display Name (example: Mary Jones): The first and last name of the Endpoint Encryption user account. If the specified user name is not a valid Endpoint Encryption user name, the column shows “Not Recorded”.

• Event (example: Locked device due to invalid login attempt violation.): The logged event.

Endpoint Encryption Security Violations Report

The Endpoint Encryption Security Violations Report widget shows the security violations assessed by the following reports:

• Endpoint Encryption Consecutive Unsuccessful Device Logon

• Endpoint Encryption Policy Tampering

• Endpoint Encryption Log Integrity

Generating a report gathers all security violations currently logged by PolicyServer. Once generated, click the number in the Reports column to view the generated reports for that violation.

Header Description

• Violation report type: The available report types for the various violations.

• Action: Click Generate to create a new report.

• Reports: The total number of generated reports for that violation. Click the number to view the available reports.

Note: To specify the number of consecutive unsuccessful logon attempts that counts as a security violation, click ▼ to open the Widget Settings window, type a value in the Consecutive unsuccessful logons text box, and then click Save.

Consecutive Unsuccessful Device Logon Report

The following table explains the Endpoint Encryption Consecutive Unsuccessful Device Logon report. Use it to understand when the logon attempt occurred, the affected Endpoint Encryption device, and how many times the user attempted to log on to the Endpoint Encryption device.

Table 4-9. Endpoint Encryption Consecutive Unsuccessful Device Logon Report Example

• Event Timestamp (example: 07/02/2012 01:56 pm): When the event occurred.

• Device Name (example: TREND-4136D2DB3): The computer name used by the Endpoint Encryption device.

• Attempts (example: 5): The number of consecutive times that a user attempted to log on to the Endpoint Encryption device unsuccessfully.
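The logon reports above and the Consecutive unsuccessful logons threshold of the Security Violations widget can be reproduced outside the console against exported events, which is useful when the same data is forwarded to a SIEM. The following Python is an added example, not part of this guide or of the Endpoint Encryption product. It consumes constructed rows shaped like the report columns (Event Timestamp, Device Name, User Name, Display Name, Event), counts the current run of consecutive failures per device, resets that run on a successful logon (the successful-logon rows and their wording are an assumption, since the reports above list only failures), and treats attempts whose Display Name is “Not Recorded” as attempts with a user name PolicyServer does not know, which is what separates a probable attack from a user who forgot a password.

```python
from collections import defaultdict

# Constructed sample events, oldest first, laid out like the report columns
# (Event Timestamp, Device Name, User Name, Display Name, Event). The report
# above lists only failures; the "Successful ..." rows and their wording are an
# assumption for this example so that a run of failures can be reset.
SAMPLE_EVENTS = [
    ("07/02/2012 01:40 pm", "TREND-4136D2DB3", "user325", "Mary Jones",   "Unsuccessful Fixed Password Login"),
    ("07/02/2012 01:41 pm", "TREND-4136D2DB3", "user325", "Mary Jones",   "Unsuccessful Fixed Password Login"),
    ("07/02/2012 01:42 pm", "TREND-4136D2DB3", "user325", "Mary Jones",   "Successful Fixed Password Login"),
    ("07/02/2012 01:52 pm", "TREND-4136D2DB3", "admin",   "Not Recorded", "Unsuccessful Fixed Password Login"),
    ("07/02/2012 01:53 pm", "TREND-4136D2DB3", "root",    "Not Recorded", "Unsuccessful Fixed Password Login"),
    ("07/02/2012 01:54 pm", "TREND-4136D2DB3", "test",    "Not Recorded", "Unsuccessful Fixed Password Login"),
    ("07/02/2012 01:55 pm", "TREND-4136D2DB3", "guest",   "Not Recorded", "Unsuccessful Fixed Password Login"),
    ("07/02/2012 01:56 pm", "TREND-4136D2DB3", "backup",  "Not Recorded", "Unsuccessful Fixed Password Login"),
    ("07/02/2012 02:10 pm", "TREND-7A1B2C3D4", "bsmith",  "Bob Smith",    "Unsuccessful Fixed Password Login"),
    ("07/02/2012 02:11 pm", "TREND-7A1B2C3D4", "bsmith",  "Bob Smith",    "Unsuccessful Fixed Password Login"),
    ("07/02/2012 02:12 pm", "TREND-7A1B2C3D4", "bsmith",  "Bob Smith",    "Unsuccessful Fixed Password Login"),
]

THRESHOLD = 5  # the widget's "Consecutive unsuccessful logons" setting


def is_failure(event):
    """Failed attempts are logged as 'Unsuccessful <method> Login'."""
    return event.startswith("Unsuccessful")


def analyze(events, threshold=THRESHOLD):
    """Per device: length of the current run of consecutive failures, how many
    of those used a user name PolicyServer does not know, and whether the run
    has reached the violation threshold."""
    state = defaultdict(lambda: {"run": 0, "unknown_user_attempts": 0, "violation": False})
    for _timestamp, device, _user, display_name, event in events:
        s = state[device]
        if is_failure(event):
            s["run"] += 1
            # "Not Recorded" means the user name is not a valid Endpoint
            # Encryption user name. One such attempt may be a typo; a run of
            # them is not what a forgotten password looks like.
            if display_name == "Not Recorded":
                s["unknown_user_attempts"] += 1
        else:
            # a successful logon ends the run
            s["run"] = 0
            s["unknown_user_attempts"] = 0
        s["violation"] = s["run"] >= threshold
    return dict(state)


def triage(result):
    """Short verdict for the analyst reading the Security Violations report."""
    if result["violation"] and result["unknown_user_attempts"]:
        return "probable attack: threshold reached using unknown user names"
    if result["violation"]:
        return "threshold reached by a known user: confirm with the user, possibly forgotten credentials"
    return "below threshold"


if __name__ == "__main__":
    for device, result in analyze(SAMPLE_EVENTS).items():
        print(f"{device}: run={result['run']} unknown={result['unknown_user_attempts']} -> {triage(result)}")
```

With the sample data, TREND-4136D2DB3 ends on a run of five failures, all with unknown user names, and is flagged; TREND-7A1B2C3D4 has three failures by a known user and stays below the default threshold of five. Lowering the threshold in the widget settings (or the `threshold` argument here) changes which devices appear.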

Policy Tampering Report

The following table explains the Endpoint Encryption Policy Tampering report. Use it to understand how to read the report details.

Table 4-10. Endpoint Encryption Policy Tampering Report Example

• Event Timestamp (example: 07/02/2012 01:56 pm): When the event occurred.

• Event (example: Policy Value Integrity Check Failed): The logged event.

Log Integrity Report

The following table explains the Endpoint Encryption Log Integrity report. Use it to understand how to read the report details.

Table 4-11. Endpoint Encryption Log Integrity Report Example

• Event Timestamp (example: 07/02/2012 01:56 pm): When the event occurred.

• Event (example: Audit Log Record Missing): The logged event.

Chapter 5

Policies

This chapter explains how to use policies and provides detailed information about individual policy setting values.

Authentication Overview

The primary form of protection that Endpoint Encryption delivers is prevention of unauthorized user access to encrypted endpoints and devices. Correctly configuring Endpoint Encryption devices, users, and policy groups reduces the risk of data loss from accidental information release or deliberate sabotage.

• Devices (page 5-2): Endpoint Encryption counts the consecutive logon attempts on a given device and the time since the device last communicated with PolicyServer. If a device violates the policy criteria, Endpoint Encryption can reset, lock, or erase the disk.

• Users (page 5-3): In addition to checking authentication attempts on a device, Endpoint Encryption also counts the consecutive logon attempts by a particular user account. If that user violates the policy criteria, Endpoint Encryption can reset, lock, or erase the disk.

• Groups (page 5-4): Groups act as a container for users for policy management. Administrators and authenticators within a group have their special privileges only within that group, but unassigned administrators and authenticators have that role throughout the Enterprise.

For a complete list of the configurable methods to authenticate users and devices, see Authentication Methods on page 2-13.

Devices

Endpoint Encryption devices are Endpoint Encryption agents that have registered with PolicyServer. Installing any Endpoint Encryption agent automatically registers the endpoint with PolicyServer as a new Endpoint Encryption device. Since multiple Endpoint Encryption agents may protect a given endpoint, a single endpoint may appear as more than one Endpoint Encryption device on PolicyServer.

Depending on the policy settings, Endpoint Encryption takes one of the following actions when a user consecutively fails to log on to that device:

• Delay the next authentication attempt

• Lock the device

• Erase all data on the device

Note: To configure Endpoint Encryption devices, use the Endpoint Encryption Devices widget. See Endpoint Encryption Devices on page 4-13.

Users

Endpoint Encryption users are any user accounts manually added to PolicyServer or synchronized with Active Directory.

Endpoint Encryption has several types of account roles and authentication methods for comprehensive identity-based authentication and management. Using Control Manager or PolicyServer MMC, you can add or import user accounts, control authentication, synchronize with Active Directory, and manage policy group membership, as needed.

The following table describes the Endpoint Encryption user roles:

Role Description

• Administrator: Administrators may access the management consoles and perform any configuration within their domain. This role has different rights depending on the level at which the administrator role is added:

  • Enterprise administrator: These administrators have control over all policies, groups, users, and devices in the enterprise.

  • Group administrator: These administrators have control over users and devices that authenticate within a specific group. Control Manager makes a group for each policy, so these administrators may also be known as “policy administrators”.

• Authenticator: Authenticators provide remote assistance when users forget their Endpoint Encryption passwords or have technical problems. This role has different rights depending on the level at which the authenticator role is added:

  • Enterprise authenticator: These authenticators can assist any user in the enterprise.

  • Group authenticator: These authenticators can assist any user within a specific group. Control Manager makes a group for each policy, so these authenticators may also be known as “policy authenticators”.

• User: Basic end users have no special privileges. The user role may not log on to the Endpoint Encryption management consoles. Unless allowed by PolicyServer, the user role also may not use recovery tools.

Note: To configure Endpoint Encryption users, use the Endpoint Encryption Users widget. See Endpoint Encryption Users on page 4-7.

Groups

Endpoint Encryption manages policies by user groups. Group management differs between PolicyServer MMC and Control Manager. After modifying policies and groups, PolicyServer synchronizes groups across both consoles.

Important: Control Manager always takes precedence over PolicyServer MMC for policy and group assignment. Any modifications to the group assignment in PolicyServer MMC are automatically overwritten the next time that Control Manager synchronizes with PolicyServer.

Console Group Management

• Control Manager: Endpoint Encryption automatically creates a group each time a policy with specific targets is deployed. After deployment, modify the groups a user is in from the Endpoint Encryption Users widget, and modify the users in the policy from the Policy Management screen.

• PolicyServer MMC: Add and modify groups directly from the left pane of PolicyServer MMC. Groups in PolicyServer MMC can be assigned as follows:

  • Top Group: Top Groups are the highest level of groups under the Enterprise. Each Top Group has a unique node underneath the Enterprise.

  • Subgroup: Subgroups are created within Top Groups. Subgroups inherit the policies of the Top Group on creation, but do not inherit later changes made to the Top Group. Subgroups may not be more permissive than the Top Group.

  Note: You must manually assign devices and users to each subgroup. Adding Endpoint Encryption users to a subgroup does not automatically add the users to the Top Group. However, you can add users to both the Top Group and the subgroup.

Note: To configure the users within a policy group on Control Manager, use the Endpoint Encryption Users widget. See Endpoint Encryption Users on page 4-7.

To configure users within a policy group on PolicyServer MMC, see the Endpoint Encryption PolicyServer MMC Guide.

Policies in Control Manager

The policy list displays the information and status of policies created by all users. When a new endpoint registers to Control Manager, it goes through the filtered policies in the list in descending order. Control Manager assigns the new endpoint to a filtered policy when both of the following conditions are satisfied:

• The new endpoint matches the target criteria of the policy

• The policy creator has permission to manage the new endpoint

The following table describes the items in the policy list.

Menu Item Description

• Priority: This column is not used in Endpoint Encryption. It only displays the following:

  • Locked: The policy has been created and is being used.

  • Blank: The policy is a draft and is not currently being used.

• Policy: Displays the name of the policy.

• Targets: Displays how administrators select targets for the policy.

  • Specified: Uses the browse or search function to select specific targets for the policy. Specified policies remain static at the top of the policy list and take priority over filtered policies.

  • Filtered: This option is not used in Endpoint Encryption.

  • None: The policy creator saved the policy as a draft without selecting any targets.

• Deployed: Displays the number of targets that have applied the policy settings.

• Pending: Displays the number of targets that have not applied the policy settings. Click the pending number to check the policy status.

• Creator: Displays the user who created the policy.

• Endpoints/Products without policies: Displays the number of managed products or endpoints to which Control Manager has not assigned a policy.

• Total endpoints/products: Displays the number of managed products or endpoints available for policy management.

Note: The numbers in Deployed, Pending, Endpoints/Products without policies, and Total endpoints/products only reflect the endpoints or managed products that an administrator has permission to manage.

Policy Options

Policy management allows administrators to enforce product settings on managed products and endpoints from a single management console. Administrators create a policy by selecting the targets and configuring a list of product settings.

Control Manager policies have the following attributes:

Table 5-1. Control Manager Policy Options

• Policy name: The name of the policy configuration.

• Targets: Administrators can select targets to assign to their policies, either manually or by using a filter that assigns targets automatically. The target selection method determines the policy type and how the policy works.

  See Policy Types on page 5-9 for more information about policy types.

  To include a managed product or endpoint as a target, make sure the product version of the managed product or endpoint supports policy management in Control Manager. The Policy Template Settings screen contains information about supported product versions.

• Settings: Once Control Manager deploys a policy to the targets, the settings defined in the policy overwrite the existing settings in the targets. Control Manager enforces the policy settings in the targets every 24 hours. Although local administrators can make changes to the settings from the managed product console, the changes are overwritten every time Control Manager enforces the policy settings.

  Note: Since policy enforcement only occurs every 24 hours, the product settings in the targets may not align with the policy settings if local administrators make changes through the managed product console between enforcements.

Note: Make sure to use the Product Directory to move the managed PolicyServer instance from the New Entity folder to the Endpoint Encryption folder in the Product Directory.

Policy Types

Control Manager provides three types of policies administrators can create. Each policy type differs in the target selection method, which affects how a policy works. The policy list arranges the policy types in the order described in the following table.

Table 5-2. Policy Types

• Specified:

  • Uses the search or browse function to locate specific targets and manually assigns them to the policy

  • Useful when administrators plan to deploy specific settings only to certain targets

  • Remains static at the top of the policy list and takes priority over any filtered policies

• Filtered: Not available. Endpoint Encryption does not support filtered policies.

• Draft: Allows administrators to save policy settings as a draft without selecting any targets. Control Manager saves draft policies with the lowest priority at the bottom of the list.

Creating a Policy

The following procedure explains how to configure a Control Manager policy that affects Endpoint Encryption users and devices.

Procedure

1. Set up your Endpoint Encryption users and devices.

Endpoint Encryption user and device configuration uses the Endpoint Encryption Users and Endpoint Encryption Devices widgets. See Endpoint Encryption Users on page 4-7 and Endpoint Encryption Devices on page 4-13 respectively.

If your environment includes Active Directory, ensure that you have configured Active Directory and synchronized all users. See Active Directory Synchronization on page 3-24.

For a general description of the authentication process, see Authentication Overview on page 5-2.

2. Go to the Create Policy screen.

a. Go to Policies > Policy Management.

b. From the Product drop-down list, select Endpoint Encryption.

c. Click Create.

The Create Policy screen appears.

3. Specify a policy name.

4. Select one of the following policy target options:

• None (Draft Only): Create a policy with no targets (endpoints).

A policy with no targets cannot be deployed. After creating a draft policy, edit the policy later to specify targets and deploy it to your environment.

• Filter by Criteria: Endpoint Encryption does not support filtering by criteria.

• Specify Target(s): Specify existing endpoints.

Note: For more information about policy targets, see Specifying Policy Targets on page 5-11.

5. Specify Endpoint Encryption policy settings.

Endpoint Encryption settings are divided into the following rule sets:

• Users: Configuring Endpoint Encryption Users Rules on page 5-13

• Full Disk Encryption: Configuring Full Disk Encryption Rules on page 5-15

• File Encryption: Configuring File Encryption Rules on page 5-19

• Common: Configuring Common Policy Rules on page 5-22

6. Click Save.

Specifying Policy Targets

Use the Specify Target(s) screen to assign Endpoint Encryption devices to the policy.

Note: The Specify Target(s) screen is available when creating a new policy.

For information about creating a policy, see Creating a Policy on page 5-9.

Figure 5-1. Specifying Policy Targets

Procedure

1. From the Specify Target(s) screen, click the Browse tab.

2. From the left pane, expand the tree to select the managed folder.

Example: CM-PI-2K8 > Local Folder > TMEE > TMEE > QA2

3. Select the appropriate Endpoint Encryption devices, or select the top check box to select all Endpoint Encryption devices listed on the current page.

4. Click Add Selected Targets.

Note: To immediately select all devices in the managed folder, click Add All from Selected Folder.

View Action List and View Results update based on the selection.

5. Click OK.

Configuring Endpoint Encryption Users Rules

The following procedure explains the configurable options for policy rules that affect authentication and Endpoint Encryption user accounts.

Procedure

1. Create a new Endpoint Encryption policy.

See Creating a Policy on page 5-9.

2. Click Users.

The Users policy rules settings appear.

Figure 5-2. Endpoint Encryption Users Policy Rules

3. If users require domain authentication, select Enable domain authentication under Domain User Settings.

If you selected Enable domain authentication, specify the server information for your Active Directory (AD) account:

a. Configure the AD domain name.

b. Configure the host name of the AD server.

c. Select the server type:

• LDAP

• LDAP proxy

4. Under User Management, configure user access.

• All Endpoint Encryption users: Allow all users, domain and local accounts, to authenticate to Endpoint Encryption devices.

• Active Directory users: Allow users from organizational units (OUs) within an AD domain to authenticate to Endpoint Encryption devices.

  Note: Select Enable domain authentication to enable the Active Directory users option.

  To configure domain authentication, see Active Directory Synchronization on page 3-24.

• Select specific users: Specify which already added Endpoint Encryption users can authenticate to managed endpoints.

  Note: In order to select specific users with this option, you must populate the user list. Add OUs with the Active Directory users option or add users with the Endpoint Encryption Users widget.

  For more information about the Endpoint Encryption Users widget, see Endpoint Encryption Users on page 4-7.

5. If you selected Active Directory users, add OUs to the policy by their distinguished name.

After selecting Active Directory users, the following additional options appear:

• User name: Specify your Active Directory user name.

• Password: Specify your Active Directory password.

• Distinguished name: Specify each OU by its sequence of relative distinguished names (RDNs) separated by commas.

  Example: OU=TW, DC=mycompany, DC=com

  After specifying the OU distinguished name, click OK.

Important: Endpoint Encryption supports up to 12 OUs per policy.
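The distinguished name format and the 12-OU limit above lend themselves to a check before the values are typed into the policy, since a mistyped DN silently admits nobody. The following Python is an added example, not code from this guide or from the product: it splits a DN into RDNs (honouring the backslash escape for commas inside values, as RFC 4514 defines it), accepts only DNs that consist of OU components followed by the domain's DC components, and enforces the 12-OU limit for one policy. The function names and the rejection of non-OU attribute types such as CN are this example's own choices.

```python
MAX_OUS_PER_POLICY = 12  # limit stated for the Active Directory users option


def split_rdns(dn):
    """Split a DN such as 'OU=TW, DC=mycompany, DC=com' into (type, value)
    pairs. A backslash escapes the next character (RFC 4514), so a comma
    inside a value does not start a new RDN. Whitespace around the
    separators is dropped; attribute types are upper-cased."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    pairs = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def validate_ou_dn(dn):
    """Accept only a DN that names an OU inside a domain: one or more OU
    components followed by one or more DC components. A user or group DN
    (CN=...) or a bare 'OU=TW' with no domain is rejected."""
    pairs = split_rdns(dn)
    types = [attr for attr, _ in pairs]
    if types[0] != "OU":
        raise ValueError(f"{dn!r} does not start with an OU component")
    if types[-1] != "DC":
        raise ValueError(f"{dn!r} does not end in the domain's DC components")
    first_dc = types.index("DC")
    if any(t != "OU" for t in types[:first_dc]) or any(t != "DC" for t in types[first_dc:]):
        raise ValueError(f"{dn!r} must be OU components followed only by DC components")
    return pairs


def is_valid_ou_dn(dn):
    """Boolean form of validate_ou_dn for callers that only need a yes/no."""
    try:
        validate_ou_dn(dn)
        return True
    except ValueError:
        return False


def validate_policy_ous(dns):
    """Validate all OUs for one policy, enforce the 12-OU limit and return
    the normalised DNs (no spaces after commas, upper-case types)."""
    if len(dns) > MAX_OUS_PER_POLICY:
        raise ValueError(f"{len(dns)} OUs exceed the limit of {MAX_OUS_PER_POLICY} per policy")
    normalised = [",".join(f"{attr}={value}" for attr, value in validate_ou_dn(dn)) for dn in dns]
    if len(set(normalised)) != len(normalised):
        raise ValueError("the same OU is listed twice")
    return normalised
```

The guide's own example, OU=TW, DC=mycompany, DC=com, normalises to OU=TW,DC=mycompany,DC=com; an OU whose name contains a comma must be written with the comma escaped, for example OU=Sales\, EMEA,DC=mycompany,DC=com.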

Configuring Full Disk Encryption Rules

The following procedure explains the configurable options for policy rules affecting Full Disk Encryption devices.

Note: Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker do not require authentication and are not affected by authentication policies. Client, login, password, and authentication policies, and the option allowing the user to uninstall the Endpoint Encryption agent software, only affect the Full Disk Encryption and File Encryption agents.

Procedure

1. Create a new Endpoint Encryption policy.

See Creating a Policy on page 5-9.

2. Click Full Disk Encryption.

The Full Disk Encryption policy rules settings appear.

Figure 5-3. Full Disk Encryption Policy Rules

3. Under Encryption, select the following options:

• Select Encrypt device to start full disk encryption when the Endpoint Encryption agent synchronizes policies with PolicyServer.

WARNING! Do not deploy encryption to Full Disk Encryption agents without first preparing the endpoint's hard drive.

For information about preparing the hard drive, see Full Disk Encryption Deployment Outline in the Endpoint Encryption Installation Guide.

• Select Encrypt only used space to encrypt only the used space on the disk.

• Select the Select encrypt key size option to specify the device encryption key size in bits.

4. Under Agent Settings, select the following options:

• Select Bypass Full Disk Encryption Preboot to allow the user to authenticate directly into Windows, without the protection of preboot authentication.

• Select Users are allowed to access system recovery utilities on the device to allow the user to access the Recovery Console.

For information about configurable options and available tools in Full Disk Encryption, see Recovery Console on page 9-5.

• Select Allow user to configure Wi-Fi to allow users to configure Wi-Fi settings on the device during preboot.

• Select Enable Wi-Fi configuration to use a predetermined Wi-Fi configuration during preboot. Specify the following details:

  • Network name (SSID)

  • User name

  • Password

  • Security type

• Select Enable logon background color to specify the background color during logon.

• Select Enable logon banner to specify a logon banner image.

The image should not exceed 128 KB in size and should measure 512 x 64 pixels. Accepted file formats are PNG with transparency (recommended), JPG, and GIF.

5. Under Notifications, configure the following options:

• Select If found, display the following message on the device to show a message when the If Found policy is active.

• Select Display Technical Support contact information to show a message after the user logs on to the Full Disk Encryption agent.

• Select Show a legal notice to show the specified legal message at startup or only after installing the Full Disk Encryption agent.
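The banner image limits in step 4 above (128 KB, 512 x 64 pixels, PNG, JPG or GIF) can be checked before the file is uploaded to the policy. The following Python is an added example, not part of this guide or the product, that reads only the image header with the standard library: PNG dimensions from the IHDR chunk, GIF dimensions from the logical screen descriptor, and JPEG dimensions from the first SOFn frame marker. The sample byte strings at the bottom are constructed header-only fragments for the checks, not displayable images.

```python
import struct

MAX_BYTES = 128 * 1024     # "should not exceed 128 KB in size"
EXPECTED_SIZE = (512, 64)  # "should measure 512 x 64 pixels"


def image_dimensions(data):
    """Return (format, width, height) read from the file header, or raise ValueError."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        # PNG: the first chunk must be IHDR; width and height are big-endian
        # 32-bit integers at offsets 16 and 20.
        if len(data) < 24 or data[12:16] != b"IHDR":
            raise ValueError("PNG without a leading IHDR chunk")
        width, height = struct.unpack(">II", data[16:24])
        return "PNG", width, height
    if data[:6] in (b"GIF87a", b"GIF89a"):
        # GIF: logical screen width and height, little-endian 16-bit, at offset 6.
        if len(data) < 10:
            raise ValueError("GIF header truncated")
        width, height = struct.unpack("<HH", data[6:10])
        return "GIF", width, height
    if data[:2] == b"\xff\xd8":
        # JPEG: walk the marker segments until a start-of-frame marker (SOF0..SOF15,
        # excluding DHT 0xC4, JPG 0xC8 and DAC 0xCC), which carries precision,
        # height and width.
        pos = 2
        while pos + 4 <= len(data):
            if data[pos] != 0xFF:
                raise ValueError("JPEG marker structure is corrupt")
            marker = data[pos + 1]
            if marker == 0xD9:  # end of image before any frame header
                break
            length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                if pos + 9 > len(data):
                    raise ValueError("JPEG frame header truncated")
                height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
                return "JPG", width, height
            pos += 2 + length
        raise ValueError("JPEG without a frame header")
    raise ValueError("not a PNG, GIF or JPEG file")


def check_banner(data):
    """Return the list of policy violations for a candidate banner; empty means acceptable."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"{len(data)} bytes exceeds the 128 KB limit")
    try:
        fmt, width, height = image_dimensions(data)
    except ValueError as exc:
        return problems + [str(exc)]
    if (width, height) != EXPECTED_SIZE:
        problems.append(f"{fmt} is {width}x{height}, expected 512x64")
    return problems


# Constructed header-only samples (not displayable images) for the checks below.
PNG_512x64 = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
              + struct.pack(">II", 512, 64) + b"\x08\x06\x00\x00\x00")
GIF_1024x64 = b"GIF89a" + struct.pack("<HH", 1024, 64)
JPG_512x64 = (b"\xff\xd8"                                  # SOI
              + b"\xff\xe0" + struct.pack(">H", 4) + b"JF"  # APP0 segment, skipped
              + b"\xff\xc0" + struct.pack(">H", 17) + b"\x08"  # SOF0, 8-bit precision
              + struct.pack(">HH", 64, 512) + b"\x03"        # height, width, components
              + b"\xff\xd9")                                 # EOI

if __name__ == "__main__":
    for name, sample in (("png", PNG_512x64), ("gif", GIF_1024x64), ("jpg", JPG_512x64)):
        print(name, check_banner(sample) or "OK")
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `check_banner`; the size check uses the whole file, the dimension check only its header.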

Configuring File Encryption Rules

The following procedure explains the configurable options for policy rules affecting File Encryption devices.

Procedure

1. Create a new Endpoint Encryption policy.

See Creating a Policy on page 5-9.

2. Click File Encryption.

The File Encryption policy rules settings appear.

Figure 5-4. File Encryption Policy Rules

3. Under Folder to Encrypt, specify the folders that are automatically created and encrypted on the endpoint when the File Encryption agent synchronizes policies.

4. Under Encryption Key, select the key used for the File Encryption encrypted folder:

• User key: Use a unique key for each Endpoint Encryption user. Only the Endpoint Encryption user who encrypted a file can decrypt it.

• Policy key: Use a unique key for each policy. Only Endpoint Encryption users and devices in the policy can decrypt the files.

• Enterprise key: Any Endpoint Encryption user or device in the Enterprise can decrypt the files.

Note: Selecting Policy key or Enterprise key controls the sharing scope of the File Encryption shared key. For more information, see File Encryption Actions on page 7-3.

5. Under Storage Devices, configure the following options:

• Select Disable optical drives to control whether removable optical media is accessible from the endpoint.

• Select Disable USB drives to control when the USB ports are disabled. Options are:

  • Always

  • Logged out

  • Never

• Select Encrypt all files and folders on USB devices to automatically encrypt all files and folders on removable drives when they are plugged into the endpoint.

• Select Specify the file path to encrypt on USB devices to add or remove encrypted folders on USB drives. If a folder does not exist, it is created. If no drive letter is specified, all USB devices are affected.

6. Under Notifications, select Show a legal notice to show the specified legal message at startup or only after installing the File Encryption agent.

Note: Notifications are only supported by Trend Micro File Encryption agent versions 3.1.3 and earlier.

Trend Micro Endpoint Encryption Administrator Guide

5-22

Configuring Common Policy RulesThis section explains the configurable options for policy rules affecting all EndpointEncryption devices.

Procedure

1. Create a new Endpoint Encryption policy.

See Creating a Policy on page 5-9.

2. Click Common.

Policies

5-23

The Common policy rules settings appear.

Figure 5-5. Common Policy Rules

3. Under Allow User to Uninstall, select Allow User (non-administrator)accounts to uninstall agent software to allow any Endpoint Encryption user touninstall the agent.

Note

By default, only Administrator accounts can uninstall Endpoint Encryption agents.

4. Under Lockout and Lock Device Actions, configure the following options:

Trend Micro Endpoint Encryption Administrator Guide

5-24

• Select Lock account after <number> days to specify the number of daysthat the Endpoint Encryption device locks if it does not synchronize policies.

• Use Account lockout action to specify whether the remoteauthentication or erase action occurs at lockout.

Note

For information about lock options, see Lockout Actions on page 5-25

• Select Failed log on attempts allowed to specify how many times that a usercan attempt to authenticate before the Endpoint Encryption device locks.

• For Full Disk Encryption or File Encryption devices, separately configure thefollowing:

• Use Device locked action to specify whether the “RemoteAuthentication” or the “Erase” action occurs at lockout.

Note

For information about lock options, see Lockout Actions on page 5-25

• Use Number of minutes to lock device to specify the duration thattime delay locks the Endpoint Encryption device from authentication

5. Under Password, configure the following options:

• Select Users must change password after <number> days to controlwhen a user is prompted to update password.

• Select Users cannot reuse the previous <number> passwords to specifyhow many previous passwords the user may reuse.

• Select Number of consecutive characters allowed in a password tospecify how many repeated characters a user may specify in the password.

• Select Minimum length allowed for passwords to specify the minimum number of characters the user is required to use in the password.

6. Under Password Requirements, specify the password character limitations.

• Letters

• Lowercase characters

• Uppercase characters

• Numbers

• Symbols

Important

The sum total of letters, numbers, and symbols cannot exceed 255 characters.

7. Under Agent, specify the Sync interval in minutes.
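The password rules from steps 5 and 6, expressed as a policy checker. This is an added example, not Trend Micro code; it runs outside the product and assumes that the "consecutive characters" rule counts one character repeated back to back and that each Password Requirements entry is a minimum count of that character class.

```python
"""Checker for the Common policy password rules (constructed example, not
Trend Micro code). The policy fields mirror the settings in steps 5 and 6."""
import hashlib
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 8        # Minimum length allowed for passwords
    max_consecutive: int = 2   # Number of consecutive characters allowed
                               # (assumed: the same character repeated in a row)
    history_depth: int = 5     # Users cannot reuse the previous <number> passwords
    # Password Requirements (assumed to be minimum counts per class)
    letters: int = 1
    lowercase: int = 1
    uppercase: int = 1
    numbers: int = 1
    symbols: int = 1

    def __post_init__(self):
        # The guide caps the sum of letters, numbers and symbols at 255.
        if self.letters + self.numbers + self.symbols > 255:
            raise ValueError("letters + numbers + symbols cannot exceed 255")


def longest_run(text: str) -> int:
    """Length of the longest run of one character repeated back to back."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def _digest(password: str) -> str:
    # Demo only: a product would store a salted, slow password hash instead.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, policy: PasswordPolicy,
                   history: list) -> list:
    """Return the rule violations for `candidate` (empty list means acceptable).
    `history` holds digests of earlier passwords, oldest first."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if longest_run(candidate) > policy.max_consecutive:
        problems.append(
            f"more than {policy.max_consecutive} consecutive repeated characters")
    counts = {
        "letters": sum(c.isalpha() for c in candidate),
        "lowercase": sum(c.islower() for c in candidate),
        "uppercase": sum(c.isupper() for c in candidate),
        "numbers": sum(c.isdigit() for c in candidate),
        "symbols": sum(c in string.punctuation for c in candidate),
    }
    for name, have in counts.items():
        need = getattr(policy, name)
        if have < need:
            problems.append(f"needs at least {need} {name}, has {have}")
    # Only the most recent `history_depth` passwords are blocked from reuse.
    recent = history[-policy.history_depth:] if policy.history_depth > 0 else []
    if _digest(candidate) in recent:
        problems.append(
            f"matches one of the previous {policy.history_depth} passwords")
    return problems


def accept_password(candidate: str, policy: PasswordPolicy,
                    history: list) -> list:
    """Validate `candidate`; on success append its digest to `history`."""
    problems = check_password(candidate, policy, history)
    if not problems:
        history.append(_digest(candidate))
    return problems
```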

Lockout Actions

Some policies have settings to lock out a user account or to lock a device based on certain criteria. Account lockout and device lockout actions affect the Endpoint Encryption device whether or not the agent synchronizes policies with PolicyServer. For example, if the Endpoint Encryption agent does not communicate with PolicyServer for a certain period of time, the Endpoint Encryption agent automatically locks the Endpoint Encryption device. Use the tables below to understand the actions available for the account lockout and device lock actions.

The following table describes when the lockout actions occur:

Type Description

Account lockout: Account lockout actions take effect when the Endpoint Encryption agent does not communicate with PolicyServer for a certain period of time, as set by the policy.

Full Disk Encryption device lockout: Full Disk Encryption device lockout actions take effect when the Endpoint Encryption user exceeds the number of unsuccessful logon attempts to that Full Disk Encryption device, as set by the policy.

File Encryption device lockout: File Encryption device lockout actions take effect when the Endpoint Encryption user exceeds the number of unsuccessful logon attempts to that File Encryption device, as set by the policy.

The options for lockout actions are as follows:

Action Description

Erase: PolicyServer erases all data controlled by the associated Endpoint Encryption agent.

WARNING! The Endpoint Encryption user cannot recover the erased data.

Remote authentication: PolicyServer locks the Endpoint Encryption device until the Endpoint Encryption user receives Remote Help authentication from an authenticator or from Support.

See Remote Help on page 2-15.

Time delay: PolicyServer temporarily locks the Endpoint Encryption device and notifies the Endpoint Encryption user that the device is locked. The ability to authenticate or reset the password is disabled during the time delay. The duration of the time delay is determined by policy. Once the time delay has expired, the user is permitted to authenticate.
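The two tables above as a small simulation of when each lockout action fires. This is an added example, not the product's code: a state object stands in for the Endpoint Encryption agent, and it assumes the device locks once the number of consecutive failed logons reaches the allowed count.

```python
"""Simulation of the account lockout and device lockout rules (constructed
example, not Trend Micro code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Lockout actions named in the guide
ERASE = "Erase"
REMOTE_AUTH = "Remote authentication"
TIME_DELAY = "Time delay"


@dataclass
class LockoutPolicy:
    lock_account_after_days: int   # Lock account after <number> days without a sync
    account_lockout_action: str    # Account lockout action: ERASE or REMOTE_AUTH
    failed_attempts_allowed: int   # Failed log on attempts allowed
    device_locked_action: str      # Device locked action: ERASE, REMOTE_AUTH or TIME_DELAY
    lock_minutes: int = 0          # Number of minutes to lock device (TIME_DELAY only)


@dataclass
class DeviceState:
    last_sync: datetime                      # last successful PolicyServer sync
    failed_attempts: int = 0                 # consecutive failed preboot logons
    locked_until: Optional[datetime] = None  # end of a running time delay
    action_taken: Optional[str] = None       # ERASE or REMOTE_AUTH once triggered


def record_sync(state: DeviceState, now: datetime) -> None:
    """A policy sync with PolicyServer restarts the account lockout clock."""
    state.last_sync = now


def attempt_logon(state: DeviceState, policy: LockoutPolicy,
                  now: datetime, success: bool) -> Optional[str]:
    """Apply one preboot logon attempt; return the lockout action in force, if any."""
    # Erase and Remote authentication are terminal: the device stays locked.
    if state.action_taken is not None:
        return state.action_taken
    # Account lockout is driven by time since the last sync and is evaluated
    # locally, so it fires whether or not PolicyServer is reachable.
    if now - state.last_sync >= timedelta(days=policy.lock_account_after_days):
        state.action_taken = policy.account_lockout_action
        return state.action_taken
    # A running time delay blocks authentication until it expires.
    if state.locked_until is not None:
        if now < state.locked_until:
            return TIME_DELAY
        state.locked_until = None
        state.failed_attempts = 0
    if success:
        state.failed_attempts = 0
        return None
    state.failed_attempts += 1
    # Assumed: the device locks once the failures reach the allowed count.
    if state.failed_attempts >= policy.failed_attempts_allowed:
        if policy.device_locked_action == TIME_DELAY:
            state.locked_until = now + timedelta(minutes=policy.lock_minutes)
        else:
            state.action_taken = policy.device_locked_action
        return policy.device_locked_action
    return None
```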

Migrating Groups to Control Manager

Use the following procedure to add existing groups from PolicyServer MMC to Control Manager.

Procedure

1. Log on to PolicyServer MMC.

2. Gather the following information:

• Total number of groups, their names, and the subgroups

• All users assigned to each group

• The policy configuration of each group

3. Log on to Control Manager.

4. For each group in PolicyServer MMC, configure a new policy that matches the corresponding group policy configuration.

Note

Subgroups are not supported in Control Manager. To replicate the subgroup policy settings, create a separate policy for each subgroup.

5. Add users to each corresponding new policy.

6. Deploy each policy.

Chapter 6

Full Disk Encryption

Full Disk Encryption provides comprehensive endpoint data security using mandatory strong authentication and full disk encryption. Full Disk Encryption secures not only the data files, but also all applications, registry settings, temporary files, swap files, print spoolers, and deleted files. Until the user is validated, strong preboot authentication restricts access to the vulnerable host operating system.

The Full Disk Encryption agent uses FIPS-compliant XTS-AES encryption algorithms and mandatory authentication to make data inaccessible without authentication. Full Disk Encryption prevents data loss by encrypting the whole drive, including operating system, program, temporary, and end user files. Administrators can choose either a 128-bit or 256-bit key size depending on the need for encryption strength or performance in their environment.

Full Disk Encryption allows for the flexibility to use either software-based encrypted hard drives or hardware-based encrypted hard drives as needed. Seagate DriveTrust™, OPAL, OPAL2, and SanDisk™ self-encrypting solid-state drives are supported. While hardware-based encryption is simpler to deploy on new hardware, easier to maintain, and offers a higher level of performance, software-based encryption does not require any hardware and is cheaper to deploy to existing endpoints.

Trend Micro PolicyServer controls policies affecting Full Disk Encryption, ensuring complete endpoint security centrally managed across the Enterprise. Full Disk Encryption is network-aware and updates policies before allowing authentication. You can also remotely lock or wipe data on the endpoint before the operating system or any other sensitive data is accessed.

Full Disk Encryption Tools

The following table describes the various tools available for Endpoint Encryption.

Tool Description

Context Menu: Access the Full Disk Encryption agent from the Full Disk Encryption icon in the system tray. From the context menu, you can view the device encryption status and synchronize with PolicyServer.

See Full Disk Encryption Context Menu on page 6-4.

Preboot: Authenticate with PolicyServer through the Full Disk Encryption preboot. The preboot loads when the endpoint starts, before Windows loads. Use the Full Disk Encryption preboot to configure your network and Wi-Fi settings and troubleshoot issues with credentials.

Command Builder: Use Command Builder to generate scripts for automated installations and to create encrypted values for credentials when creating the scripts.

For more information, see the Endpoint Encryption Installation Guide.

Command Line Helper: Use Command Line Helper to create encrypted values to secure credentials when creating an installation script.

See Using the Command Line Helper on page 6-25.

DAAutoLogin: Use DAAutoLogin for Windows patching. DAAutoLogin allows for a one-time bypass of Endpoint Encryption Preboot.

See Patching Process for Full Disk Encryption on page 6-26.

Recovery Console: Use Recovery Console to recover from an operating system critical error, troubleshoot network issues, and manage users or logs.

See Recovery Console on page 9-5.

Recovery Tool: Use the bootable Repair CD to decrypt the hard disk before removing Full Disk Encryption in the event that the disk becomes corrupted. Only use the Repair CD if standard removal methods are not possible. A typical symptom of a corrupted disk is a black screen.

See Recovery Tool on page 9-23.

Full Disk Encryption Context Menu

Use the Full Disk Encryption icon in the system tray to access the Full Disk Encryption agent. Right-click the agent icon to display the menu items. The following table explains the available menu options.

Table 6-1. Full Disk Encryption Agent Menu Options

Menu Item Function

Synchronize Policies: Manually download policy updates from PolicyServer.

Note

Full Disk Encryption agents can synchronize policies without user authentication.

Full Disk Encryption agents automatically update policy settings based on your PolicyServer configurations. For more information, see Policy Synchronization on page 7-17.

Hide Icon: Temporarily removes the Full Disk Encryption tray icon.

To show the Full Disk Encryption tray icon again, run Full Disk Encryption from your desktop or Start menu.

About Full Disk Encryption: Displays Full Disk Encryption information including version, last synchronization time, and authenticated user. The Encryption Status tab displays the status of each individual disk managed by this agent.

Online Help: View the Full Disk Encryption documentation online.

Full Disk Encryption Preboot

After installing Full Disk Encryption, the Full Disk Encryption preboot appears before Windows loads. The Full Disk Encryption preboot ensures that only authorized users are able to access endpoints and updates local security policies when connected to PolicyServer.

Note

Use PolicyServer MMC to configure and customize the preboot screen.

Menu Options

There are several options available in the upper-left menu of Full Disk Encryption Preboot.

Table 6-2. Full Disk Encryption Preboot Menu Options

Menu Item Description

Authentication: Change the authentication method used to log on to Endpoint Encryption devices.

Communications: Manually synchronize with PolicyServer.

Computer: View information about Full Disk Encryption, view your network information, change the keyboard layout, access the on-screen keyboard, or restart or shut down the endpoint.

Network Connectivity

The network connection icon appears in the upper-right corner when Full Disk Encryption is installed as a managed endpoint. The icon is only highlighted when the device is connected to the network and has communication with PolicyServer.

Connecting to a Wireless Network

The wireless connection icon appears in the upper-right corner of the Full Disk Encryption preboot logon when the endpoint has a detected wireless card installed. If there is no wireless card detected, the wireless network icon does not display.

Note

The Full Disk Encryption preboot cannot automatically detect the authentication type for WEP security. If the authentication type is WEP-OPEN or WEP-PSK, manually specify the security type.

If your enterprise policy does not allow Wi-Fi configuration, the All Access Points and Disconnect buttons will be disabled.

For more information, see the Administrator's Guide for PolicyServer MMC.

Procedure

1. Click the wireless connection icon in the upper-right corner of the Full Disk Encryption preboot logon.

The Wireless Access screen appears.

2. Click All Access Points.

The Wireless Network Configuration screen appears.

3. Select your network.

• To use a listed network, select the SSID, then click OK.

• To configure an unlisted network, click Other Network, specify the SSID settings, then click Connect.

Important

Do not close the screen or restart your endpoint during configuration.

4. Click Close to complete the wireless network setup.

Network Information

View network and connection information from the Full Disk Encryption preboot by going to Menu > Computer > Network Information.

The Network Information screen includes the following:

Section Description

Hardware Information: This section shows detected Ethernet controllers and Wi-Fi cards.

Network Information: This section shows the network identification information for each Ethernet port, including the following:

• MAC address

• IPv4 and IPv6 addresses

• Subnet mask

• Default gateway

• Network link status, which shows whether the Ethernet port is connected or not

DNS Resolution: This section shows the DNS resolution results, including the servers and addresses contacted while looking up PolicyServer.

PolicyServer Information: This section shows the PolicyServer URL. If the URL includes the server host name, the preboot must also perform host name resolution to find the associated IP address. If the URL instead includes the IP address of PolicyServer, the Full Disk Encryption preboot skips host name resolution.

PolicyServer Connection Status: This section shows whether the Full Disk Encryption preboot successfully connected to PolicyServer or not.

Click Reconnect to attempt to connect to PolicyServer again, or to refresh the current information.

On-Screen Keyboard

Access the on-screen keyboard from the Full Disk Encryption preboot by going to Menu > Computer > On-Screen Keyboard.

To place the cursor in the desired field when the keyboard is displayed, click Focus on the bottom-right corner of the keyboard.

Changing the Keyboard Layout

Changing the keyboard layout affects both keystrokes and the on-screen keyboard. Once Windows boots, the keyboard layout is set by the Windows operating system. A restart is required to commit the keyboard layout changes.

Procedure

1. Go to Menu > Computer > Change Keyboard Layout.

The Select the keyboard language (layout) window appears.

2. Select a keyboard layout.

3. Click OK.

4. Click OK to restart the endpoint.

Changing Authentication Methods

Note

For information about authentication methods, see Authentication Methods on page 2-13.

Procedure

1. From the Full Disk Encryption preboot, select Change Password After Login.

2. Specify the user name and password.

3. Click Login.

The Change Password window appears. The interface is different for different authentication methods.

Figure 6-1. Example Of Changing A Fixed Password

4. From the upper-left menu, select Authentication, then select the desired authentication method.

The New Password window for the chosen authentication method appears.

5. Provide and confirm the new password, and then click Next.

The device boots into Windows.

Changing Passwords

The following procedure explains how to change the Endpoint Encryption user account password using the Full Disk Encryption preboot.

Procedure

1. Specify the Endpoint Encryption user name and password.

2. Select Change Password After Login.

3. Click Login.

The Change Password window appears. The interface is different for different authentication methods.

Figure 6-2. Changing A Fixed Password Screen

4. Provide and confirm the new password, and click Next.

The device boots into Windows.

ColorCode

ColorCode™ is a unique authentication method designed for quick access and easy memorization. Rather than alphanumeric characters or symbols for the password, ColorCode authentication consists of a user-created color sequence (example: red, red, blue, yellow, blue, green).

Figure 6-3. ColorCode Authentication Screen

Creating a ColorCode Password

The total number of steps in the ColorCode (count) is defined by PolicyServer. The default count is six.

Procedure

1. Start the endpoint and wait for the Full Disk Encryption preboot to appear.

2. Follow the instructions to change passwords.

See Changing Passwords on page 6-11.

3. Change the authentication method to ColorCode.

Note

For information about changing authentication methods, see Changing Authentication Methods on page 6-10.

The ColorCode Change Password screen appears.

Figure 6-4. ColorCode Change Password Screen

4. Select the first color by clicking it using the square to the left.

The count increases by one.

5. Click additional colors in the sequence.

Tip

Click Back to change the last color clicked, or click Clear to start over.

6. After the sequence is complete, confirm the ColorCode password using the square to the right.

7. Click Next to finish.

Remote Help

Remote Help allows Group or Enterprise Authenticators to assist Endpoint Encryption users who are locked out and cannot log on to Endpoint Encryption devices after too many unsuccessful log on attempts, or when the period since the last PolicyServer synchronization has been too long.

Note

Remote Help authentication is triggered by Endpoint Encryption device policy rules. Remote Help policy rules are configurable in both PolicyServer MMC and Control Manager.

Using Remote Help to Unlock Full Disk Encryption Devices

Important

• Restarting the Endpoint Encryption device resets the challenge code.

• Manually synchronizing policies with PolicyServer also resets the challenge code.

• The challenge code and response code are not case sensitive.

Procedure

1. From the Full Disk Encryption preboot, go to Menu > Authentication > Remote Help.

2. Provide the Challenge Code to the Policy/Group Administrator.

3. Specify the Response Code provided by the Policy/Group Administrator.

4. Click Login.

The Change Password screen appears.

Note

If the account uses domain authentication, the endpoint boots directly into Windows.

5. Specify and confirm the new password, then click Next.

The device boots into Windows.

Smart Card

Smart card authentication requires both a PIN and a physical token to confirm the user identity. Smart card certificates are associated with the user account and the user's assigned group. Once registered, the user can use smart card authentication from any Endpoint Encryption device in that group. Users are free to use any Endpoint Encryption device in their group and do not need to ask for another one-time password.

To use smart card authentication, make sure that the following requirements are met:

• The smart card reader is connected to the endpoint and the smart card is inserted into the smart card reader.

• ActivClient 6.1 with all service packs and updates installed.

• Specify the smart card PIN in the password field.

WARNING!

Failure to provide a correct password sends a password error and may result in locking the smart card.

Note

Smart card authentication is only configurable with PolicyServer MMC.

Smart Card Registration

Smart card certificates are associated with the user account and the user's assigned group. Once registered, the user can use smart card authentication from any Endpoint Encryption device in that group. Users are free to use any Endpoint Encryption device in their group and do not need to ask for another one-time password.

Registering a Smart Card in Full Disk Encryption Preboot

Procedure

1. Follow the instructions to change passwords, then select Smart Card.

See the Administrator's Guide for PolicyServer MMC.

2. Insert the smart card in the reader.

3. Connect the reader to the endpoint.

4. Specify the user name and fixed password.

5. Click Continue.

6. At the confirmation message, click Continue.

7. At the Register Token window, do the following:

a. Type the new PIN provided by the Group or Enterprise Administrator.

b. Confirm the new PIN.

c. Select the smart card type from the Token drop-down list.

d. Click Continue to finish registering the smart card token.

Self Help

Self Help authentication allows Endpoint Encryption users who have forgotten their credentials to answer security questions and log on to Endpoint Encryption devices without getting Technical Support assistance. Self Help requires the Endpoint Encryption user to respond with answers to predefined personal challenge questions. Self Help can replace fixed password or other authentication methods.

Consider the following when choosing your authentication method or when configuring Self Help:

• Self Help is not available for Administrator and Authenticator accounts.

• Self Help is not available for accounts that use domain authentication. PolicyServer is unable to change or retrieve previous domain passwords.

• Self Help has a maximum of six questions for each user account. Users may be unable to log on using Self Help if more than six questions are configured.

• Self Help is only configurable with the legacy PolicyServer MMC.

• Self Help is not available for offline endpoints.

Setting Up Self Help

If the Self Help policy is enabled, the user is prompted to define answers for the Self Help questions after their first login. If the user changes their password, they must define Self Help question answers again.

Note

Self Help answers are stored on the device. If a user logs on to another Full Disk Encryption device, the user must define Self Help answers for that device.

Procedure

1. Provide the user name and password.

2. Click Login.

The Self Help window appears.

3. Define answers for all of the Self Help questions.

4. Click Next.

The device boots into Windows.

Using Self Help

Procedure

1. From the top-left menu of Full Disk Encryption Preboot, go to Menu > Authentication > Self Help.

The Self Help window appears.

2. Answer all of the Self Help questions.

3. Click Login.

4. Define a new password, and then click Next.

The device boots into Windows.

Changing Self Help Answers

Procedure

1. From the Full Disk Encryption preboot, provide the credentials, select Change Password After Login, then click Login.

The Change Password window appears.

2. Provide and confirm the new password, then click Next.

The Self Help window appears.

3. Define new answers for all Self Help questions, then click Next.

The Endpoint Encryption device boots into Windows.

Skipping the Preboot Screen

To streamline the Windows update process, disks already encrypted by Full Disk Encryption can be configured to skip the Full Disk Encryption Preboot multiple times.

Procedure

1. Open a command prompt window with elevated privileges.

2. Navigate to the following path:

%Program Files%\Trend Micro\Full Disk Encryption

3. Run DAAutoLogin.exe using the following parameters:

DAAutoLogin.exe username:<username> password:<password> [domainName:<domain name> domainUserName:<domain username> domainPassword:<domain password>] [count:N]

Note

Use a colon ( : ) to separate a key and its value.

Refer to the examples below:

• Bypass Full Disk Encryption authentication once

DAAutoLogin.exe username:tmee password:123456

DAAutoLogin.exe username:tmee password:=5mih67uKdy7TlVaN2ISWGQQ= count:1

• Bypass Full Disk Encryption authentication once - use a domain account and log in to Windows via single sign-on using the same account

DAAutoLogin.exe username:QA\user password:=5mih67uKdy7TlVaN2ISWGQQ= count:1

• Bypass Full Disk Encryption authentication once - the Full Disk Encryption Preboot login account is different from the SSO account in Windows

DAAutoLogin.exe username:tmee password:=5mih67uKdy7TlVaN2ISWGQQ= domainName:QA domainUserName:user domainPassword:=5mih67uKdy7TlVaN2ISWGQQ= count:1

• Bypass Full Disk Encryption authentication 9 times

DAAutoLogin.exe username:tmee password:123456 count:9

DAAutoLogin.exe username:tmee password:=5mih67uKdy7TlVaN2ISWGQQ= count:9

• Bypass Full Disk Encryption authentication 9 times - use a domain account and log in to Windows via single sign-on using the same account

DAAutoLogin.exe username:QA\user password:=5mih67uKdy7TlVaN2ISWGQQ= count:9

• Bypass Full Disk Encryption authentication 9 times - the Full Disk Encryption Preboot login account is different from the SSO account in Windows

DAAutoLogin.exe username:tmee password:=5mih67uKdy7TlVaN2ISWGQQ= domainName:QA domainUserName:user domainPassword:=5mih67uKdy7TlVaN2ISWGQQ= count:9

• Disable bypass of Full Disk Encryption authentication - user name and password are required

DAAutoLogin.exe username:tmee password:123456 count:0

Full Disk Encryption Policy Synchronization

The following list explains the events that initiate policy synchronization between agents and PolicyServer:

• After the operating system loads and the agent service starts

For information about Endpoint Encryption services, see Endpoint Encryption Services on page C-1.

• When the Full Disk Encryption preboot starts

• At regular intervals based on the PolicyServer synchronization policy

• Manually, from the agent context menu or from the Full Disk Encryption preboot

See Manually Updating Full Disk Encryption Agents on page 6-22.

Note

Device actions initiate after the agent receives policy updates.

Full Disk Encryption Connectivity Requirements

Endpoint Encryption uses a FIPS 140-2 approved encryption process for data passed between the Full Disk Encryption preboot and PolicyServer. Full Disk Encryption agents that have network connectivity to PolicyServer can receive policy updates and upload audit data from the agent. All client-server communications are internally encrypted and can be sent over insecure connections such as the Internet.

You can place an Endpoint Encryption proxy within a DMZ (Demilitarized Zone) for access to both internal networks and the Internet. For information about different network topology configurations, see the Endpoint Encryption Installation Guide.

Table 6-3. Full Disk Encryption Connectivity Requirements

Resource Function

PolicyServer: Updated security policies from PolicyServer are sent to the Full Disk Encryption preboot or by connectivity established within Windows, LAN, or VPN.

TCP/IP Access: Network connectivity requires full TCP/IP network access; dial-up or telephone access cannot be used to provide connectivity with PolicyServer during preboot authentication.

Port: Endpoint Encryption agents communicate using port 8080 by default. To change the default port number, go to Recovery Console and update the PolicyServer. For details, see Changing the Full Disk Encryption PolicyServer on page 9-19.

Manually Updating Full Disk Encryption Agents

Full Disk Encryption agents automatically receive policy updates from PolicyServer at intervals determined by policy.

Do either of the following to manually update policies.

Procedure

• Use the Full Disk Encryption preboot.

a. Go to Communications > Synchronize policies.

b. Go to Computer > About Full Disk Encryption.

The timestamp of the latest PolicyServer policy synchronization displays.

• Use the Full Disk Encryption agent.

a. Double-click the Full Disk Encryption icon in the Windows system tray.

The Full Disk Encryption agent opens.

b. Click Synchronize with PolicyServer.

After a moment, PolicyServer enforces all new policy changes.

Moving Full Disk Encryption Disks

If a Full Disk Encryption disk is moved to another endpoint registered with PolicyServer, Full Disk Encryption automatically detects the change and sends an update to the PolicyServer database. An administrator account is not required for this process.

Note

Before moving the disk, ensure that the following requirements are met:

• The source endpoint and destination endpoint belong to the same group, and use the same PolicyServer.

• The disk to be moved is a disk that is currently managed by Full Disk Encryption.

Procedure

1. Power off the source endpoint and physically remove an existing disk.

2. Power off the destination endpoint and insert the disk that was removed from thesource endpoint.

3. Restart the endpoints.

4. Full Disk Encryption detects the removal or addition of any disks and sends an update to the PolicyServer database during start up.

5. Click the Full Disk Encryption icon on the system tray and view the Encryption Status tab to verify whether the process was successful.

Note

During this process, the new disk becomes inaccessible on the destination endpoint.

6. Restart the endpoint where the new disk was attached to initiate re-authentication with PolicyServer.

7. After restarting, click the Full Disk Encryption icon on the system tray and view the Encryption Status tab to verify whether the process was successful.

The new disk is now accessible and ready for use.

Patch Management with Full Disk Encryption

Use the Command Line Helper and DAAutoLogin together to run Windows patch management on devices with Full Disk Encryption installed.

• Use Command Line Helper to create encrypted values for scripts

For details, see Using the Command Line Helper on page 6-25.

• Use DAAutoLogin in various combinations to accomplish different needs

• After patches are pushed out, call DAAutoLogin inside scripts to:

• Send a reboot command for the device to display the Windows GINA (graphical identification and authentication) component for confirmation of successful patching

• Push another round of patches

For details, see Patching Process for Full Disk Encryption on page 6-26.

• To streamline the Windows update process, use DAAutoLogin to skip the Full Disk Encryption Preboot multiple times

For details, see Skipping the Preboot Screen on page 6-19.

Note

• Make sure to run both tools on a Full Disk Encryption device.

• Both tools are available in the tools folder of the zip file received from Trend Micro. For assistance, contact Trend Micro Support.

Using the Command Line Helper

Command Line Helper enables encrypted values to pass via the installation script to the Full Disk Encryption preboot and installer. You can manually use Command Line Helper to generate encrypted values of strings for installation scripts or patch management.

Procedure

1. Download the Command Line Helper tool and locate the tool in your Endpoint Encryption download folder.

The Command Line Helper tool is part of the PolicyServer installation package. Go to the Trend Micro Download Center, select Endpoint Encryption, and download the PolicyServer package.

http://downloadcenter.trendmicro.com/

The Command Line Helper tool is located in the following directory:

<download_directory>\TMEE_PolicyServer\Tools\Command Line Helper

2. Open a command prompt.

3. Change the directory to the directory of the Command Line Helper tool.

Example:

cd C:\TMEE_PolicyServer\Tools\Command Line Helper

4. Type CommandLineHelper.exe followed by the string that you want to encrypt, and press ENTER.

Example:

CommandLineHelper.exe examplepassword

Tip

It may be easier to copy the generated value directly from a text file.

In that case, the above example would be modified as follows:

CommandLineHelper.exe examplepassword > file.txt

The Command Line Helper produces an encrypted string.

Patching Process for Full Disk Encryption

Procedure

1. Push patches to targeted Full Disk Encryption devices.

2. Follow up with a script using DAAutoLogin.

3. Send a reboot command for the Full Disk Encryption device to load Windows GINA for confirmation of successful patching, or to push another round of patches.

Chapter 7

File Encryption

The Trend Micro File Encryption agent uses AES encryption to protect data that is shared between Endpoint Encryption users, stored on removable media, or saved on network resources. File Encryption can also protect different files with different keys, allowing you to set access policies to the File Encryption agent and then create separate policies for access to certain files, which is useful in environments where multiple users access the same endpoint. Encryption is performed after authentication takes place.

End users also have the flexibility to locally manage File Encryption by encrypting individual files, folders, or removable media on the fly, safeguarding their data regardless of where it travels.

File Encryption can also protect different files with different keys, allowing you to set access policies to the File Encryption device and separate policies for access to certain files. This is useful in environments where multiple users access one endpoint.

Registering File Encryption

After File Encryption is installed, an initial registration is required to identify PolicyServer. The fixed password authentication method is the default method and is required for initial registration. Other options may be available depending on policy settings.

Important

Without authenticating to File Encryption, access to files and removable media is denied.

Procedure

1. The Login window appears the next time your endpoint starts after File Encryption installation. If you need to access the Login screen at a later time, right-click the File Encryption tray icon, and then select Register.

2. Specify the Endpoint Encryption user name and password.

3. Specify the PolicyServer IP address (or host name) and the Enterprise.

4. Click OK.

The Change Password screen appears.

5. Select any available authentication method.

For more information about authentication methods, see File Encryption Authentication on page 7-14.

6. Specify and confirm the new password.

7. Click OK.

The new password is updated and a confirmation message appears.


File Encryption Actions

After registering the File Encryption agent, File Encryption options become available for files and folders. Right-click a file or folder to see the available options.

Figure 7-1. File Encryption Actions

Use the following table to understand the available menu options.

Table 7-1. File Encryption Context Menu Options

Archive
    Create an encrypted copy of the specified file. See Encrypting a File or Folder on page 7-4.

Expand Archive
    Open a previously created archive.


Archive and Burn
    Create an encrypted copy of the specified file and write it to a CD or DVD. See Encrypting a File or Folder on page 7-4.

Secure Delete
    Securely erase the selected files and the file history from the File Encryption device. See Using File Encryption Secure Delete on page 7-10.

Encrypting a File or Folder

Procedure

1. Right-click on the file or folder that you want to encrypt.

2. Choose the location to create the encrypted file.

Archive
    Create the encrypted file locally. The encrypted file will appear in the same folder as the original file.

Archive and Burn
    Write the encrypted file to a CD or DVD. In the authentication window, you will be prompted to select your writable disk drive.

3. Choose the authentication method to access the encrypted file.


Local Key
    Create an encrypted file that can only be accessed by the user who created it.
    This option is only available if you select Archive. No window will display after selecting this option; the encrypted file will be created immediately.
    Depending on the Windows operating system, a user may view folder contents when switching from one user to another without restarting Windows. While file names and folder contents may be viewed, the file contents are not available. This is because the Windows operating system caches the file structure for quick search capability.

Shared Key
    Create an encrypted file that can only be accessed by members of the current user's policy group.
    This option is only available if you select Archive. No window will display after selecting this option; the encrypted file will be created immediately.
    Depending on the Windows operating system, a user may view folder contents when switching from one user to another without restarting Windows. While file names and folder contents may be viewed, the file contents are not available. This is because the Windows operating system caches the file structure for quick search capability.

Fixed Password
    Create an encrypted file that requires a password to access.
    There is no functionality available for password recovery with self-extracting files. If a password is forgotten, the encrypted file cannot be recovered.
    Due to a Windows limitation, executable (self-extracting) files cannot be larger than 2 GB.


Certificate
    Create an encrypted file that requires specific digital certificates to access.
    The digital certificates may be stored on smart cards depending on your environment and policy settings.

Figure 7-2. File Encryption Actions

4. If a window appears, complete all on-screen instructions.

File Encryption creates the encrypted file in the intended location. The original files or folders are unchanged and can be kept or deleted.


File Encryption Fixed Password Encryption

If you attempt to encrypt a file or folder using a fixed password, the following screen displays:

The options for this window are as follows:

Table 7-2. Fixed Password Options

Password / Confirm
    Type and confirm a password that will be required to open the encrypted file.


Burn using
    Select the drive with the CD or DVD to write the encrypted file to. If you have not already done so, insert a writable CD or DVD with available free space.
    This option is only available if you select Archive and Burn.

Output encrypted data as a self-extracting archive
    Select this option to create the encrypted file as a self-extracting archive. Self-extracting archives may be opened on devices that do not have File Encryption agents.
    Due to a Windows limitation, executable (self-extracting) files cannot be larger than 2 GB.
    Note
    There is no functionality available for password recovery with self-extracting files. If a password is forgotten, the encrypted file cannot be recovered.


File Encryption Digital Certificate Encryption

If you attempt to encrypt a file or folder using a digital certificate, the following screen displays:

The options for this window are as follows:

Table 7-3. Certificate Options

Certificates Store
    Select a group from the drop-down list and click Gather Certificates to see a window with a list of certificates related to that group. From the Certificate Selection window, select a certificate and click OK to add that certificate to Selected Recipient Certificates.


Selected Recipient Certificates
    View the list of currently selected certificates. These certificates will be required to open the encrypted file. Click Clear to remove all certificates.
    Important
    There is no available method to remove individual certificates. If you must remove one or more certificates, remove all certificates, and add the required certificates again.

Burn using
    Select the drive with the CD or DVD to write the encrypted file to. If you have not already done so, insert a writable CD or DVD with available free space.
    This option is only available if you select Archive and Burn.

Using File Encryption Secure Delete

Use Secure Delete to securely erase the selected files and the file history from the File Encryption device.

Procedure

1. Right-click the file and go to File Encryption > Secure Delete.

2. Click Yes to permanently delete the file.

File Encryption Context Menu

Use the File Encryption icon ( ) in the system tray to access the File Encryption agent. Right-click the agent icon to display the menu items. The following table explains the available menu options.


Table 7-4. File Encryption Agent Menu Options

Register
    First-time user registration of File Encryption with the PolicyServer. For more information, see Registering File Encryption on page 7-2.
    This option only appears if you have not completed File Encryption registration.

Log In / Log Out
    Authenticate with PolicyServer.

Change Password
    Permits users to change their password and their authentication method. For more information, see Changing Password in File Encryption on page 7-12.

Remote Help
    Unlock File Encryption using Remote Help to authenticate if the user forgets the Endpoint Encryption password, there were too many unsuccessful authentication attempts, or the Endpoint Encryption device has not communicated with the PolicyServer for a specified duration. For more information, see Using Remote Help to Unlock a File Encryption Device on page 7-13.
    This option is only available if the File Encryption agent is locked. For more information about locked accounts, see Forced Password Reset on page 7-16.

Synchronize Policies
    Manually download policy updates from PolicyServer.
    Note
    File Encryption agents can synchronize policies without user authentication.
    File Encryption agents automatically update policy settings based on your PolicyServer configurations. For more information, see Policy Synchronization on page 7-17.

Synchronize Offline Files
    Synchronizing with PolicyServer offline files enforces new security policies using an import file instead of communicating directly with PolicyServer.


Show / Hide Notifications
    Silences all File Encryption notifications.

Hide Icon
    Temporarily removes the File Encryption tray icon. To show the File Encryption tray icon again, run File Encryption from your desktop or Start menu.

About File Encryption
    Displays File Encryption information including version, last synchronization time, and authenticated user.
    You can change the PolicyServer that synchronizes policies with your File Encryption agent from the About File Encryption window. To change your PolicyServer, click Edit PolicyServer.

Online Help
    View the File Encryption documentation online.

Changing Password in File Encryption

To change the password, the user must authenticate to File Encryption with a User account role. The user can then change the password using any authentication method allowed by policy. Use PolicyServer MMC to manage the policy at:

Group Name > Policies > File Encryption > Login > Authentication Methods Allowed

Procedure

1. Right-click the File Encryption tray icon, then select Change Password.

2. Specify the password.

3. Click Next.

4. Select any available authentication method.

For more information about authentication methods, see File Encryption Authentication on page 7-14.


5. Specify and confirm the new password.

6. Click OK.

The new password is updated and a confirmation message appears.

Using Remote Help to Unlock a File Encryption Device

If a user exceeds the number of authentication attempts and policies are set to enact Remote Authentication, File Encryption locks Endpoint Encryption folders and notifies the user that Remote Help is required. Using Remote Help to unlock File Encryption requires assistance from the Enterprise Authenticator or Group Authenticator.

Note

For information about using Remote Help, see Remote Help on page 2-15.

Procedure

1. Right-click the File Encryption tray icon, then select Remote Help.


The Remote Help screen appears.

Figure 7-3. File Encryption Remote Help

2. Specify the user name.

3. Click Get Challenge.

4. Type the Response provided by the Enterprise/Group Authenticator.

5. Click Log In.

The user is authenticated to File Encryption and a notification displays.

File Encryption Authentication

This section explains how to authenticate to and use File Encryption. All authentication methods for Endpoint Encryption are available in File Encryption.


Note

For information about authentication methods, see Authentication Methods on page 2-13.

Endpoint Encryption administrators and users have several authentication methods to log on to File Encryption. The methods available are determined by the PolicyServer policy configuration.

Table 7-5. Supported Authentication Methods

ColorCode™
    A unique sequence of colors. See ColorCode on page 2-14.

Domain authentication
    Active Directory LDAP synchronization for single sign-on (SSO). See Domain Authentication on page 2-14.

Fixed password
    A string of characters, numbers, and symbols. See Fixed Password on page 2-15.

Smart card
    A physical card used in conjunction with a PIN or fixed password. See Smart Card on page 2-16.

PIN
    A standard Personal Identification Number (PIN). See PIN on page 2-15.

Domain Authentication Requirements

For domain authentication single sign-on (SSO), ensure that the following requirements are met:

• The user belongs to a policy group with domain authentication enabled.

• Make sure that the Host Name and Domain Name are configured properly.

• PolicyServer and all Endpoint Encryption devices using domain authentication are in the same domain.


• The user account is configured in both Active Directory and PolicyServer. The username is case sensitive and must match exactly.

Additionally, domain authentication has the following limitations:

• Domain authentication cannot be used with a Smart Card PIN.

• Remote Help is available to domain users. However, the domain password must be reset in Active Directory if it is forgotten.

Forced Password Reset

File Encryption prevents unauthorized access to encrypted files and folders by locking protected files when there are too many unsuccessful authentication attempts or if the endpoint has not communicated with PolicyServer for a specified duration of time. Depending on the policy configuration, File Encryption locks a user from access or enacts a time delay before authentication attempts can be made.

Endpoint Encryption Device Policy Rules

The following table explains the security policy rules for lost or stolen Endpoint Encryption devices. Depending on the policy settings, too many consecutive unsuccessful authentication attempts to the Endpoint Encryption device delays the next authentication attempt, locks the Endpoint Encryption device, or erases all data controlled by the associated Endpoint Encryption agent.


Table 7-6. Device Security Options

Time delay
    PolicyServer temporarily locks the Endpoint Encryption device and notifies the Endpoint Encryption user that the device is locked. The ability to authenticate or reset the password is disabled during the time delay. The duration of the time delay is determined by policy. Once the time delay has expired, the user is permitted to authenticate.
    Note
    The Endpoint Encryption user may use Self Help or Remote Help authentication to avoid waiting for the time delay period to expire.

Remote authentication required
    PolicyServer locks the Endpoint Encryption device until the Endpoint Encryption user receives Remote Help authentication from an authenticator or from Support.
    Note
    For more information, see Remote Help on page 2-15.

Erase the device
    PolicyServer erases all data controlled by the associated Endpoint Encryption agent.
    WARNING!
    The Endpoint Encryption user cannot recover the erased data.

Policy Synchronization

The following list explains the events that initiate policy synchronization between agents and PolicyServer:

• After the operating system loads and the agent service starts


Note

For information about Endpoint Encryption services, see Endpoint Encryption Services on page C-1.

• At regular intervals based on the PolicyServer synchronization policy

• Manually, by clicking the Synchronize Policies button in the agent context menu

Note

Device actions initiate after the agent receives policy updates.


Chapter 8

Encryption Management for Third-Party Products

A key feature of Full Disk Encryption is the ability to manage third-party encryption products. The Endpoint Encryption agents fully integrate with the encryption solutions built into the host operating systems.


About Encryption Management Agents

The following table explains the two Full Disk Encryption agents for third-party product encryption management.

Note

For information about all available Endpoint Encryption agents, see Endpoint Encryption Agents on page 2-11.

Table 8-1. Encryption Management Agents

Encryption Management for Microsoft BitLocker
    The Endpoint Encryption Full Disk Encryption agent for Microsoft Windows environments that simply need to enable Microsoft BitLocker on the hosting endpoint.

Encryption Management for Apple FileVault
    The Endpoint Encryption Full Disk Encryption agent for Mac OS environments that simply need to enable Apple FileVault on the hosting endpoint.

Encryption Management Agent Policy Limitations

The following table explains the policy limitations for Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker. To use all policies, install the Full Disk Encryption agent instead.


Note

• Encryption Management for Microsoft BitLocker does not require authentication and is not affected by authentication policies. Client, login, password, and authentication policies, or allowing the user to uninstall the Endpoint Encryption agent software, only affect the Full Disk Encryption and File Encryption agents.

• Encryption Management for Apple FileVault does not require authentication for endpoints with hard drives not using APFS (Apple File System). However, for endpoints running Mac OS High Sierra (10.13) with SSDs using APFS, Encryption Management for Apple FileVault prompts for the user's password when the Encrypt Device policy is later updated to No.

The following table explains the policies affecting each agent. Use it to understand the policy limitations of third-party agents.

Table 8-2. Policies Affecting Full Disk Encryption Agents

Columns: Policy | Full Disk Encryption | Encryption Management for Apple FileVault | Encryption Management for Microsoft BitLocker

Policies listed:

• Allow User Recovery

• Allow User to Uninstall

• Encrypt Device

• Account Lockout Action

• Account Lockout Period

• Dead Man Switch

• Device Locked Action

• Device Killed Action

• Failed Login Attempts Allowed

• If Found

• Legal Notice

• Lock Device Time Delay

• Preboot Bypass

• Support Info

• Token Authentication

• Authentication Methods Allowed

• Sync Interval

• Allow User to Configure Wi-Fi

• Wi-Fi Settings

• Apply Wi-Fi settings (in Control Manager)

• Encrypt Only Used Space

• Select Encryption Key Size

• Logon Background Color

• Customize background color (in Control Manager)

• Logon Banner

• Customize banner (in Control Manager)

Encryption Management for Microsoft BitLocker

Encryption Management for Microsoft BitLocker manages BitLocker Drive Encryption™ for endpoints running Microsoft Windows. Encryption Management for Microsoft BitLocker is designed to protect data by providing encryption for entire volumes. By default, BitLocker uses the AES encryption algorithm in CBC mode with a 128-bit or 256-bit key.

Viewing Encryption Status

Procedure

1. Click the Full Disk Encryption icon ( ).

• For Windows, go to the system tray.

• For Mac OS, go to the menu bar.


2. Open the Encryption Status tab.

3. See Understanding Encryption Status on page 8-6 for details.

Understanding Encryption Status

The Encryption Status tab provides details about the encrypted drives, the types of encryption, and the ratio of the drive that is encrypted or not encrypted. See the figure and description below for more information.

Table 8-3. Device Encryption Status

Pie Chart
    The pie chart represents the ratio of the hard disk that is encrypted and not encrypted.


Drive
    The hard disk with the agent installed.

Encrypted
    The percentage of the drive that is encrypted.

Action
    The current encryption status.

Encryption
    The type of encryption deployed on the endpoint.
    Note
    Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker always use software-based encryption.

FIPS mode
    Whether FIPS is enabled.


Understanding Agent Information

The Information tab provides detailed information about the user account, Endpoint Encryption device, and policy synchronization. See the figure and description below for more information.

Table 8-4. Agent Information

TMEE username
    The Endpoint Encryption account used to log on to the Endpoint Encryption device. This is different from the Windows logon.

Device ID
    The unique ID that identifies the agent and endpoint to PolicyServer.

Operating system
    The operating system and version currently installed on the endpoint.


Computer name
    The endpoint computer name that identifies it on the network.

Last sync
    The timestamp for the last policy synchronization to PolicyServer.

Sync with PolicyServer
    Forces an immediate policy update.

Synchronizing Policies with PolicyServer

There are two ways to synchronize policies with PolicyServer. For information about policies affecting Encryption Management for Microsoft BitLocker devices, see Encryption Management Agent Policy Limitations on page 8-2.

• Synchronizing Policies From the Menu Bar on page 8-18

• Synchronizing Policies from the About Screen on page 8-10

Policy Synchronization

The following list explains the events that initiate policy synchronization between agents and PolicyServer:

• After the operating system loads and the agent service starts

Note

For information about Endpoint Encryption services, see Endpoint Encryption Services on page C-1.

• At regular intervals based on the PolicyServer synchronization policy

• Manually, by clicking the Synchronize Policies button in the agent context menu

Note

Device actions initiate after the agent receives policy updates.


Synchronizing Policies from the About Screen

For information about policy limitations affecting the Encryption Management for Microsoft BitLocker agent, see Encryption Management Agent Policy Limitations on page 8-2.

Procedure

1. Make sure that the Endpoint Encryption device has network access.

2. Click the agent icon ( ).

3. Select About Full Disk Encryption to open the agent menu.

4. Open the Information tab.

5. Click Sync with PolicyServer.

If successful, all Endpoint Encryption policies are up-to-date.

Synchronizing Policies From the System Tray

Procedure

1. Make sure that the Endpoint Encryption device has network access.

2. Click the agent icon ( ).

3. Select Sync with PolicyServer.

If successful, all Endpoint Encryption policies are up-to-date.

Updating PolicyServer Settings

Endpoint Encryption allows the update of PolicyServer settings in Encryption Management for Microsoft Bitlocker and Encryption Management for Apple FileVault, even after installation.


Procedure

1. To update policy settings for agents where Encryption Management for Microsoft Bitlocker is installed, perform the following:

a. On the agent, open a command line window as an administrator.

b. Navigate to the following path:

%Program Files%\Trend Micro\FDE Encryption Management

Verify that the TMFDEForBitlocker.exe file exists in that location.

c. Type the following commands:

TMFDEForBitlocker.exe -ChangeServer username=<UserID> password=<Password> newserver=<Newserverhostname>

TMFDEForBitlocker.exe -ChangeServer eusername=<EncryptedUserID> epassword=<EncryptedPassword> newserver=<Newserverhostname>

TMFDEForBitlocker.exe -ChangeEnterprise username=<UserID> password=<Password> newserver=<Newserverhostname> newenterprise=<Newenterprisename> newadmin=<Groupadminonnewserver> newpassword=<Passwordforgroupadmin>

TMFDEForBitlocker.exe -ChangeEnterprise eusername=<EncryptedUserID> epassword=<EncryptedPassword> newserver=<Newserverhostname> newenterprise=<Newenterprisename> newadmin=<eGroupadminonnewserver> enewpassword=<ePasswordforgroupadmin>


Note

To use encrypted values for user names and passwords generated by CommandLineHelper.exe, replace the argument names with the eusername= and enewpassword= parameters.

2. To update policy settings for agents where Encryption Management for Apple FileVault is installed, perform the following:

a. On the agent, open a command line window as an administrator.

b. Navigate to the following path:

/Library/Application/Support/TrendMicro/FDEMM/

c. Type the following commands:

$ sudo SupportTool -ChangeEnterprise username=<UserID> password=<password> newserver=<newserverhostname> newenterprise=<newenterprisename> newadmin=<groupadminonnewserver> newpassword=<passwordforgroupadmin> [skipKeyCheck=<true|false>]

$ sudo SupportTool -ChangeServer eusername=<EncryptedUserID> epassword=<EncryptedPassword> newserver=<newserverhostname>

$ sudo SupportTool -ChangeEnterprise eusername=<EncryptedUserID> epassword=<EncryptedPassword> newserver=<newserverhostname> newenterprise=<newenterprisename> enewadmin=<groupadminonnewserver> enewpassword=<passwordforgroupadmin>

Note

To use encrypted values for user names and passwords generated by CommandLineHelper.exe, replace the argument names with the eusername= and enewpassword= parameters.


3. Verify that the changes were applied to the agent.

Encryption Management for Apple FileVault

Encryption Management for Apple FileVault manages Apple FileVault™ to encrypt the entire OS X startup volume, which typically includes the home directory, abandoning the disk image approach. Encryption Management for Apple FileVault manages encryption using Apple FileVault with the user's password as the encryption pass phrase. Encryption Management for Apple FileVault uses the AES-XTS mode of AES with 128-bit blocks and a 256-bit key to encrypt the disk, as recommended by NIST. Only unlock-enabled users can start or unlock the drive. Once unlocked, other users may also use the computer until it is shut down.

Note

Mac OS local accounts or mobile accounts are able to initiate encryption on Mac OS X Mountain Lion or later. Other Mac OS user account types will be unable to initiate encryption.

To create a mobile account for Active Directory on your Mac, see Creating a Mobile Account for Active Directory on Mac OS on page 8-20.

Viewing Encryption Status

Procedure

1. Click the Full Disk Encryption icon ( ).

• For Windows, go to the system tray.

• For Mac OS, go to the menu bar.

2. Open the Encryption Status tab.

3. See Understanding Encryption Status on page 8-6 for details.


Understanding Encryption Status

The Encryption Status tab provides details about the encrypted drives, the types of encryption, and the ratio of the drive that is encrypted or not encrypted. See the figure and description below for more information.

Table 8-5. Device Encryption Status

Pie Chart
    The pie chart represents the ratio of the hard disk that is encrypted and not encrypted.

Drive
    The hard disk with the agent installed.

Encrypted
    The percentage of the drive that is encrypted.

Action
    The current encryption status.


Average speed
    The rate (MB/second) at which the drive is encrypting or decrypting.

Estimated time
    The amount of time until the drive is 100% encrypted or decrypted.

Understanding Agent Information

The Information tab provides detailed information about the user account, Endpoint Encryption device, and policy synchronization. See the figure and description below for more information.


Table 8-6. Agent Information

TMEE user name
    The Endpoint Encryption account used to log on to the Endpoint Encryption device. This is different from the Mac OS logon.

Device ID
    The unique ID that identifies the agent and endpoint to PolicyServer.

Operating system
    The operating system and version currently installed on the endpoint.

Computer Name
    The endpoint computer name that identifies it on the network.

Enterprise
    The Enterprise name of the PolicyServer managing agent policies.

Last sync
    The timestamp for the last policy synchronization to PolicyServer. For details about synchronizing policies, see Synchronizing Policies From the Menu Bar on page 8-18.

Synchronize now
    Forces an immediate policy update.

Synchronizing Policies with PolicyServer

There are two ways to synchronize policies with PolicyServer. For information about policies affecting Encryption Management for Apple FileVault devices, see Encryption Management Agent Policy Limitations on page 8-2.

• Synchronizing Policies from the About Screen on page 8-17

• Synchronizing Policies From the Menu Bar on page 8-18

Policy Synchronization

The following list explains the events that initiate policy synchronization between agents and PolicyServer:


• After the operating system loads and the agent service starts

Note

For information about Endpoint Encryption services, see Endpoint Encryption Services on page C-1.

• At regular intervals based on the PolicyServer synchronization policy

• Manually, by clicking the Synchronize Policies button in the agent context menu

Note

Device actions initiate after the agent receives policy updates.

Synchronizing Policies from the About Screen

For information about policy limitations affecting Encryption Management for Apple FileVault agents, see Encryption Management Agent Policy Limitations on page 8-2.

Procedure

1. Make sure that the Endpoint Encryption device has network access.

2. Click the agent icon ( ).

3. Select About Full Disk Encryption to open the agent menu.

4. Open the Information tab.

5. Click Synchronize now.

If successful, all Endpoint Encryption policies are up-to-date.


Synchronizing Policies From the Menu Bar

Procedure

1. Make sure that the Endpoint Encryption device has network access.

2. Click the agent icon ( ).

3. Select Synchronize Policies.

If successful, all Endpoint Encryption policies are up-to-date.

Updating PolicyServer Settings

Endpoint Encryption allows the update of PolicyServer settings in Encryption Management for Microsoft Bitlocker and Encryption Management for Apple FileVault, even after installation.

Procedure

1. To update policy settings for agents where Encryption Management for Microsoft Bitlocker is installed, perform the following:

a. On the agent, open a command line window as an administrator.

b. Navigate to the following path:

%Program Files%\Trend Micro\FDE Encryption Management

Verify that the TMFDEForBitlocker.exe file exists in that location.

c. Type the following commands:

TMFDEForBitlocker.exe -ChangeServer username=<UserID> password=<Password> newserver=<Newserverhostname>

TMFDEForBitlocker.exe -ChangeServer eusername=<EncryptedUserID> epassword=<EncryptedPassword> newserver=<Newserverhostname>


TMFDEForBitlocker.exe -ChangeEnterprise username=<UserID> password=<Password> newserver=<Newserverhostname> newenterprise=<Newenterprisename> newadmin=<Groupadminonnewserver> newpassword=<Passwordforgroupadmin>

TMFDEForBitlocker.exe -ChangeEnterprise eusername=<EncryptedUserID> epassword=<EncryptedPassword> newserver=<Newserverhostname> newenterprise=<Newenterprisename> newadmin=<eGroupadminonnewserver> enewpassword=<ePasswordforgroupadmin>

Note

To use encrypted values for user names and passwords generated by CommandLineHelper.exe, replace the argument names with the eusername= and enewpassword= parameters.

2. To update policy settings for agents where Encryption Management for Apple FileVault is installed, perform the following:

a. On the agent, open a command line window as an administrator.

b. Navigate to the following path:

/Library/Application/Support/TrendMicro/FDEMM/

c. Type the following commands:

$ sudo SupportTool -ChangeEnterprise username=<UserID> password=<password> newserver=<newserverhostname> newenterprise=<newenterprisename> newadmin=<groupadminonnewserver> newpassword=<passwordforgroupadmin> [skipKeyCheck=<true|false>]

$sudo SupportTool -ChangeServereusername=<EncryptedUserID>

Trend Micro Endpoint Encryption Administrator Guide

8-20

epassword=<EncryptedPassword>newserver=<newserverhostname>

$sudo SupportTool -ChangeEnterpriseeusername=<EncryptedUserID>epassword=<EncryptedPassword>newserver=<newserverhostname>newenterprise=<newenterprisename>enewadmin=<groupadminonnewserver>enewpassword=<passwordforgroupadmin>

Note

To use encrypted values for user names and passwords generated by CommandLineHelper.exe, replace the plain argument names with the eusername=, epassword=, enewadmin=, and enewpassword= parameters.

3. Verify that the changes were applied to the agent.

Creating a Mobile Account for Active Directory on Mac OS

Mac OS local accounts and mobile accounts can initiate encryption on Mac OS X Mountain Lion or later. Other Mac OS user account types cannot initiate encryption.


If a Mac OS account other than a local account or mobile account attempts to initiate encryption, the following notification appears:

The following task shows how to create a mobile account for your Mac OS account to work around this issue.

Procedure

1. Go to System Preferences... in the Apple menu.

The System Preferences window appears.

2. Select Users & Groups under the System section.

3. Click the lock icon in the lower left corner.

4. Click Create... next to Mobile account.

5. On the following screens, select any personal settings, and click Create to proceed from one screen to the next.

6. When prompted, enter your Active Directory password and click OK.


Your mobile account has been created. You may now use this mobile account to initiate encryption.

Troubleshooting Password and Encryption Issues

After installing Encryption Management for Apple FileVault and restarting the endpoint, Apple FileVault attempts to encrypt the disk.


If the password specified during installation did not match the specified user account, the following window appears:

• For endpoints with hard drives not using APFS (Apple File System), restart the endpoint again after specifying the correct password. If the password was the issue, Apple FileVault encrypts the endpoint after restarting.

• For endpoints running Mac OS High Sierra (10.13) with SSDs using APFS, a restart is not required. Apple FileVault encrypts the endpoint after you specify the correct password.

If this problem persists, or if the encryption status shows that the endpoint is not encrypting, then another issue is restricting Apple FileVault functionality. Use the following procedure to determine where the issue lies and whether to send the issue to Trend Micro Support.

Procedure

1. From the Apple menu, go to System Preferences > Security & Privacy > FileVault.

2. If the lock icon is locked, click the lock icon to make changes.

3. Click Turn On FileVault....


A window appears that asks for your password.

4. Type your password and click Start Encryption.

If your user account has permission to turn on FileVault, your credentials are correct, and FileVault is working properly, FileVault begins encrypting the disk.

5. If FileVault encounters any issues during encryption after this point, take relevant screenshots of those issues and contact Trend Micro Support.


Chapter 9

Recovery

This chapter explains methods to recover inaccessible drives encrypted by Full Disk Encryption.


Preboot Errors after Installation

If the first run of the preboot is unable to load immediately after installation, Full Disk Encryption performs the following:

• Restores the normal boot process, and boots into Windows

• Prevents encryption from starting

• Displays the following message:

This may be due to the following issues:

Issue: Incomplete installation
Description: The installer was not able to complete installation.
Solution: Uninstall Full Disk Encryption, reboot, and try running the installer again.

Issue: Unexpected shutdown
Description: Usually does not cause an issue. However, it is possible that the installer was not able to complete installation.
Solution: Restart the endpoint first. If the error persists, uninstall Full Disk Encryption, reboot, and try running the installer again.

Issue: Incompatible hardware
Description: Unable to complete preboot loading due to incompatible hardware or firmware.
Solution: Uninstall Full Disk Encryption, and then do one of the following:

• Remove all incompatible hardware

• Update all incompatible firmware

Note: To determine whether specific hardware or firmware is incompatible with the Full Disk Encryption installation, contact Trend Micro support for more details.

Then reinstall Full Disk Encryption.

If the issue persists, contact Trend Micro support for assistance.

Full Disk Encryption Recovery Methods

If a device is fully encrypted by Full Disk Encryption, issues may occur with the system or a program that hinder or prevent access to Windows or related services. In these cases, use the following methods and tools to recover your system, listed in order from the least severe to the most severe situation.


Situation: Windows is working normally but Full Disk Encryption affects some applications, reduces Windows performance, or displays error messages.
Recovery Method: Uninstall Full Disk Encryption
Description: Uninstalling Full Disk Encryption removes Full Disk Encryption from the device. Once uninstallation is complete, you may proceed with other recovery actions within Windows if necessary. Afterwards, you may attempt to reinstall Full Disk Encryption. For uninstallation steps, see the Endpoint Encryption Installation Guide.

Situation: The Full Disk Encryption preboot loads, but Windows does not.
Recovery Method: Recovery Console on page 9-5
Description: The Full Disk Encryption Recovery Console can be opened from the Full Disk Encryption preboot. To decrypt the hard disk, go to Manage Disks > Decrypt This Disk in the Recovery Console; this decrypts the selected hard disk in place or saves an image of the decrypted hard disk to removable media.
Note: This method is not recommended if Windows is functioning normally.

Situation: At startup, neither Windows nor the Full Disk Encryption preboot starts up. The endpoint displays a black screen with an unmoving input cursor.
Recovery Method: Recovery Tool on page 9-23
Description: This issue normally occurs because the MBR is corrupted. The Full Disk Encryption Recovery Tool attempts to repair the MBR. If successful, the Full Disk Encryption preboot loads normally the next time the endpoint starts.

Situation: At startup, the endpoint displays the background of the Full Disk Encryption preboot, but the logon window does not load.
Recovery Method: Recovery Tool on page 9-23
Description: This issue normally occurs because the Full Disk Encryption database is corrupted. The Recovery Tool attempts to obtain information from PolicyServer and replace the corrupted Full Disk Encryption database. If successful, the Full Disk Encryption preboot loads normally the next time the endpoint starts.

Situation: The endpoint is unable to start Windows or to access the Full Disk Encryption preboot, and the Recovery Tool is unable to repair the disk.
Recovery Method: Contact Technical Support
Description: Attempt the other recovery methods first. If the previous recovery methods are inaccessible or do not work, contact Trend Micro support. The Trend Micro support team will do their best to resolve your issue. For more information, see Technical Support on page 11-1.

Recovery Console

The Full Disk Encryption Recovery Console allows Administrators, Authenticators, and permitted Users to do the following:

• Recover Full Disk Encryption devices in the event of primary operating systemfailure

• Troubleshoot network connectivity issues

• Decrypt disks to retrieve inaccessible data

• Manage policies when not connected with PolicyServer


WARNING!

If the disk is encrypted, do not use Windows or third-party repair utilities to recover data.Use the Recovery Console and decrypt the disk first. Otherwise, data may be lost,corrupted, or become inaccessible.

All policy changes are overwritten when the Full Disk Encryption agent synchronizespolicies with PolicyServer.

Recovery Console Options

Manage Disks: Displays options for managing disks on the endpoint. For details, see Manage Disks Options on page 9-8.

Mount Partitions: Provides access to the encrypted partitions for file management. View encrypted files or copy files to an external device.
Note: This option is only available for disks using software encryption. It is unavailable if the disk is a SED.

Manage Users: Add or remove users from the device when not connected to PolicyServer.

Manage Policies: Modify policies for devices that are either not managed by PolicyServer or are managed but temporarily not connected to PolicyServer. If the device is managed, policy changes are overwritten the next time the device communicates with PolicyServer.

View Logs: View and search the various Full Disk Encryption logs.
Note: Logs are available only when the Recovery Console is accessed from Windows.

Network: Clicking Network opens two screens:

• Setup: Configure your network connection settings, including whether you use a static or dynamic IP address, your PolicyServer address, and your Wi-Fi settings.

• Troubleshooting: View your DHCP logs and run trace route commands.

Back to Login: Exit the Recovery Console and return to the login screen.

Exit: Exit the Recovery Console.

Accessing the Recovery Console from Full Disk Encryption Preboot

By default, only Administrator and Authenticator accounts may access the Recovery Console. To allow other users to access the Recovery Console, enable user recovery from your management console. For Control Manager, see Configuring Full Disk Encryption Rules on page 5-15.

Procedure

1. Start or restart the endpoint.

The Full Disk Encryption preboot appears.

2. Select the Recovery Console check box.

3. Specify Endpoint Encryption user account credentials.

4. Click Login.

The Recovery Console opens.


Accessing Recovery Console from Windows

Procedure

1. In Windows, go to the Full Disk Encryption installation directory.

The default location is C:\Program Files\Trend Micro\Full Disk Encryption\.

2. Open RecoveryConsole.exe.

The Recovery Console window appears.

3. Specify the Endpoint Encryption user name and password, then click Login.

Recovery Console opens to the Manage Disks page.

Manage Disks Options

The options displayed in the Manage Disks screen change depending on the status ofthe disks attached to the device.

Encrypt: Encrypt new unencrypted disks. This is the only option available if the Recovery Console is accessed from Windows. The system disk is selected by default. For details, see Encrypt Disks on page 9-9.

Decrypt All: Decrypt the system disk and all data disks attached to the endpoint.

Decrypt this Disk: Decrypt the selected disk. For details, see Using Decrypt Disk in Preboot on page 9-11.

Stop: Stop the decryption process.

Detach Disk: Exclude the disk from being managed by Full Disk Encryption. This option is available only for data disks which have completed decryption. After detaching the disk, Full Disk Encryption identifies the disk as a new disk and excludes it from all policies. To manage the disk again, use Full Disk Encryption to re-encrypt the disk.

Restore Boot Partition: Roll back the MBR to its state before Full Disk Encryption installation. This option is available only for system disks which have completed decryption. To enable this option, detach all data disks from the endpoint. For details, see Restore Boot on page 9-13.

Unlock SED: Remove the preboot from an SED system disk. This option is available only for SED system disks which have completed decryption. To enable this option, detach all data disks from the endpoint.

Encrypt Disks

Use the Recovery Console to initialize the encryption of new unencrypted disks.

Note

This process requires a working connection to PolicyServer.

Procedure

1. Power off the endpoint and attach the new disk.

2. Boot into Windows.

Windows detects and installs drivers for the new disk.

3. Start the Recovery Console from Windows.

For details, see Accessing Recovery Console from Windows on page 9-8.


4. Log on to Recovery Console.

5. On the Manage Disks screen, click Summary to review which disks to encrypt.

Note

Full Disk Encryption shows unencrypted disks as Unmanaged disks.

6. Select the disk that needs to be provisioned, and click Encrypt Disk.

A notification appears informing the user that the disk has been successfullyprovisioned for encryption.

7. (Optional) For devices with multiple disks, repeat the previous step to provisionadditional disks for encryption.

8. Restart the endpoint to begin encryption.

9. After restarting, click the Full Disk Encryption icon in the system tray and use the Encryption Status tab to monitor the progress of the encryption.

Decrypt Disks

Full Disk Encryption provides the following options for decrypting disks:

• Use PolicyServer to deploy a policy that decrypts all disks for a specific group. Set the Encrypt Device value to No.

For details, see the Endpoint Encryption 6.0 PolicyServer MMC Guide.

• Uninstalling Full Disk Encryption automatically decrypts all disks attached to adevice.

For uninstallation steps, see the Endpoint Encryption Installation Guide.

• Start disk decryption from the Recovery Console in preboot.

For details, see Using Decrypt Disk in Preboot on page 9-11.

Important

Use the preboot's Decrypt Disk function only if you have problems booting into Windows. If there are no issues accessing Full Disk Encryption from Windows, Trend Micro recommends using PolicyServer or the Full Disk Encryption uninstaller to decrypt disks.

Using Decrypt Disk in Preboot

Selecting Decrypt Disk in preboot decrypts an encrypted Full Disk Encryption hard disk, but does not remove any of the encryption drivers.

WARNING!

• Read all instructions before using Decrypt Disk. Data loss may occur if it is performed incorrectly.

• Use the preboot's Decrypt Disk function only if you have problems booting into Windows. Do not use Decrypt Disk to remove Full Disk Encryption from any Endpoint Encryption device that is functioning normally. Use TMFDEUninstall.exe instead.

To decrypt the Full Disk Encryption device, the user must have sufficient rights to access the Recovery Console. To allow all users in a group/policy to access the Recovery Console, enable the following policy:

PolicyServer MMC: Go to Full Disk Encryption > Agent > Allow User Recovery.

Control Manager: Create or edit a policy, then go to Full Disk Encryption > Users are allowed to access system recovery utilities.

Using an Administrator, Authenticator, or permitted User account, perform the following to decrypt a disk.


Procedure

1. Log on to Recovery Console.

See Accessing the Recovery Console from Full Disk Encryption Preboot on page 9-7.

Recovery Console opens to the Manage Disk page.

2. Do one of the following:

• Click Decrypt All to decrypt all encrypted drives in the device.

• Click Summary, select a disk, and click Decrypt to decrypt only the selected disk.

Decryption begins immediately and the Manage Disk page shows the decryption progress.

3. When decryption completes, Full Disk Encryption displays the following options:

• For system disks, Full Disk Encryption displays Restore Boot Partition or Unlock SED, depending on the disk type.

For details, see Restore Boot on page 9-13.

• For data disks, Full Disk Encryption displays Detach Disk. Click it to exclude the disk from being managed by Full Disk Encryption.

4. Click Exit to reboot the Endpoint Encryption device.

5. Log on the Full Disk Encryption preboot.

6. Log on to Windows.

Verify that all disks selected for decryption are no longer encrypted.

Mount Partitions

Use Mount Partitions to copy files between the encrypted hard disk and external storage before imaging or reformatting the drive. The encrypted contents of the drive appear in the left pane and an unencrypted device can be mounted in the right pane. Use copy and paste to move files between panes. Files copied to the encrypted drive are encrypted. Files copied out of the encrypted drive are decrypted.

Restore Boot

The Restore Boot option restores the original boot record on the system disk of an Endpoint Encryption device once the device is fully decrypted. Restore Boot is only available from the Full Disk Encryption preboot.

Decrypt the disk before restoring the Master Boot Record (MBR).

WARNING!

Read all instructions before using Decrypt Disk. Data loss may occur if it is performed incorrectly.

Procedure

1. Log on to Recovery Console.

See Accessing the Recovery Console from Full Disk Encryption Preboot on page 9-7.

Recovery Console opens to the Manage Disks page.

2. Click Summary, and then click Decrypt All.

3. Wait for the disk to complete decryption.

4. After decryption, select a data disk and click Detach.

Repeat this step for all data disks in the endpoint. Only the system disk should remain.

Restore Boot Partition becomes available after all data disks have been detached from the endpoint.

Note

If the system disk is a SED, the Recovery Console displays Unlock SED instead.


5. Click Restore Boot Partition.

A Replace MBR confirmation window appears.

6. Click Yes to replace the MBR.

A message confirming the MBR replacement displays.

7. Click Exit.

The Endpoint Encryption device boots into Windows.

Manage Full Disk Encryption Users

Use Manage Users to add or remove users from the Full Disk Encryption preboot cache or to change a user's cached password. The Manage Users option is useful when the Full Disk Encryption agent cannot connect to PolicyServer. Both the Full Disk Encryption preboot and the Windows Recovery Console can use this option.

Note

• Manage Users is only available when not connected to PolicyServer.

• Changes made to users through the Recovery Console are overridden when Full Disk Encryption connects to PolicyServer.

Some considerations about passwords:

• Assigned passwords are always fixed passwords.

• Specify the user password expiration date using the Password Expiration calendar.

• Setting the date to the current date or older forces an immediate password change. Setting the date to a future date commits the change on that specified date.

Editing Users

Editing users in the Recovery Console follows the same rules as the Enterprise. For information about roles and authentication, see Authentication Overview on page 5-2.


Procedure

1. Select the user from the user list.

2. Update the desired information.

3. Select the user type.

For an explanation of account roles, see Authentication Overview on page 5-2.

4. Set the password expiration date.

5. Click Save.

The user account is updated.

Adding Users

Procedure

1. Click Add User.

2. Specify the user name and password, then confirm the password.

3. Select the authentication method from the Authentication Type drop-down list.

4. Set the password expiration date.

5. Click Save.

The new user appears in the User List and a confirmation window appears.

6. Click OK to close the confirmation window.

The new user account is added.


Deleting Users

Procedure

1. Select a user from the user list.

2. Click Delete User.

A delete user confirmation window appears.

3. Click Yes.

The user is deleted from the user list.

Manage Policies

Use Manage Policies to set various policies from the Full Disk Encryption Recovery Console.

For more information about these policies, see the Administrator's Guide for PolicyServer MMC.

Note

The Manage Policies option is only available when not connected to PolicyServer and anychanges are overridden the next time Full Disk Encryption connects to PolicyServer.

View Logs

Use View Logs to search for and display logs based on specific criteria. View Logs is only available from the Recovery Console when opened from Windows. It is unavailable from the Full Disk Encryption preboot.

For information about opening the Windows Recovery Console, see Accessing Recovery Console from Windows on page 9-8.


Network

Go to Network > Setup to verify, test, and/or change the network settings that are used by the Full Disk Encryption preboot.

Go to Network > Troubleshooting to view DHCP logs and run trace route commands.

Managing Network Configuration

By default, Get setting from Windows is selected for both IPv4 and IPv6. Deselect this option to manually configure the network settings.

• Selecting DHCP (IPv4) or Automatically get address (IPv6) uses thedynamically assigned IP address.

• Selecting Static IP enables all fields in that section.

• In the IPv6 tab, selecting Static IP when the IP Address field is empty creates a unique IP address based on the hardware address of the machine.

Migrating Full Disk Encryption to a New Enterprise

One PolicyServer instance may have multiple Enterprise configurations that each represent a business unit or department. Moving to a new Enterprise removes the Endpoint Encryption device from the old Enterprise and adds it to the new Enterprise within the same PolicyServer instance. The Full Disk Encryption agent may need to move to a new Enterprise when the employee moves to a different department or office location.

WARNING!

Changing the Enterprise requires configuring policies again and recreating groups, and deletes all cached passwords, password history, and audit logs.

Procedure

1. Click Network Setup.


2. Select the PolicyServer tab.

3. Click Change Enterprise.

The Change Enterprise screen appears.

Figure 9-1. Recovery Console Change Enterprise

4. Configure the following options:

New Server User: Specify a Group Administrator account user name, or the user name of an account with permission to install to the group on the new PolicyServer.

New User Password: Specify the password for that account.

New Server Address: Specify the new PolicyServer IP address or host name.

New Enterprise: Specify the new PolicyServer Enterprise.


5. Click Save.

Full Disk Encryption validates the new PolicyServer information.

6. At the confirmation message, click OK.

Note

Restart the Full Disk Encryption agent to update the encryption status displayed in PolicyServer MMC and Control Manager.

Changing the Full Disk Encryption PolicyServer

Note

Changing the PolicyServer requires access to Full Disk Encryption Recovery Console.

Procedure

1. Start or restart the endpoint.

The Full Disk Encryption preboot appears.

2. Select the Recovery Console check box.

3. Specify Endpoint Encryption user account credentials.

Note

By default, only Administrator and Authenticator accounts may access the Recovery Console. To allow other users to access the Recovery Console, enable user recovery from your management console.

4. Click Login.

The Recovery Console opens.

5. Go to Network > Setup.


6. Select the PolicyServer tab.

7. Click Change Server.

8. At the warning message, click Yes.

9. Specify the new server address.

10. Click Save.

Configuring Wi-Fi Settings

Wi-Fi settings are available from the Recovery Console when it is opened from the Full Disk Encryption preboot.

Note

The Full Disk Encryption preboot cannot automatically detect the authentication type for WEP security. If the authentication type is WEP-OPEN or WEP-PSK, manually specify the security type.

Procedure

1. Go to the Wi-Fi tab on the Network Setup screen.


The Wi-Fi settings screen appears.

From the Wi-Fi settings screen, you can disconnect from your current wireless connection by clicking Disconnect.

2. Click Configure to modify your wireless network.


The Wireless Network Configuration screen appears.

3. Select your network.

• To use a listed network, select the SSID, then click OK.

• To configure an unlisted network, click Other Network, specify the SSID settings, then click Connect.

Important

Do not close the screen or restart your endpoint during configuration.

Network Troubleshooting

The tabs on the Troubleshooting screen allow you to do more in-depth investigationinto network problems. The following tabs are available:


• DHCP Client: This tab displays the latest DHCP client logs. If no DHCP request has been made or there is an error, click Set Up Interface to automatically configure your network interface card and perform another DHCP request.

• Traceroute: Use this tab to test your network path by performing a traceroute to PolicyServer. Click Traceroute to perform a new traceroute request.

Recovery Tool

The Full Disk Encryption Recovery Tool is a bootable disk used to repair a device if the device is unable to boot. The latest version of the Recovery Tool is available for download from the Trend Micro Download Center:

http://downloadcenter.trendmicro.com/

The Recovery Tool allows users to do the following:

• Scan and repair Full Disk Encryption issues that prevent users from logging onWindows

• Open the Full Disk Encryption preboot if the agent is unable to access the prebootnormally

• Recover files from an encrypted disk

Note

In previous versions of Endpoint Encryption, a Repair CD was provided along with the product. In Endpoint Encryption 5.0 Patch 4, the Repair CD was replaced with the Recovery Tool.

Preparing the Recovery Tool

The Full Disk Encryption Recovery Tool is a preconfigured Linux environment inside an ISO file. To use the Recovery Tool, write the ISO as a bootable disk to a DVD, USB flash drive, or other removable media device.

The following procedure shows one example of how to install the Recovery Tool on a USB storage device using the free third-party program Rufus.


Procedure

1. Download the Full Disk Encryption installation package.

The Endpoint Encryption installation packages are available at the Trend Micro Download Center:

http://downloadcenter.trendmicro.com/

2. Download and run Rufus.

The Rufus utility is available on the Rufus website:

http://rufus.akeo.ie/?locale=en_US

3. Attach a USB storage device to the endpoint.

WARNING!

This procedure reformats the USB device, removing all data. Trend Micro recommends backing up all files on the USB device before proceeding.

4. In the Device field, select the USB device.

5. In Partition scheme and target system type, select MBR partition scheme for BIOS or UEFI-CSM.

6. Select the option Create a bootable disk using, and choose the option ISO image.

7. Click the image icon and select the image RecoveryTool_x.x.x.xxxx.iso.

The Recovery Tool is located in the Full Disk Encryption installation package.

For example, if you are using the TMEE Suite package, the Recovery Tool is in the following path:

<base_file_path>\TMEE Suite\TMEE_Full Disk Encryption-Windows\Tools\RecoveryTool\RecoveryTool_x.x.x.xxxx.iso

8. Click Start.


9. On the ISOHybrid image detected screen, select an option based on the endpoint where the tool will be used:

• For endpoints that use BIOS, select Write in ISO Image mode (Recommended) and click OK.

• For endpoints that use UEFI, select Write in DD Image mode and click OK.

Rufus reformats the USB device and installs the Recovery Tool on it.

10. When Rufus finishes creating the bootable disk, close Rufus and remove the USB device from the endpoint.
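Two places in this chapter come down to the same on-disk structures: the Recovery Methods table ties a black screen with an unmoving cursor to a corrupted MBR, and the Rufus procedure above hinges on the image being an isohybrid (an ISO 9660 image that also carries a bootable MBR, which is what triggers the ISOHybrid image detected prompt). The following Python script is an added example, not Trend Micro's code and not part of the original guide. It reads the head of an image file and reports whether it is ISO 9660, whether the MBR has its 0x55AA boot signature and non-empty loader code, and whether the MBR partition table lists an EFI system partition (type 0xEF). Use it to confirm a downloaded RecoveryTool ISO has the structure the procedure expects before writing it, or run it on sector 0 of a disk image captured from a failing endpoint before reaching for the Recovery Tool. The image built by build_sample_isohybrid() is constructed for this example only; the actual layout of Trend Micro's ISO is not documented on this page, so treat the EFI check as a hint, not a verdict.

```python
"""Inspect the head of a disk or ISO image: MBR sanity plus ISO 9660 check.

Added example for this guide, not Trend Micro code. The sample image at the
bottom is constructed here and is not a real Recovery Tool ISO.
"""
import struct
import sys
from dataclasses import dataclass

SECTOR = 512
PART_TABLE_OFF = 446           # four 16-byte partition entries
BOOT_SIG_OFF = 510             # 0x55 0xAA marks a valid MBR
ISO_PVD_OFF = 16 * 2048        # ISO 9660 primary volume descriptor (sector 16)
HEAD_LEN = ISO_PVD_OFF + 2048  # bytes needed to check both structures
EFI_SYSTEM = 0xEF              # MBR type id of an EFI system partition


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes) -> dict:
    """Parse the first 512 bytes of a disk or image."""
    if len(sector) < SECTOR:
        raise ValueError("MBR needs at least 512 bytes")
    parts = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return {
        "boot_signature": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
        "bootstrap_empty": not any(sector[:PART_TABLE_OFF]),  # loader code zeroed?
        "partitions": parts,
        "efi_partition": any(p.type_id == EFI_SYSTEM for p in parts),
    }


def inspect_image(head: bytes) -> dict:
    """Classify an image head: plain MBR disk, ISO 9660 only, or isohybrid."""
    mbr = parse_mbr(head)
    iso9660 = (len(head) >= ISO_PVD_OFF + 72
               and head[ISO_PVD_OFF] == 1
               and head[ISO_PVD_OFF + 1:ISO_PVD_OFF + 6] == b"CD001")
    volume_id = ""
    if iso9660:
        raw = head[ISO_PVD_OFF + 40:ISO_PVD_OFF + 72]
        volume_id = raw.decode("ascii", "replace").strip()
    # An isohybrid image carries both the ISO 9660 descriptor and a bootable MBR.
    isohybrid = iso9660 and mbr["boot_signature"] and bool(mbr["partitions"])
    return {"iso9660": iso9660, "volume_id": volume_id,
            "isohybrid": isohybrid, "mbr": mbr}


def build_sample_isohybrid() -> bytes:
    """Constructed stand-in for an isohybrid ISO (not a real Recovery Tool image)."""
    img = bytearray(HEAD_LEN)
    img[0:3] = b"\xfa\x31\xc0"                        # non-zero bootstrap bytes
    # entry 0: bootable, type 0x17, spans the whole image
    struct.pack_into("<B3xB3xII", img, PART_TABLE_OFF,
                     0x80, 0x17, 0, HEAD_LEN // SECTOR)
    # entry 1: EFI system partition nested inside the image (UEFI boot path)
    struct.pack_into("<B3xB3xII", img, PART_TABLE_OFF + 16,
                     0x00, EFI_SYSTEM, 40, 8)
    img[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    img[ISO_PVD_OFF] = 1                              # descriptor type: primary
    img[ISO_PVD_OFF + 1:ISO_PVD_OFF + 6] = b"CD001"
    img[ISO_PVD_OFF + 6] = 1                          # descriptor version
    img[ISO_PVD_OFF + 40:ISO_PVD_OFF + 72] = b"RECOVERYTOOL".ljust(32)
    return bytes(img)


def report(head: bytes) -> str:
    """Human-readable summary of inspect_image()."""
    r = inspect_image(head)
    lines = [f"ISO 9660: {r['iso9660']}  volume id: {r['volume_id'] or '-'}",
             f"MBR boot signature: {r['mbr']['boot_signature']}  "
             f"bootstrap code empty: {r['mbr']['bootstrap_empty']}",
             f"isohybrid: {r['isohybrid']}  EFI partition: {r['mbr']['efi_partition']}"]
    for p in r["mbr"]["partitions"]:
        lines.append(f"  part {p.index}: type 0x{p.type_id:02X} boot={p.bootable} "
                     f"lba={p.lba_start} sectors={p.sectors}")
    return "\n".join(lines)


def main(argv):
    if len(argv) != 2:
        print("usage: inspect_image.py <iso-or-disk-image>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        head = f.read(HEAD_LEN)   # only the head is needed; a 512-byte sector dump also works
    print(report(head))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 inspect_image.py RecoveryTool_x.x.x.xxxx.iso` on the downloaded image; on a Linux host you can also point it at a block device or a `dd` dump of sector 0 from the failing endpoint. A zeroed bootstrap area or a missing boot signature on sector 0 is consistent with the corrupted-MBR symptom in the Recovery Methods table; an ISO that reports isohybrid False will not give you the ISOHybrid prompt in Rufus, so check the download before blaming the USB device.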

Scanning and Repairing a Disk

If you are unable to open Windows or the Full Disk Encryption preboot on a device, use the Full Disk Encryption Recovery Tool to detect problems and potentially repair any issues on that device. The following task assumes that you have already installed the Recovery Tool on a bootable disk.

Procedure

1. On the endpoint to be repaired, set the boot priority to boot from the devicewhere the Recovery Tool has been installed.

For example, if your system uses BIOS, open the BIOS screen, and select the Boot tab. If you used a USB storage device for the Recovery Tool, set Removable Devices as the first boot priority.

2. Shut down the endpoint.

3. Attach the Recovery Tool device to the endpoint, or put the Recovery Tool CD orDVD in the disk drive.

4. Start the endpoint.

The device boots from the Recovery Tool. At system startup, the Recovery Tool automatically opens the Recovery utility and begins scanning the system disk.


If it detects a problem with the system disk, the Recovery Tool attempts to repair the issue.

5. The Recovery tool shows one of the following statuses:

• FDE System Disk Repaired Successfully: The repair process succeeded and no further action is necessary.

Click View to see more details.

• Unable to Repair Device: The Recovery Tool requires an administrator account to perform the repair and displays the Extensive Repair option.

Click Extensive Repair to log on as an administrator and perform an extensive repair.

For details, see Using Extensive Repair on page 9-26.

6. Click Shut Down to shut down the endpoint.

7. Remove the Recovery Tool from the endpoint.

8. Start the endpoint.

If repairs were successful, the endpoint loads the Full Disk Encryption preboot screen at startup.

Using Extensive Repair

The Recovery Tool displays the Unable to Repair Device status if it requires an administrator account to perform the repair. Additionally, it adds the Extensive Repair option to the screen. Clicking View also notifies you that authentication is required to continue repairs.

Procedure

1. Click Extensive Repair.

2. Log on PolicyServer with the following credentials:


User name: Specify an Administrator account. Authenticator and normal user accounts may not access the Recovery Tool, regardless of policy configuration.

Password: Specify the password for that user name.

PolicyServer: Specify the PolicyServer IP address or host name.

Device ID: Specify the device ID. For Full Disk Encryption 5.0 patch 4 or later devices, the Recovery Tool attempts to fill in this field automatically. If the MBR or the Full Disk Encryption database is corrupted, the Recovery Tool may be unable to retrieve this information. In that case, or if the device has Full Disk Encryption 5.0 patch 3 or earlier installed, find and copy the device ID from PolicyServer MMC or Control Manager. In Control Manager, you can access the device ID from the Full Disk Encryption Status Report widget. See Full Disk Encryption Status on page 4-19.

Note

If the Recovery Tool is unable to connect to PolicyServer, a message appears requesting that you configure your network. In that case, click Network Status and Configuration to view your current network status. Click Configure to specify the endpoint IP address settings. Click Reconnect to attempt to connect to PolicyServer again and refresh your network information.

3. The Recovery Tool automatically performs additional scanning and repairs.

After this process, the Recovery Tool shows FDE System Disk Repaired Successfully.

4. (Optional) To ensure that all users can log on after the repair, click Advanced Functions, and then click Cache All Users.

A notification appears informing the user that user accounts were cached successfully.

For more information about the available advanced functions, see Advanced Functions on page 9-29.

Trend Micro Endpoint Encryption Administrator Guide

9-28

5. (Optional) If you need to collect logs for further troubleshooting, click Start > Collect CDT to run the Case Diagnostic Tool.

The Recovery Tool saves the collected logs in the USB drive and shows a notification after collection is finished.

6. Click Shut Down to shut down the endpoint.

7. Remove the Recovery Tool from the endpoint.

8. Start the endpoint.

If repairs were successful, the endpoint loads the Full Disk Encryption preboot screen at startup.

Recovery Tool Options

The Full Disk Encryption Recovery Tool opens a Linux operating system with the following options available:

Recovery: Select this option to open the main utility of the Recovery Tool. This utility scans and attempts to repair the device. After scanning, additional functions become available for accessing the Full Disk Encryption preboot and viewing encrypted files on the disk.

Note

The Recovery Tool may require additional information from PolicyServer to completely repair the device. After initial scanning, the Recovery Tool may request that you authenticate with PolicyServer. Ensure that connection to the network is available before using the Recovery Tool. The Recovery Tool supports wired Ethernet connections.


Zoom: Select this option to open the Zoom video conferencing service. Trend Micro Support may ask you to use this service to share your display so that Support can better help you perform necessary tasks with the Recovery Tool.

Note

Using Zoom requires access to the Internet.

Language Input: The Recovery Tool supports several language inputs. Go to Start > Language Input and select the language of your keyboard.

Shut Down / Restart: To shut down or restart the endpoint, go to Start > Shut Down and select either Shut Down or Restart.

Advanced Functions

After the Recovery Tool finishes scanning and attempting to repair the device, the completion screen includes the options Advanced Functions and Shut Down. Click Advanced Functions to view a screen with one or more options depending on the disk types installed on the device.

Note

Accessing the Advanced Functions screen requires authentication. For more information about scanning, repairing, and authentication, see Scanning and Repairing a Disk on page 9-25.

For standard hard drives (not a self-encrypting drive), the following options are available:

• Launch File Explorer: Click to open a window that shows your file directory. You can copy files from your drive to an external storage device. The Recovery Tool will decrypt those files before adding them to the external device.

Note

Trend Micro recommends backing up your most important files this way. Decryption using this function may take a long time, so if you want to decrypt and copy all files on the drive, instead decrypt the entire drive using the Recovery Console.


• Enable Preboot: Click to set the endpoint to open the Full Disk Encryption preboot the next time that you restart with the Recovery Tool attached to the endpoint. The Recovery Tool includes an internal copy of the Full Disk Encryption preboot that you can use to access the Recovery Console to configure network settings or decrypt the device.

• Cache All Users: Click to allow authentication without a network connection to PolicyServer. In case the endpoint experiences network connection issues after a repair task, users can still type their correct password to authenticate without connecting to PolicyServer.

For self-encrypting drives (SED), the following option is available:

• Unlock SED: The Recovery Console performs one of the following actions depending on the disk configuration:

• If the SED disk is a system disk, the Recovery Console removes the Full Disk Encryption preboot from the disk so that the device no longer requires authentication with PolicyServer.

• If the SED disk is a data disk, the Recovery Console excludes the disk from being managed by Full Disk Encryption.

Note

If the device uses an SED as a system disk and the Advanced Functions option is not available, shut down the device and use the Recovery Tool to boot the device again.

Using the File Explorer

The following example demonstrates how to use the file explorer included in the Recovery Tool to copy local files to an external storage device.

Procedure

1. After the Recovery Tool finishes scanning and attempting to repair the device, click Launch File Explorer on the Advanced Functions screen.

The file explorer window appears.


2. Select the files or folders you want to copy.

3. Right-click the files or folders you want to copy, and select Copy on the context menu.

Alternatively, press CTRL + C to copy the selected files.

4. Connect an external storage device to the endpoint.

The file explorer displays a new sub-tree for the recently attached external storage device.

5. Navigate to the external storage device, and locate a destination folder.

6. Right-click an empty area in the destination folder window, and select Paste on the context menu.

Alternatively, press CTRL + V to paste the selected files.

The file explorer pastes the files copied earlier in the destination folder.

Note

The Recovery Tool will decrypt files before adding them to the external device, so the copies on the external device are stored in cleartext; use an encrypted removable drive or re-encrypt them before transporting them. Decryption using this function may take a long time. If you want to decrypt and copy all files on the drive, another alternative is to decrypt the entire drive using the Recovery Console.

Remote Help Assistance

Remote Help allows users to reset a forgotten password or locked account. Any Endpoint Encryption user who has a locked account or forgot the account password must reset the password before being able to log on to any Endpoint Encryption device. Remote Help requires that the user contact the Help Desk for a Challenge Response. Remote Help does not require network connectivity to PolicyServer. Because the response unlocks the device and lets the caller set a new password, the Help Desk should verify the caller's identity before reading out a response.


Procedure

1. Log on to PolicyServer MMC using any account with Group Administrator permissions in the same policy group as the user.

2. Ask the user to go to Help > Remote Help from the Endpoint Encryption agent.

3. Ask the user for the Device ID.

Figure 9-2. Remote Help Assistance

4. In PolicyServer MMC, open Enterprise Devices or expand the user's group and open Devices.

5. In the right pane, right-click the user's device and then select Soft Token.

The Software Token window appears.

6. Get the 16-digit challenge code from the user, and type it into the Challenge field of the Software Token window.


7. Click Get Response.

The Response field loads with an 8-character string.

8. Tell the user the 8-character string from the Response field.

9. The user inputs the string in the Response field on the endpoint and clicks Login.

10. The user must specify a new password.
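The exchange above is an offline, device-bound challenge/response: the endpoint shows a 16-digit challenge, the help desk turns it into an 8-character response, and the endpoint accepts that response without talking to PolicyServer. The following Python model is an added example, not Trend Micro's code, and does not reproduce the product's actual algorithm. It assumes (an assumption, not something the guide states) that the endpoint and PolicyServer share a per-device secret established at registration and that the response is an HMAC-SHA-256 of the device ID and challenge, truncated to 8 symbols from a phone-friendly alphabet. The sample device ID and secret are constructed for the example.

```python
"""Model of an offline Remote Help challenge/response (added example, not product code).

Assumptions (not from the guide): the endpoint and the help desk (PolicyServer)
share a per-device secret set at registration, and the 8-character response is
derived from that secret, the device ID and the 16-digit challenge with HMAC.
"""
import hashlib
import hmac
import secrets

# 32-symbol alphabet without 0/O and 1/I, so a response read out by phone is unambiguous.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
RESPONSE_LEN = 8

# Constructed sample data: one registered device and the secret both sides hold for it.
DEVICE_ID = "A1B2C3D4E5F6"
DEVICE_SECRET = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def new_challenge() -> str:
    """Endpoint side: a fresh random 16-digit code shown on the Remote Help screen."""
    return f"{secrets.randbelow(10**16):016d}"


def compute_response(device_secret: bytes, device_id: str, challenge: str) -> str:
    """Both sides: derive the 8-character response bound to this device and challenge."""
    if len(challenge) != 16 or not challenge.isdigit():
        raise ValueError("challenge must be exactly 16 digits")
    msg = f"{device_id}|{challenge}".encode()
    mac = hmac.new(device_secret, msg, hashlib.sha256).digest()
    n = int.from_bytes(mac[:8], "big")  # 64 bits available; 8 symbols * 5 bits are used
    out = []
    for _ in range(RESPONSE_LEN):
        out.append(ALPHABET[n & 31])
        n >>= 5
    return "".join(out)


def helpdesk_get_response(device_id: str, challenge: str) -> str:
    """Help desk side (the Get Response step): look up the device secret and answer."""
    if device_id != DEVICE_ID:  # only the single sample device is registered here
        raise KeyError("unknown device")
    return compute_response(DEVICE_SECRET, device_id, challenge)


def endpoint_verify(challenge: str, typed_response: str) -> bool:
    """Endpoint side: accept the response typed by the user for the challenge it displayed."""
    expected = compute_response(DEVICE_SECRET, DEVICE_ID, challenge)
    # Constant-time compare; case is normalised because the code is dictated by phone.
    return hmac.compare_digest(expected, typed_response.strip().upper())


def remote_help_session() -> bool:
    """Walk through the whole exchange once and report whether the endpoint unlocked."""
    challenge = new_challenge()                              # user reads this to the help desk
    response = helpdesk_get_response(DEVICE_ID, challenge)   # help desk clicks Get Response
    return endpoint_verify(challenge, response)              # user types it in and clicks Login


if __name__ == "__main__":
    print("unlocked:", remote_help_session())
```

The point the model makes explicit is that a response is only valid for the device and the exact challenge it was computed for: the same response fails against a different challenge or a device with a different secret, so a leaked response from one call cannot be replayed later or against another endpoint.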


Chapter 10

Resolved and Known Issues

This section describes the Endpoint Encryption issues that have been fixed and the remaining issues and limitations.


Resolved Issues

This section describes the previous Endpoint Encryption issues that have been resolved.

Resolved Issues in Endpoint Encryption 6.0

1. Issue: Loading time from boot to the preboot screen can take more than 5 minutes for some specific endpoints.
Solution: This version adds improvements to make the Full Disk Encryption preboot screen load faster.

2. Issue: Screen scaling issues on HD and UltraHD displays may cause the Full Disk Encryption preboot login screen pages and strings to appear too small.
Solution: This version resolves the issue by giving the Full Disk Encryption preboot screen a specific resolution.

3. Issue: Preboot authentication is slow if PolicyServer is inaccessible.
Solution: This version adds improvements to the Full Disk Encryption preboot network connection structure.

4. Issue: The PolicyServer device management screen displays a "Not encrypted" status for self-encrypting drives.
Solution: This version resolves the "Not encrypted" status which the PolicyServer device management screen displays for self-encrypting drives.

5. Issue: The Wi-Fi connection is unable to connect to PolicyServer during Full Disk Encryption preboot for some endpoints.
Solution: This version ensures that the Wi-Fi connection successfully connects to PolicyServer by adding improvements to the Full Disk Encryption preboot.

6. Issue: The Full Disk Encryption sync password tool encounters issues when working with 6.0 Full Disk Encryption agents.
Solution: The Full Disk Encryption sync password tool supports both Endpoint Encryption 5.0 and 6.0 agents.

7. Issue: The Full Disk Encryption support tool encounters issues when working with 6.0 Full Disk Encryption agents.
Solution: The Full Disk Encryption support tool supports both Endpoint Encryption 5.0 and 6.0 agents.


Resolved Issues in Endpoint Encryption 6.0 Update 1

1. Issue: PolicyServer is unable to complete the upgrade to version 6.0 if the database connection encounters timeout errors.
Solution: This version fixes the issue by extending the timeout setting to 600 seconds.

2. Issue: The PolicyServer update status log sent to Control Manager may contain strings that are not recognized as valid date time formats, which causes Control Manager to show incorrect policy and device status information.
Solution: This version adds improvements to the parsing of date time values.

3. Issue: Domain login is unsuccessful if the default password policy cannot be retrieved.
Solution: This version improves error handling for null exceptions.

4. Issue: If the application pool is set to enable 32-bit applications, automatic port detection does not work.
Solution: This version adds support for application pools running 32-bit applications in x64 systems.

5. Issue: Using an Encryption Management for Apple FileVault (Build 6.0.0.1033) pkg file where the certificate has already expired may cause issues during installation.
Solution: This version updates the certificate for the installation pkg file.

6. Issue: Unable to successfully install or upgrade the Trend Micro Endpoint Encryption Deployment Tool (Build 6.0.0.1087) on OfficeScan XG.
Solution: This version (6.0.0.2005) updates the AU module to fix issues related to SSL certificate verification.

7. Issue: After upgrading to a 6.0 server, a 5.0 client may require more processing time to sync policies. This causes the server to stop answering client requests and crash.
Solution: This version fixes the issue by extending the timeout setting to 600 seconds.

8. Issue: Unable to perform domain authentication if the user's Distinguished Name contains a special character.
Solution: This version fixes the issue by encoding special characters in the LDAP filter and also prevents the occurrence of possible LDAP injection events.


9. Issue: If PolicyServer sends a status log to Control Manager and an exception error occurs, Trend Micro Endpoint Encryption agents may not appear in Control Manager.
Solution: This version improves error handling for requests related to getting user information, thus preventing the exception error.

10. Issue: The ALPS touchpad in Dell laptops is unresponsive during the Full Disk Encryption preboot.
Solution: This version adds support for the ALPS touchpad in Dell laptops so that it functions normally during preboot on endpoints configured to boot using MBR or UEFI.

11. Issue: After installing Trend Micro Full Disk Encryption, a Windows system configured to use UEFI may boot to a black screen with a blinking cursor.
Solution: This version provides an updated Trend Micro Full Disk Encryption EFI program to provide increased compatibility with old UEFI firmware.

12. Issue: In the Encryption Management for Microsoft BitLocker agent console, the "TMEE Username" displays the user who installed Encryption Management for Microsoft BitLocker, instead of the user who is currently logged on.
Solution: This version fixes the issue by hiding the "TMEE Username" value.
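Issue 8 in the Update 1 list is the classic LDAP injection surface: a user-controlled Distinguished Name interpolated into a search filter, where an unescaped backslash breaks a legitimate DN and an unescaped parenthesis or asterisk lets an attacker add clauses or wildcards. The following Python example is added here and is not Trend Micro's code. It assumes (an assumption about the product, not something the guide states) that domain authentication looks the account up with a filter on distinguishedName, shows the unescaped filter beside one escaped per RFC 4515, and includes a small checker that counts how many assertions a filter really contains. The sample DNs are constructed for the example.

```python
"""LDAP filter escaping for a user-supplied DN (added example, not product code).

Assumption (not from the guide): domain authentication searches the directory
with a filter of the form (&(objectClass=user)(distinguishedName=<dn>)).
"""

# Characters that RFC 4515 section 3 requires to be escaped inside an assertion value.
_MUST_ESCAPE = {"\\", "*", "(", ")", "\x00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515).

    Special characters and any non-ASCII character are written as \\XX hex escapes
    of their UTF-8 bytes, so the value can never open or close a filter component.
    """
    out = []
    for ch in value:
        if ch in _MUST_ESCAPE or ord(ch) > 0x7F:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def user_filter_unsafe(dn: str) -> str:
    """The vulnerable form: the DN is dropped into the filter as-is."""
    return f"(&(objectClass=user)(distinguishedName={dn}))"


def user_filter(dn: str) -> str:
    """The hardened form: the DN is escaped before it is interpolated."""
    return f"(&(objectClass=user)(distinguishedName={escape_filter_value(dn)}))"


def count_assertions(filter_text: str) -> int:
    """Count the leaf assertions '(attr=value)' in a filter by walking its parentheses.

    Escaped parentheses (\\28, \\29) are data, not structure, so they are skipped.
    Raises ValueError if the parentheses do not balance.
    """
    depth = 0
    leaves = 0
    i = 0
    n = len(filter_text)
    while i < n:
        ch = filter_text[i]
        if ch == "\\":
            i += 3  # skip the \XX escape sequence
            continue
        if ch == "(":
            depth += 1
            # a leaf assertion is a '(' not immediately followed by an operator
            if i + 1 < n and filter_text[i + 1] not in "&|!":
                leaves += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter")
        i += 1
    if depth != 0:
        raise ValueError("unbalanced filter")
    return leaves


if __name__ == "__main__":
    # Constructed legitimate DN whose RDN contains an RFC 4514-escaped comma;
    # the backslash in it is a special character for filters.
    legit = "CN=Smith\\, John,OU=Users,DC=example,DC=com"
    # Constructed injection attempt: closes the DN assertion and adds a wildcard clause.
    hostile = "CN=x)(objectClass=*"
    for dn in (legit, hostile):
        for build in (user_filter_unsafe, user_filter):
            f = build(dn)
            print(f"{build.__name__:20s} {count_assertions(f)} assertions  {f}")
```

For the hostile DN the unescaped filter contains three assertions, the extra one being the attacker's `(objectClass=*)`, while the escaped filter still contains exactly the two the code intended. For the legitimate DN the unescaped filter carries a bare `\,`, which is not a valid RFC 4515 escape and is rejected by a strict server, which is the symptom the resolved issue describes; escaping turns it into `\5c,` and the lookup succeeds.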

Known Issues

This section describes the Endpoint Encryption issues and limitations grouped according to agent or console.

PolicyServer MMC Issues

The following are the PolicyServer MMC issues and limitations:

1. If a domain user has the Enterprise Administrator or Enterprise Authenticator role, no event log is created when Active Directory synchronization is unsuccessful.


2. PolicyServer MMC is unable to display information for multiple enterprises. PolicyServer is only able to display the first enterprise entered into PolicyServer MMC.

3. Permission issues may prevent PolicyServer 5.0.0.3506 from upgrading directly to 6.0. To prevent this issue, grant "db_ddladmin" permission to the database user account of PolicyServer before upgrading to 6.0, or upgrade PolicyServer to 5.0.0.3793 first before upgrading to 6.0.

4. During preboot, Full Disk Encryption generates message id "10029" (successfully fixed password login) if a user is authenticated by domain password. To distinguish between fixed password authentication and domain authentication, Full Disk Encryption assigns message id "100057" for domain authentication.

5. The Endpoint Encryption 5.0 MMC console is unable to correctly display new policies added in Endpoint Encryption 6.0. To avoid this issue, upgrade the Endpoint Encryption MMC from 5.0 to 6.0 after PolicyServer is upgraded.

6. The time filter function in log events displays incorrect results if the Endpoint Encryption 6.0 MMC connects to a 6.0 beta version of PolicyServer. To solve this issue, upgrade both the PolicyServer and the Endpoint Encryption MMC to the 6.0 release version.

7. Control Manager and the Endpoint Encryption MMC display the incorrect encryption status of a device after it is migrated to a new enterprise before the device is rebooted. Control Manager and the Endpoint Encryption MMC should display the correct encryption status after the device is rebooted.

8. The Log Integrity Alert report may show log events from the PolicyServer 6.0 beta version as "log integrity compromised" events. Log events from the PolicyServer 5.0 or 6.0 versions should be reported correctly.

Control Manager Integration Issues

The following are the Control Manager issues and limitations:

1. After deploying a new policy from Control Manager to PolicyServer, a new policy group does not immediately appear in PolicyServer MMC. To see the new policy group, log off from PolicyServer MMC and log back on.


2. Users cannot be added to the policy if the Users panel in Control Manager Policy Management is disabled.

3. Deleting a policy that was created in Control Manager does not delete the policy from PolicyServer. The policy can still be viewed in PolicyServer MMC.

Endpoint Encryption Deployment Tool Plug-in Issues

The following are the Endpoint Encryption Deployment Tool plug-in issues and limitations:

1. If the OfficeScan administrator tries to deploy server settings to PolicyServer using an Endpoint Encryption user account, an error message returns that the connection was unsuccessful.

2. Plug-in Manager does not display an error message when installing the Endpoint Encryption Deployment Tool Plug-in on a server that does not meet the minimum system requirement of 1 GB free hard disk space.

3. The Endpoint Encryption device may still appear in Plug-in Manager even after the Endpoint Encryption agent has been uninstalled. Agents will disappear the next time that PolicyServer synchronizes with OfficeScan and the Plug-in Manager screen refreshes.

4. Endpoint Encryption users with a one-time password (OTP) are only allowed to deploy agents using the Endpoint Encryption Deployment Tool Plug-in once. All future deployments are unsuccessful. After the first deployment, the user must set a fixed password before performing deployment again.

5. When the uninstall command is deployed from OfficeScan to Full Disk Encryption devices, the message "Successful agent uninstallation request" appears before uninstallation has completed. Endpoint Encryption decrypts the endpoint before completing uninstallation.

Full Disk Encryption Issues

The following are the Full Disk Encryption issues and limitations.


1. The Full Disk Encryption preboot login may encounter reduced performance if the Wi-Fi adapter is connected to an access point with no network access to PolicyServer.

This issue occurs when the PolicyServer IP address is used during Full Disk Encryption installation. Use the PolicyServer FQDN during installation to resolve the issue.

2. The Full Disk Encryption preboot Wi-Fi is unable to automatically detect access points with WEP-Shared security.

Manually specify WEP-OPEN or WEP-PSK security.

3. The Full Disk Encryption preboot is unable to log on Windows 8, 8.1, or 10 when installed on a virtual machine using VMware Workstation with the e1000e Ethernet driver.

The e1000e Ethernet driver is the default driver for Windows 8 and 8.1. Full Disk Encryption does not support the e1000e Ethernet driver.

To resolve this issue, change the driver to e1000:

a. Shut down VMware Workstation.

b. Using a text editor, open the vmware.vmx file.

c. Find the driver line:

ethernet0.virtualDev = "e1000e"

d. Change "e1000e" to "e1000".

e. Save the file and restart the virtual machine.

4. Full Disk Encryption displays an error message and is unable to lock the system when the "LockDeviceTimeDelay" policy is 999999 minutes.

5. Full Disk Encryption is unable to log on by single sign-on when the endpoint wakes from hibernation.

6. When a user logs on Full Disk Encryption, the tray icon shows the correct user name. However, if the user logs off after the endpoint hibernates and another user logs on, the user name still shows the previous user name. No user data is at risk.


7. Toshiba Tecra computers with self-encrypting drives may be unable to run Windows after installing Full Disk Encryption.

8. The Full Disk Encryption preboot does not support combinations of characters with the "AltGr" key when using a Spanish keyboard layout.

9. The Full Disk Encryption preboot is unable to control the Num Lock indicator for some HP laptops. In those cases, the Num Lock indicator can be configured in the BIOS settings.

10. Full Disk Encryption does not support installation alongside other third-party full disk encryption products. If multiple encryption products are installed on the same endpoint, the endpoint may be unable to start Windows and may display a blue screen error message.

11. The Full Disk Encryption Recovery Tool may encounter errors when logging on to Zoom by single sign-on, or by using Google or Facebook accounts.

To avoid this issue, only use Zoom to connect to meetings hosted by Trend Micro support. Do not attempt to host meetings through the Recovery Tool.

12. Full Disk Encryption is unable to install on the HP ProBook 6570b, HP EliteBook Folio 9470m, and Dell Inspiron 7386 if the boot configuration for these endpoints is set to UEFI. To ensure successful installation, set the boot configuration to BIOS prior to installation.

13. The Full Disk Encryption installer is unable to upgrade older Full Disk Encryption versions on devices where the system disk contains more than 8 extended partitions. To upgrade these devices to the 6.0 version, uninstall the old version first and then perform a clean install instead.

14. Full Disk Encryption may display an inaccurate percentage of completion if the value of the Encrypt Policy setting changes during encryption. To fix this issue, decrypt the whole disk and encrypt it again.

15. Disk conversion from MBR to GPT cannot be performed on a disk managed by Full Disk Encryption. To convert a managed disk from MBR to GPT, decrypt the whole disk first, and then detach the disk from Full Disk Encryption. Afterwards, perform the disk conversion as usual.

16. During preboot, the Wire Network Configuration screen displays the hidden SSID \x00\x00\x00\x00\x00\x00\x00\x00.


17. In rare cases, sectors may become corrupted if the power is cut off while encrypting. To prevent this issue, ensure that the power cord is connected during the initial encryption period of Full Disk Encryption.

18. Multiple device encryption complete messages from the same device appear in the audit log for a period of time. This is because Full Disk Encryption generates an "encryption complete" message to PolicyServer for encrypted disks whenever the Full Disk Encryption service restarts, to ensure that the encryption status on the server side is up to date.

19. Full Disk Encryption is incompatible with the PLEXTOR PX-128M5 Pro (old firmware). The encryption status of the disk is displayed as (NaN%) when the encryption starts.

20. Full Disk Encryption usually queries DNS suffixes from Windows and applies them in preboot. However, Full Disk Encryption only uses the first DNS suffix found. To minimize issues, ensure that the preferred DNS suffix is set as the first DNS suffix in Windows.

21. Full Disk Encryption may incorrectly mark the network information display of Windows XP VMware images with an (X). However, this is only a display issue. There is no impact on network connectivity.

22. During preboot, the touchpad of an Acer V3-372 or ASUS BU400A machine may be unresponsive. To solve this issue, change the touchpad setting in the firmware from Enhanced to Basic, or use an external USB mouse.

23. When deploying Full Disk Encryption using the Endpoint Encryption Deployment Tool Plug-in, the Endpoint Encryption Deployment Tool Plug-in does not display the result of the safety check (a new feature of Full Disk Encryption in 6.0). As a workaround, administrators can manually review the safety check result from Control Manager or the Endpoint Encryption MMC console.

24. Full Disk Encryption may encounter issues if installed on an ASUS BU400A machine using a UEFI SED configuration. This causes the firmware to delete the boot entry after the device has booted into Windows, which makes unlocking the self-encrypting drive difficult after the device is powered on again. To minimize issues, switch to BIOS with SED configuration, or UEFI with normal disk configuration. If the self-encrypting drive cannot be unlocked, administrators may use the recovery tool to unlock the drive after authentication.


25. Wi-Fi SSID settings deployed from Control Manager do not support angle brackets (< >). Remove angle brackets from the Wi-Fi SSID settings.

26. The Full Disk Encryption preboot does not support the network port of the Microsoft Surface Dock. However, the Full Disk Encryption preboot supports the built-in Wi-Fi found on the Surface Pro 3 and Surface Pro 4. To establish a connection to PolicyServer, configure the Full Disk Encryption preboot to use the built-in Wi-Fi.

27. Installation of Full Disk Encryption may cause the endpoint to require more time to resume from hibernation. On average, resuming from hibernation may take 80 seconds for BIOS-configured endpoints, and 30 seconds for UEFI-configured endpoints.

28. If the Full Disk Encryption database of a data disk becomes corrupt, the data disk becomes inaccessible in Windows. To resolve this issue, use the Full Disk Encryption recovery tool. The Full Disk Encryption recovery tool reports the disk as "Not an FDE disk", but will still automatically repair the database on the data disk. If the issue persists, contact Trend Micro support for data recovery.

29. Full Disk Encryption is unable to complete installation on Lenovo ThinkStation P410 endpoints if the boot configuration is set to UEFI. To ensure successful installation, set the boot configuration to BIOS prior to installation.

30. Full Disk Encryption is incompatible with some Dell OptiPlex 980 models. To use Full Disk Encryption on these endpoints, install Encryption Management for Microsoft BitLocker.

31. For NVMe disks, Full Disk Encryption displays the "Failed to find FDE Device" error message if the firmware's SATA Operation setting is set to RAID On. To resolve this issue, switch the firmware's SATA Operation setting to AHCI, and then install Full Disk Encryption again.

32. Full Disk Encryption 6.0 Patch 1 does not support the Gigabyte Q21B. The current workaround is to install the Full Disk Encryption 6.0.0.2056 build.

33. The Full Disk Encryption preboot is unable to display the network card information of an ASUS T100TA. However, the network connection still works.


File Encryption Issues

The following are the File Encryption issues and limitations.

1. If you attempt to delete files or folders in an encrypted folder, Windows prompts the following error: "Can't read from the source file or disk."

This error occurs because File Encryption is unable to move deleted files and folders in an encrypted folder to the Recycle Bin. To delete files and folders in an encrypted folder, use the permanent delete command Shift + Delete.

2. File Encryption does not support "Self Help" questions and answers. At registration, if the Endpoint Encryption user goes to the "Change Password" screen, the user should be given "Self Help" challenge questions.

3. After upgrading PolicyServer and File Encryption from 3.1.3 SP1 to 5.0, policies are unable to synchronize if the File Encryption 3.1.3 agent uses port 8080 (TMEE Service) during registration.

4. After upgrading PolicyServer and File Encryption from 3.1.3 SP1 to 5.0, authentication is locked at the "Change Password" screen if the File Encryption 3.1.3 agent used port 8080 (TMEE Service port) during registration.

5. Uninstalling File Encryption without restarting the endpoint does not automatically remove the program from the Add/Remove Programs list.

6. The legal notice does not appear when the endpoint starts.

7. The File Encryption agent desktop shortcut and agent icon flash when the File Encryption agent synchronizes with PolicyServer.

Encryption Management for Microsoft BitLocker Issues

There are no known issues for Encryption Management for Microsoft BitLocker in this release.

Encryption Management for Apple FileVault Issues

The following are the Encryption Management for Apple FileVault issues and limitations.


1. After upgrading Mac OS to 10.13.1, Encryption Management for Apple FileVault may not start encryption if the domain user doesn't have a "secure token" to enable FileVault. Administrators may need to manually apply a secure token to the mobile account. For details, refer to the following Knowledge Base entry:

https://success.trendmicro.com/solution/1119488

2. After Encryption Management for FileVault receives the Kill command from PolicyServer, all the user passwords on that device are reset to random characters. However, due to a Mac OS 10.10 security design, the Kill function may become "locked", and users are unable to unlock FileVault on that device.


Chapter 11

Technical Support

Learn about the following topics:


Troubleshooting Resources

Before contacting technical support, consider visiting the following Trend Micro online resources.

Using the Support Portal

The Trend Micro Support Portal is a 24x7 online resource that contains the most up-to-date information about both common and unusual problems.

Procedure

1. Go to http://esupport.trendmicro.com.

2. Select from the available products or click the appropriate button to search for solutions.

3. Use the Search Support box to search for available solutions.

4. If no solution is found, click Contact Support and select the type of support needed.

Tip

To submit a support case online, visit the following URL:

http://esupport.trendmicro.com/srf/SRFMain.aspx

A Trend Micro support engineer investigates the case and responds in 24 hours or less.

Threat Encyclopedia

Most malware today consists of blended threats, which combine two or more technologies, to bypass computer security protocols. Trend Micro combats this complex malware with products that create a custom defense strategy. The Threat Encyclopedia provides a comprehensive list of names and symptoms for various blended threats, including known malware, spam, malicious URLs, and known vulnerabilities.

Go to http://about-threats.trendmicro.com/us/threatencyclopedia#malware to learn more about:

• Malware and malicious mobile code currently active or "in the wild"

• Correlated threat information pages to form a complete web attack story

• Internet threat advisories about targeted attacks and security threats

• Web attack and online trend information

• Weekly malware reports

Contacting Trend Micro

In the United States, Trend Micro representatives are available by phone or email:

Address: Trend Micro, Incorporated

225 E. John Carpenter Freeway, Suite 1500

Irving, Texas 75062 U.S.A.

Phone: +1 (817) 569-8900

Toll-free: (888) 762-8736

Website: http://www.trendmicro.com

Email address: [email protected]

• Worldwide support offices:

http://www.trendmicro.com/us/about-us/contact/index.html

• Trend Micro product documentation:

http://docs.trendmicro.com


Speeding Up the Support Call

To improve problem resolution, have the following information available:

• Steps to reproduce the problem

• Appliance or network information

• Computer brand, model, and any additional connected hardware or devices

• Amount of memory and free hard disk space

• Operating system and service pack version

• Version of the installed agent

• Serial number or Activation Code

• Detailed description of install environment

• Exact text of any error message received

Sending Suspicious Content to Trend Micro

Several options are available for sending suspicious content to Trend Micro for further analysis.

Email Reputation Services

Query the reputation of a specific IP address and nominate a message transfer agent for inclusion in the global approved list:

https://ers.trendmicro.com/

Refer to the following Knowledge Base entry to send message samples to Trend Micro:

http://esupport.trendmicro.com/solution/en-US/1112106.aspx


File Reputation Services

Gather system information and submit suspicious file content to Trend Micro:

http://esupport.trendmicro.com/solution/en-us/1059565.aspx

Record the case number for tracking purposes.

Web Reputation Services

Query the safety rating and content type of a URL suspected of being a phishing site, or other so-called "disease vector" (the intentional source of Internet threats such as spyware and malware):

http://global.sitesafety.trendmicro.com/

If the assigned rating is incorrect, send a re-classification request to Trend Micro.

Other Resources

In addition to solutions and support, there are many other helpful resources available online to stay up to date, learn about innovations, and be aware of the latest security trends.

Download Center

From time to time, Trend Micro may release a patch for a reported known issue or an upgrade that applies to a specific product or service. To find out whether any patches are available, go to:

http://www.trendmicro.com/download/

If a patch has not been applied (patches are dated), open the Readme file to determine whether it is relevant to your environment. The Readme file also contains installation instructions.


Documentation Feedback

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please go to the following site:

http://www.trendmicro.com/download/documentation/rating.asp

Appendices


Appendix A

Maintenance Tools

This section describes additional utilities packaged with Endpoint Encryption that perform product maintenance tasks. Endpoint Encryption includes the following tools:

Diagnostics Monitor: View Endpoint Encryption event logs in real time. See Using the Diagnostics Monitor on page A-2.

Log Server Tool: Generate a log package for all events that occur while replicating specific issues. See Using the Log Server Tool on page A-5.

PolicyServer Change Settings Tool: Modify your SQL server and Windows service user credentials without reinstalling PolicyServer. See Using the PolicyServer Change Settings Tool on page A-6.


Using the Diagnostics Monitor

The Diagnostic Monitor allows administrators to view events related to Endpoint Encryption in real time.

Procedure

1. Copy, download, or locate a PolicyServer installation package on the endpoint you have installed PolicyServer on.

To download the PolicyServer installation package or the Endpoint Encryption Suite, go to the Trend Micro Download Center:

http://downloadcenter.trendmicro.com/

2. Go to <PolicyServer Directory>\TMEE_PolicyServer\Tools\Diagnostics Monitor.

3. Run the file DiagnosticMonitor.exe as an administrator.

The License Renewal Tool screen opens.

Important

Windows may encounter an error titled Xenocode Postbuild 2010 at this point. The message text states that the application is unable to load a required virtual machine component. If this error occurs, open Windows Update, remove the update “KB3045999”, and try to run Diagnostic Monitor again.

4. Go to File > Options....


The Live Monitor Options screen appears.

5. Go to LogAlerts and set the Minimum Level Displayed to Debug.

6. Set the Maximum Records Displayed field to a value between “3000” and “50000”.

After setting the Maximum Records Displayed value, an event may appear in Diagnostic Monitor stating that the system is out of memory. If this event appears, return to this window and set the Maximum Records Displayed to a lower value.

7. Click Apply to all Categories or select individual categories and apply specific settings to each of them.


8. Restart the service PolicyServerWindowsService from Windows Task Manager.

When the PolicyServer service restarts, Active Directory synchronizes with PolicyServer. The Diagnostic Monitor will display events related to Active Directory synchronization.

9. View the logs in the Diagnostic Monitor window.

10. If you are using Diagnostic Monitor to troubleshoot a specific issue, perform all tasks necessary to replicate that issue while Diagnostic Monitor is open.

11. To generate a file of the diagnostic logs, go to File > Save to File.

A log file appears at your selected output folder. The default output folder is the desktop. To change your selected output folder, go to File > Option > Output Folder.

The name of the file is a timestamp of when you generated the file and the format is PSDM.


Note

If you contact Trend Micro Support regarding an issue, the support representative may request that you send a copy of the diagnostic logs for bug verification.

Using the Log Server Tool

The Log Server Tool allows administrators to record all events related to Endpoint Encryption over a period of time to troubleshoot specific issues. The recorded logs are intended for use by Trend Micro Support, so Trend Micro does not recommend using the Log Server Tool on your own. If you have an issue, contact Trend Micro Support, and the support representative may request that you replicate your issue while using the Log Server Tool.

Procedure

1. Open the PolicyServer program folder.

The default installation path is C:\Program Files\Trend Micro\PolicyServer.

2. Run the file LogServer.exe as an administrator.

A command prompt titled LogServer.exe appears. The Log Server Tool is running at this time.

The Log Server Tool generates PolicyServer diagnostic logs. The logs appear as a file named psdedebug.log in a folder named log in the PolicyServer program folder.

3. Perform all tasks necessary to replicate the issue that you contacted Trend Micro Support to address.

4. Close the command prompt titled LogServer.exe.

5. Send the file psdedebug.log to the support representative who requested that you use this tool.


Using the PolicyServer Change Settings Tool

The main purpose of the PolicyServer Change Settings Tool is to allow administrators to change their SQL Server database credentials without requiring the user to reinstall PolicyServer. Additionally, this tool includes several related features, including testing the database connection and changing the PolicyServer Windows Service credentials.

Procedure

1. Copy, download, or locate a PolicyServer installation package on the endpoint you have installed PolicyServer on.

To download the PolicyServer installation package or the Endpoint Encryption Suite, go to the Trend Micro Download Center:

http://downloadcenter.trendmicro.com/

2. Go to <PolicyServer Directory>\TMEE_PolicyServer\Tools\PolicyServer Change Settings.

3. Run the file PolicyServerChangeSettings.exe as an administrator.

4. Accept the End User License Agreement (EULA) to continue.

The EULA only appears the first time that you run this tool.

5. Change your settings as necessary using any of the following options:

Option  Description

Primary Database  Specify your primary database SQL Server credentials in this section. If you only have one database that serves as both your primary database and your log database, select Use Primary Settings for Log Database.

Log Database  If your primary database and log database are separate, specify your log database SQL Server credentials in this section. This section is disabled if Use Primary Settings for Log Database is selected.

Load From Disk  Reset the credentials for the Primary Database and Log Database sections with the last saved configuration.

Test Connection  Check that PolicyServer can communicate with the databases shown in the Primary Database and Log Database sections.

Write To Disk  Overwrite the last saved configuration with the credentials in the Primary Database and Log Database sections.

Restart PS  Restart PolicyServer. If you changed the credentials and clicked Write To Disk, PolicyServer will attempt to connect using the new SQL Server credentials.

Change Service Credentials...  Change the credentials for the PolicyServer Windows Service. The Change PS Credentials window appears if you select this option. You may use either the local Windows system account or specify the credentials for a different account.


Appendix B

PolicyServer Message IDs

The following tables explain PolicyServer error messages. The tables are grouped by category.

• Administrator Alerts on page B-2

• Audit Log Alerts on page B-6

• Certificate Alerts on page B-7

• Device Alerts on page B-8

• Error Alerts on page B-10

• Full Disk Encryption Activity Alerts on page B-10

• Installation Alerts on page B-13

• Login / Logout Alerts on page B-13

• Mobile Device Alerts on page B-17

• OCSP Alerts on page B-18

• OTA Alerts on page B-19

• Password Alerts on page B-19

• PIN Change Alerts on page B-22

• Smart Card Alerts on page B-23


Administrator Alerts

Message ID  Description  Applications

100002  Identifying Device  Full Disk Encryption, File Encryption, PolicyServer
100003  Security Violation  Full Disk Encryption, File Encryption, PolicyServer
100007  Critical Severity  Full Disk Encryption, File Encryption, PolicyServer
100019  Policy Change Unsuccessful  Full Disk Encryption, File Encryption, PolicyServer
100045  Unsupported configuration  Full Disk Encryption, File Encryption, PolicyServer
100046  Enterprise Pool created  Full Disk Encryption, File Encryption, PolicyServer
100047  Enterprise Pool deleted  Full Disk Encryption, File Encryption, PolicyServer
100048  Enterprise Pool modified  Full Disk Encryption, File Encryption, PolicyServer
100049  Admin User locked due to too many failed logins.  Full Disk Encryption, File Encryption, PolicyServer
100052  Policy Value Integrity Check Failed  Full Disk Encryption, File Encryption, PolicyServer
100053  Policy request aborted due to failed policy integrity check.  Full Disk Encryption, File Encryption, PolicyServer
100054  File request aborted due to failed policy integrity check.  Full Disk Encryption, File Encryption, PolicyServer
100055  Admin Authentication Succeeded  Full Disk Encryption, File Encryption, PolicyServer
100056  Admin Authentication Failed  Full Disk Encryption, File Encryption, PolicyServer
100062  Admin Password Reset  Full Disk Encryption, File Encryption, PolicyServer
100463  Unable to remove user. Try again.  Full Disk Encryption, File Encryption, PolicyServer
100464  Unable to unable user. Try again.  Full Disk Encryption, File Encryption, PolicyServer
100470  Unable to change Self Help password. A response to one of the personal challenge questions was incorrect.  Full Disk Encryption, File Encryption, PolicyServer
102000  Enterprise Added  Full Disk Encryption, File Encryption, PolicyServer
102001  Enterprise Deleted  Full Disk Encryption, File Encryption, PolicyServer
102002  Enterprise Modified  Full Disk Encryption, File Encryption, PolicyServer
102003  The number of users has exceeded the maximum allowed by this license. Reduce the number of existing users to restore this user account.  PolicyServer
200000  Administrator updated policy  PolicyServer
200001  Administrator added policy  PolicyServer
200002  Administrator deleted policy  PolicyServer
200003  Administrator enabled application  PolicyServer
200004  Administrator disabled application  PolicyServer
200100  Administrator added user  PolicyServer
200101  Administrator deleted user  PolicyServer
200102  Administrator updated user  PolicyServer
200103  Administrator added user to group  PolicyServer
200104  Administrator removed user from group  PolicyServer
200200  User added  PolicyServer
200201  User deleted  PolicyServer
200202  User added to group  PolicyServer
200203  User removed from group  PolicyServer
200204  User updated  PolicyServer
200300  Administrator deleted device  PolicyServer
200301  Administrator added device to group  PolicyServer
200302  Administrator removed device from group  PolicyServer
200500  Administrator added group  PolicyServer
200501  Administrator deleted group  PolicyServer
200502  Administrator updated group  PolicyServer
200503  Administrator copy/pasted group  PolicyServer
200600  PolicyServer update applied.  PolicyServer
200602  User added to device  PolicyServer
200603  User removed from device  PolicyServer
200700  Event executed successfully  PolicyServer
200701  Failed event execution  PolicyServer
200800  Event installed successfully  PolicyServer
200801  Failed to install event  PolicyServer


Audit Log Alerts

Message ID  Description  Applications

100015  Log Message  Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer
103000  Audit Log Connection Opened  Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer
103001  Audit Log Connection Closed  Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer
103100  Audit Log Record Missing  Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer
103101  Audit Log Record Integrity Missing  Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer
103102  Audit Log Record Integrity Compromised  Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer
103103  Audit Log Record Integrity Validation Started  Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer
104003  Authentication method set to SmartCard.  Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer
904008  Unable To Send Log Alert  Full Disk Encryption, File Encryption, DriveArmor, KeyArmor, or PolicyServer

Certificate Alerts

Message ID  Description  Applications

104008  Certificate expired.  Full Disk Encryption, File Encryption, PolicyServer

Device Alerts

Message ID  Description  Applications

100001  PDA to Desktop Sync Authentication was unsuccessful. There was no device ID for this PDA found.  Full Disk Encryption, File Encryption, PolicyServer
100012  Device is not in its own Password Authentication File. PAF corrupted?  Full Disk Encryption, File Encryption, PolicyServer
100044  Lock Device Action Received  Full Disk Encryption, File Encryption, PolicyServer
100100  Install Started  Full Disk Encryption, File Encryption
100101  Install Completed  Full Disk Encryption, File Encryption
100462  Unable to connect to PolicyServer.  Full Disk Encryption, File Encryption, PolicyServer
101001  The network connection is not working. Unable to get policy files from PolicyServer.  Full Disk Encryption, File Encryption, PolicyServer
101002  Corrupted PAF (DAFolder.xml) file  Full Disk Encryption, File Encryption, PolicyServer
105000  Unable to synchronize policies with client. Verify that there is a network connection and try again.  Full Disk Encryption, File Encryption, PolicyServer
200400  Device added  PolicyServer
200401  Device deleted  PolicyServer
200402  Device added to group  PolicyServer
200403  Device removed from group  PolicyServer
200404  Device modified  PolicyServer
200405  Device status updated  PolicyServer
200406  Device status reset  PolicyServer
200407  Device Kill Issued  Full Disk Encryption, File Encryption, PolicyServer
200408  Device Lock Issued  Full Disk Encryption, File Encryption, PolicyServer
200409  Device Synchronized  PolicyServer
904012  User Not Allowed To Register New Device  PolicyServer
1000052  Uninstall of product  Full Disk Encryption, File Encryption
1000053  Product Uninstall Denied By Policy  Full Disk Encryption, File Encryption
907001  Database corruption  Full Disk Encryption
907002  Database fixed successfully  Full Disk Encryption
907003  Unable to fix database  Full Disk Encryption
907004  Data disk database corruption  Full Disk Encryption
907005  Data disk database fixed successfully  Full Disk Encryption
907006  Unable to fix data disk database  Full Disk Encryption

Error Alerts

Message ID  Description  Applications

100005  General Error  Full Disk Encryption, File Encryption, PolicyServer
100006  Application Error  Full Disk Encryption, File Encryption, PolicyServer

Full Disk Encryption Activity Alerts

Message ID  Description  Applications

300700  Device log maximum size limit reached, event log truncated.  Full Disk Encryption
400001  User has successfully logged in.  Full Disk Encryption
400002  User login failed.  Full Disk Encryption
400003  Device decryption started.  Full Disk Encryption
400004  Device Encryption Started.  Full Disk Encryption
400005  Mounted encrypted partition.  Full Disk Encryption
400006  Restored native OS MBR.  Full Disk Encryption
400007  Restored Application MBR.  Full Disk Encryption
400008  Device encryption complete  Full Disk Encryption
400009  Device Decryption Completed  Full Disk Encryption
400010  Device Encryption In Progress  Full Disk Encryption
400011  System MBR Corrupt  Full Disk Encryption
400012  System Pre-boot Kernel Deleted  Full Disk Encryption
401000  Recovery Console accessed  Full Disk Encryption
401009  Recovery Console error  Full Disk Encryption
401010  Decryption in place started  Full Disk Encryption
401011  Decryption in place stopped  Full Disk Encryption
401012  Decryption in place complete  Full Disk Encryption
401013  Decryption of removable device started  Full Disk Encryption
401014  Decryption to removable device stopped  Full Disk Encryption
401015  Decryption to removable device complete  Full Disk Encryption
401018  Decryption in place error  Full Disk Encryption
401019  Decryption to removable device error  Full Disk Encryption
401020  Encrypted files accessed  Full Disk Encryption
401021  Encrypted files modified  Full Disk Encryption
401022  Encrypted files copied to removable device  Full Disk Encryption
401029  Encrypted files access error  Full Disk Encryption
401030  Network administration accessed  Full Disk Encryption
401031  PolicyServer address changed  Full Disk Encryption
401032  PolicyServer port number changed  Full Disk Encryption
401033  Switched to IPv6  Full Disk Encryption
401034  Switched to IPv4  Full Disk Encryption
401035  Switched to dynamic IP configuration  Full Disk Encryption
401036  Switched to static IP configuration  Full Disk Encryption
401037  DHCP port number changed  Full Disk Encryption
401038  IP address changed  Full Disk Encryption
401039  Subnet mask changed  Full Disk Encryption
401040  Broadcast address changed  Full Disk Encryption
401041  Gateway changed  Full Disk Encryption
401042  Domain name changed  Full Disk Encryption
401043  Domain name servers changed  Full Disk Encryption
401049  Network administration error  Full Disk Encryption
401050  User administration accessed  Full Disk Encryption
401051  User added  Full Disk Encryption
401052  User removed  Full Disk Encryption
401053  User modified  Full Disk Encryption
401069  User administration error  Full Disk Encryption
401070  Locally stored logs accessed  Full Disk Encryption
401079  Locally stored logs access error  Full Disk Encryption
401080  Original MBR restored  Full Disk Encryption
401089  Original MBR restoration error  Full Disk Encryption
401090  Default theme restored  Full Disk Encryption
401099  Default theme restoration error  Full Disk Encryption
402000  Application Startup  Full Disk Encryption
402001  Application Shutdown  Full Disk Encryption
600001  Update was successful in the Pre-boot.  Full Disk Encryption
600002  Pre-boot Update failed  Full Disk Encryption
905003  Move disk successful FDE  Full Disk Encryption
905004  Move disk failed  Full Disk Encryption

Installation Alerts

Message ID  Description  Applications

100004  Install Error  Full Disk Encryption, File Encryption, PolicyServer
100020  Successful Installation  Full Disk Encryption, File Encryption, PolicyServer
905002  Install disks failed  Full Disk Encryption
905003  Move disk successful  Full Disk Encryption

Login / Logout Alerts

Message ID  Description  Applications

100013  Failed Login Attempt  Full Disk Encryption, File Encryption, PolicyServer
100014  Successful Login  Full Disk Encryption, File Encryption, PolicyServer
100016  Unable to log in. Use Remote Authentication to provide the PolicyServer Administrator with a challenge code.  Full Disk Encryption, File Encryption, PolicyServer
100021  Unsuccessful ColorCode Login  Full Disk Encryption, File Encryption, PolicyServer
100022  Unsuccessful Fixed Password Login  Full Disk Encryption, File Encryption, PolicyServer
100023  Unsuccessful PIN Login  Full Disk Encryption, File Encryption, PolicyServer
100024  Unsuccessful X99 Login  Full Disk Encryption, File Encryption, PolicyServer
100028  Successful ColorCode Login  Full Disk Encryption, File Encryption, PolicyServer
100031  Successful X9.9 Login  Full Disk Encryption, File Encryption, PolicyServer
100032  Successful Remote Login  Full Disk Encryption, File Encryption, PolicyServer
100035  Successful WebToken Login  Full Disk Encryption, File Encryption, PolicyServer
100036  Unsuccessful WebToken Login  Full Disk Encryption, File Encryption, PolicyServer
100050  Fixed Password login blocked due to lockout.  Full Disk Encryption, File Encryption, PolicyServer
100051  User Login Successfully Unlocked  Full Disk Encryption, File Encryption, PolicyServer
100057  LDAP User Authentication Succeeded  Full Disk Encryption, File Encryption, PolicyServer
100058  LDAP User Authentication Failed  Full Disk Encryption, File Encryption, PolicyServer
100059  LDAP User Password Change Succeeded  Full Disk Encryption, File Encryption, PolicyServer
100060  LDAP User Password Change Failed  Full Disk Encryption, File Encryption, PolicyServer
100061  Access request aborted due to failed policy integrity check.  Full Disk Encryption, File Encryption, PolicyServer
100070  Successful Logout  Full Disk Encryption, File Encryption, PolicyServer
100433  The ColorCode passwords do not match.  Full Disk Encryption, File Encryption, PolicyServer
100434  Unable to change ColorCode. The new ColorCode must be different than the current one.  Full Disk Encryption, File Encryption, PolicyServer
100435  Unable to change ColorCode. The new ColorCode must meet the minimum length requirements defined by PolicyServer.  Full Disk Encryption, File Encryption, PolicyServer
100436  Unable to change ColorCode. The new ColorCode must be different than any previous ColorCode used.  Full Disk Encryption, File Encryption, PolicyServer
100437  ColorCode Change Failure - Internal Error  Full Disk Encryption, File Encryption, PolicyServer
100459  X9.9 Password Change Failure - Unable to connect to PolicyServer Host  Full Disk Encryption, File Encryption, PolicyServer
100460  X9.9 Password Change Failure - Empty Serial Number  Full Disk Encryption, File Encryption, PolicyServer
100461  X9.9 Password Change Failure - Internal Error  Full Disk Encryption, File Encryption, PolicyServer
101004  Unable to reset locked device.  Full Disk Encryption, File Encryption, PolicyServer
104000  Smart Card login successful.  Full Disk Encryption, File Encryption, PolicyServer
104001  Smart Card login unsuccessful. Check that the card is seated properly and that the Smart Card PIN is valid.  Full Disk Encryption, File Encryption, PolicyServer

Mobile Device Alerts

Message ID  Description  Applications

100037  Palm Policy Database is missing  Full Disk Encryption, File Encryption, or PolicyServer
100038  Palm Encryption Error  Full Disk Encryption, File Encryption, or PolicyServer
100039  PPC Device Encryption Changed  Full Disk Encryption, File Encryption, or PolicyServer
100040  PPC Encryption Error  Full Disk Encryption, File Encryption, or PolicyServer

OCSP Alerts

Message ID  Description  Applications

104005  OCSP certificate status good.  Full Disk Encryption, File Encryption, PolicyServer
104006  OCSP certificate status revoked.  Full Disk Encryption, File Encryption, PolicyServer
104007  OCSP certificate status unknown.  Full Disk Encryption, File Encryption, PolicyServer

OTA Alerts

Message ID  Description  Applications

100041  OTA Object Missing or Corrupt.  Full Disk Encryption, File Encryption, PolicyServer
100042  OTA Sync Successful  Full Disk Encryption, File Encryption, PolicyServer
100043  OTA Device Killed  Full Disk Encryption, File Encryption, PolicyServer

Password Alerts

Message ID  Description  Applications

100017  Change Password Error  Full Disk Encryption, File Encryption, PolicyServer
100018  Password Attempts Exceeded  Full Disk Encryption, File Encryption, PolicyServer
100025  Password Reset to ColorCode  Full Disk Encryption, File Encryption, PolicyServer
100026  Password Reset to Fixed  Full Disk Encryption, File Encryption, PolicyServer
100027  Password Reset to PIN  Full Disk Encryption, File Encryption, PolicyServer
100029  Successful Fixed Password Login  Full Disk Encryption, File Encryption, PolicyServer
100030  Successful PIN Password Login  Full Disk Encryption, File Encryption, PolicyServer
100033  Unable to Reset Password  Full Disk Encryption, File Encryption, PolicyServer
100432  Unable to change password. The new password must be different than the current password.  Full Disk Encryption, File Encryption, PolicyServer
100439  Unable to change password. The passwords do not match.  Full Disk Encryption, File Encryption, PolicyServer
100441  Unable to change password. The password field cannot be empty.  Full Disk Encryption, File Encryption, PolicyServer
100442  Unable to change password. The password does not meet the minimum length requirements defined by PolicyServer.  Full Disk Encryption, File Encryption, PolicyServer
100443  Unable to change password. Numbers are not permitted.  Full Disk Encryption, File Encryption, PolicyServer
100444  Unable to change password. Letters are not permitted.  Full Disk Encryption, File Encryption, PolicyServer
100445  Unable to change password. Special characters are not permitted.  Full Disk Encryption, File Encryption, PolicyServer
100446  Unable to change password. The password cannot contain the user name.  Full Disk Encryption, File Encryption, PolicyServer
100447  Unable to change password. The password does not contain enough special characters.  Full Disk Encryption, File Encryption, PolicyServer
100448  Unable to change password. The password does not contain enough numbers.  Full Disk Encryption, File Encryption, PolicyServer
100449  Unable to change password. The password does not contain enough characters.  Full Disk Encryption, File Encryption, PolicyServer
100450  Unable to change password. The password contains too many consecutive characters.  Full Disk Encryption, File Encryption, PolicyServer
100451  Unable to change password. The new password must be different than any previous password used.  Full Disk Encryption, File Encryption, PolicyServer
100452  Password Change Failure - Internal Error  Full Disk Encryption, File Encryption, PolicyServer
101003  Successfully changed Fixed Password.  Full Disk Encryption, File Encryption, PolicyServer

PIN Change Alerts

Message ID  Description  Applications

100438  Unable to change PIN. The PINs do not match.  Full Disk Encryption, File Encryption, PolicyServer
100440  Unable to change PIN. One of the fields are empty.  Full Disk Encryption, File Encryption, PolicyServer
100453  Unable to change PIN. The PINs do not match.  Full Disk Encryption, File Encryption, PolicyServer
100454  Unable to change PIN. The new PIN cannot be the same as the old PIN.  Full Disk Encryption, File Encryption, PolicyServer
100455  Unable to change PIN. The new PIN does not meet the minimum length requirements defined by PolicyServer.  Full Disk Encryption, File Encryption, PolicyServer
100456  Unable to change PIN. The PIN cannot contain the user name.  Full Disk Encryption, File Encryption, PolicyServer
100457  Unable to change PIN. The new PIN must be different than any previous PIN used.  Full Disk Encryption, File Encryption, PolicyServer
100458  PIN Change Failure - Internal Error  Full Disk Encryption, File Encryption, PolicyServer

Smart Card Alerts

Message ID  Description  Applications

104002  Registered SmartCard.  Full Disk Encryption, File Encryption, PolicyServer
104004  Unable to register Smart Card. Check that the card is seated properly and that the Smart Card PIN is valid.  Full Disk Encryption, File Encryption, PolicyServer
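The Message ID tables above are what an administrator matches on when reviewing a PolicyServer log export. The following Python script is an added example and is not part of this guide or of the product: it parses a constructed log layout (this guide does not document the PSDM or psdedebug.log file format, so the line format, the sample lines, and the user and device names are assumptions), groups events by the alert categories listed above, flags the integrity-check failures, lockouts, revoked certificates and device kills a reviewer should look at first, and reports accounts that are accumulating failed logins before a 100049 lockout is recorded.

```python
"""Triage PolicyServer events by Message ID (added example, not product code).

The Message IDs, descriptions and alert categories below are taken from the
PolicyServer Message ID tables in this appendix. The log line layout is
CONSTRUCTED for this example: the guide does not document the PSDM or
psdedebug.log format, so adapt LINE_RE to whatever your export looks like.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Category of each Message ID, as grouped by the tables (subset used here).
CATEGORY = {
    100049: "Administrator", 100052: "Administrator", 100053: "Administrator",
    100054: "Administrator", 100055: "Administrator", 100056: "Administrator",
    100013: "Login / Logout", 100014: "Login / Logout", 100061: "Login / Logout",
    103100: "Audit Log", 103101: "Audit Log", 103102: "Audit Log",
    104006: "OCSP", 200407: "Device", 200408: "Device",
    400002: "Full Disk Encryption Activity",
}

# IDs worth an immediate look: policy/audit integrity failures, admin lockout,
# a revoked certificate, and a remote kill being issued to a device.
HIGH_PRIORITY = {100049, 100052, 100053, 100054, 100061,
                 103100, 103101, 103102, 104006, 200407}

# Constructed layout (an assumption, not the product's own format):
#   <ISO-8601 timestamp> <message id> user=<name> device=<id> <description>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<id>\d{6,7})\s+user=(?P<user>\S+)\s+"
    r"device=(?P<device>\S+)\s+(?P<text>.*)$"
)

# Constructed sample export: one admin account failing three times and then
# being locked (100049), a user with two widely spaced failures, and an audit
# log integrity alert (103102). The last line is deliberately not an event.
SAMPLE_LOG = """\
2018-08-01T10:15:02 100014 user=jdoe device=LAPTOP-01 Successful Login
2018-08-01T10:16:10 100056 user=admin1 device=PS-CONSOLE Admin Authentication Failed
2018-08-01T10:16:40 100056 user=admin1 device=PS-CONSOLE Admin Authentication Failed
2018-08-01T10:17:05 100056 user=admin1 device=PS-CONSOLE Admin Authentication Failed
2018-08-01T10:17:30 100049 user=admin1 device=PS-CONSOLE Admin User locked due to too many failed logins.
2018-08-01T10:20:00 100013 user=jdoe device=LAPTOP-01 Failed Login Attempt
2018-08-01T10:31:00 100013 user=jdoe device=LAPTOP-01 Failed Login Attempt
2018-08-01T10:45:12 103102 user=- device=PS-CONSOLE Audit Log Record Integrity Compromised
this line is not a PolicyServer event and is skipped
"""


def parse_line(line):
    """Parse one line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg_id = int(m["id"])
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "id": msg_id,
        "user": m["user"],
        "device": m["device"],
        "text": m["text"],
        "category": CATEGORY.get(msg_id, "Unknown"),
    }


def parse_log(lines):
    """Parse all lines, dropping anything that is not an event."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def summarize(lines):
    """Count events per alert category: a first look at a large export."""
    return Counter(e["category"] for e in parse_log(lines))


def triage(lines, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (high_priority_events, lockout_candidates).

    high_priority_events: events whose ID is in HIGH_PRIORITY, in log order.
    lockout_candidates: {user: count} for users with at least `fail_threshold`
    failed logins (100013 or 100056) inside `window`, i.e. accounts on the way
    to the 100049 lockout that the Administrator Alerts table documents.
    """
    events = parse_log(lines)
    high = [e for e in events if e["id"] in HIGH_PRIORITY]

    failures = defaultdict(list)
    for e in events:
        if e["id"] in (100013, 100056):
            failures[e["user"]].append(e["ts"])

    candidates = {}
    for user, times in failures.items():
        times.sort()
        # Sliding window: for each failure, count the failures that follow it
        # within `window`; report the first run that reaches the threshold.
        for i, start in enumerate(times):
            run = sum(1 for t in times[i:] if t - start <= window)
            if run >= fail_threshold:
                candidates[user] = run
                break
    return high, candidates


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
    high, candidates = triage(SAMPLE_LOG.splitlines())
    for e in high:
        print(f"[{e['category']}] {e['ts']} {e['id']} {e['user']}@{e['device']}: {e['text']}")
    print("accounts approaching lockout:", candidates)
```

On the constructed sample, summarize() reports four Administrator events, three Login / Logout events and one Audit Log event; triage() returns the 100049 lockout and the 103102 integrity alert as high-priority, and names admin1 (three failures in under a minute) but not jdoe (two failures eleven minutes apart) as an account approaching lockout. The threshold and window are parameters because the matching PolicyServer policies (Failed Login Attempts Allowed, Account Lockout Period) are set per environment.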


Appendix C

Endpoint Encryption Services

The following table describes all Endpoint Encryption services. Use it to understand which services control which Endpoint Encryption agent or feature and to troubleshoot a problem.


Table C-1. Endpoint Encryption Services

Platform: PolicyServer

Service or Daemon Name: PolicyServerWindowsService
Display Name: PolicyServerWindowsService
Description: Manages communication between Endpoint Encryption services and databases.
File Name: PolicyServerWindowService.exe

Service or Daemon Name: TMEEService
Display Name: Endpoint Encryption Service
Description: Manages Endpoint Encryption agent 5.0 (and above) communication in an encrypted channel (RESTful).
File Name: TMEEService.exe

Service or Daemon Name: IIS/MAWebService2
Display Name: Legacy Web Service
Description: Manages Endpoint Encryption agent 3.1.3 (and older) communication in an encrypted channel (SOAP).
File Name: N/A

Service or Daemon Name: TMEEForward
Display Name: TMEEForward
Description: Forwards traffic from Endpoint Encryption 6.0 Patch 1 agents to PolicyServer.
File Name: TMEEForward.exe

Service or Daemon Name: TMEEProxyWindowsService
Display Name: PolicyServer LDAProxy Windows Service
Description: Provides secure communications from Trend Micro PolicyServer to remote LDAP servers.
File Name: LDAProxyWindowsServices.exe

Platform: Full Disk Encryption

Service or Daemon Name: DrAService
Display Name: Trend Micro Full Disk Encryption
Description: Provides Trend Micro endpoint security and full disk encryption.
File Name: DrAService.exe

Platform: Encryption Management for Microsoft BitLocker

Service or Daemon Name: FDE_MB
Display Name: Trend Micro Full Disk Encryption, Encryption Management for Microsoft BitLocker
Description: Provides data security for endpoints using Microsoft BitLocker.
File Name: FDEforBitLocker.exe

Platform: Encryption Management for Apple FileVault

Service or Daemon Name: Daemon: TMFDEMM; Agent: Trend Micro Full Disk Encryption
Display Name: Trend Micro Full Disk Encryption, Encryption Management for Apple FileVault
Description: Provides endpoint security for endpoints using Apple FileVault.

Platform: File Encryption

Service or Daemon Name: FileEncryptionService
Display Name: Trend Micro File Encryption
Description: Provides Trend Micro endpoint security and data protection for files, folders, and removable media devices.
File Name: FEService.exe


Appendix D

Policy Mapping Between Management Consoles

Administrators may manage Endpoint Encryption using only PolicyServer MMC, or manage Endpoint Encryption using Control Manager for policy, user and device management and PolicyServer MMC for advanced log management and reporting.

The following tables explain how policies are mapped between PolicyServer MMC and Control Manager. For environments using Control Manager to manage PolicyServer, use PolicyServer MMC to control any policy not listed in the table.

Table D-1. Full Disk Encryption Policy Mapping

Control Manager Label  PolicyServer MMC Path

Encryption
Encrypt endpoint  Full Disk Encryption > Encryption > Encrypt Device

Client Settings
Bypass Full Disk Encryption preboot  Full Disk Encryption > Login > Preboot Bypass
Users are allowed to access system recovery tools on the device  Full Disk Encryption > Agent > Allow User Recovery

Notifications
If the endpoint is found, display the following message  Full Disk Encryption > Login > If Found
Display Technical Support contact information  Full Disk Encryption > Login > Support Info
Show legal notice  Full Disk Encryption > Login > Legal Notice
Show legal notice > Installation; Show legal notice > Startup  Full Disk Encryption > Login > Legal Notice > Legal Notice > Legal Notice Display Time
Show legal notice  Full Disk Encryption > Login > Legal Notice > Legal Notice > Legal Notice Text

Table D-2. File Encryption Policy Mapping

Control Manager Label  PolicyServer MMC Path

Folders to Encrypt
Folders to Encrypt text box  File Encryption > Encryption > Specify Folders to Encrypt

Encryption Key Used
Encryption Key Used  File Encryption > Encryption > Encryption Key Used

Storage Devices
Disable optical drives  File Encryption > Encryption > Disable Optical Drive
Disable USB drives  File Encryption > Encryption > Removable Media > Disable USB Drive
Encrypt all files and folders on USB drives  File Encryption > Encryption > Removable Media > Fully Encrypt Device
Specify the file path to encrypt on USB devices  File Encryption > Encryption > Removable Media > Folders to Encrypt On Removable Media

Notifications
Show legal notice  File Encryption > Login > Legal Notice
Show legal notice > Installation; Show legal notice > Startup  File Encryption > Login > Legal Notice > Legal Notice Display Time
Show legal notice text box  File Encryption > Login > Legal Notice > Legal Notice Text

Table D-3. Common Policy Mapping

Control Manager Label / PolicyServer MMC Path

Allow User to Uninstall

  Allow non-administrator accounts to uninstall agent software
    • Full Disk Encryption > Agent > Allow User to Uninstall
    • File Encryption > Agent > Allow User to Uninstall

Lockout and Lock Device Actions

  Lock account after <number> days
    Full Disk Encryption > Login > Account Lockout Period

  Account lockout action
    Full Disk Encryption > Login > Account Lockout Action

  Failed logon attempts allowed
    Full Disk Encryption > Login > Failed Login Attempts Allowed

  Full Disk Encryption: Device locked action
    Full Disk Encryption > Login > Device Locked Action

  Full Disk Encryption: Number of minutes to lock device
    Full Disk Encryption > Login > Lock Device Time Delay

  File Encryption: Device locked action
    File Encryption > Login > Device Locked Action

  File Encryption: Number of minutes to lock device
    File Encryption > Login > Lock Device Time Delay

Password

  User must change password after <number> days
    Common > Authentication > Local Login > User Password > Change Password Every

  User cannot reuse the previous <number> passwords
    Common > Authentication > Local Login > User Password > Password History Retention

  Number of consecutive characters allowed in a password
    Common > Authentication > Local Login > User Password > Consecutive Characters Allowed

  Minimum length allowed for passwords
    Common > Authentication > Local Login > User Password > Minimum Length

Password Character Requirements

  Letters
    Common > Authentication > Local Login > User Password > Require How Many Characters

  Lowercase characters
    Common > Authentication > Local Login > User Password > Require How Many Lower Case Characters

  Uppercase characters
    Common > Authentication > Local Login > User Password > Require How Many Upper Case Characters

  Numbers
    Common > Authentication > Local Login > User Password > Require How Many Numbers

  Symbols
    Common > Authentication > Local Login > User Password > Require How Many Special Characters

Table D-4. Remote Help Policy Locations

Policy Name / PolicyServer MMC Menu Path / Control Manager Menu Path

  Account Lockout Action
    PolicyServer MMC: Login > Account Lockout Action
    Control Manager: Common > Lockout and Lock Device Actions > Account Lockout Action

  Account Lockout Period
    PolicyServer MMC: Login > Account Lockout Period
    Control Manager: Common > Lockout and Lock Device Actions > Lock account after [ ] days

  Device Locked Action
    PolicyServer MMC (for each agent): Login > Device Locked Action
    Control Manager (for each agent): Common > Lockout and Lock Device Actions > Device locked action

  Failed Login Attempts Allowed
    PolicyServer MMC (for each agent): Login > Failed Login Attempts Allowed
    Control Manager (for each agent): Common > Lockout and Lock Device Actions > Failed logon attempts allowed

Appendix E

Glossary

The following table explains the terminology used throughout the Endpoint Encryption documentation.

Table E-1. Endpoint Encryption Terminology

Term / Description

Agent
    Software installed on an endpoint that communicates with a management server.

Authentication
    The process of identifying a user.

ColorCode™
    The authentication method requiring a color-sequence password.

Command Builder
    A Trend Micro tool to generate scripts used to install PolicyServer and Endpoint Encryption agents for automatic or mass deployments.

Command Line Helper
    A Trend Micro tool for creating encrypted values to secure credentials used by Endpoint Encryption agent installation scripts.

Control Manager
    Trend Micro Control Manager is a central management console that manages Trend Micro products and services at the gateway, mail server, file server, and corporate desktop levels.


Device
    Any computer, laptop, or removable media (external drive, USB drive) managed by Endpoint Encryption.

Domain authentication
    The authentication method for single sign-on (SSO) using Active Directory.

DriveTrust™
    Hardware-based encryption technology by Seagate™.

Encryption Management for Microsoft BitLocker
    The Endpoint Encryption Full Disk Encryption agent for Microsoft Windows environments that simply need to enable Microsoft BitLocker on the hosting endpoint.

    Use the Encryption Management for Microsoft BitLocker agent to secure endpoints with Trend Micro full disk encryption protection in an existing Windows infrastructure.

Encryption Management for Apple FileVault
    The Endpoint Encryption Full Disk Encryption agent for Mac OS environments that simply need to enable Apple FileVault on the hosting endpoint.

    Use the Encryption Management for Apple FileVault agent to secure endpoints with Trend Micro full disk encryption protection in an existing Mac OS infrastructure.

Endpoint Encryption Service
    The PolicyServer service that securely manages all Endpoint Encryption 6.0 Patch 1 agent communication.

    For Endpoint Encryption 3.1.3 and below agent communication, see Legacy Web Service.

Enterprise
    The Endpoint Encryption Enterprise is the unique identifier about the organization in the PolicyServer database configured during PolicyServer installation. One PolicyServer database may have multiple Enterprise configurations. However, Endpoint Encryption configurations using Control Manager may only have one Enterprise.

File Encryption
    The Endpoint Encryption agent for file and folder encryption on local drives and removable media.

    Use File Encryption to protect files and folders located on virtually any device that appears as a drive within the host operating system.


Fixed password
    The authentication method for using a standard user password consisting of letters and/or numbers and/or special characters.

Full Disk Encryption
    The Endpoint Encryption agent for hardware and software encryption with preboot authentication. Full Disk Encryption secures data files, applications, registry settings, temporary files, swap files, print spoolers, and deleted files on any Windows endpoint. Strong preboot authentication restricts access vulnerabilities until the user is validated.

Legacy Web Service
    The PolicyServer service that securely manages all Endpoint Encryption 3.1.3 and below agent communication. For details, see About PolicyServer on page 2-8.

    For Endpoint Encryption 6.0 Patch 1 communication, see Endpoint Encryption Service.

OfficeScan
    OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks. An integrated solution, OfficeScan consists of an agent that resides at the endpoint and a server program that manages all agents.

OPAL
    Trusted Computing Group's Security Subsystem Class for client devices.

Password
    Any type of authentication data used in combination with a user name, such as fixed, PIN, and ColorCode.

PIN
    The authentication method for using a Personal Identification Number, commonly used for ATM transactions.

PolicyServer
    The central management server that deploys encryption and authentication policies to the Endpoint Encryption agents.

Remote Help
    The authentication method for helping Endpoint Encryption users who forget their credentials or Endpoint Encryption devices that have not synchronized policies within a pre-determined amount of time.


Recovery Console
    The Full Disk Encryption interface to recover Endpoint Encryption devices in the event of primary operating system failure, troubleshoot network issues, and manage users, policies, and logs.

Recovery Tool
    A bootable disk used to repair a device if the device is unable to boot. The Recovery Tool is distributed as an ISO file in the Full Disk Encryption installation package.

SED
    A self-encrypting drive. SEDs provide "hardware-based encryption", as opposed to the type of encryption that Full Disk Encryption provides, which is referred to as "software-based encryption".

Self Help
    The authentication method for helping Endpoint Encryption users provide answers to security questions instead of contacting Technical Support for password assistance.

Smart card
    The authentication method requiring a physical card in conjunction with a PIN or fixed password.

Index

A

about
  authentication, 5-2
  Encryption Management for Microsoft BitLocker, 8-5
  Endpoint Encryption Service, 2-8
  Legacy Web Service, 2-8
  PolicyServer, 2-8, 3-1
  widgets, 4-4
Accessibility
  on-screen keyboard, 6-9
Active Directory, 2-14, 3-24
  configuration, 3-25
  import users, 3-27, 4-12
  overview, 3-24
agents, 2-11
appendices, 1
authentication, 2-3, 2-13
  about, 5-2
  change method, 6-10
  changing password, 7-12
  ColorCode, 2-13, 2-14, 6-13
  domain, 2-14
  domain authentication, 2-13
  File Encryption, 7-2, 7-14
  fixed password, 2-13, 2-15
  Full Disk Encryption, 6-5
  LDAP, 2-14
  PIN, 2-15
  prerequisites, 2-14
  remote help, 6-15
  Remote Help, 2-13, 2-15, 6-15
  security options, 7-16
  Self Help, 2-13, 2-16, 6-17, 6-19
    answers, 6-19
  setup requirements, 2-14
  single sign-on, 7-15
  smart card, 2-16, 6-16
authentication methods, 2-13

C

central management, 2-3
changing passwords, 6-11
ColorCode, 2-14, 6-13
Command Line Helper, 6-3, 6-24, 6-25
Command Line Helper Installer, 6-3
Computer
  Network Information, 6-8
configuring proxy settings
  managed server list, 3-23
Control Manager, 3-18
  agent, 3-19
  mail server, 3-18
  MCP, 3-19
  policies, 5-1
  report server, 3-18
  SQL database, 3-18
  Trend Micro Management Infrastructure, 3-19
  web-based management console, 3-19
  web server, 3-18
  widget framework, 3-20
Control Manager integration, 2-9

D

DAAutoLogin, 6-3, 6-24
dashboard, 4-1
data protection, 2-1
data recovery, 9-25
Decrypt Disk, 9-11
decryption
  Recovery Console, 9-11
deleting
  tabs, 4-3
demilitarized zone, 6-22
device, 2-3
devices
  Endpoint Encryption Devices widget, 4-13
  lock, 5-25
Diagnostic Monitor, A-2
documentation feedback, 11-6
domain authentication, 2-14
  File Encryption, 7-15
draft policies, 5-9

E

encryption
  features, 2-3
  file and folder, 7-1
  file encryption, 7-1
  full disk, 6-1
  hardware-based, 6-1
  software-based, 6-1
Encryption Management for Apple FileVault
  about, 8-13
  supported operating systems, 3-15
  system requirements, 3-15
Encryption Management for Microsoft BitLocker
  about, 8-5
  supported operating systems, 3-13
  system requirements, 3-13
Endpoint Encryption, 2-1
  tools, 6-3
enhancements, 2-4
error messages
  authentication, 7-16

F

File Encryption, 7-1
  authentication, 7-14
    domain, 7-15
    first-time, 7-2
  changing password, 7-12
  first-time use, 7-2
  PolicyServer sync, 6-4, 7-10
  Remote Help, 7-13
  reset password, 7-10, 7-16
  secure delete, 7-10
  single sign-on, 7-15
  system requirements, 3-13
  tray icon
    about, 7-10
  unlock device, 7-13
filtered policies, 5-9
fixed password, 2-15
Full Disk Encryption, 6-1
  authentication, 2-16, 6-17
  changing password, 6-11
  change, 9-19
  changing enterprises, 9-17
  connectivity, 6-22
  context menu, 6-4
  Decrypt Disk, 9-11
  menu options, 6-5
  Network, 9-17
  network configuration, 9-17
  network troubleshooting, 9-22
  patching, 6-26
  PolicyServer settings, 6-22
  port settings, 6-22
  Recovery Console, 9-7
    manage policies, 9-16
    manage users, 9-14
    Windows, 9-8
  recovery methods, 9-3
  Recovery Tool, 9-23
  Remote Help, 6-15
  Self Help, 6-18
  synchronize policies, 6-22
  system requirements, 3-9–3-11
  TCP/IP access, 6-22
  tools, 6-3
  tray icon
    about, 6-4
  uninstall, 9-3
  Windows patches, 6-24
Full Disk Encryption Preboot, 6-5
  authentication, 6-10
  keyboard layout, 6-10
  menu options, 6-5
  network connectivity, 6-6
  Network Information, 6-8
  on-screen keyboard, 6-9
  wireless connection, 6-6

H

hardware based encryption, 3-9–3-11, 3-13, 3-15

K

key features, 2-3

L

LDAP, 2-14
logs, 9-16

M

managed server list
  configuring proxy settings, 3-23
management consoles, 2-9
MBR
  replacing, 9-13
MCP, 3-19
modifying
  tabs, 4-3

N

network
  troubleshooting, 9-22
network information, 6-8
Network Setup, 9-17

O

on-screen keyboard, 6-9
OPAL, 3-9–3-11, 3-13

P

passwords, 2-3
  Remote Help, 9-31
pending targets, 5-7
Personal Identification Number (PIN), 2-15
PIN, 2-13
policies, 2-3, 5-1
  allow user recovery, 9-7
  common, 5-22
  File Encryption, 5-19
  Full Disk Encryption, 5-15, 6-22
  policy mapping, D-1
  synchronization, 6-1
  synchronizing, 6-22
  user, 5-13
policy list, 5-5
policy management, 5-7
  draft policies, 5-9
  filtered policies, 5-9
  pending targets, 5-7
  policy list, 5-5
  policy priority, 5-6, 5-9
  specified policies, 5-9
  targets, 5-6
  understanding, 5-7
policy mapping
  Control Manager, D-1
  PolicyServer, D-1
policy priority, 5-6
PolicyServer
  AD synchronization, 3-24
  getting started, 3-1
  Remote Help, 9-31
  requirements
    accounts, 3-8
    files, 3-7, 3-8
    SQL, 3-2
  setup files, 3-7, 3-8
  software requirements, 3-6, 3-7
  SQL accounts, 3-8
  SQL requirements, 3-2
  system requirements
    hardware, 3-2
PolicyServer Change Settings Tool, A-6
PolicyServer MMC, 2-11
policy targets, 5-6
policy types
  draft, 5-9
  filtered, 5-9
  policy priority, 5-6
  specified, 5-9
product definitions, E-1
proxy settings
  managed server list, 3-23

R

recovery console
  logon, 9-8
Recovery Console, 9-5
  access, 9-7
    Windows, 9-8
  changing enterprises, 9-17
  changing PolicyServer, 9-19
  Decrypt Disk, 9-11
  functions, 9-5
  log on, 9-7
  manage policies, 9-16
  manage users, 9-14
  Mount Partitions, 9-12
  Network, 9-17
  network configuration, 9-17
  network troubleshooting, 9-22
  recovery methods, 9-3
  Restore Boot, 9-13
  users
    add, 9-15
    delete, 9-16
    edit, 9-14
  view logs, 9-16
  Wi-Fi, 9-20
recovery methods, 9-3
Recovery Tool, 9-23
  repair, 9-25
  scan, 9-25
Remote Help, 2-15, 6-15, 7-16, 9-31
Repair CD, 6-3, 9-3, 9-23
reporting, 2-1, 2-3
Restore Boot, 9-13

S

Seagate DriveTrust drives, 3-9–3-11, 3-13
security
  account lock, 2-15, 6-15
  account lockout action, 2-15, 6-15
  account lockout period, 2-15, 6-15
  device lock, 2-15, 6-15
  erase device, 7-16
  failed login attempts allowed, 2-15, 6-15
  remote authentication required, 7-16
  time delay, 7-16
Self Help, 2-16, 6-17
  answers, 6-19
  defining answers, 6-18
smart card, 2-16, 6-16
smart cards, 2-16, 6-16
specified policies, 5-9
  priority, 5-9
SSO, 2-14
summary dashboard
  adding tabs, 4-2
  deleting tabs, 4-3
  modifying tabs, 4-3
  tabs, 4-2
support
  resolve issues faster, 11-4
system requirements
  Encryption Management for Apple FileVault, 3-15
  Encryption Management for Microsoft BitLocker, 3-13
  File Encryption, 3-13
  Full Disk Encryption, 3-9–3-11
  PolicyServer, 3-2, 3-6, 3-7
  PolicyServer MMC, 3-9

T

tabs
  about, 4-2
  deleting, 4-3
  modifying, 4-3
  summary dashboard, 4-2
targets, 5-6
  pending, 5-7
terminology, E-1
tokens, 6-17
tools
  Command Line Helper, 6-24
  DAAutoLogin, 6-24
  Recovery, 9-23
  Recovery Console, 9-17

U

users, 5-3
  import from AD, 3-27, 4-12
  lockout, 5-25

V

VMware Virtual Infrastructure, 3-2

W

what's new, 2-4
widgets
  adding, 4-5
  adding tabs, 4-2
  configuring, 4-6
  Endpoint Encryption Device Lockout, 4-25
  Endpoint Encryption Security Violations Report, 4-28
  Endpoint Encryption Status, 4-19
  Endpoint Encryption Unsuccessful Device Logon, 4-21
  Endpoint Encryption Unsuccessful User Logon, 4-24
  options, 4-6
  understanding, 4-4
Wi-Fi, 6-6, 9-20
Windows patch management, 6-24