What's New

Trend Micro Endpoint Encryption 5.0 Patch 4 offers the following new features and enhancements.

Table 1. What's New in Endpoint Encryption 5.0 Patch 4

Features / Enhancements

Description

Supported Platform

Endpoint Encryption supports Encryption Management for Apple FileVault agent installation on Mac OS X™ "El Capitan".

Apple Fusion Drive Support

The Encryption Management for Apple FileVault agent supports policies, encryption, decryption, device locking, and device unlocking for Apple Fusion Drives on the following versions of Mac OS X:

  • OS X™ "El Capitan"

  • OS X™ Yosemite

  • OS X™ "Mavericks"

  • OS X™ "Mountain Lion", for builds Mac OS 10.8.2 or later

Language Display in Full Disk Encryption Preboot

The Full Disk Encryption preboot now displays the current keyboard language and allows the user to switch the language directly from the preboot Log On screen.

Full Disk Encryption Recovery Tool

Trend Micro provides a new Recovery Tool that can help users fix issues if they are unable to access Windows or the Full Disk Encryption preboot. The Recovery Tool allows users to do the following:

  • Scan and repair Full Disk Encryption issues that prevent users from logging on Windows

  • Open the Full Disk Encryption preboot if the agent is unable to access the preboot normally

  • Recover files from an encrypted disk

The new Full Disk Encryption Recovery Tool replaces the Repair CD that was provided with previous versions of Endpoint Encryption.

Network and Connection Information in Preboot and Recovery Console

The Full Disk Encryption preboot and Recovery Console include improvements to display network and connection information. This version includes the following specific enhancements:

  • The Full Disk Encryption preboot now includes the new screen Network Information. This screen displays a summary of the current connection status, including hardware, IP address, DNS, and PolicyServer information.

  • The Recovery Console now includes the new screen Troubleshooting. The two tabs on this screen allow you to scan through DHCP client logs and perform traceroutes.

    With this change, the previous Network Setup selection has been renamed to Network. After clicking Network, the two options Setup and Troubleshooting appear. The Setup screen has not been changed this version.

Table 2. What's New in Endpoint Encryption 5.0 Patch 3

Features / Enhancements

Description

Supported Platforms

Endpoint Encryption supports agent installation on the following platforms:

  • Windows 10 (32-bit/64-bit)

    Supported agents: Full Disk Encryption and File Encryption

  • Windows 10 Enterprise and Professional editions (32-bit/64-bit)

    Supported agent: Encryption Management for Microsoft BitLocker

  • Windows Embedded POSReady 7 (32-bit/64-bit)

    Supported agents: Full Disk Encryption, File Encryption, and Encryption Management for Microsoft BitLocker

In-place Windows Upgrade

Endpoint Encryption supports upgrading devices encrypted by Full Disk Encryption to Windows 8.1 and Windows 10 without decrypting the boot device.

To perform an in-place Windows upgrade, you will need to modify the Windows ISO file.

Wi-Fi Settings Enhancements

To prevent users from unintentionally modifying Wi-Fi settings, the Wi-Fi settings have been enhanced as follows:

  • Administrators can apply a policy to prevent or allow users to configure Wi-Fi settings. To modify the Wi-Fi settings policy, on PolicyServer MMC, go to Policies > Full Disk Encryption > Agent > Allow User to Configure Wi-Fi.

  • Wi-Fi settings have been moved to the Recovery Console accessible from the Full Disk Encryption Preboot. To see the Wi-Fi settings, on the preboot Recovery Console, go to the Wi-Fi tab on the Network Setup screen. If users are allowed to configure Wi-Fi settings, users can still use the wireless connection icon () to access Wi-Fi settings.

Active Directory Fine-Grained Password Policy Support

Endpoint Encryption supports fine-grained password and account lockout policies for Windows Server 2008 and Windows Server 2012 Active Directory servers. To enable this feature, add the PolicyServer computer to the Password Setting object (PSO) Security list on the Active Directory server.

Usability Enhancement

The Full Disk Encryption preboot logon screen now displays indicators if Caps Lock or Num Lock are enabled.

Table 3. What's New in Endpoint Encryption 5.0 Patch 2

New Feature

Description

Active Directory Synchronization across Multiple OUs

Endpoint Encryption now supports policy enforcement, authentication, and synchronization across multiple organizational units (OUs). This enhancement allows administrators to manage users with the same policy over different security groups, cross-functional groups, or regional groups. Endpoint Encryption requires that separate OUs must be within the same Active Directory tree.

Simplified Active Directory Integration

The process for enabling automatic account synchronization from Active Directory has been streamlined. When managing Endpoint Encryption from Control Manager, administrators no longer need to access PolicyServer MMC in addition to the Control Manager web console.

In addition, when configuring Active Directory from PolicyServer MMC, administrators no longer need to use the AD Synchronization Configuration Tool to complete configuration.

Supported Platforms

Endpoint Encryption supports PolicyServer installation on the following operating systems:

  • Windows Server 2012

  • Windows Server 2012 R2

Endpoint Encryption supports the following database management systems for PolicyServer:

  • Microsoft SQL Server 2012

  • Microsoft SQL Server 2012 Express

Endpoint Encryption supports Encryption Management for Apple FileVault installation on the following operating system:

  • Mac OS X Yosemite™

Automated Deployment of Encryption Management for Apple FileVault

Endpoint Encryption supports automated deployments of Encryption Management for Apple FileVault agents. The process uses the same parameters and Command Line Helper tool for automated deployments of Full Disk Encryption, File Encryption, and Encryption Management for Microsoft BitLocker agents.

SanDisk Self-Encrypting SSD Support

Endpoint Encryption supports enabling and disabling of hardware-based full disk encryption of SanDisk™ self-encrypting solid-state drives (SSDs).

Table 4. What's New in Endpoint Encryption 5.0 Patch 1

New Feature

Description

Control Manager License Management

Endpoint Encryption PolicyServer integrates with Control Manager License Management. Control Manager supports the following features with Endpoint Encryption:

  • View the current Endpoint Encryption license information

  • Deploy a full license to PolicyServer

  • Renew a license to PolicyServer

Control Manager User-Centered Visibility

Endpoint Encryption integrates with Control Manager User-Centered Visibility. The status logs sent to Control Manager include the user information for the following Endpoint Encryption endpoints:

  • Full Disk Encryption

  • File Encryption

  • Encryption Management for Microsoft BitLocker

  • Encryption Management for Apple FileVault

NIC and Wi-Fi adapter Support

Endpoint Encryption supports the following groups of network interface controllers (NIC):

  • Intel Ethernet Controller l217 Family

  • Intel Ethernet Controller l218 Family

Endpoint Encryption also supports the Intel Dual Band AC 7260 Wi-Fi adapter.

Table 5. What's New in Endpoint Encryption 5.0

New Feature

Description

New Communication Interface

Endpoint Encryption 5.0 introduces a new communication interface (Endpoint Encryption Service) that all Endpoint Encryption 5.0 agents and management consoles use to communicate with PolicyServer. Endpoint Encryption Service uses a Representational State Transfer web API (RESTful) with an AES-GCM encryption algorithm. Endpoint Encryption Service has three key features:

  • Access control: After user authentication, PolicyServer generates a token for that user in that session only.

  • Policy control: Before user authentication, Endpoint Encryption Service restricts all PolicyServer MMC, Control Manager, and OfficeScan policy transactions until after user authentication.

  • Automatic policy updates: After successfully registering with PolicyServer, Endpoint Encryption agents automatically obtain new policies without user authentication.

Control Manager Integration

Endpoint Encryption 5.0 integrates Control Manager for PolicyServer management.

For information about Control Manager, see Management Consoles.

OfficeScan Integration

Endpoint Encryption 5.0 provides support for OfficeScan deployments. Use the new Endpoint Encryption Deployment Tool plug-in to centrally deploy or uninstall Endpoint Encryption agents to any endpoint currently managed by OfficeScan.

License Management

Endpoint Encryption 5.0 integrates with the Trend Micro licensing portal. As in previous product versions, you can try Endpoint Encryption free for 30 days. After the trial license expires, an Activation Code is required.

Support for Apple FileVault™ and Microsoft BitLocker™

Endpoint Encryption 5.0 advances Full Disk Encryption by integrating with encryption solutions built into the host operating system through two new Endpoint Encryption agents:

  • Encryption Management for Microsoft BitLocker

  • Encryption Management for Apple FileVault

PolicyServer centrally manages both agents with policy controls to remotely wipe or kill the Endpoint Encryption device.

FileArmor Name Change and Move to Common Framework

Endpoint Encryption 5.0 renames the FileArmor agent to File Encryption to better match the Endpoint Encryption agent's new functionality. File Encryption has the benefits from FileArmor 3.1.3, including improved support for removable media.

File Encryption is also now better aligned with Full Disk Encryption for improved password and policy management.

Maintenance, Log, and Report Enhancements

Endpoint Encryption 5.0 has several improvements to product maintenance, logs and reports.

  • Mechanism to purge log database: It is now possible to purge the log database based on specific criteria.

  • Delete inactive Endpoint Encryption users and devices: To clean up the Enterprise devices and users, it is now possible to purge devices and users that are inactive for a specified time period.

  • Enterprise report for inactive users: The new Enterprise report shows all Endpoint Encryption users who have not logged on Endpoint Encryption devices for a specified period of time.

  • Enterprise report for inactive devices: The new Enterprise report shows all Endpoint Encryption devices that have not been logged on to for a specified duration of time.

Smart Card Enhancements

Endpoint Encryption 5.0 provides the following smart card enhancements:
  • Improved Endpoint Encryption agent deployment in environments using smart cards

  • Support for smart card password-sharing