DriveLock Agent

DriveLock Agent can be installed on different versions of Windows, Linux and macOS.

Operating system	Versions
Windows 11	As of 21H2, only Pro / Enterprise editions
Windows 10	As of 20H2, only Pro / Enterprise editions
Windows 10 LTSC	all LTSC versions until expiry of the respective Extended Support
Windows Server	2016, 2019, 2022
Windows 7	Windows 7 SP1 Enterprise / Ultimate with Extended Support. An additional Legacy Support license is required when running on Windows 7 systems.
Linux	CentOS 8, Debian 11, Fedora 34, IGEL OS 11.05, Red Hat Enterprise Linux 5, Suse 15.3, Ubuntu 20.04 or newer versions
macOS	starting with version Catalina (10.15) with Intel (x86_64) and Apple Silicon (arm64) architectures

The Windows DriveLock Agent is basically available for AMD-/Intel X86-based systems (32-bit and 64-bit architecture). We recommend using a 64 bit system for the DriveLock Agent. Server operating systems are only supported under 64-bit. You will find the restrictions of the individual functionalities described below.

.NET Framework 4.7.2 is required to display security awareness campaigns on DriveLock Agents.

See the following table for an overview of the functionality available on a particular operating system.

• Complete range of functions: ✔
• Reduced range of functions: ◒
• Not supported: ✖

Feature	Operating system / functions
	Windows 10 / 11	Windows Server	Windows 7	Linux	Mac OS
Device Control	✔	✔	◒	◒	◒
Application Control	✔	✔	✔	◒	✖
Encryption-2-Go	✔	✔	✔	◒	◒
BitLocker To Go	✔	✔	◒	✖	✖
BitLocker Management	✔	✔	◒	✖	✖
Security Awareness Multimedia campaigns	✔	✔	✔	✖	✖
Defender Management	✔	✔	◒	✖	✖
Vulnerability Management	✔	✔	✔	✖	✖
Security Configuration Management	✔	✔	✔	✖	✖
Disk Protection	✔(*)	✖	✖	✖	✖
File Protection	✔	✔	◒	✖	✖

(*): On Windows 10 and newer, Disk Protection is available only for UEFI systems, BIOS support has been discontinued.

Security Awareness: Please note that as of version 2022.1, Content AddOn packages can only be displayed correctly if Microsoft Edge WebView2 is installed on the agents . Please follow the download link: https://developer.microsoft.com/en-us/microsoft-edge/webview2/#download-section. Windows 11 already has Microsoft Edge WebView2 installed automatically.

As of version 2024.1, the latest Microsoft Visual C++ Redistributable is required for File Protection. To download the Redistributable, please click this .link.

Details on the restrictions for operating systems that can only use some of the DriveLock features:

1. Restrictions for Windows Server

   • DriveLock pre-boot authentication is not available for server operating systems.

   • Microsoft Defender settings are only available for Windows Server 2016 and later.

2. Restrictions for Windows 7

   Make sure that the latest available patch level is installed on a Windows 7 client.

   • In general:

     • After updating, installing or uninstalling DriveLock Agent on Windows 7 x64, the Explorer (explorer.exe) may crash. This only occurs if the Windows command prompt is opened with admin privileges and the system has not been rebooted since the agent was updated/ installed/uninstalled.

     • KB3140245 must be installed on Windows 7
       Further information can be found under 'Update process' and 'Update catalog'.
       Without this update, WinHTTP cannot change any TLS settings and the error 12175 appears in the dlwsconsumer.log und DLUpdSvx.log log files.

     • KB3033929 (SHA-2 code signing support) must be installed on Windows 7 64 bit.

     • DriveLock Service adds missing registry values for TLS 1.2 connections on computers running Windows 7.

       The following registry values are the prerequisite for communication with the DES in addition to KB3140245:

       • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]"Enabled"=dword:00000001

       • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]"Enabled"=dword:00000001

       • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\WinHttp]

         "DefaultSecureProtocols"=dword:00000800

         If the DefaultSecureProtocols value already exists, add the value 0x00000800 for TLS 1.2.

   • BitLocker Management:

     • Only available for Windows 7 SP1 Enterprise and Ultimate, 64-bit - TPM chip is required

     • BitLocker does not encrypt on Windows 7 if the options "When the screen saver is configured and active" and "When no application is running in full screen mode" are enabled.

   • BitLocker To Go:

     • Only available for Windows 7 SP1 Enterprise and Ultimate

   • Device Control:

     • In Windows 7, you cannot use the Bluetooth options for devices in the Device class locking section.

   • File Protection:

     • Under Windows 7, only the limited functionality is available for the new encryption format and only the previous legacy driver is available for the old encryption format. The appropriate encryption format is selected automatically.

   • Security Awareness Multimedia Campaigns:

     • To be able to display Security Awareness multimedia campaigns you need a local installation of WebView2 for Windows 7. For more information, click here: https://docs.microsoft.com/en-us/microsoft-edge/webview2/

3. Restrictions for macOS

   • Device Control:

     In this version, only USB-attached drives identified by their hardware ID can be blocked or allowed.

     In addition, please note the following restrictions:

     • You need to configure your own rule types for whitelisting (Hardware ID instead of Product ID/Vendor)

     • No unlocking for specific users or user groups

     • No file filter and auditing

     • No forced encryption

     • No unlocking for drives already encrypted with Encryption 2-Go

     • No self-service functionality

   • Encryption 2-Go:

     • For macOS, the Mobile Encryption Application (MEA) is available as before for decrypting external USB drives.

     • The macOS Agent is not yet able to automatically encrypt drives with an Encryption 2-Go container.

     For more information about the macOS Agent, please refer to the separately available macOS documentation on DriveLock Online Help.

4. Restrictions for Linux

   • Device Control:

     • You need to configure your own rule types for whitelisting (Hardware ID instead of Product ID/Vendor)

     • No unlocking for specific users or user groups

     • No file filter and auditing

     • No forced encryption

   • Application Control:

     • DriveLock Application Control requires Linux kernel version > 5 for use on Linux agents.

     • Application Control cannot be used together with IGEL OS.

     • None of the Application Behavior Control functions are available on Linux.

   • Encryption 2-Go:

     • Containers or encrypted USB drives cannot be created, only connected.

   For more information about the Linux client and the limitations of its functionality, please refer to the separately available Linux documentation on DriveLock Online Help.

5. Restrictions for terminal server environments and thin clients

   • The DriveLock Agent requires the following system requirements in order to use the DriveLock Device Control functionality:

     • XenApp 7.15 or newer (ICA).

     • Windows Server 2016 or newer (RDP).

   • Security awareness campaigns for users at login and ICA drive connections are not available when using thin clients without DriveLock Agent installed.