1.4 Decommissioning a Device

You can prevent access to encrypted data by either temporarily or permanently decommissioning a device. Temporarily decommissioning a device removes all Pre-Boot Authentication (PBA) user accounts from the device; the device can be recovered through a PBA override or through the use of an emergency recovery disk. Permanently decommissioning a device erases all of the encrypted data on the device; the erased data is unrecoverable.

1.4.1 Temporarily Decommissioning a Device

You can prevent access to encrypted data by temporarily decommissioning the device. When a device is temporarily decommissioned, all of the Pre-Boot Authentication (PBA) user accounts are removed. The only way to access the device after the users are removed is to perform a PBA override or an emergency recovery. Before decommissioning the device, you should ensure that an Emergency Recovery Information (ERI) file exists for the device (see Creating an Emergency Recovery Information File).

  1. Make sure you know the FDE Admin password for the policy that is assigned to the device.

    To temporarily decommission a device by removing all PBA users, you must know the FDE Admin password for the policy assigned to the device, or you must know the ZENworks Agent override password or key. For more information about passwords, see Section B.0, Administrator Passwords.

  2. Open the Full Disk Encryption agent on the managed device. See Accessing the Full Disk Encryption Agent.

  3. Click the Commands button.

  4. Supply the password, then click OK to display the Commands dialog box.

  5. Click the Temporary Decommission button.

  6. In the confirmation dialog box that is displayed, click Yes to proceed.

    The device immediately shuts down.

1.4.2 Permanently Decommissioning a Device

You can prevent access to encrypted data by permanently decommissioning the device. You do this by erasing all of the encrypted data. The erased data is unrecoverable.

  1. Make sure you know the FDE Admin password for the policy that is assigned to the device.

    To permanently decommission a device, you must know the FDE Admin password for the policy assigned to the device, or you must know the ZENworks Agent override password or key. For more information about passwords, see Section B.0, Administrator Passwords.

  2. Open the Full Disk Encryption agent on the managed device. See Accessing the Full Disk Encryption Agent.

  3. Click the Commands button.

  4. Supply the password, then click OK to display the Commands dialog box.

  5. Click the Permanent Decommission button.

  6. In the confirmation dialog box that is displayed, click Yes to proceed.

    The device immediately shuts down.