When the ZENworks PBA is installed, it changes the standard boot process. The following illustration shows the standard boot process (no disk encryption or pre-boot authentication), the boot process with disk encryption (no pre-boot authentication), and the boot process with disk encryption and pre-boot authentication.
The gray boxes represent protected components and data and the light blue boxes represent unprotected components and data. If you are using UEFI enabled devices, GPT is in place of MBR in those boxes.
The standard Windows boot process provides no data protection. The Windows login can be easily broken or the drive can be removed and installed as a secondary drive on another device to gain access to the data.
With full disk encryption applied to a device, the drive data is encrypted, and thus protected, until successful authentication to Windows occurs. The drive data cannot be accessed by removing the drive and installing it as a secondary drive on another device. The primary security weakness is the Windows login.
With full disk encryption and pre-boot authentication applied to a device, the drive data is encrypted until successful authentication to the ZENworks PBA occurs. This eliminates the Windows login as the key component to gaining access to the encrypted drives.
To protect the ZENworks PBA, the PBA’s Linux system includes only the components needed to complete the secure authentication. The system includes no networking components. USB and CD drivers are enabled to provide emergency recovery of the device if necessary. All ZENworks PBA components are protected against manipulation.