ZENworks 2020 Update 2 - Full Disk Encryption Deployment Quick Start

July 2021

This Quick Start helps you deploy ZENworks Full Disk Encryption to IDE, SATA, and PATA hard disks.

With hard disks, ZENworks Full Disk Encryption provides sector-based encryption of the entire disk or selected volumes (partitions). All files on a volume are software encrypted, including any temporary files, swap files, or operating system files. Because all files are encrypted, the data cannot be accessed when booting the computer from external media such as a CD-ROM, floppy disk, or USB drive. You can choose the industry-standard encryption algorithm (AES, Blowfish, DES, or DESX) and a key length that best meets your organization's requirements.

As an added layer of security, ZENworks Full Disk Encryption provides optional pre-boot authentication. With pre-boot authentication, the device boots to a Linux partition and loads the ZENworks Pre-Boot Authentication (PBA) module. As soon as the user provides the appropriate credentials (user ID/password or smart card), the PBA terminates and the Windows operating system boots, providing access to the encrypted data on the previously hidden and inaccessible Windows drives.

WARNING: When applying a full disk encryption policy, ensure that the encryption process is not interrupted prematurely with a power change on the disk drive(s); otherwise, all data on the disk can be lost due to disk corruption. You can check the encryption status on the device by accessing Full Disk Encryption > About in the ZENworks Agent.

Disk corruption due to power change has only been noted on secondary drives, but it may also be applicable to primary drives. For this reason, the following precautions are strongly recommended before applying a full disk encryption policy to a device:

  • If possible, select the AES algorithm when configuring the full disk encryption policy.

    Selecting the AES algorithm should preclude disk corruption from occurring in the event of a power-down during encryption. However, the additional precautions are best practices that will reduce the risk of possible disk corruption.

  • Pre-configure devices receiving the policy so that power options are set to never automatically shut off, hibernate, or sleep.

  • Inform all device users of the need to keep their devices running during the encryption process, including avoiding the Sleep and Hibernation options.
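
One way to pre-configure the power options described above on a Windows device, shown as an added example that is not part of the ZENworks documentation or product. It uses the built-in powercfg utility from an elevated PowerShell prompt and assumes English-language powercfg output when reading the settings back.

```powershell
# Added example (not vendor code). Run from an elevated PowerShell prompt.
# powercfg /change values are minutes; 0 means "never".
$timeouts = 'standby-timeout-ac', 'standby-timeout-dc',
            'hibernate-timeout-ac', 'hibernate-timeout-dc',
            'disk-timeout-ac', 'disk-timeout-dc'
foreach ($name in $timeouts) {
    powercfg /change $name 0
    if ($LASTEXITCODE -ne 0) { throw "powercfg /change $name failed (exit $LASTEXITCODE)" }
}

# Read the active power scheme back and confirm each idle timeout is 0.
$checks = @(
    @{ Sub = 'SUB_SLEEP'; Setting = 'STANDBYIDLE' },
    @{ Sub = 'SUB_SLEEP'; Setting = 'HIBERNATEIDLE' },
    @{ Sub = 'SUB_DISK';  Setting = 'DISKIDLE' }
)
# Assumption: English output lines such as "Current AC Power Setting Index: 0x00000000".
$pattern = 'Current (AC|DC) Power Setting Index:\s*(0x[0-9a-fA-F]+)'
$problems = foreach ($c in $checks) {
    $out = powercfg /query SCHEME_CURRENT $c.Sub $c.Setting
    $values = @($out | Select-String -Pattern $pattern | ForEach-Object {
        [Convert]::ToUInt32($_.Matches[0].Groups[2].Value, 16)
    })
    if ($values.Count -eq 0) {
        "$($c.Setting): not reported by powercfg, check manually"
    } elseif ($values | Where-Object { $_ -ne 0 }) {
        "$($c.Setting): timeout still set"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Power settings are not ready for initial disk encryption.'
}
'Sleep, hibernate, and disk idle timeouts are disabled on AC and battery power.'
```

These timeouts only stop automatic sleep, hibernation, and disk power-down; a user closing the lid or shutting down manually is not covered, which is why users still need to be informed.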




Make sure the hard drive meets the requirements for full disk encryption.

See “Managed Device Requirements” in the ZENworks Full Disk Encryption Agent Reference.

Make sure the Windows device with the hard drive meets the requirements for a ZENworks managed device.

The Windows device must meet certain requirements to support the ZENworks Agent as well as the ZENworks Full Disk Encryption Agent.

See “Managed Device Requirements” in the ZENworks Full Disk Encryption Agent Reference.

Install the ZENworks Agent on the Windows device (if necessary) and make sure that Full Disk Encryption is enabled.

If the ZENworks Agent is not installed on the device and you need help installing the agent, see Deploying the ZENworks Agent in the ZENworks Discovery, Deployment, and Retirement Reference.

Check that ZENworks Full Disk Encryption is enabled by right-clicking the ZENworks icon in the notification area of the device, and selecting Technician Application, to display the ZENworks Agent. If Full Disk Encryption is displayed in the left navigation pane, ZENworks Full Disk Encryption is enabled on the device. For help enabling ZENworks Full Disk Encryption, see Configuring Agent Settings on the Device Level in the ZENworks Agent Reference.

Create the Disk Encryption policy to apply to the device.

The Disk Encryption policy contains the encryption and pre-boot authentication settings to apply to the device.

For help creating the policy, see “Creating a Disk Encryption Policy” in the ZENworks Full Disk Encryption Policy Reference.

Assign the policy to the device.

For help assigning the policy, see Assigning a Disk Encryption Policy in the ZENworks Full Disk Encryption Policy Reference.

Enforce the policy on the device.

On the device, right-click the Z-icon, and then click Refresh to apply the policy. After the device reboots, log in to the ZENworks PBA (if the PBA is enabled) and boot to the Windows operating system.

If you can log in to the ZENworks PBA but the device then fails to boot to Windows, see The ZENworks PBA is not booting to the Windows operating system in the ZENworks Troubleshooting Full Disk Encryption reference.

Check the encryption status.

On the device, right-click the ZENworks icon, select Technician Application in the menu, and then click Full Disk Encryption. In the Full Disk Encryption Agent Actions section, click About to display the About dialog box. The Status field displays the current encryption status. When initial encryption is complete, the status will be Policy enforced, with drive encrypted.

Beginning in ZENworks 2017, you can enable an Agent Event in the ZENworks Control Center that will show when the encryption is complete. For more information, see Auditing Agent Events in the ZENworks - Auditing Full Disk Encryption Events reference.

Legal Notices

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.microfocus.com/about/legal/.

© Copyright 2008 - 2021 Micro Focus or one of its affiliates.

The only warranties for products and services of Micro Focus and its affiliates and licensors (Micro Focus) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.