1.2 The PBA Boot Process

When the ZENworks PBA is installed, it changes the standard boot process. The following illustration shows the standard boot process (no disk encryption or pre-boot authentication), the boot process with disk encryption (no pre-boot authentication), and the boot process with disk encryption and pre-boot authentication.

The gray boxes represent protected components and data, and the light blue boxes represent unprotected components and data. On UEFI-enabled devices, GPT takes the place of MBR in those boxes.

Standard Boot Process

The standard Windows boot process provides no data protection. The Windows login can easily be broken, or the drive can be removed and installed as a secondary drive on another device to gain access to the data.

Boot Process With Full Disk Encryption

With full disk encryption applied to a device, the drive data is encrypted, and thus protected, until successful authentication to Windows occurs. The drive data cannot be accessed by removing the drive and installing it as a secondary drive on another device. The primary security weakness is the Windows login.

IMPORTANT: Full Disk Encryption requires UEFI-enabled devices to boot from Secure Boot Manager in the boot order. This setting reverts to Windows Boot Manager in the boot order if the Disk Encryption policy is deployed to a device after the device is upgraded from ZENworks 2020 or earlier to ZENworks 2020 Update 1 or later. If the Disk Encryption policy was already deployed to the device before such an upgrade, the device continues to boot to Secure Boot Manager.
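One way to verify the boot order after such an upgrade is to inspect which firmware entry the device tries first. The following Python is an added example, not ZENworks code: it parses the text that `bcdedit /enum firmware` prints, the sample output is constructed, and the assumption that the PBA entry is described as "Secure Boot Manager" is mine.

```python
import re

# Constructed sample of 'bcdedit /enum firmware' output (not from a real device), showing
# the reverted state. The PBA entry's description "Secure Boot Manager" is an assumption.
SAMPLE_OUTPUT = """Firmware Boot Manager
---------------------
identifier              {fwbootmgr}
displayorder            {bootmgr}
                        {11111111-2222-3333-4444-555555555555}

Windows Boot Manager
--------------------
identifier              {bootmgr}
description             Windows Boot Manager

Firmware Application (101fffff)
-------------------------------
identifier              {11111111-2222-3333-4444-555555555555}
description             Secure Boot Manager
"""

def parse_entries(text):
    """Map each entry's identifier to {key: [values]}; indented lines continue the last key."""
    entries, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            current, last_key = None, None  # a blank line ends the entry block
            continue
        m = re.match(r"^(\S+)\s+(.*)$", line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "identifier":
                current = entries.setdefault(value, {})
            if current is not None:  # header lines before 'identifier' are skipped
                current.setdefault(key, []).append(value)
            last_key = key
        elif current is not None and last_key and line[:1].isspace():
            current[last_key].append(line.strip())  # e.g. 2nd displayorder item
    return entries
def first_boot_entry(text):
    """Return (identifier, description) of the first entry in {fwbootmgr}'s displayorder."""
    entries = parse_entries(text)
    order = entries.get("{fwbootmgr}", {}).get("displayorder", [])
    if not order:
        return None, None
    return order[0], entries.get(order[0], {}).get("description", ["<unknown>"])[0]
def boots_to_pba_first(text, pba_name="Secure Boot Manager"):
    # True when the PBA boot manager (assumed description) is the entry tried first
    desc = first_boot_entry(text)[1]
    return desc is not None and pba_name.lower() in desc.lower()
```

On the device, capture `bcdedit /enum firmware` from an elevated command prompt and pass that text to `boots_to_pba_first`.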

Boot Process with Full Disk Encryption and Pre-Boot Authentication

With full disk encryption and pre-boot authentication applied to a device, the drive data remains encrypted until successful authentication to the ZENworks PBA occurs. This removes the Windows login as the key component controlling access to the encrypted drives.

To protect the ZENworks PBA, the PBA's Linux system includes only the components needed to complete the secure authentication. The system includes no networking components. USB and CD drivers are enabled to allow emergency recovery of the device when necessary. All ZENworks PBA components are protected against manipulation.