The following sections provide a best practice approach to removing Disk Encryption policies that have been deployed to devices.
WARNING:When removing a full disk encryption policy, ensure that the decryption process is not interrupted prematurely with a power change on the disk drive(s); otherwise, all data on the disk can be lost due to disk corruption. You can check the decryption status on the device by accessing Full Disk Encryption > About in the ZENworks Agent.
Disk corruption due to power change has only been noted on secondary drives, but it may also be applicable to primary drives. For this reason, the following precautions are strongly recommended before removing a full disk encryption policy from a device:
Pre-configure devices receiving the policy so that power options are set to never automatically shut off, hibernate, or sleep.
Inform all device users of the need to keep the device running during the decryption process, to include avoiding Sleep and Hibernation options.
This precaution is for user actions that are not a part of the reboot process that is required for decryption and policy removal.
Deleting a policy automatically removes the policy assignments. However, we recommend that you remove policy assignments before you delete a policy to see if the policy removal has any negative effects on the device. If so, the policy is still available to reassign.
Before uninstalling the ZENworks Agent or uninstalling or disabling the ZENworks Full Disk Encryption Agent from a device, remove the Full Disk Encryption policy assignment and refresh the device so that the device is decrypted and the ZENworks PBA (if installed) is removed.
An Emergency Recovery Information (ERI) file enables you to recover the encrypted disk information if problems occur during the removal of the Disk Encryption policy. Verify that the device from which you are removing the policy has a current ERI file.
In ZENworks Control Center, click Devices > Workstations.
Click the device to display its details.
Click the Emergency Recovery Information tab.
The device’s ERI files are displayed in the list. If there are no ERI files, or you are not sure if the ERI file is the most current, go back to the Workstations list, select the check box next to the device, then click Quick Tasks > FDE - Force Device to Send ERI File to Server. Wait for the task to complete and then verify that the ERI file is displayed in the device’s ERI list.
When you remove a Disk Encryption policy from a device, the encrypted disks must be decrypted, the encryption drivers removed, and the ZENworks PBA removed. This takes some time and requires multiple reboots of the device. We recommend that you make the user aware of what to expect. The Reboot Options configuration can include reboot notifications to the user. These settings are applicable to both policy deployment and policy removal.