13.5 Understanding What Happens After a Policy Is Assigned to a Device

The following process occurs after a Disk Encryption policy is assigned to a device:

  1. The next time the ZENworks Adaptive Agent refreshes, it receives the Disk Encryption policy.

  2. The ZENworks Full Disk Encryption Agent applies the policy to the device.

  3. On standard hard disks, a 100 MB ZENworks partition is created. This partition is used for storage of encryption files, the Emergency Recovery Information (ERI) file, and the ZENworks PBA Linux kernel (if ZENworks PBA is enabled in the policy).


    On self-encrypting drives (Seagate Momentus FDE.x series), ZENworks uses the disk’s protected partition, referred to as the MBR shadow, for the encryption files and the ZENworks PBA Linux kernel.

  4. The device reboots according to the disk encryption reboot setting in the policy. During the reboot, the following occurs:

    • On standard hard disks, a CheckDisk occurs if the Windows CheckDisk with Repair option is enabled in the policy. On Windows XP, the operation is performed if needed even if the option is not enabled in the policy.

    • The Disk Encryption drivers and the ZENworks PBA are initialized.

    • The user is prompted to log in to Windows.

  5. Disk encryption begins if the ZENworks PBA is not enabled.


    If the ZENworks PBA is enabled, the following occurs:

    • The device reboots according to the PBA reboot setting for the policy.

    • If user capturing is enabled, the user receives an informational prompt and then the Windows login is displayed. When the user logs in, the ZENworks PBA captures the credentials. On subsequent reboots, the user is presented with the ZENworks PBA login and must provide the captured credentials.

    • If user capturing is not enabled, the user is prompted to enter credentials at the PBA login screen. The user must enter valid credentials for a PBA user defined in the policy.

    • After a successful login, disk encryption begins. Depending on the number of volumes and the amount of data to be encrypted, this can take some time. If the device is rebooted during the encryption process, the process resumes where it left off prior to the reboot.