ZENworks Full Disk Encryption protects a device’s data when the device is powered off or in hibernation mode. As soon as someone successfully logs in to the Windows operating system, the encrypted volumes are no longer protected and the data can be freely accessed. To provide increased login security, you can use ZENworks Pre-Boot Authentication (PBA).
The ZENworks PBA is a Linux-based component. When the Disk Encryption policy is applied to a device with a standard hard disk, a 100 MB partition containing a Linux kernel and the ZENworks PBA is created on the hard disk. When the policy is applied to a device with a self-encrypting hard disk, the Linux kernel and ZENworks PBA are installed to the disk’s datastore memory.
During normal operation, the device boots to the Linux partition and loads the ZENworks PBA. As soon as the user provides the appropriate credentials (user ID/password or smart card), the PBA terminates and the Windows operating system boots, providing access to the encrypted data on the previously hidden and inaccessible Windows drives.
The Linux partition is hardened to increase security. The ZENworks PBA is protected from alteration through the use of MD5 checksums, and it uses strong encryption for authentication keys.
ZENworks Pre-Boot Authentication is strongly recommended. If you don’t use the ZENworks PBA, encrypted data is protected only by Windows authentication.
For more information about ZENworks Pre-Boot Authentication, see the ZENworks 11 SP4 Full Disk Encryption PBA Reference.