7.3 Configure Disk Encryption - Admin Password and Encryption Initialization

The information in this section assumes that you are on the Configure Disk Encryption - Admin Password and Encryption Initialization page of the Create New Disk Encryption Policy wizard. If you are not, see Creating a Policy for instructions about how to get there.

The Admin Password and Encryption Initialization page lets you specify an Administrator password for the ZENworks Full Disk Encryption Agent and determine when a device is rebooted to initiate the encryption of the device’s volumes.

7.3.1 Admin Password

The Administrator password enables access to the Administrator options in the Full Disk Encryption Agent. These options help you see the current status of the agent and view the assigned Disk Encryption policy, as well as troubleshoot problems with the agent or policy.

To set the password, click Set, specify the password, then click OK.

If you ever need to allow a user to access the Administrator options, we recommend that you use the Password Key Generator utility to generate a password key. The key, which is based on the FDE Admin password, functions the same as the FDE Admin password but can be tied to a single device or user and can have a usage or time limit.

The Password Key Generator utility is accessible under the Configuration Tasks list in the left navigation pane.

7.3.2 Reboot Options

When the Disk Encryption policy is applied to a device, the device’s disks cannot be encrypted until the device reboots and loads the Full Disk Encryption Agent’s encryption drivers.

  • Reboot Behavior: Select one of the following:

    • Force device to reboot immediately: Reboots the device immediately after the Disk Encryption policy is applied.

    • Do not reboot device: Does not force a reboot after the Disk Encryption policy is applied. The user must initiate a reboot before disk encryption can occur.

    • Force device to reboot within XX minutes: Reboots the device within the specified number of minutes after the Disk Encryption policy is applied. Providing a reboot delay can give the user time to save work prior to the reboot. The default delay is 5 minutes.

  • Display predefined message to user before rebooting: If you selected the Do not reboot device option or the Force device to reboot within XX minutes option, you can display a message to the user. The Force device to reboot immediately option does not support a message.

    Select this option to display the following message:

    ZFDE Policy Enforcement

    Your ZENworks Administrator has assigned a Disk Encryption policy to your computer. To enforce the policy, your computer must be rebooted.

  • Override predefined message with custom message: This option is available only after you select the Display predefined message to user before rebooting option. It lets you override the predefined message with your own custom message. Select the option, then specify a title for the message window and the text to include in the message body.

7.3.3 CheckDisk Options

We strongly recommend that you run Windows CheckDisk with Repair during the reboot. The disk check and repair is performed on the system volume (C: drive), ensuring that system and partition records are error-free prior to encrypting the target volumes.

This option is selected by default. If you are sure that the target volumes are in perfect condition (for example, the disks are new), you can select the Do not run Windows check disk option.

NOTE: This setting does not apply to Windows XP. On Windows XP, CheckDisk is run if it is needed regardless of the setting.