2.5 Policy Enforcement Workflow

See below for the workflow that occurs after a policy is assigned to a device.

WARNING: When applying a full disk encryption policy, ensure that the encryption process is not interrupted prematurely with a power change on the disk drive(s); otherwise, all data on the disk can be lost due to disk corruption. You can check the encryption status on the device by accessing Full Disk Encryption > About in the ZENworks Agent.

Disk corruption due to power change has only been noted on secondary drives, but it may also be applicable to primary drives. For this reason, the following precautions are strongly recommended before applying a full disk encryption policy to a device:

  • If possible, select the AES algorithm when configuring the full disk encryption policy.

    Selecting the AES algorithm should preclude disk corruption from occurring in the event of a power-down during encryption. However, the additional precautions are best practices that will reduce the risk of possible disk corruption.

  • Pre-configure devices receiving the policy so that power options are set to never automatically shut off, hibernate, or sleep.

  • Inform all device users of the need to keep their devices running during the encryption process, to include avoiding Sleep and Hibernation options.
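One way to carry out the second precaution on a Windows device is shown below. This is an added example, not part of the ZENworks documentation or the ZENworks product; it uses the standard Windows `powercfg` tool, assumes an elevated PowerShell session, and only modifies the currently active power scheme (a later scheme switch, for example by Group Policy, would undo it, so apply the same settings through the policy mechanism you normally use if that applies).

```powershell
# Added example (not from the ZENworks documentation): pre-configure Windows power
# options so a device does not sleep, hibernate or spin down its disks while a
# Full Disk Encryption policy is encrypting volumes. Run from an elevated PowerShell.

$ErrorActionPreference = 'Stop'

# powercfg timeouts are in minutes; 0 disables the timeout. Both mains (AC) and
# battery (DC) values are set so laptops are covered as well as desktops.
$timeouts = @(
    'monitor-timeout-ac',   'monitor-timeout-dc',
    'disk-timeout-ac',      'disk-timeout-dc',
    'standby-timeout-ac',   'standby-timeout-dc',
    'hibernate-timeout-ac', 'hibernate-timeout-dc'
)

foreach ($setting in $timeouts) {
    & powercfg.exe /change $setting 0
    if ($LASTEXITCODE -ne 0) { throw "powercfg failed to change $setting" }
}

# Disable hibernation entirely so the device cannot hibernate by any other path.
& powercfg.exe /hibernate off
if ($LASTEXITCODE -ne 0) { throw 'powercfg failed to disable hibernation' }

# Read back the active scheme's sleep and hibernate idle timeouts for confirmation.
# SUB_SLEEP, STANDBYIDLE and HIBERNATEIDLE are powercfg's built-in aliases.
& powercfg.exe /query SCHEME_CURRENT SUB_SLEEP STANDBYIDLE
& powercfg.exe /query SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE
```

Record the original values before running this (for example with `powercfg /query SCHEME_CURRENT`) so the device's normal power profile can be restored once Full Disk Encryption > About in the ZENworks Agent reports that encryption has completed.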

2.5.1 Policy Enforcement without Pre-boot Authentication

The following process occurs after a Disk Encryption policy is assigned to a device without pre-boot authentication (encryption only):

  1. The next time the ZENworks Agent refreshes, it receives the Disk Encryption policy.

  2. The ZENworks Full Disk Encryption Agent applies the policy to the device.

  3. The device reboots according to the disk encryption reboot setting in the policy. During the reboot, the following occurs:

    • A CheckDisk occurs if the Run Windows check disk with repair option is enabled in the policy.

    • A 500 MB ZENworks partition is created. This partition is used for storage of Full Disk Encryption files and the Emergency Recovery Information (ERI) file.

    • The Full Disk Encryption drivers are initialized.

    • The user is prompted to log in to Windows.

  4. The target disk volumes, as specified in the policy, are encrypted.

    Depending on the number of volumes and amount of data to be encrypted, encryption can take some time. If the device is rebooted during the encryption process, the process restarts where it left off prior to the reboot.

    You can view the ZENworks Full Disk Encryption About Box to monitor the encryption process.

2.5.2 Policy Enforcement with Pre-Boot Authentication

The following process occurs after a Disk Encryption policy (encryption and pre-boot authentication) is assigned to a device:

  1. The next time the ZENworks Agent refreshes, it receives the Disk Encryption policy.

  2. The ZENworks Full Disk Encryption Agent applies the policy to the device.

  3. The device reboots according to the disk encryption reboot setting in the policy. During the reboot, the following occurs:

    • A CheckDisk occurs if the Run Windows check disk with repair option is enabled in the policy.

    • A 500 MB ZENworks partition is created. This partition is used for storage of encryption files, the Emergency Recovery Information (ERI) file, and the ZENworks PBA Linux kernel.

    • The Disk Encryption drivers and the ZENworks PBA are initialized.

    • The user is prompted to log in to Windows.

  4. After successful Windows login, the device reboots according to the PBA reboot setting for the policy. During the reboot, the following occurs:

    • If user capturing is enabled, the user receives an informational prompt and then the Windows login is displayed. When the user logs in (either with userID/password or smartcard), the ZENworks PBA captures the credentials. On subsequent reboots, the user is presented with the ZENworks PBA login and must provide the captured credentials.

    • If user capturing is not enabled, the user is prompted to enter credentials at the PBA login screen. The user must enter valid credentials for a PBA user or smartcard defined in the policy. If single sign-on is not enabled, the Windows login is then displayed and the user must enter valid Windows credentials to log in.

  5. After successful login, the target disk volumes, as specified in the policy, are encrypted.

    Depending on the number of volumes and amount of data to be encrypted, this can take some time. If the device is rebooted during the encryption process, the process restarts where it left off prior to the reboot.

    You can view the ZENworks Full Disk Encryption About Box to monitor the encryption process.