2.2 Creating a Disk Encryption Policy

The Disk Encryption policy lets you configure both full disk encryption and pre-boot authentication for a device.

The following sections explain how to create a new Disk Encryption policy by using the Create New Policy Wizard.

In addition to using the wizard, you can create policies by:

  • Copying an existing Disk Encryption policy. All original system requirements, details, and settings are copied to the new policy. You can then make any desired modifications to the new policy. See Copying a Policy.

  • Creating a Sandbox version of an existing Disk Encryption policy and then publishing it as a new policy. For information, see Publishing a Sandbox Version.

2.2.1 Creating a Policy

To create a Disk Encryption policy by using the Create New Policy Wizard:

  1. In ZENworks Control Center, click Policies to display the Policies page.

  2. In the Policies panel, click New > Policy to launch the Create New Policy wizard.

  3. On the Select Platform page, select Windows, then click Next.

  4. On the Select Policy Category page, select Windows Full Disk Encryption Policies, then click Next.

  5. On the Select Policy Type page, select Disk Encryption Policy, then click Next.

  6. On the Define Details page, specify a name for the policy, select the folder in which to place the policy, then click Next.

    The name must be unique among all other policies located in the selected folder. For additional requirements, see Naming Conventions in ZENworks Control Center in the ZENworks Control Center Reference.

    NOTE: For ZENworks versions 17.2 and later, the Summary page of a Disk Encryption policy will automatically append [Policy version 17.x] in the Administrator Notes. This is to remind administrators that adding the ZENworks version here can help identify if the policy will work on UEFI devices.

    For the same reason, we recommend that you append the version number to the policy name for versions 17.1 and later. For more information about the change to Disk Encryption in 17.1, see the ZENworks - Full Disk Encryption Update Reference.

  7. Proceed with the wizard to define the details of the policy. Refer to the sections that follow for detailed information about each wizard page you must complete.

  8. After you have defined the details listed above and are at the Summary page, review the information to make sure it is correct. If it is incorrect, click the Back button to revisit the appropriate wizard page and make changes. If it is correct, select either of the following options (if desired), then click Finish to create the policy.

    • Create as Sandbox: Select this option to create the policy as a Sandbox version. The Sandbox version is isolated from devices until you publish it. For example, you can assign it to devices, but it is applied only after you publish it. You can also use the Sandbox version to test the policy on devices you’ve designated as test devices. For information, see Testing a Disk Encryption Policy.

    • Define Additional Properties: Select this option to display the policy’s property pages. These pages let you define system requirements that must be met before the policy can be assigned to a device, assign the policy to devices, and add the policy to policy groups.

  9. To test the policy before assigning it to devices, see Testing a Disk Encryption Policy.

  10. To assign the policy to devices, see Assigning a Disk Encryption Policy.

2.2.2 Configure Disk Encryption - Volumes, Algorithm, and Emergency Recovery

ZENworks Full Disk Encryption supports encryption of IDE, SATA, and PATA hard disks. Encryption of SCSI hard disks is not supported; encrypting a SCSI drive can cause the device to become unbootable.

The information in this section assumes that you are on the Configure Disk Encryption - Volumes, Algorithm and Emergency Recovery page of the Create New Disk Encryption Policy wizard. If you are not, see Creating a Policy for instructions about how to get there.

The Volumes, Algorithm and Emergency Recovery page lets you specify which disk volumes on a device to encrypt and the algorithm to use for the encryption. In addition, you can choose whether or not to allow users to create Emergency Recovery Information (ERI) files that can be used to regain access to encrypted volumes if a problem occurs with the device.

Local Fixed Volumes

Any of a device’s local fixed disk volumes can be encrypted. Removable disks, such as thumb drives, cannot be encrypted. Neither can non-local disks, such as network drives. As a security feature, additional partitions might get interpreted as removable drives on virtual machines (VM) and not get encrypted if you choose to Encrypt all local fixed volumes. As a best practice, you should choose the second option and assign drive letters to specific volumes when deploying the policy to VM devices with more than one partition.

  • Encrypt all local fixed volumes: Select this option to encrypt all volumes.

  • Encrypt specific local fixed volumes: Select this option to limit encryption to specific volumes. To specify a volume, click Add, then select the drive letter assigned to the volume. If a volume that you specify does not exist on a device to which the policy is assigned, or the specified volume is not a local fixed volume, no encryption of the specified volume takes place.

After the policy is applied, encryption of the target volumes is performed sequentially, one volume at a time. A maximum of 10 volumes are encrypted for disks using MBR, even if the device has more than 10 volumes. Disks equipped and enabled for GPT can encrypt up to 128 volumes per disk.

Encryption Settings

Encryption is the process of converting plain-text data into cipher text that can then be decrypted back into its original plain text. An encryption algorithm, also known as a cipher, is a set of steps that determines how an encryption key is applied to the plain-text data to encrypt and decrypt the text.

The following settings determine the algorithm that is used to encrypt the selected fixed volumes, and the length of the encryption key that is used in the encryption process.

IMPORTANT: In ZENworks Full Disk Encryption, UEFI-enabled devices only use AES 256. If you apply a Disk Encryption policy to a UEFI-enabled device using a different algorithm/key length, the policy settings will automatically be reconfigured to AES 256 when the policy is enforced.

  • Algorithm: Select one of the following encryption algorithms:

    • AES: The AES (Advanced Encryption Standard) algorithm is a symmetric-key encryption standard adopted by the U.S. government. AES has a 128-bit block size with key lengths of 128, 192, and 256 bits.

      AES provides the highest security coupled with fast encryption speed. This algorithm is the optimal choice for most users.

    • Blowfish: The Blowfish algorithm is a symmetric-key block cipher. It has a 64-bit block size with key lengths of 32 to 448 bits. It is a strong, fast, and compact algorithm.

    • DES: The DES (Data Encryption Standard) algorithm is a symmetric-key encryption standard that uses a 56-bit key.

      Because of its 56-bit key size, DES is not as secure as AES or Blowfish. DES keys have been broken in less than 24 hours.

    • DESX: The DESX algorithm is a variant of the DES algorithm. It uses a 128-bit key.

  • Key Length: Select a key length. Key lengths vary depending on the encryption algorithm you select. We recommend that you choose the maximum key length for the algorithm. Doing so provides the highest security with no significant performance loss.

  • Encrypt only the used sectors of the drive: During initial encryption of a fixed disk volume, all of the sectors are encrypted unless you select this option. If you select this option, only the sectors that contain data are encrypted. Additional sectors are encrypted as they are used.

    Encrypting all sectors (used and unused) greatly increases the initial encryption time. You should only encrypt unused sectors if you are concerned about unauthorized users possibly recovering previously deleted files from the unused (and unencrypted) sectors.

  • Block 1394 (FireWire) port: The 1394 interface provides direct memory access, or DMA. Direct access to system memory can compromise security by providing read and write access to stored sensitive data, including encryption and authentication data used by ZENworks Full Disk Encryption. Select this option to prevent direct access to memory through the 1394 port.

  • Enable software encryption of Opal compliant self-encrypting drives: Effective in ZENworks 2017 Update 1, this setting is preconfigured and cannot be disabled. It causes software encryption to be applied to self-encrypting drives, adding a second layer of encryption to the drives' hardware encryption.

  • Enable encryption lockdown: Prevents drive decryption when a Full Disk Encryption policy is removed from a device, unless this setting is disabled before the policy is removed.

    Once a policy is enforced on a device with encryption lockdown enabled, it can be disabled in one of three different ways:

    • Click the Disk Encryption policy in the Policies page of ZENworks Control Center, go to Details > Disk Encryption, deselect Enable encryption lockdown in Encryption Settings, and click Apply.

    • Select the check box for the device on the Devices page that has encryption lockdown enabled, and select FDE-Force Device to Decrypt in the Quick Tasks drop-down menu.

    • Use the Decrypt Drives command from the ZENworks Full Disk Encryption Agent Commands feature on the device itself in the ZENworks Agent > ZENworks Full Disk Encryption dialog box.

Emergency Recovery Information (ERI) Settings

An Emergency Recovery Information (ERI) file is required to regain access to encrypted volumes if a problem occurs with the device. When the policy is applied to a device, or the policy changes, an ERI file is automatically created and uploaded to the ZENworks Server. You can also enable users to manually create ERI files and store them locally.

  • Allow user to create ERI files: Select this option to enable users to create ERI files. This is done through the ZENworks Full Disk Encryption Agent’s About box.

  • Require user to provide a strong password when creating an ERI file: The ERI file is password-protected to ensure that no unauthorized users can use it to gain access to the encrypted device. The user enters the password when creating the file. Select this option to force the user to provide a password for the file that meets the following requirements:

    • Seven or more characters

    • At least one of each of the four types of characters:

      • uppercase letters from A to Z

      • lowercase letters from a to z

      • numbers from 0 to 9

      • at least one special character ~ ! @ # $ % ^ & * ( ) + { } [ ] : ; < > ? , . / - = | \ ”

    For example: qZG@3b!

  • Use common password for system-generated ERI files: When this option is selected, all system-generated ERI files will use the password that is specified in this setting.
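The strong-password rule described above can be checked before a common ERI password is entered into the policy. The following validator is an added example, not ZENworks code; the function names are this example's own, and the last special character on the page (shown as a curly quote) is assumed to be the straight double quote.

```python
"""Check a candidate ERI-file password against the strong-password rules
documented for the Disk Encryption policy (added example, not ZENworks code)."""
import string

# Special characters exactly as listed in the policy documentation. The final
# character is rendered on the page as a curly quote; it is assumed here to be
# the straight double quote ("), and both forms are accepted.
ERI_SPECIAL_CHARS = set('~!@#$%^&*()+{}[]:;<>?,./-=|\\"\u201d')
MIN_LENGTH = 7


def eri_password_problems(password: str) -> list:
    """Return the list of rule violations; an empty list means the password
    satisfies every documented requirement. Characters outside the four
    classes (for example '_' or a space) are neither counted nor rejected,
    because the documentation defines no rule for them."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase letter (A-Z)")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("no lowercase letter (a-z)")
    if not any(c in string.digits for c in password):
        problems.append("no digit (0-9)")
    if not any(c in ERI_SPECIAL_CHARS for c in password):
        problems.append("no special character from the allowed set")
    return problems


def is_strong_eri_password(password: str) -> bool:
    """True when the password meets all of the ERI strong-password rules."""
    return not eri_password_problems(password)


if __name__ == "__main__":
    # The documentation's own example, plus two constructed near-misses.
    for candidate in ("qZG@3b!", "qZG@3b", "Passw0rd_"):
        print(candidate, eri_password_problems(candidate) or "OK")
```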

2.2.3 Configure Disk Encryption - Admin Password and Encryption Initialization

The information in this section assumes that you are on the Configure Disk Encryption - Admin Password and Encryption Initialization page of the Create New Disk Encryption Policy wizard. If you are not, see Creating a Policy for instructions about how to get there.

The Admin Password and Encryption Initialization page lets you specify an Administrator password for the ZENworks Full Disk Encryption Agent and determine when a device is rebooted to initiate the encryption of the device’s volumes.

Admin Password

The Administrator password enables access to the Administrator options in the Full Disk Encryption Agent. These options help you see the current status of the agent and view the assigned Disk Encryption policy, as well as troubleshoot problems with the agent or policy.

To set the password, click Set, specify the password, then click OK.

If you ever need to allow a user to access the Administrator options, we recommend that you use the Password Key Generator utility to generate a password key. The key, which is based on the FDE Admin password, functions the same as the FDE Admin password but can be tied to a single device or user and can have a usage or time limit.

The Password Key Generator utility is accessible under the Configuration Tasks list in the left navigation pane.

Reboot Options

When the Disk Encryption policy is applied to a device, the device’s disks cannot be encrypted until the device reboots and loads the Full Disk Encryption Agent’s encryption drivers.

  • Reboot Behavior: Select one of the following:

    • Force device to reboot immediately: Reboots the device immediately after the Disk Encryption policy is applied.

    • Do not reboot device: Does not force a reboot after the Disk Encryption policy is applied. The user must initiate a reboot before disk encryption can occur.

    • Force device to reboot within XX minutes: Reboots the device within the specified number of minutes after the Disk Encryption policy is applied. Providing a reboot delay can give the user time to save work prior to the reboot. The default delay is 5 minutes.

  • Display predefined message to user before rebooting: If you selected the Do not reboot device option or the Force device to reboot within XX minutes option, you can display a message to the user. The Force device to reboot immediately option does not support a message.

    Select this option to display the following message:

    ZFDE Policy Enforcement

    Your ZENworks Administrator has assigned a Disk Encryption policy to your computer. To enforce the policy, your computer must be rebooted.

  • Override predefined message with custom message: This option is available only after you select the Display predefined message to user before rebooting option. It lets you override the predefined message with your own custom message. Select the option, then specify a title for the message window and the text to include in the message body.

CheckDisk Options

We strongly recommend that you run Windows CheckDisk with Repair during the reboot. The disk check and repair is performed on the system volume (C: drive), ensuring that system and partition records are error-free prior to encrypting the target volumes.

This option is selected by default. If you are sure that the target volumes are in perfect condition (for example, the disks are new), you can select the Do not run Windows check disk option.

2.2.4 Configure Pre-Boot Authentication Methods

The information in this section assumes that you are on the Configure Pre-Boot Authentication Methods page of the Create New Disk Encryption Policy wizard. If you are not, see Creating a Policy for instructions about how to get there.

Encrypted data is available only after a user successfully authenticates to Windows on a device. If Windows authentication is not sufficient for your security requirements, you can enable ZENworks Pre-Boot Authentication (PBA) to add another layer of access protection.

The ZENworks PBA is a Linux-based component. When the Disk Encryption policy is applied to a device, a 500 MB partition containing a Linux kernel and the ZENworks PBA is created on the hard disk.

During normal operation, the device boots to the Linux partition and loads the ZENworks PBA. As soon as the user provides the appropriate credentials (user ID/password or smart card), the PBA terminates and the Windows operating system boots, providing access to the encrypted data on the previously hidden and inaccessible Windows drives.

The Linux partition is hardened to increase security, and the ZENworks PBA software is protected from alteration through the use of MD5 checksums and strong encryption for authentication keys.

ZENworks Pre-Boot Authentication

Select this option to enable the ZENworks PBA. This adds an additional layer of access protection before the standard Windows login.

Authentication Methods

These settings let you configure the methods that can be used for authenticating to a device’s encrypted disks. If you have enabled ZENworks Pre-Boot Authentication, you must select at least one of the methods.

  • Enable user ID/password authentication: Select this option to enable users to authenticate via a user ID and password. If you select this option, you must configure the settings in the User ID/Password Authentication Settings section.

  • Enable smart card authentication: Select this option to enable users to authenticate via a smart card. If you select this option, you must configure the settings in the Smart Card Authentication Settings section.

  • Default Authentication Method: If you enable both the user ID/password and smart card authentication methods, you must select the default method. Both methods are available to a user during pre-boot authentication, but the default method is presented if the user does not select a method within the allotted time.

  • Activate Single Sign-On for ZENworks PBA and Windows Login: Select this option to activate single sign-on for the PBA and Windows login. The user logs in to the PBA and the PBA handles the login to the Windows operating system. Single sign-on applies to both authentication methods (user ID/password or smart card).

User ID/Password Authentication Settings

If you selected Enable user ID/password authentication as one of the supported authentication methods, configure the following settings:

  • During PBA login, show user name of last successful logged-in user: Select this option to pre-populate the User ID field of the PBA login screen with the username of the last user who logged in to the PBA. This is convenient for the device’s primary user, but weakens security by providing unauthorized users with a valid user ID.

  • Create PBA account for first user who logs in to Windows after the policy is applied (User Capturing): Select this option to automatically capture the credentials of the first user to authenticate after the policy is applied. During the first reboot after the policy is applied, the Windows login is displayed and the PBA captures the credentials provided for the Windows login. During subsequent reboots, the PBA login is displayed and accepts the captured credentials.

    Captured credentials exist only on the device where they are captured. The credentials are not stored with this policy.

    If a device has multiple users, the PBA captures only the first user to log in after the policy is applied. You can capture additional users by using the FDE - Enable Additive User Capturing quick task for the device. When the quick task is applied to a device, it activates the user capturing mode for the next reboot. To use the quick task, select the device in Devices > Workstations, then click Quick Tasks > FDE - Enable Additive User Capturing.

    NOTE: The PBA captures the credentials of the first user to authenticate after reboot, whether the credentials are user ID/password or smart card. The PBA login screen allows the user to switch between user ID/password login and smart card login. If a device supports both types of login, you should make sure the device’s user logs in with the user ID/password and not the smart card. Otherwise, the smart card credential is captured and the user cannot log in via the user ID/password. This becomes a problem if you have not enabled smart cards as an authentication method (see Authentication Methods) because the user cannot log in.

  • Allow access for the following users: User capturing is the recommended way to create a PBA account for a device’s users. However, you can enable this option and use the PBA Users list to define PBA user accounts.

    All accounts that you add to the PBA Users list are created on all devices to which the policy is applied. Because of this, the PBA Users list is a good way to give Administrators access to each of the devices. For example, if you have a common Windows Administrator account that you use across devices, you can add the Windows Administrator as a PBA user. You can then log in to both the PBA and Windows on a device by using the Administrator account and password.

    To add a PBA user account, click Add, then fill in the following fields:

    • Replace password if user already exists in PBA: When the policy is applied, if the user you are adding matches an existing PBA user (for example, a user added by a previously applied Disk Encryption policy), the existing user account is retained, including the existing password. Select this option to replace the existing password with the one you specify in this dialog box.

    • User Name: Specify a user name for the PBA user. If single sign-on is active, this user name must be the same as the Windows user name. If single sign-on is not active, the user name does not need to match the Windows user name.

    • Domain: Specify a domain name for the PBA user. If single sign-on is active, this must be the Windows domain name or workgroup name. If single sign-on is not active, this field is optional. You can leave it blank or use it as another component to further distinguish the PBA user name.

    • Password: Specify a password for the PBA user. If single sign-on is active, this must be the Windows password. If single sign-on is not active, you can specify any password.

  • Remove existing users from PBA if not in this list: Select this option to remove any user accounts from the PBA that are not listed in the PBA Users list. Because captured users do not display in the list, they are also removed.

Smart Card Authentication Settings

If you selected Use smart card authentication as one of the supported authentication methods, configure the smart card settings.

  • Smart Card Reader: The system is configured to auto-detect the type of smart card reader. See Supported Smart Card Terminals and Tokens in the ZENworks Full Disk Encryption Agent Reference for a list of supported smart cards.

  • PKCS#11 Provider: Select the PKCS #11 provider used by the devices to which this policy will be assigned.

  • Create PBA account for first smart card user who logs in to the ZENworks PBA after the policy is applied (User Capturing): Select this option to automatically capture the credentials of the first user to authenticate after the policy is applied. During the first reboot after the policy is applied, the PBA login screen is displayed and the user is prompted for the smart card. The PBA captures the smart card credentials (certificate and PIN). During subsequent reboots, the PBA login accepts the captured smart card credentials.

    If a device has multiple users, the PBA captures only the first user to log in after the policy is applied. You can capture additional users by using the FDE - Enable Additive User Capturing quick task for the device. When the quick task is applied to a device, it activates the user capturing mode and creates a PBA account for the next user who logs in. To use the quick task, select the device in Devices > Workstations, then click Quick Tasks > FDE - Enable Additive User Capturing.

    NOTE: The PBA captures the credentials of the first user to authenticate after reboot, whether the credentials are smart card or user ID/password. The PBA login screen allows the user to switch from smart card login to user ID/password login, but you should make sure the device’s user logs in with the smart card and not the user ID/password. Otherwise, the user ID/password credential is captured and the user cannot log in via the smart card. This becomes a problem if you have not enabled user ID/password as an authentication method (see Authentication Methods) because the user cannot log in.

  • Allow certificate content to be used for authentication: User capturing is the recommended way to create a PBA account for smart card users because it accurately captures the smart card certificate information. If you don’t enable user capturing, you must manually define certificates that can be used for authentication. If you do enable user capturing, you can still manually define additional certificates that allow access.

    To define a certificate, click Add, fill in the following fields, then click OK to add the certificate to the list:

    • Certificate Name: Specify a name to identify the certificate in this policy. This is simply a display name and does not need to match the certificate file name or any other certificate property.

    • Certificate Content: Open the certificate in a text editor, then cut and paste the contents of the certificate into this box. You must use an X.509 certificate (*.cer; base64-encoded).

  • Remove existing certificates from PBA if not in this list: Select this option to remove any certificates from the PBA that are not listed in the Certificates list. Because captured certificates do not display in the list, they are also removed.

  • Allow certificate key usages to be used for authentication: In addition to enabling user capturing or defining the certificates that can be used for authentication, you need to further identify the certificates via key usages (this setting) or labels (the Allow certificate labels to be used for authentication setting). This adds a second layer of security to the certificate authentication.

    • Key Usages: Key usages define the purposes for which a certificate’s public key can be used, such as Data Encipherment or Digital Signature. You can view a certificate’s key usages by using Microsoft Certificate Manager (available as a snap-in to Microsoft Management Console).

      To add a certificate’s key usages to the list, click Add, select the desired usages (Shift-click or Ctrl-click to select multiple usages), click the arrow to move the selected items to the Selected List box, then click OK.

      If you add more than one key usage, the PBA evaluates the key usages against the certificates in the order the usages are listed, from top to bottom. You can use Move Up and Move Down to change the order of the key usages in the list.

    • Match policy: The match policy determines how many of the defined key usages must be contained in the smart card’s certificate in order for the match to be made and authentication to take place. Select one of the following options:

      • Any: The certificate must contain at least one of the listed key usages.

      • All: The certificate must contain all of the listed key usages.

      • None: The certificate cannot contain any of the listed key usages. This option lets you use the Key Usages list as an exclusion list (blacklist) rather than an inclusion list (whitelist).

  • Allow certificate labels to be used for authentication: In addition to enabling user capturing or defining the certificates that can be used for authentication, you need to further identify the certificates via labels (this setting) or key usages (the Allow certificate key usages to be used for authentication setting). This adds a second layer of security to the certificate authentication.

    A certificate label is a property defined within the certificate. You need to use the PKCS #11 middleware provider software to view the certificate label.

    To add a certificate label to the list, click Add, specify the label (case-sensitive), then click OK.

    If you add more than one label, the PBA attempts to match the first label in the list to a certificate on the authenticating smart card. If no match occurs, the second label is tested, then the third label, and so on until a match occurs or authentication fails. You can determine the order of the labels in the list by selecting a label and clicking Move Up or Move Down to reposition it in the list.

2.2.5 Configure Pre-Boot Authentication - Reboot and Lockout

The information in this section assumes that you are on the Configure Pre-Boot Authentication - Reboot and Lockout page of the Create New Disk Encryption Policy wizard. If you are not, see Creating a Policy for instructions about how to get there.

The Reboot and Lockout page lets you determine when the device is rebooted after initialization of the ZENworks PBA; the first pre-boot authentication does not occur until the device reboots. It also lets you specify the number of times a user can enter the incorrect PBA login information before being locked out.

Reboot Options

Both the ZENworks PBA and the Full Disk Encryption Agent’s encryption drivers are initialized the first time the device reboots after the Disk Encryption policy is applied. However, the ZENworks PBA requires an additional reboot to facilitate user capturing (if enabled) or authentication of a predefined user. In addition, encryption of the target volumes does not begin until this reboot occurs.

The following options let you specify how you want this second reboot to occur:

  • Reboot Behavior: Select one of the following:

    • Force device to reboot immediately: Reboots the device immediately after the PBA is initialized.

    • Do not reboot device: Does not force a reboot after the PBA is initialized. The user must initiate a reboot before user capturing or predefined user authentication can occur.

    • Force device to reboot within XX minutes: Reboots the device within the specified number of minutes after the PBA initializes. The default delay is 5 minutes.

  • Display predefined message to user before rebooting: If you selected the Do not reboot device option or the Force device to reboot within XX minutes option, you can display a message to the user. The Force device to reboot immediately option does not support a message.

    Select this option to display the following message:

    ZFDE Policy Enforcement

    Your ZENworks Administrator has assigned a Disk Encryption policy to your computer. To enforce the policy, your computer must be rebooted.

  • Override predefined message with custom message: This option is available only after you select the Display predefined message to user before rebooting option. It lets you override the predefined message with your own custom message. Select the option, then specify a title for the message window and the text to include in the message body.

Lockout Settings

The Lockout settings apply to the ZENworks PBA login.

  • Enable lockout for failed logins: Select this option to enable the PBA to lock out users based on failed login attempts, then configure the following settings:

    • Failed Logins after which Login is Delayed: Specify the number of failed logins to allow before delaying subsequent logins (the default is 3). When the specified number of failed logins is reached, each failed login attempt results in a 2-minute delay before the next attempt can be made. Make sure to specify a number that is less than the one entered in the Maximum Number of Failed Logins field.

    • Maximum Number of Failed Logins: Specify the maximum number of failed logins to allow before the lockout is enforced (the default is 10). When the maximum number of failed logins is reached, the device is locked. A PBA override must be performed to access the device and reset the failed login count. See PBA Override in the ZENworks Full Disk Encryption PBA Reference for more information.

    For example, using the defaults of 10 and 3 for the two settings, 10 failed logins are allowed before lockout, but after the third failed login all subsequent login attempts are delayed by 2 minutes.

  • PBA Keyboard Layout: Select the keyboard layout used for authentication.
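The following model replays the lockout behaviour described above with the documented defaults (3 and 10, 2-minute delay), including the check that the delay threshold is less than the maximum. It is an added example, not ZENworks code: the class names, the time source and the reset of the counter on a successful login are assumptions of this example.

```python
"""Model of the ZENworks PBA lockout settings documented above (added
example, not ZENworks code). Thresholds and the 2-minute delay come from the
documentation; class names, time handling and counter reset on success are
assumptions of this example."""
from __future__ import annotations
from dataclasses import dataclass

# Each failed attempt at or past the delay threshold imposes a 2-minute delay.
DELAY_SECONDS = 2 * 60


@dataclass
class LockoutPolicy:
    """The two Lockout Settings fields, with the documented defaults."""
    delay_after_failures: int = 3  # Failed Logins after which Login is Delayed
    max_failed_logins: int = 10    # Maximum Number of Failed Logins

    def __post_init__(self) -> None:
        # The documentation requires the delay threshold to be less than the
        # maximum; rejecting it here catches a misconfigured policy early.
        if not 0 < self.delay_after_failures < self.max_failed_logins:
            raise ValueError("delay threshold must be positive and less than the maximum")


@dataclass
class PbaLoginState:
    """Per-device PBA login counter (structure assumed for this example)."""
    policy: LockoutPolicy
    failed: int = 0
    locked: bool = False
    next_allowed_at: float = 0.0  # earliest time (seconds) the next attempt is accepted

    def attempt(self, now: float, credentials_ok: bool) -> str:
        """Process one PBA login attempt; return 'locked', 'delayed',
        'success' or 'failed'."""
        if self.locked:
            return "locked"    # only a PBA override clears this state
        if now < self.next_allowed_at:
            return "delayed"   # inside the 2-minute delay window; not counted
        if credentials_ok:
            self.failed = 0    # assumption: a successful login resets the counter
            return "success"
        self.failed += 1
        if self.failed >= self.policy.max_failed_logins:
            self.locked = True
            return "locked"
        if self.failed >= self.policy.delay_after_failures:
            self.next_allowed_at = now + DELAY_SECONDS
        return "failed"

    def pba_override(self) -> None:
        """Model the PBA override that unlocks the device and resets the count."""
        self.locked = False
        self.failed = 0
        self.next_allowed_at = 0.0


def simulate_default_lockout() -> tuple[list[str], float]:
    """Replay the documented example with the defaults (3 and 10): a guesser
    who submits a wrong password as soon as the PBA allows. Returns the outcome
    of each of 11 attempts and the time (seconds) at which the device locked."""
    state = PbaLoginState(LockoutPolicy())
    outcomes: list[str] = []
    now, locked_at = 0.0, -1.0
    for _ in range(11):
        outcome = state.attempt(now, credentials_ok=False)
        outcomes.append(outcome)
        if outcome == "locked" and locked_at < 0:
            locked_at = now
        now = max(now + 1.0, state.next_allowed_at)  # wait out any imposed delay
    return outcomes, locked_at


if __name__ == "__main__":
    results, when = simulate_default_lockout()
    print(results)                                  # 9 x 'failed', then 'locked' twice
    print(f"locked after {when / 60:.1f} minutes")  # 14.0 (seven 2-minute delays)
```

With the defaults, the seven delayed attempts between the third and tenth failure stretch ten guesses over about 14 minutes before the device locks and a PBA override is required.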

2.2.6 Configure Pre-Boot Authentication - Boot Method

The information in this section assumes that you are on the Configure Pre-Boot Authentication - Boot-Method page of the Create New Disk Encryption Policy wizard. If you are not, see Creating a Policy for instructions about how to get there.

After pre-boot authentication occurs, the BIOS or UEFI settings must be correctly set for Windows. The Boot Method page provides default settings for both UEFI and legacy BIOS in the Simple Configuration option, which is sufficient for the great majority of devices using Full Disk Encryption.

With older or unusual hardware configurations, the standard ZENworks PBA boot method and Linux kernel configuration used to provide the BIOS settings might not work, resulting in hardware that does not function correctly or is not recognized by Windows. In the event that you do have pre-boot issues due to these hardware settings, you can modify the hardware settings (DMI) using the Advanced Configuration option.

Once you have configured the boot method required for the devices you will encrypt with the Disk Encryption policy, the option you save in the policy, Simple Configuration or Advanced Configuration, becomes the prescribed PBA boot method. Information about each option, how to determine device hardware settings, and how to edit DMI settings in the Advanced Configuration, is provided in the following sections.

Simple Configuration

When you have pre-boot authentication configured in a deployed Disk Encryption Policy, a pre-boot screen displays that enables the device user to enter the required PBA credentials.

In the Simple Configuration, you can set the PBA screen to a graphical interface or a text interface for each firmware type, UEFI and legacy BIOS. When you save the policy with Simple Configuration selected, these settings become the default boot method for both UEFI and legacy BIOS devices. The setting options for the Simple Configuration are described below.

Boot method for UEFI devices

The settings you configure here determine the type of PBA screen that displays in the pre-boot process on UEFI configured devices when the Simple Configuration is selected in the policy.

  • UEFI application with graphical interface:

    This option uses the UEFI application graphical interface when the device is configured for UEFI firmware. The PBA screen conforms to Windows resolution settings.

  • Linux kernel with graphical interface:

    This option has the PBA screen resolution defined by the Linux kernel settings when the device is configured for UEFI firmware. The default resolution for this setting is 800x600 pixels (4:3 aspect ratio), but you can change the resolution from the Common and Less Common options shown in the Resolution drop-down list.

  • Text interface:

    This option has a PBA screen that is a simple text interface when the device is configured for UEFI firmware.

Boot method for legacy BIOS devices

The settings you configure here determine the type of PBA screen that displays in the pre-boot process on legacy BIOS configured devices when the Simple Configuration is selected in the policy.

  • Linux kernel with graphical interface:

    This option has the PBA screen resolution defined by the Linux kernel settings when the device is configured for legacy BIOS firmware. The default resolution for this setting is 800x600 pixels (4:3 aspect ratio), but you can change the resolution from the Common and Less Common options shown in the Resolution drop-down list.

  • Text interface:

    This option has a PBA screen that is a simple text interface when the device is configured for legacy BIOS firmware.

Advanced Configuration

When you have pre-boot authentication configured in a deployed Disk Encryption Policy, a pre-boot screen displays that enables the administrator and, if so configured, the device user, to interact with PBA before Windows boots up. Some devices might not support the boot methods or Linux kernel configurations used to provide hardware compatibility. The Advanced Configuration provides support for older or unusual hardware configurations. These configurations might include the following:

  • Hardware that does not function correctly or is no longer recognized under Windows after successful pre-boot authentication. This failure occurs because not all of the BIOS settings can be correctly handled and set for Windows.

  • New hardware that is not yet natively supported.

  • Poorly programmed BIOS implementations.

After modifying the settings described in this section, you must select and save Advanced Configuration in the policy to make it the PBA boot method for disk encryption.

NOTE:Beginning in ZENworks 2017 Update 1, Full Disk Encryption began using a new Linux kernel, which greatly reduced hardware compatibility issues with PBA. Information about the Linux kernel changes can be found in the ZENworks - Full Disk Encryption Update Reference.

Hardware compatibility is enabled through the default Linux boot method and two alternative boot options. These alternative boot methods, as well as specific hardware settings, are defined in a DMI (Desktop Management Interface) file that identifies hardware by the vendor and product strings reported in the device's DMI (SMBIOS) tables. Alternative boot methods include Simple PBA and Graphical PBA (UEFI firmware only). There is also an option to configure the PBA resolution. Graphical PBA and PBA resolution are particularly useful for tablet devices.

Configuration entries for these three DMI file options include the following:

  • Simple PBA: KERNEL=[SDP_KERNEL_SIMPLE_PBA]

  • Graphical PBA: KERNEL=[SDP_KERNEL_SIMPLE_PBA_GUI]

  • PBA Resolution:You can use the default setting or a custom configuration:

    • Default: PBA_RESOLUTION=DEFAULT

    • Custom: PBA_RESOLUTION=<explicit resolution>

The predefined file includes the default settings shown below. It is applied to all hardware configurations unless another configuration is explicitly defined in the file.

[default]
KERNEL=[SDP_KERNEL_DEFAULT]
KICKSTART=BIOS
PBA_RESOLUTION=DEFAULT

Any hardware configuration added to the DMI settings after the default section overrides the default settings, for the keys it specifies, only on devices whose DMI values match that entry. For example:

[LENOVO, 20BS006*]
DMI_SYS_VENDOR=LENOVO
DMI_PRODUCT_NAME=20BS006
KICKSTART=BIOS
KERNEL=[SDP_KERNEL_SIMPLE_PBA_GUI]
PBA_RESOLUTION=1920x1280

To edit the DMI settings, you must have the Advanced Configuration radio button selected. For more information, see Editing the Advanced Configuration.

Discovering Hardware Information

Before you can add a hardware configuration to the DMI file, you must know the device's hardware identification (its DMI vendor and product strings). ZENworks provides a utility, DMICONFIG, to discover this information.

  1. Go to the device whose hardware configuration you want to discover.

  2. Open a command shell (run as Administrator) and run c:\windows\nac\sbs\dmiconfig dump.

  3. Write down the configuration lines that were dumped to the screen.

Editing the Advanced Configuration

If you are adding a hardware configuration, make sure you have the configuration information (see Discovering Hardware Information).

On the Configure Pre-Boot Authentication - Boot Method page of the Create New Disk Encryption Policy wizard, or from the PBA Boot Method tab on the Details page of an existing policy:

  1. Select Advanced Configuration, and click Edit.

  2. Add the hardware information.

  3. Add the KICKSTART line with the method you want to use:

    • KICKSTART=BIOS: This is the standard method used by the ZENworks PBA and is intended for systems with unusual hardware configurations. It reboots the computer a second time so that the BIOS hardware settings can be passed to Windows.

    • KICKSTART=KEXEC: This method is similar to KICKSTART=BIOS but does not require a second reboot.

  4. Customize the boot option and PBA resolution, if applicable:

    • If you want PBA authentication using Simple PBA (no graphical interface), add the following line: KERNEL=[SDP_KERNEL_SIMPLE_PBA]

    • If you have hardware types that display the PBA screens with distorted resolution you can modify the resolution using one of the following options:

      PBA_RESOLUTION=DEFAULT

      -or-

      PBA_RESOLUTION=<explicit resolution>

      For example: PBA_RESOLUTION=1200x800

      NOTE:The x in the resolution parameter must be a lowercase x.

  5. Click OK to save your changes. See below for an example of a customized DMI configuration:

    [LENOVO, 20BS006*]
    DMI_SYS_VENDOR=LENOVO
    DMI_PRODUCT_NAME=20BS006
    KICKSTART=BIOS
    KERNEL=[SDP_KERNEL_SIMPLE_PBA]
    PBA_RESOLUTION=DEFAULT
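The editor in the wizard accepts whatever text you paste, and a typo such as an uppercase X in PBA_RESOLUTION or a missing KICKSTART line only shows up as a PBA that fails to boot on the affected hardware. The following script, added here as an example and not ZENworks code, parses a DMI configuration in the format shown above, lints the values the page documents (KERNEL, KICKSTART, PBA_RESOLUTION with a lowercase x, and the DMI_* keys every hardware section needs), and resolves the settings a given device would receive by overlaying matching hardware sections on [default]. Assumptions made for illustration: the page does not state how ZENworks matches DMI values, so this model treats a device as matching when its vendor and product strings equal or start with the configured values (which is how the 20BS006 entry above would cover 20BS006xxxx models), the section header is treated as a label only, and the function names and the sample device strings are invented.

```python
"""Parser, linter and match-resolver for the PBA boot-method DMI configuration.
Added example, not ZENworks code. Syntax and permitted values come from the page;
the DMI matching rule (exact or prefix match), all function names and the sample
device strings are assumptions made for illustration."""
import re

KNOWN_KERNELS = {"[SDP_KERNEL_DEFAULT]", "[SDP_KERNEL_SIMPLE_PBA]", "[SDP_KERNEL_SIMPLE_PBA_GUI]"}
KNOWN_KICKSTART = {"BIOS", "KEXEC"}
# DEFAULT, or WIDTHxHEIGHT with a lowercase x (the page warns the x must be lowercase)
RESOLUTION_RE = re.compile(r"^(DEFAULT|[1-9][0-9]*x[1-9][0-9]*)$")
SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_dmi_config(text: str) -> dict:
    """Return {section_label: {KEY: value}} in file order. Raises ValueError on malformed input."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            if current in sections:
                raise ValueError(f"line {lineno}: duplicate section [{current}]")
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected [section] or KEY=VALUE, got {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    if "default" not in sections:
        raise ValueError("no [default] section; it must be present")
    return sections


def lint_dmi_config(sections: dict) -> list:
    """Return problems to fix before clicking OK; an empty list means the file is acceptable."""
    problems = []
    for label, entries in sections.items():
        kernel = entries.get("KERNEL")
        if kernel is not None and kernel not in KNOWN_KERNELS:
            problems.append(f"[{label}]: unknown KERNEL {kernel}")
        kick = entries.get("KICKSTART")
        if kick not in KNOWN_KICKSTART:
            problems.append(f"[{label}]: KICKSTART must be BIOS or KEXEC, got {kick!r}")
        res = entries.get("PBA_RESOLUTION")
        if res is not None and not RESOLUTION_RE.match(res):
            problems.append(f"[{label}]: PBA_RESOLUTION must be DEFAULT or WIDTHxHEIGHT "
                            f"with lowercase x, got {res!r}")
        if label != "default":
            for key in ("DMI_SYS_VENDOR", "DMI_PRODUCT_NAME"):
                if key not in entries:
                    problems.append(f"[{label}]: hardware section is missing {key}")
    return problems


def _dmi_match(configured: str, actual: str) -> bool:
    # Assumed rule: exact match, or prefix match so 20BS006 covers 20BS006xxxx models.
    configured = configured.rstrip("*")
    return bool(configured) and (actual == configured or actual.startswith(configured))


def effective_settings(sections: dict, sys_vendor: str, product_name: str) -> dict:
    """Start from [default] and overlay every matching hardware section, in file order."""
    result = dict(sections["default"])
    for label, entries in sections.items():
        if label == "default":
            continue
        if (_dmi_match(entries.get("DMI_SYS_VENDOR", ""), sys_vendor)
                and _dmi_match(entries.get("DMI_PRODUCT_NAME", ""), product_name)):
            result.update({k: v for k, v in entries.items() if not k.startswith("DMI_")})
    return result


# Constructed sample: the page's default block and its Lenovo entry, plus an invented
# third entry with an uppercase X in the resolution to show what the linter catches.
SAMPLE_CONFIG = """\
[default]
KERNEL=[SDP_KERNEL_DEFAULT]
KICKSTART=BIOS
PBA_RESOLUTION=DEFAULT

[LENOVO, 20BS006*]
DMI_SYS_VENDOR=LENOVO
DMI_PRODUCT_NAME=20BS006
KICKSTART=BIOS
KERNEL=[SDP_KERNEL_SIMPLE_PBA]
PBA_RESOLUTION=DEFAULT

[Example tablet]
DMI_SYS_VENDOR=ExampleVendor
DMI_PRODUCT_NAME=Tab-1
KICKSTART=KEXEC
KERNEL=[SDP_KERNEL_SIMPLE_PBA_GUI]
PBA_RESOLUTION=1200X800
"""

if __name__ == "__main__":
    cfg = parse_dmi_config(SAMPLE_CONFIG)
    for problem in lint_dmi_config(cfg):
        print("LINT:", problem)
    # "20BS0061US" is a constructed product string, not a real device dump.
    print(effective_settings(cfg, "LENOVO", "20BS0061US"))
```

Feed the script the vendor and product strings you wrote down from dmiconfig dump to confirm that a device resolves to the section you intended and not to [default]. If ZENworks matches DMI values differently from the prefix rule assumed here, the model will disagree with what the PBA does on the device; treat that as a prompt to verify on the hardware rather than as a defect in the policy.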