11.5 Understanding What Happens After a Policy Is Assigned to a Device

After a policy is assigned to a device, the policy enforcement workflow on the device depends on the device type (standard or self-encrypting):

11.5.1 Standard Hard Disk

The following process occurs after a Disk Encryption policy (encryption only, no pre-boot authentication) is assigned to a device with standard hard disks:

  1. The next time the ZENworks Adaptive Agent refreshes, it receives the Disk Encryption policy.

  2. The ZENworks Full Disk Encryption Agent applies the policy to the device.

  3. The device reboots according to the disk encryption reboot setting in the policy. During the reboot, the following occurs:

    • A CheckDisk occurs if the Run Windows check disk with repair option is enabled in the policy. On Windows XP, the operation is performed if needed even if the option is not enabled.

    • A 100 MB ZENworks partition is created. This partition is used for storage of Full Disk Encryption files and the Emergency Recovery Information (ERI) file.

    • The Full Disk Encryption drivers are initialized.

    • The user is prompted to log in to Windows.

  4. The target disk volumes, as specified in the policy, are encrypted.

    Depending on the number of volumes and amount of data to be encrypted, encryption can take some time. If the device is rebooted during the encryption process, the process restarts where it left off prior to the reboot.

    You can view the ZENworks Full Disk Encryption About Box to monitor the encryption process.

11.5.2 Standard Hard Disk with Pre-Boot Authentication

The following process occurs after a Disk Encryption policy (encryption and pre-boot authentication) is assigned to a device with standard hard disks:

  1. The next time the ZENworks Adaptive Agent refreshes, it receives the Disk Encryption policy.

  2. The ZENworks Full Disk Encryption Agent applies the policy to the device.

  3. The device reboots according to the disk encryption reboot setting in the policy. During the reboot, the following occurs:

    • A CheckDisk occurs if the Run Windows check disk with repair option is enabled in the policy. On Windows XP, the operation is performed if needed even if the option is not enabled in the policy.

    • A 100 MB ZENworks partition is created. This partition is used for storage of encryption files, the Emergency Recovery Information (ERI) file, and the ZENworks PBA Linux kernel.

    • The Disk Encryption drivers and the ZENworks PBA are initialized.

    • The user is prompted to log in to Windows.

  4. After successful Windows login, the device reboots according to the PBA reboot setting for the policy. During the reboot, the following occurs:

    • If user capturing is enabled, the user receives an informational prompt and then the Windows login is displayed. When the user logs in (either with userID/password or smartcard), the ZENworks PBA captures the credentials. On subsequent reboots, the user is presented with the ZENworks PBA login and must provide the captured credentials.

    • If user capturing is not enabled, the user is prompted to enter credentials at the PBA login screen. The user must enter valid credentials for a PBA user or smartcard defined in the policy. If single sign-on is not enabled, the Windows login is then displayed and the user must enter valid Windows credentials to log in.

  5. After successful login, the target disk volumes, as specified in the policy, are encrypted.

    Depending on the number of volumes and amount of data to be encrypted, this can take some time. If the device is rebooted during the encryption process, the process restarts where it left off prior to the reboot.

    You can view the ZENworks Full Disk Encryption About Box to monitor the encryption process.

11.5.3 Self-Encrypting Hard Disk

The following process occurs after a Disk Encryption policy is assigned to a device with self-encrypting hard disks:

  1. The next time the ZENworks Adaptive Agent refreshes, it receives the Disk Encryption policy.

  2. The ZENworks Full Disk Encryption Agent applies the policy to the device.

  3. ZENworks creates a 128 MB MBR shadow and copies the ZENworks PBA Linux kernel to it.

  4. ZENworks initiates a forced shutdown of the device after the time period specified by the PBA Force device to reboot within xx minutes setting in the policy. If another setting (either Force device to reboot immediately or Do not reboot device) is configured as the PBA reboot option, the setting is ignored and the forced shutdown occurs after 5 minutes.

    This is a hard shutdown, not a reboot. The user must power on the device after the shutdown.

  5. At startup, the user receives a ZENworks Full Disk Encryption informational prompt and then the Windows login is displayed.

    During this initialization process, User Capturing and Single Sign-On are enabled regardless of the policy settings. After this one-time initialization process, the PBA enforces the User Capturing and Single Sign-On settings configured in the policy.

  6. When the user logs in to Windows (either with userID/password or smartcard), the ZENworks PBA captures the credentials.

    On subsequent reboots, the user is presented with the ZENworks PBA login and can provide the captured credentials or any credentials predefined in the policy’s PBA User list or Certificates list.
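The self-encrypting disk workflow above has two rules that are easy to misread when reviewing a policy: only the "Force device to reboot within xx minutes" value controls the forced shutdown (the other two reboot options fall back to 5 minutes), and User Capturing and Single Sign-On are forced on for the one-time initialization boot no matter what the policy says. The following Python model is an added example written for this section; it is not ZENworks code, and the class, function and field names (PbaPolicy, forced_shutdown_delay, effective_pba_settings, PbaLogin) are assumptions made for the illustration. It encodes steps 4 through 6 so an administrator can check what a given policy will actually do on the first and subsequent boots.

```python
"""
Illustrative model of the self-encrypting-disk enforcement rules in 11.5.3.
Added example, not ZENworks code; all names below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Values taken from the documented workflow
DEFAULT_FORCED_SHUTDOWN_MINUTES = 5   # used when the "within xx minutes" option is not selected
MBR_SHADOW_SIZE_MB = 128              # size of the MBR shadow that holds the PBA Linux kernel


@dataclass
class PbaPolicy:
    """Subset of the policy's PBA settings relevant to steps 4-6 (assumed field names)."""
    reboot_option: str                 # "within_minutes", "immediately" or "do_not_reboot"
    reboot_within_minutes: int = 0     # the xx value for the "within_minutes" option
    user_capturing: bool = False
    single_sign_on: bool = False
    pba_users: set = field(default_factory=set)     # user IDs predefined in the PBA User list
    certificates: set = field(default_factory=set)  # smartcard certificates in the Certificates list


def forced_shutdown_delay(policy: PbaPolicy) -> int:
    """Minutes until the forced (hard) shutdown of a self-encrypting-disk device.

    Only "Force device to reboot within xx minutes" is honoured; "immediately"
    and "do not reboot" are ignored and the shutdown occurs after 5 minutes.
    """
    if policy.reboot_option == "within_minutes" and policy.reboot_within_minutes > 0:
        return policy.reboot_within_minutes
    return DEFAULT_FORCED_SHUTDOWN_MINUTES


def effective_pba_settings(policy: PbaPolicy, initialization_boot: bool) -> dict:
    """User Capturing and Single Sign-On as the PBA enforces them on a given boot.

    On the one-time initialization boot both are enabled regardless of the
    policy; on every later boot the configured policy values apply.
    """
    if initialization_boot:
        return {"user_capturing": True, "single_sign_on": True}
    return {"user_capturing": policy.user_capturing,
            "single_sign_on": policy.single_sign_on}


class PbaLogin:
    """Minimal model of which credentials the PBA accepts after initialization."""

    def __init__(self, policy: PbaPolicy):
        self.policy = policy
        self.captured: Optional[str] = None   # credential captured at the first Windows login

    def capture_windows_login(self, credential: str) -> None:
        # Step 6: the PBA captures the credential used for the Windows login.
        self.captured = credential

    def accepts(self, credential: str) -> bool:
        # Subsequent reboots: the captured credential, or any credential
        # predefined in the policy's PBA User list or Certificates list.
        return (self.captured is not None and credential == self.captured) \
            or credential in self.policy.pba_users \
            or credential in self.policy.certificates


if __name__ == "__main__":
    # Constructed sample policy: "Do not reboot device" selected, capturing/SSO off.
    policy = PbaPolicy("do_not_reboot", user_capturing=False, single_sign_on=False,
                       pba_users={"helpdesk"})
    print("forced shutdown after", forced_shutdown_delay(policy), "minutes")
    print("initialization boot:", effective_pba_settings(policy, True))
    print("later boots:", effective_pba_settings(policy, False))
    pba = PbaLogin(policy)
    pba.capture_windows_login("alice")
    print("alice accepted:", pba.accepts("alice"), "| helpdesk accepted:", pba.accepts("helpdesk"))
```

The point of running this against a real policy's values is to confirm the two surprises before rollout: a policy set to "Do not reboot device" still shuts the device down after 5 minutes, and the first boot captures credentials and signs the user on even when both options are disabled.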