4.2 Performing Recovery Operations on a Standard Hard Disk

The following sections provide information about the emergency recovery operations you can perform on standard hard disks. For information about emergency recovery operations for self-encrypting hard disks, see Performing Recovery Operations on a Self-Encrypting Hard Disk.

4.2.1 Decrypting a Drive

Typical scenarios where you might need to decrypt a drive include:

  • ZENworks Full Disk Encryption was removed from the device before the drive was decrypted.

  • Decryption was interrupted abnormally (for example, because of a power failure).

To decrypt a drive:

  1. Make sure you have launched the Emergency Recovery application and loaded the device’s ERI file. See Launching the Emergency Recovery Application.

  2. In the Workbench tree, select the drive you want to decrypt, then click the Partition menu > Decrypt to display the Decrypt Drive dialog box.

  3. Deselect the Decrypt only used sectors option if you want to decrypt all of the drive’s sectors (both used and unused).

    Decrypting all sectors (used and unused) can take significantly longer than decrypting only used sectors.

  4. Click OK to start the decryption process.

4.2.2 Repairing the Boot Chain

This section applies to standard hard drives encrypted by ZENworks Full Disk Encryption. It does not apply to self-encrypting drives.

If a device cannot locate the ZENworks partition at boot time, the boot chain might be damaged. You can repair the damaged boot chain. During the repair process, the Emergency Recovery application rewrites all of the files necessary to start the device and resets the ZENworks PBA settings to the defaults. This means that all PBA user accounts are removed.

To repair the boot chain:

  1. Make sure you have launched the Emergency Recovery application and loaded the device’s ERI file. See Launching the Emergency Recovery Application.

  2. Click the BootChain menu > Repair BootChain to display the Repair Boot Information dialog box.

  3. Choose one of the following options:

    • Repair FDE / Deactivate PBA (BartPE): Repairs the boot chain and deactivates the ZENworks PBA.

    • SBS-bootsector overwriting (Windows PE): Repairs the boot chain and deactivates the ZENworks PBA.

    • Self-init options: These options are available only if the Repair FDE / Deactivate PBA or SBS-bootsector overwriting option is not selected. After the boot chain is repaired, the ZENworks PBA remains active and you can use one of the following options to initiate user capturing on the first reboot of the device:

      • All Users SelfInit: Enables user capturing for either user ID/password or smart card authentication.

      • SmartCard SelfInit: Enables user capturing for smart card authentication only.

      • Password SelfInit: Enables user capturing for user ID/password authentication only.

  4. Click OK to start the repair process.

  5. When the repair process is complete, close the application.

  6. Shut down the device, then restart it.

4.2.3 Repairing the Master Boot Record

This section applies to standard hard drives encrypted by ZENworks Full Disk Encryption. It does not apply to self-encrypting drives.

When a Disk Encryption policy is applied to a device, the ZENworks Full Disk Encryption Agent creates a 100 MB partition, referred to as the ZENworks partition, and modifies the master boot record (MBR) to set the ZENworks partition as the boot partition.

It is possible for other applications to modify the MBR and cause the device to no longer boot to the ZENworks partition. If this occurs, you can repair the MBR. Repairing the MBR fixes any problems that prevent the device from booting to the ZENworks partition.

  1. Make sure you have launched the Emergency Recovery application and loaded the device’s ERI file. See Launching the Emergency Recovery Application.

  2. Click the BootChain menu > Repair MBR to display the Repair MBR dialog box.

  3. Click OK to start the repair process.

    The dialog box closes when the repair is complete.

  4. Close the application.

  5. Shut down the device, then restart it.

4.2.4 Restoring the Original Master Boot Record

This section applies to standard hard drives encrypted by ZENworks Full Disk Encryption. It does not apply to self-encrypting drives.

When a Disk Encryption policy is applied to a Windows device, the ZENworks Full Disk Encryption Agent creates a 100 MB partition, referred to as the ZENworks partition, and modifies the master boot record (MBR) to set the ZENworks partition as the boot partition.

You can restore the original MBR if necessary.

  1. Make sure you have launched the Emergency Recovery application and loaded the device’s ERI file. See Launching the Emergency Recovery Application.

  2. Click the BootChain menu > Restore Original MBR to display the Restore Original MBR dialog box.

  3. Click OK to start the restore process.

    The dialog box closes when the original MBR is restored.

  4. Close the application.

  5. Shut down the device, then restart it.

4.2.5 Erasing the Disk

This section applies to standard hard drives. It does not apply to self-encrypting hard drives. For information about erasing a self-encrypting hard drive, see Erasing the Disk.

The Emergency Recovery application can perform a secure erase of a standard hard disk. The process removes all data from the disk. This includes both encrypted and unencrypted volumes.

  1. Make sure you have launched the Emergency Recovery application and loaded the device’s ERI file. See Launching the Emergency Recovery Application.

  2. Click the Administration menu > Wipe Data (for BartPE) or Erase Harddrive (for Windows PE), then follow the prompts.

    It takes approximately 30 to 40 minutes to erase 10 GB of data, so the entire process can take a long time.

  3. When the erasure process is complete, close the application.

  4. Shut down the device.

4.2.6 Setting the Administration Password

This section applies to standard hard drives. It does not apply to self-encrypting hard drives. For information about setting the Administration password for a device with a self-encrypting hard disk. See Erasing the Disk

The ZENworks Full Disk Encryption components (Full Disk Encryption Agent and ZENworks PBA) have an Administration password that is for internal administrative functions as well as several administrator functions available during ZENworks PBA login. The only time you should need to use this password is in conjunction with Micro Focus Support.

The password is device specific and is randomly generated when a Disk Encryption policy is applied to the device. The password is recorded in ZENworks Control Center in the same location as the device’s ERI file (Full Disk Encryption > Emergency Recovery).

You can use the Emergency Recovery application to assign a new Administrator password to a device.

  1. Make sure you have launched the Emergency Recovery application and loaded the device’s ERI file. See Launching the Emergency Recovery Application.

  2. Click the Administration menu > Set Admin Password.

  3. Specify a new password, then click OK.

  4. Close the application.