2.1 Deployment Best Practices

As you deploy Disk Encryption policies to devices, we strongly recommend that you implement the practices in the sections below to achieve the best results.

2.1.1 Encryption Recommendations

The following recommendations apply to the encryption settings for a Disk Encryption policy:

  • Local Fixed Volumes: You can encrypt all volumes or selected volumes. If possible, encrypt all volumes. If you specify volumes, the drive volumes must be the same on all target devices (for example, C: on all devices).

  • Encryption: Use the default algorithm (AES) and key length (256) unless your organization requires a different algorithm and key length. For fastest initial encryption of a device, enable the Encrypt only the used sectors of the drive option. After initial deployment, additional data written to the disk is automatically encrypted.

  • Reboot Behavior: Force a reboot but provide a reasonable timeout before the reboot. Provide a custom message with the reboot. Run Windows check disk during the reboot to ensure disk integrity.

2.1.2 Pre-Boot Authentication Recommendations

The following recommendations apply to the pre-boot authentication settings for a Disk Encryption policy:

  • Single Sign-On: Activate single sign-on. This enables credentials to be entered one time at the PBA login screen and passed to both the Windows login and ZENworks login.

  • User ID/Password Authentication: If you enable user ID/password authentication, the following recommendations apply:

    • Populate the PBA Users list with IT administrators and key personnel who should always have access to the data on the device.

    • Enable user capturing so that the ZENworks PBA captures the credentials of the first user to log in to Windows after the policy is applied. The captured credentials can be used to log in to the PBA and Windows.

  • Smart Card Authentication: If you enable smart card authentication, the following recommendations apply:

    • A Disk Encryption policy can specify only one smart card reader and one PKCS#11 provider. If you have devices with different readers or providers, create different policies for the devices.

    • Enable smart card user capturing so that the ZENworks PBA captures the smart card credentials of the first user to log in after the policy is applied. The captured credentials can be used to log in to the PBA and Windows.

  • Reboot Behavior: Force a reboot but provide a reasonable timeout before the reboot. Provide a custom message with the reboot. Be aware that encryption of the target volumes does not start until this final reboot occurs.

  • Lockout: Don’t use lockout settings unless your organization requires it. Leave the PBA keyboard layout set to auto detect so that the layout is determined by the Windows operating system locale.

2.1.3 Image Devices Before Applying Policies

ZENworks Full Disk Encryption encrypts data. As with any encryption product, you should image target devices prior to performing encryption. With ZENworks Full Disk Encryption, this means that you should image a device before assigning a Disk Encryption policy to it. If encryption or pre-boot authentication fails on a device, you can apply the image to restore the device.

For information about using ZENworks Configuration Management to image devices, see the ZENworks 2017 Preboot Services and Imaging Reference.

2.1.4 Test Policies Before Assigning Them to Production Devices

Before applying a policy to production devices, apply the policy to test devices that have the same hardware configurations as the production devices.

This practice is essential if the policy installs ZENworks Pre-Boot Authentication to devices. After successful pre-boot authentication occurs, the ZENworks PBA must configure the BIOS settings correctly for Windows. With some hardware configurations, the standard boot method and Linux kernel configuration used by the PBA might not work, resulting in hardware that does not function correctly or is not recognized by Windows. In some cases, the device might not boot to Windows.

As part of the Disk Encryption policy, you can customize the DMI (Direct Media Interface) file to provide compatibility for hardware configurations that are not supported. This is a discovery process that can require multiple customization attempts. The easiest way to recover from a failed attempt is to reimage the device (see Image Devices Before Applying Policies).

For information about testing devices, see Testing a Disk Encryption Policy.

2.1.5 Control the Policy Assignments

A Disk Encryption policy can be assigned to devices or to device folders. A device inherits any Disk Encryption policies assigned to the folders in which the device resides. It then applies the policy that is closest to it. For example, if a policy is assigned to a device and another policy is assigned to the device’s parent folder, the device applies the policy assigned to it and ignores the folder-assigned policy. For more information, see Effective Policy.

Because of the system requirements and hardware support considerations for Full Disk Encryption, we strongly recommend that folder assignments be used with caution. Before assigning a Disk Encryption policy to a folder, you should ensure that all devices within the folder (and subfolders) can support the policy. If a device cannot, you can move the device to another folder or assign an appropriate Disk Encryption policy directly to the device.

The same policy can be applied to devices with standard hard disks and devices with self-encrypting hard disks. With self-encrypting hard disks, the Full Disk Encryption Agent ignores the encryption settings and only applies the pre-boot authentication settings.
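The following is an added example, not ZENworks code: it models the assignment rules described above (a device inherits policies from its folder chain and applies the closest one, a self-encrypting disk receives only the PBA settings) and adds the pre-assignment check for a folder, flagging devices whose disks are not supported. The folder paths, device records, disk types and policy names are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Device:
    name: str
    folder: str                   # folder path the device object resides in
    disk_type: str                # "standard", "sed" (self-encrypting), "scsi" or "raid"
    policy: Optional[str] = None  # Disk Encryption policy assigned directly to the device

# Constructed assignment table: folder path -> policy name assigned to that folder
FOLDER_ASSIGNMENTS = {
    "/Workstations": "FDE-Baseline",
    "/Workstations/Laptops": "FDE-Laptops",
}

# Constructed inventory; "srv-01" has a RAID disk, which encryption does not support
DEVICES = [
    Device("lap-01", "/Workstations/Laptops", "standard"),
    Device("lap-02", "/Workstations/Laptops", "sed", policy="FDE-Exec"),
    Device("ws-01", "/Workstations", "standard"),
    Device("srv-01", "/Workstations/Servers", "raid"),
    Device("ws-02", "/Other", "standard"),
]

def effective_policy(device, folder_assignments=FOLDER_ASSIGNMENTS):
    """Closest policy wins: a direct assignment first, then the nearest ancestor folder."""
    if device.policy:
        return device.policy
    path = device.folder
    while path:
        if path in folder_assignments:
            return folder_assignments[path]
        path = path.rsplit("/", 1)[0]   # "/a/b/c" -> "/a/b"; "/a" -> "" ends the walk
    return None

def applied_settings(device, folder_assignments=FOLDER_ASSIGNMENTS):
    """Which parts of the effective policy the agent applies on this device."""
    policy = effective_policy(device, folder_assignments)
    if policy is None:
        return None
    # On a self-encrypting disk the encryption settings are ignored; PBA settings still apply
    return {"policy": policy, "encryption": device.disk_type != "sed", "pba": True}

def unsupported_devices(folder, devices=DEVICES):
    """Devices in the folder (or its subfolders) that cannot support a folder-assigned policy."""
    return [d.name for d in devices
            if (d.folder == folder or d.folder.startswith(folder + "/"))
            and d.disk_type in ("scsi", "raid")]
```

Run `unsupported_devices("/Workstations")` before assigning to that folder; any device it returns should be moved to another folder or given a direct assignment instead.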

2.1.6 Do Not Encrypt SCSI or RAID Hard Disks

Encryption of SCSI and RAID hard disks is not supported. If you target a SCSI or RAID hard disk for encryption, the device becomes unbootable. To recover the device, you must use a bootable operating system CD (or Windows PE or Bart PE) to delete the ZENworks (NAC) partition created when the policy was applied.

If possible, you should disable or uninstall the Full Disk Encryption Agent on devices with SCSI or RAID hard disks. For instructions, see Uninstalling the Full Disk Encryption Agent in the ZENworks Full Disk Encryption Agent Reference.

2.1.7 Make Sure the ERI File is Uploaded to the ZENworks Server

After the Disk Encryption policy is applied to a device, the Full Disk Encryption Agent generates an emergency recovery information (ERI) file. If the agent has contact with the ZENworks Server, the file (and its auto-generated password) is uploaded to the server. Otherwise, the agent retries the upload every 5 minutes until it is successful.

The ERI file and password are required to recover the device if a problem occurs. Without the ERI, the device’s encrypted data is lost. You should ensure that the agent has network access to the ZENworks Server so that the file is uploaded as soon as possible. To verify that the file is uploaded, use ZENworks Control Center to view the Emergency Recovery Information list for the device (ZENworks Control Center > Devices > device object > Emergency Recovery).

2.1.8 Remove and Reapply the Policy After Adding a New Disk Drive or Volume

When you apply a Full Disk Encryption policy to a device, you have the option to encrypt all local fixed volumes or specify the volumes that will be encrypted. Once the policy is applied, the specified volumes are encrypted.

If you add a new disk drive to the device, or you want to specify another volume on the device for encryption, the policy must be removed, including disk decryption, and then be reapplied to recognize the new volumes. If the existing policy is not set to encrypt all local fixed volumes, you need to edit the Local Fixed Volumes setting in the policy to recognize the new volumes before reapplying the policy and encrypting the drives.