" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" /> ZENworks 2020 Update 2 Troubleshooting Full Disk Encryption

ZENworks 2020 Update 2 Troubleshooting Full Disk Encryption

August 2021

This document provides troubleshooting guidelines for common problems related to ZENworks Full Disk Encryption. If, after completing the troubleshooting steps, the problem is not resolved, you should contact Technical Support for additional help.

1.0 Windows PE Emergency Recovery Disk (ERD) is not working

2.0 Issues with PBA login or boot sequence

After pre-boot authentication occurs, the BIOS or UEFI settings must be correctly set for Windows. With unusual DMI hardware configurations, the standard ZENworks PBA boot method and Linux kernel configuration used to provide the BIOS settings, might not work, resulting in hardware that does not function correctly or is not recognized by Windows.

Beginning in ZENworks 2017 Update 2, the Full Disk Encryption Agent includes DMI menu options to repair the boot sequence for issues relating to these DMI configurations. This menu is accessible by using the Ctrl + G keyboard command at a brief point when Full Disk Encryption is shown during a device restart.

Menu boot options:

Full Disk Encryption PBA (previous)

Full Disk Encryption Simple PBA

Full Disk Encryption PBA (KICKSTART=FAST)

Full Disk Encryption PBA (KICKSTART=BIOS)

Full Disk Encryption PBA (KICKSTART=BIOS) low resolution

Full Disk Encryption PBA (KICKSTART=BIOS) without DRM

Full Disk Encryption Debug PBA (KICKSTART=FAST)

Full Disk Encryption Debug PBA (KICKSTART=BIOS)

Full Disk Encryption Debug PBA (KICKSTART=BIOS) without DRM

Windows Boot Manager

The two issues below are known issues that are resolved with the DMI repair options indicated. If you experience a different issue in the boot process on devices using PBA, you can troubleshoot by trying different options in this menu.

2.1 The ZENworks PBA is not booting to the Windows operating system

Symptoms: After logging in to the PBA, the user encounters a black screen or GRUB error and the device does not boot the operating system.

To resolve this issue, you need to repair the device’s master boot record or GUID partitions tables so that the device boots directly to the operating system.

  1. Reboot the device that is having the issue.

  2. When the black screen displays the text Full Disk Encryption, press Ctrl + G on the keyboard.

    NOTE:The Full Disk Encryption text only displays for 2 seconds. The Ctrl + G command must be executed while the text is still visible.

  3. A menu opens with several DMI boot options. Choose Full Disk Encryption Simple PBA to repair the boot sequence and load the Simple PBA login prompt.

  4. Log in with authorized credentials.

You need to then modify the Direct Media Interface (DMI) file provided by ZENworks Full Disk Encryption so that it includes the correct settings to boot the device.

IMPORTANT:ZENworks added a new Linux kernel in ZENworks 2017 Update that resolves many of the PBA hardware issues that can occur when applying a new Full Disk Encryption policy.

The procedure provided below was written for ZENworks Full Disk Encryption versions prior to 2017 Update 1 and it uses the DMI settings from those versions as examples. Although this ZENworks version uses the new default DMI settings, the process for modifying the DMI file is still applicable in the event of an unknown PBA issue in ZENworks.

  1. Repair the device’s MBR or GPT:

    • Windows 7: Boot the device from a Windows 7 installation disk. When the Windows 7 splash screen displays, click Repair your computer. After the scan completes, select the Windows installation to repair and continue. If you are prompted to repair the problem automatically, select No. When the System Recovery Options dialog is displayed, click the Command Prompt option, then enter bootrec.exe /fixmbr at the command prompt. You should see a success message after running the command. Type exit to exit out of the command prompt and continue to boot into Windows.

      If you don’t have a Windows 7 installation disk, you can use a Windows 7 system recovery disk. To create the disk on a working Windows 7 machine, click Start > All Programs > Maintenance > Create a System Repair Disc.

    • Windows 8 or Windows 10: Boot the device from a Windows 8 or Windows 10 installation disk, respectively. When the Windows splash screen displays, click Repair your computer. On the next screen, select Troubleshoot, then select Advanced options. From the Advanced options, launch a command prompt, then enter bootrec.exe /fixmbr. When the operation is finished, reboot the device.

      If you don’t have a Windows 8 or Windows 10 installation disk, you can use a system recovery disk created from the Windows ADK and the ZENworks WinPE plugin.

  2. Modify the dmi.ini file settings:

    The dmi.ini file provides the boot method to be used to transition from the Linux kernel to the Windows operating system. The file contains a default boot setting and a list of known hardware configurations that require different boot settings. The default setting is applied unless the device’s hardware configuration is in the list. The dmi.ini file’s default setting and first few entries are shown below:

    [default]
    KICKSTART=FAST
    
    [FUJITSU SIEMENS,LIFEBOOK C1110]
    DMI_SYS_VENDOR=FUJITSU SIEMENS
    DMI_PRODUCT_NAME=LIFEBOOK C1110
    KICKSTART=BIOS
    
    [LENOVO,20021,2959]
    DMI_SYS_VENDOR=LENOVO
    DMI_PRODUCT_NAME=20021,2959
    KICKSTART=BIOS
    
    [LENOVO,0831CTO]
    DMI_SYS_VENDOR=LENOVO
    DMI_PRODUCT_NAME=0831CTO
    KICKSTART=KEXEC
    KERNEL_PARAM=pci=snb-enable-ahci-to-legacy

    You need to discover the correct settings for your device and add an entry to the dmi.ini file. This discovery is a trial and error process; you will need to try different settings until one enables the machine to boot successfully.

    1. On the device, open a command prompt with Administrator privileges, change to the c:\windows\nac\sbs directory, then run the dmiconfig dump command to see the device’s current dmi.ini settings.

    2. Create a new dmi.ini text file on your desktop and copy the results from the dmiconfig dump into the file. Edit the last line to remove the semicolon and change the KICKSTART value to another boot option (listed below), as shown in the following example:

      Finding the correct setting is a trial and error process. The possible DMI settings are listed below in the order we recommend trying them. For some settings, recommendations are given for when to use them.

      Setting

      Example

      KICKSTART=BIOS

      This setting is effective in resolving issues where the ZENworks PBA displays the credential or user capture prompt but then fails to boot to Windows.

      [LENOVO,2767AL9]
      DMI_SYS_VENDOR=LENOVO
      DMI_PRODUCT_NAME=2767AL9
      KICKSTART=BIOS

      KICKSTART=KEXEC

      [LENOVO,2767AL9]
      DMI_SYS_VENDOR=LENOVO
      DMI_PRODUCT_NAME=2767AL9
      KICKSTART=KEXEC

      KICKSTART=FAST

      [LENOVO,2767AL9]
      DMI_SYS_VENDOR=LENOVO
      DMI_PRODUCT_NAME=2767AL9
      KICKSTART=FAST

      KICKSTART=KEXECKERNEL_PARAM=pci=snb-enable-ahci-to-legacy

      [LENOVO,2767AL9]
      DMI_SYS_VENDOR=LENOVO
      DMI_PRODUCT_NAME=2767AL9
      KICKSTART=KEXEC
      KERNEL_PARAM=pci=snb-enable-ahci-to-legacy

      KICKSTART=KEXECKERNEL=/boot/bzImage-acpi

      This setting is effective in resolving issues where the ZENworks PBA screen displays but the credential or user capture prompt never displays.

      [LENOVO,2767AL9]
      DMI_SYS_VENDOR=LENOVO
      DMI_PRODUCT_NAME=2767AL9
      KICKSTART=KEXEC
      KERNEL=/boot/bzImage-acpi

      KICKSTART=KEXECKERNEL_PARAM=pci=snb-enable-ahci-to-legacyKERNEL=/boot/bzImage-acpi

      [LENOVO,2767AL9]
      DMI_SYS_VENDOR=LENOVO
      DMI_PRODUCT_NAME=2767AL9
      KICKSTART=KEXEC
      KERNEL_PARAM=pci=snb-enable-ahci-to-legacy
      KERNEL=/boot/bzImage-acpi
    3. In the c:\windows\nac\sbs directory, make a backup copy of the current dmi.ini file, then copy your edited dmi.ini file to the directory.

    4. Open a command prompt with Administrator privileges, change to the c:\windows\nac\sbs directory, then run the dmiconfig import --force command to import the settings from the new dmi.ini file. Run dmiconfig dump to verify the change.

    5. Reboot the device. If the device fails to boot to the Windows operating system, repair the MBR, then repeat the above process using another setting.

    6. After you find the correct setting, you can edit your Full Disk Encryption policy to add it to the policy’s dmi.ini file (ZENworks Control Center > Policies > Full Disk Encryption policy details > DMI Settings tab > Edit).

2.2 The ZENworks PBA screen does not have a login prompt

Syptoms: When restarting an encrypted device with PBA, the PBA splash screen opens without a login prompt.

To resolve this issue, you need to repair the device’s master boot record or GUID partitions tables so that the device boots directly to the operating system.

  1. Reboot the device that is having the issue.

  2. When the black screen displays the text Full Disk Encryption, press Ctrl + G on the keyboard.

    NOTE:The Full Disk Encryption text only displays for 2 seconds. The Ctrl + G command must be executed while the text is still visible.

  3. A menu opens with several DMI boot options. Choose Full Disk Encryption PBA (KICKSTART=BIOS) without DRM to repair the boot sequence and load the PBA login screen.

  4. Log in with authorized credentials.

3.0 The ZENworks Endpoint Security service (ZESService) is crashing

  • Check to see if the device is using the Intel IRRT driver. This driver causes the device to crash and is not supported. If the device is using the driver:

    1. Disable the driver through the device’s adapter settings.

    2. Reboot the device to BIOS and change from IRRT to AHCI mode.

4.0 New disk drive not encrypting with existing Full Disk Encryption policy

When you apply a Full Disk Encryption policy to a device, you have the option to encrypt all local fixed volumes or specify the volumes that will be encrypted. Once the policy is applied, the specified volumes are encrypted.

If you add a new disk drive to the device, or you want to specify another volume on the device for encryption, the policy must be removed, including disk decryption, and then be reapplied to recognize the new volumes. If the existing policy is not set to encrypt all local fixed volumes, you need to edit the Local Fixed Volumes setting in the policy to recognize the new volumes before reapplying the policy and encrypting the drives.

For information about removing, editing, and applying Full Disk Encryption policies, see the ZENworks Full Disk Encryption Policy Reference.

5.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.microfocus.com/about/legal/.

© Copyright 2008 - 2021 Micro Focus or one of its affiliates.

The only warranties for products and services of Micro Focus and its affiliates and licensors (Micro Focus) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.