The secretary encryption updating and sweet boobs!

To get the enhancements of the new Linux kernel, you must update your devices to the 17.1 ZENworks Agent and employ a new Disk Encryption policy from an updated server. Reviewing the comments in this section will help you to successfully transition Full Disk Encryption to ZENworks 2017 Update 1:

Prerequisites when updating the Full Disk Encryption agent to ZENworks 17.1

Perform the prerequisites below to successfully update the Full Disk Encryption Agent to 17.1:

  1. If you are updating from ZENworks 17.0, enable the event in ZENworks Control Center before decrypting any devices. See Monitor Agent Events in ZCC in Step 3 below.

    Skip this step for 11.4.3 and earlier versions.

  2. Remove Disk Encryption policy assignments from encrypted devices, and refresh those devices to start disk decryption and, if applicable, PBA removal.

    See in the ZENworks Full Disk Encryption Policy Reference.

  3. Verify the completion of disk decryption on applicable devices using one of the following methods:

    • Monitor Agent Events in ZCC: This option is only available in 17.0 and later versions of the ZENworks Control Center, and you need to have the event enabled before starting decryption. The events display in > > .

      See and in the ZENworks 2017 Update 1 - Auditing Full Disk Encryption Events reference.

    • Registry key value: Open the feature from Windows Start on the device, and type regedit in the field to open the Registry Editor. In the Registry Editor, go to HKEY_LOCAL_MACHINE\\Software\\SECUDE\\SNB\\FDE. If a device is still in an encryption state: encrypted, encrypting, or decrypting, the registry keys will have the following status of encryption or decryption:

      • DriveInProgress: SZ registry key indicates which drive is encrypted, encrypting, or decrypting by the drive letter.

      • OperationInProgress: DWORD registry key indicates encryption status (1) or decryption status (2).

      • ProgressPercent: DWORD registry key indicates percent complete of encryption or decryption (hex 64 or decimal 100).

      If there is not an EncryptionProgress folder with the registry keys provided above, there is not a Disk Encryption policy enforced on the device.

      NOTE:You can also run a batch file through the Active Directory or deploy a bundle to run the batch file rather than accessing individual devices to check the registry keys.

    • Component status FDE command: Open a command prompt on the device and change the directory (cd) to %ZENWORKS_HOME%\esm. From this directory type zescommand.exe/componentStatus FDE

      • Volume(s) encrypted: If the return value is negative, then a policy is enforced with encryption in place.

      • No policy or encryption: If the return value is positive, there is no Disk Encryption policy in place or initialized.

    • FDE About Box: Open the Full Disk Encryption About box on the device, and check the encryption Status. For more information, see in the ZENworks Full Disk Encryption Agent Reference.

  4. After first verifying they are not referencing managed devices, delete unused 17.0 or earlier version Disk Encryption policies.

    To verify no devices are being referenced, select the policy in the ZENworks Control Center, and verify there are no Device, User, or Group assignments in the page.

    For deleting a policy, see in the ZENworks Full Disk Encryption Policy Reference.

Once you successfully remove Disk Encryption policies from devices, decrypt drives, and delete old Disk Encryption policies, you are prepared to update the ZENworks Agent to ZENworks 17.1 and to create and apply a new Disk Encryption policy.

For information on updating ZENworks to the ZENworks 17.1, see the ZENworks System Updates Reference.

For information on creating and applying a new Disk Encryption policy, see in the ZENworks Full Disk Encryption Policy Reference.

Best Practices

You cannot successfully apply a 17.0 or earlier Disk Encryption policy to a Full Disk Encryption Agent running ZENworks 17.1.

  • For the reason stated above, you should delete pre-17.1 Disk Encryption policies after removing them from Full Disk Encryption agents that you are updating to 17.1.

  • When deleting a pre-17.1 Disk Encryption policy, ensure that it is not referencing a managed device. See Step 4 in the prerequisites below.

  • We recommend that any new Disk Encryption policies you create in Update 1 have 17.1 appended to the policy name until you have a management zone that is free of any pre-17.1 Disk Encryption policies.