Unassigning from FDE policy doesn't decrypt disk

Hello!

After unassigning a PC from an FDE policy, the policy is removed from the ZENworks agent, but not from the FDE agent.

The disk is left in an encrypted state. Only after manually removing the policy from the FDE agent is the disk decrypted.

(FDE agent - Commands - remove policy)

Agent Version is 17.4.0.171, API 12.3.907.11

Windows 10 1903 Build 18362.30

Any ideas?


best regards

Andre


  • Make sure your policy does not have "Enable encryption lockdown" enabled.

    This setting is designed to make the encryption persistent, even upon policy removal or even a device unregistering from a zone. It would take manual steps from someone with the FDE passwords to locally override.

  • Thank you for your response.

    Unfortunately the setting is not set. Here are the relevant policy settings:

    Disk Encryption : Encrypt all local fixed volumes

    Encryption Settings :

    - AES /256
    - Encrypt only the used sectors of the drive = true
    - Block 1394 (FireWire) port = false
    - Enable software encryption of Opal compliant self-encrypting drives = true
    - Enable encryption lockdown = false

    Emergency Recovery Information (ERI) Settings: nothing checked

    - Enable pre-boot authentication = true
    - Enable user ID/password authentication = true
    - Create PBA account for first user who logs in to Windows after the policy is applied (User Capturing) = true
    - Allow access for the following users (one user allowed)
    - Remove existing users from PBA if not in this list = false

    best regards

    André


    #1 - I presume if the core ZCM agent stopped talking to the zone, it would never see that the policy was removed. However, I suspect you would have noticed and noted that in your comment, so unlikely.

    #2 - At some point, there were some undocumented reg keys to enable FDE lockdown, so perhaps if those were in place. Again, not likely, since you would have known about them. Those keys were used briefly after the feature was added to the FDE client but before the ZCC/policies were updated to support the feature. AFAIK only a couple of customers ever used them. So again, likely not relevant.


  • I'm evaluating FDE for my company. We don't know the hidden and secret registry keys.
    The strange thing is that the rest of ZCM is working fine; in the assigned-policy status the FDE policy is removed.
    Only FDE doesn't know that the policy was removed. If I use the command "remove policy" from the FDE client, the policy is removed and the drive is decrypted.

    I'll verify this behavior on a clean PC and will open an SR (or contact the presales team) if it fails again.
    I think it's a bug in the FDE client.

    best regards

    André


  • Verified Answer

    What an embarrassment!
    I was too impatient. It takes about 20 minutes before FDE recognizes that the policy was removed.
    After a client refresh the policy was removed directly from the ZCM client. 20 minutes later it was removed from the FDE client and the decryption process began.

    I apologize for my impatience


    best regards

    André