What’s coming in ZENworks Full Disk Encryption 2017 Update 1
ZENworks 2017 Update 1--now in beta with an expected release date in June--provides significant enhancements to ZENworks Full Disk Encryption. Here are the highlights of what’s new, what’s changed, and what you should know as you prepare to roll out ZENworks Full Disk Encryption 2017 Update 1.
- Support for UEFI firmware and GPT partitioning: Now, in addition to encrypting Windows devices that use BIOS firmware and MBR partitioning, you can encrypt Windows devices that use UEFI firmware and GPT (GUID Partition Table) partitioning. The supported UEFI/GPT and BIOS/MBR platforms are:
- Windows 7 32-bit: BIOS/MBR
- Windows 8.1 32-bit: BIOS/MBR
- Windows 10 32-bit: BIOS/MBR
- Windows 7 64-bit: UEFI/GPT or BIOS/MBR
- Windows 8.1 64-bit: UEFI/GPT or BIOS/MBR
- Windows 10 64-bit: UEFI/GPT or BIOS/MBR
- Better, and easier, support for newer hardware: We've updated the Pre-boot Authentication module with a new Linux kernel. This means fewer hardware configuration (DMI) issues; in most cases, the default DMI setting works without modification. Add if an issue does occur that causes the PBA’s boot to Windows to fail, you can restart the device and press Ctrl+G before the PBA starts to invoke a configuration menu. Using the menu you can change the DMI setting to try a new one, making recovery from incorrect DMI settings much easier.
- Support for newer hardware and device standards: The new PBA Linux kernel also supports newer standards such as USB 3.0 and USB-C, resulting in fewer boot issues.
- Newer smart card support: The new PBA Linux kernel supports smart card readers that use the CCID (Chip Card Interface Device) protocol, greatly increasing the number of supported smart card readers while maintaining the majority of PKCS#11 providers previously supported (a couple of outdated providers have been deprecated).
- Windows 10 feature updates while the device is encrypted: You can now update a device from one Windows 10 feature version—RTM (1507), November Update (1511), Anniversary Update (1607), and Creators Update (1703)--to another while the device is encrypted. This in-place update applies only to Windows 10; updates between other major Windows releases (for example, Windows 7 to Windows 10) continue to require decrypting of the device before performing the update.
- Additional encryption auditing events: In the ZENworks 2017 release we added audit events that record when encryption or decryption completes on a device. In Update 1, we closed the loop by adding audit events that record when encryption or decryption starts on a device. Now, you can know both the start time and end time for both encryption and decryption on your devices.
- Support for OPAL-compliant SED drives: All OPAL drives are now treated like standard drives (non-self-encrypting drives) and are automatically software encrypted. This makes all OPAL drives compatible with ZENworks Full Disk Encryption.
- Removed support for BartPE ERD: BartPE is no longer supported for creating an emergency recovery disk (ERD). You must now use WinPE.
What to plan for during rollout
Your rollout depends on whether you are installing ZENworks Full Disk Encryption 2017 Update 1 to a new (unencrypted) device or to a currently encrypted device.
New installation on a unencrypted device
If you are encrypting a new (unencrypted) device, all you need to do is ensure that the device is one of the supported platforms and meets the system requirements. The Update 1 Full Disk Encryption Agent is installed to the device during the ZENworks agent update (or initial installation for newly managed devices); once it is installed, it is ready to encrypt the device according to the Disk Encryption policy you assign to the device.
Update of a currently encrypted device
If you are updating a device that is currently encrypted, you will need to decrypt the device before updating to the ZENworks 2017 Update 1 agent.
Decryption only needs to be done this one time. Once Update 1 is on a device, new updates (for example, ZENworks 2017 Update 2) can be installed without decrypting the device. This release requires the device to be decrypted because we had to change the ZENworks partition size to support the new Linux kernel size and related files. It’s large enough now to avoid this issue in the future.
We recognize that decrypting and re-encrypting a device is no small task. Because of that, when the ZENworks agent is updated on a device, we won’t update the Full Disk Encryption agent if that device has a Disk Encryption policy applied. In other words, if the device is encrypted, we won’t update it and it will continue to be encrypted with the current ZENworks version (for example, ZENworks 2017, 11.4.3, 11.4.2, and so on). While we encourage you to update all devices, this approach allows you to focus on devices that need updating while delaying (or excluding) the update of a device if:
- The device encryption is working fine and the device does not require any of the new Update 1 encryption functionality mentioned in the What’s new section.
- The device has an OPAL-compliant self-encrypting drive that is using native hardware encryption and drive locking only (no software encryption) and you want to continue to use it that way.
More Help with Updating
Our ZENworks Full Disk Encryption team is developing a detailed Update guide to provide you with the information and instructions needed to successfully update. This will be available on our ZENworks 2017 doc site when Update 1 releases in June.
You can look forward to more exciting enhancements in future releases of ZENworks Full Disk Encryption. Check back after the Update 1 release for a sneak peak at what we plan for Update 2.