Respected Contributor.

Unassigning from FDE policy doesn't decrypt disk

Hello!

After unassigning a PC from an FDE policy, the policy is removed from the ZENworks agent, but not from the FDE agent.

The disk is left in an encrypted state. Only after manually removing the policy from the FDE agent is the disk decrypted.

(FDE agent - Commands - remove policy)

Agent Version is 17.4.0.171, API 12.3.907.11

Windows 10 1903 Build 18362.30

Any ideas?


best regards

Andre


Accepted Solutions
Respected Contributor.

What an embarrassment!
I was too impatient. It takes about 20 minutes before FDE recognizes that the policy was removed.
After a client refresh the policy was removed directly from the ZCM client. 20 minutes later it was removed from the FDE client and the decryption process began.

I apologize for my impatience.

best regards

André

Micro Focus Expert

Make sure your policy does not have "Enable encryption lockdown" enabled.

This setting is designed to make the encryption persistent, even upon policy removal or even a device unregistering from a zone.  It would take manual steps from someone with the FDE passwords to locally override.

--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
Respected Contributor.

Thank you for your response.

Unfortunately the setting is not set. Here are the relevant policy settings:

Disk Encryption : Encrypt all local fixed volumes

Encryption Settings :

- AES /256
- Encrypt only the used sectors of the drive = true
- Block 1394 (FireWire) port = false
- Enable software encryption of Opal compliant self-encrypting drives = true
- Enable encryption lockdown = false

Emergency Recovery Information (ERI) Settings: nothing checked

- Enable pre-boot authentication = true
- Enable user ID/password authentication = true
- Create PBA account for first user who logs in to Windows after the policy is applied (User Capturing) = true
- Allow access for the following users (one user allowed)
- Remove existing users from PBA if not in this list = false

best regards

André

Micro Focus Expert

#1 - I presume if the core ZCM agent stopped talking to the zone, it would never see that the policy was removed. However, I suspect you would have noticed and noted that in your comment, so unlikely.

#2 - At some point, there were some undocumented reg keys to enable FDE lockdown, so perhaps if those were in place. Again, not likely, since you would have known about them. Those keys were used briefly after the feature was added to the FDE client but before the ZCC/policies were updated to support the feature. AFAIK only a couple of customers ever used them. So again, likely not relevant.

Respected Contributor.

I'm evaluating FDE for my company. We don't know the hidden and secret registry keys 😁
The miracle is that the rest of ZCM is working fine; in the status of assigned policies the FDE policy is removed.
Only FDE doesn't know that the policy was removed. If I use the command "remove policy" from the FDE client, the policy will be removed and the drive is decrypted.

I'll verify this behavior on a clean PC and will open an SR (or contact the presales team) if it fails again.
I think it's a bug in the FDE client.

best regards

André
