Understanding and Troubleshooting FDE Issues related to: UEFI, Boot Configuration Data, and Boot Loader

  • 7022842
  • 11-Apr-2018
  • 12-Apr-2018


ZENworks Full Disk Encryption 2017


UEFI systems require a UEFI boot manager to load the operating system.
The default Windows UEFI Boot Manager is "Windows Boot Manager" -> \EFI\Microsoft\Boot\bootmgfw.efi
If a UEFI device is encrypted with ZCM Full Disk Encryption, the ZCM FDE Boot Manager must be used instead.
The ZCM FDE Boot Manager is "Secure Boot Manager" -> \EFI\Microsoft\Boot\sbs.efi
(Note: If the device is not currently encrypted and no FDE policy is assigned, the "Secure Boot Manager" will not be enabled.)
If the UEFI settings on the device attempt to boot using the "Windows Boot Manager" while the disk is encrypted with FDE, Windows will likely fail to boot and enter "Repair Mode".
Attempts to repair will likely lead Windows to reveal the root cause: it is unable to access bootmgfw.efi.


Restoring "Secure Boot Manager" as the default Boot Manager in UEFI allows the device to boot normally again.
UEFI configuration varies slightly from vendor to vendor, but the graphics below walk through resetting the UEFI Boot Manager settings on a VMware Workstation virtual machine.


In some instances, Windows 10 (primarily version 1703 or prior) would attempt to "auto-correct" the UEFI Boot Manager settings back to the default Microsoft Boot Manager, replacing any other vendor's Boot Manager as the default.
(Note: In some cases, setting a UEFI password prevented Windows from doing this.)
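A way to check, from inside Windows, which boot manager the firmware will try first, added here as an example and not taken from the KB article or from ZENworks itself. It reads the firmware boot entries that `bcdedit /enum firmware` exposes, resolves the first `{fwbootmgr}` displayorder identifier to its EFI path, and flags the case where bootmgfw.efi is first on a device that should be booting sbs.efi. It assumes bcdedit.exe is available from an elevated PowerShell session and that its output keeps the usual "key   value" layout; the embedded sample output is constructed (the GUID and partition values are invented) so the parser can be exercised offline with `-Sample`. The same check is worth repeating after a Windows feature update, given the auto-correct behaviour described above.

```powershell
param([switch]$Sample)

# Added example (not from the KB article or from Micro Focus): read the firmware
# boot entries that bcdedit exposes and report which boot manager the UEFI
# firmware will try first. Assumes bcdedit.exe is available and the shell is
# elevated; otherwise the constructed sample below is parsed instead.

# Constructed sample mirroring the layout of "bcdedit /enum firmware" output.
# The GUID and partition values are invented for this example.
$SampleOutput = @'
Firmware Boot Manager
---------------------
identifier              {fwbootmgr}
displayorder            {bootmgr}
                        {11111111-2222-3333-4444-555555555555}
timeout                 0

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager

Firmware Application (101fffff)
-------------------------------
identifier              {11111111-2222-3333-4444-555555555555}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\Microsoft\Boot\sbs.efi
description             Secure Boot Manager
'@ -split "`r?`n"

function ConvertFrom-BcdEnum {
    # Turn bcdedit's "key   value" blocks into one hashtable per entry.
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    $lastKey = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*$' -or $line -match '^-+$') { continue }
        if ($line -match '^(\S+)\s{2,}(\S.*)$') {
            if ($null -eq $current) { $current = @{}; $entries += $current }
            $lastKey = $Matches[1]
            $value = $Matches[2].Trim()
            # displayorder is a list; further identifiers follow on indented lines
            if ($lastKey -eq 'displayorder') { $current[$lastKey] = @($value) }
            else { $current[$lastKey] = $value }
        }
        elseif ($line -match '^\s+(\S.*)$') {
            if ($null -ne $current -and $lastKey -eq 'displayorder') {
                $current['displayorder'] += $Matches[1].Trim()
            }
        }
        else {
            # A heading such as "Windows Boot Manager" starts a new entry
            $current = @{ heading = $line.Trim() }
            $entries += $current
            $lastKey = $null
        }
    }
    return $entries
}

function Get-FirmwareDefault {
    # Resolve the first {fwbootmgr} displayorder entry to its EFI path and classify it.
    param([string[]]$Lines)
    $entries = @(ConvertFrom-BcdEnum -Lines $Lines)
    $fw = $entries | Where-Object { $_['identifier'] -eq '{fwbootmgr}' } | Select-Object -First 1
    if (-not $fw -or -not $fw['displayorder']) { return $null }
    $firstId = @($fw['displayorder'])[0]
    $entry = $entries | Where-Object { $_['identifier'] -eq $firstId } | Select-Object -First 1
    $path = if ($entry -and $entry['path']) { $entry['path'] } else { '' }
    $kind = switch -Wildcard ($path) {
        '*\sbs.efi'      { 'Secure Boot Manager (ZENworks FDE)' }
        '*\bootmgfw.efi' { 'Windows Boot Manager' }
        default          { 'Other or unresolved entry' }
    }
    [pscustomobject]@{ Identifier = $firstId; Path = $path; Kind = $kind }
}

$lines = $null
if (-not $Sample -and (Get-Command bcdedit.exe -ErrorAction SilentlyContinue)) {
    $lines = & bcdedit.exe /enum firmware 2>$null
}
if (-not $lines) {
    Write-Output 'Using the constructed sample output (run elevated on a UEFI Windows host for live data).'
    $lines = $SampleOutput
}

$default = Get-FirmwareDefault -Lines $lines
if ($null -eq $default) {
    Write-Output 'No {fwbootmgr} displayorder found: not a UEFI boot, or bcdedit needs elevation.'
} else {
    Write-Output "First firmware boot entry: $($default.Kind) [$($default.Identifier) -> $($default.Path)]"
    if ($default.Kind -eq 'Windows Boot Manager') {
        Write-Output 'If this disk is encrypted with ZENworks FDE, Windows will not be able to access bootmgfw.efi at boot; restore "Secure Boot Manager" as the first entry.'
    }
}
```

Save it under any name (for example `Check-FwBootMgr.ps1`, an assumed file name) and run it from an elevated prompt; with `-Sample` it parses only the constructed block. Reordering the entries is done in the firmware setup as the article describes, or from an elevated prompt with `bcdedit /set {fwbootmgr} displayorder <identifier> /addfirst`, where `<identifier>` is the GUID bcdedit shows for the sbs.efi entry on that device.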