FDE Encryption fails to start on UEFI Device when "Secure Boot Manager" is not first in UEFI Boot Order

  • 7023528
  • 16-Nov-2018
  • 16-Nov-2018

Environment


ZENworks Configuration Management
ZENworks Full Disk Encryption

Situation

Once a UEFI device's hard disk drive is encrypted, it is only accessible through the ZCM FDE boot manager, "Secure Boot Manager".
Microsoft's "Windows Boot Manager" cannot read a ZCM FDE encrypted drive directly, because the drive contents are encrypted.
Only "Secure Boot Manager" holds the keys needed to reach the Windows boot files on the encrypted drive.
 
For this reason, ZCM FDE verifies that "Secure Boot Manager" is the primary (first) boot manager in the UEFI boot order before it starts encrypting the drive; if it is not, encryption does not start.
 
The ZCM FDE Agent install issues "BCDEdit" commands that set "Secure Boot Manager" as the primary boot manager.
Some devices have UEFI security settings that block, or silently revert at the next boot, any change to the UEFI boot configuration.
These settings must be disabled before the ZCM FDE Agent is installed.
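To confirm which boot manager is actually first in the UEFI boot order before (and, after a reboot, again after) installing the agent, the following PowerShell script, added here as an example and not part of ZENworks' own installer code, parses the output of bcdedit /enum firmware and reports whether the entry named "Secure Boot Manager" heads the {fwbootmgr} display order. It assumes an elevated prompt on a UEFI-booted Windows device, English bcdedit output, and that the FDE firmware entry's description is exactly "Secure Boot Manager" (that description string, and the sample output embedded below, are constructed for the example). The Set-SecureBootManagerFirst helper issues the same kind of bcdedit change the agent install makes; running the check again after a reboot shows whether the firmware reverted it, which is the situation this article describes.

```powershell
# Added example, not ZENworks' own code. Run elevated on a UEFI-booted Windows
# device when checking the live system; the constructed sample at the bottom
# runs anywhere. ASSUMPTION: the FDE firmware entry is described as
# "Secure Boot Manager" (adjust -ExpectedDescription if yours differs).

function Get-FirmwareBootEntries {
    # Parse 'bcdedit /enum firmware' text into one hashtable per firmware
    # object: identifier, description (if present) and, for {fwbootmgr},
    # displayorder as an ordered array of identifiers.
    param([string[]]$Lines = (& bcdedit /enum firmware))

    $entries = @()
    $current = $null
    $lastKey = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*$' -or $line -match '^-+\s*$') { continue }  # blanks, underlines
        if ($line -match '^(\S+)\s{2,}(\S.*?)\s*$') {                      # "key    value"
            $key   = $Matches[1].ToLower()
            $value = $Matches[2]
            if ($key -eq 'identifier') {
                if ($current) { $entries += $current }
                $current = @{ identifier = $value; displayorder = @() }
            }
            elseif ($current) {
                if ($key -eq 'displayorder') { $current.displayorder += $value }
                else { $current[$key] = $value }
            }
            $lastKey = $key
        }
        elseif ($current -and $lastKey -eq 'displayorder' -and
                $line -match '^\s+(\{[^}]+\})\s*$') {
            $current.displayorder += $Matches[1]                            # continuation line
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

function Test-SecureBootManagerFirst {
    # Report which entry boots first and whether it is the FDE boot manager.
    # Throws if no firmware boot order is visible (not UEFI, or not elevated).
    param(
        [string]$ExpectedDescription = 'Secure Boot Manager',   # assumed name
        [string[]]$Lines = (& bcdedit /enum firmware)
    )
    $entries = @(Get-FirmwareBootEntries -Lines $Lines)
    $fw = $entries | Where-Object { $_.identifier -eq '{fwbootmgr}' } | Select-Object -First 1
    if (-not $fw -or @($fw.displayorder).Count -eq 0) {
        throw 'No {fwbootmgr} displayorder found: device not UEFI-booted, or bcdedit not run elevated.'
    }
    $firstId = @($fw.displayorder)[0]
    $first   = $entries | Where-Object { $_.identifier -eq $firstId } | Select-Object -First 1
    $desc    = if ($first -and $first.description) { $first.description } else { '(no description)' }
    [pscustomobject]@{
        FirstIdentifier  = $firstId
        FirstDescription = $desc
        SecureBootFirst  = ($desc -eq $ExpectedDescription)
    }
}

function Set-SecureBootManagerFirst {
    # Move the entry with the expected description to the head of the UEFI
    # display order (the same kind of change the ZCM FDE Agent install makes).
    # If the firmware's own security settings revert this at the next boot,
    # Test-SecureBootManagerFirst will show Windows Boot Manager first again.
    param([string]$ExpectedDescription = 'Secure Boot Manager')
    $target = @(Get-FirmwareBootEntries) |
        Where-Object { $_.description -eq $ExpectedDescription } |
        Select-Object -First 1
    if (-not $target) {
        throw "No firmware entry named '$ExpectedDescription' exists, so it cannot be made primary."
    }
    # Braces are quoted so PowerShell does not parse them as a script block.
    & bcdedit /set '{fwbootmgr}' displayorder $target.identifier /addfirst
}

# Constructed sample of 'bcdedit /enum firmware' output from a device whose
# firmware reverted the agent's change: Windows Boot Manager is first again.
$SampleOutput = @'
Firmware Boot Manager
---------------------
identifier              {fwbootmgr}
displayorder            {bootmgr}
                        {a1b2c3d4-0000-4000-8000-000000000001}
timeout                 2

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager

Firmware Application (101fffff)
-------------------------------
identifier              {a1b2c3d4-0000-4000-8000-000000000001}
description             Secure Boot Manager
'@ -split '\r?\n'

$check = Test-SecureBootManagerFirst -Lines $SampleOutput
$check | Format-List      # FirstDescription: Windows Boot Manager, SecureBootFirst: False
if (-not $check.SecureBootFirst) {
    Write-Warning "First UEFI entry is '$($check.FirstDescription)'; ZCM FDE encryption will not start."
}
# Live system (elevated prompt):  Test-SecureBootManagerFirst
# Remediate, then reboot and re-check: Set-SecureBootManagerFirst
```

Run the check once before the agent install, and once more after the first reboot following Set-SecureBootManagerFirst (or the install itself): if "Windows Boot Manager" has returned to the top of the display order, the firmware is reverting boot-order changes and its protection setting has to be disabled before FDE can proceed.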
 
Some devices, such as the "Acer Veriton 4630g", do not permit the UEFI boot manager settings to be changed at all.
As a result, additional boot managers such as ZCM's "Secure Boot Manager" cannot be added.
Such devices are not compatible with "ZCM FDE" in UEFI mode.
 
Such devices also do not allow other operating systems, such as "Ubuntu", to be installed and boot properly in UEFI mode.
When troubleshooting difficulties updating the UEFI boot entries for ZCM's "Secure Boot Manager" on a particular device, it is often useful to search the Internet for "Linux" installs on the same model.
Installing "Linux" or another non-Windows operating system in UEFI mode also requires altering the UEFI boot managers, so those reports are a good indicator of whether the firmware permits it.
If other operating systems cannot be installed in UEFI mode by normal means on a device, as is the case with the Acer Veriton 4630g, then ZCM FDE will not work on it in UEFI mode either.
If another operating system can be installed in UEFI mode by normal means, there is most likely no UEFI configuration restriction that would prevent ZCM FDE from working on the device in UEFI mode.
 
Note: The Acer Veriton can instead be configured to boot in Legacy BIOS mode rather than UEFI, which allows ZCM FDE to be applied to the device. Switching the firmware to Legacy BIOS mode requires Windows to be installed in BIOS (MBR) mode as well, so an existing UEFI-mode Windows installation must be reinstalled or converted before this workaround is used.