The ZENworks PBA can be enabled to capture the credentials (user ID/password or smart card) of the next user who logs in to the device. This process is referred to as user capturing.
If a Disk Encryption policy has user capturing enabled, the ZENworks PBA captures the credentials of the first user to log in after the policy is applied. You can also enable user capturing after the policy is applied through a ZENworks Control Center Quick Task or through the ZENworks Full Disk Encryption Agent. After user capturing is enabled, the ZENworks PBA captures the credentials of the next user to log in and adds them to any other captured credentials.
The following sections cover both methods of enabling user capturing.
To use a ZENworks Full Disk Encryption Quick Task in ZENworks Control Center, a ZENworks administrator must be assigned the Manage Endpoint Security Settings and Tasks privilege. This privilege is configured through the Quick Tasks rights for administrators and administrator groups. For help configuring Quick Tasks rights, see the ZENworks Administrator Accounts and Rights Reference.
For user capturing to be enabled on a device through a Quick Task, the device must be running and have a network connection to the ZENworks Server. Otherwise, the ZENworks Server cannot deliver the Quick Task to the device.
To enable user capturing on a device:
1. In ZENworks Control Center, click Devices.
2. In the Devices panel, locate the device for which you want to enable user capturing.
3. Select the check box next to the device, click Quick Tasks, click FDE: Enable Additive User Capturing, then click OK to confirm the task.
4. In the Quick Task Status dialog box, click Start if you want to use the default options.
   or
   Configure the options as desired, then click Start.
   For information about the options, click the Help icon in the Quick Task Status dialog box.
5. As soon as the Quick Task is complete, have the user restart the device.
   Until the device restarts and the correct user’s credentials are captured, the device’s security is compromised, because the ZENworks PBA captures the credentials of whichever user logs in next. Having the user immediately restart the device minimizes this possible security threat.
To use the ZENworks Full Disk Encryption Agent to enable user capturing on a device, you must know the FDE Administrator password for the policy assigned to the device, or you must know the ZENworks Agent override password or key.
1. On the device, right-click the ZENworks icon in the notification area, and select Technician Application.
2. Click Full Disk Encryption in the ZENworks Agent navigation menu.
3. In the Full Disk Encryption Agent Actions section, click About to display the About dialog box.
4. Click the Commands button.
5. Supply the password to display the Commands dialog box.
6. Click the Enable User Capture button.
   You can verify the setting by viewing the agent status (in the About dialog box) and looking at the PBA Self Initialization Mode value. If user capturing is enabled, the value is WINDOWS_CRED_SELFINIT.
7. Exit the Full Disk Encryption Agent and restart the device.
   Until the device restarts and the correct user’s credentials are captured, the device’s security is compromised, because the ZENworks PBA captures the credentials of whichever user logs in next. Immediately restarting the device minimizes this possible security threat.