B.1 Recovering Data in Folders Encrypted by the Microsoft Data Encryption Policy

This section explains how to use the standalone ZENworks Folder Decryption Tool to copy and decrypt fixed disk folders encrypted by the Microsoft Data Encryption Policy so that the encrypted data can be recovered. It also explains how folder encryption works and how default encrypted folders behave as multi-user folders, which are not currently supported. Although multi-user folders are not supported, the data can be recovered for a user who is denied access to a multi-user folder by using this same decryption procedure.

Understanding how Fixed Disk Folder encryption works

ZENworks Endpoint Security manages the Microsoft Encrypting File System (EFS) feature to encrypt fixed disk folders on managed devices when folder encryption is enabled in the Microsoft Data Encryption Policy. EFS uses certificates as part of the encryption process. When the policy is first enforced, it looks for an existing EFS certificate to encrypt folders. If one is not found on the device, a new EFS certificate is created. These certificates are uploaded to the ZENworks server for recovery purposes and can also be viewed in the Personal folder of Certificate Manager (certmgr) on the managed device.

Understanding multi-user folders encrypted by the Microsoft Data Encryption Policy

Multi-user encrypted folders are not currently supported for default folders encrypted by the Microsoft Data Encryption Policy. Access to encrypted public folders outside of a user’s profile directory is only guaranteed for the user logged into the device when the policy is applied. If any users receive the prompt that the file or folder is inaccessible due to permissions, they can use the copy and decrypt procedure below to decrypt the files they are trying to access.

Identifying the user who has access to a multi-encrypted folder

To see who can access a policy-encrypted folder that is public or available to more than one user, right-click the encrypted folder or file on the managed device and go to Properties > General tab > Advanced > Details. You can use this information to associate the user with the encryption certificate in ZENworks Control Center that is required to decrypt the folder.
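
A command-line counterpart to the Properties > Advanced > Details dialog, as an added example that is not part of the ZENworks documentation: it reads the output of the Windows `cipher.exe /c` command for one encrypted file and checks each listed certificate thumbprint against the EFS certificates in the current user's Personal store. The `$Path` parameter and the output column names are assumptions, and the parsing assumes `cipher` prints each thumbprint on the line after the account it belongs to.

```powershell
# Added example (not ZENworks code). Run on the managed device.
param(
    [Parameter(Mandatory)]
    [string]$Path    # assumption: full path of one policy-encrypted file
)

# OID of the "Encrypting File System" enhanced key usage.
$efsOid = '1.3.6.1.4.1.311.10.3.4'

# EFS certificates in the current user's Personal store (what certmgr shows).
$personal = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid })

# cipher.exe /c lists, for an encrypted file, the accounts that can decrypt it
# and any recovery certificates, each followed by a certificate thumbprint.
$report = & cipher.exe /c $Path 2>&1 | ForEach-Object { "$_" }

$previous = ''
foreach ($line in $report) {
    # A thumbprint is 40 hex digits printed in groups of four after a colon.
    # Matching on that shape avoids depending on the localized label text.
    if ($line -match ':\s*((?:[0-9A-Fa-f]{4}\s*){10})$') {
        $thumb = ($Matches[1] -replace '\s', '').ToUpper()
        $cert  = $personal | Where-Object Thumbprint -eq $thumb | Select-Object -First 1
        [pscustomobject]@{
            Holder          = $previous.Trim()   # line printed just above the thumbprint
            Thumbprint      = $thumb
            InPersonalStore = [bool]$cert
            HasPrivateKey   = [bool]($cert -and $cert.HasPrivateKey)
        }
    }
    if ($line.Trim()) { $previous = $line }
}
```

A row with both InPersonalStore and HasPrivateKey set to True means the logged-in user holds the certificate for that file; otherwise the Holder value identifies the user whose certificate is needed.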

How to copy and decrypt folders encrypted by the Microsoft Data Encryption Policy

Before performing these steps, ensure that you have access to the encrypted folder via portable media or a network share and can identify the user who has access to the folder. You will also need network access to the ZENworks Control Center to access the encryption password and download the EFS certificate.

  1. Download and install the ZENworks Folder Encryption Tool via the ZENworks Control Center download page by going to Administrative Tools > Endpoint Security.

  2. Download the applicable folder encryption certificate to a portable media device, a local drive, or a network share by selecting the managed device in ZENworks Control Center and going to the Encryption tab.

    You can identify which certificate to download by first discovering the user that has access to the folder. For more information, see Identifying the user who has access to a multi-encrypted folder.

  3. Follow the instructions in the ZENworks Folder Encryption Tool to provide the paths for the certificates, the encrypted folder, and the destination for copying and decrypting the folder.

    NOTE: If needed, the Options menu at the top of the Encryption Tool provides the means to change the language in the tool.