5.5 Microsoft Data Encryption Policy

The following instructions assume that you are on the Configure BitLocker Encryption for Removable Data Drives page in the Create New Microsoft Data Encryption Policy Wizard (see Creating Security Policies) or that you are on the Details page for an existing Microsoft Data Encryption policy (see Editing a Policy’s Details).

The Microsoft Data Encryption policy manages Microsoft’s BitLocker and Encrypting File System (EFS) tools to encrypt removable drives and fixed disk folders, respectively.

Refer to the sections below for policy details:

5.5.1 General Information

As you configure Microsoft Data Encryption policies and apply them to devices, be aware of the following:

  • The Microsoft Data Encryption policy is a device-only policy. It cannot be assigned to users.

  • The Microsoft Data Encryption policy does not support inheritance. The Microsoft Data Encryption policy that is assigned closest to the device becomes the effective policy for the device. For example, if a Microsoft Data Encryption policy is assigned to a device and to a group in which the device is a member, the device-assigned policy becomes the effective policy and the policy assigned to the device group is ignored.

When the policy is applied to a managed device, users are automatically notified upon drive insertion of the policy’s enforcement. The notification can take several forms depending upon the state of the removable drive and the settings in the policy.

Operating System Requirements

Microsoft BitLocker is native to the operating systems listed below:

  • Windows 7 Ultimate and Enterprise (cannot encrypt used sectors only)

  • Windows 8 and 8.1 Professional and Enterprise

  • Windows 10 Professional, Enterprise, and Education

5.5.2 Removable Data Drives

You can use ZENworks to control Microsoft BitLocker encryption of removable data drives (RDD) on managed devices when the Microsoft Data Encryption Policy is applied to those devices. Removable Data Drives encryption can be enabled or disabled, giving you the ability to apply the policy to devices for one or both policy options, (1) Removable Data Drives encryption and (2) Fixed Disk Folder encryption.

The policy enables you to configure locking and unlocking of encrypted data drives using either a user password or auto-unlock feature when drives are used on managed devices. Depending on the configuration options you choose, you can also enable RDDs that are encrypted via this policy to support unlocking the drives on non-managed devices.

Removable data drives include, but are not limited to, USB thumb drives and externally attached hard drives.

Continue reading for information about each of the configurable options for encrypting removable data drives.

Enable Removable Data Drive encryption

This box must be checked for encryption of removable data drives to be enabled on devices with the Microsoft Data Encryption Policy enforced. With the capability to disable encryption of removable data drives, you can still have Fixed Disk Folder encryption enabled when a Microsoft Data Encryption policy is enforced.

Encryption Algorithm

Both the AES-CBC and the XTS-AES algorithms use AES (Advanced Encryption Standard) with 256-bit keys. AES-CBC is BitLocker's Compatible mode and provides the greatest compatibility on Windows 7 and newer operating systems. XTS-AES is BitLocker's New encryption mode, a newer algorithm that works only on Windows 10 version 1511 and newer operating systems.

If you use the policy on devices running both Windows 10 v1511 (or newer) and earlier operating systems, you can choose the XTS-AES if supported option. The policy then automatically applies XTS-AES encryption on Windows 10 v1511 and newer, and AES-CBC encryption on earlier OS versions.

Initial Encryption

You can set the encryption for used drive space only or the entire drive. The former is the fastest means of encryption, but the latter provides the greatest security, because it ensures that any deleted files are not recoverable.

Unlock Method

The options for unlocking removable data drives include both managed and non-managed devices. You can enable the user to provide an unlock password to unlock the drive on any device. Or, you can use the zone encryption key for the drive with no user unlock password, so only managed devices in your zone will be unlocked.

  • Always prompt for the unlock password: This option requires a password every time the user inserts the drive into a device, whether the device is a managed or non-managed device. It enables the user to unlock the drive on any Windows device.

  • Prompt for the unlock password on first use: This option uses the BitLocker Auto-Unlock feature. The first time the user inserts a drive into the device the unlock password is required. Subsequent uses on the same device do not require the password. This option also enables the user to unlock the drive on any Windows device.

  • No unlock password: This option uses the zone encryption key to unlock the drive on managed devices only. Select this option to automatically unlock BitLocker encrypted drives in the management zone. The drive is automatically unlocked without a user password when inserting the drive into a managed device, but it cannot be unlocked on non-managed devices.

    To unlock a removable drive that uses this setting on a device in a different zone, you need to export the encryption key from the zone managing the encryption and import it into the alternate zone. The Microsoft Data Encryption policy must also be enforced on the device in the alternate zone. For more information, see Data Encryption Key Management.

  • Require a strong unlock password: Select this option to force users to define an unlock password that meets the following requirements when using a password option:

    • Eight or more characters

    • At least one of each of the four types of characters:

      • uppercase letters from A to Z

      • lowercase letters from a to z

      • numbers from 0 to 9

      • at least one special character: ~ ! @ # $ % ^ & * ( ) + { } [ ] : ; < > ? , . / - = | \ "

      For example: y9G@wb?

Encrypted Drives

If you have a drive that is already BitLocker encrypted, you can enable the drive to retain its current BitLocker settings to be used on managed devices, or you can apply the policy settings to the encrypted drive.

If the drive was BitLocker encrypted via ZENworks, you can also enable the policy to override the existing encryption settings if they are different than this policy’s settings.

NOTE: Changing an encrypted drive's BitLocker settings might require the drive to be decrypted and then re-encrypted. This is done automatically if required.

Excluded Drives

All removable data drives are encrypted by default. Use the Excluded Drives option to add removable drives that you do not want encrypted.

You can add drives for exclusion, copy existing exclusions to use as a template for adding drive exclusions, and import or export exclusions to be used from or in a different policy, respectively.

  • Create New: Click Add > Create New to manually define the drive to be excluded. When the Add Drive to Exclude from Encryption dialog box is displayed, click the Help icon in the upper-right corner of the dialog box for details about defining a drive.

  • Copy Existing: Click Add > Copy Existing to copy drives that are already defined in other Microsoft Data Encryption policies. When you copy excluded drives from another policy, all drives are copied; after the copy is complete, you can remove any unwanted drives from the list.

  • Import: You can import drives from a policy export file or from a Device Scanner file. Only class 8 (Mass Storage) drives are imported; all other drive classes are ignored.

    To import drives from a policy export file, click Add > Import, make sure that Existing Policy/Component is selected in the Select Source of Data list, then browse for and select the policy export file.

    To import drives from a Device Scanner file, click Add > Import, then select ZESM Device Scanner Tool in the Select Source of Data list. Browse for and select the Device Scanner file to import, then select the data fields you want imported. The recommended data fields are selected by default. You can deselect any recommended data fields and select any additional fields. The more data fields you import, the more narrowly a drive definition matches. If you include all of the data fields for a scanned device, the drive definition is narrowed to the specific USB port on the computer where the drive was scanned.

  • Export: You can export one or more drive entries to an XML file, which can then be imported at a later time or in another zone for use in another Microsoft Data Encryption Policy.

    To export one or more drives, select them in the Drives to Exclude from Encryption list, and click Export. The XML file is automatically downloaded based on your browser download settings.

5.5.3 Fixed Disk Folders

In addition to Microsoft BitLocker, the Microsoft Data Encryption policy can also manage the Microsoft Encrypting File System (EFS) for file and folder encryption on fixed disks. Fixed Disk Folder encryption can be enabled or disabled, giving you the ability to apply the policy to devices for one or both policy options, (1) Removable Data Drives encryption and (2) Fixed Disk Folder encryption.

With this feature enabled, end users will be able to encrypt personal folders once the policy is applied to their devices. Additionally, you can add folders to the policy that are encrypted by default upon policy enforcement.

Fixed disk folder encryption cannot be enforced on the following program folders:

  • C:\Program Files

  • C:\Program Files (x86)

  • C:\Windows\System

  • C:\Windows\System32 "RECYCLE.BIN"

  • C:\ProgramData

NOTE: Fast user switching is not supported in the policy and may prohibit users from accessing encrypted folders on devices the policy is deployed to. Fast user switching in the context of the Microsoft Data Encryption policy is defined as multiple users having access to a device and switching users without closing programs or fully logging out.

Continue reading for information about each of the configurable options for encrypting fixed disk folders.

Enable folder encryption

This box must be checked for encryption of fixed disk folders to be enabled on devices with the Microsoft Data Encryption Policy enforced. With the capability to disable encryption of fixed disk folders, you can still have Removable Data Drive encryption enabled when a Microsoft Data Encryption policy is enforced.

Administrator Recovery

An administrator decryption password is required to use folder encryption in the Microsoft Encryption policy. Once the policy is enforced, you can use the password to decrypt folders on any device to which the policy is applied.

To define the password that the policy will use, click Set in the Administrator Recovery panel and provide a password.

To get recovery information for encrypted folders on a specific device, click the device link in the ZENworks Control Center and go to Encryption > Folder Encryption Certificates. In combination with the encryption password, these certificates can be used via the ZENworks Folder Decryption Tool to decrypt folders encrypted by the policy.

For more information, see Recovering Data in Folders Encrypted by the Microsoft Data Encryption Policy in the Troubleshooting Endpoint Security section.

Default Encrypted Folders

You can specify folders that you want encrypted by default, which will include their files and subfolders. These may also be referred to as policy-encrypted folders. If the folder path that you provide does not exist on assigned devices, a new folder will be created on each device when the policy is applied. You can use an environment variable or full folder path to create or add a default encrypted folder to the policy. For example:

  • %userprofile%\Documents

  • %SYSTEMROOT%\BB_Sys_Root

  • C:\Windows

  • C:\Users\username\Documents\EncryptedContent

IMPORTANT: Multi-user folders are not currently supported. This means if you add a default folder to the policy that is outside of the user profile or home path that multiple users can access when logged into a device, the user logged in at the time of policy enforcement will be the only user that will have access to the folder and its contents.

In the event that one of these folders gets created and another user requires access to the folder who cannot access it, a recovery process is available to copy and decrypt the data. For more information see Recovering Data in Folders Encrypted by the Microsoft Data Encryption Policy.

To add one or more default folders:

  1. Click Add in the Encrypted Folders section.

  2. Type the folder path. For example:

    C:\%USERPROFILE%\Documents

  3. Click OK.

  4. Add additional folders if required.

Secondary Authentication

Primary authentication to access encrypted folders happens when a user logs in to a Windows device that has the Microsoft Data Encryption policy applied. You can apply secondary authentication to the policy to require a user to enter another password after the Windows login.

When Secondary Authentication is enabled, the user is initially prompted to create a password during the following conditions:

  • You have one or more default folders added to the policy:

    The user is prompted to provide a password for encrypted folders when the policy is applied.

  • There are no default folders added to the policy:

    The user is prompted to provide a password when attempting to encrypt a folder via the right-click menu.

Once the initial password is in place, the user will be required to enter that password once for each Windows session, either after login if there are default folders, or when first accessing an encrypted folder when there are no default folders.

If the user cancels a password prompt for encrypted folders after login, encrypted folders will be inaccessible during that Windows session. The user can override this issue by providing the password via About > Encryption Management in the ZENworks Endpoint Security Agent.

To require secondary authentication for encrypted folders, select After Windows login, require user to enter a secondary password to unlock folders.

Require a strong secondary password: Select this option to force users to define a decryption password that meets the following requirements when Secondary Authentication is enabled:

  • Eight or more characters

  • At least one of each of the four types of characters:

    • uppercase letters from A to Z

    • lowercase letters from a to z

    • numbers from 0 to 9

    • at least one special character: ~ ! @ # $ % ^ & * ( ) + { } [ ] : ; < > ? , . / - = | \ "

    For example: y9G@wb?
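The strong-password rule above is the same one the Unlock Method section applies to removable-drive unlock passwords. The checker below reproduces that documented rule so an administrator can pre-screen a candidate password or explain a rejection; it is an added example, not ZENworks code, and the agent itself performs the real enforcement. The special-character set is taken exactly from the list above (note that characters such as the underscore are not in it).

```python
"""Checker for the Microsoft Data Encryption policy's strong-password rule:
eight or more characters and at least one uppercase letter, one lowercase
letter, one digit and one special character from the documented set.
Added example; not part of ZENworks."""

import string

# Special characters exactly as listed in the policy requirements.
SPECIAL_CHARS = set('~!@#$%^&*()+{}[]:;<>?,./-=|\\"')
MIN_LENGTH = 8


def missing_requirements(password: str) -> list[str]:
    """Return the documented requirements the password fails (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase letter (A-Z)")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("no lowercase letter (a-z)")
    if not any(c in string.digits for c in password):
        problems.append("no digit (0-9)")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character from the listed set")
    return problems


def is_strong(password: str) -> bool:
    """True when every documented requirement is met."""
    return not missing_requirements(password)


def uncounted_characters(password: str) -> list[str]:
    """Characters that satisfy none of the four classes (informational only:
    the documented rule does not reject them, they just do not count)."""
    counted = set(string.ascii_letters + string.digits) | SPECIAL_CHARS
    return sorted(set(password) - counted)


if __name__ == "__main__":
    # Constructed sample passwords, not values from the policy documentation.
    for candidate in ["Zen9@works", "zen9@works", "Zen9_works", "Zn9@wb"]:
        verdict = "OK" if is_strong(candidate) else "rejected"
        print(f"{candidate!r}: {verdict} {missing_requirements(candidate)}")
```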