Windows MDM and Data Protection Policies

  • Question

  • I've been using a Surface Pro 3, running Windows 10 Pro, and had no luck getting Data Protection to function. I am able to enable the feature, and even able to get a context menu item to display in order to encrypt files, but the item does not actually function.

    I've sent the following SyncML commands:

            <!-- Sets the EDP enforcement level; Meta/Format "int" matches the CSP data type -->
            <Replace>
                <CmdID>4</CmdID>
                <Item>
                    <Target>
                        <LocURI>./Vendor/MSFT/Policy/Config/DataProtection/EDPEnforcementLevel</LocURI>
                    </Target>
                    <Meta>
                        <Format xmlns="syncml:metinf">int</Format>
                    </Meta>
                    <Data>3</Data>
                </Item>
            </Replace>
            <!-- CmdID must be unique within one SyncML message, so this command is 5, not a second 4 -->
            <Replace>
                <CmdID>5</CmdID>
                <Item>
                    <Target>
                        <LocURI>./Vendor/MSFT/Policy/Config/DataProtection/EnterpriseProtectedDomainNames</LocURI>
                    </Target>
                    <Data>onmicrosoft.com</Data>
                </Item>
            </Replace>

    After doing this, if from the Surface device I right-click on a file, I have an option for "Encrypt To", under which I have the options "Not Encrypted" and "onmicrosoft.com (managed)".

    Selecting "onmicrosoft.com (managed)" does not encrypt the file or appear to have any effect. No error message is displayed either.

    The documentation (https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962%28v=vs.85%29.aspx) does not mention any specific requirements for this to function, so I do not know what is going wrong.

    I have attempted to specify a DataRecoveryCertificate in the hopes that this was mandatory but unstated, and could not figure out what kind of formatting is required for the field. I've tried a number of variations on this for sending a .cer file's base64-encoded binary data, and it doesn't seem to be taking anything. The certificate is using a custom CA that I have installed as a root authority on the Surface, and is given the intended purpose of "Encrypting File System, File Recovery".

    My chief questions are:

    1. What is required for the encryption option to actually function?
    2. What is the exact required formatting for the DataRecoveryCertificate field?

    Any help is appreciated. Thanks.

    Edited by eckerj Friday, August 21, 2015 9:28 PM
    Posted Friday, August 21, 2015 9:25 PM
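The post's two Replace commands both carry CmdID 4, and SyncML requires CmdID to be unique within a message, which is one thing to rule out before blaming the policy itself. The helper below is an added example, not the poster's code or Microsoft's: it rebuilds the same two DataProtection settings with sequential CmdIDs and flags duplicate CmdIDs in a batch. The SyncBody wrapper, the function names and the sample batch are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# The two Policy CSP settings from the post: (LocURI, Data, Meta/Format or None).
EDP_SETTINGS = [
    ("./Vendor/MSFT/Policy/Config/DataProtection/EDPEnforcementLevel", "3", "int"),
    ("./Vendor/MSFT/Policy/Config/DataProtection/EnterpriseProtectedDomainNames",
     "onmicrosoft.com", None),
]


def build_replace(cmd_id, loc_uri, data, fmt=None):
    """Build one SyncML <Replace> element for a single CSP node."""
    replace = ET.Element("Replace")
    ET.SubElement(replace, "CmdID").text = str(cmd_id)
    item = ET.SubElement(replace, "Item")
    target = ET.SubElement(item, "Target")
    ET.SubElement(target, "LocURI").text = loc_uri
    if fmt:  # Meta/Format lives in the syncml:metinf namespace, as in the post
        meta = ET.SubElement(item, "Meta")
        ET.SubElement(meta, "Format", {"xmlns": "syncml:metinf"}).text = fmt
    ET.SubElement(item, "Data").text = data
    return replace


def build_syncbody(settings):
    """Wrap the settings in a SyncBody, numbering CmdID 1..n so no two collide."""
    body = ET.Element("SyncBody")
    for cmd_id, (loc_uri, data, fmt) in enumerate(settings, start=1):
        body.append(build_replace(cmd_id, loc_uri, data, fmt))
    ET.SubElement(body, "Final")
    return ET.tostring(body, encoding="unicode")


def find_duplicate_cmd_ids(syncbody_xml):
    """Return CmdID values that appear more than once, in first-repeat order."""
    root = ET.fromstring(syncbody_xml)
    seen, dupes = set(), []
    for cmd_id in (e.text for e in root.iter("CmdID")):
        if cmd_id in seen and cmd_id not in dupes:
            dupes.append(cmd_id)
        seen.add(cmd_id)
    return dupes


# Constructed copy of the batch from the post: both commands numbered CmdID 4.
POSTED_BODY = """<SyncBody>
<Replace><CmdID>4</CmdID><Item><Target><LocURI>./Vendor/MSFT/Policy/Config/DataProtection/EDPEnforcementLevel</LocURI></Target><Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>3</Data></Item></Replace>
<Replace><CmdID>4</CmdID><Item><Target><LocURI>./Vendor/MSFT/Policy/Config/DataProtection/EnterpriseProtectedDomainNames</LocURI></Target><Data>onmicrosoft.com</Data></Item></Replace>
</SyncBody>"""

if __name__ == "__main__":
    print("duplicate CmdIDs in posted batch:", find_duplicate_cmd_ids(POSTED_BODY))
    print(build_syncbody(EDP_SETTINGS))
```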