Let’s learn about Intune Decrypt Files Protected by WIP Policy . Windows Information Protection (WIP) is an accidental Data Leakage protection solution from Microsoft. WIP is fully supported in Windows 10 anniversary edition (1607) and later versions. This post will see more details about Decrypt Files Protected Intune SCCM WIP Policy.
Certificates Details – Intune/SCCM WIP Policies
Encrypting File System (EFS) Data Recovery Agent (DRA) certificate has been created and used in WIP policies. The cipher/r command can be used to create two certificates. The EFSDRA.CER and EFSDRA.PFX files are created.
EFSDRA.CER is used for encrypting the data with WIP policies. EFSDRA.PFX file contains your private key, and it should be used at the time of the decryption process. I have a post that explains “How to Create Configure and Deploy Windows 10 WIP Policies Using SCCM and Intune.”
Issue Statement – Personal Files Encrypted with WIP Policy
We may need to go through the migration process in the journey towards modern management. This has happened during one of the user migrations, and it didn’t go well. And the user’s files got encrypted with the WIP policy. The user un-enrolled and re-enrolled his Windows 10 device as part of troubleshooting.
Access to the protected files got revoked during the troubleshooting process, and unenrollment from Intune. The user can’t open any files because those files are encrypted using the WIP policy and certificate. The user re-enrolled the device to Intune, but the protected files still stay locked by the WIP certificate.
How to Decrypt WIP Protected Files
To decrypt the protected files – you need to import the PFX file to the computer where you want to perform the decryption process. You need to be very careful because of the private keys in your DRA.PFX file can be used to decrypt any WIP file.
The PFX file must be stored offline, keeping copies on a smart card with strong protection for regular use. It’s better to keep master copies in a secured physical location.
- Import EFSDRA.pfx
Double click on EFSDRA.PFX file to start the certificate import wizard. This wizard helps to import the certificate on to user’s machine. Make sure you select Store Location as a Current user.
Browse and select the EFSDRA.PFX file to import. The private key PFX is protected with a secure password, and you need to enter the password to proceed further with the certificate import wizard. In the import options, make sure you select “Include all extended properties.”
Select the certificate store in the import wizard. The best way to have the default location of the cert store. And it’s “Automatically select the certificate store based on the type of certificate.” Complete the certificate import wizard.
Confirm whether the certificate or private key PFX file is imported successfully to the certificate store. Certificates – Current User – Personal – Certificates. Check out the Intended Purposes tab in the console and check whether there is any File Recovery certificate.
2. Cipher /d command to Decrypt the Files
- C:>cipher /d “SCCM Intune.docx”
- Decrypting files in C:\WINDOWS\system32\
- SCCM Intune.docx [OK]
- 1 file(s) [or directories(s)] within 1 directories(s) were decrypted.
Confirm the private file is imported into the certificate store of a machine. The next step is to run the following command cipher /d “File_Name.XXX” from the directory where the protected files are stored.
Troubleshooting – Check the WIP Logs
WIP troubleshooting can be done through Windows event logs. Navigate via Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB.
Log Name: Microsoft-Windows-EDP-Audit-TCB/Admin Source: Microsoft-Windows-EDP-Audit-TCB Date: 25-11-2017 10:54:03 Event ID: 101 Task Category: None Level: Information Keywords: Windows Information Protection Audit Protection Removed Keyword User: ANOOP-SURFACE-B\Anoop C Nair Computer: Anoop-Surface-Book Description: Enterprise ACNS.COM tag has been removed (Protection removed) from the file: C:\Users\Anoop C Nair\Pictures\SCCM 1710\Overview SCCM Co-Mgmt CMG.jpg Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-EDP-Audit-TCB" Guid="{}" /> <EventID>101</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000889787810</Keywords> <TimeCreated SystemTime="2017-11-25T05:24:03.294238400Z" /> <EventRecordID>15</EventRecordID> <Correlation /> <Execution ProcessID="876" ThreadID="11836" /> <Channel>Microsoft-Windows-EDP-Audit-TCB/Admin</Channel> <Computer>Anoop-Surface-Book</Computer> <Security UserID="" /> </System>
Resources
- How to collect Windows Information Protection (WIP) audit event logs
- best practices for Windows Information Protection (WIP)
- How to Create and verify an EFS and Data Recovery Agent (DRA) certificate
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc……………