Video Tutorial Decrypt Files Protected Intune SCCM WIP Policy


Windows Information Protection (WIP) is Microsoft's solution for protecting against accidental data leakage. WIP is fully supported on Windows 10 Anniversary Update (version 1607) and later. In this post, we will look at how to decrypt files that were protected by an Intune or SCCM WIP policy.

Certificates Details – Intune/SCCM WIP Policies 

An Encrypting File System (EFS) Data Recovery Agent (DRA) certificate is created and referenced in the WIP policy. The command cipher /r:EFSDRA generates a self-signed recovery agent certificate with its key pair and writes two files: EFSDRA.CER and EFSDRA.PFX.

EFSDRA.CER holds only the public certificate; it is uploaded in the WIP policy so that every file WIP encrypts carries this DRA in its recovery field. EFSDRA.PFX contains the private key, and it is the file you need at decryption time. I have a post which explains "How to Create Configure and Deploy Windows 10 WIP Policies Using SCCM and Intune."

Decrypt Files Protected Intune SCCM WIP Policy

Issue Statement – Personal Files Encrypted with WIP Policy

In the journey towards modern management, we may need to go through a migration process. During one user migration things didn't go well, and the user's personal files got encrypted by the WIP policy. As part of troubleshooting, the user un-enrolled and re-enrolled his Windows 10 device.

Access to the protected files was revoked during the troubleshooting process and the unenrollment from Intune. The user couldn't open any of those files because they were encrypted under the WIP policy and its certificate. The user re-enrolled the device in Intune, but the protected files remained locked by the WIP certificate.

How to Decrypt WIP Protected Files

To decrypt the protected files, you need to import the PFX file on the computer where you want to perform the decryption. Be very careful with it: the private key in the DRA .PFX file can decrypt any file that was protected under a WIP policy referencing that DRA, not just the files of this one user.

The PFX file should be stored offline, with the master copy in a secured physical location. For day-to-day recovery work, keep a working copy on a smart card or other strongly protected medium, and remove the private key from any machine once the recovery is done.

1. Import EFSDRA.pfx

Decrypt WIP Protected Files through Intune Policy

Double-click the EFSDRA.PFX file to start the Certificate Import Wizard. This wizard imports the certificate and private key onto the user's machine. Make sure you select Current User as the Store Location.

Browse to and select the EFSDRA.PFX file to import. The PFX is password-protected, and you need to enter that password to proceed with the wizard. In the import options, make sure you select "Include all extended properties." Leave "Mark this key as exportable" unchecked unless you have a reason to allow the DRA key to be exported again from this machine.

Select the certificate store in the import wizard. The simplest choice is the default, "Automatically select the certificate store based on the type of certificate," which places it in the Personal store. Complete the certificate import wizard.

Confirm that the certificate and private key from the PFX file were imported successfully. In the Certificates console, go to Certificates – Current User – Personal – Certificates, check the Intended Purposes column, and verify there is a certificate listed with the purpose File Recovery. Without a File Recovery certificate that has a private key in this store, cipher /d will fail.


2. cipher /d command to decrypt the files

Confirm that the DRA certificate and private key are present in the Current User Personal store, then open a command prompt as that same user and change to the directory where the protected files are stored. Run cipher /d "File_Name.XXX" against each protected file (or cipher /d /s:<folder> to decrypt everything below a folder). cipher uses the DRA private key from the current user's store to remove the encryption:

C:\>cipher /d "SCCM Intune.docx"
Decrypting files in C:\WINDOWS\system32\
SCCM Intune.docx [OK]
1 file(s) [or directorie(s)] within 1 directorie(s) were decrypted.

A file that reports an error instead of [OK] was most likely protected under a policy whose recovery field does not include this DRA certificate. cipher /c shows the recovery certificates recorded on a file; only a DRA listed there can recover it.
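The whole procedure above (import the PFX, verify the File Recovery certificate, run cipher /d, clean up) scripted in PowerShell, as an added example that is not part of the original post. The PFX path, the target folder and the one-week cleanup are assumptions for the demo; the File Recovery EKU OID and the cipher switches are the standard Windows ones.

```powershell
# Added example (not from the original post): import the EFS DRA private key,
# verify a File Recovery certificate is present, decrypt the WIP-protected
# files, then remove the private key so it does not linger on the machine.
# $PfxPath and $TargetDir are assumed values for this demo.

$PfxPath         = 'C:\Temp\EFSDRA.pfx'           # assumed: exported DRA key
$TargetDir       = 'C:\Users\Public\Recovered'    # assumed: folder with WIP-protected files
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'     # EKU shown as "File Recovery" in certmgr

# 1. Import the PFX into Current User\Personal, the same store the wizard uses.
#    The key stays non-exportable because -Exportable is not passed.
$pfxPassword = Read-Host -Prompt 'EFSDRA.pfx password' -AsSecureString
$imported = Import-PfxCertificate -FilePath $PfxPath `
                                  -CertStoreLocation 'Cert:\CurrentUser\My' `
                                  -Password $pfxPassword

# 2. Confirm the imported certificate carries the File Recovery EKU and a private key.
$dra = Get-ChildItem 'Cert:\CurrentUser\My' |
       Where-Object { $_.Thumbprint -eq $imported.Thumbprint -and
                      $_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryOid }
if (-not $dra -or -not $dra.HasPrivateKey) {
    throw 'No File Recovery certificate with a private key was imported; cipher /d would fail.'
}
Write-Host "Using DRA certificate $($dra.Thumbprint) ($($dra.Subject))"

# 3. List the encryption state and the recovery certificates on each file first,
#    so a file whose recovery field lacks this DRA is visible before decryption.
cipher /c "/s:$TargetDir"

# 4. Decrypt everything below the target folder (/s recurses).
cipher /d "/s:$TargetDir"

# 5. Anything still carrying the Encrypted attribute was not recovered.
$stillEncrypted = Get-ChildItem -Path $TargetDir -Recurse -File |
                  Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
if ($stillEncrypted) {
    Write-Warning 'Still encrypted (DRA probably not in their recovery field):'
    $stillEncrypted | ForEach-Object { Write-Warning $_.FullName }
} else {
    Write-Host "All files under $TargetDir are decrypted."
}

# 6. Remove the DRA certificate and its private key from this machine now that
#    recovery is done; the master copy stays offline.
Remove-Item -Path "Cert:\CurrentUser\My\$($dra.Thumbprint)" -DeleteKey
```

Run it in the same user session that will own the decrypted files; cipher looks for the DRA private key in that user's Personal store, so a PFX imported under another account (or into Local Machine) does not help.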

Troubleshooting – Check the WIP Logs

WIP troubleshooting can be done through the Windows event logs. In Event Viewer, navigate to Applications and Services Logs\Microsoft\Windows and open the EDP-Audit-Regular and EDP-Audit-TCB folders (channels Microsoft-Windows-EDP-Audit-Regular/Admin and Microsoft-Windows-EDP-Audit-TCB/Admin). Event ID 101 in the TCB channel records that the enterprise tag was removed from a file (protection removed), as in the sample below:

Log Name: Microsoft-Windows-EDP-Audit-TCB/Admin
Source: Microsoft-Windows-EDP-Audit-TCB
Date: 25-11-2017 10:54:03
Event ID: 101
Task Category: None
Level: Information
Keywords: Windows Information Protection Audit Protection Removed Keyword
User: ANOOP-SURFACE-B\Anoop C Nair
Computer: Anoop-Surface-Book
Description:
Enterprise ACNS.COM tag has been removed (Protection removed) from the file: C:\Users\Anoop C Nair\Pictures\SCCM 1710\Overview SCCM Co-Mgmt CMG.jpg
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 <Provider Name="Microsoft-Windows-EDP-Audit-TCB" Guid="{}" />
 <EventID>101</EventID>
 <Version>0</Version>
 <Level>4</Level>
 <Task>0</Task>
 <Opcode>0</Opcode>
 <Keywords>0x8000000889787810</Keywords>
 <TimeCreated SystemTime="2017-11-25T05:24:03.294238400Z" />
 <EventRecordID>15</EventRecordID>
 <Correlation />
 <Execution ProcessID="876" ThreadID="11836" />
 <Channel>Microsoft-Windows-EDP-Audit-TCB/Admin</Channel>
 <Computer>Anoop-Surface-Book</Computer>
 <Security UserID="" />
 </System>
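A PowerShell query over those two audit channels, added here as an example and not part of the original post. It pulls the events for a lookback window, extracts the enterprise ID and file path from the message text (the regex is written against the wording of the sample event above, since the page does not show the EventData field names), and summarises which files had their protection removed.

```powershell
# Added example (not from the original post): collect WIP audit events from the
# EDP-Audit-TCB and EDP-Audit-Regular channels and parse the file path and
# enterprise ID out of each message. The lookback window is an assumed value.

$Channels = @('Microsoft-Windows-EDP-Audit-TCB/Admin',
              'Microsoft-Windows-EDP-Audit-Regular/Admin')
$Since = (Get-Date).AddDays(-7)   # assumed: one-week lookback

$events = foreach ($log in $Channels) {
    # Get-WinEvent throws when a channel holds no matching events; treat that as empty.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Since } -ErrorAction Stop
    } catch {
        if ($_.Exception.Message -notmatch 'No events were found') { throw }
    }
}

$parsed = foreach ($e in $events) {
    $msg = $e.Message
    # Message text of event 101 reads:
    #   Enterprise <ID> tag has been removed (Protection removed) from the file: <path>
    $enterprise = if ($msg -match 'Enterprise (\S+) tag') { $Matches[1] } else { $null }
    $file       = if ($msg -match '(?m)from the file: (.+?)\s*$') { $Matches[1] } else { $null }
    $action     = if ($e.Id -eq 101) { 'Protection removed' } else { "Event $($e.Id)" }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Channel    = $e.LogName
        EventId    = $e.Id
        Action     = $action
        Enterprise = $enterprise
        File       = $file
        User       = $e.UserId
    }
}

# Which files had their enterprise tag stripped, and how often.
$parsed | Where-Object { $_.EventId -eq 101 } |
    Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full timeline, oldest first.
$parsed | Sort-Object Time |
    Format-Table Time, Channel, EventId, Action, Enterprise, File -AutoSize
```

Run it as an administrator on the affected device after the cipher /d pass; a Protection removed entry for each recovered file confirms the decryption was logged, and entries you did not cause point at some other process stripping WIP tags.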


Resources:

  • How to collect Windows Information Protection (WIP) audit event logs – here
  • Best practices for Windows Information Protection (WIP) – here
  • How to create and verify an EFS and Data Recovery Agent (DRA) certificate – here
