Intune Decrypt Files Protected by WIP Policy

Let’s learn about Intune Decrypt Files Protected by WIP Policy . Windows Information Protection (WIP) is an accidental Data Leakage protection solution from Microsoft. WIP is fully supported in Windows 10 anniversary edition (1607) and later versions. This post will see more details about Decrypt Files Protected Intune SCCM WIP Policy.

Certificates Details – Intune/SCCM WIP Policies 

Encrypting File System (EFS) Data Recovery Agent (DRA) certificate has been created and used in WIP policies. The cipher/r command can be used to create two certificates. The EFSDRA.CER and EFSDRA.PFX files are created.

EFSDRA.CER is used for encrypting the data with WIP policies. EFSDRA.PFX file contains your private key, and it should be used at the time of the decryption process. I have a post that explains “How to Create Configure and Deploy Windows 10 WIP Policies Using SCCM and Intune.”

Decrypt Files Protected Intune SCCM WIP Policy
Intune Decrypt Files Protected by WIP Policy 1

Issue Statement – Personal Files Encrypted with WIP Policy

We may need to go through the migration process in the journey towards modern management. This has happened during one of the user migrations, and it didn’t go well. And the user’s files got encrypted with the WIP policy. The user un-enrolled and re-enrolled his Windows 10 device as part of troubleshooting.

Patch My PC

Access to the protected files got revoked during the troubleshooting process, and unenrollment from Intune. The user can’t open any files because those files are encrypted using the WIP policy and certificate. The user re-enrolled the device to Intune, but the protected files still stay locked by the WIP certificate.

How to Decrypt WIP Protected Files

To decrypt the protected files – you need to import the PFX file to the computer where you want to perform the decryption process. You need to be very careful because of the private keys in your DRA.PFX file can be used to decrypt any WIP file.

The PFX file must be stored offline, keeping copies on a smart card with strong protection for regular use. It’s better to keep master copies in a secured physical location.

  1. Import EFSDRA.pfx 
Decrypt WIP Protected Files through Intune Policy Intune Decrypt Files Protected by WIP Policy
Intune Decrypt Files Protected by WIP Policy 2

Double click on EFSDRA.PFX file to start the certificate import wizard. This wizard helps to import the certificate on to user’s machine. Make sure you select Store Location as a Current user.

Adaptiva

Browse and select the EFSDRA.PFX file to import. The private key PFX is protected with a secure password, and you need to enter the password to proceed further with the certificate import wizard. In the import options, make sure you select “Include all extended properties.”

Select the certificate store in the import wizard. The best way to have the default location of the cert store. And it’s “Automatically select the certificate store based on the type of certificate.” Complete the certificate import wizard.

Confirm whether the certificate or private key PFX file is imported successfully to the certificate store. Certificates – Current User – Personal – Certificates. Check out the Intended Purposes tab in the console and check whether there is any File Recovery certificate.

Decrypt Files Protected Intune SCCM WIP Policy
Intune Decrypt Files Protected by WIP Policy 3

2. Cipher /d command to Decrypt the Files

  • C:>cipher /d “SCCM Intune.docx”
  • Decrypting files in C:\WINDOWS\system32\
  • SCCM Intune.docx [OK]
  • 1 file(s) [or directories(s)] within 1 directories(s) were decrypted.

Confirm the private file is imported into the certificate store of a machine. The next step is to run the following command cipher /d “File_Name.XXX” from the directory where the protected files are stored.

Troubleshooting – Check the WIP Logs

WIP troubleshooting can be done through Windows event logs. Navigate via Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB.

Log Name: Microsoft-Windows-EDP-Audit-TCB/Admin
Source: Microsoft-Windows-EDP-Audit-TCB
Date: 25-11-2017 10:54:03
Event ID: 101
Task Category: None
Level: Information
Keywords: Windows Information Protection Audit Protection Removed Keyword
User: ANOOP-SURFACE-B\Anoop C Nair
Computer: Anoop-Surface-Book
Description:
Enterprise ACNS.COM tag has been removed (Protection removed) from the file: C:\Users\Anoop C Nair\Pictures\SCCM 1710\Overview SCCM Co-Mgmt CMG.jpg
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 <Provider Name="Microsoft-Windows-EDP-Audit-TCB" Guid="{}" />
 <EventID>101</EventID>
 <Version>0</Version>
 <Level>4</Level>
 <Task>0</Task>
 <Opcode>0</Opcode>
 <Keywords>0x8000000889787810</Keywords>
 <TimeCreated SystemTime="2017-11-25T05:24:03.294238400Z" />
 <EventRecordID>15</EventRecordID>
 <Correlation />
 <Execution ProcessID="876" ThreadID="11836" />
 <Channel>Microsoft-Windows-EDP-Audit-TCB/Admin</Channel>
 <Computer>Anoop-Surface-Book</Computer>
 <Security UserID="" />
 </System>
Decrypt Files Protected Intune SCCM WIP Policy
Intune Decrypt Files Protected by WIP Policy 4

Resources

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc……………

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.