From 4573ff486cfab120c74635868cd6e43626ddffe9 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 12 Jul 2016 09:55:00 -0700 Subject: [PATCH] Pulled content out of topics and into its own to better address customer questions --- windows/keep-secure/TOC.md | 1 + ...reate-and-verify-an-efs-dra-certificate.md | 85 +++++++++++++++++++ .../create-edp-policy-using-intune.md | 48 +---------- .../create-edp-policy-using-sccm.md | 41 +-------- 4 files changed, 89 insertions(+), 86 deletions(-) create mode 100644 windows/keep-secure/create-and-verify-an-efs-dra-certificate.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 504f41304c..0e7321d864 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -22,6 +22,7 @@ ##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) ##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) #### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) +#### [Create and verify an Encrypting File System (EFS) DRA certificate](create-and-verify-an-efs-dra-certificate.md) ### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) #### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md new file mode 100644 index 0000000000..5f98952a87 --- /dev/null +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -0,0 +1,85 @@ + +--- +title: Create and verify an Encrypting File System (EFS) DRA certificate (Windows 10) +description: Follow these steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +--- + +# Create and verify an Encrypting File System (EFS) DRA certificate +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. + +The recovery process included in this topic only works for desktop devices. EDP deletes the data on Windows 10 Mobile devices. + +>**Important**
+If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. + +**To manually create an EFS DRA certificate** +1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. + +2. Run this command: + + `cipher /r:` + + Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. + +3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. + + The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. + + >**Important**
+ Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. + +4. Add your EFS DRA certificate to your EDP policy by using either Microsoft Intune or System Center Configuration Manager. + + >**Note**
+ To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. + +**To verify your data recovery certificate is correctly set up on an EDP client computer** +1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. + +2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: + + `cipher /c ` + + Where *<filename>* is the name of the file you created in Step 1. + +3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. + +**To recover your data using the EFS DRA certificate in a test environment** +1. Copy your EDP-encrypted file to a location where you have admin access. + +2. Install the EFSDRA.pfx file, using your password. + +3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: + + `cipher /d ` + + Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. + +**To recover your EDP-protected desktop data after unenrollment** +1. Have your employee sign in to the unenrolled device, open a command prompt, and type: + `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` + + Where `<”new_location”>` is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent. + +2. Sign in to a different device with administrator credentials that have access to your organization's Data Recovery Agent (DRA) certificate, and perform the file decryption and recovery by typing: + + `cipher.exe /D <“new_location”>` + +3. Sign in to the unenrolled device as the employee, and type: + + `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` + +4. Ask the employee to log back in to the device or to lock and unlock the device. + + The Windows Credential service automatically recovers the protected data from the `Recovery\Input` location. diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md index 17b58ff4b3..81f4eb2745 100644 --- a/windows/keep-secure/create-edp-policy-using-intune.md +++ b/windows/keep-secure/create-edp-policy-using-intune.md @@ -304,56 +304,10 @@ There are no default locations included with EDP, you must add each of your netw 2. Add as many locations as you need, and then click **OK**.

The **Add or Edit Enterprise Network Locations box** closes. -3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.

After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.

For steps about how to create and verify an EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) DRA certificate](#create-and-verify-an-encrypting-file-system-efs-dra-certificate) section of this topic. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.

+3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.

After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.

For steps about how to create and verify an EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) DRA certificate](create-and-verify-an-efs-dra-certificate.md) topic. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.

![Microsoft Intune: Specify a data recovery certificate for your policy](images/intune-data-recovery.png) -### Create and verify an Encrypting File System (EFS) DRA certificate -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. - ->**Important**
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. To add your EFS DRA certificate to your policy by using Microsoft Intune, see Step 3 in the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic. - -**To manually create an EFS DRA certificate** -1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. - -2. Run this command: - - `cipher /r:` - - Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. - -3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. - - The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - - >**Important**
- Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. - -4. Add your EFS DRA certificate to your EDP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic. - -**To verify your data recovery certificate is correctly set up on an EDP client computer** -1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. - -2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - - `cipher /c ` - - Where *<filename>* is the name of the file you created in Step 1. - -3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. - -**To recover your data using the EFS DRA certificate in a test environment** -1. Copy your EDP-encrypted file to a location where you have admin access. - -2. Install the EFSDRA.pfx file, using your password. - -3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - - `cipher /d ` - - Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. - ## Choose your optional EDP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings. diff --git a/windows/keep-secure/create-edp-policy-using-sccm.md b/windows/keep-secure/create-edp-policy-using-sccm.md index 9fd513eda2..5668449d99 100644 --- a/windows/keep-secure/create-edp-policy-using-sccm.md +++ b/windows/keep-secure/create-edp-policy-using-sccm.md @@ -441,49 +441,12 @@ There are no default locations included with EDP, you must add each of your netw 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. + After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. - For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. + For steps about how to create and verify an EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) DRA certificate](create-and-verify-an-efs-dra-certificate.md) topic. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/edp-sccm-dra.png) -#### Create and verify an Encrypting File System (EFS) DRA certificate for EDP -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. - ->**Important**
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. - -**To manually create an EFS DRA certificate** -1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. -2. Run this command: - - `cipher /r:`
Where `` is the name of the .cer and .pfx files that you want to create. - -3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. - - The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - - **Important**
Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. - -4. Add your EFS DRA certificate to your EDP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic. - -**To verify your data recovery certificate is correctly set up on an EDP client computer** -1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. - -2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - - `cipher /c `
Where `` is the name of the file you created in Step 1. - -3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. - -**To recover your data using the EFS DRA certificate in a test environment** -1. Copy your EDP-encrypted file to a location where you have admin access. - -2. Install the EFSDRA.pfx file, using your password. - -3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - - `cipher /d `
Where `` is the name of your encrypted file. For example, corporatedata.docx. - ### Choose your optional EDP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings.