At Microsoft, we have Work Folders deployed for our internal users. I have worked closely with people from the IT group to investigate issues and learn about management operations which relate to Work Folders. One such operation is to recover data after an encryption key is revoked. Erez Benari from Microsoft IT is the expert on the data recovery topic, and we collaborated on this blog post to give an in-depth look into the Work Folders data encryption on Windows.
When we were designing Work Folders, one of the goals was to ensure data security, as the devices which have Work Folders may not be under IT management. The policy we exposed to the IT admins is “Require encryption” on the Sync Share, which indicates whether the sync server requests that the contents of Work Folders be encrypted on each PC and device that syncs with the sync share. I.e. if the admin configures “encryption required” on the server, the Work Folders client will enforce it.
The Work Folders client gets the policy from the sync server, and enforce it by setting the encryption on the Work Folders path and all the files “touched” (e.g. created/moved/synced) under the path will be protected with the encryption. Existing files will be encrypted during the next run of the Work Folders Maintenance Work configured in the Task Scheduler.
If the admin disables the encryption policy on the server at any time, the client will get the change on the next sync, and remove the encryption at the root path of the Work Folders, so new files generated under the Work Folders path will not be encrypted, but existing files will remain encrypted. User can remove the encryption by opening the folder, right clicking on the encrypted folder or file and clicking Remove enterprise control to decrypt the files on the client.
If the user chooses to remove enterprise control on files to decrypt the data, and where policy on the server indicate “require encryption”, the Work Folders client will encrypt the files during the next maintenance task run.
Encryption under the cover
The encryption technology that Work Folders leverages on Windows to protect the data is called “Selective Wipe”. At a high level, the encryption uses a key which is associated an Enterprise ID (EID), which is the company’s top-level domain (for example contoso.com). The selective-wipe encryption mechanism is very similar to EFS, but a major difference is that it is non-PKI based. The encryption key is stored in the Windows Vault (a.k.a. Credentials Manager), which is not stored in Active Directory as part of the users’ profile, and windows does not offer a backup mechanism for it (the built-in credentials manager backup mechanism doesn’t backup that key as part of the backup process). One potential mitigation comes from the fact that when a device is domain-joined (note that this is different than “Workplace joined”), the EID encryption will use both the EID key on the user device and the domain’s Data Recovery Agent (DRA) key. This will allow an enterprise administrator to decrypt the files in case of the key revocation or loss on the domain joined devices.
How can a file be encrypted and decrypted with both the user’s key and the DRA?
The answer to this is in the basic design of the Windows Encrypting File System (EFS). EFS doesn’t encrypt the file using the user’s key but using a unique and random key generated specifically for each and every file EFS has to encrypt. The file’s key is then encrypted using the user’s key and attached to the file. If the device is domain-joined, the file’s key is then encrypted once again, this time using the DRA, and also attached to the file.
When it’s time to decrypt the file, if it’s the user who is decrypting, then EFS decrypts the file key that was encrypted with the user’s key, and if it’s the DRA, then the file key that was encrypted with the DRA is decrypted.
You can read more about the design and operations of EFS here:
In case of a device compromise, the encryption key can be revoked by an admin using a Mobile Device Management (MDM) solution such as InTune, which can issue a command to set the device’s status to “revoke access”. When the Work Folders client attempts to sync, it first checks the Work Folders encryption status. If the status shows “revoke access”, the Work Folders client immediately revokes the sync partnership, and no further sync can take place. The user will see the following message on the control panel:
The Enterprise ID for this PC was remotely revoked by the issuing authority. Access to files in WorkFolders is blocked on this PC. To resume syncing, in the Work Folders Control Panel, click Stop using Work Folders and then recreate the Work Folders synchronization partnership.
If the user doesn’t wish to use Work Folders anymore, he can click “Stop using Work Folders” from the Work Folders control panel:
At any time, when user lost access to the encryption key. This could happen due to a corruption or damage to the hard-drive, or if the user’s profile is deleted or damaged in some way (for example, because of a virus or hack). If the key is lost, the user will not be able to open any of the files, and require a recovery.
Key revocation can be triggered remotely by the administrator at any time. After key revocation, the user will no longer be able to open any of the files. Any attempt to access a file will return an “Access denied” error.
If the user should no longer access the data, the admin should remove the user access to the sync share. If the user wants to get the data back, there are 2 options listed below.
Re-enable the sync
Work Folders syncs the data in the background between the client and the file server. The user can get the data back on the client by re-configuring the Work Folders client. After the setup, data will sync down from server to client.
During the Work Folders setup, the Work Folders default path is %user profile%\Work Folders. There is a specific check for the encryption status of the Work Folders root folder. If the folder is encrypted with a revoked key, the following message will be displayed to the user:
This folder can’t be used because it was wiped by your organization. Delete the wiped folder or choose another location
The user can either rename the existing folder path, if there is a need to recover un-synced files; or delete the existing Work Folders path if there is no need for recovery.
Recovery of un-synced data
In some cases, the client and server data are out of sync. The main reason which can cause the sync to fail on the client is requiring user to enter credential. If some files are not synced to the server after key revocation, user will need to request an administrator’s assistance to recover the un-synced files.
To decrypt the data on Windows 8.1 and RTM release on Windows 10, the admin will require console access to the computer holding the files. This could be either physical access to the computer, or access through remote desktop (RDP). With November release and later of Windows 10, this can also be done directly over the network (where the user can share the files over a regular SMB share). The primary challenge for data recovery is time consumption. In our experience, it requires about 20-60 minute per GB.
Risks of using DRA
When performing data recovery using the DRA, a specific risk is for the DRA to be used as a means for a user to access files encrypted by another (for example, an employee gaining access to his boss’s or the company’s confidential info). To reduce the risk, the person performing the recovery should take the necessary precautions to confirm that the user who is making the recovery request is in fact the owner of the files, or that he has the authority or permission for it. One way to do this is to run the DIR command with the /q option, which shows the file’s owner:
Decryption with Cipher
Decrypting a few files is simple, but when a large number of files with many sub-folder need to be decrypted, things can get tedious. Even though you can uncheck the encrypt option at the top-level folder, the engine might not succeed in decrypting all sub folders and files, resulting in a partially decrypted data set. To perform decryption more efficiently, you can use a command line tool Cipher, which is built into Windows. Cipher can be run at a top level of the drive or folder, or go through the entire drive.
Cipher is included with Windows. To use it, run it with the /D parameter:
Cipher /D “/s:c:\my files”
While decrypting, Cipher will list out the files it scanned and the result. Be sure to watch out for any failures. If there are any, try re-running the tool, and if it still fails, open the folder using Explorer, and decrypt the files manually.
If the DRA certificate is stored on a smartcard and requires a PIN to unlock, the administrator should provide the PIN quickly before Cipher times out and moves to the next file. Be cautious that Windows may show the PIN dialog as a system-tray notification icon or a pop-up that’s hiding behind the active Window (this might mislead one to think Cipher is stuck).
Another case which requires the PIN to be entered again is when the decryption engine’s key cache expired. This means that the administrator needs to pay attention to the recovery process and inspect the progress on a regular basis. If the pin is not provided quickly, Cipher will skip to the next file and might fail to decrypt many files. In such a case, you can re-run Cipher and it will skip over the already-decrypted files quickly. It’s generally a good idea to re-scan with Cipher at least once again after the decryption has completed, as it might be able to decrypt files that it skipped or missed in the initial scan. Also, during the 2nd scan, the administrator should look for any files that haven’t been successfully decrypted. Such files can usually be decrypted manually using the Windows file GUI.
Encryption adds extra data security on the device, but you should be aware and plan for data recovery.
As always, hope you find the information helpful, and share your feedback on Work Folders with us.
 In the context of this technology, “Wipe” means that access to the files is revoked, but the files aren’t actually deleted.