mcouturier2 Absent Member.

Data Encryption Policy

Hi,

We use a Data Encryption Policy to encrypt USB sticks. The problem is that it is not possible to access the data on a device that does not have the policy. The files are visible, but a message indicating that they are corrupted appears when you open the files.

Does the Data Encryption Policy have to be associated with a device in order to access encrypted USB keys?

We use Zenworks agent version 17.3.0.1270.

Thank you!
Micro Focus Expert

Re: Data Encryption Policy

The USB Stick would be accessible by any other Windows device....even one w/o the ZCM Agent.
ZCM uses BitLocker to manage the encryption of the device.

The only limitation is that the other device has to support BitLocker and the Encryption level.
Some of the highest encryption levels are not supported on older operating systems.
It is also possible that the BitLocker services were disabled on a PC...which they are not by default.

However, I use my ZESM Data Encryption Policy on my Work Computer and encrypt my Work USB.
I take that same stick to my family's PCs running Windows 7 and 10 and access the files no problem....after being prompted for a password.
Those PCs do not have any ZCM software installed.



mcouturier2;2500064 wrote:
Hi,

We use a Data Encryption Policy to encrypt USB sticks. The problem is that it is not possible to access the data on a device that does not have the policy. The files are visible, but a message indicating that they are corrupted appears when you open the files.

Does the Data Encryption Policy have to be associated with a device in order to access encrypted USB keys?

We use Zenworks agent version 17.3.0.1270.

Thank you!
Micro Focus Expert

Re: Data Encryption Policy

What are all of your Policy Settings.....
Do you have the "Password" option disabled?
I have not played with every possible combination...
mcouturier2 Absent Member.

Re: Data Encryption Policy

Only "Enable encryption for removable storage devices" is enabled.

The goal is to encrypt USB keys so that they are not accessible on a device without the Zenworks agent.

Is that possible?

Thank you!
Micro Focus Expert

Re: Data Encryption Policy

That is why I came back and asked again....
There are 3 Unlock options...

"Always Prompt for Unlock" - With this setting the Stick is usable on Any Device if you know the PWD (What I usually use)
"Prompt on 1st Use on a particular device...Then automatic."
"No Unlock Password: auto-unlock on managed device only".

I presume you are using number 3.
I would have to play with that a bit more to see what happens between devices that do or do not have any Encryption Policy....
Micro Focus Expert

Re: Data Encryption Policy

Also to be clear you are using the ZCM "MICROSOFT DATA ENCRYPTION POLICY".
There is an older "DATA ENCRYPTION POLICY" that still exists....

But "Microsoft Data Encryption Policy" was a new policy added starting with 17.1 if I recall correctly.
Definitely work with that one and play with its options...


CRAIGDWILSON;2500178 wrote:
That is why I came back and asked again....
There are 3 Unlock options...

"Always Prompt for Unlock" - With this setting the Stick is usable on Any Device if you know the PWD (What I usually use)
"Prompt on 1st Use on a particular device...Then automatic."
"No Unlock Password: auto-unlock on managed device only".

I presume you are using number 3.
I would have to play with that a bit more to see what happens between devices that do or do not have any Encryption Policy....
mcouturier2 Absent Member.

Re: Data Encryption Policy

Ok I was using a Data Encryption Policy.

I created a Microsoft Data Encryption Policy and I encrypted a USB key successfully.

Now what I notice is that on a device without the encryption policy it is necessary to click the "Unlock drive" button in the "Encryption management" window to access the drive.

Is it possible to bypass this step on devices without any encryption policy assigned?

Thank you!
bbeachem Absent Member.

Re: Data Encryption Policy

mcouturier2;2500172 wrote:
Only "Enable encryption for removable storage devices" is enabled.

The goal is to encrypt USB keys so that they are not accessible on a device without the Zenworks agent.

Is that possible?

Thank you!


This policy type is being deprecated. We recommend using the Microsoft Data Encryption policy. In that policy there is an option for "Unlock Method" that shows "no unlock password: auto-unlock on ZENworks managed devices ONLY; no access on non-managed devices".
This uses Microsoft BitLocker encryption, but we manage it entirely. When the user inserts the device in a managed ZONE, then it will unlock automatically with no user intervention. If they insert it into a Windows 7 or newer device (that supports BitLocker) it will prompt for a recovery key, which they don't know unless they are a ZCC Admin with access to that in ZCC UI. So effectively, they cannot unlock it on any unmanaged device.
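A read-only PowerShell check for the two conditions raised in this thread: whether the BitLocker service is usable on the PC (first reply) and which unlock protectors the stick carries, which decides whether an unmanaged device shows a password prompt or only a recovery key prompt (post above). This is an added example, not ZENworks or Micro Focus code; it uses only built-in Windows cmdlets, assumes an elevated session and that the stick reports as a removable drive, and does not inspect how ZENworks itself stores or applies keys.

```powershell
#Requires -RunAsAdministrator
# Added diagnostic example (not ZENworks code). Read-only: it changes nothing
# on the machine or the stick. Uses only built-in Windows cmdlets.

# 1. BitLocker Drive Encryption Service: a disabled service prevents unlocking.
$svc = Get-Service -Name BDESVC -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'BDESVC not found: this Windows edition may lack BitLocker.'
} elseif ($svc.StartType -eq 'Disabled') {
    Write-Warning 'BDESVC is disabled: BitLocker volumes cannot be unlocked here.'
}

# 2. Removable volumes with a drive letter. Some USB hard disks report as
#    'Fixed'; adjust the filter for those (assumption: the stick is 'Removable').
$removable = Get-Volume |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }

foreach ($vol in $removable) {
    $blv = Get-BitLockerVolume -MountPoint "$($vol.DriveLetter):" -ErrorAction SilentlyContinue
    if (-not $blv) { continue }

    # Key protectors live in volume metadata and are listed even while locked.
    $types = @($blv.KeyProtector | Where-Object { $_ } |
        ForEach-Object { "$($_.KeyProtectorType)" })

    # What plain Windows can offer the user, judged from the protectors alone.
    $prompt = if ($types.Count -eq 0) {
        'no BitLocker protectors (volume not encrypted)'
    } elseif ($types -contains 'Password') {
        'password prompt'
    } elseif ($types -contains 'RecoveryPassword') {
        'recovery key prompt only'
    } else {
        'no interactive unlock (key file or other protector required)'
    }

    [pscustomobject]@{
        Drive            = $blv.MountPoint
        LockStatus       = $blv.LockStatus
        EncryptionMethod = $blv.EncryptionMethod
        Protectors       = $types -join ', '
        NativeAutoUnlock = $blv.AutoUnlockEnabled
        UnmanagedPrompt  = $prompt
    }
}
```

Run it with the stick inserted on both a managed and an unmanaged PC and compare the rows. An `XtsAes` encryption method cannot be read by Windows versions older than Windows 10 1511, which is one case of the "encryption level" limitation mentioned in the first reply.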
mcouturier2 Absent Member.

Re: Data Encryption Policy

Ok I was using a Data Encryption Policy.

I created a Microsoft Data Encryption Policy and I encrypted a USB key successfully.

However, the USB key is still not accessible on a device with the Zenworks Agent. A "BitLocker" window appears asking for an unlock code.

Is there something else that must be done to enable the auto-unlock on ZENworks managed devices?

Thank you!