Windows Selective Wipe for Device Data Management
Applies To: Windows 8.1, Windows RT 8.1, Windows Server 2012 R2
This topic for the IT professional describes the Selective Wipe feature that was introduced in Windows Server 2012 R2 and Windows 8.1. It links to resources for Exchange Server and Windows Intune administrators who manage enterprise data on devices, and for developers who build apps that use the Windows Selective Wipe capabilities.
Windows Selective Wipe enables administrators to secure corporate data that has been distributed to corporate or personal devices. Apps can be written to protect data to an Internet domain that the enterprise owns (its enterprise identifier), and administrators can later revoke access to everything that is protected to that domain.
Protecting a file to an Internet domain encrypts it with a per-user key on the device that is associated with that domain; while the key exists, the file is readable only by that user on that device. Revoking access destroys the key for the domain, which leaves the protected content unreadable. Selective Wipe uses the Encrypting File System (EFS) for the encryption and keeps the symmetric key in the user's Credential Locker.
Selective Wipe is used by the Mail app to protect attachments in accounts that have an Exchange ActiveSync (EAS) security policy set, and to revoke access to those attachments when an EAS RemoteWipe command is received for the account. Similarly, Work Folders can be configured by policy to encrypt its data, and it uses Selective Wipe for that protection.
For information about the Mail app that is published by Microsoft, see Mail, Calendar, People, and Messaging App for Windows in the Windows Store.
For information about Work Folders, see Work Folders Overview.
For information about using Windows Intune to manage mobile devices, see What's New in Windows Intune - New Features, Changes.
Enterprise employees often have the ability to access their email and open or store enterprise content on their personal devices. This presents a possible avenue for corporate data to leave the control of the enterprise. Selective Wipe enables the enterprise to regain a measure of control over their data when it is shared to personal or corporate issued devices. Administrators can use Selective Wipe to control access to enterprise data as follows:
Register personal devices to allow Selective Wipe to receive enterprise content
Enterprises can allow access to corporate email from a personal device if the device complies with policy controls, which include the ability to wipe corporate data on demand.
By using Windows Intune as a client management tool, administrators can require employees to register their devices with the corporation and consent to corporate use policies to get access to resources. This allows the corporation to propagate policies to the devices so that all corporate applications and data that is protected by Selective Wipe can be wiped from the device by the IT administrator.
Unregister personal devices to remove local corporate data access
When an employee no longer requires access to corporate data due to departing from the enterprise, retiring the device, or changing responsibilities, the IT administrator or the user can unregister the device. When Windows Intune is used for data management, unregistering the device destroys the enterprise identifier keys for all the managed email domains of the user. All corporate data that is protected in these domains will be inaccessible on that device.
Prohibit access to corporate data from a device connected to the network
If a registered device is no longer controlled by the enterprise, for example through loss or retirement, the IT administrator can issue a revoke access command for that specific device. Mobile device management solutions that use the Windows Open Mobile Alliance Device Management (OMA DM) agent, such as Windows Intune, can do this. When the device next connects to the management service and receives the revoke command, access to any data that is encrypted with the enterprise identifier key is removed.
The following list describes the major functionality that is available when enterprise apps or corporate data are protected with Windows Selective Wipe.
Enterprise apps or data sources that protect their data with Selective Wipe can render their data that remains on the device inaccessible upon a remote wipe request from the enterprise administrator.
Administrators can delegate permission to Windows Store apps so that they can wipe content from any applications that are associated with an enterprise identifier.
The owner of the device has the ability to accept or reject management that might include remote wipe policy for their personal Windows device.
Personal data on a personal device is not marked with Selective Wipe protection, so it is never removed or rendered inaccessible because of an enterprise remote wipe command.
How it works
Because Selective Wipe ties corporate data to a symmetric key that is bound to an Internet domain, destroying the key for that domain revokes all access to the protected content.
Windows generates a key for each enterprise identifier (EID) that is used with the Selective Wipe protection API. EFS encrypts protected files with that key, and the EID is used to look up the key and to revoke it. The EID must be an Internet domain that belongs to the enterprise, in standard international domain name format. Only the second-level domain (the name registered directly under the top-level domain) counts when EIDs are matched. For example, contoso.com is an EID, and it is matched by any name in the contoso.com hierarchy, such as mail.contoso.com and fileserver1.serverfarm.contoso.com.
For data to be revocable, an application must first protect it to the enterprise by using the Windows Selective Wipe API, FileRevocationManager. Some Windows features and applications, such as Work Folders and Mail, already implement this protection. Non-Microsoft applications can use FileRevocationManager to develop this capability.
Your enterprise must also have a revocation channel or method to issue revoke commands on its content. The most reliable method for personal devices that access enterprise content is to require a mobile device management solution, such as Windows Intune, which uses the OMA DM agent in Windows as the revocation channel.
The app or the management tool that issued the revoke command is responsible for reporting the command’s status.
By using the Windows Intune management features, you can also revoke content for email domains that are managed for that tenant on devices running Windows 8.1 or Windows RT 8.1. The Mail application that comes with Windows 8.1 can also respond to an EAS RemoteWipe command by revoking access to content for the wiped mail account's domain. Note, however, that removing a Mail account does not revoke the removed account's content; it only removes this revocation channel from the device, so content protected to that domain stays accessible until some other channel revokes the EID.
How the data protection works
The Selective Wipe API for protection is FileRevocationManager.ProtectAsync. It encrypts files by using the Encrypting File System (EFS) feature of the NTFS file system with a new key management mechanism that is used by Selective Wipe. The application passes the enterprise's Internet domain as the enterprise identifier (EID) in the call, together with the file or folder to protect.
When a file is the target, EFS encrypts it by using a new EID protector type. This is a symmetric key that is stored in the user’s local Credential Locker, and is indexed by that EID. If a key doesn’t exist for that EID in the user’s profile, EFS will generate a new one, and if one already exists it is reused.
Key creation also generates a new globally unique identifier (GUID) for that instance of the EID key. This GUID is used during wipe detection to distinguish a key that was wiped from a later instance for the same EID. This happens when a key wipe for an EID is followed by a call to protect data for the same EID.
When a folder is the target of ProtectAsync, the folder must be empty or the call fails. If the folder is empty, it is marked as protected by that EID, and key generation occurs, if necessary. Thereafter, new files that are added to that folder are encrypted and protected with that EID. A file or folder can only have one EID.
How the selective key wipe works
The Selective Wipe API for revocation is FileRevocationManager.Revoke. It securely deletes the key that is associated with the specified EID from the user's Credential Locker, which makes all files that are encrypted with that key unreadable. If the protection API (ProtectAsync) is called again for the same EID, a completely new key is generated. Revoked files are unrecoverable from that device, by design. The content recovery mechanism, if allowed, is to download that content from the enterprise again.
File revocation applies to all content that is protected under the same second level domain as the provided enterprise identifier. For example, revoking an EID of mail.contoso.com revokes the user’s access to all content protected under the contoso.com hierarchy.
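The second-level-domain matching rule described in this section and under "How it works" determines which protected items a single Revoke call will cover. The following C# helper, which is an added example and not code from the article or from Microsoft, implements the rule as the article states it (keep only the last two labels, after IDN-to-ASCII normalization), so an app can reason about the blast radius of a revoke before issuing it. The sample inputs are constructed for illustration.

```csharp
using System;
using System.Globalization;

// Added example (not part of the original article): implements the EID
// matching rule as the article states it, so an app can tell in advance
// which of its protected items a Revoke(eid) call will cover.
public static class EnterpriseIdentifier
{
    // Reduces an EID to the form used for matching: the second-level
    // domain, lower-cased, with any Unicode labels converted to their
    // IDNA ASCII (punycode) form. Returns null for input that is not a
    // domain name with at least two non-empty labels.
    public static string Normalize(string eid)
    {
        if (string.IsNullOrWhiteSpace(eid)) return null;

        string host = eid.Trim().TrimEnd('.');
        try
        {
            host = new IdnMapping().GetAscii(host);   // IDN -> ASCII form
        }
        catch (ArgumentException)
        {
            return null;                              // not a valid domain name
        }
        host = host.ToLowerInvariant();

        string[] labels = host.Split('.');
        if (labels.Length < 2) return null;
        foreach (string label in labels)
            if (label.Length == 0) return null;       // "a..b" is malformed

        // Assumption: the article's rule keeps the last two labels only.
        // It does not address multi-label public suffixes such as co.uk;
        // under this rule contoso.co.uk maps to co.uk, so verify the rule
        // against your own EIDs before relying on it.
        return labels[labels.Length - 2] + "." + labels[labels.Length - 1];
    }

    // True when a Revoke for revokedEid would cover content that was
    // protected to protectedEid.
    public static bool Covers(string revokedEid, string protectedEid)
    {
        string a = Normalize(revokedEid);
        string b = Normalize(protectedEid);
        return a != null && a == b;
    }

    public static void Main()
    {
        // Constructed sample pairs (not from the article).
        string[][] cases =
        {
            new[] { "mail.contoso.com", "fileserver1.serverfarm.contoso.com" }, // true
            new[] { "CONTOSO.COM.", "contoso.com" },                            // true
            new[] { "contoso.com", "contoso.net" },                             // false
            new[] { "contoso.com", "notcontoso.com" },                          // false
        };
        foreach (string[] c in cases)
            Console.WriteLine("{0} covers {1}: {2}", c[0], c[1], Covers(c[0], c[1]));
    }
}
```

Because matching is by second-level domain, an app that protects content to mail.contoso.com and another that protects to files.contoso.com share one key, and a Revoke for either name destroys it for both. Use distinct registrable domains if you need independent revocation.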
Attempting to read a revoked file simply produces an Access Denied error message.
How the selective wipe detection works
The Selective Wipe API for checking protection status is FileRevocationManager.GetStatusAsync. It lets an app determine the protection status of a file or folder, in particular when an Access Denied error occurs because the file was revoked. The app calls this API for a file or folder and receives a FileProtectionStatus value that indicates whether the item is unprotected, revoked (wiped), protected, or protected by another user.
Because ProtectAsync can be called for an EID that was previously wiped, the Selective Wipe key management infrastructure inspects the EID and the key’s GUID in the file system metadata to determine if the instance of the EID key that is used by the file or folder has been wiped.
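The three sections above describe one cycle: protect a folder to an EID, detect revocation when a read fails, and revoke the key. The following C# code is an added example that walks through that cycle in a Windows 8.1 app; it is not code from the article or from Microsoft. It assumes a project that references Windows.Security.EnterpriseData, and the EID "contoso.com", the folder names and the file names are assumptions chosen for illustration.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.EnterpriseData;
using Windows.Storage;

// Added example (not from the article or from Microsoft): the protect,
// detect, revoke cycle in a Windows 8.1 app. EID, folder and file names
// are assumptions for illustration.
public static class SelectiveWipeFlow
{
    const string Eid = "contoso.com";   // assumed enterprise identifier

    // Protects a freshly created (therefore empty) folder to the EID, then
    // writes a file into it. The file is encrypted by EFS with the EID key
    // because it is created inside a protected folder.
    public static async Task<StorageFile> ProtectAndWriteAsync(string folderName, string fileName, string text)
    {
        StorageFolder root = ApplicationData.Current.LocalFolder;
        // ReplaceExisting guarantees the folder is empty; ProtectAsync fails
        // on a folder that already contains items.
        StorageFolder corp = await root.CreateFolderAsync(folderName, CreationCollisionOption.ReplaceExisting);

        FileProtectionStatus s = await FileRevocationManager.ProtectAsync(corp, Eid);
        if (s != FileProtectionStatus.Protected)
            throw new InvalidOperationException("Folder not protected: " + s);

        StorageFile file = await corp.CreateFileAsync(fileName, CreationCollisionOption.ReplaceExisting);
        await FileIO.WriteTextAsync(file, text);
        return file;
    }

    // Reads a protected file. Access Denied surfaces as
    // UnauthorizedAccessException; GetStatusAsync tells the app whether the
    // EID key was revoked (content must be fetched again from the
    // enterprise) or the denial has an unrelated cause.
    public static async Task<string> ReadOrExplainAsync(StorageFile file)
    {
        try
        {
            return await FileIO.ReadTextAsync(file);
        }
        catch (UnauthorizedAccessException)
        {
            FileProtectionStatus s = await FileRevocationManager.GetStatusAsync(file);
            switch (s)
            {
                case FileProtectionStatus.Revoked:
                    throw new InvalidOperationException(
                        "EID key for " + Eid + " was revoked; fetch the content again from the enterprise.");
                case FileProtectionStatus.ProtectedByOtherUser:
                    throw new InvalidOperationException(
                        "File is protected for a different user on this device.");
                default:
                    throw;   // Access Denied for some reason other than Selective Wipe
            }
        }
    }

    // Revokes the EID and shows the effect: the old file reports Revoked,
    // while a new ProtectAsync for the same EID generates a new key
    // instance (new GUID), so a file written after the wipe is readable.
    public static async Task<FileProtectionStatus> WipeAndVerifyAsync(StorageFile oldFile)
    {
        FileRevocationManager.Revoke(Eid);
        FileProtectionStatus after = await FileRevocationManager.GetStatusAsync(oldFile);

        // Different folder name: the old folder must stay in place so that
        // the revoked file can still be inspected.
        StorageFile fresh = await ProtectAndWriteAsync("corp-after-wipe", "report.txt", "new key instance");
        string text = await FileIO.ReadTextAsync(fresh);   // succeeds: new key
        System.Diagnostics.Debug.Assert(text == "new key instance");

        return after;   // expected: FileProtectionStatus.Revoked
    }

    // Drives the whole cycle; call from an async event handler in the app.
    public static async Task RunAsync()
    {
        StorageFile f = await ProtectAndWriteAsync("corp", "expense.txt", "Q3 expenses");
        string before = await ReadOrExplainAsync(f);          // readable while the key exists
        FileProtectionStatus status = await WipeAndVerifyAsync(f);
        System.Diagnostics.Debug.Assert(status == FileProtectionStatus.Revoked);
    }
}
```

The status check happens only in the failure path: a normal read of a protected file costs nothing extra, and the app consults GetStatusAsync only after Access Denied, which is the pattern the detection section describes. The old file is deliberately left on disk so that the revoked status can be observed; an app that wants to tidy up can delete it, since the content is unrecoverable anyway.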
An enterprise can develop a line-of-business app as a desktop app or as a Windows Store app by using the Selective Wipe API, FileRevocationManager. As described earlier, this API can be used to set and enforce a Selective Wipe policy.
When corporate data is generated by a line-of-business app
An enterprise can lose control of its data when that data is saved to an employee's personal device that has been joined to the enterprise's network. For example, if an app lets an employee save a file, or save it under a different name, outside the app container, that file can leak.
Line-of-business apps can be used to view and manipulate that data, for example, a corporate expense report that is generated as an Excel spreadsheet by a Windows Store app.
By using Windows Intune, an administrator can provision a line-of-business app that protects the corporate data it uses with an enterprise identifier. The app can later be removed from the employee's device, and access to all data that the enterprise identifier ties to the corporate domain can be revoked.
If the enterprise's Windows Store app implements the Selective Wipe APIs, the app can encrypt all of its files with the enterprise identifier key. If such a file leaves the app container, the app can still revoke access to it by calling Revoke with the enterprise's domain (for example, Revoke("contoso.com")), which destroys the key.
Commands to revoke the EID key that protects any enterprise data can be issued by apps that have been delegated data-management authority. For example, your organization might require that all employees install a department-specific, time-reporting app on all devices. When an employee leaves the company or moves to another department, the time-reporting app, which has been delegated the authority to selectively wipe keys, can be used to revoke the EID keys for all data associated with the company or department.
For more information about delegation, see How revoke delegation works in this topic.
Enterprise developers could write a line-of-business app to revoke its data when the app uninstalls. This action leaves intact data that was protected by other apps (when those apps are Windows Store apps that have not been delegated revoke rights). A file that was saved by the app and later uninstalled can no longer be opened by the user. Even if the app is not written to revoke its own content, the Windows Intune administrator can issue the Revoke command, which deletes the key that was used to encrypt all of that content.
App developers can create a variety of means for apps to implement wipe commands and app-specific wipe channels. For example, they might use a configuration change or a file-sync hint to trigger the action. In Windows Intune, the OMA DM agent is used as the wipe channel, and its wipe commands apply to all apps in the system.
When corporate data is shared through the Mail app
Exchange ActiveSync can revoke access to data that is tagged with the employee's corporate email domain when the Mail app is used to access work email. Because removing an email account does not issue a revoke command, this wipe channel is not as reliable as the Windows Intune wipe channel. If the Mail app is to serve as the revocation channel for Work Folders, configure the Work Folders protection policy with the same domain as the email account.
The Mail app can also receive the command to revoke access when the device is managed through Windows Intune, or any mobile device management solution that uses the Windows OMA DM agent. Windows Intune uses the OMA DM agent, and it revokes the domains of all managed email addresses when it receives a wipe or unregisters the device.
Mail apps are common within corporations, and it is not unusual for employees to have multiple accounts while using the same app. This is problematic for data security because corporate data can be mixed with personal data.
Windows Selective Wipe can be implemented through the line-of-business app scenario described earlier, or by setting Exchange ActiveSync security policies and enforcing the use of the Mail app, which has Selective Wipe capabilities by default. The Mail app reads the Exchange ActiveSync security policy requirement on the employee's corporate account and encrypts that account's attachments with the enterprise identifier key for the work domain, while leaving the other, personal accounts alone.
If the Mail app receives a revoke command for the corporate account, the app issues a revoke for the domain of the email account as part of its RemoteWipe processing. Any protected attachments that the employee might have saved are inaccessible, even if they were copied through Internet Explorer and out of reach of the running app.
For information about what policies are available by using the Exchange ActiveSync policy engine, see Exchange ActiveSync Policy Engine Overview.
How revoke delegation works
Windows Store apps can protect content that is associated with an EID, but they can only revoke access to content that they protected. You can identify and enable specific apps to revoke the EID key that is protecting any enterprise data. For example, your organization might require that all employees install a department-specific accounting app on all their devices. When that employee leaves the company or moves to another department, the app, which has been delegated the authority to selectively wipe keys, can be used to revoke the EID keys for all data that is associated with the company or the department.
To allow an application to revoke access to all content on a device that is protected by a particular enterprise, configure the Group Policy setting Allow Windows Runtime apps to revoke enterprise data, listing the enterprise apps that are permitted to revoke all data protected to a specific EID on the device.
If you enable this policy setting, the application that is identified by the Package Family Name is permitted to revoke access to all content that is protected by the specified EID keys on the device.
This policy setting is located under User Configuration\Administrative Templates\Windows Components\File Revocation, and it is not configured by default.
Selective Wipe technology relies on improvements to the Encrypting File System and updates to related Windows Store APIs, which are supported on computers running Windows 8.1.
The following table provides information about other resources that are available to administer Selective Wipe and to develop apps that are enabled with Selective Wipe.
Planning and Deployment: Not yet available
Tools and settings: Not yet available