How I Successfully Encrypted Windows Phone

BitPusher2600

New member
Dec 16, 2011
[Attached screenshot: wp_ss_20140315_0001.jpg]

As the title says, I have successfully encrypted my Windows Phone device memory by activating BitLocker, and since the information regarding all of this is so vague online, I want to share my experience and offer some definitive information. I'm writing this for those who place maximum priority on utilizing every avenue available for data security since they understand the relevance of a subject like data encryption.

I have spent an ungodly amount of time researching this subject because I'm pondering leaving BlackBerry for Windows Phone, and it is imperative to me that I be able to encrypt my device memory. I've been calling a handful of 800/877 Microsoft numbers, spent time in many MS support live chats and on both MS and non-MS forums and info sites simply trying to find out how to encrypt my device memory, and nobody had anything concrete, just runarounds.
If you look at a site like this:
Windows Phone for business | Security | Windows Phone (United States)

You would think this is what you're getting when you buy a Windows Phone, and what you read on that page isn't entirely true. Some of the security of Windows Phone isn't available to consumers, at least not exactly, which is why the information above is under the "Windows Phone For Business" section of Microsoft's site: there are security functionalities on Windows Phone that can only be pushed via a very specific EAS IT policy.

The screenshot above from the Settings>Phone Storage menu is what you see when BitLocker has been enabled. To clear the speculation I've seen all over the place:

*Windows Phone is NOT encrypted by default; it is not encrypted at first boot or out of the box. It leans on protocols like MTP rather than standard mass storage access, so to a small extent you can't directly access your data, but while walled off from the average user, it isn't encrypted. Apps on the device, however, are code signed and sandboxed.

*Adding any sort of Exchange account to the device (including Outlook.com email) does not enable or give the option to enable encryption.

So, how did I manage to do this? Well, I can say it is possible even if you do not have your Windows Phone in an enterprise environment that pushes IT policies to your device(s), and that is by either setting up your own Exchange server or utilizing a paid option for one already in place.

Microsoft is offering a one-month free trial for a lot of their Office 365 and Exchange hosted services. I signed up for the only one that allows advanced IT administration, and that is the Office 365 for Enterprise E3 package, which goes for about $20 per month; among the various Office 365 and Exchange packages available, this is the only one that allows you to enable various on-device security capabilities with policies. You don't have to spend a dime after the trial ends, and in the future you can look at it as a one-time fee if the need arises to encrypt a different Windows Phone.

Here's how you do this: once all of your services are set up, you configure your Exchange email address and associate whatever IT policies you need with it, and this includes a tick box for "require device encryption." After that is done, you go into the accounts menu in Windows Phone and add this address to your accounts. After it connects, the device will ask if you want to accept the policies, and once you do, BitLocker becomes enabled. Once you've done this, your Windows Phone is encrypted for the life of the install, or in other words it will stay encrypted unless you do a factory reset of the device. At this point you are done with Exchange; you are welcome to go into your accounts menu again and completely remove the new email address from your phone. So just to be clear, no matter what you do from here, your device memory will remain encrypted unless you do a factory reset on the device or use an Exchange account to manually push a new policy to the device disabling BitLocker.

That's it, folks. It's relatively easy once you figure your way around the Web interface, and again, if data security matters and you are dead set on Windows Phone, this is the only way this can be done. It's a shame other platforms allow you to do such a simple function by pulling up their respective settings menu and simply tapping enable. My experience with this has led me to believe Microsoft does not feel the regular consumer has a need for such data security measures, and for people who place their highest priorities on what apps they can get or how many cores are in their CPU, that's probably true. They may change that in the future with security becoming an ever growing issue, but who knows.

As far as I know, the process I've detailed is the only way for a regular consumer to encrypt their device. To whomever it concerns, good luck. As for me, I believe I'm about ready to make that all-in jump to Windows Phone and depart a fair history with BlackBerry; I just wish my carrier (Sprint) had a Nokia Lumia. If I had the kind of money to do so, I'd switch carriers, but in the meantime, here goes.
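For anyone who would rather script the policy than click through the Office 365 or Exchange web interface, the following is the equivalent Exchange PowerShell. This is an added example and is not part of BitPusher2600's post or of Microsoft's documentation; the policy name "RequireEncryption", the mailbox alias "phoneuser" and the tenant credentials are placeholders you would substitute with your own. It assumes an Exchange 2010 Management Shell or a remote PowerShell session to the Exchange back end of an Office 365 tenant with a plan that exposes mobile device mailbox policies (the thread reports that only the Enterprise E3 plan did so at the time).

```powershell
# Added example, not from the original post or from Microsoft.
# Creates an Exchange ActiveSync mailbox policy that requires device
# encryption, assigns it to one mailbox, and verifies the phone applied it.
# Placeholders: policy name "RequireEncryption", mailbox alias "phoneuser",
# and the admin credential prompted for below.

# --- Office 365 / Exchange Online only: open a remote session to the
# Exchange back end. On-premises Exchange 2010, run the rest of this from
# the Exchange Management Shell and skip these four lines.
$cred = Get-Credential   # tenant admin account (assumed placeholder)
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://outlook.office365.com/powershell-liveid/" `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking

# --- 1. Create the policy.
# RequireDeviceEncryption is the "require device encryption" tick box from
# the post. AllowNonProvisionableDevices $false matters: without it a device
# that cannot enforce the policy is still allowed to sync, so the policy
# would be advisory. The password settings are optional hardening that
# travels in the same policy and can be removed.
New-ActiveSyncMailboxPolicy -Name "RequireEncryption" `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10

# --- 2. Assign the policy to the mailbox the phone will be set up with.
# The phone receives it on its next sync and prompts to accept the policy;
# accepting is the point at which BitLocker is turned on.
Set-CASMailbox -Identity "phoneuser" -ActiveSyncMailboxPolicy "RequireEncryption"

# --- 3. After the phone has synced, confirm the policy actually applied.
# DevicePolicyApplicationStatus should read AppliedInFull for the device;
# anything else means the phone is still syncing under the old (or no) policy.
Get-ActiveSyncDeviceStatistics -Mailbox "phoneuser" |
    Select-Object DeviceType, DeviceModel, DevicePolicyApplied,
        DevicePolicyApplicationStatus, LastPolicyUpdateTime

# --- Cleanup for the remote session.
Remove-PSSession $session
```

On Exchange 2013 and later (which is what Office 365 was already running on), the same parameters are accepted by the renamed cmdlets New-MobileDeviceMailboxPolicy and Get-MobileDeviceStatistics; the -ActiveSyncMailboxPolicy parameter on Set-CASMailbox is unchanged. Two caveats follow from the thread itself: removing the account from the phone afterwards does not remove the encryption, and the policy only covers internal storage, not the SD card, so there is nothing to set for the card here.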
 

BitPusher2600

New member
Dec 16, 2011
Firstly, I've noticed zero performance change, but I should point out that other than occasionally firing up a little Angry Birds (can't believe I just confessed that), I don't do much gaming, so everything else seems to perform as it did. (I'm assuming playing higher-end video games taxes the processor and RAM more than anything else.)

And Jaskys, this is only relevant to people who are a little more understanding or intense about personal data security, like a certain former BlackBerry lover named....me. It makes my tinfoil hat gleam just a little brighter, that's all.
 

theetommyt

New member
Nov 13, 2012
You mentioned not being able to sure moving to another carrier. Did you know T-Mobile will pay your ETF fees to move from Sprint? They'll even take your old phone as trade-in credit toward a new Lumia 925.

Posted via the WPC App for Android!
 

BitPusher2600

New member
Dec 16, 2011
theetommyt wrote:
You mentioned not being able to sure moving to another carrier. Did you know T-Mobile will pay your ETF fees to move from Sprint? They'll even take your old phone as trade-in credit toward a new Lumia 925.

Posted via the WPC App for Android!

I appreciate that, and thanks; the thought had certainly crossed my mind, but their service is not too good here. One of my closest buds has a Galaxy with them and regrets having left Verizon for them. Besides that, my credit isn't great, and I also notice that the basic specs between that and this Ativ S Neo are really similar. I can't justify the jump, though I bet I'd deal with the subpar service if they carried the Lumia 1520 :)
 

genuine555

New member
Jun 8, 2012
I think it is very nice of OP to have figured it out for himself.


But OP, you made a typo in your first post: it ISN'T possible without an enterprise/Exchange environment. You just said it was, so you might want to change that to prevent confusion...

To be more specific, it can only be done through an Exchange ActiveSync policy.
ActiveSync is what triggers the service on your WP device.

The back-end Exchange server actually triggers and controls the service through ActiveSync policies.
SD cards are not encrypted because they can only store media, btw...


Quite useful for business-oriented WP users, but quite useless for any home user (imho).
It also affects performance, but it is only slightly noticeable when running a lot of apps simultaneously or doing heavy gaming.

@work though, we have noticed many other business-related shortcomings compared to iPhone and especially BB... which is why they decided to (mainly) stick with BBs and iPharts for now.
WP is on its way, but still not quite there yet.


In business circles it is well known by now, though, that it can be done on WP and how it can be done, and the information is freely available if you know where to look:

http://go.microsoft.com/fwlink/?LinkId=270085
Windows Phone and Encryption (BitLocker) - Windows Phone

Windows Phone for business | Security | Windows Phone (United States)


Basically you have to understand the basic mechanics of Exchange ActiveSync policies and how to enable/modify them and push them onto hosts. You basically have to have some administrative knowledge about Exchange and server policies in general, or you will have a hard time understanding how this encryption service is controlled through Exchange ActiveSync.
Understanding Exchange ActiveSync Mailbox Policies: Exchange 2010 Help.

Since he had a hard time figuring this out, I think that OP isn't a business user, but must be a home BB user who wanted to know how to use the BitLocker service on WP.


As can also be found online, there are several options to turn to when wanting WP device encryption, but as OP stated, for home users the information provided is "vague" simply because little is known by those users about how these things actually work from back end to front:

How can I turn on BitLocker encryption on Windows Phone 8? - Super User


Basically all these "options" control this encryption service the same way: through an ActiveSync policy!

We have the traditional Exchange ActiveSync that enables the back-end "RequireDeviceEncryption" policy through an Exchange server in any business environment.

Then we have Intune and SCC Manager, which are both hosted management services for server/business environments, and they actually control the service the same way, and thus still require an Exchange back-end server to push the same ActiveSync policies. Think of these two basically as kind of administrative "front ends" for your business back end ;-) But it thus still requires a business environment, and is not available for home users.

Then we have the final option, Office 365. It still uses an Exchange back-end server, and still pushes ActiveSync policies to your device just like all the others mentioned, but any user with a subscription can basically connect to that back end and use the services provided through those policies.

For now only a business subscription or a Home Premium is possible, so still not very useful for a "single" user, but that will change around springtime, since MS has announced the launch of a new subscription called Office 365 Personal, which requires only 1 user with 1 PC/laptop or tablet.
Microsoft adds personal Office 365 subscription | PCWorld


Access for most home users, as explained above, is for now very limited. But as stated, that will probably change when MS launches the Office 365 Personal subscription.

But basically ANY hosted environment running an Exchange back-end server can enable AND push this encryption service to your WP device very easily. You don't actually need a business environment, but you do explicitly need an operational Exchange server that uses ActiveSync!
Basically, if you correctly configure an Exchange server @home and set up the ActiveSync policy, you can have encryption on your WP device just like in any "business"-related environment.

So access for home users is most DEFINITELY possible and actually easy if you know how to configure and set up an Exchange server @home.
The downside is that you need to have a valid Exchange licence, which isn't that obvious for most home users of course, unless you are a student ;-)
 

BitPusher2600

New member
Dec 16, 2011
Genuine,
Thank you for the thorough response. I want to try to address it as best I can.

Firstly, my opening was not a typo, just a choice of wording, in that (and you are correct) I am a single user and not involved at all with a corporation or business entity; as such I don't have a corporate IT department to report to, I'm a fellow on my own. What you are referring to when talking about "an enterprise/Exchange environment" is software-wise, and in that you are correct.

Next, I'm aware that it's only the internal memory that is encrypted. I knew that and I hope I didn't let on otherwise in my words; that much is defined on Microsoft's BitLocker page.

Why do you find the idea of data encryption useless for a "home user"? The point of it, in my opinion, is to protect data, to make its access all the more difficult for outside sources, and whether or not that's entirely true is irrelevant because, again, it makes my tinfoil hat a little more comfy.

As for the pages you linked, they explain that the device can be encrypted, not how. If an IT admin would look at this and instinctively get that, then I'll have to take your word for it. You are correct in assuming I am not an IT admin, nor have I ever been. I am, however, the sort who has been building his own Linux kernels for years and using Slackware-style package management, so that said (including scripting, things like iptables, etc.), I believe I'm just competent enough to pull off what I did, both to find the means and push the policies to my device, and I found the easiest avenue to make it happen. I still insist at any rate that the question from any security-minded user of "how do I encrypt" or "is my Windows Phone encrypted" is both fair and indeed vague nonetheless; try searching the net on matters of Windows Phone being encrypted or not and watch the questions and speculations mount in size. I'm not the first or the last non-IT admin who wants their device to be encrypted, but unlike Windows Phone, BlackBerry and even Android (which I personally wouldn't touch with someone else's 10ft pole) make encrypting device memory a literal snap.

To try to address the tail of your post, at present it is *only* through the Office 365 Enterprise E3 package that you are given the tools with O365 to be able to push EAS policies whatsoever, so Small Business and Personal will not be capable of encrypting one's device. I know this factually because that is how it was explained to me on the phone by an MS rep, and we also had a poster on this thread with the Small Business package confirm the same.
 

Jaskys

Banned
Jan 23, 2013
BitPusher2600 wrote:
And Jaskys, this is only relevant to people who are a little more understanding or intense about personal data security, like a certain former BlackBerry lover named....me. It makes my tinfoil hat gleam just a little brighter, that's all.

Alright tin foil hat terrorist, reported to NSA :)...
 

BitPusher2600

New member
Dec 16, 2011
Oh yes, since I don't know what software to fire up to create my own Exchange server, the E3 package I mentioned appears to me to have been my only tool that has the capability to let me create and control device policies. The others MS is selling (like Intune) are very expensive. What is a cheaper means than what I've done to create my own Exchange server? I felt using one already in place (which was free this time, and $20 should I need to "borrow" advanced Exchange capabilities again). Your recommendations are appreciated.

And this grueling process from start to finish has been gratifying in that 1: I was able to accomplish my goal of encrypting this puppy and 2: I now have a deeper understanding of how EAS and policies work than before I started. It's been very worth it, and if I can feel better about my data security, the only loss is a customer to BlackBerry (though saying that breaks my heart; to me, as asinine as it sounds, it's like breaking up with your first true love). I went through this WP/BlackBerry scenario once already during that brief time BlackBerry was supposed to be selling off and didn't really want to go. I went back to BB in short order in the end, but WP is drawing me in I guess :)
 

genuine555

New member
Jun 8, 2012
BitPusher2600 wrote:
Firstly, my opening was not a typo, just a choice of wording, in that (and you are correct) I am a single user and not involved at all with a corporation or business entity; as such I don't have a corporate IT department to report to, I'm a fellow on my own.

I see... a wordplay then ;-)

BitPusher2600 wrote:
Next, I'm aware that it's only the internal memory that is encrypted. I knew that and I hope I didn't let on otherwise in my words; that much is defined on Microsoft's BitLocker page.

You didn't. I just thought it'd be worth mentioning :)

BitPusher2600 wrote:
Why do you find the idea of data encryption useless for a "home user"? The point of it, in my opinion, is to protect data, to make its access all the more difficult for outside sources, and whether or not that's entirely true is irrelevant because, again, it makes my tinfoil hat a little more comfy.

Well, as you state, it is indeed kind of a personal preference and a matter of opinion, and opinions do vary. I find it (personally) not really worthwhile for home usage because I never carry important data on a home device. But that doesn't implicitly mean others are willing to share that opinion.

So readers should take this as 'my' personal opinion, but nothing more than that, and other opinions are of course just as valid as my own.

BitPusher2600 wrote:
As for the pages you linked, they explain that the device can be encrypted, not how. If an IT admin would look at this and instinctively get that, then I'll have to take your word for it.

That is absolutely correct. It isn't really mentioned "how", because an admin will indeed instinctively know the procedure(s) to follow to enable and configure the policy. It is a general procedure that is known within professional circles... Well, at least they "should" know if they are administrators :) Trust me, for this you can take my word.

BitPusher2600 wrote:
To try to address the tail of your post, at present it is *only* through the Office 365 Enterprise E3 package that you are given the tools with O365 to be able to push EAS policies whatsoever, so Small Business and Personal will not be capable of encrypting one's device. I know this factually because that is how it was explained to me on the phone by an MS rep, and we also had a poster on this thread with the Small Business package confirm the same.

I see. THAT I didn't know. So this is then basically a marketing strategy, and MS deliberately chose not to provide the feature with their Small Business and Personal licences... probably because it would have to come from their own back end and they would have to administer the extra server load and administration... you see, any larger business or corporation that buys an O365 business licence has its own server infrastructure and can have that policy run from its own EAS policies. Personal users don't have their own infrastructure, so for them the policy would have to be maintained by and pushed from MS' own EAS policy. I guess they are simply not willing (or able) to take that extra responsibility. Also, I can immediately understand the added workload for MS if they would do that... so it is fairly logical for them not to.

But it is most def. possible, also through those licences, IF they would administer the feature through their own Exchange policies. The back-end infrastructure is the same and involves an Exchange server family just like any large business environment.

Anyway thanx for clarifying that. Makes much more sense indeed.

Good work OP ! :smile:
 

John20212

New member
Feb 27, 2012
I was always wondering about encryption on WP since I remember way back MS mentioning it somewhere, so thanks to OP for the post.

I still find it rather strange why Microsoft decided to hide features like BitLocker encryption on the phone when it's easily accessible in Windows. It would have been great to just have a simple on/off option in the settings for this. Or an 'Advanced Settings' section with all the advanced options only very few users use but are still great to have when you need them [e.g. "Wipe the device after x number of failed password attempts." This would be really useful to have also].

It would be a real shame if this sort of stuff continues with WP8.1; but knowing MS it probably will.
 

foxbat121

New member
Nov 14, 2012
It is never that easy. The biggest challenge is how to safely and automatically back up the encryption key so that you can use it to decrypt the phone in case of screw up by end user. I suspect current implementation uses Exchange server to back it up automatically. The new implementation in Windows 8.1 uses Microsoft OneDrive to automatically back up the key in the cloud. Not sure if that will get implemented in WP8.1. But again, if the key is backed up in the cloud, OP probably will not like it at all.
 

tgp

New member
Dec 1, 2012
BitPusher2600 wrote:
Once you've done this, your Windows Phone is encrypted for the life of the install, or in other words it will stay encrypted unless you do a factory reset of the device.

This could turn out to be an issue. WPs seem to need a factory reset every once in a while, for reasons such as clearing Other storage or spinning gears during an update. I don't believe I've ever gone more than 3 months or so without doing a hard reset. Hopefully you won't have this issue!

foxbat121 wrote:
The biggest challenge is how to safely and automatically back up the encryption key so that you can use it to decrypt the phone in case of screw up by end user. I suspect current implementation uses Exchange server to back it up automatically. The new implementation in Windows 8.1 uses Microsoft OneDrive to automatically back up the key in the cloud. Not sure if that will get implemented in WP8.1.

That's an interesting thought. I don't understand encryption very well, so I have to wonder what happens in a case like the OP's, where he subscribes to Office 365 for a month to get the encryption and then lets it lapse. Is the encryption key available?
 

BitPusher2600

New member
Dec 16, 2011
tgp wrote:
That's an interesting thought. I don't understand encryption very well, so I have to wonder what happens in a case like the OP's, where he subscribes to Office 365 for a month to get the encryption and then lets it lapse. Is the encryption key available?

The device(s) you push the policy to keep it until the device gets wiped or the policy is removed via Exchange. When I end the subscription, the device does not lose its encryption :)
 

John20212

New member
Feb 27, 2012
foxbat121 wrote:
It is never that easy. The biggest challenge is how to safely and automatically back up the encryption key so that you can use it to decrypt the phone in case of screw up by end user. I suspect current implementation uses Exchange server to back it up automatically. The new implementation in Windows 8.1 uses Microsoft OneDrive to automatically back up the key in the cloud. Not sure if that will get implemented in WP8.1. But again, if the key is backed up in the cloud, OP probably will not like it at all.

If the end user screws up, then that's their own fault; there should only be a warning informing users of the potential risks.
 

BitPusher2600

New member
Dec 16, 2011
This is all true, but factually speaking, there is no reason for me to unencrypt my device; it defeats the purpose. Further, all data that I have that's important to me can be backed up anywhere, as it's decrypted by the device before leaving it (if I email something, send something to OneDrive, or even copy to PC, it doesn't end up leaving the device in an encrypted state). I should say I'm good to go.

If the option to encrypt the SD card were available, however, that would present some different aspects to the matter, but in my case I understand and am familiar with the ins and outs thanks to a long history with BlackBerry, as I've encrypted every device I've owned and had no plans to switch to this platform without being able to do the same.
 
