The Schwartz Report


Microsoft Responds to Reader Demands for Automatic Windows Phone Encryption

Now that Nokia's handset business is part of Microsoft, it'll be interesting to see what compelling features come from the new devices and services group besides Cortana, the recently introduced voice-activated personal assistant. One improvement Microsoft might want to put on the fast track is its approach to encryption with Windows Phone.

The suggestion comes from a reader, who responded to my post a few weeks ago about Microsoft's then-pending, and now completed, acquisition of the Nokia handset business.

The reader had recently switched from an iPhone to a Nokia Lumia 521, which he described as a "very capable utility smartphone." However, he quickly discovered that, unlike on an iPhone, Windows Phone 8.1 BitLocker encryption is not automatically enabled on an unmanaged device when a screen-lock passcode is created.

According to a Microsoft Channel 9 video (about 10 minutes in), Windows Phone 8 devices aren't encrypted at all until Exchange ActiveSync (EAS) is activated. The reader asked how to turn on the built-in BitLocker encryption on any WP8 handset without having to use EAS or mobile device management (MDM). He also wanted to know how to create alphanumeric passcodes of arbitrary length on any WP8 handset without EAS or MDM. In short, he can't, at least not now.

That was something he concluded after watching the Channel 9 video and reading the Microsoft documentation regarding BitLocker encryption and how it's built into every Windows Phone. The problem, he argues, is that Microsoft is avoiding the issue. He pointed out that his iPhone offered "on-the-fly device and file encryption as soon as one creates a screen lock password." This is also confirmed by Apple in its documentation (see pages 8-13).

Wondering if there's perhaps some undocumented workaround or if this will be addressed at a later date, I shared the reader's criticism with Microsoft. A company spokeswoman said the behavior observed by the customer is consistent with the design of Windows Phone 8/8.1. "Device encryption can only be invoked on devices using remotely provisioned management policy (via EAS or a MDM)," she confirmed.

To protect personal information on a Windows Phone, Microsoft said users should set up a numeric PIN code. If the phone is lost or stolen and a malicious user attempts to brute-force their way into the device, the device will automatically be wiped. To prevent attacks on Windows Phone storage, Microsoft said it offers a few different protections. First, when the phone is attached to a PC over USB, access to the data is gated on successful entry of the user's PIN. Second, Microsoft said an offline attack on physically removable storage is addressed by fixing the storage media to the device itself. Finally, users can register their Windows Phone devices, which enables them to locate, ring, lock or even erase the device when it is lost or stolen, Microsoft said.

Nevertheless, Microsoft is apparently taking this reader's suggestion to heart. "We will consider providing a means to enable device encryption on unmanaged devices for a future release of Windows Phone," the spokeswoman said. "In the meantime there are a series of effective security mechanisms in to protect your data."

Is this a showstopper for you?


Posted by Jeffrey Schwartz on 05/09/2014 at 12:11 PM
