Top 10 Win10 Features #6: Enterprise Data Protection

It isn’t obvious to everyone until someone points it out, and then it’s a revelation: If Windows truly does become all one platform next week as planned, then there is no more “mobile data management.”

Any management tool that protects and secures data on mobile Windows devices, and any tool that does the same for desktop Windows devices, must be the same tool.

It’s not any revelation to Microsoft ... today. It was unwelcome news for the company in 2010, just after the company rudely hinted at the Consumer Electronics Show of its intention to bridge the two platforms. A very shrewd reporter pursued the point that, if Windows and Windows Phone were becoming the same, device management policies would have to become the same.

At the time, Microsoft didn’t have an answer. Five years later, it’s here.

Mobile Device Management, Just Not for Devices

The concept goes by different names depending upon whom you ask, so we’ve settled on one: Enterprise Data Protection (EDP). The basic idea is this: Mobile platforms are never all one piece. They are segments of partly connected networks, but mobile devices float between these segments.

“Your devices today are a cache for the cloud,” said Microsoft Senior Security Program Manager Yogesh Mehta, during the company’s Ignite conference in Chicago last May. “Even on or off the device, this data is going to move around.”

It’s less possible now than it was five years ago for an MDM system to completely bridge the gaps, especially when employees travel by air with variable or no Wi-Fi, especially when people share data on cloud-based file sharing services like Dropbox and Box, and especially when it’s impossible to imagine any organization whose entire employee base uses a single brand of phone and the same brand of tablet.

Microsoft needed a data management policy that travels with shared documents — that enforces organizations’ access control when these documents traverse these zones of inaccessibility. Enterprise Data Protection seeks to accomplish this with a kind of encryption wrapper that both encodes the document and embeds the policy.

This encryption extends to the older FAT file system now, which is very important because it means it follows the file as it’s copied to removable drives, especially USB thumb drives.

Windows’ existing encryption scheme, BitLocker, encrypts volumes as a whole rather than the files inside them individually. An authorized user copying a file from a BitLocker-encrypted volume to a flash drive would produce an unencrypted file. But a file on any volume whatsoever that’s encrypted at the file level carries its encryption with it as it’s copied.
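To make that distinction concrete, here is an added PowerShell check (not from the article or from Microsoft) that reports, for a given file, whether its volume is BitLocker-protected and whether the file itself carries the EFS Encrypted attribute that EDP’s file-level encryption relies on. It assumes a Windows host with the BitLocker PowerShell module available and a caller-supplied path.

```powershell
# Added example, not part of the original article. Assumes Windows with the
# BitLocker module (Get-BitLockerVolume) and a path supplied by the caller.
function Test-FileProtectionPortability {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    # EFS (the file-level encryption EDP builds on) sets the Encrypted
    # attribute on the file itself, so it travels with the file when copied.
    $fileEncrypted = ($item.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0

    # BitLocker status belongs to the volume, not to any file on it.
    $root = [IO.Path]::GetPathRoot($item.FullName).TrimEnd('\')
    $vol = Get-BitLockerVolume -MountPoint $root -ErrorAction SilentlyContinue
    $volumeEncrypted = ($null -ne $vol) -and ($vol.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        Path            = $item.FullName
        VolumeBitLocker = [bool]$volumeEncrypted
        FileLevelEFS    = $fileEncrypted
        # A copy onto an unencrypted removable drive keeps its protection
        # only when the file itself is encrypted; volume encryption is left behind.
        ProtectionSurvivesCopy = $fileEncrypted
    }
}

# Usage with a constructed path; substitute a real document on the host.
Test-FileProtectionPortability -Path 'C:\Users\me\Documents\plan.docx'
```

A result of VolumeBitLocker = True and FileLevelEFS = False is exactly the case the paragraph above warns about: the file is protected at rest but not once it is copied off the volume.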

“One of the things we noticed,” said Mehta, “is that a lot of the leaks that happen, happen accidentally, because users are just using applications that often have no business interacting with that data.

“So what we introduced with Windows 10 is an integration of AppLocker... and EFS file-level encryption, in a unique manner. We have now given you the ability to say which applications can be trusted with enterprise data, and only those applications will have the ability to open your enterprise files.”


Even old applications rely on Windows for the basic resources of opening and saving files. For most of them, the Open and Save dialog boxes come from Windows, not from within themselves. Microsoft retrofitted these resources so that they enforce EDP policies on behalf of applications that would have no idea that a tablet wasn’t an ancient scroll uncovered by an archeologist.

Under EDP, when someone within an organization produces a document which company policy prevents from being opened (“No, you cannot Photoshop this image”), then that restriction follows the document even as it is replicated (assuming that is allowed), moved, and relocated on flash drives and Dropbox.

Mehta points out that this resolves the old problem of separating enterprise resources from personal resources, not by dividing the machine up but by distributing the resources. People should be allowed to use their own devices in their own way.

Which means, by extension, that companies should not be telling users how they can set up their own devices. Windows moves the focus of enterprise protection from the file system to the file.

And if you’re thinking, “But can’t I just copy and paste the data from a protected document I can open, into a new one that I’ve created?” Believe it or not, no. Just as Windows provides Open and Save dialog resources, it also provides cut, copy, and paste, including through an old technology we may have all forgotten about called Object Linking and Embedding.

EDP actually prevents users from copying and pasting data from protected documents — it extends to the system Clipboard level.

So when it comes time for a company to wipe its intellectual property from former employees’ systems, it no longer has to perform a wipe of the device. It can perform a kind of wipe that operates at the file level, passively.

I mean “passively” in this sense: If permission to use a file is revoked, then even a device that’s disconnected from the network can no longer open it, even if the file technically is still stored on the system. Once the device is connected, then it may be able to purge those files.

But even if the device is never connected to the company network again, then at least until the users delete the files themselves, their presence on their devices is pointless.

How No Difference Makes a Difference

Up to now, the move towards bridging the divide between mobile and desktop devices has not yielded big benefits for Microsoft, or for anyone else — certainly not with Windows 8. Users want to use mobile devices differently from PCs, so similarity of appearance here and there doesn’t necessarily appeal to them.

Here, at last, is one big reason to go forth with bridging the gap: enabling a uniform maintenance system that works essentially the same way, across all Windows devices — at least, all of them that upgrade. Whether Windows Phone users will have as easy a time upgrading to Windows 10 as Windows 8 users — to borrow a phrase from lazier journalists — remains to be seen.

But what we do see now, quite clearly, is that someone at Microsoft — someone in a capacity that listens to what enterprise users truly need — actually gets it.

