Windows 8 Pro Bitlocker & ActiveSync

Hello,

I am trialling a Dell Latitude 10 tablet with Windows 8 Professional installed. One thing I have done is connect the Windows Mail application to my corporate Exchange 2010 server via ActiveSync.

Everything in the ActiveSync policy appears to be enforced automatically on the Windows 8 machine EXCEPT the "Require encryption on device" option - this is a critical security setting which must be automatically applied to any device connecting via ActiveSync.

Does anyone have any idea why a Windows 8 tablet will not automatically encrypt itself via ActiveSync? Is there a setting somewhere else I am missing?

Regards,

Matt.

January 15th, 2013 3:13pm

Because turning on BitLocker is a big change to the system so it won't turn itself on automatically. For example, turning on BitLocker means you can't remotely restart a machine and have it boot up so you can remotely connect to it again - it would get stuck waiting for a BitLocker password if you set it for that.

January 15th, 2013 3:43pm

Thank you for the response. I guess that rules out Windows 8 devices for mobile devices then!

Way to shoot yourself in the foot Microsoft - iPads it is...

January 16th, 2013 10:29am

Wait, so because this one simple step has to be done manually, it's a shot in the foot? How so?
January 16th, 2013 11:54am

In our scenario these users are offsite with no IT admin. The beauty of using something like an iPad is that as soon as they connect to ActiveSync the "Encrypt Device" setting is automatically enforced, protecting corporate data before it is placed on the device - this also allows non-IT people to provision devices without IT intervention.


In the Windows 8 scenario, as a non-IT person, I can configure the Mail app to speak with ActiveSync and quite happily download corporate data without any encryption on the device, leading to potential data leakage. Even if the OS does not force-enable BitLocker, it should at least say "sorry, this device is not encrypted, you are not compliant with the ActiveSync policies, so you're getting no corporate data on it".


If that isn't a shot in the foot, I don't know what is.

January 16th, 2013 12:05pm

Oh, I get it now.

I wonder if, like segregating the communications apps from the rest of the system in events like an EAS remote wipe, only the communications apps get encrypted. BitLocker is a very different beast that can't just be turned on automatically.

Can someone else confirm if it's just the communications apps that get encrypted in this scenario?

January 16th, 2013 1:42pm

There are a number of native options in the Windows 8/RT eco-system.

You can use a Windows RT device, which always has device encryption turned on when you first log in with a Microsoft Account that has administrator privileges. Alternatively you can look at Windows To Go (a.k.a. Windows 8 on a USB stick), which also forces BitLocker and can be plugged into almost anything capable of running Windows 7/8.

Also you can force BitLocker by group policy (requires connection to an Active Directory domain), System Center Configuration Manager - SCCM (requires infrastructure), or Intune (cloud-based service that does not require any infrastructure).

BitLocker is designed to be a managed, not an individual, technology, which is why it is only in the higher-level Windows editions and not the standard edition.

Another option is to implement a VPN with an end-point analysis client like DirectAccess or another 3rd party. Thus no BitLocker, no access to the network.

January 16th, 2013 10:16pm

Is there a bigger issue here though? Does BitLocker actually meet the requirements for the "Require encryption on device" ActiveSync setting?

We have a few Windows 8 Lenovo ThinkPad 2 tablets. Not as popular as iPads, but we are trying to encourage their use. We set up BitLocker before deploying them to users. However, when moving users to our mobile device Exchange ActiveSync policy which has "Require encryption on device" enabled, Exchange email/calendar/contacts are no longer available on these devices. Moving them back to the less restrictive policy resolves this.

March 6th, 2015 11:51am
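The last two posts raise two separate questions: whether a device is actually BitLocker-protected, and which Exchange ActiveSync policy (with which encryption flag) a mailbox is under when mail stops syncing. The following PowerShell is an added example, not code from the thread or from Microsoft; the client-side part assumes the BitLocker PowerShell module that ships with Windows 8 / Server 2012, the server-side part assumes an Exchange 2010 Management Shell, and the mailbox name is a placeholder.

```powershell
# Added example (not from the thread): a defender-side verification of the two
# things the posters are arguing about.
#  1. Is the OS drive genuinely protected by BitLocker (not just "encrypted but
#     protection suspended", which still counts as unprotected)?
#  2. Which EAS policy applies to the mailbox, and does it really set
#     RequireDeviceEncryption?
# Assumptions: BitLocker module on the client (Windows 8 Pro or later), Exchange
# 2010 Management Shell on the server. 'matt.example' is a placeholder mailbox.

function Test-OsDriveBitLockerProtection {
    # Client side: run from an elevated PowerShell on the tablet itself.
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # A volume can be FullyEncrypted while ProtectionStatus is Off (protectors
    # suspended); only the combination On + FullyEncrypted is worth calling compliant.
    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus        # FullyEncrypted / FullyDecrypted / EncryptionInProgress ...
        ProtectionStatus     = $vol.ProtectionStatus    # On = key protectors active, Off = data readable without them
        EncryptionPercentage = $vol.EncryptionPercentage
        KeyProtectors        = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        Compliant            = ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
    }
}

# Client-side check
Test-OsDriveBitLockerProtection | Format-List

# Server side (Exchange Management Shell): find the policy the mailbox is actually
# assigned to, then read the encryption flag off that policy rather than assuming.
$mailbox = 'matt.example'   # placeholder
$cas     = Get-CASMailbox -Identity $mailbox
$policy  = Get-ActiveSyncMailboxPolicy -Identity $cas.ActiveSyncMailboxPolicy
$policy | Select-Object Name, RequireDeviceEncryption, DevicePasswordEnabled

# What the device last reported to Exchange; compare DeviceOS and LastSuccessSync
# before and after a policy change to see whether the device is being refused.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceType, DeviceModel, DeviceOS, LastSuccessSync, Status
```

Run the first part on the tablet and the second on the Exchange server; together they tell you whether the device is protected in fact and whether the policy the mailbox is under is the one you think it is, which is the minimum evidence needed before deciding that a Windows 8 client and the "Require encryption on device" flag are incompatible.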

