Microsoft Responds to Reader Demands for Automatic Windows Phone Encryption

Now that Nokia's handset business is part of Microsoft, it'll be interesting to see what compelling features come from the new devices and services group besides Cortana, the recently introduced voice-activated personal assistant. One improvement Microsoft might want to put on the fast track is its approach to encryption with Windows Phone.

The suggestion comes from a reader, who responded to my post a few weeks ago about Microsoft's then-pending, and now completed, acquisition of the Nokia handset business.

The reader had recently switched from an iPhone to a Nokia Lumia 521, which he described as a "very capable utility smartphone." However, he quickly discovered that, unlike on an iPhone, Windows Phone 8.1 BitLocker encryption is not automatically enabled on an unmanaged device when a screen-lock passcode is created.

According to a Microsoft Channel 9 video (about 10 minutes in), Windows Phone 8 devices aren't encrypted at all until Exchange ActiveSync (EAS) is activated. The reader asked how to turn on the built-in BitLocker encryption on any WP8 handset without using EAS or mobile device management (MDM), and how to create alphanumeric passcodes of arbitrary length on any WP8 handset without using EAS or MDM. In short, he can't -- at least not now.

That was something he concluded after seeing the Channel 9 video and reading the Microsoft documentation regarding the BitLocker encryption and how it's built into every Windows Phone. The problem, he argues, is that Microsoft is avoiding the issue. He pointed out that his iPhone offered "on-the-fly device and file encryption as soon as one creates a screen lock password." This is also confirmed by Apple in its documentation (see pages 8-13).

Wondering whether there is some undocumented workaround, or whether this will be addressed at a later date, I shared the reader's criticism with Microsoft. A company spokeswoman said the behavior the customer observed is consistent with the design of Windows Phone 8/8.1. "Device encryption can only be invoked on devices using remotely provisioned management policy (via EAS or a MDM)," she confirmed.

To protect personal information on a Windows Phone, Microsoft said users should set up a numeric PIN code. If the phone is lost or stolen and a malicious user attempts to brute-force their way into the device, the device will automatically be wiped. To prevent attacks on Windows Phone storage, Microsoft said it offers a few different protections. First, when the phone is attached to a PC over USB, access to the data is gated on successful entry of the user's PIN. Second, Microsoft said an offline attack on physically removable storage is addressed by fixing the storage media to the device itself. Finally, users can register their Windows Phone devices, which enables them to locate, ring, lock or even erase the device when the phone is lost or stolen, Microsoft said.

Nevertheless, Microsoft is apparently taking this reader's suggestion to heart. "We will consider providing a means to enable device encryption on unmanaged devices for a future release of Windows Phone," the spokeswoman said. "In the meantime there are a series of effective security mechanisms in to protect your data."

Is this a showstopper for you?