This article describes device wipe and device lock behavior for various operating system versions and devices.
Device wipe (also known as "remote wipe") is an Exchange ActiveSync (EAS) directive in which a user or administrator triggers a wipe of a device. Specifically, a user goes to Outlook Web App and then triggers the device wipe behavior, or a Microsoft Exchange administrator invokes device wipe.
Device lock behavior is triggered when the bad-password count exceeds the MaxDevicePasswordFailedAttempts threshold. Device lock behavior in response to failed sign-in attempts differs, depending on operating system versions, device type, and whether the device is protected by BitLocker.
Device lock behavior includes the following:
- A full wipe of the device and a return to default settings
- The targeted deletion of application-specific data, such as the inbox, contacts, and calendar items for a mail application
- Halting applications and logon sessions and invoking operating system restarts to stop in-memory attacks and network sessions
- Putting the device in BitLocker recovery mode
The EAS protocol does not dictate a device wipe or a dataset delete when the MaxDevicePasswordFailedAttempts threshold is reached. Because Windows-based computers are frequently a user’s primary device on which single instances of photos, documents, and other data exist, device wipe is an unfriendly option. This is especially true because device wipe is usually invoked when friends or family type an incorrect log-in. The situation in Windows is made even more complex by the multiple-user support that we offer. This contrasts with smartphones.
There is no security boundary on Windows-based computers that are not encrypted, although they will restart and close all active sessions if the threshold is reached.
Windows 8 and Windows 8 RT address the security and usability of the MaxDevicePasswordFailedAttempts compliance action through the BitLocker feature set and the consequent locking of the device.
For encrypted computers, device encryption is enabled automatically when the first Microsoft account log-in that is a member of the local Administrators security group is used in the out-of-box experience (OOBE). This should include most Windows RT-based devices.
Exceeding the MaxDevicePasswordFailedAttempts threshold on BitLocker-protected Windows RT-based devices and Windows 8 business SKUs will result in the closing of all active logon sessions, a restart of the computer, and the requirement that the BitLocker (or Device Encryption) recovery key be provided to unlock the volume.
It is our stance that BitLocker or Device Encryption protection is equal to or greater than the protection that is offered by wipe behavior on other devices, because Windows protects the integrity of all bits on the drive, and because tools such as restore and deeper storage analysis cannot recover anything off the volume other than encrypted bits.
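Because the lock behavior described above is only a security boundary when the operating system volume is BitLocker-protected, and because the user then needs the recovery key to get back in, an administrator will want to know which outcome a given computer would see. The following PowerShell check is an added example, not code from this article; it assumes the BitLocker PowerShell module (Windows 8 and later) and an elevated session, and the function name Get-EasLockoutPosture is a hypothetical one chosen here.

```powershell
# Added example: for each BitLocker volume, report whether exceeding the EAS
# MaxDevicePasswordFailedAttempts threshold would put this computer into
# BitLocker recovery (recovery key required) or would only restart it.
# Assumes the BitLocker module (Windows 8 and later) and an elevated session.

function Get-EasLockoutPosture {
    [CmdletBinding()]
    param()

    $osDrive = $env:SystemDrive   # e.g. "C:"; lockout behavior hinges on the OS volume
    foreach ($vol in Get-BitLockerVolume) {
        $isOs      = ($vol.MountPoint -eq $osDrive)
        $protected = ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
        # The numerical recovery password is what must be typed after the lockout restart,
        # so its absence (or a missing escrow copy) would strand the device.
        $recovery  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

        $posture = if (-not $isOs) { 'n/a (data volume)' }
                   elseif ($protected -and $recovery) { 'Lockout enters BitLocker recovery; verify the key is escrowed' }
                   elseif ($protected) { 'Protected, but no recovery password protector: add one before relying on lockout' }
                   else { 'No security boundary: lockout only closes sessions and restarts' }

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeStatus      = $vol.VolumeStatus
            ProtectionStatus  = $vol.ProtectionStatus
            RecoveryProtector = [bool]$recovery
            Posture           = $posture
        }
    }
}

Get-EasLockoutPosture | Format-Table -AutoSize
```

Run it before rolling out a low MaxDevicePasswordFailedAttempts value so that unencrypted computers are identified and recovery passwords for encrypted ones are backed up where help desk staff can retrieve them.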
For users and administrators who want device wipe, that option remains available for standard users through the Outlook Web App (OWA) interface and in Exchange for those who have administrative permissions.