Reference Guide
Manage Policies
100
Mac example
Enter the string in this format:
• A variable in $VALUE format followed by the folder path, for example, $HOME/Documents or $HOME/Hidden
Note: For Force-protected mode, a sweep occurs in the /Users folder.
Inform users of the impact on usability
If you define a unique folder name in the Folder Exclusions for Basic File Protection policy so that users
can store files of a specific type that should not be encrypted, the policy does not create that folder on
the client computers. You must inform users of the folder name and the need to create it.
Users can create subfolders with any name. The content of subfolders is also excluded.
Note: If that folder already has files that are encrypted with Basic File Protection, those files are not
decrypted.
Unsupported applications and file types
• Do not add these Office and PDF file extensions to the Basic File Protection Configuration policy: .docx,
.pptx, .xlsx, .docm, .pptm, .xlsm, .pdf. Basic File Protection does not scan these during a sweep.
• PhotosApp.exe (Windows 8.1)
Remove a file type
If you modify the Folder Exclusions for Basic File Protection policy to remove a file type, files of that type
that are encrypted on the client computer are decrypted.
However, if the computer has more than one user, only the current logged-in user has files decrypted. If
the logged in user logs out and a second user logs in, the sweep starts again but decrypts only the files
of the second logged-in user.
Use the Recovery Tool
For more information, see the Recovery Tool document > Data Guardian.
Plan for factors in configuration
You can modify Data Guardian to encrypt additional file types. However, to ensure protection, be aware
of the following factors.
Each factor below lists the file extension type or environment, the issue, and the options or solution.

File extension type or environment: Cloud Encryption enabled (Windows 2.7 and earlier); Windows 8.1 - 10
and higher; Universal Windows Platform (UWP) application added to the Basic File Protection Configuration
policy. (See below for steps to add a UWP application.)
Issue: In the Basic File Protection Configuration policy, if you add any UWP application and the processes
that support the app, all UWP applications are enabled to read these encrypted file types. Edge is a UWP
application. File extensions added to the policy, such as .txt or .png, are encrypted. However, if users
use Edge to upload these encrypted files to a cloud storage provider, the file is decrypted.
Options or Solution: Options to avoid Edge decrypting files on upload:
• Do not add UWP apps to the configuration field.
or
• If you add a UWP application, block Edge through GPO or ensure that it is not installed on computers.
• Consider which UWP applications you want to grant access to encrypted file types. However, test all UWP
applications before deploying Basic File Protection to the enterprise to ensure that the intended file
types remain encrypted.

File extension type or environment: .bmp. These applications are supported and can open a .bmp file:
Issue: .bmp files require additional configuration in the Basic File Protection Configuration policy.
Options or Solution: Here is an example:
microsoft.photos.exe:bmp
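The following pre-deployment lint applies the constraints from this page (the Office and PDF extensions that are never swept, the unsupported PhotosApp.exe process, the all-UWP-apps/Edge exposure, and the per-user decryption that follows when a file type is removed) to a proposed policy before it is pushed to clients. It is an added example, not Dell's own code or a Data Guardian API. It assumes one "process.exe:ext" entry per line in the shape of the microsoft.photos.exe:bmp example, comma-separated extensions for a single process, and a constructed KNOWN_UWP_PROCESSES set; the Edge executable names in that set are assumptions, and the sample policies are constructed.

```python
"""Pre-deployment lint for a Basic File Protection Configuration policy.

Added example, not Dell's code. Assumptions (not from the guide):
  - policy entries are one per line in the "process.exe:ext" shape the
    guide shows (microsoft.photos.exe:bmp), with several extensions for
    one process separated by commas;
  - KNOWN_UWP_PROCESSES is a constructed list an administrator maintains.
"""

# Extensions the guide says Basic File Protection does not scan in a sweep.
UNSUPPORTED_EXTENSIONS = frozenset(
    {"docx", "pptx", "xlsx", "docm", "pptm", "xlsm", "pdf"}
)

# Process the guide lists as unsupported (Windows 8.1).
UNSUPPORTED_PROCESSES = frozenset({"photosapp.exe"})

# Assumed: process names of UWP apps. The guide states only that Edge is
# a UWP app; the executable names below are this example's own assumption.
KNOWN_UWP_PROCESSES = frozenset(
    {"microsoftedge.exe", "microsoftedgecp.exe", "microsoft.photos.exe"}
)


def parse_policy(text: str) -> dict[str, set[str]]:
    """Parse 'process.exe:ext1,ext2' lines into {process: {ext, ...}}.

    Names are lower-cased and leading dots stripped so that 'BMP' and
    '.bmp' compare equal. Blank lines and '#' comments are ignored.
    """
    policy: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed entry, expected process:ext: {line!r}")
        proc, _, exts = line.partition(":")
        proc = proc.strip().lower()
        ext_set = {e.strip().lstrip(".").lower() for e in exts.split(",")}
        ext_set.discard("")
        if not proc or not ext_set:
            raise ValueError(f"entry needs a process and an extension: {line!r}")
        policy.setdefault(proc, set()).update(ext_set)
    return policy


def all_extensions(policy: dict[str, set[str]]) -> set[str]:
    """Union of every extension named anywhere in the policy."""
    return set().union(*policy.values()) if policy else set()


def lint_policy(new_text: str, old_text: str = "") -> list[str]:
    """Return findings for a proposed policy, compared against the deployed one."""
    new, old = parse_policy(new_text), parse_policy(old_text)
    new_exts, old_exts = all_extensions(new), all_extensions(old)
    findings: list[str] = []

    # Office/PDF types are never swept, so listing them gives no protection.
    for ext in sorted(new_exts & UNSUPPORTED_EXTENSIONS):
        findings.append(f"ERROR: .{ext} is not scanned during a sweep; remove it")

    for proc in sorted(set(new) & UNSUPPORTED_PROCESSES):
        findings.append(f"ERROR: {proc} is listed as unsupported")

    # One UWP entry opens the encrypted types to every UWP app, and Edge
    # decrypts them on upload to a cloud storage provider.
    uwp = sorted(set(new) & KNOWN_UWP_PROCESSES)
    if uwp:
        findings.append(
            "WARNING: UWP process(es) {} in policy: all UWP apps, including Edge, "
            "can read {}; block Edge via GPO or drop the UWP entries".format(
                ", ".join(uwp), ", ".join("." + e for e in sorted(new_exts))
            )
        )

    # Removing a type decrypts existing files, one logged-in user per sweep.
    for ext in sorted(old_exts - new_exts):
        findings.append(
            f"WARNING: .{ext} removed: existing .{ext} files will be decrypted "
            "for each user at their next sweep"
        )
    return findings


# Constructed sample policies (not from the guide).
DEPLOYED_POLICY = """
microsoft.photos.exe:bmp
notepad.exe:txt,log
"""

PROPOSED_POLICY = """
# bmp entry kept, .log dropped, Word added
microsoft.photos.exe:bmp
notepad.exe:txt
winword.exe:docx
"""

if __name__ == "__main__":
    for finding in lint_policy(PROPOSED_POLICY, DEPLOYED_POLICY):
        print(finding)
```

Run it against the proposed and currently deployed policy text before changing the policy on the server: an ERROR means the entry gives no protection at all, and the removal WARNING is the reminder that the decrypt sweep happens per logged-in user, so a multi-user machine stays in a mixed state until every user has signed in.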