Reference Guide

Manage Policies
174
SDE. This allows the SDE Key to be used to encrypt data that would not otherwise be possible with the
Common or User Keys due to time-based availability of the keys.
Due to the difference in how the SDE Key can be used, there are several caveats to be aware of when
considering use of this feature.
The built-in exclusions covered in protected directories do not apply to SDE. By design, SDE excludes
portions of the operating system that are necessary for booting and updating.
If a file is targeted for encryption by any key other than SDE in addition to SDE, then SDE will not
encrypt the file.
All encryption rules apply when writing SDE policies.
Policies for SDE Encryption
The following is the default SDE policy. Any changes to this policy should be considered carefully.
The following directories have Category 1 exclusions (including subfolders unless specified):
%SystemRoot%\system32\ntoskrnl.exe
%SystemRoot%\system32\ntkrnlpa.exe
%SystemRoot%\system32\ntkrnlmp.exe
%SystemRoot%\system32\hal.dll
%SystemRoot%\system32\halacpi.dll
%SystemRoot%\system32\halmacpi.dll
%SystemRoot%\system32\winload.exe
%SystemRoot%\system32\kdcom.dll
%SystemRoot%\system32\kd.dll
%SystemRoot%\system32\kdnet.dll
%SystemRoot%\system32\kd1394.dll
%SystemRoot%\system32\kdusb.dll
%SystemRoot%\system32\kdstub.dll
%SystemRoot%\system32\mcupdate_AuthenticAMD.dll
%SystemRoot%\WinSxS\*\mcupdate_AuthenticAMD.dll
%SystemRoot%\WinSxS\*\mcupdate_GenuineIntel.dll
%SystemRoot%\system32\mcupdate_GenuineIntel.dll
%SystemRoot%\system32\winload.exe
%SystemRoot%\system32\PSHED.dll
%SystemRoot%\system32\BOOTVID.dll
%SystemRoot%\system32\CLFS.SYS
%SystemRoot%\system32\CI.dll
%SystemRoot%\system32\sethc.exe
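To make the caveats above concrete, here is an added example (not code from the guide or from the product) that evaluates a file path against a small rule set: a file targeted by any key other than SDE is not encrypted by SDE, and a file that only SDE targets is still skipped when it is on the Category 1 exclusion list. The %SystemRoot% expansion, the Rule shape, the component-wise wildcard semantics and the "first matching non-SDE rule wins" precedence are assumptions; the exclusion entries are a constructed subset of the list above.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional

# Assumed expansion of %SystemRoot%; a real agent reads it from the environment.
SYSTEM_ROOT = "C:\\Windows"

# Constructed subset of the Category 1 exclusions listed on the page (not the full default policy).
CATEGORY1_EXCLUSIONS = [
    "%SystemRoot%\\system32\\ntoskrnl.exe",
    "%SystemRoot%\\system32\\hal.dll",
    "%SystemRoot%\\system32\\winload.exe",
    "%SystemRoot%\\WinSxS\\*\\mcupdate_GenuineIntel.dll",
]

@dataclass(frozen=True)
class Rule:
    key: str      # "SDE", "Common" or "User"
    pattern: str  # a file pattern, or a directory pattern ending in "\" that covers its subfolders

def _components(p: str) -> List[str]:
    # Expand %SystemRoot% and split into lower-cased components (Windows paths are case-insensitive).
    return p.replace("%SystemRoot%", SYSTEM_ROOT).lower().split("\\")

def path_matches(path: str, pattern: str) -> bool:
    """Component-wise glob: '*' matches exactly one path component; a trailing '\\' covers subfolders."""
    parts, pat = _components(path), _components(pattern)
    subtree = pat[-1] == ""                 # directory pattern (assumed convention for this example)
    pat = pat[:-1] if subtree else pat
    depth_ok = len(parts) > len(pat) if subtree else len(parts) == len(pat)
    return depth_ok and all(fnmatch.fnmatchcase(a, b) for a, b in zip(parts, pat))

def resolve_key(path: str, rules: List[Rule]) -> Optional[str]:
    """Key that encrypts `path` under the page's SDE caveats, or None if nothing encrypts it."""
    hits = [r for r in rules if path_matches(path, r.pattern)]
    others = [r.key for r in hits if r.key != "SDE"]
    if others:
        # Caveat: a file targeted by any key other than SDE is never encrypted by SDE.
        # Assumption: the first matching non-SDE rule wins; Common/User precedence is not on the page.
        return others[0]
    if any(r.key == "SDE" for r in hits):
        # Caveat: SDE ignores the protected-directory built-ins and applies its own Category 1 list.
        if any(path_matches(path, e) for e in CATEGORY1_EXCLUSIONS):
            return None
        return "SDE"
    return None
```

Run resolve_key on a handful of paths from your own policy to see which files fall through to "none" because of overlap with Common or User rules versus the Category 1 list.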