USB install media and ‘Windows Information Protection’

[German] There is an interesting article from Microsoft for administrators who frequently create USB installation media in environments where Windows Information Protection (WIP) is enforced. In such environments WIP can intervene and prevent the USB installation media from booting or the setup from running.


Windows Information Protection (WIP)

Windows Information Protection (WIP) is a feature available since Windows 10 V1607. WIP addresses the problem that the use of employees' private devices in organizations increases the risk of accidental data loss through apps and services that are not under corporate control, such as email, social media, and the public cloud. Such data loss occurs when, for example, an employee sends the latest technical drawings to his personal email account, copies and pastes product information into a tweet, or stores an up-to-date sales report in his public cloud storage.

Windows Information Protection (WIP) helps protect against these potential data leaks without impacting employees. Documents are encrypted before they are stored. WIP also protects corporate apps and data against accidental data loss, both on corporate devices and on personal devices that employees bring to work. All of this is managed via Microsoft Intune or System Center Configuration Manager (SCCM) and enforced via policies. Microsoft has published further notes here and here, for example.

USB media and WIP

Administrators who frequently create Windows installation images on USB media may encounter problems in environments that use Windows Information Protection (WIP). Microsoft employee Michael Niehaus points this out in an article and the following tweet.

When such a USB flash drive is created on a Windows 10 device with WIP policies, the stored files are automatically encrypted based on their file type. This can cause USB media with installation images to stop working: they either won't boot or won't be able to run the setup. Strange errors appear, such as an "access denied" message.


Once files on the USB media are encrypted, they can no longer be used on another computer or in Windows PE. Disabling WIP encryption for the media in question is usually frowned upon for security reasons.

Assign file ownership ‘Personal’

However, the user can change the files on the USB device to the status 'Personal', which decrypts them. To do this, select the files in File Explorer, right-click them, and choose "File ownership" > "Personal" from the context menu (see screenshot).

File ownership: Personal (screenshot)
(Source: Microsoft)

Decrypt installation media

Unfortunately, there is no easy way to do this for many subfolders in File Explorer. The solution is the command line tool cipher.exe, which is included in all Windows versions and can decrypt files. The following command, for example, decrypts all files on the USB medium with the logical drive letter D:

cipher.exe /d /s:D:\ *.*

After running the command, the files are unencrypted and marked as personal.
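To check that the decryption actually took effect before the medium is used elsewhere, the following PowerShell script (an added example, not from the original post or from Microsoft) lists files carrying the EFS "Encrypted" attribute on the drive, runs the cipher.exe command from above, and reports anything still encrypted afterwards. It assumes the USB medium is mounted as D: and that it runs on the same WIP-managed machine that created the media.

```powershell
# Added example (not from the original post): find WIP/EFS-encrypted files on
# USB install media, decrypt them with cipher.exe, and verify the result.
# Assumption: the USB medium is D: and this runs on the machine that created it.
param(
    [string]$Drive = 'D:\'   # assumed drive letter of the USB install medium
)

function Get-EncryptedFiles {
    param([string]$Root)
    # The "Encrypted" attribute is what makes these files unusable in Windows PE
    # and on other computers.
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 }
}

$before = @(Get-EncryptedFiles -Root $Drive)
Write-Host ("Encrypted files before decryption: {0}" -f $before.Count)
$before | Select-Object -First 10 | ForEach-Object { Write-Host "  $($_.FullName)" }

if ($before.Count -eq 0) {
    Write-Host "Nothing to decrypt."
    return
}

# Same command as in the post: /d decrypts, /s: recurses into all subdirectories.
& cipher.exe /d /s:$Drive '*.*' | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "cipher.exe returned exit code $LASTEXITCODE"
}

# Verify: any file that still carries the attribute will break boot or setup later.
$after = @(Get-EncryptedFiles -Root $Drive)
if ($after.Count -eq 0) {
    Write-Host "All files decrypted; the medium can be used on other machines and in Windows PE."
} else {
    Write-Warning ("{0} file(s) are still encrypted:" -f $after.Count)
    $after | ForEach-Object { Write-Warning "  $($_.FullName)" }
}
```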
