How Microsoft Protects Corporate Data on Employee Devices

A system that lets companies remotely lock or delete specific work data on a phone or computer without wiping the user's personal files.

What it covers

This patent describes a software gatekeeper on a device that manages corporate data security. It provides an API, or a set of rules, that apps use to ask the system to encrypt specific files using a corporate key. If an employee leaves a company or loses their device, the company sends a signal to the device. The system then deletes the specific decryption key for that organization, effectively turning the work files into unreadable digital noise while leaving personal photos and apps untouched.

What it doesn't cover

• —Does not cover full-device remote wipes that erase all personal and system data.
• —Does not cover encryption methods that rely on user-entered passwords rather than managed keys.
• —Does not cover cloud-based storage security that does not involve local device-level key management.
• —Does not cover hardware-level security like Trusted Platform Modules (TPM) that exist independently of the OS API.

The clever bit

By managing security at the file and key level rather than the device level, the system enables selective 'corporate amnesia' where only work-related data is destroyed upon command.

Why it matters

This technology is a cornerstone of Bring Your Own Device (BYOD) policies. It allows businesses to enforce security compliance on personal smartphones without infringing on employee privacy, which is essential for modern enterprise mobility management.

Real-world examples

• 1.Microsoft Intune
• 2.Windows Information Protection
• 3.Enterprise Mobile Management (EMM) suites