The following sections explain concepts that can help you better manage the encryption keys for your Management Zone.
A Management Zone can have one or more encryption keys. At any one time, however, there is only one active key. The active key is used to encrypt new removable data drives. The non-active keys are retained in order to decrypt removable drives that were encrypted when the non-active keys were the active keys.
For example, assume that Key1 is the active key. All Endpoint Security Agents use Key1 to encrypt removable data drives. You then generate a new key, Key2, which automatically becomes the active key. After Key2 is distributed to devices (during an agent refresh), the Endpoint Security Agent uses it to encrypt new removable data drives. The agent uses Key1 to open any removable drives encrypted with that key.
Encryption keys are specific to Management Zones. This means that a removable data drive encrypted in one zone with the No unlock password setting enabled in the Microsoft Data Encryption policy cannot be opened on a device registered in another zone because the two zones do not automatically share keys.
If you have multiple zones and want to enable devices in all zones to open encrypted removable drives regardless of the zone in which they were encrypted or the settings configured in the Microsoft Data Encryption policy, you can manually share encryption keys by exporting them from one zone and importing them into another. For instructions, see Exporting Encryption Keys and Importing Encryption Keys.
If your organization’s policies include a requirement for regularly changing encryption keys, you can generate and activate a new key. After doing so, force an agent refresh to immediately distribute the new key to devices. Note that this key will only be used to encrypt new removable data drives on those devices. Removable drives encrypted using an older key will continue to unlock using the older key. For instructions, see Generating a New Encryption Key.