Click on the Windows icon

NOTE - Do NOT select Windows Rugged icon.

Click on the Windows Desktop icon

1. Click the Rules dropdown and select Encryption
2. Ensure is not encrypted is selected
3. Click Next

1. Select Profile from the Actions dropdown
2. Ensure Block/Remove All Profiles is selected
3. Click Next

This Action will remove all profiles from the device immediately upon becoming non-compliant.  However, it will leave the device enrolled so that all of the Profiles will be re-installed when the device comes back into compliance.

1. Click in the Assigned Groups field and select "All Devices ([email protected])"
2. Click Next

Click Finish & Activate

1. Click Devices
2. Click List View

1. You may need to scroll right to view the Compliance Status for your Windows 10 device.
2. Confirm the Windows 10 device shows Non-Compliant for your enrolled device. This may take a few minutes as the compliance check run every 5 minutes.  
3. If the device does not show "Non-Compliant", click on the Refresh icon to refresh the page.

NOTE - You may need to wait several minutes for the Compliance Check to complete since it runs every 5 minutes.  Please continue to refresh every few minutes until you see the device marked as Non-Compliant before proceeding.

1. Click the Windows button.
2. Type "user certificates" and the Search bar will populate.
3. Click the "Manage user certificates" option.

Click Yes when asked if you want to allow this app to make changes to your device.

1. Click the Personal folder to expand it.
2. Click the Certificates folder.
3. Check if the aduser certificate still exists.
4. If the aduser certificate exists, wait a few minutes and click the Refresh button to check again.  Continue to refresh until you see that the aduser certificate is no longer shown.

Do not continue to the next step until you've confirm that the aduser certificate has been removed.

NOTE - Due to lab scalability and limitations, the aduser certificate may take a few minutes to be removed.

1. Click the Windows button.
2. Click the Workspace ONE app icon from the start menu.

1. The server address "https://ws1user.vidmpreview.com" should already be set when launching the Workspace ONE app, enter the value in the Server Address field if it is not already set.
2. Click Next.

1. Enter "aduser" for the username.
2. Click Next.

1. Confirm that authentication into the Workspace ONE app fails.
   
   The authentication fails because our encryption Compliance Policy was setup to remove all Profiles should the device become non-compliant.  Since the Windows 10 device we are testing from is not encrypted, the device became non-compliant once the Compliance Check completed and so the Profile containing the certificate used to login to the Workspace ONE portal was revoked.  Without the certificate, the user can no longer login to the Workspace ONE app.
   
2. Click the Close button to exit the Workspace ONE app.