Data Encryption Errors After Restoring Microsoft Dynamics CRM Database

Paul Nieuwelaar, 08 October 2014

If you’re seeing an error similar to the one above, you’ve probably done a database backup and restore from a Dynamics CRM 2013 instance into a new Dynamics CRM 2013 or 2015 instance. This error will pop up when you try and modify a user’s email address, or open personal options from outlook, as well as when performing some other tasks around CRM that include sensitive data.

The Data Encryption error states: “There are encrypted fields in the organization database, but the data encryption feature isn’t activated. Contact your Microsoft Dynamics CRM system administrator to activate data encryption. To activate, go to System Settings > Data Management > Data Encryption…”

The reason this error occurs is because when we restore/import a database, data encryption is disabled by default, even if it was enabled in the system we took a backup from. This is because the encryption settings are stored in the config database, so the .bak file does not contain these settings.

According to the error, to enable encryption we need to go into Data Encryption under Data Management. However, we can only enable Data Encryption if Dynamics CRM is using the https protocol, and usually the reason we’ve done a backup/restore is because we’re setting up a Dev or UAT copy of Prod, which may not need to be https.

This error states that “The HTTPS protocol is required for this type of request. Enable the HTTPS protocol and try again.” However, enabling https may not be ideal, and we still need to be able use the system.

Fortunately, there is a SQL script we can run on the config database which will allow us to use data encryption without using the https protocol:

                UPDATE [MSCRM_CONFIG].[dbo].[DeploymentProperties]
                SET [BitColumn]=1
                WHERE ColumnName='DisableSSLCheckForEncryption'

You shouldn’t do this on a production instance, but for Dev or UAT instances this is necessary.

Once that’s updated you need to do an IISRESET on the CRM server for the changes to take effect.

If we try opening that Data Encryption window again, we should see that encryption is disabled, and we can create a new key and activate it.



You should be able to get the encryption key from the original CRM system you backed up from. If not, then you can simply create a new encryption key.

When you activate, you might be faced with another error which states “Please select an account that is a member of the PrivUserGroup security group and try again”.

This is because although we might be a system admin in Dynamics CRM, we cannot update the encryption key unless we are a member of the PrivUserGroup in Active Directory. We can either log into Dynamics CRM as the user who installed Dynamics CRM, or we can get our user added to that security group.



Once that’s done we should now be able to activate the encryption key. 

You should now be able to edit user email addresses, and perform any other operations that require data encryption without any errors.

NOTE: This encryption error only happens when we restore from a Dynamics CRM 2013 or 2015 backup. If we create a new org through Deployment Manager, or if we upgrade a Dynamics CRM 2011 database, encryption will still be enabled by default. We can see when creating a new org the wizard informs us that encryption will be enabled.