Reading time (approx.): 5 minutes (excl. video)
In most of my posts I talk about protecting information using platforms like Azure Information Protection or Office 365. But we cannot forget that information is being accessed using an endpoint machine. So for this blog I decided to look more closely at Windows Information Protection.
Since seeing is believing, I have included some demo videos as well.
Windows Information Protection (WIP)
In essence, WIP uses encryption to protect sensitive (work) content. Because the content is encrypted, WIP can prevent it from being copied and pasted into other documents, shared through non-protected apps (such as a personal e-mail client), or stored in non-protected locations (such as a USB drive).
WIP uses the concept of "work" and "personal" ownership of content. If a document is considered personal, it is not encrypted and can be stored or shared anywhere. If it is considered work related, it is encrypted and the restrictions apply.
Depending on the policy settings, users can change the ownership from work to personal and vice versa (less restrictive), or the ownership is applied automatically (more restrictive). WIP uses a set of content locations (file shares, cloud storage, and more) to determine whether content is personal or work related.
These videos show some of these functions.
Copy document from work to personal location
Download a document
Protected and non-protected apps
There are two major components to WIP: the applications that are allowed to access protected content, and the locations where this content is stored. You configure both of these components (and more!) using Microsoft Intune.
App protection policies
In Microsoft Intune you navigate to Client apps | App protection policies to configure WIP. In this example I create a policy for Windows 10, but iOS and Android policies can also be set. Note the Enrollment state: "With enrollment" targets devices that are enrolled in MDM, while "Without enrollment" targets devices that are not.
One aspect of the policy is the assigned group of users. These are the users who will be affected by this policy (when working from a Windows 10 device).
These are the apps that can consume protected content: if a document is considered "work related", only the apps on this list can open it. Note the difference between "enlightened" and "non-enlightened" apps. An enlightened app understands WIP and can tell work data from personal data. A non-enlightened app cannot, so if you allow one, it treats everything it touches as work data and WIP encrypts every file it creates. An app that is not on the list at all cannot open work content.
You can add apps that Microsoft recommends, apps from the Microsoft Store, or desktop apps. The recommended apps come with all required details filled in. For Store apps you must provide the publisher and product name yourself; for desktop apps you must provide the publisher, product name and file name of the executable (and optionally a version range).
These settings determine what the user is allowed to do. With Block, no work related content can be shared, copied, or pasted to any personal location. With Allow Overrides, the action is initially blocked, but the user is prompted and can override the block (the override is logged). With Silent, WIP logs the actions it would have blocked but does not block anything.
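Filling in the desktop and Store app entries by hand is error-prone, because Intune matches on the exact publisher string from the code-signing certificate. The script below is an added example, not code from the original post: it collects those details with the AppLocker and Appx cmdlets so they can be copied into the "Protected apps" form. The executable paths and package names are assumptions; substitute the apps you want to allow.

```powershell
# Added example (not part of the original post). Collects the publisher /
# product / file details that the Intune WIP "Protected apps" form asks for.
# Paths and package names are assumptions for illustration.

# --- Desktop (Win32) apps -------------------------------------------------
# Get-AppLockerFileInformation reads the Authenticode signature and returns a
# Publisher object whose string form is "<signer DN>\<product>\<binary>\<version>".
$desktopApps = @(
    'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',  # assumed path
    'C:\Program Files\Google\Chrome\Application\chrome.exe'        # assumed path
)

foreach ($path in $desktopApps) {
    if (-not (Test-Path -Path $path)) { Write-Warning "Not found: $path"; continue }

    $info = Get-AppLockerFileInformation -Path $path
    if (-not $info.Publisher) {
        # An unsigned binary cannot be matched by publisher; do not guess a value,
        # decide explicitly whether you want to allow it at all.
        Write-Warning "Unsigned, no publisher rule possible: $path"
        continue
    }

    [pscustomobject]@{
        Type        = 'Desktop'
        Publisher   = $info.Publisher.PublisherName   # e.g. O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
        ProductName = $info.Publisher.ProductName
        FileName    = $info.Publisher.BinaryName
        Version     = $info.Publisher.BinaryVersion
        Path        = $path
    }
}

# --- Microsoft Store (AppX) apps -----------------------------------------
# For Store apps Intune wants the package publisher and the package (product) name.
$storeApps = @('Microsoft.Office.OneNote', 'Microsoft.Windows.Photos')   # assumed package names

foreach ($name in $storeApps) {
    $pkg = Get-AppxPackage -Name $name
    if (-not $pkg) { Write-Warning "Package not installed on this machine: $name"; continue }

    [pscustomobject]@{
        Type              = 'Store'
        Publisher         = $pkg.Publisher            # CN=... string from the package manifest
        ProductName       = $pkg.Name
        PackageFamilyName = $pkg.PackageFamilyName
        Version           = $pkg.Version
    }
}
```

Run it on a reference machine that has the apps installed, then paste the Publisher and ProductName values verbatim into Intune; a single character difference (for example a missing `S=WASHINGTON`) means the rule never matches and the app stays unable to open work content.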
I won't go into detail on these; instead, just go here. One thing I do need to explain is the network boundary. This boundary determines where work related content lives: file shares, SharePoint sites or OneDrive for Business, for example. Content downloaded from or saved to a location inside the boundary is treated as work content. These locations are configured here.
Two important remarks on this. One: if you are using Office 365, create a cloud resource with the following addresses:
And two: if you have non-enlightened apps that need to access the internet, add this entry to your cloud resources:
A non-enlightened app can be Google Chrome or Mozilla Firefox, for example. If you don't add this entry, WIP blocks these apps from reaching any internet location that is not inside the network boundary.
With these settings, the policy can be applied. This will take some time.
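Once the policy has landed on a test device it pays to verify, rather than assume, what WIP did: which files in a work location were actually encrypted, which enterprise identity owns them, and what the audit log recorded while the policy was in Silent or Allow Overrides mode. The script below is an added example, not code from the original post. It relies on three things I am certain of: WIP protects files with EFS (so a work file carries the Encrypted file attribute), `cipher.exe /c` prints the EFS metadata for a file including the enterprise identity, and WIP writes its audit events to the EDP-Audit-TCB and EDP-Audit-Regular Admin logs. The folder, file name and tenant name are assumptions.

```powershell
# Added example (not part of the original post). Verifies WIP behaviour on a
# device that received the policy. Folder, file and tenant names are assumed.

# 1. Which files in a work location carry the EFS "Encrypted" attribute?
#    WIP relies on EFS, so a work file shows the attribute and a personal file
#    does not. A work folder full of unencrypted files means the location is
#    not inside the network boundary or the policy has not applied yet.
function Get-WipFileState {
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            File      = $_.FullName
            Encrypted = (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0)
        }
    }
}

# 2. Which identity protects a file? cipher.exe /c lists the EFS metadata; for a
#    WIP file this includes the corporate identity configured in the policy
#    (e.g. contoso.com). The output is shown as-is rather than parsed, because
#    its wording differs between Windows builds.
function Show-WipOwner {
    param([Parameter(Mandatory)][string]$File)

    if (-not (Test-Path -Path $File)) { Write-Warning "Not found: $File"; return }
    cipher.exe /c $File
}

# 3. The audit trail. In Silent mode WIP logs what it would have blocked, and in
#    Allow Overrides mode it logs every override the user chose. Both go to the
#    EDP audit logs, which is where you look before switching a policy to Block.
function Get-WipAuditEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    $logs = 'Microsoft-Windows-EDP-Audit-TCB/Admin',
            'Microsoft-Windows-EDP-Audit-Regular/Admin'

    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Since } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, @{ Name = 'Log'; Expression = { $log } }, Message
    }
}

# Usage on a test machine (OneDrive folder and file name are assumed).
$workFolder = Join-Path $env:USERPROFILE 'OneDrive - Contoso'
Get-WipFileState -Folder $workFolder | Format-Table -AutoSize
Show-WipOwner -File (Join-Path $workFolder 'Report.docx')
Get-WipAuditEvents -Since (Get-Date).AddHours(-4) | Format-List TimeCreated, Id, Log, Message
```

Run the audit query for a few days with the policy in Silent mode: the events show you which apps and destinations your users actually hit, which is exactly the list of non-enlightened apps and boundary entries you still need to add before you flip the policy to Block.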
Take a look at this short video on the configuration of a policy.
All in all, a very powerful information protection solution. More information can be found here:
Using Windows Defender ATP together with sensitivity labels, you can also have documents labeled in Office 365 treated as "work" documents on the endpoint, bringing the DLP capabilities of Office 365 to Windows 10. Very cool stuff.
Thanks for the article on WIP – really helpful!
I thought you might want to be aware (and perhaps draw awareness to) a serious limitation in Windows Information Protection that I’ve just come across:
It appears that Windows Information Protection does not protect Outlook OST and PST files for remote wipe or encryption by default.
This means if Outlook is used in Cached Exchange Mode (the default), any mailbox data downloaded by Outlook will not be removed as part of a remote device wipe, nor will it be protected by WIP encryption by default.
This is in my book a very serious flaw and something Microsoft needs to address, as for most email use cases (people using Outlook on BYOD devices) it makes Windows Information Protection basically useless.
I have opened a UserVoice request on this: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/40034839-extend-wip-to-protect-outlook-mailbox-data
Any attention you can draw to this topic would be greatly appreciated,
Thanks for this update. That is really a serious flaw, I must agree. Thank you for bringing this to my attention!
Great article and it works (my webpages got blocked LOL) but I can’t for the life of me block copying files out of Sharepoint using Windows Explorer. What am I missing please?
Sorry about the delay. But can you elaborate somewhat? Do you use OneDrive for this (the explorer bit) or webdav or something else? Hope to hear from you.
After deploying the WIP policy to a user group and then excluding the user group, the WIP policy still applies. How do I cleanly remove the WIP policy from a computer where it was applied to the user group?
I would need to check this.
But perhaps this might help for now?