Reading time (approx.): 5 minutes (excl. video)
In most of my posts I talk about protecting information using platforms like Azure Information Protection or Office 365. But we cannot forget that information is being accessed using an endpoint machine. So for this blog I decided to look more closely at Windows Information Protection.
As seeing-is-believing, I’ve included some demo-video’s as-well.
Windows Information Protection (WIP)
In essence, WIP uses encryption to protect sensitive (work) content. By encryption it can disallow content to be copy/pasted into other documents. It also allows document to be blocked from sharing using non-protected apps (like e-mail) or storage on non-protected locations (like an USB drive).
WIP uses the concept of “work” and “personal” ownership of content. If a document is considered personal, than it is not encrypted and can be stored/shared anywhere. If it’s considered work related, than it is encrypted and the restrictions come into place.
Based on the settings of the policy, users can change the ownership from work to personal and visa versa (less restrictive). Or this ownership is applied automatically (more restrictive). WIP uses a set of content locations (fileshares, cloud storage, and more) to determine if the content is either personal or work related.
In these video’s some of these functions are shown.
Copy document from work to personal location
Download a document
Protected and non-protected apps
There are two major components to WIP. There’s the application which are allowed to access protected content and there’s the location where this content is stored. You configure both of these components (and more!) using Microsoft Intune.
App protection policies
In Microsoft Intune you navigate to Client apps | App protection policies in order to configure WIP. In this example, I’m going to create a policy for Windows 10. But iOS and Android policies can also be set. Please note the Enrollment state, this checks if the machine is enrolled in MDM or not.
One of the aspects for the policy is the assigned group of users. These are your users, which will be effected by this policy (when working from a Windows 10 device).
These are the apps which can consume protected content. If a document is considered “work related”, then any of the configured apps can open it. Unless the app is “non-enlightened “. Which means that it cannot handle the encryption. In that case, the document will not be opened.
You can add apps which are recommended by Microsoft, apps from the Microsoft store or desktop apps. The recommended apps are added using all the required details. From the store and desktop apps, you will need to provide a publisher and even a filename of the application.
These settings determine what the user will be allowed to do. When set to Block, no work related content can be shared, copied, or copy/pasted to any personal location. If you Allow Overrides, the initial action is blocked. But can be overwritten by the user. If you set the option to Silent, then WIP will log all actions, but won’t take any actions.
I won’t go into detail on these. Instead, just go to here. But one thing I do need to explain and that’s the network boundary. This boundary determines where work related content is stored. This can be on file-shares, SharePoint sites or OneDrive for Business (for example). These locations are configured here.
Two important remarks on this. One; If your using Office 365, then create a cloud resource with the following addresses:
And two; If you have non-enlightened apps which need to access the internet, please at this remark to your cloud resources:
And a non-enlightened app can be Google Chrome or Mozilla Firefox, for example. If you don’t add this remark, then WIP will block any access from these types of client to the internet.
With these settings, the policy can be applied. This will take some time.
Take look at this short video on the configuration of a policy
All in all, a very powerful information protection solution. More information can be found here:
Using Windows Defender ATP and the sensitivity labels you can also mark labeled documents (from Office 365) as “work” documents. Bringing DLP capabilities from Office 365 to Windows 10. Very cool stuff.