Windows Information Protection

License: Gold

Applicable to: Windows 10+

A Windows Information Protection (WIP) configuration defines WIP settings to protect enterprise data. This configuration can be applied to devices enrolled under management. You can also view WIP details for a configured device on the overview page of that device.

Setting Up Windows Information Protection for Windows

Procedure

  1. Go to Configuration > +Add.
  2. Select the Windows Information Protection configuration.
  3. Enter a name for the configuration.
  4. Enter a description.
  5. In the Configuration Setup section, specify the remaining settings as described in the following table.
  6. Click Next.
  7. Select a distribution for this configuration.

Category / Setting / What To Do

Name

Enter a name that identifies this configuration.

Description

Enter a description that clarifies the purpose of this configuration.

Enterprise Information (All Versions: Windows 10+ Desktop and Mobile)

Protected Domain Names

Specify the list of identities for which Data Protection policies are configured. Emails and other data associated with these identities are considered enterprise data and protected.

  • This is a list of domains separated by |, with the first domain in the list treated as the primary identity for the purposes of the Windows UI.
  • For example: "domain1.com|domain2.co.uk"

Network Domain Names

Specify the list of domains that form the boundaries of the enterprise. Data from one of these domains that is sent to a device is considered enterprise data and protected.

  • These locations are considered a safe destination for sharing enterprise data.
  • This is a comma-separated list of domains.
  • For example: "mail.domain3.com, domain4.com"

Cloud Resources

Specify the list of enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. Enter one or more domain names, each with an optional proxy address in parentheses.

  • For example: "domainname1.com, domainname2 (10.0.0.1)"
  • If a proxy is paired with a cloud resource, traffic to that cloud resource is routed through the enterprise network via the specified proxy server (on port 80).
  • Every proxy address specified in this field must also be entered in the Internal Proxy Servers field below.

IP Range

Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers is considered part of the enterprise and protected. These locations are considered a safe destination for sharing enterprise data.

  • This is a comma-separated list of IPv4 and IPv6 ranges.
  • Select the IP Ranges are authoritative option when the client must accept the configured list and not use heuristics to find other subnets.

Neutral Resources

Specifies the list of domain names that can be used for either work or personal resources.

Proxy Servers

Specifies the comma-separated list of proxy servers. Any server on this list is considered non-enterprise.

  • For example: "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59"
  • Select the Proxy Servers are authoritative option when the client must accept the configured list of proxies and not try to detect other work proxies.

Internal Proxy Servers

Specifies the comma-separated list of internal proxy servers.

  • For example: "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59"
  • These proxies have been configured by the admin to connect to specific resources on the Internet, and they are considered enterprise network locations. The proxies are used only by the EnterpriseCloudResources policy, to force traffic to the matched Cloud Resources through these proxies.

Data Protection (All Versions: Windows 10+ Desktop and Mobile)

Enforcement Level

Choose one of the following enforcement levels:

  • Off - No protection (previously encrypted data is decrypted).
  • Silent - Encrypt the data and audit activity on the device once the data is protected. The user is not prompted about inappropriate data or app use.
  • Override - Similar to Silent mode. In addition, if an app or data is being used inappropriately, the user is prompted to either proceed with or cancel the current operation.
  • Block - Similar to Silent mode. In addition, if an app or data is being used inappropriately, the current operation is blocked and the user is shown the reason for blocking it.

Except in the Off mode, any data or app that was not supposed to use enterprise data or resources is logged on the device. That data can be removed from the device using another configuration service provider (CSP).

Data Recovery Certificate

Specify a recovery certificate that can be used to recover encrypted files.

  • This is the same as the data recovery agent (DRA) certificate for the Encrypting File System (EFS). However, this certificate is delivered through MDM instead of through Group Policy.

You can also select one or more of the following options:

  • Allow User Decryption
  • Revoke On Unenroll
  • Show EDP Icons
  • Require Protection Under Lock (Windows 10 Mobile only)

RMS (All Versions: Windows 10+ Desktop and Mobile)

Allow Azure RMS

Specify whether to allow Azure Rights Management (Azure RMS) encryption for WIP.

RMS Template ID

Specify the TemplateID GUID to use for RMS encryption. The RMS template lets admins configure who has access to an RMS-protected file and for how long.

App Control (All Versions: Windows 10+ Desktop and Mobile)

Specify a collection of apps that are built under the Apps > App Catalog page with a value of WIP. Specify the rule definitions for the apps using the following set of parameters:

App Type

Select one of the following app types:

  • Publisher/PFN Equals - applies to Windows 10 Mobile and Windows 10 Desktop apps that support PFN.
  • EXE/Win32 Equals - applies to Windows desktop only.

App Identifier

Select the app from the choices displayed to add it to the App Identifier. You can also click Lookup Apps.

App Description

Enter a description for the app.
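The Enterprise Information fields above have several format rules that are easy to get wrong in a web form: Protected Domain Names is |-separated with the first entry as the primary identity, the other lists are comma-separated, a Cloud Resources entry may carry a proxy in parentheses, and every such proxy must also appear in Internal Proxy Servers (which are enterprise locations, while Proxy Servers are non-enterprise). The following added example, which is not part of this product's documentation or code, checks a draft configuration offline against those rules before it is distributed. Field names in the dictionary, the start-end and CIDR notations accepted for IP Range, and the sample values not taken from the page are assumptions.

```python
"""Offline consistency checks for the Enterprise Information fields of a WIP configuration.

Added example, not the product's own code. Dictionary keys are assumed names for the
form fields. IP ranges are assumed to be written as start-end or CIDR (the page only
says "IPv4 and IPv6 ranges").
"""
import ipaddress
import re

# "host" optionally followed by "(proxy)", e.g. "domainname2 (10.0.0.1)"
_CLOUD_RE = re.compile(r"^\s*(?P<host>[^\s(]+)\s*(?:\((?P<proxy>[^)]+)\))?\s*$")

# Constructed sample: values quoted in the page plus assumed IP ranges and proxy lists.
SAMPLE_CONFIG = {
    "protected_domain_names": "domain1.com|domain2.co.uk",
    "network_domain_names": "mail.domain3.com, domain4.com",
    "cloud_resources": "domainname1.com, domainname2 (10.0.0.1)",
    "ip_range": "10.0.0.1-10.255.255.254, 2001:db8::/32",
    "proxy_servers": "157.54.14.28, 157.54.11.118",
    "internal_proxy_servers": "157.54.14.28, 10.202.14.167",
}


def parse_csv(value):
    """Split a comma-separated field and drop empty entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_protected_domains(value):
    """Return (primary_identity, all_domains) from the |-separated field."""
    domains = [d.strip() for d in value.split("|") if d.strip()]
    if not domains:
        raise ValueError("Protected Domain Names must contain at least one domain")
    return domains[0], domains


def parse_cloud_resources(value):
    """Return a list of (host, proxy_or_None) from 'host (proxy), host2, ...'."""
    resources = []
    for item in parse_csv(value):
        match = _CLOUD_RE.match(item)
        if not match:
            raise ValueError(f"unparseable Cloud Resources entry: {item!r}")
        proxy = match.group("proxy")
        resources.append((match.group("host"), proxy.strip() if proxy else None))
    return resources


def parse_ip_ranges(value):
    """Parse comma-separated ranges written as start-end or CIDR (assumed notations)."""
    ranges = []
    for item in parse_csv(value):
        if "-" in item:
            start, end = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            # Mixed address families cannot be compared; check the version first.
            if start.version != end.version or start > end:
                raise ValueError(f"invalid range {item!r}")
            ranges.append((start, end))
        else:
            net = ipaddress.ip_network(item, strict=False)
            ranges.append((net[0], net[-1]))
    return ranges


def check_enterprise_information(cfg):
    """Return a list of findings; an empty list means the fields are consistent."""
    findings = []
    parse_protected_domains(cfg["protected_domain_names"])
    internal = set(parse_csv(cfg["internal_proxy_servers"]))
    non_enterprise = set(parse_csv(cfg["proxy_servers"]))

    # Rule from the page: a proxy paired with a cloud resource must also be internal.
    for host, proxy in parse_cloud_resources(cfg["cloud_resources"]):
        if proxy and proxy not in internal:
            findings.append(f"cloud resource {host}: proxy {proxy} is missing from Internal Proxy Servers")

    # Internal proxies are enterprise locations, Proxy Servers are non-enterprise; both at once is contradictory.
    for proxy in sorted(internal & non_enterprise):
        findings.append(f"proxy {proxy} is listed in both Proxy Servers and Internal Proxy Servers")

    try:
        parse_ip_ranges(cfg["ip_range"])
    except ValueError as exc:
        findings.append(f"IP Range: {exc}")
    return findings


if __name__ == "__main__":
    for finding in check_enterprise_information(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the checks report that 10.0.0.1 (the proxy paired with domainname2) is absent from Internal Proxy Servers and that 157.54.14.28 appears in both proxy lists; moving 10.0.0.1 into Internal Proxy Servers and removing the overlap clears both findings.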