In this post I’ll focus on the Windows Information Protection (WIP) user experience on MDM-enrolled Windows 10 devices. If you haven’t read my previous posts about WIP, have a look at the list below.
This post is part of a series. Have a look at my other posts for more information about WIP.
- Introduction to Windows Information Protection
- Configuring MDM user scope and MAM user scope
- WIP-WE / MAM – Windows Information Protection without enrollment
- Windows Information Protection with Enrollment
- Windows Information Protection User Experience (this post)
- WIP-WE User Experience – WIP Without MDM enrollment
- Set up Azure Rights Management for WIP
- WIP Without Enrollment Selective Wipe
- Troubleshooting Windows Information Protection
- Monitoring and collecting WIP audit event logs
- WIP Learning mode
- Limiting Access to SharePoint Online on unmanaged devices
- Limiting Access to Exchange Online on unmanaged devices
Make sure you have all the prerequisites in place:
- Intune enabled as the MDM authority
- Windows 10 1703 and above (Pro, Enterprise, Education)
- EMS E3 licenses (or at the very least Intune and Azure AD premium P1)
- My device is managed with Microsoft Intune (MDM enrolled)
- I have configured and assigned WIP policies
- In this scenario I did not configure Azure RMS
- I am using Microsoft Edge Legacy because Edge Chromium needs extra configuration
Windows Information Protection configuration
I’ve configured the ‘Windows Information Protection mode’ to Allow Overrides. When I copy data from a protected to a non-protected app, I’m prompted with a warning message. The network boundaries are configured as described in my previous post Windows Information Protection with Enrollment.
For the Windows Information Protection User Experience, I have a Windows 10 1909 Enterprise test-device and configured OneDrive for Business, OneDrive Personal and a personal Dropbox account. I’ve also synced a library from SharePoint.
Installed applications are:
- Office 365 ProPlus (with MS Teams)
- Notepad++
- Adobe Acrobat Reader DC
- Google Chrome
- Microsoft Edge Legacy
- I also have Edge Chromium browser available
Windows Information Protection User experience
Depending on the protected apps you’ve configured, the described Windows Information Protection user experience can be different for you but if you go with the standard apps you can follow along. Do you remember the difference between enlightened apps and unenlightened apps? I’ll quickly explain it here but I encourage you to read my previous post about WIP Basics.
Enlightened vs unenlightened apps
The difference is that enlightened apps can differentiate between corporate and personal data, whereas unenlightened apps cannot. Office 365 apps like Word, Excel, PowerPoint, OneNote, MS Teams and Outlook are enlightened apps. Google Chrome, Firefox, Notepad++ or WordPad are examples of unenlightened apps.
If you want unenlightened apps to be able to access corporate data and encrypt files, you will have to add them to the WIP policy as allowed (managed) applications. When you configure unenlightened apps as corporate-managed, they consider all data to be corporate and encrypt everything they create or edit by default, so think about this before you add unenlightened apps. Microsoft recommends only adding LOB apps to your allowed apps list.
When you open OneDrive for Business you’ll see there is an extra column, “File ownership”. All the files have famsari.nl (my test tenant) set as the File ownership. The same is true for all the files synced from SharePoint and other sites you have added to your network boundaries. As a result, all my documents in OneDrive for Business are protected with Windows Information Protection. Remember that file encryption based on EFS only occurs when files are downloaded locally to your device. Data is not encrypted online!
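Adding an unenlightened LOB app to the allowed apps list means supplying AppLocker rule XML for it. The following is an added example (not part of the original post) that generates that XML for one signed executable with the AppLocker cmdlets shipped in Windows; the application path and the rule name prefix are placeholders I chose, not anything from the post.

```powershell
# Added example (not from the original post): generate the AppLocker publisher
# rule XML that a WIP policy expects for one unenlightened line-of-business app.
# Assumptions: the AppLocker PowerShell module is present (Windows 10 Pro/Enterprise)
# and $ExePath points at a signed executable (the path below is a placeholder).

Import-Module AppLocker

function New-WipAllowedAppXml {
    param(
        [Parameter(Mandatory)] [string] $ExePath,                 # signed LOB executable to allow
        [string] $OutFile = (Join-Path $env:TEMP 'wip-lob-app.xml')
    )

    # Read publisher, product and binary name from the file's Authenticode signature.
    $info = Get-AppLockerFileInformation -Path $ExePath

    if (-not $info.Publisher) {
        throw "File is not signed; a publisher rule cannot be created for $ExePath"
    }

    # Build an Allow rule for Everyone and emit it as AppLocker XML. This XML is
    # what you paste into the WIP policy as the app's definition.
    $xml = $info | New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix 'WIP-LOB' -Xml
    $xml | Out-File -FilePath $OutFile -Encoding utf8

    # Echo the rule so the scope can be reviewed before it is deployed: a rule
    # with ProductName or BinaryName set to "*" covers far more than one app.
    Write-Output $xml
    return $OutFile
}

# Placeholder path: replace with your own signed LOB application.
New-WipAllowedAppXml -ExePath 'C:\Program Files\Contoso\ContosoApp.exe'
```

Review the generated PublisherName, ProductName and BinaryName before adding the rule: because an unenlightened app treats everything it touches as corporate data, a rule that is broader than the single binary you meant to allow will silently widen what gets encrypted.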
Copy paste restrictions between applications
There is a layer of protection based on restricting copy/paste actions from managed to unmanaged applications. In this example configuration, I’ve added the Office 365 AppLocker file to allow the pre-configured applications to access corporate data.
Note: There is no need to add all of the Office 365 ProPlus suite applications manually to this list. Read more here.
When I open a document from OneDrive for Business with Microsoft Word and try to copy text to an application that is not approved, I see an error message:
I’m using Notepad++ as an example here to paste corporate data. Instead of the information I copied, an error message is pasted: “Your organization doesn’t allow you to use work content with this application”
Copying and pasting from Word to Notepad or any other approved (protected) application works just fine. I can relocate data between approved and protected apps and network boundaries.
When I open Google Chrome, log in to Gmail and try to paste data from the same Word document, it will not allow me to do so. The same error message is pasted again: “Your organization doesn’t allow you to use work content with this application”
This is true for any other website you open with Google Chrome. For example, I will not be able to paste information into SaaS applications or translate text using Google Translate (with Google Chrome). With approved browsers like Microsoft Edge Legacy (WIP compliant), I am able to override WIP and paste data into Google Translate.
I’m not saying it’s bulletproof because with this configuration I can upload a WIP protected document as an attachment and send an e-mail to any recipient. However, I will see a warning message and must click Yes to continue. I override WIP and my actions are logged. I’ll write another post about Monitoring and collecting WIP audit event logs shortly. The example below shows that I was able to upload a WIP protected document as an attachment. Doing this removes the encryption and enables the recipient to access and read the document.
This event is written to the event log. Have a look at Event Viewer\Applications and Services Logs\Microsoft\Windows\EDP-Audit-Regular. The log shows that the File ownership (the famsari.nl tag) has changed from work protected, to personal. It also shows that I was using Google Chrome while doing this.
The Microsoft Edge Legacy browser supports WIP. When I copy and paste information to Gmail or other websites like SaaS applications, I’m allowed to override WIP and continue. Upon clicking Yes, the copy/paste action is completed and another log entry is written to the event log. The question “Use work content here?” helps by making users aware of their actions and possible accidental data leaks.
OneDrive for Business: Relocating protected files
The Windows Information Protection experience works a little differently when I copy, paste or move documents from OneDrive for Business to any other location on my device (like C:\Temp). Documents are still protected with WIP policies after I copy them. You can double-check this by looking at the File ownership property of your files.
I copied a file to another location on my local hard drive, and now I can remove the WIP protection from these files. To do this, right-click on any of your files and click on File Ownership in the menu. Next, click on Personal.
In the example below the WIP protection is removed from the document. You might find yourself in a situation where you want to present a PowerPoint presentation but are not able to do this using your own device. You will have to copy the PowerPoint presentation to a USB drive and use another device for the actual presentation. I’ll show you how you can use USB drives and other devices with Windows Information Protection below.
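The File ownership column is one way to check a copied folder; the same information is exposed to scripts through the EFS “Encrypted” file attribute that WIP sets on work-protected files. This is an added example (not from the original post) that inventories a folder and reports how many files are still protected after a copy; the folder path is a placeholder.

```powershell
# Added example (not from the original post): report which files under a folder
# still carry the EFS "Encrypted" attribute that WIP sets on work-protected files.
# Assumption: $Path is a placeholder; point it at a OneDrive for Business sync
# folder or at the location you copied files to (e.g. C:\Temp).

function Get-WipFileProtection {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        # WIP protection on disk is EFS encryption, so the Encrypted attribute is set.
        $encrypted = ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
        [PSCustomObject]@{
            FullName  = $_.FullName
            Protected = $encrypted
            Modified  = $_.LastWriteTime
        }
    }
}

# Summarise: how many files are still work-protected after the copy?
$report    = @(Get-WipFileProtection -Path 'C:\Temp')
$protected = @($report | Where-Object { $_.Protected })

$report | Format-Table -AutoSize
"{0} of {1} files are still WIP (EFS) protected" -f $protected.Count, $report.Count
```

One caveat: the Encrypted attribute is also set on files a user encrypted with ordinary EFS, so a “Protected = True” line tells you the file is EFS-encrypted, not by itself which enterprise identity owns it; the File ownership column in Explorer is still the authoritative view of the tag.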
When I change the File ownership from work protected to personal, this action will also be logged. Here is the event in the Event Viewer:
Event Viewer\Applications and Services Logs\Microsoft\Windows\EDP-Audit-TCB
If you have Log Analytics configured to receive Windows event logs from your MDM-enrolled devices, you can run queries and even set up alerts when certain events happen. I’ll write another post about Monitoring and collecting WIP audit event logs, but here’s a sneak peek at the logs in Log Analytics:
Click one of these events and see all the information you need:
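Before the logs reach Log Analytics, the same events can be read locally from the two EDP-Audit channels named above (EDP-Audit-Regular for the Chrome upload and EDP-Audit-TCB for the File ownership change). This is an added example, not code from the original post: it discovers the EDP-Audit channels on the device with a wildcard instead of hard-coding their full names (which I assume follow the usual Microsoft-Windows-<name>/Admin pattern) and summarises the recent events. The KQL at the end is my own assumed query against the Event table that the legacy Windows event collection writes to; its column names are taken from that table’s schema and are not from the post.

```powershell
# Added example (not from the original post): pull recent WIP audit events from
# the EDP-Audit channels and summarise them by channel and event id.
# Assumption: channel names match 'Microsoft-Windows-EDP-Audit*'; the wildcard
# lookup below finds the exact names rather than relying on that assumption.

function Get-WipAuditEvent {
    param(
        [int] $Hours = 24
    )

    # Discover the EDP audit channels that actually contain records.
    $channels = Get-WinEvent -ListLog 'Microsoft-Windows-EDP-Audit*' -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        Select-Object -ExpandProperty LogName

    foreach ($log in $channels) {
        Get-WinEvent -FilterHashtable @{
            LogName   = $log
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue | ForEach-Object {
            [PSCustomObject]@{
                Time    = $_.TimeCreated
                Channel = $log
                Id      = $_.Id
                # The message carries the file, the application (e.g. chrome.exe)
                # and the ownership change (work -> personal) described in the post.
                Message = ($_.Message -replace '\s+', ' ')
            }
        }
    }
}

$events = @(Get-WipAuditEvent -Hours 24)
$events | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap

# Which channel/event id combinations fired most often (a quick override count)?
$events | Group-Object Channel, Id | Select-Object Count, Name | Sort-Object Count -Descending

# Assumed Log Analytics equivalent for the same data once the device forwards its
# event logs (legacy Windows event collection, Event table; column names assumed).
$kql = @'
Event
| where EventLog startswith "Microsoft-Windows-EDP-Audit"
| project TimeGenerated, Computer, EventLog, EventID, RenderedDescription
| order by TimeGenerated desc
'@
```

Run the script on the test device right after an override (paste into Gmail through Edge, or change File ownership to Personal) and the newest row should describe exactly that action; the grouped count is a cheap way to spot a user whose override rate stands out before you build a proper alert rule in Log Analytics.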
Relocating WIP protected files to OneDrive Personal
OneDrive Personal is better integrated with WIP and shows me a warning message when I copy documents. Now I have to change the File ownership to personal before I can copy files or skip it.
Relocating WIP protected files to Dropbox
In the example below I copied WIP-protected files from OneDrive for Business to my personal Dropbox account, and it looks like the files will sync to Dropbox. This is not true. Look closer and you will see that the files have the corporate file ownership tag and a red cross in the document icons, indicating the files will not sync to Dropbox.
When I change the File ownership from work to personal, the files will sync to Dropbox and the action is logged. This works as expected because I have set the ‘Windows Information Protection mode’ to Allow Overrides. Setting this to Block will effectively block file relocation.
Relocating WIP protected files to USB drives
When I copy or move WIP protected files to external storage like a USB drive, I’m prompted with a warning about relocating work protected data. Copy as personal will set the file ownership to personal and the action will be logged.
In the example below I copied a document by clicking Copy as work protected. As a result, the document can only be accessed on the original device from which I copied it to the USB drive. No other user on any other device will be able to open the document. This is by design, and you can read more about Windows Information Protection and its limitations here. It’s because I’m NOT using Azure RMS. By configuring Azure RMS, authenticated users in my organization will be able to access the document on their MDM-enrolled devices. I’ll write another post about configuring Azure Rights Management with WIP and go through the user experience with Azure RMS configured.
In the example above, I copied one document as personal, and another as work protected to a USB drive. When I try to access the documents on another device I can see the work protected document has a key lock in the document icon.
When opening the document, I get a nice error warning about not having the required privileges to access the document.
Windows Information Protection – Block Mode
Remember that this scenario is based on the ‘Windows Information Protection mode’ set to Allow Overrides. When you set the ‘Windows Information Protection mode’ to Block, you will only have the option to copy data to a USB drive as work protected or skip the operation.
Most of the Windows Information Protection User experiences in this document might be different because by setting it to Block, you are not allowing users to override your WIP security settings.
Users will NOT be able to upload documents as attachments to Gmail or copy data to OneDrive Personal. The option to change the File ownership from work to personal will be grayed out. The Block setting is the most restrictive option you have with Windows Information Protection.
I probably forgot something important to write about here but for now I hope you’ve found this post valuable enough. Windows Information Protection works fine but there are some things to keep in mind. I’ll dive into this and more in a future post about troubleshooting Windows Information Protection and see what we can do to further protect corporate data.
I encourage you to engage here by leaving a comment so we all can learn more and help each other.
- Get ready to configure app protection policies for Windows 10
- Protect your enterprise data using Windows Information Protection (WIP)
- Limitations while using Windows Information Protection (WIP)