Windows Information Protection

Windows Information Protection User Experience

In this post I’ll focus on the Windows Information Protection (WIP) user experience on MDM enrolled Windows 10 devices. If you haven’t read my previous posts about WIP, have a look at the list below.

This post is part of a series. Have a look at my other posts for more information about WIP.

  1. Introduction to Windows Information Protection
  2. Configuring MDM user scope and MAM user scope
  3. WIP-WE / MAM – Windows Information Protection without enrollment
  4. Windows Information Protection with Enrollment
  5. Windows Information Protection User Experience (this post)
  6. WIP-WE User Experience – WIP Without MDM enrollment
  7. Set up Azure Rights Management for WIP
  8. WIP Without Enrollment Selective Wipe
  9. Troubleshooting Windows Information Protection
  10. Monitoring and collecting WIP audit event logs
  11. WIP Learning mode
  12. Limiting Access to SharePoint Online on unmanaged devices
  13. Limiting Access to Exchange Online on unmanaged devices

Prerequisites

Make sure you have all the prerequisites in place:

  • Intune enabled as the MDM authority
  • Windows 10 1703 and above (Pro, Enterprise, Education)
  • EMS E3 licenses (or at the very least Intune and Azure AD premium P1)
  • My device is managed with Microsoft Intune (MDM enrolled)
  • I have configured and assigned WIP policies
  • In this scenario I did not configure Azure RMS
  • I am using Microsoft Edge Legacy because Edge Chromium needs extra configuration

Windows Information Protection configuration

I’ve configured the ‘Windows Information Protection mode’ to Allow Overrides. When I copy data from a protected to a non-protected app, I’m prompted with a warning message. The network boundaries are configured as described in my previous post, Windows Information Protection with Enrollment.

For the Windows Information Protection User Experience, I have a Windows 10 1909 Enterprise test-device and configured OneDrive for Business, OneDrive Personal and a personal Dropbox account. I’ve also synced a library from SharePoint.

Installed applications are:

  • Office 365 ProPlus (with MS Teams)
  • 7-zip
  • Notepad ++
  • Adobe Acrobat Reader DC
  • FireFox
  • Google Chrome
  • Microsoft Edge Legacy
  • I also have Edge Chromium browser available

Windows Information Protection User experience

Depending on the protected apps you’ve configured, the described Windows Information Protection user experience can be different for you but if you go with the standard apps you can follow along. Do you remember the difference between enlightened apps and unenlightened apps? I’ll quickly explain it here but I encourage you to read my previous post about WIP Basics.

Enlightened vs unenlightened apps

The difference is that enlightened apps can differentiate between corporate and personal data whereas unenlightened apps cannot. Office 365 apps like Word, Excel, PowerPoint, OneNote, MS Teams, and Outlook are enlightened apps. Google Chrome, Firefox, Notepad ++ or Wordpad are examples of unenlightened apps.

If you want unenlightened apps to be able to access corporate data and encrypt files, you will have to add them to the WIP policy as allowed (managed) applications. When you configure unenlightened apps as corporate-managed, they consider all data to be corporate and encrypt everything they create or edit by default, so think about this before you add unenlightened apps. Microsoft recommends only adding LOB apps to your allowed apps list.

When you open OneDrive for Business you’ll see there is an extra column, “File ownership”. All the files have famsari.nl (my test tenant) set as the File ownership. The same is true for all the synced files from SharePoint and other sites you have added to your network boundaries. As a result, all my documents in OneDrive for Business are protected with Windows Information Protection. Remember that file encryption based on EFS only occurs when files are downloaded locally to your device. Data is not encrypted online!

[Screenshot: Windows Information Protection user experience]

Copy paste restrictions between applications

There is a layer of protection based on restricting copy/paste actions from managed to unmanaged applications. In this example configuration, I’ve added the Office 365 AppLocker file to allow pre-configured applications to access corporate data.

[Screenshot: Windows Information Protection protected apps]

Note: There is no need to add all of the Office 365 Pro Plus suite applications manually to this list. Read more here.

When I open a document from OneDrive for Business with Microsoft Word and try to copy text to an application that is not approved, I see an error message:

[Screenshot: Copy data content]

I’m using Notepad ++ as an example here to paste corporate data. Instead of pasting the information I copied, an error message is pasted: “Your organization doesn’t allow you to use work content with this application”.

[Screenshot: Notepad ++]

Copy paste from Word to Notepad or any other approved (protected) application works just fine. I can relocate data between approved and protected apps and network boundaries.

[Screenshot: approved apps]

Unapproved browsers

When I open Google Chrome, log in to Gmail and try to paste data from the same Word document, it will not allow me to do so. The same error message is pasted again: “Your organization doesn’t allow you to use work content with this application”.

[Screenshot: WIP unapproved apps]

This is true for any other website you open with Google Chrome. For example, I will not be able to paste information into SaaS applications or translate text using Google Translate (with Google Chrome). With approved browsers like Microsoft Edge Legacy (WIP compliant), I am able to override WIP and paste data into Google Translate.

[Screenshot: Google Translate]

I’m not saying it’s bulletproof because with this configuration I can upload a WIP protected document as an attachment and send an e-mail to any recipient. However, I will see a warning message and must click Yes to continue. I override WIP and my actions are logged. I’ll write another post about Monitoring and collecting WIP audit event logs shortly. The example below shows that I was able to upload a WIP protected document as an attachment. Doing this removes the encryption and enables the recipient to access and read the document.

[Screenshot: Gmail attachment]

This event is written to the event log. Have a look at Event Viewer\Applications and Services Logs\Microsoft\Windows\EDP-Audit-Regular. The log shows that the File ownership (the famsari.nl tag) has changed from work protected to personal. It also shows that I was using Google Chrome while doing this.

[Screenshot: WIP event log]

Approved browsers

The Microsoft Edge Legacy browser supports WIP. When I copy and paste information into Gmail or other websites like SaaS applications, I’m allowed to override WIP and continue. Upon clicking Yes, the copy/paste action is completed and another log entry is written to the event log. The question “Use work content here?” helps by making users aware of their actions and of possible accidental data leaks.

[Screenshot: WIP approved browsers]

OneDrive for Business: Relocating protected files

The Windows Information Protection experience works a little differently when I copy and paste or move documents from OneDrive for Business to any other location on my device (like C:\Temp). Documents are still protected with WIP policies after I copy them. You can double check this by looking at the File ownership property of your files.
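As an added example (not code from the original post), this PowerShell function reports which files under a folder are still work protected after being copied out of OneDrive for Business. It assumes WIP's file protection is EFS-based, so the Encrypted file attribute is used as the check; the folder path C:\Temp is just the post's example location.

```powershell
# Added example (not from the original post): list the WIP protection state of
# files copied out of OneDrive for Business. WIP encrypts work files with EFS,
# so a file that still carries the Encrypted attribute is still work protected;
# one without it has been made personal (or was never protected).
function Get-WipFileState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            FullName      = $_.FullName
            WorkProtected = $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted)
            LastWrite     = $_.LastWriteTime
        }
    }
}

# Usage: after copying documents from OneDrive for Business to C:\Temp (the
# location used in the post), confirm which copies are still work protected
# and list the ones that are not, so nothing unprotected leaves the device unnoticed.
$state = Get-WipFileState -Path 'C:\Temp'
$state | Format-Table -AutoSize
$state | Where-Object { -not $_.WorkProtected } | Select-Object -ExpandProperty FullName
```

For a single file, `cipher.exe /c <file>` prints the EFS details behind the File ownership column shown in File Explorer.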

[Screenshot: OneDrive]

I copied a file to another location on my local hard drive, and now I can remove the WIP protection from these files. To do this, right-click on any of your files and click on File Ownership in the menu. Next, click on Personal.

[Screenshot: Windows Information Protection file ownership]

In the example below the WIP protection is removed from the document. You might find yourself in a situation where you want to present a PowerPoint presentation but are not able to do this using your own device. You will have to copy the PowerPoint presentation to a USB drive and use another device for the actual presentation. I’ll show you how you can use USB drives and other devices with Windows Information Protection below.

[Screenshot: file ownership]

When I change the File ownership from work protected to personal, this action is also logged. Here is the event in the Event Viewer, under Event Viewer\Applications and Services Logs\Microsoft\Windows\EDP-Audit-TCB:
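The two Event Viewer locations mentioned above (EDP-Audit-Regular for overrides such as the Gmail upload, EDP-Audit-TCB for File ownership changes) can be queried together from PowerShell. This is an added example, not code from the original post; it assumes the ETW channel names `Microsoft-Windows-EDP-Audit-Regular/Admin` and `Microsoft-Windows-EDP-Audit-TCB/Admin` correspond to those Event Viewer folders (run `Get-WinEvent -ListLog *EDP*` to confirm on your device).

```powershell
# Added example (not from the original post): collect WIP audit events from the two
# channels shown in Event Viewer and summarise them per channel. The channel names
# are assumed from the Event Viewer paths Microsoft\Windows\EDP-Audit-Regular and
# Microsoft\Windows\EDP-Audit-TCB; verify them with Get-WinEvent -ListLog *EDP*.
function Get-WipAuditEvent {
    [CmdletBinding()]
    param(
        [int]$Days = 7,
        [string[]]$LogName = @(
            'Microsoft-Windows-EDP-Audit-Regular/Admin',  # WIP overrides (e.g. paste into Chrome)
            'Microsoft-Windows-EDP-Audit-TCB/Admin'       # File ownership work -> personal
        )
    )

    $filter = @{
        LogName   = $LogName
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent raises a non-terminating error when a channel holds no matching
    # events; silence it so an empty channel does not abort the whole query.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Channel     = $_.LogName
                EventId     = $_.Id
                UserSid     = $_.UserId          # SID of the user who performed the action
                Message     = ($_.Message -replace '\s+', ' ')
            }
        }
}

# Usage: show the overrides and ownership changes of the last 7 days, newest first,
# then count them per channel so an unusual number of overrides stands out.
$events = Get-WipAuditEvent -Days 7
$events | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
$events | Group-Object Channel | Select-Object Name, Count
```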

[Screenshot: Event log]

If you have Log Analytics configured to receive Windows event logs from your MDM enrolled devices, you can run queries and even set up alerts when certain events happen. I’ll write another post about Monitoring and collecting WIP audit event logs, but here’s a sneak peek at the logs in Log Analytics:

[Screenshot: Log Analytics]

Click one of these events and see all the information you need:

[Screenshot: Log Analytics event details]

Relocating WIP protected files to OneDrive Personal

OneDrive Personal is better integrated with WIP and shows me a warning message when I copy documents. Now I have to change the File ownership to personal before I can copy the files, or skip them.

[Screenshot: OneDrive Personal]

Relocating WIP protected files to Dropbox

In the example below I copied WIP protected files from OneDrive for Business to my personal Dropbox account, and it looks like the files will sync to Dropbox. This is not true. Look closer and you will see that the files have the corporate file ownership tag and a red cross in the document icons, indicating the files will not sync to Dropbox.

[Screenshot: Dropbox]

When I change the File ownership from work to personal, the files will sync to Dropbox and the action is logged. This works as expected because I have set the ‘Windows Information Protection mode’ to Allow Overrides. Setting this to Block will effectively block file relocation.

Relocating WIP protected files to USB drives

When I copy or move WIP protected files to external storage like a USB drive, I’m prompted with a warning about relocating work protected data. “Copy as personal” will set the file ownership to personal and the action will be logged.

In the example below I copied a document by clicking “Copy as work protected”. As a result, the document can only be accessed on the original device from which I copied it to the USB drive. No other user on any other device will be able to open the document. This is by design and you can read more about Windows Information Protection and its limitations here. It’s because I’m NOT using Azure RMS. By configuring Azure RMS, authenticated users in my organization will be able to access the document on their MDM enrolled devices. I’ll write another post about configuring Azure Rights Management with WIP and go through the user experience with Azure RMS configured.

[Screenshot: USB drives]

In the example above, I copied one document as personal, and another as work protected, to a USB drive. When I try to access the documents on another device I can see the work protected document has a lock on its document icon.

[Screenshot: EFS encryption]

When opening the document, I get a clear error message about not having the required privileges to access the document.

[Screenshot: WIP error]

Windows Information Protection – Block Mode

Remember that this scenario is based on the ‘Windows Information Protection mode’ set to Allow Overrides. When you set the ‘Windows Information Protection mode’ to Block, you will only have the option to copy data to a USB drive as work protected or skip the operation.

[Screenshot: USB drive]

Most of the Windows Information Protection user experiences described in this post will be different in Block mode, because by setting it to Block you are not allowing users to override your WIP security settings.

Users will NOT be able to upload documents as attachments to Gmail or copy data to OneDrive Personal. The option to change the File ownership from work to personal will be grayed out. The Block setting is the most restrictive option you have with Windows Information Protection.

[Screenshot: file ownership grayed out]

Conclusion

I probably forgot something important to write about here but for now I hope you’ve found this post valuable enough. Windows Information Protection works fine but there are some things to keep in mind. I’ll dive into this and more in a future post about troubleshooting Windows Information Protection and see what we can do to further protect corporate data.

I encourage you to engage here by leaving a comment so we all can learn more and help each other.


Oktay Sari


Moe, 8 months ago

Hi Oktay,

Excellent work summarizing Windows Information Protection.
Just sharing my journey with WIP. I have used it before but ran into some limitations, and one of the limitations forced me to stop using it in production because the user couldn’t print from a shared printer; it somehow encrypted the driver on that PC and the user wasn’t able to add the printer from a new PC. You can add the printer, but only before applying WIP.

Tried to exclude the printer IP addresses and the print server, but that didn’t fix it either.

Thanks!
Moe

Harry Dubois, 6 months ago

I had a strange thing this week: after using WIP, I was not able to copy text within the Office 365 applications. So I typed some text and copied it in the same Word document, but was unable to copy. In Task Manager I see winword.exe as a corporate application. I am also missing the briefcase icon. What is wrong here?

Nhan Le, 2 months ago

Hello Oktay,

Your post is very helpful.

How about RDP?

For example:

  1. I’ve configured WIP for both scenarios: Enrollment and Without Enrollment for Windows 10 laptop (I will call it “Laptop A”)
  2. I’m using Laptop B to connect to Laptop A via RDP and try to copy/paste org data to Laptop B, and it worked?!!!

It’s supposed to block pasting org data via RDP! Any thoughts?