WIP - Windows Information Protection

Windows Information Protection (WIP) – the basics

Certainly Windows Information Protection (WIP) is a great solution for companies who want to enable a bring-your-own-device solution and at the same time protect corporate data. In a previous blog I wrote about managing BYOD devices with Intune MAM Without Enrollment and how to manage BYOD with Intune MAM without the need to fully enroll devices into MDM. That blog post focused on mobile devices like phones and tablets running iOS or Android. Let’s have a look at the different options we have with WIP and how we can secure corporate data on Windows 10 without restricting users who want to work on their personal devices too much.

In this post I’ll give an introduction to Windows Information Protection (WIP) and talk about how to help protect organizations against data loss and leakage.

This post is part of a series and in upcoming posts will be about Microsoft Cloud App Security, Limiting Access to Exchange Online or SharePoint on unmanaged devices. Combining the power of these tools, will give you a great solution to enable a bring-your-own-device scenario. This first post in the series will focus on Windows Information Protection.

  1. Introduction to Windows Information Protection (this post)
  2. Configuring MDM user scope and MAM user scope
  3. Windows Information Protection without enrollment (WIP-WE / BYOD)
  4. Windows Information Protection with Enrollment
  5. Windows Information Protection User Experience
  6. WIP Learning mode
  7. Set up Azure Rights Management with WIP
  8. Monitoring and collecting WIP audit event logs
  9. Troubleshooting Windows Information Protection
  10. Microsoft Cloud App Security and unmanaged devices
  11. Limiting Access to SharePoint Online on unmanaged devices
  12. Limiting Access to Exchange Online on unmanaged devices

Data separation & Windows Information Protection

The main idea behind Windows Information Protection (WIP) is to keep work and personal data separate and protect corporate data. As a result, WIP can help reduce the risk of (accidental) data leaks through for example apps and email services like g-mail which are outside of the enterprise’s control. Therefore, WIP needs to know the difference between personal and work related data.

Corporate data

WIP adds a tag to corporate data defined by your corporate identity like contoso.com and network boundaries like contoso.sharepoint.com. Therefore data is automatically encrypted when saved from these corporate sources to your device using Windows Encrypting File System (EFS). In other words, WIP does not encrypt your files on SharePoint or OneDrive. It only encrypts corporate data saved to your device. Using WIP without enrollment (MAM), administrators can identify which apps are allowed to access corporate data and whether users can copy data from those files and then paste that data into personal documents.

Personal data

Performing a selective wipe will not delete personal files and when the user removes his or her workplace account only corporate data is removed. Protected corporate data will be revoked and inaccessible once a device is unenrolled from Azure AD. Administrators can also remotely wipe corporate data from the device while leaving personal data untouched.

Enlightened applications vs Unenlightened applications

There are two kinds of applications you need to know about; Enlightened applications (MAM aware) and Unenlightened (MAM Unaware) applications. The difference is that enlightened apps can differentiate between corporate and personal data whereas unenlightened apps cannot. Office 365 ProPlus apps like Word, Excel, PowerPoint, OneNote, and Outlook are enlightened apps. Google Chrome, Firefox or Wordpad are examples of unenlightened apps.

If you want unenlightened apps to be able to access corporate data and encrypt files, you will have to add it to the WIP policy as an allowed (managed) application. When you do configure unenlightened apps as corporate-managed they will consider all data to be corporate, encrypting everything created or edited by default so think about this before you add unenlightened apps. Microsoft recommends only adding LOB apps to your allowed apps list.

App Protection Policies with WIP

You can configure two kinds of policies for Windows Information Protection (WIP) to ensure corporate data remains safe or contained in a managed app. WIP with Enrollment in Mobile Device Management (MDM) and WIP Without Enrollment in MDM. Choosing the right solution will help you target the right group of users. WIP with enrollment in MDM  is for organizations managing devices using a MDM solution like Microsoft Intune. If you only want to manage the applications and data, you can use the  mobile application management (MAM) solution where there is no need to fully MDM enroll devices. A policy can be a rule that is enforced when the user attempts to copy/past corporate data to a unsanctioned application or location.

WIP with Enrollment

When you enroll a device in a mobile device management solution like Microsoft Intune you can manage the device from a central management portal. In most cases MDM enrolled devices will be corporate. These devices are targeted with WIP policies for enrolled devices (WIP With Enrollment) and you will have full control over these devices.

WIP without Enrollment (WIP-WE)

Users find full device management for BYO devices somewhat intrusive and rather prefer a less intrusive method where only the data in applications are managed. Assuming you don’t have automatic MDM enrollment enabled for your tenant, upon adding a work account the device will register in Azure AD and you will be able to manage corporate data without the need to fully manage the device with Microsoft Intune. These users can be targeted with WIP Without Enrollment (WIP-WE).

Windows information protection without enrollment is sometimes referred to as WIP-WE or MAM-WE. Mobile Application Management protects an organization’s data within an application. With MAM without enrollment (MAM-WE), an app that contains corporate data can be managed on corporate devices or personal devices in bring-your-own-device scenarios. MAM only manages the data in applications, where MDM can manage a device.


Prerequisites for WIP

To get you going you’ll need to have the following in place;

  • Intune enabled as the MDM authority
  • Windows 10 1703 and above (Pro, Enterprise, Education)
  • EMS E3 licenses (or at the very least Intune and Azure AD premium P1)
  • Configure your MAM provider in Azure AD (for WIP without enrollment)

Good to know

  • Windows Home edition supports WIP for MAM-only
  • WIP doesn’t support multi-identity. Only one managed identity per device
  • WIP protects enterprise data locally and on removable media
  • WIP gives admins the ability to revoke corporate data, while leaving personal data alone

Next steps

Read about Configuring MDM user scope and MAM user scope or skip to configuring Windows Information Protection without Enrollment (WIP-WE)


Leave a Reply

1 Comment threads
0 Thread replies
Most reacted comment
Hottest comment thread
1 Comment authors
Brian Hastings Recent comment authors

This site uses Akismet to reduce spam. Learn how your comment data is processed.

newest oldest most voted
Notify of
Brian Hastings

Great post! In fact, I hired an enterprise mobility management service recently and will share this knowledge with my team as well. Keep up the good work.