Part 1 – Introduction: Windows 10 Enterprise Data Protection – Under the hood…
UPDATE: Enterprise Data Protection is available again from Windows 10 Version 1511 rs1 builds if you want to test Enterprise Data Protection!
UPDATE: Stay on Windows 10 Version 1511 th2 build 10576 if you want to test Enterprise Data Protection!
In this blog I’ll cover a brand new Windows 10 feature, Enterprise Data Protection (EDP). The Microsoft Intune product team recently announced EDP policies as part of the Intune October service update. With this update you’re able to create and deploy configuration policies for Windows 10 enterprise data protection (EDP) settings, such as the list of apps that should be protected by EDP, enterprise network locations, protection level, and encryption using the new Windows 10 Enterprise data protection template.
In a series blog posts I will provide some guidance how EDP works and how to configure protected apps, Configuration Manager and Microsoft Intune.
- Part 1 – Introduction: Enterprise Data Protection – Under the hood
- Part 2 – Retrieve Desktop & Universal Application Information with PowerShell
- Part 3 – Create & Deploy Enterprise Data Protection with System Center Configuration Manager Current Branch (1511)
- Part 4 – Create & Deploy Enterprise Data Protection with Microsoft Intune
- Part 5 – Enterprise Data Protection & Azure RMS better together
In this blog I’ll show you how to configure and apply EDP to your Windows 10 devices. Including some experiences from the field.
Windows 10 by far most secure Enterprise Client Operating System
Enterprise Data Protection is alongside with Microsoft Passport (Hello), Credential Guard and Device Guard one of a kind enterprise grade security features which makes Windows 10 by far the most secure enterprise client operating system available.
Enterprise scenarios
Enterprise Data Protection addresses currently the following enterprise scenarios:
- You can encrypt enterprise data on employee-owned and corporate-owned devices.
- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
- You can select specific apps that can access enterprise data, called “privileged apps” that are clearly recognizable to employees. You can also block non-privileged apps from accessing enterprise data.
- Your employees won’t have their work interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
Levels of protection
EDP lets you decide to block, allow overrides, or audit your employee’s data sharing actions. Blocking the action stops it immediately, while allowing overrides let the employee know there’s a problem, but lets the employee continue to share the info, and audit just logs the action without stopping it, letting you start to see patterns of inappropriate sharing so you can take educative action. You can set Enterprise Data Protection to 1 of 4 protection levels:
- Block. EDP looks for inappropriate data sharing and stops the employee from completing the action.
- Override. EDP looks for inappropriate data sharing, letting employees know whether they do something inappropriate. However, this protection level lets the employee override the policy and share the data anyway, while logging the action to your audit log.
- Audit. EDP runs silently, logging inappropriate data sharing, without blocking anything.
- Off. EDP isn’t active and doesn’t protect your data.
HKLM\Software\Microsoft\EnterpriseDataProtection\Policies
| Setting | Value | |
| EDPEnforcementLevel | 0 | Off |
| 1 | Override | |
| 2 | Silent | |
| 3 | Block |
Configure Enterprise Data Protection policy
Using EDP you can control the set of apps that are made “privileged apps” or apps that can access and use your enterprise data. After you add an app to your privileged app list, it’s trusted to use enterprise data. All apps not on this list are treated as personal and are potentially blocked from accessing your corporate data, depending on your EDP protection-level.
1. Add new Windows policy and select Enterprise Data Protection (Windows 10 Desktop and Mobile and later). Provide a name and a description followed by configuring protecting apps. You can configure 2 application types, Universal and Desktop apps. In this example I configure a rule for desktop apps and uses the default wildcard.
NOTE! This is not recommended as all applications (executable) are indicated as privileged (insecure) and slows down your system performance!
2. Next step we’ll configure the protection level. In this example we select the Override mode as protection level.
3. Next step we’ll configure the network locations which the privileged apps has access to. Applications which aren’t configured are therefore not able to access corporate resources on these network locations. There are 6 network locations available which can be defined.
- Enterprise Cloud Domain
- Enterprise Network Domain
- Enterprise Proxy Server
- Enterprise Internal Proxy Server
- Enterprise IPv4 Range
- Enterprise IPv6 Range
4. Lastly there are 3 remaining settings available which can be configured. These settings allows you for example to use Azure RMS alongside with Enterprise Data Protection.
5. After we successfully created an Enterprise Data Protection policy we deploy this policies to users with a Windows (Mobile) 10 device.
The User Experience
First thing users will notice – once the Enterprise Data Protection policy became active – is that privileged applications will be identified as managed in the start menu.
Downloading content from a location like SharePoint or a network file share, or an enterprise web location, such as Office365.com automatically determines that the content is enterprise data and is encrypted as such, while it’s stored locally. The same applies to copying enterprise data to something like a USB drive. Because the content is already marked as enterprise data locally, the encryption is persisted on the new device. Privileged applications are notified with an EDP window which indicates the application is protected by your organization.
Once we want to save our document locally – and thus not on a corporate network location defined earlier – the document will automatically encrypted. In this scenario once the document leaves “unintentional” the organization – aka data leakage – the document is by default encrypted and therefore useless.
If we open Windows Explorer you’ll notice the document is encrypted and can be identified by an lock icon. Optionally users are able to manually undo encryption of secured documents, if allowed by your organization.
When copy/paste data from documents which are located on the defined corporate network location(s) users will be prompted that copied data is losing encryption. This applies to an scenario where override protection is configured. If block protection level is enabled users won’t be able to perform the copy/paste action.
Resume
EDP helps protect your enterprise data from leaking to other devices while transferring or moving between them. For example, if an employee puts corporate data on a USB key that also includes personal data, the corporate data remains encrypted even though the personal information remains open. Additionally, the encryption continues when the employee copies the encrypted content back to another corporate-managed device
Enterprise Data Protection under the hood
For those who want to have some more insights about how Enterprise Data Protection works on your Windows 10 device hereby some details (eventvwr & registry keys).
HKLM\Software\Microsoft\PolicyManager\current\device\DataProtection
HKLM\Software\Microsoft\EnterpriseResourceManager\Tracked\{GUID}\Device\Default
Windows Event viewer:
- Microsoft Windows EDP Audit Regular Channel
- Microsoft Windows EDP Audit TCB Channel
Sources
Enterprise Data Protection overview https://technet.microsoft.com/en-us/library/dn985838(v=vs.85).aspx
Categories
Modern Workplace 
Hi Ronny. Great article, I have been testing EDP myself for a couple of days. Can you tell me which Win 10 build release you are using? Also have you tried creating a policy for a specific desktop app? I think it uses a publisher based rule for desktop apps (not file) but cannot get it to work using the info from AppLocker XML I have got some universal apps to work but not desktop. Thanks. Mark.
Hi Mark, I’ve started implementing EDP from Windows 10 Enterprise (Version 1511 Build 10576). I’ve to sort out the desktop opt-in as I’m challenging the same. Therefore I’ve used a star (*) as wildcard (not recommended!). Keep you updated when the magic happens! ;-)
Hi Ronny. Ah ok… glad I am not alone then :-). Some other documentation I have suggested using the publisher name from the Digital Signatures tab on the .exe but I think that is related to a file based rule. From what I can see in the registry after applying the Intune policy the new Intune rules do definitely create a publisher based one… if you manage to get to the bottom of it let me know! Thanks. Mark.
Hi Ronny.. just one quick question, sorry. You said you started with 10576 but are you using 10586 for your current testing? The reason I ask is that I cannot get some of the MDM settings to apply on 10576 although EDP is functioning to a degree. However on my 10586 install EDP seems completely broken… if you are using 10586 and it is working I will build a clean system. Thanks. Mark.
ICYMI: Enterprise Data Protection is disabled in Windows 10 th2 bld 10586! #WindowsInsiders #Windows10 #EDP #Intune #EMS
Unfortunately Enterprise Data Protection did not make it into the Windows 10 November update which is a bit of a shame as we can’t use the feature in production before Redstone 1 will be released.
EDP will be available again in the upcoming RS1 Insiders Preview Build.
Hi Mark, after installing 10586 I’m experiencing issues as well. My user profile seems broken and I can’t open Office (2016) applications anymore.
-Word could not create the work file. Check the temp environment variable.
-A problem occurred while repairing the Microsoft Office Document Cache
-The file C:\Users\\AppData\Local\Microsoft\Outlook\.ost cannot be opened.
When disabling EDP everything is working back to normal. Although I’m configuring not in an recommended setup. Stay tuned.
Hi Ronny… yes so what I noticed is that in 10586 I can configure EDP via Intune and the policies apply. If I make Edge managed then when I launch it I see the notification that any files will be protected. However the “managed” status never appears on the tile or start menu entry, data leakage is not prevented and there is no right-click option in explorer to protect a document.
I assume it is disabled in this build as per your previous comment.. :-(. I would be happy testing with 10576 but for some reason I cannot get all the policies to apply (like EnterpriseCloudResources). I see errors in the event log for those settings. What I would like to show is Edge or the Windows 10 mail app just protecting corporate resources (not the whole app) but it’s not clear to me whether they are fully enlightened to do this and even if they are whether it really works…
I am just going to try custom URI on 10576.
Mark.
Hi Ronny,
Do you have any information about :
– the encryption key
– the encryption “continuity” : is the data uploaded in encrypted state on Onedrive or Office365 ? or just encrypted locally ?
Thanks for this nice post :-)
Thanks Vince. I would but time is my worst enemy. I’m waiting when a new insiders build is release to continu testing EDP and will take these topics into account. Stay tuned!
Hi Ronny, is the actual Technical Preview 14257 compatible with EDP?
Thank you for reading my blog! I’ve performed some minor tests with the latest Insider Preview build. So far the current behavior is somehow odd to me, EDP has been more stable in previous builds, however take into account it’s still not final. Further I noticed some new registry settings, it’s seems Microsoft is shifting/(re)allocating EDP settings.
So be cautious testing EDP, it’s certainly not production ready. Will keep you informed through my blog.
We are all waiting for you Ronny… no pressure ;-). Mark.
Hi Ronny!
I cannot find a way to assign EDP via SCCM 1511. Can you point me where is it?
Do you have any info about “server side”? To protect documents from copying on terminal server.
Hi Sergey, stay tuned as I’ve this scheduled for this week to post! Ronny
Does using the EDP require that a SCCM or Intune client be running on the windows 10 machine? (or any client?) We are looking for a way to protect Enterprise data running on Windows 10 non-corporate owned or managed machines (Surface pros, not mobile). Is this a clientless solution?
Good question! No, EDP doesn’t require neither a Configuration Manager nor a Microsoft Intune client. It’s natively available to Windows (Mobile) 10 managed devices/pc’s through MDM-management channel. In theory this should work in a full client managed scenario however I didn’t tested myself. Take into account EDP is only applicable to managed devices, this puts your BYOD devices under a managed scenario.
Regards,Ronny
Does that mean it is Clientless for full blow Windows 10 also? I.e. no mobile?
Yes it’s clientless for Windows 10 including Windows 10 Mobile (prereq: managed through MDM channel (e.g. Microsoft Intune standalone or Hybrid)
Last question (no promises), is this only available in Enterprise editions of Windows?
Read my previous blog https://ronnydejong.com/2015/11/09/enterprise-data-protection-under-the-hood/ EDP is available for Windows 10 Professional, Enterprise and Education.
Hi Ronny,
Is it possible for IT admin to define which share drive is protected by EDP, while others may not need the protection. In daily operations, users have to share some non-sensitive data with external parties.
Thanks for sharing info. Your blog is very useful.
Kelvin
Interesting question! I do not believe file share’s are the intended purpose of applying EDP. Yes, based on your network definitions you are able to define implicit your corporate network boundaries where your file share’s are in. However you can’t explicit define your file share’s being protected or not. In my opinion it’s almost undoable and a crime to manage and maintain.
Regards, Ronny
Hi Kelvin.
You can use Azure AD RMS and Windows Server to reach this goal.
https://blogs.technet.microsoft.com/filecab/2014/10/29/automatic-rms-protection-of-non-ms-office-files-using-fci-and-the-rights-management-cmdlets/