Part 4 – Create & Deploy Windows Information Protection with Microsoft Intune


In this blog series on Windows Information Protection (WIP) I will give you some more insight into what WIP is, how it works, and how to create and deploy WIP policies with Configuration Manager and Microsoft Intune.

In this 4th blog post I’ll outline how to create and deploy Windows Information Protection policies to Windows 10 devices with Microsoft Intune.

Prerequisites

Before we can deploy Windows Information Protection policies we need some basic information, including the protected applications and the corporate network locations. This defines which protected apps can access corporate data on which corporate network locations. See my previous EDP blog posts Part 1 – Introduction: Windows 10 Enterprise Data Protection – Under the hood… and Part 2 – Define Privileged Desktop & Universal Applications for Enterprise Data Protection for how to define corporate network locations and protected applications.

Create a New Policy

Open the Intune administration console, and go to the Policy node. Click Add Policy from the Tasks area. Go to Windows, select the Enterprise Data Protection (Windows 10 and Mobile and later) policy, click Create and Deploy a Custom Policy, and then click Create Policy.


Add a Universal App

From the Configure the following apps to be protected by EDP pane in the Protected Apps area, click Add.


Select Universal App, then type the Publisher Name and the Product Name into the associated boxes. In this example we are defining the Microsoft Excel 2016 mobile app as a protected app.

Get-AppxPackage | select name, publisher | where {$_.name -like "*Excel"} | fl

Name        : Microsoft.Office.Excel
Publisher : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

Copy the Publisher value and paste it into the Publisher Name box, and the Name value into the Product Name box of the Add app box, and then click OK.


Add a Desktop App

Select Desktop App, type the Publisher Name and the Product Name into the associated boxes. In this example we are defining Microsoft Excel 2016 as a protected app.

Get-AppLockerFileInformation -Path "<path of the exe>"

Where "<path of the exe>" points to the location of the app on the device. For example, Get-AppLockerFileInformation -Path "C:\program files (x86)\Microsoft Office\Root\Office16".

Get-AppLockerFileInformation -Directory "C:\program files (x86)\Microsoft Office\Root\Office16" -Recurse -FileType Exe | where {$_.path -like "*winWord.exe"} | fl

Path      : %PROGRAMFILES%\MICROSOFT OFFICE\ROOT\OFFICE16\WINWORD.EXE
Publisher : O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE,16.0.4266.1003
Hash      : SHA256 0x75BB2A96B0341CF6E8FD127CC754AF69E6F95CCC95B7CFCA264EF310D6051A09
AppX      : False

Copy the Publisher value and paste it into the Publisher Name box; take the Path value and split it up into the Product Name, File Name and Version (if required) boxes of the Add app box, and then click OK.


Note!

Where O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US is the publisher name to enter in the Publisher box.

Where MICROSOFT OFFICE 2016 is the Product name to enter in the Product Name box.

Where EXCEL.EXE is the file name to enter in the File Name box (if you leave the default value *, all Office programs (.exe) will be defined as protected).

Where 16.0.4266.1003 is the version to enter in the Version box.

Repeat the above steps to define your protected apps as needed.
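The Publisher string that Get-AppLockerFileInformation prints has to be split by hand into the four boxes described in the note above. The following helper, an added example that is not part of the original post, does that split and runs it over every signed executable in an Office folder; the function names are my own, and unsigned binaries (no Publisher value, so no publisher rule is possible) are reported instead of silently skipped.

```powershell
# Added example (not from the original post). Splits an AppLocker Publisher
# string of the form <signer DN>\<product name>\<binary name>,<file version>
# into the values the Intune "Add app" box asks for.
function ConvertTo-WipDesktopAppRule {
    param(
        [Parameter(Mandatory)][string]$Publisher
    )
    # Split on backslash into at most 3 parts so commas inside the signer DN
    # (O=..., L=..., S=..., C=...) stay part of the publisher name.
    $dn, $product, $fileAndVersion = $Publisher -split '\\', 3
    if (-not $fileAndVersion) {
        throw "Unexpected publisher format: $Publisher"
    }
    # Last part is "<binary name>,<file version>".
    $fileName, $version = $fileAndVersion -split ',', 2
    [pscustomobject]@{
        PublisherName = $dn          # goes into the Publisher Name box
        ProductName   = $product     # goes into the Product Name box
        FileName      = $fileName    # goes into the File Name box (or * for all)
        Version       = $version     # goes into the Version box (optional)
    }
}

# Collects the rule values for every signed .exe under an install folder,
# using the same Get-AppLockerFileInformation call as shown above.
function Get-WipDesktopAppRules {
    param([Parameter(Mandatory)][string]$Directory)
    Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType Exe |
        ForEach-Object {
            if ($_.Publisher) {
                ConvertTo-WipDesktopAppRule -Publisher $_.Publisher.ToString() |
                    Add-Member -NotePropertyName Path -NotePropertyValue "$($_.Path)" -PassThru
            } else {
                # No signature means no publisher rule; WIP cannot protect it this way.
                Write-Warning "Unsigned, cannot be added by publisher: $($_.Path)"
            }
        }
}

# Constructed input: the WINWORD.EXE Publisher value from the output above.
ConvertTo-WipDesktopAppRule -Publisher 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE,16.0.4266.1003'

# Whole Office folder, e.g. the path used earlier in this post:
Get-WipDesktopAppRules -Directory 'C:\program files (x86)\Microsoft Office\Root\Office16' | Format-Table
```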


Note! For a complete and detailed overview of retrieving application information see Part 2 – Define Privileged Desktop & Universal Applications for Enterprise Data Protection

Choose EDP management mode for your enterprise data

After you’ve added the apps you want to protect with EDP, you’ll need to apply an app management mode. In this example we’re selecting Override.


Choose where apps can access enterprise data

After you’ve added a management mode to your protected apps, you’ll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.

Next, specify where your protected apps can find and send enterprise data on the network. In the Primary domain section of the Protected Apps area, type the name of your primary domain. You can specify all the domains owned by your enterprise, separating them with the “|” character. For example, ronnydejong.sharepoint.com. The first listed domain (in this example, ronnydejong.com) is used to tag files accessed by any app on the Protected App list.


To add other network locations your apps can access, you can click Add, and then choose your location type, including:

EDP Define protected network

Add as many locations as required, and then click OK. In the optional Use a data recovery certificate in case of data loss box, click Browse to add a data recovery certificate for your policy. Adding a data recovery certificate helps admins access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP protected data from the Windows 10 company computer.

Optional EDP-related settings

  • Block the user from decrypting data that was created or edited by the apps configured above. Clicking Yes or Not configured lets your employees right-click to decrypt their enterprise data for protected apps. As I want to show you how EDP kicks in when simulating a data leak scenario, we leave the default value Not Configured.
  • Protect app content when the device is in a locked state for the protected apps. Clicking Yes lets EDP help to secure protected app content when a mobile device is locked. It’s recommended to turn this option on to help prevent data leakage for things such as email text that appears on the lock screen of a Windows 10 Mobile phone.


Deploy Windows Information Protection (WIP) policy

After you’ve created your Windows Information Protection (WIP) policy, you’ll need to deploy it to your organization’s enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.

Use policies to manage computers and mobile devices with Microsoft Intune

The proof of the pudding is in the eating

Now that we have successfully deployed a WIP policy, you’ll see it kick in: the protected apps (Office Excel 2016 and Excel Mobile) show a subtle visual marker which indicates the app is protected by EDP.


The same applies when we open Excel 2016 and Excel Mobile, which are both identified as managed.


When we simulate a data leak scenario by accidentally copying data away from this protected Word document, we get prompted to confirm that this is really our intention. We get this prompt because we set the app management mode to Override previously. From here we are able to leak the data on purpose.


The same applies when saving the document: by default it is automatically encrypted when stored locally or on any other network location beyond your corporate network boundaries.


Conclusion

When managing Windows 10 devices, Configuration Manager Current Branch will be able to create and deploy configuration items for Windows 10 Windows Information Protection (WIP). WIP helps you restrict company data sharing and leaking, or alert on and audit it. Configuration Manager WIP configuration items will manage the list of apps protected by WIP, enterprise network locations, protection level, and encryption settings.

Additional information about Enterprise Data Protection

Sources


6 thoughts on “Part 4 – Create & Deploy Windows Information Protection with Microsoft Intune”

  1. Pingback: Deploy Enterprise Data Protection Policies with Intune - A Cloud Above the Rest

  2. Dave

    Hi Ronny, great blog – many thanks!
    I have a quick question – I have tried testing this and it seems to partially work. Is it possible to define only resources (e.g. SharePoint online) and have all locally stored data encrypted, regardless of how it is accessed. For example, if I only define SharePoint online and IE in my EDP policy, can I prevent the data being copied locally with Chrome or Firefox?
    Thanks,
    Dave

      1. Dave

        Hi Ronny, thanks for your reply.
        Maybe I’m missing something, but if using EDP in BYOD scenarios, is it not impossible to prevent a user from adding an application you are unfamiliar with and access your enterprise data from that application? You could, for example, add all the browsers you could think of to your list of protected apps and the user can still install some other browser that you’re not aware of. Data copied locally with these applications would then be unencrypted, correct?
        Thanks,
        Dave

  3. Mickey

    Hi Ronny, good learning.
    But if my testing environment doesn’t have AD and I use stand-alone Intune to manage my device, all accounts are created on the Azure Portal.
    Which means I don’t have my corporate identity, corporate network definition -> Enterprise Network Domain Names and Enterprise IPv4 Range
    I use my testing Intune domain carriech.onmicrosoft.com and my personal LAN IP 10.0.0.2-10.0.0.50
