Part 4 – Create & Deploy Windows Information Protection with Microsoft Intune
In this blog series on Windows Information Protection (WIP) I will give you some more insight into what WIP is, how it works and how to create & deploy WIP policies with Configuration Manager and Microsoft Intune.
- Part 1 – Introduction: Enterprise Data Protection – Under the hood
- Part 2 – Retrieve Desktop & Universal Application Information with PowerShell
- Part 3 – Create & Deploy Enterprise Data Protection with Configuration Manager Current Branch
- Part 4 – Create & Deploy Enterprise Data Protection with Microsoft Intune
In this 4th blog post I’ll outline how to create & deploy Windows Information Protection policies to Windows 10 devices with Microsoft Intune.
Prerequisites
Before we can deploy Windows Information Protection policies we need some basic information, including the protected applications and the corporate network locations. This is needed to define which protected apps can access corporate data on which corporate network locations. See my previous EDP blog posts Part 1 – Introduction: Windows 10 Enterprise Data Protection – Under the hood… and Part 2 – Define Privileged Desktop & Universal Applications for Enterprise Data Protection for how to define corporate network locations and protected applications.
Create a New Policy
Open the Intune administration console and go to the Policy node. Click Add Policy in the Tasks area. Go to Windows, select the Enterprise Data Protection (Windows 10 and Mobile and later) policy, click Create and Deploy a Custom Policy, and then click Create Policy.
Add a Universal App
From the Configure the following apps to be protected by EDP pane in the Protected Apps area, click Add.
Select Universal App, type the Publisher Name and the Product Name into the associated boxes. In this example we are defining Microsoft Excel 2016 mobile app as protected app.
Get-AppxPackage | select name, publisher | where {$_.name -like "*Excel"} | fl
Name : Microsoft.Office.Excel
Publisher : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Copy the Publisher value and paste it into the Publisher Name box, and the Name value into the Product Name box of the Add app box, and then click OK.
Add a Desktop App
Select Desktop App, type the Publisher Name and the Product Name into the associated boxes. In this example we are defining Microsoft Excel 2016 as a protected app.
Get-AppLockerFileInformation -Path "<path of the exe>"
Where "<path of the exe>" is the location of the app on the device. For example, Get-AppLockerFileInformation -Path "C:\program files (x86)\Microsoft Office\Root\Office16".
Get-AppLockerFileInformation -Directory "C:\program files (x86)\Microsoft Office\Root\Office16" -Recurse -FileType Exe | where {$_.path -like "*winWord.exe"} | fl
Path : %PROGRAMFILES%\MICROSOFT OFFICE\ROOT\OFFICE16\WINWORD.EXE
Publisher : O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE,16.0.4266.1003
Hash : SHA256 0x75BB2A96B0341CF6E8FD127CC754AF69E6F95CCC95B7CFCA264EF310D6051A09
AppX : False
Copy the Publisher value and split it up into the Publisher Name, Product Name, File Name and Version (if required) boxes of the Add app box, as shown in the note below, and then click OK.
Note!
Where O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US is the publisher name to enter in the Publisher box.
Where MICROSOFT OFFICE 2016 is the Product name to enter in the Product Name box.
Where EXCEL.EXE is the file name to enter in the File Name box. (If you leave the default value *, all Office programs (.exe) will be defined as protected.)
Where 16.0.4266.1003 is the version to enter in the Version box.
Repeat the above steps to define further protected apps as needed.
Note! For a complete and detailed overview of retrieving application information, see Part 2 – Define Privileged Desktop & Universal Applications for Enterprise Data Protection.
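As an added example that is not part of the original post, the following PowerShell function splits the AppLocker Publisher string into the four fields the Intune Add app box asks for (Publisher Name, Product Name, File Name, Version), as described in the note above. The function name is hypothetical; the WINWORD.EXE sample is the value shown in the output above and the EXCEL.EXE sample is constructed.

```powershell
# Added example, not code from the original post. Splits the Publisher string
# that Get-AppLockerFileInformation returns into the Intune "Add app" fields.
function ConvertFrom-AppLockerPublisher {
    [CmdletBinding()]
    param(
        # Layout: <Publisher DN>\<Product Name>\<Binary Name>,<Binary Version>
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$PublisherString,

        # Use "*" for File Name and Version so every .exe of the product is
        # protected, the behaviour the note above describes for the default.
        [switch]$WholeProduct
    )
    process {
        # The DN contains commas but no backslashes, so split on "\" first.
        $parts = $PublisherString -split '\\'
        if ($parts.Count -ne 3) {
            throw "Unexpected AppLocker publisher string: '$PublisherString'"
        }
        # Only the last comma separates the binary name from its version.
        $binary, $version = $parts[2] -split ',(?=[^,]*$)', 2

        $fileName    = $binary
        $fileVersion = $version
        if ($WholeProduct) { $fileName = '*'; $fileVersion = '*' }

        [pscustomobject]@{
            PublisherName = $parts[0]
            ProductName   = $parts[1]
            FileName      = $fileName
            Version       = $fileVersion
        }
    }
}

# Sample input: the WINWORD.EXE value from the output above plus a constructed
# EXCEL.EXE value with the same version, so this runs on any PowerShell host.
$samples = @(
    'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE,16.0.4266.1003'
    'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\EXCEL.EXE,16.0.4266.1003'
)
$samples | ConvertFrom-AppLockerPublisher | Format-List
$samples[0] | ConvertFrom-AppLockerPublisher -WholeProduct | Format-List

# On a Windows 10 device the live AppLocker data can be fed in the same way:
# Get-AppLockerFileInformation -Directory "C:\Program Files (x86)\Microsoft Office\Root\Office16" -Recurse -FileType Exe |
#     ForEach-Object { $_.Publisher.ToString() } | ConvertFrom-AppLockerPublisher
```

Check the Version field before pasting it: entering a specific version protects only that build, which is why the Version box is marked as optional above.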
Choose EDP management mode for your enterprise data
After you’ve added the apps you want to protect with EDP, you’ll need to apply an app management mode. In this example we’re selecting Override.
Choose where apps can access enterprise data
After you’ve added a management mode to your protected apps, you’ll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.
To specify where your protected apps can find and send enterprise data on the network, type the name of your primary domain in the Primary domain section of the Protected Apps area. You can specify all the domains owned by your enterprise, separating them with the “|” character. For example, ronnydejong.sharepoint.com. The first listed domain (in this example, ronnydejong.com) is used to tag files accessed by any app on the Protected App list.
To add other network locations your apps can access, you can click Add, and then choose your location type, including:
Add as many locations as required, and then click OK. In the optional Use a data recovery certificate in case of data loss box, click Browse to add a data recovery certificate for your policy. Adding a data recovery certificate helps admins access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP protected data from the Windows 10 company computer.
Optional EDP-related settings
- Block the user from decrypting data that was created or edited by the apps configured above. Clicking Yes or Not configured lets your employees right-click to decrypt their enterprise data for protected apps. As I want to show you how EDP kicks in when simulating a data leak scenario, we leave the default value Not Configured.
- Protect app content when the device is in a locked state for the protected apps. Clicking Yes lets EDP help to secure protected app content when a mobile device is locked. It’s recommended to turn this option on to help prevent data leakage for things such as email text that appears on the lock screen of a Windows 10 Mobile phone.
Deploy Windows Information Protection (WIP) policy
After you’ve created your Windows Information Protection (WIP) policy, you’ll need to deploy it to your organization’s enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
Use policies to manage computers and mobile devices with Microsoft Intune
The proof of the pudding is in the eating
Now that we have successfully deployed a WIP policy, you’ll see that when it kicks in the protected apps (Office Excel 2016 and Excel Mobile) show a subtle visual indicator that the app is protected by EDP.
The same applies when we open Excel 2016 and Excel Mobile, which are both identified as managed.
When we simulate a data leak scenario by accidentally copying data out of this protected Word document, we get prompted to confirm that this is really our intention. We get this prompt because we set the app management mode to Override earlier. We are now able to leak the data on purpose.
The same applies when saving the document: by default it will automatically be encrypted when storing it locally or on any other network location beyond your corporate network boundaries.
Conclusion
When managing Windows 10 devices, Configuration Manager Current Branch will be able to create and deploy configuration items for Windows 10 Windows Information Protection (WIP). WIP helps you restrict company data sharing and leaking, or alert on and audit it. Configuration Manager WIP configuration items will manage the list of apps protected by WIP, enterprise network locations, protection level, and encryption settings.
Additional information about Enterprise Data Protection
- Protect your enterprise data using enterprise data protection (EDP)
- Create and deploy EDP policies with Intune or Configuration Manager
- Understand the implications for apps and the cases where apps need updating
- Execute a series of testing scenarios to help them understand the scope of EDP
Hi Ronny, great blog – many thanks!
I have a quick question – I have tried testing this and it seems to partially work. Is it possible to define only resources (e.g. SharePoint Online) and have all locally stored data encrypted, regardless of how it is accessed? For example, if I only define SharePoint Online and IE in my EDP policy, can I prevent the data being copied locally with Chrome or Firefox?
Thanks,
Dave
Hi Dave, many thanks for reaching out! In your scenario you have to define all your other browsers (e.g. Chrome or Firefox) as protected apps. Check the following link for an overview of all test scenarios with EDP: https://technet.microsoft.com/en-us/library/mt670969(v=vs.85).aspx
Hope this helps,
Hi Ronny, thanks for your reply.
Maybe I’m missing something, but if using EDP in BYOD scenarios, is it not impossible to prevent a user from adding an application you are unfamiliar with and access your enterprise data from that application? You could, for example, add all the browsers you could think of to your list of protected apps and the user can still install some other browser that you’re not aware of. Data copied locally with these applications would then be unencrypted, correct?
Thanks,
Dave
No, you are still good in this scenario. Once you have protected (encrypted) the data you are only able to access/open it with a protected app.
Hi Ronny, good learning.
But what if my testing environment doesn’t have AD and I use stand-alone Intune to manage my device, with all accounts created in the Azure Portal?
This means I don’t have a corporate identity or a corporate network definition -> Enterprise Network Domain Names and Enterprise IPv4 Range.
I use my testing Intune domain carriech.onmicrosoft.com and my personal LAN IP range 10.0.0.2-10.0.0.50.
Sir,
I have some questions I hope you can and will answer.
1) Does WIP only encrypt files/data on the user’s device?
2) Can files on a file share also become encrypted by WIP?
3) What happens when an app is not on the allow list and tries to open/save a file on a configured Cloud Resource?
4) What happens when an unenlightened app tries to open/save a file from a configured Cloud Resource?
5) Is it possible to add a file share to WIP? Is adding only the domain name sufficient?
6) If user1 saves a WIP protected document on a file share, can user2 open it?
Hi Nils,
The intention of WIP is to prevent data leakage by defining trusted apps and corporate (network) boundaries, which allows you to differentiate between a personal and a corporate context. Data which is identified as corporate is protected, so when the data is stored/saved outside the corporate context on your device it’s protected (encrypted). When it’s within the corporate context (which can be both cloud or on-premises) it’s not protected, as it ‘lives’ on a trusted location (based on your network location definition). With apps which are not trusted you can create/save a file within the corporate context, however it can’t be opened afterwards. Unenlightened apps which are not exempted can’t open/save a file from a cloud resource which is defined as corporate. It’s a hassle, but in theory you should be able to define a policy which results in your file shares being indicated as corporate. This should be a combination of domain name and IP boundaries (domain namespace only won’t work). If user 1 saves a WIP protected document on a file share outside the corporate context, user 2 isn’t able to open the document. When it’s saved on a file share within the corporate context the document isn’t protected.
Hope this helps!
Hi Ronny,
That answer is really helpful and I totally understand the concept and the working of WIP now. Thanks for your time and detailed reply. Also, keep on with this great blog.