Windows Information Protection…notes from the field! #MSIgnite
Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps organizations to protect corporate data against potential data leakage.
The concept is fairly simple and is actually based on defining two lists:
- A corporate boundary list, which represents both on-premises & cloud network locations where managed apps can access corporate data;
- A list of managed (trusted) apps, which are allowed to open, modify & store corporate data within the corporate boundary list.
In this blog we will look at some practical examples that you have to consider for a successful implementation of Windows Information Protection, including a top 4 of recommended practices.
Define your corporate identity
During the initial deployment we were facing issues with applications like Intune Company Portal (Store App), Dynamics CRM (Store App), Power BI (Store App) and Skype for Business (Desktop App). What these applications have in common is the fact that we need to log on with corporate credentials (identity) before we’re able to use the applications.
Corporate identity, usually expressed as your primary Internet domain (for example, inovativ.nl), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by Windows Information Protection policies. The same applies to the apps mentioned above, which were restricted because they were not managed.
After we added Intune Company Portal, Dynamics CRM, Power BI and Skype for Business to the managed app list we were able to use the applications again.
You can specify multiple domains owned by your enterprise by separating them with the “|” character, for example (inovativ.nl|inovativ.be|livecare.nl). With multiple domains, the first one is designated as your corporate identity and all of the additional ones are treated as being owned by the first one. It’s recommended that you include all of your email address domains in this list.
Corporate Network boundaries
There is a big chance that you have your corporate data in the cloud. It is therefore all the more important that these cloud locations are within the defined corporate network boundaries, to ensure that only your managed applications are able to access this data. Below is an overview of some examples of cloud network locations you can define; the list may vary based on the number of cloud services used.
| Cloud Service(s) | URL | Application(s) |
|---|---|---|
| SharePoint Online | <yourdomain>.sharepoint.com | OneDrive for Business, OneNote (Desktop App) |
| SharePoint MySite | <yourdomain>-my.sharepoint.com | OneDrive for Business, OneNote (Desktop App) |
| Power BI | app.powerbi.com | Microsoft Power BI (Store App) |
| Dynamics CRM Online | <yourdomain>.crm4.dynamics.com | Microsoft Dynamics CRM (Store App) |
| Exchange Online | outlook.office365.com | Microsoft Outlook (Desktop App) |
During the deployment we were facing issues with the default Office applications like Excel, PowerPoint & Word. The same applies to OneDrive for Business, OneNote & Outlook 2016. We couldn’t synchronize files with OneDrive for Business and weren’t able to open and edit Office documents located on SharePoint Online.
In order to be able to access corporate data on the above cloud locations we had to add the complete Office 2016 suite to the managed application list. The same applies to any additional browser of choice from which you want to edit your Office documents online. Instead of defining the Office applications separately we added the Office 2016 suite as a whole by using the following application rule.
By adding the complete Office suite, including Office Mobile and the browser (Internet Explorer, Chrome or Firefox) of choice, we remain productive and protect corporate data from accidental data leakage at the same time.
Another aspect of defining your managed applications is the difference between desktop and store (modern/UWP) applications. As OneNote 2016 has a different product name than Office 2016, we had to add OneNote as a separate desktop app complementary to the Office 2016 suite.
Adding OneNote as managed app solved this challenge…at least for the OneNote desktop version.
OneNote Desktop App
Get-AppLockerFileInformation -Directory "C:\Program Files (x86)\Microsoft Office\Root\Office16\" -Recurse -FileType Exe | Where-Object { $_.Path -like "*onenote*" } | Format-List
OneNote is an exception as it’s available as both a desktop and a store application. In order to ensure OneNote is working we had to add both application types to the managed application list.

OneNote Universal (Store) App
Get-AppxPackage | Select-Object Name, Publisher | Where-Object { $_.Name -like "*onenote*" } | Format-List
So the solution was obvious: adding the OneNote store app to the managed application list.
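The two lookups above differ because WIP identifies a desktop app by the publisher, product and binary name in its code-signing certificate, while a store app is identified by its package name and publisher. The following PowerShell, an added example rather than code from the original post, wraps both lookups in functions that return exactly those fields for a given name filter; the function names are this example's own, and the Office path is the one quoted in the post.

```powershell
# Added example (not from the original post): collect the identifiers WIP needs
# for the two application types discussed above. Function names are this
# example's own; the Office16 path is the one used earlier in the post.

function Get-WipDesktopAppIdentity {
    # Desktop (Win32) apps are matched on publisher, product name and binary
    # name, which AppLocker reads from the executable's digital signature.
    param(
        [Parameter(Mandatory)][string]$Directory,
        [string]$NameFilter = '*'
    )
    Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType Exe |
        Where-Object { $_.Path -like "*$NameFilter*" -and $_.Publisher } |
        ForEach-Object {
            [pscustomobject]@{
                Type      = 'Desktop'
                Publisher = $_.Publisher.PublisherName
                Product   = $_.Publisher.ProductName
                Binary    = $_.Publisher.BinaryName
                Version   = $_.Publisher.BinaryVersion
            }
        }
}

function Get-WipStoreAppIdentity {
    # Store (UWP) apps are matched on package name and publisher from the
    # package manifest; no file path is involved.
    param([string]$NameFilter = '*')
    Get-AppxPackage |
        Where-Object { $_.Name -like "*$NameFilter*" } |
        ForEach-Object {
            [pscustomobject]@{
                Type      = 'Store'
                Publisher = $_.Publisher
                Product   = $_.Name
                Binary    = $null
                Version   = $_.Version
            }
        }
}

# Unsigned binaries have no Publisher and are filtered out above: WIP cannot
# identify them with a publisher rule, so they need a separate path rule.
$office = 'C:\Program Files (x86)\Microsoft Office\Root\Office16\'
Get-WipDesktopAppIdentity -Directory $office -NameFilter 'onenote'
Get-WipStoreAppIdentity -NameFilter 'onenote'
```

Running it with the default filter (`'*'`) over the Office16 directory lists every signed executable in the suite, which is a quick way to see which product names a suite-wide rule has to cover.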
Windows 10 Mobile Experience
So now we’re all good…or so you thought! As you probably already know, Windows Information Protection is available for both Windows 10 and Windows 10 Mobile. The same challenges on Windows 10 were also applicable on Windows 10 Mobile, with the understanding that most applications worked once they were added to the managed application list.
Since the Windows Information Protection policy was applied to our Windows 10 Mobile devices we couldn’t use the Microsoft Calendar & Outlook app. Both mail and agenda items couldn’t sync since then.
The challenging part here was to retrieve the application information of the Microsoft Calendar & Mail app in order to add it to the managed applications list. As it’s a Universal Windows app, the code base is the same for both Windows 10 and Windows 10 Mobile. Therefore we could retrieve the application information from a Windows 10 device on which the Microsoft Calendar & Mail app is installed.
The rest is history. After adding the Microsoft Calendar & Mail app to the managed application list we were able to receive and send e-mail.
Lessons learned
To achieve a successful implementation of Windows Information Protection, it is important that you have a clear understanding of what your scope is. Understand which corporate identities exist within your organization and which you want to operate with Windows Information Protection. Defining corporate identities might lead to (temporary) non-functioning of your applications.
- Tip 1: Identify your corporate identities which are in scope;
- Tip 2: Identify your applications which explicitly use corporate identities;
- Tip 3: Have an overview of applications utilizing data which are within your corporate network boundaries;
- Tip 4: Define managed applications first, secondly your network boundaries;
Furthermore, it is important that the relationship between the (desktop & store) applications you currently use and the definition of your corporate network locations, whether on-premises or cloud, is clear.
Hello Ronny, this is a very interesting technology and your posts about it on your blog are fun to read!
Are there any prerequisites for deploying WIP? Such as TPM or an enabled BitLocker?
This is a very interesting technology and I have read your posts about it extensively! Thanks for the clear explanation. Are there any prerequisites to implementing WIP, such as RMS, TPM or BitLocker?
Hi Arnout,
Great to hear the blogs are informative and helpful to you. The only requirements/prerequisites you have to meet are Windows 10 Anniversary build (1607) and a management tool, preferably Microsoft Intune or Configuration Manager (1606). It could also be a 3rd party MDM solution but it’s harder to manage and keep track of auditing.
Regards, Ronny
Hi there,
I have attempted to create and re-create a WIP policy for my test Azure AD \ WIN10 MDM managed devices and have yet to get the policy to show up!
I followed your Office 2016 model and defined my corporate domains, and provided a generic IPv4 range. Is this all I need to do to allow this to apply?
Yes, in a nutshell you require Windows 10 (1607) or higher, defining your corporate boundaries and managed/allowed apps, setting your identity and configuring your level of protection. Further, make sure your device is managed properly by Intune and finally make sure your defined policies get applied by checking the registry keys below:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDataProtection\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DataProtection
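A quick way to do the check described in the reply above is to test for both registry keys from PowerShell on the enrolled device. This is an added example, not code from the original thread; the function name is this example's own, and it does not assume any particular value names under the keys, it simply lists whatever the policy wrote there.

```powershell
# Added example (not from the original thread): confirm on a managed device that
# a WIP policy actually arrived, using the two registry keys quoted above.
# Function name is this example's own; value names are listed, not assumed.

function Test-WipPolicyApplied {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\EnterpriseDataProtection\Policies',
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DataProtection'
    )
    $details = foreach ($key in $keys) {
        if (Test-Path -Path $key) {
            $item = Get-ItemProperty -Path $key
            # Drop the PS* bookkeeping properties so only policy values remain.
            $values = $item.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
            [pscustomobject]@{ Key = $key; Present = $true;  Values = ($values -join '; ') }
        } else {
            [pscustomobject]@{ Key = $key; Present = $false; Values = $null }
        }
    }
    # The policy counts as applied only when both keys exist; a single missing
    # key usually means enrollment or the MDM sync has not completed yet.
    [pscustomobject]@{
        Applied = -not ($details | Where-Object { -not $_.Present })
        Details = $details
    }
}

$check = Test-WipPolicyApplied
$check.Details | Format-Table -AutoSize
"WIP policy applied: $($check.Applied)"
```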