In this post, I’ll give an overview of Windows Information Protection (WIP)/Enterprise Data Protection (EDP) policy configuration and the Windows 10 EDP end-user experience. What is WIP/EDP? It is very important to understand that WIP is an accidental data-leakage protection solution from Microsoft: it is designed to stop work data being copied into personal apps and locations by mistake, not to stop a determined attacker. Windows 10 Enterprise has loads of security enhancements. I think Microsoft invested heavily on mainly 3 pieces, and those are 1. Secure Identities, 2. Information Protection and 3. Threat Resistance. Windows Information Protection/EDP is part of Information Protection. Within Information Protection, Microsoft recommends having 1. Encryption (BitLocker), 2. WIP/EDP and 3. Azure Information Protection (or RMS).
WIP/EDP is fully supported in the Windows 10 Anniversary Update (1607), which was released recently. We can use Intune standalone or SCCM CB 1606 to configure Windows Information Protection policies. Before implementing WIP in your organization, it’s very important to find out which applications are WIP-enabled (enlightened), and we have to define for each application which WIP mode it will be in: Allowed or Exempt.
Before I go into details, here is a video tutorial explaining the configuration along with a Windows 10 end-user experience demo. I used Windows 10 Insider Build 14342 with Microsoft Intune.
How to Create – Deploy WIP EDP Using SCCM CB 1606 and End-user experience of WIP :-
How to start Implementing Windows 10 Windows Information Protection Using Intune
Following are the quick steps to configure the Windows 10 EDP policies in the Intune console:-
Configure the list of Windows 10 apps (Universal/Store or Desktop) which you want to protect through EDP
Select the EDP/WIP mode of protection
Configure the network locations/IP range
Upload the data recovery certificate
Configure the list of Windows 10 apps (Universal/Store or Desktop) which you want to protect through WIP
Select the WIP/EDP mode of protection
Configure the network locations through EDP/WIP policies
These are the network locations that the apps you configured can access; no other apps can access these locations. These network location settings are very important for the EDP/WIP policy to work on a Windows 10 machine!! The values I used:-
Primary Domain (my primary domain is a trial tenant): PuneITPro.onmicrosoft.com
Enterprise Cloud Domain (Exchange Online): outlook.office.com|outlook.office365.com
Enterprise Network Domain (a dummy URL is fine, I think; it worked for me): blogs.anoopcnair.com
Enterprise IPv4 Range (any IP range is fine, I think; my Hyper-V lab IP range worked for me): Internal IP range 192.0.0.1-22.214.171.124
Configure the WIP/EDP data recovery agent (DRA) certificate
Configure the WIP/EDP policy settings
Allow user to edit or decrypt data -> No
Protect app content when the device is in the locked state -> Yes
Windows 10 WIP/EDP – End User Experience
In my example here:-
WordPad is NOT an EDP-protected app. I tried to copy enterprise mail content into this unprotected app and it gave me the following error: “This is work content only – your organization, PuneITPro.onmicrosoft.com, doesn’t allow you to change the ownership of this content from work to personal”
Internet Explorer (IE) shows an EDP lock symbol when you browse an enterprise location:-
Microsoft Edge shows an EDP lock symbol when you browse an enterprise location:-
The OneDrive universal application shows an EDP lock symbol for the enterprise OneDrive account but not for the personal OneDrive account
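To make the two behaviours above concrete (the lock symbol for enterprise locations, and the blocked paste into WordPad), here is an added Python model of how the network-boundary settings from the policy and the WIP mode decide the outcome. This is example code written for this post, not Microsoft's implementation: the IPv4 range and app list are constructed sample values, and treating a domain entry as also matching its subdomains is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of the network-boundary settings described in the post.
# The IPv4 range is a made-up lab range, not the one shown above.
NETWORK_BOUNDARY = {
    "cloud_resources": ["outlook.office.com", "outlook.office365.com"],
    "network_domains": ["blogs.anoopcnair.com"],
    "ipv4_ranges": [("10.10.0.1", "10.10.0.254")],
}
# Apps allowed by the policy; WordPad is deliberately not in the list.
ALLOWED_APPS = {"Microsoft Edge", "Mail", "OneDrive"}


def _host_matches(host, domain):
    """Exact match or subdomain match (assumption about WIP's domain matching)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_enterprise_location(target, boundary=NETWORK_BOUNDARY):
    """True if a URL, host name or IPv4 literal falls inside the enterprise boundary.

    This is the decision behind the lock symbol in IE/Edge: only matches get it.
    """
    host = urlsplit(target if "://" in target else "//" + target).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # Only IPv4 ranges are configured; an IPv6 literal is never enterprise here.
        return ip.version == 4 and any(
            ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
            for lo, hi in boundary["ipv4_ranges"])
    return any(_host_matches(host, d)
               for d in boundary["cloud_resources"] + boundary["network_domains"])


def paste_decision(app, content_is_work, mode, allowed_apps=ALLOWED_APPS):
    """Outcome of pasting content into an app under a given WIP mode.

    Modes are the four WIP modes: Block, Allow overrides, Silent, Off.
    Personal content and allowed apps are never restricted; work content into
    an unprotected app (the WordPad case) depends on the mode.
    """
    if not content_is_work or app in allowed_apps or mode == "Off":
        return "allow"
    return {"Block": "deny", "Allow overrides": "prompt",
            "Silent": "allow_audit"}[mode]
```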