Intune Windows Information Protection (WIP) Policies test cases and notes from the field

Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.

Since few days, I have been busy in testing windows information protection policies on BYOD devices to protect enterprise data  and note the test cases for any such data leakage issues using corporate managed applications such as office 365 pro plus (word,excel and other apps).

If you want read more about what is Windows information protection ,please go through https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip

During my testing ,i have noticed couple of issues on windows 10 with build 1703 (on my surface and also couple of vm’s)  of which ,some of them are fixed (with some simple configuration settings) but there are still some outstanding for which ,i have no fix on the data leakage.

In this blog post, i will list the issues that i have fixed and some outstanding issues .If you see any solution for the outstanding issues ,please report via comment section.

Note: I will be updating all my test cases in this post when i find something interesting .

1. If the device is WIP managed ,internet access is blocked on 3rd party browsers (exclude IE and Edge ) such as chrome,Firefox etc. The fix for this is ,to add /*AppCompat*/ to cloud resource section. More information about this ,please refer this post

2. Unable to upload o365 protected files to Onedrive (onedrive for business) on windows 10 using windows information protection (WIP) policies . I get the following error while trying to upload files that are saved on my desktop .These files are protected using my corporate identify which is set under required settings in WIP policy.

image

I open the corporate managed apps like word,excel or notepad and save the file as work with eskonr.onmicrosoft.com.After i save the doc ,it is protected with brief case icon on it (if you choose to display show enterprise data protection icon in WIP policy).

SNAGHTML60eeaea

when i try to upload these protected docs to my corporate onedrive ,it fail with error ,can’t be synced with onedrive . A policy set by your IT administrator prevents you from synching this work file to your onedrive. This is because ,all the files are protected with the user identify . In this case the user identify is eswar@eskonr.com .This is the user ID that user used to do workplace join on his BYOD to access company resources.

In this case ,user ID is eswar@eskonr.com ,UPN is eskonr.com which not recognized as protected domain. To fix this ,we need to edit the WIP policy to make some changes on the advanced settings.

Go to WIP policy that you have assigned to users ,click on advanced settings ,select Add network boundary ,choose protected domain for boundary type, give the name (anything that suit for you) and in the value ,add eskonr.com

If you have multiple UPN id’s like eskonr.com.sg ,eskonr.com.in,eskonr.com.hk ,you need to add the UPN names here separated with |.

In my case, the setting look like this for multiple UPN’s.

image

 

Once am done with this ,sync the policies on user device .This time ,it will allow you to upload files to onedrive .

Also note that , with this setting ,all the files in onedrive and files that you upload from outside one drive by default will be protected with file ownership as eskonr.microsoft.com ,which help to protect these files from anywhere even user tries to take it external disk.

3.If you have MAM and MDM settings enabled for windows 10 (azure active directory ,mobility (MAM and MDM, intune) for users , MAM will take precedence over MDM and why is this important ? Well ,when you create intune app protection policies (WIP) ,you must align the these policies with enrollment as  ‘With Enrollment’ or ‘without Enrollment’ .

What i have noticed in my testing is that ,if you have set managed type MDM in azure active directory and you create app protection policies for windows 10 with enrollment type ‘without enrollment’ ,these policies will not apply to end user.

After you create policy with enrollment type ‘with enrollment’ ,app protection policies will be applied which will protect your corporate data.

 

Now lets look at the outstanding issues:

1. I have copied word document or notepad (.docx,txt) from my onedrive which is protected with file ownership as ‘eskonr.microsoft.com’ to my BYOD desktop. This file is protected and i can see the briefcase icon on the file.

Since the file is protected ,if i open the document and try to do copy of the content from this doc file to any un-managed app ,it will block the paste action by saying the app can’t access content or paste action is blocked by your IT.

so far we talked about copy paste action which works only with managed apps which is good but now lets try to change the file ownership from work to personnel and see what happens. (I do not have azure RMS enabled with WIP policy).

Open the protected word document ,after it opens ,go to save as and in that, choose file name personal instead of work which allow to do it on windows 10 1703 and lower versions.

1                2                           3

This way you can leak the corporate data Open-mouthed smile .

What is the fix for this ? This issue is fixed in windows 10 1709 (Fall creators update) . In windows 10 1709 ,if you try to open corporate managed documents ,it will not allow you to save as personal .

2. Copy the data from protected app for ex: work1 from above notepad file ,paste it into run command ,explorer and cmd.exe which are un managed apps and from there i can save it personal.

 

Testing in progress ,please wait for more updates!

13 Responses to "Intune Windows Information Protection (WIP) Policies test cases and notes from the field"

  1. after deployed wip policy to a user group and i excluded the user group, the wip policy still applies. how to cleanly remove wip policy on a computer that applied to the user group?

    Reply
  2. Hello,
    I am looking for the Powershell command which Get/Set the WIP property on a file (such as can be done by right-click on the file / File Property / Professional). Can you advise ? Thank you.
    -Sylvain

    Reply
  3. Hi Eswar,

    i was looking into WIP profile , we are able to enroll and deploy protection policy successfully , but not able to understand how ip range and proxy in advance settings of application protection policy will work.

    Reply
  4. Hi Eswar,

    I have a windows 10 (v1803) device enrolled and complaint when logged with Azure AD. ( this is auto enrollment based on the configuration on SCCM) , also i am able to see enrolled device on Intune and SCCM as complaint

    Created WIP policies on Standalone Intune ( with enrollment )
    Azure- Mobility MDM and MAM scope is enabled.

    Sync is successful, However i do not see WIP policies coming up on device.

    c:\windows\system32\AppLocker and \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device do not have any entries.

    Can you suggest on this?

    Reply
    1. Hi Jagan,
      Sorry for late reply and not sure if this is solved or not but you can actually created dianostic report and look at it or event viewer will give you some clues on it.
      If this was solved ,let us know how did it solve so it help others.

      Thanks,
      Eswar

      Reply
  5. Can we enroll a device in intune and then also use wip?
    What does wip with enrollment mean? Does it mean wip for intune enrolled devices?
    Or does wip with enrollment mean the policy only applies to wip enrolled user/device?

    Reply
    1. It depends on how to set the configuration for windows 10 MDM (with enrollment) or MAM (without enrollment).
      If you set MDM ,then device must be enrolled into intune .The process to register/enroll device is same for both MDM and MAM ,the only change relies on is ,how the information is being sent to intune from windows 10 device and also the compliance/protection (WIP) policies are configured.
      This guide help you to understand more about WIP (windows information protection) https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip

      Regards,
      Eswar

      Reply
  6. Hi Eswar.
    I have a scenario.
    Intune App Protection works on Android and iOS but WIP does not apply on Windows 10 computer with or without enrollment.
    I also want to prevent upload and download files to and from sharepoint online when you are working from a Windows 10 computer which is not in the domain
    I also have MDM enabled.
    I seems like WIP does not work at all?
    Morten

    Reply
    1. is the windows 10 computer MDM successfully done ? do you see the device with MDM in azure portal ? what version of windows 10 are you running ? the most updated version with many bug fixes applied is OS build 1709 . So get on to that.
      by default ,if you followed my article, user can upload any personnel or work docs to onedrive/sharepoint online as it does not harm anything and of course users need flexibility to upload own created docs into company sharepoint for later reference in office. the aim is to stop data leakage of corporate docs and for that we use WIP. Once user upload personnel /company docs into sharepoint portal/onedrive, he can download but they are all protected with briefcase icon on the file.

      Regards,
      Eswar

      Reply

Post Comment