How to add Microsoft store apps to Windows information protection (WIP) in Intune

Windows Information Protection (WIP) helps protect enterprise apps and data against accidental data leaks on enterprise-owned devices and on personal devices that employees bring to work, without requiring changes to your environment or to other apps. For more information about WIP, please refer here.

I recently installed the Microsoft To-Do application on my Windows 10 device from the Microsoft Store.


After installing Microsoft To-Do and trying to sign in, it throws the error 'A Windows Information Protection (WIP) policy is preventing the use of Microsoft To-Do on this device'.

This happens because the device is enrolled in Intune and WIP policies are applied to it. To use a work or school account with this app, the app must be listed as a protected (enlightened) app in the WIP policy.


So I looked at the Intune WIP policy to see the list of protected apps; Microsoft To-Do was not there.

We will now see how to add Microsoft Store apps to a Windows Information Protection policy in a few simple steps:

Sign in to the Microsoft Azure portal or the Device Management portal and go to Intune > App protection policies.

Create a new policy, or use an existing policy to which you want to add Microsoft Store apps as WIP-enabled apps.

Click Protected apps, then click Add apps.


Choose Store apps.


The two important fields we need to fill in are Product name and Publisher name.

We will get the AppLocker data for the app with the help of a URL.

If it is a desktop app, we can instead use the PowerShell cmdlet Get-AppLockerFileInformation -Path <path of the EXE file used to launch the application>.

The following URL is used to get the publisher and product information:

https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/<AppID>/applockerdata

The <AppID> part of the URL is the application ID of the app in the Microsoft Store.

To get the app ID for Microsoft To-Do, go to the Microsoft Store for Business website, find your app (for example, Microsoft To-Do) and click on it.


You will see the app ID at the end of the URL. Copy that value and paste it into the URL: https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9NBLGGH5R558/applockerdata


You will see data in JSON format:

{
  "packageFamilyName": "Microsoft.Todos_8wekyb3d8bbwe",
  "packageIdentityName": "Microsoft.Todos",
  "windowsPhoneLegacyId": "6088f001-776c-462e-984d-25b6399c6607",
  "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}

The two JSON fields map to the WIP policy fields as follows:

Product name = packageIdentityName

Publisher name = publisherCertificateName
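The lookup above can be scripted so the Product name and Publisher name are pulled straight from the applockerdata endpoint (for Store apps) or from the signed EXE (for desktop apps, using the Get-AppLockerFileInformation cmdlet mentioned earlier) instead of being copied by hand. The following PowerShell is an added example and is not code from the original post or from Microsoft; it assumes the endpoint returns the JSON shown above, that the machine has internet access, and the desktop EXE path is a placeholder you replace with your own.

```powershell
# Added example (not from the original post): resolve the two WIP fields,
# Product name and Publisher name, for a Store app or a desktop app.

function Get-WipStoreAppInfo {
    [CmdletBinding()]
    param(
        # Store app ID from the end of the Store for Business URL,
        # e.g. 9NBLGGH5R558 for Microsoft To-Do
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Za-z]+$')]
        [string]$AppId
    )
    $uri  = "https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/$AppId/applockerdata"
    $data = Invoke-RestMethod -Uri $uri -Method Get -ErrorAction Stop

    # Map the JSON fields onto the names the WIP policy form asks for
    [pscustomobject]@{
        AppId             = $AppId
        ProductName       = $data.packageIdentityName        # -> Product name
        PublisherName     = $data.publisherCertificateName   # -> Publisher name
        PackageFamilyName = $data.packageFamilyName
    }
}

function Get-WipDesktopAppInfo {
    [CmdletBinding()]
    param(
        # Path of the EXE used to launch the desktop application
        [Parameter(Mandatory)]
        [ValidateScript({ Test-Path -Path $_ -PathType Leaf })]
        [string]$Path
    )
    # Get-AppLockerFileInformation reads the Authenticode signature;
    # Publisher is empty for unsigned binaries, which cannot be added by publisher
    $info = Get-AppLockerFileInformation -Path $Path
    if (-not $info.Publisher) {
        throw "$Path carries no publisher information (unsigned binary)."
    }
    [pscustomobject]@{
        Path          = $Path
        ProductName   = $info.Publisher.ProductName     # -> Product name
        PublisherName = $info.Publisher.PublisherName   # -> Publisher name
        BinaryName    = $info.Publisher.BinaryName
    }
}

# Usage: Store app (Microsoft To-Do) and a placeholder desktop app path
Get-WipStoreAppInfo -AppId '9NBLGGH5R558' | Format-List
# Get-WipDesktopAppInfo -Path 'C:\Program Files\Contoso\ContosoApp.exe' | Format-List
```

For Microsoft To-Do the first call returns ProductName Microsoft.Todos and PublisherName CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US, exactly the two values entered in the policy. Keeping the lookup in a script also makes it easy to record which app ID each rule came from.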

Once we have all the necessary information, we add these values to our WIP policy.

The Name field can be anything (that makes sense), but Product name and Publisher name must be taken from the AppLocker data URL above.


Click OK and save the changes.

End-user results:

On the end-user device, it can take a few hours to receive the changes we made to the WIP policy.

If you want to see the changes quickly, go to Settings on the Windows 10 device that is managed by Intune, select the work or school account and click Sync.

This Sync button is similar to gpupdate /force, which forces Group Policy changes to apply.


Once you click Sync, the agent communicates with Intune, gets the policy changes and applies them to the device.

How to check if the WIP policy settings are applied onto the device or not?

Go to C:\Windows\System32\AppLocker\MDM

You will see a folder with a random name; keep going into the folders inside it until you see a StoreApps folder.

Inside this folder, you will see the policy file.

Open the file in Notepad and search for the name we added to the WIP policy.
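The manual check above (browse into the MDM folder, open the policy file, search for the product name) can be done from PowerShell so it can be repeated on any managed device, and so you also see when the policy file was last written, which tells you whether the sync actually delivered a new policy. This is an added example, not code from the original post or from Microsoft; it assumes the policy files under the MDM folder are text files that contain the product name as the post shows, and that the shell is run elevated because the folder lives under System32.

```powershell
# Added example (not from the original post): check whether the WIP policy on
# this device already contains the app we added.

function Test-WipAppOnDevice {
    [CmdletBinding()]
    param(
        # Product name as entered in the WIP policy, e.g. Microsoft.Todos
        [Parameter(Mandatory)]
        [string]$ProductName,
        # Root folder Intune writes the AppLocker policy into
        [string]$MdmRoot = "$env:SystemRoot\System32\AppLocker\MDM"
    )

    if (-not (Test-Path -Path $MdmRoot)) {
        Write-Warning "$MdmRoot not found: device may not be enrolled, or no policy has synced yet."
        return $false
    }

    # Each enrollment gets its own randomly named subfolder; search all of them
    # and every file below (StoreApps and any other rule collection folders).
    $hits = Get-ChildItem -Path $MdmRoot -Recurse -File -ErrorAction SilentlyContinue |
        Select-String -SimpleMatch -Pattern $ProductName

    if (-not $hits) {
        Write-Warning "No policy file under $MdmRoot mentions '$ProductName'. Sync the device and check again."
        return $false
    }

    foreach ($hit in $hits) {
        # LastWriteTime shows when Intune last refreshed this policy file
        $written = (Get-Item -LiteralPath $hit.Path).LastWriteTime
        Write-Host ("{0} (written {1}) line {2}: {3}" -f $hit.Path, $written, $hit.LineNumber, $hit.Line.Trim())
    }
    return $true
}

# Usage: returns $true once the synced policy contains Microsoft To-Do
Test-WipAppOnDevice -ProductName 'Microsoft.Todos'
```

If the function returns $false right after a Sync, wait for the agent to finish and run it again; a file timestamp older than your policy change means the device has not yet received the new policy, whereas a fresh timestamp with no match means the app entry itself was not saved in the policy.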


Once the policy has synced and the changes are loaded on the device, go back to the Microsoft To-Do app and click Sign in.


You should be able to sign in to the app now.

If you have more Microsoft Store apps that you want to add to the WIP policy so that users can sign in with their work account, you can use the steps above to add them to the protected apps.

Reference: https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure
