Windows information protection (WIP) helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. For more information about WIP, please refer here
I recently installed the Microsoft To-Do application on my windows 10 from the Windows store.
After installing Microsoft To DO and try to sign-in, it throws an error ‘ A windows information protection (WIP) policy is preventing the use of Microsoft To-Do on this device’
This issue occurs because the device is enrolled to intune and there are WIP policies applied. So in order to use a work or school account to this app, the app must be protected and Enlighted in WIP policy.
So, I started looking at the Intune WIP policy to see the list of apps that are protected, Microsoft To-Do is not there.
we will now see how to add Microsoft Store apps into windows information protection policy in simple steps:
Create a new policy or use an existing policy that you want to add Microsoft store apps as WIP enabled apps.
Click on protected apps, click add apps
Choose store apps
Two important fields that we need to fill in are Product name and publisher name.
we will get app locker data information with the help of the URL .
If it is desktop app then we can use Powershell cmdlet Get-AppLockerFileInformation –path <Path of the EXE file that used to launch the application>
Following is the URL that will be used to get the publisher and product information.
The font that is highlighted in red color refers to the application ID in the windows store.
To get the app ID for Microsoft To-Do, Go to the Microsoft Store for Business website, and find your app. For example, Microsoft To-Do, click on the app
You will see the app ID at the end of the URL, copy that value and paste it in the URL https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9NBLGGH5R558/applockerdata
You will see data in JSON format.
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
Once we got all the necessary information, we will add these values to our WIP policy.
Name field can be anything (that makes sense) but product and publisher should be from the above app locker URL file.
Click on Ok and save the changes.
On the end-user device .it can take a few hours to receive the changes that we made on the WIP policy.
If you want to see the changes quickly, go to settings on windows 10 device that is managed by intune, work or school account and click Sync.
This sync button is like gpupdate /force to force the group policy changes.
Once you click on sync, the agent will communicate with intune and get the policy changes and inject it into the device.
How to check if the WIP policy settings are applied onto the device or not?
Go to C:\windows\system32\AppLocker\MDM
You will see a random number, keep going into the folder inside, you will see storeapps folder.
Insider this folder, you will see the policy file.
Edit the file using notepad and search for the name that we added to the WIP policy.
Once the policy sync and the changes are loaded into the device, go back to Microsoft To-Do app and click on sign-in
You should be able to sign-in to the app now.
If you have more windows store apps that you want to add to WIP policy for users to login with their work account, you can use the above steps to add the app into protected apps.