
    How to add Microsoft store apps to Windows information protection (WIP) in Intune

    By Eswar Koneti, November 04, 10:16 pm. Category: App protection policies

    Windows Information Protection (WIP) helps protect enterprise apps and data against accidental data leaks on enterprise-owned devices and on personal devices that employees bring to work, without requiring changes to your environment or other apps. For more information about WIP, see the reference at the end of this post.

    I recently installed the Microsoft To-Do application on my Windows 10 machine from the Windows Store.

    After installing Microsoft To-Do and trying to sign in, it throws an error: ‘A windows information protection (WIP) policy is preventing the use of Microsoft To-Do on this device’

    This issue occurs because the device is enrolled in Intune and WIP policies are applied to it. To use a work or school account with this app, the app must be protected and enlightened in the WIP policy.

    So, I started looking at the Intune WIP policy to see the list of apps that are protected; Microsoft To-Do is not there.

    We will now see how to add Microsoft Store apps to a Windows Information Protection policy in simple steps:

    Log in to the Microsoft Azure or Device Management portal and go to Intune, App protection policies.

    Create a new policy, or use an existing policy to which you want to add Microsoft Store apps as WIP-enabled apps.

    Click Protected apps, then click Add apps.

    Choose Store apps.

    The two important fields that we need to fill in are Product name and Publisher name.

    We will get the AppLocker data for the app with the help of a URL.

    If it is a desktop app, we can use the PowerShell cmdlet Get-AppLockerFileInformation -Path <Path of the EXE file that is used to launch the application>

    Following is the URL that will be used to get the publisher and product information.

    https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/<AppID>/applockerdata

    The <AppID> part of the URL (highlighted in red in the original post) is the application ID in the Windows Store.

    To get the app ID for Microsoft To-Do, go to the Microsoft Store for Business website, find your app (for example, Microsoft To-Do) and click on it.

    You will see the app ID at the end of the URL. Copy that value and paste it into the URL: https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9NBLGGH5R558/applockerdata

    You will see data in JSON format.

    {
      "packageFamilyName": "Microsoft.Todos_8wekyb3d8bbwe",
      "packageIdentityName": "Microsoft.Todos",
      "windowsPhoneLegacyId": "6088f001-776c-462e-984d-25b6399c6607",
      "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
    }

    Product name = packageIdentityName

    Publisher name = publisherCertificateName

    Once we have all the necessary information, we add these values to our WIP policy.

    The Name field can be anything (that makes sense), but Product and Publisher must come from the applockerdata URL output above.

    Click OK and save the changes.
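
The lookup and field mapping described above, as an added PowerShell example (not code from the original post): it turns an applockerdata response into the Name, Publisher and Product values for the WIP store-app entry and fails loudly if either required field is missing. The function names are hypothetical, and the embedded sample is the To-Do JSON shown above.

```powershell
# Added example. Function names are hypothetical; only the URL and JSON fields come from the post.

# Fetch the raw applockerdata JSON for a Store app ID (needs network access).
function Get-StoreAppLockerJson {
    param(
        # Letters and digits only, so the ID cannot change the URL path.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9]+$')][string]$AppId
    )
    $uri = "https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/$AppId/applockerdata"
    (Invoke-WebRequest -Uri $uri -UseBasicParsing).Content
}

# Map the JSON to the three fields of a WIP "Store apps" entry.
function ConvertTo-WipStoreAppEntry {
    param(
        [Parameter(Mandatory)][string]$Json,
        [Parameter(Mandatory)][string]$DisplayName
    )
    $data = $Json | ConvertFrom-Json
    foreach ($field in 'packageIdentityName', 'publisherCertificateName') {
        if ([string]::IsNullOrWhiteSpace($data.$field)) {
            throw "applockerdata response has no '$field'; check the app ID."
        }
    }
    [pscustomobject]@{
        Name      = $DisplayName                      # free text
        Publisher = $data.publisherCertificateName    # use exactly as returned
        Product   = $data.packageIdentityName
    }
}

# Sample input: the Microsoft To-Do response shown above, embedded so this runs offline.
$sample = @'
{
  "packageFamilyName": "Microsoft.Todos_8wekyb3d8bbwe",
  "packageIdentityName": "Microsoft.Todos",
  "windowsPhoneLegacyId": "6088f001-776c-462e-984d-25b6399c6607",
  "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}
'@
ConvertTo-WipStoreAppEntry -Json $sample -DisplayName 'Microsoft To-Do' | Format-List

# Live lookup for the same app:
# ConvertTo-WipStoreAppEntry -Json (Get-StoreAppLockerJson -AppId '9NBLGGH5R558') -DisplayName 'Microsoft To-Do'
```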

    End-user results:

    On the end-user device, it can take a few hours to receive the changes that we made to the WIP policy.

    If you want to see the changes quickly, open Settings on the Windows 10 device that is managed by Intune, go to Work or school account and click Sync.

    This Sync button is like gpupdate /force, which forces Group Policy changes.

    Once you click Sync, the agent communicates with Intune, gets the policy changes and applies them to the device.

    How to check whether the WIP policy settings have been applied to the device?

    Go to C:\windows\system32\AppLocker\MDM

    You will see a folder named with a random number. Keep going into the folders inside it until you see the storeapps folder.

    Inside this folder, you will see the policy file.

    Open the file in Notepad and search for the name that we added to the WIP policy.
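
The same check without opening Notepad, as an added PowerShell example that is not part of the original post: it lists every policy file in a storeapps folder below the path above and reports whether it contains the search text. The function and parameter names are hypothetical, and the file is treated as plain text, with no assumption about its format.

```powershell
# Added example. Find-WipStoreAppPolicy and its parameters are hypothetical names;
# the root path and the "storeapps" folder name come from the post.
function Find-WipStoreAppPolicy {
    param(
        # Text to look for, e.g. the product name entered in the WIP policy.
        [Parameter(Mandatory)][string]$SearchText,
        [string]$Root = 'C:\Windows\System32\AppLocker\MDM'
    )
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "$Root not found. Check that the device is enrolled and has synced."
        return
    }
    # The intermediate folder name is random, so walk the tree and keep only
    # files whose parent folder is "storeapps" (-eq is case-insensitive).
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Directory.Name -eq 'StoreApps' } |
        ForEach-Object {
            [pscustomobject]@{
                PolicyFile  = $_.FullName
                LastWritten = $_.LastWriteTime   # shows whether the last sync rewrote it
                ContainsApp = [bool](Select-String -LiteralPath $_.FullName `
                                        -Pattern $SearchText -SimpleMatch -Quiet)
            }
        }
}

# Look for the To-Do product name from the applockerdata output.
Find-WipStoreAppPolicy -SearchText 'Microsoft.Todos' | Format-Table -AutoSize
```

A row with ContainsApp set to False and an old LastWritten time means the device has not yet received the updated policy.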

    Once the policy has synced and the changes are loaded onto the device, go back to the Microsoft To-Do app and click Sign in.

    You should be able to sign in to the app now.

    If you have more Windows Store apps that you want to add to the WIP policy so that users can log in with their work account, you can use the steps above to add each app to the protected apps.

    Reference: https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure
