Windows Information Protection
Use this profile configuration to assign a Windows Information Protection policy to your devices. Only one Windows Information Protection profile configuration can be assigned and installed on a device. Additional Windows Information Protection profile configurations assigned to a device will be ignored.
Settings
Use the options on the Settings tab of the WIP profile configuration to control the behaviour of WIP on your devices.
Protection Level | Select one of the following options to set the protection level for your enterprise data.
|
Other Settings: Allow user to decrypt data created or edited by Enforced Applications | When enabled, device users can decrypt any data created or edited by enforced applications by entering the file's Properties and deselecting the appropriate checkboxes. |
Other Settings: Revoke encryption keys on device unenrollment | When enabled, the device user's local encryption keys are revoked when the device is unenrolled. |
Other Settings: Allow encrypted data and Store apps to appear in Windows search | When enabled, Windows Search can search and index encrypted corporate data and Store applications. |
Data Recovery Certificate (Important in Case of Data Loss) | Allows you to recover encrypted data that might be lost if an account is locked or becomes inaccessible, by verifying your right to access that information.
Note: It is recommended that you use a Data Recovery Agent (DRA) template from ADCS.
|
Applications
Use the Applications tab to specify which applications have access to enterprise data on your devices.
Use the list of Available Applications to configure which applications can open your enterprise data. Available applications are divided into two sections: Predefined Legacy Applications (*.msi
) or Predefined Modern Applications (*.appx
). Applications with a lightbulb icon are Enlightened Applications. Enlightened applications can differentiate between corporate and personal data and only encrypt corporate data. Unenlightened applications consider all data corporate and encrypt everything. Exempt applications are allowed to access enterprise data without encrypting it.
Use the arrows to add applications to the Enforced Applications list. While an application is selected in the Available Application list, click the single right-pointing arrow to move it into the Enforced Applications list. Once an application is in the Enforced Applications list you can chose its behaviour. Double-click on Allow to open a drop-down with the following options:
- Allow: Applies your WIP policy to this application
- Block: Blocks the application from accessing your enterprise data
- Exempt: Exempts the applications from your WIP policy, allowing it to access enterprise data without encryption. This option is primarily for applications that may have compatibility issues with WIP but are necessary for your company's productivity. Use this option carefully as exemption from WIP increases the chances of a data leak from your applications.
Networks
Use this tab to set boundaries for the Windows Information Protection profile configuration. Each of the three network setting types (IP Address Range, Network Domain, and Protected Domain) must be configured, and you can configure multiple values for each type.
Add | Opens the Add Network Setting dialog box in which you can select, and specify values for, the network setting type you want to add. |
Edit | Opens the Edit Network Setting dialog box in which you can edit the values of the selected network setting.
You can also double-click a network setting in the list to edit it. |
Delete | Deletes the selected network setting. |
Network Domain
Enter the network domain where your enterprise data is accessible to your device users. You must specify a fully qualified domain name. All traffic to the network domains on this list will be protected. You can add multiple network domains.
Network Type | The network type you are configuring. This field is read-only when you are editing an existing network type. |
Location | Enter a fully qualified domain name. |
IP Address Range
Enter the range of IP addresses where enterprise data is accessible to your device users. Device users cannot access enterprise data while they are outside this range. You can add multiple IP address ranges.
Network Type | The network type you are configuring. This field is read-only when you are editing an existing network type. |
Type | Select an internet protocol version: IPv4 or IPv6. |
Starting Address | Enter the starting address for your IP address range. |
Ending Address | Enter the ending address for your IP address range. |
Protected Domain
Enter the Protected Domain where your enterprise data is accessible to your device users. You must specify a fully qualified domain name.
Network Type | The network type you are configuring. This field is read-only when you are editing an existing network type. |
Location | Enter a fully qualified domain name. |