Skip to main content
Microsoft Security

Use Windows Information Protection (WIP) to help make accidental data leakage a thing of the past

Have you always wished you could have mobile application management (MAM) on Windows?

Now you can!

Windows Information Protection (WIP) is an out-of-the box data leakage prevention feature for Windows 10 that can automatically apply protection for work files and data to prevent accidental data leakage. With 600 million active Windows 10 devices, corporate customers continuing to deploy in earnest throughout 2018, and support for WIP built right into Office 365 ProPlus, its benefits are within easy reach.

Sixty to eighty percent of data leakage is accidental (see ICO data for 2016 and 2017). WIP is a key feature that offers much needed data protection for files at rest on the Windows platform, for any organization with sensitive data, big or small. In today’s security ecosystem, companies are spending $93B on security features (enough to host seven Olympic Games!). Yet companies still saw a 29 percent increase in data leakage worldwide between 2016 and 2017. WIP comes as a timely solution.

With Windows 10, Microsoft is providing a fundamental solution to this growing problem. Recognizing that the risk of leak comes from both fully managed devices and personal devices accessing work resources, we designed WIP to be deployed on PC and mobile devices running Windows 10. WIP is designed for organizations of all shapes and sizes, as a scalable solution that works to prevent accidental data leakage for end users.

WIP protects users and organizations from accidental leaks via copy-and-paste, drag-and-drop, removable storage (e.g., USB thumb drives), and unauthorized applications (e.g., non-work cloud storage providers). Windows shell integration appears in clear but unobtrusive ways. Elements like File Ownership are displayed and selectable in Explorer and File Save As dialog. Helpful briefcase icons mark resources when you are in a work context in places like window title bars, and Microsoft Edge’s navigation bar. Unauthorized applications are blocked from single sign-in with work credentials. WIP also includes the ability to perform selective wipe of business information, while leaving personal data behind.

WIP has three simple policy enforcement modes. It lets you choose how and whether the user experience in the clipboard, save dialog, and similar data-sharing cases have options (overrides) to move work content to non-work context. You can decide to Hide Overrides, Allow Overrides for your users, or even deploy in Silent mode just for auditing. Silent mode does not restrict unmanaged apps from opening work data the way Hide Overrides and Allow Overrides do, so you can get away with configuring less, yet still benefiting from the BYOD selective wipe capability for your work data, such as data downloaded from OneDrive for Business and Outlook email. This means when you or your user decides to unenroll their work account from their personal device, that work data stops being accessible.

WIP policy can be deployed in a few clicks in Microsoft Intune for MAM-only (“without enrollment”) targeting, MDM (“with enrollment”), or both. Being able to apply MAM-only policy will help you finally enable BYOD in regions and situations where fully managing the personal device is unacceptable. For companies that are not yet fully in the cloud, WIP policy can also be set on domain-joined computers using System Center Configuration Manager. Then, when you’re ready for co-management, you can move the WIP policy management authority to Microsoft Intune.

Your corporate files can also be automatically encrypted with a local key when downloaded to WIP-managed devices. You can do this by configuring your corporate network boundary. Using network isolation policies, you can identify your LAN and corporate cloud resources, which Microsoft Edge and other applications will use to recognize work sites and encrypt the data that comes from there. This works even better when combined with Conditional Access controls on Exchange Online and SharePoint Online to ensure that only managed devices can reach that data.

Additionally, WIP Learning lets you see the applications you didn’t know are used with work data. It reports any app not in your policy that tries to access a work resource. You can see this data in Microsoft Intune or your Windows Analytics portal, if you have Azure Log Analytics (formerly Microsoft Operations Management Suite or OMS). WIP Learning allows you to tune your app policy to add legitimate work apps and even detect apps that should not be trying to access work data. Combined with Silent mode, you can deploy and see the immediate benefit of selective wipe control and auditing, while tuning your app list for different deployment groups in preparation for enabling boundary enforcement.

WIP provides a robust and automatic solution for protecting work data coming to the Windows device, but it also pairs well with Azure Information Protection (AIP). AIP adds the ability to control and help secure email, documents, and sensitive data that are shared, even outside your company and in the Azure cloud. WIP, combined with AIP, provides application-level access control capabilities while preventing unauthorized applications from accessing business information at rest and in flight. At the same time, WIP’s simple “business vs personal” information classification system ensures simplicity and ease of use.

USB flash drives aren’t the only way data can leave a device. With the app restrictions on accessing work data, you can use WIP to guide users to use Outlook with their corporate email account to send work attachments, and SharePoint or OneDrive for Business to collaborate on work documents. This lets you enhance your overall data protection with Office DLP outbound rules, send email notifications, policy tips, and Office 365 Information Protection for GDPR.

WIP originally shipped in the Windows 10 Anniversary Update (version 1607) and since then, working across Microsoft and with industry, we have made a number of improvements, including:

  1. Support for Office 365 ProPlus, Microsoft Teams, and numerous inbox apps
  2. Simplified management – Intune quick setup, WIP Learning for Apps and Network Boundary policy
  3. Manageable as MAM-only (i.e. without full device enrollment)
  4. Improved Recovery (e.g. data access resumes via re-enrollment or re-adding your work account)
  5. AIP integration to enable roaming data on removable storage (e.g. USB thumb drives)
  6. Support from 3rd party apps such as from Citrix (ShareFile), DropBox (desktop sync client), Foxit (Reader, PhantomPDF), and WinZip (WinZip 21, WinZip 22)

With all these features available, WIP is easier than ever to deploy and maintain. Enable this fast, robust, user-friendly security solution to help ensure a more effortlessly secure user experience for your organization.

More information on Windows Information Protection (WIP) found in the following resources: