Windows Information Protection

Use this profile configuration to assign a Windows Information Protection policy to your devices. Only one Windows Information Protection profile configuration can be assigned and installed on a device. Additional Windows Information Protection profile configurations assigned to a device will be ignored.

General

Use the options on the General tab of the WIP profile configuration to control the behaviour of WIP on your devices.

Protection Level: Select one of the following options to set the protection level for your enterprise data.
  • Block: Prevents enterprise data from leaving enforced applications or networks.
  • Override: Allows the device user to share protected data. However, the user is notified that the shared data is protected, and all overrides are logged.
  • Silent: Allows the device user to share protected data without notification. All actions are logged.
  • Off: Allows the device user to share protected data without notification, and no actions are logged.
Allow User to Decrypt Data: When enabled, device users can decrypt any data created or edited by enforced applications by opening the file's Properties and clearing the appropriate checkboxes.
Revoke Encryption Keys on Device Unenrollment: When enabled, the device user's local encryption keys are revoked when the device is unenrolled.
Allow Encrypted Data and Store Apps to Appear in Windows Search: When enabled, Windows Search can search and index encrypted corporate data and Store applications.
Data Recovery Certificate: Use this section to add data recovery certificates. A data recovery certificate enables you to recover encrypted data that might otherwise be lost if an account is locked or becomes inaccessible, by verifying your right to access that information.
Note: It is recommended that you use a Data Recovery Agent (DRA) template from ADCS.

Applications

Use the Applications tab to specify which applications have access to enterprise data on your devices.

Applications are divided into two sections: Legacy Applications (*.msi) and Modern Applications (*.appx). Applications with a lightbulb icon are Enlightened Applications. Enlightened applications can differentiate between corporate and personal data and only encrypt corporate data. Unenlightened applications consider all data corporate and encrypt everything. Exempt applications are allowed to access enterprise data without encrypting it.

For each application you can select one of the following options:

  • Allow: Applies your WIP policy to this application
  • Block: Blocks the application from accessing your enterprise data
  • Exempt: Exempts the application from your WIP policy, allowing it to access enterprise data without encryption. This option is primarily for applications that may have compatibility issues with WIP but are necessary for your company's productivity. Use this option carefully, as exemption from WIP increases the chance of a data leak from your applications.

Networks

Use the Networks tab to set boundaries for the Windows Information Protection profile configuration. Each of the three network setting types (IP Address Range, Network Domain, and Protected Domain) must be configured, and you can configure multiple values for each type.

IP Address Range

Enter the range of IP addresses where enterprise data is accessible to your device users. Device users cannot access enterprise data while they are outside this range. You can add multiple IP address ranges.

Type: Select an internet protocol version: IPv4 or IPv6.
Starting Address: Enter the starting address for your IP address range.
Ending Address: Enter the ending address for your IP address range.

Domains

Enter the network or protected domain where your enterprise data is accessible to your device users. You must specify a fully qualified domain name. All traffic to the network domains on this list will be protected. You can add multiple domains.

Type: Select the domain type you are configuring. This field is read-only when you are editing an existing domain.
Location: Enter a fully qualified domain name.
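As an added example (not part of this documentation or the product's own code), a small Python checker for the Networks tab boundary: it validates IP Address Range rows (Type, Starting Address, Ending Address) and Domain rows (Type, Location), confirms that all three network setting types are configured, and classifies a destination as inside or outside the boundary. The dictionary field names, the sample rows and the rule that a listed domain also covers its subdomains are assumptions.

```python
import ipaddress
import re
# Constructed sample Networks-tab rows (not a real policy); field names follow the page.
IP_RANGES = [{"type": "IPv4", "start": "10.10.0.1", "end": "10.10.255.254"},
             {"type": "IPv6", "start": "fd00:1::1", "end": "fd00:1::ffff"}]
DOMAINS = [{"type": "Network Domain", "location": "intranet.example.com"},
           {"type": "Protected Domain", "location": "example.com"}]
# Minimal FQDN shape: dotted labels of letters/digits/hyphens with an alphabetic TLD.
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def validate_ip_range(entry):
    """Return problems with one IP Address Range row (empty list means valid)."""
    version = {"IPv4": 4, "IPv6": 6}.get(entry["type"])
    if version is None:
        return [f"unknown Type {entry['type']!r}"]
    try:
        start, end = ipaddress.ip_address(entry["start"]), ipaddress.ip_address(entry["end"])
    except ValueError as exc:
        return [f"unparseable address: {exc}"]
    if start.version != version or end.version != version:
        return ["Starting/Ending Address do not match the selected Type"]
    return ["Ending Address is lower than Starting Address"] if end < start else []

def validate_domain(entry):
    """Return problems with one Domain row; Location must be a fully qualified name."""
    if entry["type"] not in ("Network Domain", "Protected Domain"):
        return [f"unknown Type {entry['type']!r}"]
    if not FQDN_RE.match(entry["location"].lower().rstrip(".")):
        return [f"{entry['location']!r} is not a fully qualified domain name"]
    return []

def validate_boundary(ip_ranges, domains):
    """Check every row and that all three network setting types are configured."""
    problems = [p for e in ip_ranges for p in validate_ip_range(e)]
    problems += [p for e in domains for p in validate_domain(e)]
    problems += [] if ip_ranges else ["no IP Address Range configured"]
    problems += [f"no {k} configured" for k in ("Network Domain", "Protected Domain")
                 if k not in {e["type"] for e in domains}]
    return problems

def is_enterprise_destination(host, ip_ranges, domains):
    """True when an IP or host name lies inside the boundary (assumption: subdomains count)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        name = host.lower().rstrip(".")
        return any(name == d["location"].lower() or name.endswith("." + d["location"].lower())
                   for d in domains)
    return any(ipaddress.ip_address(r["start"]) <= addr <= ipaddress.ip_address(r["end"])
               for r in ip_ranges if ipaddress.ip_address(r["start"]).version == addr.version)
```

Running validate_boundary before assigning a profile catches reversed ranges, version mismatches and a missing setting type, all of which would otherwise leave enterprise traffic outside the boundary.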