Windows Information Protection: Your Private Security Helper

Windows Information Protection (WIP) provides organizations with a set of features to support a Mobile Device Management (MDM) system and enable separation of corporate and personal data to prevent leaks. In this article, I’ll explain how WIP works.

Why Use WIP?

As corporate data becomes increasingly mobile, leaving the confines of the office and traversing devices that are not always owned by the company, it’s important to ensure that employees cannot intentionally or accidentally leak data, breaching regulatory obligations and damaging their company’s reputation. Microsoft claims that 87% of senior managers admitted to sending company data to personal cloud storage and email, and 58% accidentally sent data to the wrong person.

Just like any other security issue, there needs to be a defense-in-depth strategy to protect business data. Windows already provides device protection in the form of BitLocker, but until the Anniversary update of Windows 10 that shipped this summer, there was no way to separate personal and corporate data to prevent data leaks. Windows Information Protection aims to offer these features in the OS itself.

What Are the Benefits?

WIP can identify personal and business information, restrict which apps have access to business data and implement policies to control what users can do with business data, such as copy and paste restrictions. And while WIP is a built-in OS feature, it’s designed to work with Office 365 (ProPlus plans) to help protect data when it’s shared outside of an organization.

There are many Data Leakage Protection (DLP) solutions on the market, and although they’re able to separate business and personal data, it usually comes at the expense of user experience. One example is Knox, a security solution from Samsung for Android, which requires users to switch ‘modes’ to work with business data. It’s also common that DLP solutions require the use of custom email clients, which is also hardly an ideal solution. But because WIP is built directly into Windows 10 and Windows 10 Mobile, Microsoft can offer a seamless end-user experience.

WIP is managed using Mobile Device Management policies and is compatible with the Office 2016 Mobile Universal Windows Platform (UWP) apps. IT staff can create policies that allow users to decide whether data should be marked as personal or business, or that block users from making those decisions. Microsoft Edge is WIP “enlightened,” so the corresponding rules are enforced on sites marked as “business.” Saved files can be identified as personal or work by checking the File ownership column in File Explorer. It’s worth noting that unenlightened apps save everything as corporate data. At the time of writing, here’s the list of enlightened apps:

  • Microsoft Edge
  • Internet Explorer 11
  • Microsoft People
  • Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
  • Microsoft Photos
  • Groove Music
  • Notepad
  • Microsoft Paint
  • Microsoft Movies & TV
  • Microsoft Messaging
  • Microsoft Remote Desktop
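
The “let users decide” versus “block” choice described above is set through a single MDM value. The SyncML below is an added example, not from the original article or from Microsoft; it uses the EnterpriseDataProtection CSP’s EDPEnforcementLevel and EnterpriseProtectedDomainNames nodes, and `corp.example.com` is a placeholder for the organization’s own identity domain.

```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>1</CmdID>
      <Item>
        <Target>
          <!-- Which domains count as "business" data; pipe-separated list.
               corp.example.com is a placeholder, not a real tenant. -->
          <LocURI>./Device/Vendor/MSFT/EnterpriseDataProtection/Settings/EnterpriseProtectedDomainNames</LocURI>
        </Target>
        <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
        <Data>corp.example.com</Data>
      </Item>
    </Replace>
    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <!-- Enforcement level:
               0 = Off      (no protection)
               1 = Silent   (log inappropriate sharing, do not stop it)
               2 = Override (prompt the user, let them decide, log the choice)
               3 = Block    (stop the user from moving business data out)
               2 is the "user decides" mode the article mentions; 3 is the
               "block" mode, which is what you want once users are trained. -->
          <LocURI>./Device/Vendor/MSFT/EnterpriseDataProtection/Settings/EDPEnforcementLevel</LocURI>
        </Target>
        <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
        <Data>3</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>
```

Starting a rollout at level 1 or 2 and reviewing the resulting audit events before moving to 3 avoids breaking workflows that an unenlightened app would otherwise silently tag as corporate.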

The great thing about WIP is that it’s easy to deploy because it doesn’t require on-premises infrastructure or complicated technical workarounds for users. Provided you have Windows 10 (Professional, Enterprise, or Education), Office 365 (ProPlus or higher), Windows 10 Mobile, and a system for deploying MDM policies, such as System Center or Intune, then WIP is a great solution for protecting corporate data, such as Office documents and email. However, WIP has certain limitations, and there’s a list of issues on GitHub that is worth looking through before you decide to start testing: Limitations while using Windows Information Protection (WIP).