How to prevent data loss with Windows Information Protection

Looking for a solution to keep company data out of the wrong hands? Windows 10's WIP might be the best option. Here's how WIP works.

Credit: Peter Sayer

Information that belongs to someone and has the potential to be very impactful to that person or organization needs to be protected in this day and age. Finding that information in the wrong hands can have severe negative implications and consequences. You need look no further than recent headlines to see the devastating consequences that information leakage can have, from Edward Snowden and the NSA to John Podesta and the Democratic National Committee.

Shops that primarily use Windows on the client side have a ready-made answer: Windows Information Protection (WIP) is a data loss prevention technology that looks for information classified as impactful to a business as well as for keywords that indicate sensitive information is potentially being passed outside the corporate security boundary. It then creates a plan to stop or mitigate that leakage.

  • You need to protect work-related information on both company- and employee-owned devices, such as their smartphone or tablet allowed to connect to your resources through a “bring your own device” (BYOD) program.
  • You use business applications that do not have data loss protection capabilities built-in and need an extra layer or two of leak protection.
  • You need a protection scheme that integrates with System Center or Microsoft’s Intune cloud-based device management platform. 

I’ll walk you through what WIP is and how to get started. One huge caveat: This is a Windows 10 technology. To bake WIP into your organization fully, you’ll need to complete your inevitable migration off Windows 7 and Windows 9.1.

How Windows Information Protection works

WIP starts working when new documents, spreadsheets, or other files are created on a protected device. Employees can be presented with a choice to save that file as a “work document,” enabling all the protections that come with WIP. That work document is considered enterprise data, even if it is stored local to the protected device or added to removable media like an SD card or a USB stick. All work files stored on the device or on removable media are encrypted at rest.

That protection is not limited to new content. When an employee visits a network share on a protected device or downloads content from a SharePoint document library or a corporate intranet set, WIP locks that data down via encryption and enforces policies on it. WIP also puts up fences around data accessed via applications on a protected device. Administrators can bless certain apps and allow them to work with “work data” and have that data copied and pasted between blessed applications. On the flip side, applications can also be blocked, so that protected work data cannot be moved into blocked applications (think Gmail, Secret, or anything else) on a device with WIP enforced.

By default, these app restrictions are enforced like a whitelist, with everything blocked and individual apps needing to be manually—read intentionally—added to the whitelist to be granted access to work data. Some applications, particularly Microsoft Office, are aware of WIP and can protect data even when employees copy data from a protected file, paste it into a new document, and attempt to save it as a new document. WIP will notice this and automatically encrypt the new file. Apps that understand WIP are known as “enlightened apps,” and in Windows 10 app developers can choose to create WIP-aware apps that inherit this functionality automatically without additional code.

WIP also supports different levels of protection. Sometimes you want to give employees discretion over whether to override WIP’s protections, or perhaps you want to be in audit-only mode so you can simply take the temperature of the organization’s actions to understand how data moves about. When the fecal matter hits the rotating air movement device, you can remotely wipe the protected enterprise data off any enrolled computer, even employee-owned devices, without blowing away the non-enterprise data.

All of this happens by virtue of the WIP policy, the cornerstone of WIP’s protection engine. The WIP policy is applied to devices and contains instructions to encrypt data from an enterprise source or marked as work related using the Encrypted File System (EFS) feature that comes with all recent Windows client operating systems. The policy also contains the whitelist of apps that are allowed to use and work with protected data, based on the AppLocker feature.

You then set up your WIP policy to one of four modes:

  • Block—WIP pays attention to what the user is doing with enterprise protected content. If it detects a potentially compromising action, it will simply block the user from completing the task. This largely consists of restricting cut-and-paste actions between protected and non-protected applications and sending protected data outside of the corporate network.
  • Override—You can choose to have WIP looking over the shoulder of your employee like it would in Block mode. Instead of simply cutting off the action, it can prompt the user so that he or she can make an informed decision about whether to continue with the action. If the user chooses to override the WIP warning, the action is logged so the administrator can audit and review later.
  • Silent—WIP will monitors the system, but simply logs everything it sees as potentially compromising without alerting the user or preventing any actions (except for obvious things like trying to access a protected file for which the user doesn’t have access rights). Most administrators would choose this mode to establish a baseline to understand how data moves in their network before using a more stringent mode.
  • Off—This disables WIP. If WIP was enabled before, Windows attempts once to decrypt protected files on devices. If you later decide to reenable WIP, you will need to reapply protection to files as this information is not retained between policy applications.

How to apply Windows Information Protection policies

You have two ways to apply and later manage WIP on your Windows 10 client devices: through Microsoft Intune, a subscription based management service that is basically System Center in the cloud, or through your existing deployment of System Center Configuration Manager (SCCM).

Using Microsoft Intune

To use Intune, open your browser and go to the Intune console. Expand the Policy node, and then from the Tasks area, click “Add Policy.” From the Windows section of the list on the “Select a template for the new policy” screen, select “Windows Information Protection (Windows 10 Desktop and Mobile and later).” Then click the “Create and Deploy a Custom Policy” radio button to the right, and next click the “Create Policy” button. On the next screen, type a name and a description for the policy.

Now it’s time to add app rules, which can include either Windows Store apps—these used to be called Modern apps or Windows 10 apps—or regular Win32-style desktop apps. I’ll focus on the desktop apps using the venerable Microsoft Excel. Click the “Add” button in the center of the screen, and in the “Add App Rule box,” enter a friendly name for the app. Choose the Windows Information Protection mode you wish to use (“Allow” in this case), choose “Desktop App” from the “Rule template” list, and then check the box net to “Binary name” and enter EXCEL.EXE.

Here is a handy tip: if you wish to filter on some of the other options including publisher, product name, and file version, you can use the following PowerShell command on a Windows 10 machine to get this information:

Get-AppLockerFileInformation
–Path “c:\path_to_binary\binary.exe”

That will return the information you seek, which you can then copy and paste into the Intune screen.

After you have added the apps that should be affected by your policy, you need to choose what Intune calls the “paste/drop/share restriction mode,” which is one of the four options: block, override, silent, or off.

You will then need to define your corporate identity, which is a list of domains your enterprise content lives on so WIP has some basis to identify work-related items. This list should include all domains for which your company receives e-mail. You can enter multiple domains in the “Corporate identity” field using the “|” character, as in 82ventures.com|jonathanhassell.com.

Next, set up the list of allowed network locations from which apps handling protected data get work data. This is basically a list of network locations that protected data can be written to and retrieved from, so your enterprise’s IP range is a good place to start. You can fine-tune the list as you go further in your deployment. You can also upload a data recovery agent (DRA) certificate that you get when you enable the Windows EFS feature, which will help Intune recover encrypted data if the key is lost.

Leave the optional settings as they are with their defaults for now and click Save. Voila, your policy is in place. You then use Intune’s policy node to add this policy to a list of deployment groups, and the policy is subsequently distributed to them.

Using System Center Configuration Manager (SCCM)

To use SCCM to deploy WIP, you need to create your policies using version 1606 or later, and if you have any older WIP policies you created in older versions of SCCM, you will need to delete and recreate them.

From the SCCM console, under “Assets and Compliance,” navigate through “Overview”/”Compliance Settings”/”Configuration Items.” Click the “Create Configuration” Item button. When the wizard starts, enter a friendly name and description and then specify Windows 10 as the supported platform for this particular item. On the “Select the device setting groups to configure” screen, check “Windows Information Protection.” Then you can add app rules similarly to how you work with Intune app rules.

Next, choose the paste/drop/share restriction mode, define the identity domains, choose the enterprise network locations where protected data lives, choose optional settings and the optional DRA certificate upload, and then review the settings and click “Continue.” Depending on how your SCCM deployment policies are set up, use one of the compliance settings or configuration baselines to push this policy out to SCCM-managed devices.

The last word

Various information rights management programs and data loss protection schemes are available, but there has not been information protection built into an operating system like WIP is in Windows 10 client before now. With Windows 7 approaching its ninth birthday and Windows 10 rapidly maturing into a reasonably stable landing spot for many organizations, WIP is worth a look, and pairing it with Microsoft Intune is an inexpensive way to get started.

Join the newsletter!

Error: Please check your email address.

More about ClickCustomExcelMicrosoftModernNSA

Show Comments

Market Place

<img height="1" width="1" style="border-style:none;" alt="" src="//insight.adsrvr.org/track/evnt/?adv=bitgblf&ct=0:jkis3bum&fmt=3"/>