Windows Information Protection

Windows Information Protection (WIP) is a feature of Windows 10 Anniversary Update that helps protect corporate information by encrypting data with the Encrypting File System (EFS).

This is not to be confused with Azure Information Protection (AIP), which was rebranded from Azure Rights Management Services (RMS).

How WIP works

Enterprise data is automatically encrypted after it’s downloaded to a device from SharePoint, a network share, or an enterprise web location, while using a WIP-protected device or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.

A WIP policy includes a list of applications that are allowed to access corporate data. This allow list is implemented through AppLocker functionality.
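The following PowerShell audit is an added example, not code from this article or from Microsoft. It shows the mechanism described above from the defender's side: it enumerates a folder for files carrying the NTFS Encrypted attribute (the EFS state WIP puts enterprise data into) and runs cipher.exe /C on each to list the identities that can decrypt it. The demo folder and files are constructed inline, and the sample file is encrypted with ordinary user EFS via System.IO.File.Encrypt, standing in for WIP's enterprise-keyed encryption; the function names are my own.

```powershell
# Added example (not from the article): audit a folder for EFS-encrypted files,
# the mechanism WIP uses to protect enterprise data, and show the decryption
# identities cipher.exe reports for each one. Needs an NTFS volume on a Windows
# edition that supports EFS. The demo files below are constructed for this run
# and use plain user EFS, not a WIP policy.

function Get-EfsEncryptedFile {
    # Returns every file under $Path whose attributes include Encrypted.
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted) } |
        Select-Object FullName, Length, LastWriteTime
}

function Show-EfsDetails {
    # cipher.exe /C displays who can decrypt the file and any recovery agents.
    # On a WIP-protected file the article says EFS ties the file to the
    # enterprise identity, so that is where one would expect it to appear
    # (expectation, not verified here: this demo uses personal EFS).
    param([Parameter(Mandatory)][string]$FilePath)
    & cipher.exe /C "$FilePath"
}

# --- constructed demo input: one personal file, one "corporate" file ---
$demo = Join-Path $env:TEMP ("wip-audit-" + [guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $demo | Out-Null
$personal  = Join-Path $demo 'personal.txt'
$corporate = Join-Path $demo 'corporate.txt'
Set-Content -Path $personal  -Value 'personal note'
Set-Content -Path $corporate -Value 'quarterly numbers'
[System.IO.File]::Encrypt($corporate)   # user EFS standing in for WIP's encryption

$found = Get-EfsEncryptedFile -Path $demo
Write-Host "Encrypted files under $demo :"
$found | Format-Table -AutoSize
foreach ($f in $found) { Show-EfsDetails -FilePath $f.FullName }

# Cleanup: decrypt first so no EFS-bound file is left behind in TEMP.
[System.IO.File]::Decrypt($corporate)
Remove-Item -Path $demo -Recurse -Force
```

Run it in a normal (non-elevated) PowerShell session; only corporate.txt should be listed. Pointed at a real user profile on a WIP-managed device, Get-EfsEncryptedFile is a quick way to see how much data non-enlightened apps have forced into encryption, which is the operational cost the Limitations section below describes.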

Requirements

Requires an Intune or SCCM policy.

Devices require Windows 10 Anniversary Update or must be enrolled with Intune or a supported third-party MDM (I was unable to find a list of supported third-party MDMs).

Limitations

  • Files encrypted with WIP cannot be shared externally. Each user would need the ability to disable WIP on a particular file and then re-encrypt the file using a separate technology such as Azure Information Protection.
  • All clients in your environment must be running Windows 10 Anniversary Update or be a mobile device managed by Intune or a supported third-party MDM. For example, a Mac OS X machine that downloads data from SharePoint, a file share, or anywhere else is not going to be protected by WIP, so that employee can bypass WIP and leak sensitive information. Think of WIP as a client-side solution that is only truly effective when all client systems fit the mold.
  • WIP is not compatible with DirectAccess. The workaround is to replace DirectAccess with Windows 10 Always On VPN for client access to the intranet.*
  • WIP is not compatible with Network Isolation (IPsec feature).
  • Cortana must be disabled; otherwise Cortana can leak encrypted information.*
  • WIP is not compatible with shared workstations.* One user per device.
  • Marriage or separation name changes can disrupt WIP. Workaround: disable WIP before changing someone’s first or last name.* This is pretty time intensive as it requires decrypting all files that were protected by WIP.
  • Internet Explorer 11 with webpages using ActiveX controls can cause data leakage. The workaround is to use the Microsoft Edge browser. The issue is that not all websites are compatible with Edge.*
  • There are only 11 applications that are considered WIP “Enlightened Apps” (see list below). All other apps will force encryption on all data saved, which cannot be shared externally unless the user manually removes the encryption and re-encrypts with AIP.

*https://technet.microsoft.com/en-us/itpro/windows/keep-secure/limitations-with-wip

References

Original Announcement from 6/29/2016

https://blogs.technet.microsoft.com/windowsitpro/2016/06/29/introducing-windows-information-protection/

Official Documentation for WIP

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-enterprise-data-using-wip

WIP “Enlightened Apps”

  • Microsoft Edge
  • Internet Explorer 11
  • Microsoft People
  • Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
  • Microsoft Photos
  • Groove Music
  • Notepad
  • Microsoft Paint
  • Microsoft Movies & TV
  • Microsoft Messaging
  • Microsoft Remote Desktop

*These apps allow you to save things as personal (unencrypted). All other applications not listed will encrypt everything they save with EFS encryption.

Patriot Guidance

Use Azure Information Protection and avoid WIP unless you have a regulatory reason that justifies the effort to deploy it: WIP's encryption policy is restrictive, and only 11 apps allow the user to save things without encryption. One look at the implementation page (here) below shows how difficult an implementation would be, and even more so how difficult it would be to maintain.