Microsoft Intune & Windows Information Protection: Part II


If you read my last blog post (Microsoft Intune & Windows Information Protection: Part I), then you probably have a good idea about how to create and deploy a Windows Information Protection (WIP) policy to managed Windows 10 devices. If you didn’t read my last blog post, then you might want to take some time now to go check it out. Otherwise, I’ll just assume you have all the context you need for this one, which shows you the end-user experience when WIP policies are deployed to Windows 10 computers managed as mobile devices with Intune.

Getting a glimpse of WIP

Because WIP capabilities are already integrated with the apps employees use every day, there’s no need to install an add-on client, use special folders, or change anything they normally do to get their jobs done. WIP works behind the scenes to help protect data on the device—and even if data is copied somewhere else. So users won’t normally notice WIP, but there are a few clues that you can provide to let them know WIP policies have been applied to their apps. Remember in the last blog I said I’d show you what the WIP icon overlay looks like once you enable it for apps protected by a WIP policy? Yes, no, maybe? Well, anyway, here’s what it looks like in the Start menu when an app is protected by WIP policies:

[Screenshot: start]

Notice there’s now a blue “Managed” attribute under the app name on the left-hand side and the triangle with briefcase icon added to the app icon when it’s pinned to the Start menu? If you open up a Word document, or start any app protected by WIP, you’ll also see the briefcase. I’ll show you that in a bit.

So that’s apps, but we can also protect resources viewed through a web browser with WIP. Remember in the last blog where I said you could protect websites? Check it out in Edge (I tested in Edge and Internet Explorer) and you’ll see the briefcase, showing that WIP protection is now applied when you browse to one of your protected URLs. If you click on the briefcase, you’ll see the organization name that is managing WIP protection for this web address. The same thing happens if you protect Bing.com or whatever web address you decide to protect in your WIP policy settings. You’re not really managing Bing.com, but your users know that the organization is protecting company data from leaking out into the world from there. Of course, something like Outlook web access (outlook.office.com/owa/) might be a little more practical to start with. Again, I’ve clicked on the briefcase icon to show you what the message looks like when it’s displayed. Normally users will only see the briefcase icon overlay at the end of the address bar:

[Screenshot: owa]

WIP in action

Besides just looking pretty, WIP helps protect company data from being leaked to unprotected apps or improperly saved to locations it’s not supposed to frequent. You know, the old cut/copy/paste/save data protection policy stuff. So here goes in Word, now a WIP-protected app. With the WIP policy in place, you can copy content between WIP protected apps, but can’t share it to unprotected (“personal”) apps or to the public domain without the admin’s say so. In this example, we’ve set the WIP action rules in the policy to Override (see last blog post) so we will be able to move data between protected and unprotected apps, but our event logs will tell on us. More on that later, but for now let’s try to copy and paste something from Word (protected work app) to WordPad (not protected, personal app):

[Screenshot: word1]

I clicked on the briefcase icon again so you can see the same message displayed in Word letting users know this app is WIP protected and then copied that secret squirrel company data information. Let’s see what happens when I try to paste that information into WordPad as I try and shadow IT my way around this silly security stuff:

[Screenshot: paste]

Hmm, busted. If I click Change to personal, the WIP policy will allow me to paste. This is because we have the WIP policy action set to Override…which I did so I’d have something interesting to show you here. If you think we’ve gotten away with something because the paste succeeded, just remember that when the admin lets you change file ownership to personal, it’s logged…it’s all logged. I’ll show you that in a second, but first, let’s talk a little more about this whole change from work to personal business. See the secret squirrel Word document below in File Explorer? Notice that it has the WIP protected briefcase icon overlay on it while the unprotected doc does not? If you want to remove WIP protection from that doc, in other words change ownership from work to yourself and make it a personal file, just right-click on the file name and select the personal option from the File ownership list (personal or work) displayed in the context menu. The screenshot to show you all this was just too big to use here, but I’m fairly certain you’ve seen a context menu before:

[Screenshot: fileexplorer]

Oh did I mention the logs? Yeah, what you just did there got logged to the event log.

WIP event logs

That’s really a bad title for this section. Technically, there aren’t any WIP event logs; there are EDP audit logs (remember, WIP used to be called Enterprise Data Protection (EDP)). However, for the purposes of this discussion, we’ll just call them WIP logs. Whatever you call them, this auditing will occur in the background with or without your users’ knowledge, depending on the WIP policy action settings. Once logged, said data can hopefully be leveraged to encourage your users to act more responsibly in the future and to also let you know what other apps or sites you might want to now protect with WIP. Moving on.

There are two logs that you can peruse for dastardly acts of data leakage, and they’re both found in Event Viewer by going here: Event Viewer\Applications and Services Logs\Microsoft\Windows\. The first is called EDP-Audit-Regular and the second is called EDP-Audit-TCP. Here’s what they do.

EDP-Audit-Regular perks up its ears when someone takes some action against the WIP policy actions you’ve defined. For example, when I tried to copy from Word to WordPad, the WIP Override action popped up with the option to allow me to switch to personal context and paste, but it also recorded the paste-to-personal action in the event log like so:

[Screenshot: copy2unsecure]

Next up is EDP-Audit-TCP. This event log contains information about file ownership changes. Changes from work to personal, and only changes from work to personal, to be precise. You can change ownership from personal to work all day long with no resulting logging action. Why would you change something from work to personal, you ask? Let me give you a reason and an example. When you WIP protect an app, it becomes very protective of anything you might edit or create for your company in the future. It also assumes that anything you open (even if it’s personal) should now be protected with the WIP powers bestowed upon the app. Which is generally a good thing, but if you’re using Excel to make a family budget or Word to make a grocery shopping list, you probably don’t need that being marked work and protected by WIP (unless you’re shopping for a secret recipe). So, in this situation, when you open an unprotected document in Word, you will see this message:

[Screenshot: openunprotected]

Just say OK to open the file and change its ownership to work. When you’re finished editing the file, save it and just change the file ownership back to personal. Oh yeah, remember if you do that, it’s going to be logged like so to the EDP-Audit-TCP event log:

[Screenshot: removedprotection]
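If clicking through Event Viewer on each device gets old, here is an added example (my own script, not something from the post or from Intune) that pulls the last day of entries from both audit logs with PowerShell and prints a one-line summary per event. It assumes the two Event Viewer folders above map to the Get-WinEvent channel names shown in the script; run it in an elevated prompt on a WIP-managed device.

```powershell
# Added example: list recent WIP (EDP) audit events from both channels.
# ASSUMPTION: the Event Viewer folders EDP-Audit-Regular and EDP-Audit-TCP
# correspond to these Get-WinEvent log names. Confirm on your device with:
#   Get-WinEvent -ListLog '*EDP*'
param(
    [int]$Hours = 24   # how far back to look
)

$channels = @(
    'Microsoft-Windows-EDP-Audit-Regular/Admin',  # policy actions, e.g. paste to a personal app
    'Microsoft-Windows-EDP-Audit-TCP/Admin'       # file ownership changes from work to personal
)

$since = (Get-Date).AddHours(-$Hours)

$events = foreach ($log in $channels) {
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction Stop
    }
    catch {
        # Get-WinEvent throws when a channel simply has no matching events;
        # treat that as "nothing to report" and rethrow anything else.
        if ($_.Exception.Message -notmatch 'No events were found') { throw }
    }
}

$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Swap the final Format-Table for Export-Csv if you want to collect the results from several devices and compare which apps and sites keep showing up, since that is the list of things you might want to protect next.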

And there you have it. WIP in a nutshell. Part I of this series showed you the admin experience and Part II explained the end-user goings on and how to view the log files. I hope my explanations helped and you’ll soon be taking advantage of this great feature for app data protection while managing Windows 10 as a mobile device with Intune!


You’ve seen my blog; want to follow me on Twitter too? @JeffGilb.

Comments (1)

  1. Stefan says:

    Nice explanation, thank you
