If you’ve been picking up what I’ve been putting down on my blog about Windows Information Protection (WIP), then by now you’ve read Part I & Part II, which means you know how to create a WIP policy with Intune as well as what happens from the end user and Windows event logging perspective. If you haven’t read those, then this post (the trilogy-ending explanation of how to report on WIP activity) will not be super interesting.
At this point we’ve created a WIP policy and deployed it to Windows 10 (v1607+) computers being managed as mobile devices by Intune. You’ve seen the policy do its thing and what logs kick into gear when WIP policies get triggered. Don’t remember? OK that’s kind of like reporting so here’s that again:
- Event Viewer\Applications and Services Logs\Microsoft\Windows\EDP-Audit-Regular. This one tells on users when they do something to violate the WIP policies you’ve set (in override or silent mode). Things like copy/paste from Word (protected) to WordPad (unprotected).
- Event Viewer\Applications and Services Logs\Microsoft\Windows\EDP-Audit-TCP. This event log records when you’ve removed WIP protection from a previously protected file.
Bonus tip: if you want to verify that WIP policies have been applied to a PC, just look to see if these two registry keys have appeared: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDataProtection & HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDataProtection\Policies.
Now this might seem a little anti-climactic, but bear with me. The way to review interesting information about how the WIP policy you’ve deployed is getting on is to just run a standard Microsoft Intune Windows Information Protection report. That’s it, end of post. Almost.
Here’s where you go to run the report when using the Intune Silverlight console:
Notice how it defaults to the past 24 hours? Yes, I’m writing this just before I go on vacation—happy holidays! Anyway, that’s interesting because WIP events are only forwarded to the Intune service once a day at some random time per PC. This means you won’t see anything in these reports for up to 24 hours after an event occurs. That’s probably OK as you’ve most likely been running WIP in override or silent mode because you’re looking for apps that you need to protect. And it takes a while for a trend to develop worth your time to WIP’ify.
So what does the report look like? This (uninteresting columns removed to save screen shot space):
From the Intune Silverlight console you get the above information. Looks like this firstname.lastname@example.org guy has been up to a lot of no-good to me! You can see how data protection has been removed twice—or I’ve changed a work file to personal—and there’s also been some data copy shenanigans going on. Remove WIP protection from a file? That file path is listed to tell you which one. Copying data from a protected app to an unprotected app? The AppLocker information for those is present here too. By the way, that’s a nice way to grab the information to add new apps to your existing WIP policy. Here’s what the report information displays for source and destination app when I copied from Word (a protected app) to WordPad (unprotected app):
- Source: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE
- Destination: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE
Tip: Having a hard time reading the columns in the Intune report? Just export everything to .csv (top-right corner of the report). That will make it easy to pivot or copy and paste that AppLocker information for future WIP policy updates.
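Since the Intune report can lag a full day behind, here is an added PowerShell example (not from the original post or from Microsoft) that checks the two registry keys from the bonus tip, summarises the last 24 hours of events from the two WIP audit logs locally, and splits the AppLocker publisher paths shown in the report into the pieces you paste into a WIP app rule. It assumes the Event Viewer folders named above map to the channel names Microsoft-Windows-EDP-Audit-Regular/Admin and Microsoft-Windows-EDP-Audit-TCP/Admin.

```powershell
# Added example, not part of the original post.
# Assumption: the Event Viewer folders map to these channel names.
$channels = 'Microsoft-Windows-EDP-Audit-Regular/Admin',
            'Microsoft-Windows-EDP-Audit-TCP/Admin'

# 1. Has the WIP policy landed on this PC? (registry keys from the bonus tip)
$keys = 'HKLM:\SOFTWARE\Microsoft\EnterpriseDataProtection',
        'HKLM:\SOFTWARE\Microsoft\EnterpriseDataProtection\Policies'
foreach ($k in $keys) {
    $state = if (Test-Path $k) { 'present' } else { 'MISSING' }
    Write-Host ("{0,-8} {1}" -f $state, $k)
}

# 2. Local view of the same window the Intune report defaults to (past 24 hours).
$since = (Get-Date).AddHours(-24)
foreach ($c in $channels) {
    # Get-WinEvent errors out when no events match, so suppress that and treat it as zero.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $c; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    "{0}: {1} event(s) since {2}" -f $c, @($events).Count, $since
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize
}

# 3. The report's Source/Destination columns are AppLocker publisher paths of the form
#    "<publisher DN>\<product name>\<binary>". The DN contains commas but no backslashes,
#    so splitting on '\' is safe. Product names may themselves contain a backslash, so
#    everything between the first and last segment is rejoined as the product.
function Split-WipAppLockerPath {
    param([Parameter(Mandatory)][string]$Path)
    $parts = $Path -split '\\'
    if ($parts.Count -lt 3) { throw "Unexpected AppLocker path: $Path" }
    [pscustomobject]@{
        Publisher = $parts[0]
        Product   = ($parts[1..($parts.Count - 2)] -join '\')
        Binary    = $parts[-1]
    }
}

# Constructed input: the two paths quoted in the post.
'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE',
'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE' |
    ForEach-Object { Split-WipAppLockerPath $_ } | Format-Table -AutoSize
```

Run it in an elevated PowerShell on a managed PC; the event summary tells you whether activity exists locally before the Intune report has had a chance to catch up.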
And that’s WIP in a nutshell. Time for me to go play with something else and find another interesting subject to blog for you. Maybe OMA-URI.
You’ve seen my blog; want to follow me on Twitter too? @JeffGilb.