windows-itpro-docs/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md

title, description, ms.date, ms.prod, ms.topic, ms.localizationpriority, author, ms.author, ms.reviewer, manager

title	description	ms.date	ms.prod	ms.topic	ms.localizationpriority	author	ms.author	ms.reviewer	manager
How to disable Windows Information Protection (WIP)	How to disable Windows Information Protection (WIP)	07/15/2022	m365-security	how-to	medium	lizgt2000	lizlong	aaroncz	dougeby

How to disable Windows Information Protection (WIP)

Applies to:

• Windows 10

• Windows 11

  Note

  liz add blurb about disable

Use Intune to disable WIP

To disable Windows Information Protection (WIP) using Intune, you have the following options:

Option 1 - Remove the WIP Policy (Unassign) - preferred

Removing an existing enable policy will remove the intent to deploy WIP from those devices. When that intent is removed, a device will remove protection for files and the configuration for WIP.

Option 2 - Change current WIP policy to off

If you’re currently deploying a WIP policy for enrolled or unenrolled devices, you switch the WIP policy to Off. When devices check-in after this change, the devices will proceed to unprotect files previously protected by WIP.

1. Sign in to the Microsoft Endpoint Manager.

2. Open Microsoft Intune and select Apps > App protection policies > In Client apps - App protection policies, select <> apps. Select the existing policy to turn off.

3. From App protection policy, select the name of your policy, and then select the name of your properties.

4. Edit required settings. :::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level" source="images/wip-configmgr-disable-wip.png":::

5. Set Windows Information Protection mode to off.

6. After making this change, select review and save.

7. Select save.

   Note

   Another option is to create a disable policy.
   You can create a separate disable policy for WIP (both enrolled and unenrolled) and deploy that to your organization. You then stage the rollout by complimenting your existing enablement policy and moving entities slowly from being targeted with enable to the disable policy.

Use Configuration Manager to disable WIP

To remove Windows Information Protection (WIP) using Configuration Manager

Add a WIP policy

After you've installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.

Warning

Don't just delete your existing WIP policy.

To create a configuration item for WIP

1. Open the Configuration Manager console, click the Assets and Compliance node, expand the Overview node, expand the Compliance Settings node, and then expand the Configuration Items node.

   

2. Click the Create Configuration Item button.

   The Create Configuration Item Wizard starts.

   

3. On the General Information screen, type a name (required) and an optional description for your policy into the Name and Description boxes.

4. In the Specify the type of configuration item you want to create area, pick the option that represents whether you use Configuration Manager for device management, and then click Next.

   • Settings for devices managed with the Configuration Manager client: Windows 10

     -OR-

   • Settings for devices managed without the Configuration Manager client: Windows 8.1 and Windows 10

5. On the Supported Platforms screen, click the Windows 10 box, and then click Next.

   

6. On the Device Settings screen, click Windows Information Protection, and then click Next.

   

The Configure Windows Information Protection settings page appears, where you'll configure your policy for your organization.

Manage the WIP-protection level for your enterprise data

liz I need a different figure below - this is Intune - need config mgr

Set the Windows Information Protection mode to Off.

:::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level" source="images/wip-configmgr-disable-wip.png":::

Define your enterprise-managed identity domains

Tip

For additional help filling out the required fields, please reference
Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager

Add your corporate identity

• Type the name of your corporate identity into the Corporate identity field. For example, contoso.com or contoso.com|newcontoso.com.

  

Choose where apps can access enterprise data

After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.

To define where your protected apps can find and send enterprise data on you network

Add additional network locations your apps can access by clicking Add. The Add or edit corporate network definition box appears. Add the required fields.

In the required Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data box, click Browse to add a data recovery certificate for your policy.

Deploy the WIP policy

After you've created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:

• Operations and Maintenance for Compliance Settings in Configuration Manager

• How to Create Configuration Baselines for Compliance Settings in Configuration Manager

• How to Deploy Configuration Baselines in Configuration Manager

Related topics

• How to collect Windows Information Protection (WIP) audit event logs

• General guidance and best practices for Windows Information Protection (WIP)

• Limitations while using Windows Information Protection (WIP)

• Create a configuration baseline that includes the new configuration item

• Create a new collection

• Deploy the baseline to the collection

• Move devices from old collection to new collection

liz for above do we have a reference link for doing this move