---
title: Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune (Windows 10)
description: The Azure portal for Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, supporting mobile device management (MDM), to let you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: justinha
ms.author: justinha
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/05/2019
---

Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune

Applies to:

  • Windows 10, version 1607 and later
  • Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)

Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.

Alternative steps if you use MAM only (without device enrollment)

This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, see Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune.

If the same user and device are targeted for both MDM policy and MAM-only (without device enrollment) policy, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using Settings > Email & accounts > Add a work or school account), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in Settings.

Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.

Add a WIP policy

Follow these steps to add a WIP policy using Intune.

To add a WIP policy

  1. Open Microsoft Intune and click Client apps.

    Open Client apps

  2. In Client apps, click App protection policies.

    App protection policies

  3. In the App policy screen, click Add a policy, and then fill out the fields:

  4. Click Protected apps and then click Add apps.

    Add protected apps

    You can add these types of apps:

To add Recommended apps, select each app you want to access your enterprise data, and then click OK.

The Protected apps blade updates to show you your selected apps.

Microsoft Intune management console: Recommended apps

Add Store apps

To add Store apps, type the app product name and publisher and click OK. For example, to add the Power BI Mobile App from the Store, type the following:

  • Name: Microsoft Power BI
  • Publisher: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Product Name: Microsoft.MicrosoftPowerBIForWindows

Add Store app

To add multiple Store apps, click the ellipsis (...).

If you don't know the Store app publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.

  1. Go to the Microsoft Store for Business website, and find your app. For example, Power BI Mobile App.

  2. Copy the ID value from the app URL. For example, the Power BI Mobile App ID URL is https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, 9nblgggzlxn1.

  3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where 9nblgggzlxn1 is replaced with your ID value.

    The API runs and opens a text editor with the app details.

        {
            "packageIdentityName": "Microsoft.MicrosoftPowerBIForWindows",
            "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
        }
    
  4. Copy the publisherCertificateName value into the Publisher box and copy the packageIdentityName value into the Name box of Intune.

    Important

    The JSON file might also return a windowsPhoneLegacyId value for both the Publisher Name and Product Name boxes. This means that you have an app that's using a XAP package and that you must set the Product Name as windowsPhoneLegacyId, and set the Publisher Name as CN= followed by the windowsPhoneLegacyId.

    For example:

        {
            "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
        }

If you need to add Windows 10 mobile apps that aren't distributed through the Store for Business, you must use the Windows Device Portal feature.

Note

Your PC and phone must be on the same wireless network.

  1. On the Windows Phone, go to Settings, choose Update & security, and then choose For developers.

  2. In the For developers screen, turn on Developer mode, turn on Device Discovery, and then turn on Device Portal.

  3. Copy the URL in the Device Portal area into your device's browser, and then accept the SSL certificate.

  4. In the Device discovery area, press Pair, and then enter the PIN into the website from the previous step.

  5. On the Apps tab of the website, you can see details for the running apps, including the publisher and product names.

  6. Start the app for which you're looking for the publisher and product name values.

  7. Copy the publisherCertificateName value and paste it into the Publisher Name box and the packageIdentityName value into the Product Name box of Intune.

    Important

    The JSON file might also return a windowsPhoneLegacyId value for both the Publisher Name and Product Name boxes. This means that you have an app that's using a XAP package and that you must set the Product Name as windowsPhoneLegacyId, and set the Publisher Name as CN= followed by the windowsPhoneLegacyId.

    For example:

        {
            "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
        }
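The two procedures above (the Store for Business applockerdata API and the Device Portal) both end with the same mapping into Intune's Publisher and Product Name boxes, including the XAP special case. The following added example, which is not part of the original topic, performs that mapping on the JSON. The function names are my own, the Power BI record is the one shown on the page, and the XAP record is constructed from the page's example legacy ID; `fetch_store_app_fields` is an optional online helper that uses the catalog URL given above.

```python
import json
from urllib.request import urlopen

# Store for Business catalog endpoint from the page; {id} is the value copied
# from the end of the app's Store URL (for example 9nblgggzlxn1).
CATALOG_URL = ("https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/"
               "Products/{id}/applockerdata")

# Sample responses. SAMPLE_APPX mirrors the Power BI Mobile output on the page;
# SAMPLE_XAP is a constructed record for a hypothetical XAP-packaged app using
# the legacy ID from the page's example.
SAMPLE_APPX = {
    "packageIdentityName": "Microsoft.MicrosoftPowerBIForWindows",
    "publisherCertificateName": ("CN=Microsoft Corporation, O=Microsoft Corporation, "
                                 "L=Redmond, S=Washington, C=US"),
}
SAMPLE_XAP = {
    "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}


def intune_store_app_fields(data):
    """Map an applockerdata JSON record to the Intune Publisher / Product Name boxes.

    Per the page: a windowsPhoneLegacyId value means the app ships as a XAP
    package, so Product Name is the legacy ID and Publisher is "CN=" plus that
    ID. Otherwise the certificate subject and package identity name are used.
    """
    legacy_id = data.get("windowsPhoneLegacyId")
    if legacy_id:
        return {"publisher": "CN=" + legacy_id,
                "product_name": legacy_id,
                "package_type": "xap"}
    try:
        return {"publisher": data["publisherCertificateName"],
                "product_name": data["packageIdentityName"],
                "package_type": "appx"}
    except KeyError as missing:
        raise ValueError(f"applockerdata record lacks {missing}; not a Store app record")


def fetch_store_app_fields(product_id, timeout=10):
    """Online variant: query the catalog for a Store ID and map the result."""
    with urlopen(CATALOG_URL.format(id=product_id), timeout=timeout) as resp:
        return intune_store_app_fields(json.load(resp))


if __name__ == "__main__":
    for record in (SAMPLE_APPX, SAMPLE_XAP):
        print(intune_store_app_fields(record))
```

Paste the returned `publisher` into the Publisher box and `product_name` into the Name (Product Name) box; a record with neither field set is rejected rather than silently producing an empty rule.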

Add Desktop apps

To add Desktop apps, complete the following fields, based on what results you want returned.

| Field | Manages |
|---|---|
| All fields marked as "*" | All files signed by any publisher. (Not recommended) |
| Publisher only | If you only fill out this field, you'll get all files signed by the named publisher.<br><br>This might be useful if your company is the publisher and signer of internal line-of-business apps. |
| Publisher and Name only | If you only fill out these fields, you'll get all files for the specified product, signed by the named publisher. |
| Publisher, Name, and File only | If you only fill out these fields, you'll get any version of the named file or package for the specified product, signed by the named publisher. |
| Publisher, Name, File, and Min version only | If you only fill out these fields, you'll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<br><br>This option is recommended for enlightened apps that weren't previously enlightened. |
| Publisher, Name, File, and Max version only | If you only fill out these fields, you'll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher. |
| All fields completed | If you fill out all fields, you'll get the specified version of the named file or package for the specified product, signed by the named publisher. |

After you've entered the info into the fields, click OK.

Note

To add multiple Desktop apps, click the ellipsis (...). When you're done, click OK.

Microsoft Intune management console: Adding Desktop app info

If you're unsure about what to include for the publisher, you can run this PowerShell command:

Get-AppLockerFileInformation -Path "<path_of_the_exe>"

Where "<path_of_the_exe>" goes to the location of the app on the device. For example:

Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"

In this example, you'd get the following info:

Path                   Publisher
----                   ---------
%PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US

Where O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US is the Publisher name and WORDPAD.EXE is the File name.
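The Desktop app field table above describes which files a rule covers depending on which of Publisher, Name, File, Min version and Max version you fill in. The following added example (my own code, not part of the topic) encodes those semantics so you can check, before saving a rule, which signed binaries it would pull into the protected-apps scope. The publisher string is the one returned for wordpad.exe above; the product name and version numbers are constructed for the example, and the class and function names are assumptions.

```python
from dataclasses import dataclass

ANY = "*"  # the wildcard Intune shows for a field you leave unset


@dataclass(frozen=True)
class DesktopAppRule:
    """The five Desktop app fields; unset fields are '*' as in the table."""
    publisher: str = ANY
    name: str = ANY          # product name
    file: str = ANY          # binary name, e.g. WORDPAD.EXE
    min_version: str = ANY
    max_version: str = ANY


@dataclass(frozen=True)
class SignedBinary:
    """Signature facts for a file on the device, as Get-AppLockerFileInformation reports them."""
    publisher: str
    product: str
    file: str
    version: str


def _version(text):
    """'10.0.17763.1' -> (10, 0, 17763, 1) so ranges compare numerically."""
    return tuple(int(part) for part in text.split("."))


def _field_matches(pattern, value):
    return pattern == ANY or pattern.casefold() == value.casefold()


def rule_matches(rule, binary):
    """True if every filled-in field of the rule covers this binary.

    Min version is read as 'that version or newer' and Max version as
    'that version or older', following the table.
    """
    if not _field_matches(rule.publisher, binary.publisher):
        return False
    if not _field_matches(rule.name, binary.product):
        return False
    if not _field_matches(rule.file, binary.file):
        return False
    version = _version(binary.version)
    if rule.min_version != ANY and version < _version(rule.min_version):
        return False
    if rule.max_version != ANY and version > _version(rule.max_version):
        return False
    return True


def is_overly_broad(rule):
    """The table's 'not recommended' row: every field left as '*' means
    files signed by any publisher are treated as protected apps."""
    fields = (rule.publisher, rule.name, rule.file, rule.min_version, rule.max_version)
    return all(field == ANY for field in fields)


# Publisher string from the page's wordpad.exe output; the rule below covers
# WORDPAD.EXE from that publisher at version 10.0.0.0 or newer (constructed).
MS_PUBLISHER = "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
WORDPAD_RULE = DesktopAppRule(publisher=MS_PUBLISHER, file="WORDPAD.EXE",
                              min_version="10.0.0.0")

if __name__ == "__main__":
    candidate = SignedBinary(MS_PUBLISHER, "WORDPAD", "WORDPAD.EXE", "10.0.17763.1")
    print(rule_matches(WORDPAD_RULE, candidate), is_overly_broad(DesktopAppRule()))
```

Feeding a handful of `SignedBinary` records from your own inventory through `rule_matches` is a quick way to confirm a Publisher-only rule is not wider than intended before it reaches devices.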

Import a list of apps

For this example, we're going to add an AppLocker XML file to the Protected apps list. You'll use this option if you want to add multiple apps at the same time. The first example shows how to create a Packaged App rule for Store apps. The second example shows how to create an Executable rule by using a path for unsigned apps. For more info about AppLocker, see the AppLocker content.

To create a list of protected apps using the AppLocker tool

  1. Open the Local Security Policy snap-in (SecPol.msc).

  2. In the left blade, expand Application Control Policies, expand AppLocker, and then click Packaged App Rules.

    Local security snap-in, showing the Packaged app Rules

  3. Right-click in the right-hand blade, and then click Create New Rule.

    The Create Packaged app Rules wizard appears.

  4. On the Before You Begin page, click Next.

    Create Packaged app Rules wizard, showing the Before You Begin page

  5. On the Permissions page, make sure the Action is set to Allow and the User or group is set to Everyone, and then click Next.

    Create Packaged app Rules wizard, showing the Before You Begin page

  6. On the Publisher page, click Select from the Use an installed packaged app as a reference area.

    Create Packaged app Rules wizard, showing the Publisher

  7. In the Select applications box, pick the app that you want to use as the reference for your rule, and then click OK. For this example, we're using Microsoft Dynamics 365.

    Create Packaged app Rules wizard, showing the Select applications page

  8. On the updated Publisher page, click Create.

    Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page

  9. Click No in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy.

    Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page

  10. Review the Local Security Policy snap-in to make sure your rule is correct.

    Local security snap-in, showing the new rule

  11. In the left blade, right-click on AppLocker, and then click Export policy.

    The Export policy box opens, letting you export and save your new policy as XML.

    Local security snap-in, showing the Export Policy option

  12. In the Export policy box, browse to where the policy should be stored, give the policy a name, and then click Save.

    The policy is saved and you'll see a message that says 1 rule was exported from the policy.

    Example XML file
    This is the XML file that AppLocker creates for Microsoft Dynamics 365.

        <?xml version="1.0"?>
        <AppLockerPolicy Version="1">
            <RuleCollection EnforcementMode="NotConfigured" Type="Appx">
                <FilePublisherRule Action="Allow" UserOrGroupSid="S-1-1-0" Description="" Name="Microsoft.MicrosoftDynamicsCRMforWindows10, version 3.2.0.0 and above, from Microsoft Corporation" Id="3da34ed9-aec6-4239-88ba-0afdce252ab4">
                    <Conditions>
                        <FilePublisherCondition BinaryName="*" ProductName="Microsoft.MicrosoftDynamicsCRMforWindows10" PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US">
                            <BinaryVersionRange HighSection="*" LowSection="3.2.0.0"/>
                        </FilePublisherCondition>
                    </Conditions>
                </FilePublisherRule>
            </RuleCollection>
            <RuleCollection EnforcementMode="NotConfigured" Type="Dll"/>
            <RuleCollection EnforcementMode="NotConfigured" Type="Exe"/>
            <RuleCollection EnforcementMode="NotConfigured" Type="Msi"/>
            <RuleCollection EnforcementMode="NotConfigured" Type="Script"/>
        </AppLockerPolicy>
    
  13. After you've created your XML file, you need to import it by using Microsoft Intune.

To create an Executable rule and xml file for unsigned apps

  1. Open the Local Security Policy snap-in (SecPol.msc).

  2. In the left pane, click Application Control Policies > AppLocker > Executable Rules.

  3. Right-click Executable Rules > Create New Rule.

    Local security snap-in, showing the Executable Rules

  4. On the Before You Begin page, click Next.

  5. On the Permissions page, make sure the Action is set to Allow and the User or group is set to Everyone, and then click Next.

  6. On the Conditions page, click Path and then click Next.

    Create Packaged app Rules wizard, showing the Publisher

  7. Click Browse Folders... and select the path for the unsigned apps. For this example, we're using "C:\Program Files".

    Create Packaged app Rules wizard, showing the Select applications page

  8. On the Exceptions page, add any exceptions and then click Next.

  9. On the Name page, type a name and description for the rule and then click Create.

  10. In the left pane, right-click AppLocker > Export policy.

  11. In the Export policy box, browse to where the policy should be stored, give the policy a name, and then click Save.

    The policy is saved and you'll see a message that says 1 rule was exported from the policy.

  12. After you've created your XML file, you need to import it by using Microsoft Intune.
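Both procedures above end with an exported AppLocker XML file, and the steps ask you to verify the rule (Allow, Everyone, no default rules) before importing it. The following added example, which is my own code and not part of the topic, parses such an export and reports anything that departs from what the procedures specify. The sample policy embeds the Dynamics 365 packaged-app rule exactly as shown on the page plus a constructed Exe path rule of the kind the second procedure produces; the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample export: the Appx rule is the page's Dynamics 365 example,
# the Exe path rule stands in for the second procedure's unsigned-app rule.
SAMPLE_POLICY = r"""<?xml version="1.0"?>
<AppLockerPolicy Version="1">
    <RuleCollection EnforcementMode="NotConfigured" Type="Appx">
        <FilePublisherRule Action="Allow" UserOrGroupSid="S-1-1-0" Description="" Name="Microsoft.MicrosoftDynamicsCRMforWindows10, version 3.2.0.0 and above, from Microsoft Corporation" Id="3da34ed9-aec6-4239-88ba-0afdce252ab4">
            <Conditions>
                <FilePublisherCondition BinaryName="*" ProductName="Microsoft.MicrosoftDynamicsCRMforWindows10" PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US">
                    <BinaryVersionRange HighSection="*" LowSection="3.2.0.0"/>
                </FilePublisherCondition>
            </Conditions>
        </FilePublisherRule>
    </RuleCollection>
    <RuleCollection EnforcementMode="NotConfigured" Type="Dll"/>
    <RuleCollection EnforcementMode="NotConfigured" Type="Exe">
        <FilePathRule Action="Allow" UserOrGroupSid="S-1-1-0" Description="" Name="Unsigned line-of-business apps under Program Files" Id="00000000-0000-0000-0000-000000000001">
            <Conditions>
                <FilePathCondition Path="%PROGRAMFILES%\*"/>
            </Conditions>
        </FilePathRule>
    </RuleCollection>
    <RuleCollection EnforcementMode="NotConfigured" Type="Msi"/>
    <RuleCollection EnforcementMode="NotConfigured" Type="Script"/>
</AppLockerPolicy>
"""

EVERYONE_SID = "S-1-1-0"


def parse_applocker_policy(xml_text):
    """Flatten every rule in the export into a dict with its collection type,
    rule kind, Action, SID, and the single condition the wizard writes."""
    root = ET.fromstring(xml_text)
    rules = []
    for collection in root.findall("RuleCollection"):
        for rule in collection:
            entry = {
                "collection": collection.get("Type"),
                "rule_type": rule.tag,
                "name": rule.get("Name"),
                "action": rule.get("Action"),
                "sid": rule.get("UserOrGroupSid"),
            }
            condition = rule.find("Conditions/*")
            if condition is not None:
                entry["condition"] = dict(condition.attrib)
                version_range = condition.find("BinaryVersionRange")
                if version_range is not None:
                    entry["version_range"] = (version_range.get("LowSection"),
                                              version_range.get("HighSection"))
            rules.append(entry)
    return rules


def check_for_wip_import(rules):
    """Findings for rules that don't match what the procedures specify:
    Action Allow, User or group Everyone, and only Appx or Exe rules."""
    findings = []
    for rule in rules:
        where = f"{rule['collection']} rule '{rule['name']}'"
        if rule["action"] != "Allow":
            findings.append(f"{where}: Action is {rule['action']}, the procedure uses Allow")
        if rule["sid"] != EVERYONE_SID:
            findings.append(f"{where}: UserOrGroupSid is {rule['sid']}, the procedure uses Everyone ({EVERYONE_SID})")
        if rule["collection"] not in ("Appx", "Exe"):
            findings.append(f"{where}: only Packaged app (Appx) and Executable (Exe) rules are covered by the procedures")
    return findings


if __name__ == "__main__":
    parsed = parse_applocker_policy(SAMPLE_POLICY)
    for entry in parsed:
        print(entry)
    print("findings:", check_for_wip_import(parsed))
```

Because the wizard reports "1 rule was exported" per procedure, a parsed rule count larger than the number of rules you created is the quickest sign that default rules slipped into the export.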

To import a list of protected apps using Microsoft Intune

  1. In Protected apps, click Import apps.

    Import protected apps

    Then import your file.

    Microsoft Intune, Importing your AppLocker policy file using Intune

  2. Browse to your exported AppLocker policy file, and then click Open.

    The file imports and the apps are added to your Protected apps list.

Exempt apps from a WIP policy

If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.

To exempt a Store app, a Desktop app, or an AppLocker policy file from the Protected apps list

  1. In Client apps - App protection policies, click Exempt apps.

    Exempt apps

  2. In Exempt apps, click Add apps.

    Be aware that when you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data.

  3. Fill out the rest of the app info, based on the type of app you're adding:

  4. Click OK.

Manage the WIP protection mode for your enterprise data

After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.

We recommend that you start with Silent or Allow Overrides while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, Block.

Note

For info about how to collect your audit log files, see How to collect Windows Information Protection (WIP) audit event logs.

To add your protection mode

  1. From the App protection policy blade, click the name of your policy, and then click Required settings from the menu that appears.

    The Required settings blade appears.

    Microsoft Intune, Required settings blade showing Windows Information Protection mode

    | Mode | Description |
    |---|---|
    | Block | WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise. |
    | Allow Overrides | WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see How to collect Windows Information Protection (WIP) audit event logs. |
    | Silent | WIP runs silently, logging inappropriate data sharing, without blocking anything that would've been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped. |
    | Off (not recommended) | WIP is turned off and doesn't help to protect or audit your data.<br><br>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on. |

  2. Click Save.

Define your enterprise-managed corporate identity

Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.

Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the Corporate identity field.

To change your corporate identity

  1. From the App policy blade, click the name of your policy, and then click Required settings.

  2. If the auto-defined identity isn't correct, you can change the info in the Corporate identity field. If you need to add domains, for example your email domains, you can do it in the Advanced settings area.

    Microsoft Intune, Set your corporate identity for your organization

Choose where apps can access enterprise data

After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.

There are no default locations included with WIP; you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).

Important

Every WIP policy should include policy that defines your enterprise network locations.
Classless Inter-Domain Routing (CIDR) notation isn't supported for WIP configurations.

To define where your protected apps can find and send enterprise data on your network

  1. From the App policy blade, click the name of your policy, and then click Advanced settings.

  2. Click Add network boundary from the Network perimeter area.

    Microsoft Intune, Set where your apps can access enterprise data on your network

  3. Select the type of network boundary to add from the Boundary type box.

  4. Type a name for your boundary into the Name box, add your values to the Value box, based on the following options, and then click OK.

    <table>
    <tr>
        <th>Boundary type</th>
        <th>Value format</th>
        <th>Description</th>
    </tr>
    <tr>
        <td>Cloud Resources</td>
        <td>With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<br><br>Without proxy: contoso.sharepoint.com|contoso.visualstudio.com</td>
        <td>Specify the cloud resources to be treated as corporate and protected by WIP.<br><br>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<br><br>If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<br><br>Personal applications will be able to access Enterprise Cloud Resources if the resource in the Enterprise Cloud Resource Policy has a blank space or an invalid character, such as a trailing dot in the URL.<br><br><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code><br><br>When you use the <code>/&#42;AppCompat&#42;/</code> string, we recommend that you also turn on <a href="https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access">Azure Active Directory Conditional Access</a> by using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.<br><br><strong>Note</strong><br>To add subdomains for a cloud resource, use a period (.) instead of an asterisk (*). For example: To add all subdomains within Office.com, use ".office.com" (without the quotation marks).</td>
    </tr>
    <tr>
        <td>Protected domains</td>
        <td>exchange.contoso.com,contoso.com,region.contoso.com</td>
        <td>Specify the domains used for identities in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<br><br>If you have multiple domains, you must separate them using the "," delimiter.</td>
    </tr>
    <tr>
        <td>Network domains</td>
        <td>corp.contoso.com,region.contoso.com</td>
        <td>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<br><br>If you have multiple resources, you must separate them using the "," delimiter.</td>
    </tr>
    <tr>
        <td>Proxy servers</td>
        <td>proxy.contoso.com:80;proxy2.contoso.com:443</td>
        <td>Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the ";" delimiter.</td>
    </tr>
    <tr>
        <td>Internal proxy servers</td>
        <td>contoso.internalproxy1.com;contoso.internalproxy2.com</td>
        <td>Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the ";" delimiter.</td>
    </tr>
    <tr>
        <td>IPv4 ranges</td>
        <td><strong>Starting IPv4 Address:</strong> 3.4.0.1<br><strong>Ending IPv4 Address:</strong> 3.4.255.254<br><strong>Custom URI:</strong> 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
        <td>Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.<br><br>If you have multiple ranges, you must separate them using the "," delimiter.</td>
    </tr>
    <tr>
        <td>IPv6 ranges</td>
        <td><strong>Starting IPv6 Address:</strong> 2a01:110::<br><strong>Ending IPv6 Address:</strong> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br><strong>Custom URI:</strong> 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
        <td>Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.<br><br>If you have multiple ranges, you must separate them using the "," delimiter.</td>
    </tr>
    <tr>
        <td>Neutral resources</td>
        <td>sts.contoso.com,sts.contoso2.com</td>
        <td>Specify your authentication redirection endpoints for your company.<br><br>These locations are considered enterprise or personal, based on the context of the connection before the redirection.<br><br>If you have multiple resources, you must separate them using the "," delimiter.</td>
    </tr>
    </table>


  5. Repeat steps 1-4 to add any additional network boundaries.

  6. Decide if you want Windows to look for additional network settings:

    Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise

    • Enterprise Proxy Servers list is authoritative (do not auto-detect). Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.

    • Enterprise IP Ranges list is authoritative (do not auto-detect). Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
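The network boundary table above fixes the delimiters for each boundary type ("|" and "," for cloud resources, ";" for proxy lists, "," and start-end for IP ranges) and names the mistakes that weaken a policy: a blank space or trailing dot in a cloud resource lets personal apps reach it, CIDR notation is not accepted, and a server must not appear in both the Proxy servers and Internal proxy servers lists. The following added example, which is my own code and not part of the topic, checks a set of boundary values against those rules before you paste them into the Value box. The sample values come from the table's Value format column; the function names are assumptions.

```python
import ipaddress

APPCOMPAT = "/*AppCompat*/"


def parse_cloud_resources(value):
    """Split 'URL <,proxy>|URL <,proxy>|/*AppCompat*/' into (host, proxy)
    pairs plus a flag saying whether the AppCompat marker is present."""
    entries, appcompat = [], False
    for item in value.split("|"):
        if not item:
            continue
        if item == APPCOMPAT:
            appcompat = True
            continue
        host, _, proxy = item.partition(",")
        entries.append((host, proxy or None))
    return entries, appcompat


def check_cloud_resources(value):
    """Findings for the Cloud resources pitfalls the table calls out."""
    findings = []
    entries, appcompat = parse_cloud_resources(value)
    for host, _proxy in entries:
        if " " in host:
            findings.append(f"{host!r}: contains a blank space, so personal apps can reach it")
        if host.endswith("."):
            findings.append(f"{host!r}: trailing dot is an invalid character, so personal apps can reach it")
        if host.startswith("*"):
            findings.append(f"{host!r}: use a leading period (.) rather than '*' for subdomains")
    if appcompat:
        findings.append("/*AppCompat*/ is set: direct-to-IP connections are no longer blocked; "
                        "pair it with Azure AD Conditional Access (domain joined or marked as compliant)")
    return findings


def parse_ip_ranges(value, version=4):
    """Parse 'start-end,start-end' into address pairs; CIDR is reported,
    not accepted, because WIP doesn't support it."""
    ranges, errors = [], []
    for item in value.replace("\n", "").split(","):
        item = item.strip()
        if not item:
            continue
        if "/" in item:
            errors.append(f"{item}: CIDR notation isn't supported, use start-end")
            continue
        start, sep, end = item.partition("-")
        if not sep:
            errors.append(f"{item}: expected start-end")
            continue
        try:
            low, high = ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip())
        except ValueError as exc:
            errors.append(f"{item}: {exc}")
            continue
        if low.version != version or high.version != version:
            errors.append(f"{item}: not an IPv{version} range")
        elif low > high:
            errors.append(f"{item}: start address is after end address")
        else:
            ranges.append((low, high))
    return ranges, errors


def parse_proxy_list(value):
    """Proxy and Internal proxy lists use ';' between servers."""
    return [server.strip() for server in value.split(";") if server.strip()]


def proxy_list_overlap(proxy_servers, internal_proxy_servers):
    """Servers that appear in both lists; the table requires the lists to be disjoint."""
    return sorted(set(parse_proxy_list(proxy_servers)) & set(parse_proxy_list(internal_proxy_servers)))


if __name__ == "__main__":
    # Values from the table's Value format column (constructed sample run).
    print(check_cloud_resources("contoso.sharepoint.com,contoso.internalproxy1.com|"
                                "contoso.visualstudio.com,contoso.internalproxy2.com"))
    print(parse_ip_ranges("3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254"))
    print(proxy_list_overlap("proxy.contoso.com:80;proxy2.contoso.com:443",
                             "contoso.internalproxy1.com;contoso.internalproxy2.com"))
```

An empty findings list from `check_cloud_resources`, an empty error list from `parse_ip_ranges`, and an empty overlap list together mean the values are at least syntactically what the boundary types expect; the AppCompat finding is informational and only reminds you to enable the conditional access option the table recommends.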

Upload your Data Recovery Agent (DRA) certificate

After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees local device drive. If somehow the employees local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.

Important

Using a DRA certificate isn't mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the Data Recovery and Encrypting File System (EFS) topic. For more info about creating and verifying your EFS DRA certificate, see the Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate topic.

To upload your DRA certificate

  1. From the App policy blade, click the name of your policy, and then click Advanced settings from the menu that appears.

    The Advanced settings blade appears.

  2. In the Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data box, click Browse to add a data recovery certificate for your policy.

    Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate

After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings.

To set your optional settings

  1. Choose to set any or all optional settings:

    Microsoft Intune, Choose if you want to include any of the optional settings

    • Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:

      • On. Turns on the feature and provides the additional protection.

      • Off, or not configured. Doesn't enable this feature.

    • Revoke encryption keys on unenroll. Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:

      • On, or not configured (recommended). Revokes local encryption keys from a device during unenrollment.

      • Off. Stops local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions.

    • Show the enterprise data protection icon. Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:

      • On. Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the Start menu.

      • Off, or not configured (recommended). Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option.

    • Use Azure RMS for WIP. Determines whether to use Azure Rights Management encryption with Windows Information Protection.

      • On. Starts using Azure Rights Management encryption with WIP. By turning this option on, you can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. For more info about setting up Azure Rights management and using a template ID with WIP, see the Choose to set up Azure Rights Management with WIP section of this topic.

      • Off, or not configured. Stops using Azure Rights Management encryption with WIP.

    • Allow Windows Search Indexer to search encrypted files. Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files.

      • On. Starts Windows Search Indexer to index encrypted files.

      • Off, or not configured. Stops Windows Search Indexer from indexing encrypted files.

Choose to set up Azure Rights Management with WIP

WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see Microsoft Azure Rights Management. To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.

To configure WIP to use Azure Rights Management, you must set the AllowAzureRMSForEDP MDM setting to 1 in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.

Optionally, if you don't want everyone in your organization to be able to share your enterprise data, you can set the RMSTemplateIDForEDP MDM setting to the TemplateID of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the EditRightsData option.

Important

Curly braces -- {} -- are required around the RMS Template ID.

Note

For more info about setting the AllowAzureRMSForEDP and the RMSTemplateIDForEDP MDM settings, see the EnterpriseDataProtection CSP topic. For more info about setting up and using a custom template, see Configuring custom templates for the Azure Rights Management service topic.
