Windows 10 security guide to fortify your defenses
The Windows 10 Anniversary Update includes a number of new features, and one of the most notable is Windows Information Protection.
Formerly known as Enterprise Data Protection, Windows Information Protection (WIP) allows organizations to control access to business data by distinguishing it from personal data on devices.
WIP brings an entirely new element to Windows 10. It is not a replacement for BitLocker, the Microsoft encryption software that also comes with Windows. BitLocker protects data if a device is lost, stolen or compromised. Windows Information Protection allows an organization to control what Windows 10 users can do with business data and what applications can access it, while leaving personal data alone.
What is Windows Information Protection?
Prior to the Windows 10 Anniversary Update, administrators had no way to identify and control business data on Windows devices without turning to other Microsoft or third-party products. WIP changes that. The new technology is built into Windows, and admins can control it by configuring policies in Microsoft System Center Configuration Manager, Intune or third-party mobile device management products that support the new policies.
Windows Information Protection prevents data leaks and ensures that only authorized applications and users can access specific data, without requiring users to work in specialized applications. WIP can also help protect data on devices with multiple user profiles and extend to users' personal devices. WIP protections can apply to any application, including line-of-business (LOB) apps and off-the-shelf consumer products. Admins do not need to update apps to get the basic benefits of WIP.
Administrators can use WIP's audit reports to track user behavior and take remedial action. WIP also allows administrators to control certain user behaviors, such as copying and pasting protected data into nonprotected applications, or copying files to removable media such as thumb drives. IT can restrict users to copying protected content only between approved applications. WIP is designed to work with Office 365 ProPlus and Azure Rights Management to protect data after it leaves a device.
How Windows Information Protection works
Configuring WIP policies starts with listing which applications have access to business data. After admins add the applications, they must select the protection level to apply to the data.
They can select:
- Block: Stops users from completing inappropriate data sharing actions or sharing data outside the corporate network.
- Override: Warns users when they're about to perform an unapproved data sharing task, but does not stop them. If users carry out the tasks anyway, WIP logs the events to the audit log.
- Silent: Logs inappropriate data sharing without trying to prevent it. Even in this mode, WIP still blocks actions that are never permitted, such as a user trying to access network resources or WIP-protected data they are not authorized to view.
- Off: Disables the WIP policy and prevents it from affecting managed systems.
Once admins set the protection level, they must specify what data approved apps can access. To do so, they must provide the data's network locations and configure other settings as appropriate.
After admins configure and enable the policies, Windows Information Protection automatically marks any data users download from a registered network location as protected business data and encrypts it on the managed device. WIP also protects the data generated by a registered application or, depending on the application, permits users to specify the data as business or personal.
Because WIP is fully integrated into Windows 10, users can work like they always have, except they might not be able to perform certain tasks involving business data. For example, users may not be allowed to post business-related documents to Dropbox.
Introducing enlightened apps
Any data a WIP-registered application generates is protected without admins having to modify the app, but not all data an app generates is business related. In fact, employees routinely use applications to generate both personal and business data, especially with mobile devices.
This is where what Microsoft calls "enlightened applications" come into play. An enlightened application protects business data just like an unenlightened one does, but it can tell business data apart from personal data and protects only the business data, according to the WIP policies admins configure. Enlightened applications also give users the option to mark and save data as personal. Unenlightened apps encrypt all the data they produce.
If admins want to enlighten their LOB apps, they must update them to incorporate the Windows Information Protection features, using the new WIP APIs and settings available for Windows applications. For organizations running numerous LOB apps, this could represent a significant effort and entail careful planning for how and when to implement the changes. Microsoft has already enlightened many of its applications, including the Office 2016 suite and Edge.
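The following is an added example, not code from the article or from Microsoft, of how a UWP app becomes "enlightened" using the Windows.Security.EnterpriseData APIs introduced with the Anniversary Update: it tags a saved file as business or personal, and asks the policy how a copy between two identities should be handled, which maps onto the Block and Override modes described above. The enterprise identity "contoso.com" is a placeholder; a real app learns it from the policy the MDM server pushes.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.EnterpriseData;
using Windows.Storage;

// Added example of an "enlightened" UWP app. "contoso.com" stands in for the
// enterprise identity configured in the organization's WIP policy.
public static class EnlightenedSave
{
    const string EnterpriseId = "contoso.com";   // placeholder identity

    // Tag a file the user just created as business or personal. An unenlightened
    // app cannot make this distinction: under WIP everything it writes is encrypted.
    public static async Task<FileProtectionStatus> SaveAsync(StorageFile file, bool isBusiness)
    {
        // If this device is not enrolled in a WIP policy for the identity,
        // there is nothing to protect and the file simply stays personal.
        if (!ProtectionPolicyManager.IsIdentityManaged(EnterpriseId))
            return FileProtectionStatus.Unprotected;

        FileProtectionInfo info = isBusiness
            ? await FileProtectionManager.ProtectAsync(file, EnterpriseId)   // encrypt as business data
            : await FileProtectionManager.UnprotectAsync(file);              // explicitly personal
        return info.Status;
    }

    // Before moving data between contexts (copy/paste, share, save elsewhere), ask
    // WIP how the current policy treats the transfer. The result reflects the
    // protection level the admin chose:
    //   Allowed         - both sides belong to the same managed identity
    //   Blocked         - Block mode: the app must refuse the operation
    //   ConsentRequired - Override mode: show the prompt; the decision is audited
    public static async Task<bool> TryShareAsync(string sourceIdentity, string targetIdentity)
    {
        var result = ProtectionPolicyManager.CheckAccess(sourceIdentity, targetIdentity);
        if (result == ProtectionPolicyEvaluationResult.ConsentRequired)
        {
            // Raises the WIP override dialog; WIP writes the user's choice to the audit log.
            result = await ProtectionPolicyManager.RequestAccessAsync(sourceIdentity, targetIdentity);
        }
        return result == ProtectionPolicyEvaluationResult.Allowed;
    }
}
```

Passing an empty string as one of the identities represents a personal (unmanaged) context, so `TryShareAsync("contoso.com", "")` is the check an app performs before letting business data leave the enterprise boundary.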
Organizations that rely heavily on applications users commonly work with in both personal and business settings must choose an all-or-nothing approach to WIP data protection or wait until they're better prepared to make the switch. Then there are organizations running earlier versions of Windows, Office and other products not likely to reach enlightenment any time soon, if at all. The question then remains whether the WIP promise is enough of an incentive to convince organizations to upgrade their systems.