Microsoft Windows Information Protection (WIP)

Contributor(s): Eddie Lockhart

Windows Information Protection is a feature built into Windows 10 that allows IT shops to control and manage business data separately from personal data on users' devices.

Formerly known as enterprise data protection, Windows Information Protection (WIP) debuted in the Windows 10 Anniversary Update. In addition to separating business and personal data, IT administrators can use WIP to determine which users and which applications have access to what data and what users can do with corporate data. For example, IT can prevent users from copying corporate data from an approved app and pasting it in an unapproved app. They can also prevent users from moving data to removable disks or sending it to cloud-based tools such as Dropbox.

Users do not have to access a special app or enter a specific mode for WIP to work. Microsoft designed WIP to deliver the data protection IT requires while allowing users to continue to work with the apps they are familiar with.

To set policies for WIP, admins can use Microsoft System Center Configuration Manager, Microsoft Intune or third-party mobile device management tools. Admins can apply WIP settings on a user-by-user basis, so if two or more users share a device, IT can assign different permissions to each user. Admins can apply WIP policies to line-of-business apps and consumer apps. When users access a protected website or app through the Microsoft Edge browser, a briefcase appears in the URL bar to indicate they are now subject to WIP rules.

After admins decide which applications and users can access what data, they must select a level of protection to put on the data. WIP offers four protection levels:

Block prevents users from taking unauthorized actions, including sharing data outside the corporate network;

Override alerts users when they try to perform an unauthorized action, but the user can go through with the action anyway. If the user ignores the warning, WIP logs that information and includes it in its audit log;

Silent essentially runs in the background, tracking users' actions without stopping them. This option still blocks users from seeing information they are not authorized to view;

Off deactivates WIP.

Admins next set network locations for the data, which designate the data that approved apps can access. WIP automatically encrypts any data users download from a registered network location. WIP also protects any new data approved apps generate. Admins can give users the option to mark new data as business or personal.

WIP delivers audit reports to IT admins that detail user behavior. It also works with Microsoft Office 365 Pro Plus and Azure Rights Management so WIP can protect data after it leaves a user's device or is shared.

This was last updated in April 2017


What could Microsoft add to WIP to help IT secure corporate data even more?
In my tests, all I had to do to circumvent WIP was pick up my unmanaged Surface, log in with the same ID that I used on my managed/MAM laptop, and hey presto! I can log in to Office 365 and sync or download all my data. Once a WIP policy is applied to a group of users, they should not be able to download protected data from anywhere - that isn't the case today.
Anthony Murfet