Implementing Windows Information Protection

Windows Information Protection enables organization to create a clear line between what is personal data vs corporate data. When implementing Windows Information Protection (WIP) you might find that none recognized corporate apps may lose the ability to write data to the corporate protected applications and data stores. For example;

You are using GitHub and storing the cloned repos into your OneDrive Known Folders and WIP gets enabled to “Block” access.

That lovely GitHub repo you want to clone will now be blocked 🙁

So how do we implement Windows Information Protection to ensure that are organizations are secure.

Lets start with WIP Learning

So first of all, you would have need to configure App Protection within Microsoft Endpoint Manager for all the apps you want to protect with WIP as show below

WIP Learning is a report that allows you to monitor your WIP-enabled apps and WIP-unknown apps. The unknown apps are the ones not deployed by your organization’s IT department. You can export these apps from the report and add them to your WIP policies to avoid productivity disruption before they enforce WIP in “Block” mode.

In addition to viewing information about WIP-enabled apps, you can view a summary of the devices that have shared work data with websites. With this information, you can determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps.

When working with WIP-enabled apps and WIP-unknown apps, we recommend that you start with Silent or Allow Overrides while verifying with a small group that you have the right apps on your protected apps list. After you’re done, you can change to your final enforcement policy, Block.

What are the protection modes?


WIP looks for inappropriate data sharing practices and stops the user from completing the action. Blocked actions can include sharing info across non-corporate-protected apps, and sharing corporate data between other people and devices outside of your organization.

Allow Overrides

WIP looks for inappropriate data sharing, warning users when they do something deemed potentially unsafe. However, this mode lets the user override the policy and share the data, logging the action to your audit log.


WIP runs silently, logging inappropriate data sharing, without blocking anything that would have been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.

Switching on WIP

Browse to your App Protection Policy and go to its Properties, under Required Settings you will be able to select which mode you would like to enable for your organization. Please Note: You will need to define your “Corporate Identity” if you have multiple domains they can added as ‘Protected domains’ under the ‘Network perimeter’ in the ‘Advanced settings’ tab.

Once you have done an initial pilot to discovery the applications being used to access Corporate data, you can generate a report from Apps –> Monitor –> App Protection Protection Status –> Reports –> App Learning report for Windows Information Protection. In my case I can see that my GitHub applications has been discovered.

Now that you have your report you are able to create the required excepts to ensure the non-corporate applications can access corporate data.

The Author – Blogabout.Cloud

Leave a Reply

Your email address will not be published. Required fields are marked *