{"id":10700,"date":"2017-09-20T16:06:10","date_gmt":"2017-09-20T23:06:10","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=10700"},"modified":"2023-06-09T11:22:44","modified_gmt":"2023-06-09T18:22:44","slug":"windows-information-protection-helps-enforce-data-policy-at-microsoft","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/windows-information-protection-helps-enforce-data-policy-at-microsoft\/","title":{"rendered":"Windows Information Protection helps enforce data policy at Microsoft"},"content":{"rendered":"
\n
\n
<\/div>\n

This content has been archived, and while it was correct at time of publication, it may no longer be accurate or reflect the current situation at Microsoft.<\/p>\n<\/div>\n<\/div>\n

Microsoft manages a highly mobile workforce and sets policies for a wide variety of both personal and company devices. Although we champion mobility, it\u2019s also important that we protect our company data. Windows Information Protection, introduced in Windows 10, differentiates between personal and business information\u2014encrypting company data and helping to prevent inadvertent data sharing. We can protect our data and allow our employees to store work or personal information on any device.<\/p>\n

Windows Information Protection, formerly referred to as Enterprise Data Protection (EDP), helps people separate their work and personal data and keeps data encrypted wherever it\u2019s stored. Your employees can safely use both work and personal data on the same device without switching applications. Windows Information Protection helps prevent inadvertent data leaks by blocking data sharing through apps and services that are outside of your control. For example, employees can\u2019t send protected work files from a personal email account instead of their work account. They also can\u2019t accidentally post confidential information from a corporate site into a tweet. Windows Information Protection also helps ensure that they aren\u2019t saving company information in a public cloud storage location.<\/p>\n

Core Services Engineering (CSE, formerly Microsoft IT) began piloting Windows Information Protection with the release of Windows 10 Anniversary Update. We are moving forward with the Windows 10 Creators Update, and we are working with some of the new features in Windows Information Protection that help prevent an employee\u2019s personal applications from accessing corporate data and network resources.<\/p>\n

Building information protection into Windows 10<\/h2>\n

Windows Information Protection can differentiate between personal and work information, determine which apps have access to it, and provide the necessary basic controls to determine what employees can do with work data, including where they can save work files or copy and paste text. Before the Windows\u00a010 Anniversary\u00a0Update, we relied on capabilities in other applications and platforms to help ensure that work data wasn\u2019t shared or leaked inadvertently.<\/p>\n

One of the original design goals for Windows Information Protection was to offer basic functionality that helps prevent accidental data leaks through the most-used paths, which represent most leak cases (80\/20 rule). These paths include, for example, copy and paste errors and copying data to removable storage.<\/p>\n

Windows Information Protection is designed to coexist with advanced data loss prevention (DLP) capabilities found in Office 365 ProPlus, Azure Information Protection, and Azure Rights Management. Advanced DLP prevents printing, for example, or protects work data that is emailed outside your company. Figure 1 shows how the different tools overlap to provide information protection.<\/p>\n


Figure 1. Windows Information Protection is part of a comprehensive information protection strategy<\/figcaption><\/figure>\n

Configuring Windows Information Protection<\/h2>\n

There isn\u2019t anything to install\u2014we simply turned Windows Information Protection on through the Windows Information Protection settings policy in System Center Configuration Manager (Configuration Manager) for domain-joined devices, and through Microsoft Intune for non-joined devices.<\/p>\n

Using Configuration Manager and Microsoft Intune, it\u2019s easy for us to create and deploy Windows Information Protection policies. We can choose protected apps, set our protection mode, and choose how to find work data on the network.<\/p>\n

Microsoft employees can sign up for a variety of pilot programs to help us gather feedback and test product usability. We\u2019re testing scenarios and configurations that apply Windows Information Protection policies to the personal and work devices of employees who signed up for the pilot deployment program. As we move closer to a broad Windows Information Protection deployment, we\u2019re considering rolling out different policies with different protection modes to separate user groups.<\/p>\n

Understanding enlightened and unenlightened applications<\/h3>\n

Apps can be\u00a0enlightened<\/a>\u00a0(also referred to as Windows Information Protection-aware) or unenlightened (also referred to as Windows Information Protection-unaware). The difference between the two is:<\/p>\n