Windows 7 has entered the extended support phase of its lifecycle.  What does this mean? Microsoft will continue to provide security updates for Windows 7 PCs until the 14th of January 2020, so security is still covered.  However, feature updates (bug fixes) and free phone and online support have already ended.  At the same time as Windows 7 leaves extended support, the Office 365 connection policy changes to allow only Office clients in mainstream support to connect (that is, Microsoft Office 2016 or later and Microsoft Office 365 ProPlus)[i].  So, if you are running Windows 7 and/or Office 2013 or earlier, now is the time to look to the future.
As we all know from the press and personal usage, the real successor to Windows 7 is the evergreen, twice-yearly updated Windows 10.  The continual change of Windows 10 (aka Windows as a Service), the evergreen SaaS apps enterprises are increasingly adopting, and end users' expectation of always-current apps (courtesy of smartphones) together mean that the desktop strategies of yesterday (tightly managed, infrequently updated, limited or no personalisation) no longer look appropriate.
And BYO remains a hot topic for customers and pundits alike.
So how can you manage a continually changing desktop and support BYOD yet maintain the security of your data?
Microsoft have introduced a couple of capabilities to address these problems.  This blog will focus on developments in the ability to protect corporate data on lightly managed corporate or private devices – specifically, data at rest.
Windows Information Protection (WIP) is a new capability that harnesses Azure Rights Management and Intune (also available via System Center Configuration Manager) to protect data on Windows 10 Anniversary Update (build 1607) or later devices.  These are all part of the Azure Information Protection offering that addresses both client and server side protection of data.
WIP is an option under Intune -> Mobile Apps -> App Protection Policies.  As with any other Intune policy WIP can be applied to any Azure AD user group.
WIP has two main considerations regarding data security: data source and data access.

Data Source

In WIP you define network boundaries.   Below is the network boundaries blade in Intune.
[Figure: Network boundary blade in Intune]
A network boundary effectively defines where data does not need to be protected (i.e. within the boundary, say Office 365) and where it does (i.e. accessing outside the boundary such as downloading a file from Office 365, as per the figure below).
On-premises applications and file servers can be placed within another network boundary, as can other SaaS services.  When a PC outside the boundary (for example, on the internet) downloads data from a source inside a network boundary, that data should be marked as “work” and encrypted, as shown below.

Data Access

WIP has the concept of “Allowed Apps”.  These are applications defined within the WIP policy that are allowed to access work data.  Below is the Allowed Apps blade in Intune.
[Figure: Allowed Apps blade in Intune]
Microsoft classifies applications into “enlightened apps” and “unenlightened apps”. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on your policies.  Unenlightened apps can’t differentiate between corporate and personal data, so all data they handle is considered corporate and encrypted (by Windows, not the app).  The Microsoft client apps (Office, Edge, Notepad, etc.) are examples of “enlightened apps”.  Finally, if an application is not defined in Allowed Apps then it can’t read work data, nor can corporate data be cut and pasted into it.  In the scenario where an “unenlightened app” won’t work with WIP it can be defined as exempt, in which case the corporate data it handles is not encrypted.
With Windows Information Protection, Windows now includes the functionality necessary to identify personal and business information, determine which apps have access to it, and provide the basic controls necessary to determine what users are able to do with business data (e.g.: Copy and Paste restrictions). Windows Information Protection is designed specifically to work with the Office 365 ProPlus and Azure Rights Management, which can help protect business data when it leaves the device or when it’s shared with others (e.g.: Print restrictions; Email forwarding).[ii]
And this capability is available in all editions of Windows 10 Anniversary Update (build 1607 or later).
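To make the two decisions described above concrete, here is an added example that models them in Python. It is not code from the original post and not Microsoft's implementation: it is a constructed policy evaluator in which the boundary domains, the IPv4 range, and the app names (WINWORD.EXE, LegacyLob.exe, Backup.exe, UnlistedEditor.exe) are assumed sample values. The data-source decision checks whether a download came from inside the network boundary; the data-access decision checks the Allowed Apps list and applies the enlightened, unenlightened and exempt behaviours the post describes.

```python
"""Constructed model of the two WIP decisions (added example, not Microsoft's code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from urllib.parse import urlparse

# App classifications from the post: all three are "in the policy", but behave differently.
ENLIGHTENED = "enlightened"      # Allowed App that keeps work and personal data apart
UNENLIGHTENED = "unenlightened"  # Allowed App that cannot tell them apart; Windows encrypts all its output
EXEMPT = "exempt"                # excluded from WIP; reads work data but writes it unprotected

WORK, PERSONAL = "work", "personal"


@dataclass
class WipPolicy:
    """One WIP app-protection policy: a network boundary plus an app list (constructed model)."""
    domains: set[str] = field(default_factory=set)                # cloud resources / network domains
    ipv4_ranges: list[IPv4Network] = field(default_factory=list)  # on-premises address ranges
    apps: dict[str, str] = field(default_factory=dict)            # app name -> classification

    def inside_boundary(self, source: str) -> bool:
        """True when a URL, hostname or IPv4 address lies inside the network boundary."""
        host = urlparse(source).hostname if "://" in source else source
        if host is None:
            return False
        host = host.lower()
        try:
            addr = ip_address(host)
        except ValueError:
            # A hostname matches a boundary domain itself or any sub-domain of it,
            # so "evil-contoso.com" does not match "contoso.com".
            return any(host == d or host.endswith("." + d) for d in self.domains)
        return any(addr in net for net in self.ipv4_ranges)

    def classify_source(self, source: str) -> str:
        """Data-source decision: data fetched from inside the boundary is tagged work and encrypted."""
        return WORK if self.inside_boundary(source) else PERSONAL

    def can_open(self, app: str, tag: str) -> bool:
        """Data-access decision: any app reads personal data; only listed apps read work data."""
        return tag == PERSONAL or app in self.apps

    def can_paste(self, destination_app: str, tag: str) -> bool:
        """Clipboard rule: work content cannot be pasted into an app that is not listed."""
        return self.can_open(destination_app, tag)

    def tag_after_save(self, app: str, tag: str) -> str:
        """Tag carried by a file the app writes back after opening data tagged `tag`."""
        if not self.can_open(app, tag):
            raise PermissionError(f"{app} is not an Allowed App and cannot read work data")
        mode = self.apps.get(app)
        if mode == UNENLIGHTENED:
            return WORK      # cannot tell work from personal, so everything it writes is encrypted
        if mode == EXEMPT:
            return PERSONAL  # outside WIP: its output is not encrypted
        return tag           # enlightened apps (and unlisted apps on personal data) preserve the tag


def demo() -> dict[str, object]:
    """Run the post's scenarios through the model and return each decision."""
    policy = WipPolicy(
        domains={"contoso.sharepoint.com", "outlook.office365.com"},  # constructed sample boundary
        ipv4_ranges=[ip_network("10.0.0.0/8")],                        # constructed on-prem range
        apps={"WINWORD.EXE": ENLIGHTENED, "LegacyLob.exe": UNENLIGHTENED, "Backup.exe": EXEMPT},
    )
    download = policy.classify_source("https://contoso.sharepoint.com/sites/hr/payroll.xlsx")
    return {
        "download_tag": download,                                             # work
        "personal_site": policy.classify_source("https://example.com/recipe.docx"),  # personal
        "fileserver": policy.classify_source("10.12.0.7"),                    # work
        "word_opens_work": policy.can_open("WINWORD.EXE", download),          # True
        "unlisted_opens_work": policy.can_open("UnlistedEditor.exe", download),   # False
        "paste_to_unlisted": policy.can_paste("UnlistedEditor.exe", download),    # False
        "legacy_saves_personal_as": policy.tag_after_save("LegacyLob.exe", PERSONAL),  # work
        "backup_saves_work_as": policy.tag_after_save("Backup.exe", download),        # personal
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The last two entries in `demo()` are the ones worth pausing on: an unenlightened Allowed App turns even personal input into encrypted work data, while an exempt app turns work data into unprotected output, so every exemption granted to get a legacy app working is a deliberate hole in the data-at-rest protection.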

Do you need Azure RMS?

WIP is focussed on securing enterprise data on a device.  It does not address securing enterprise data once it has left the device.  Azure RMS provides rights management for data after it has left a device.  Azure RMS works with a fairly limited set of applications (mainly Microsoft Office across most platforms). With WIP alone a protected file can’t be shared with another user, whether by USB or an external drive or even as an email attachment: it will be encrypted and inaccessible.  With RMS, data protection can be extended to data that leaves the device, such as an email attachment from an enlightened app (think Word, Excel, PowerPoint, OneNote, etc.) or a file on a USB drive or a cloud drive. With RMS you can also audit and monitor usage of your protected files, even after these files leave your organisation’s boundaries.

Addressing your Information Protection needs (on Windows 10)

WIP is not the definitive be-all and end-all capability for protecting corporate data.  Rather it is part of a suite of capabilities that Microsoft provide on Windows 10.  BitLocker protects the device, WIP provides data separation and data-leakage protection, and AIP provides additional, more complex data-leakage protection as well as sharing protection.   These three capabilities combine to protect data at rest, in use and when shared.
So, now enterprise data can be secured on a Windows 10 device rather than the traditional approach of securing the device; suddenly BYOD doesn’t look that scary or impractical.
[i] Taken from Office 365 system requirements changes for Office <>
[ii] Taken from Introducing Windows Information Protection <>


Comments

  1. FYI showstopper for me is that I have to *ask* the contractor with the BYOD Win10 device to disconnect his WIP/MAM account in order to make his downloaded WIP protected business information inaccessible. There seems to be no way for an Intune admin to send a disconnect request to a device that is MAM/WIP registered. All that sending a device delete does is stop the sync and disable OneDrive for Business – leaving the still accessible data behind on the device. Madness. Regards, Anthony Murfet.

    • During our pilot we found that when rights were revoked in Azure AD it took up to 24 hours (the then default token lifetime) for rights to be denied on the device. Microsoft are addressing this with a new capability in public preview (Configurable token lifetimes in #AzureAD are now Public Preview! <>). I haven’t tried it but hopefully this will address your concern (which isn’t uncommon) by reducing the maximum time it takes to revoke access. However, this means the access rights need to be refreshed (by accessing Azure AD) more often.
      The inaccessible data still remains on the device.

