Windows Information Protection Policies in Configuration Manager
The release of the 1606 build for SCCM Current Branch brought several new management capabilities around security. One of these enhancements is the ability to set policies for the new Windows Information Protection feature of Windows 10 (formerly known as Enterprise Data Protection). Let’s take a quick look at some of the changes and new features.
These policy options can be configured as a Configuration Item for Windows 10 clients managed by Configuration Manager:
Where some of these options were available in previous builds as Enterprise Data Protection, it is now labelled as Windows Information Protection:
Configuring the WIP policy, we’ll look first at the differences in application policy options:
App Types: Store Apps, Desktop Apps, or AppLocker Policy File (previously, only “Universal” and “Desktop” apps)
Custom Rule Names
Data Protection Mode: Allow or Exempt per app (previously , no exemption option)
There are also some differences in configuring the Network Locations that define the corporate network. You are now required to define at least an Enterprise Network Domain and an Enterprise IPv4 Range. You also have the option of defining “neutral resources” to account for existing authentication redirection endpoints in the environment. The list of any Proxy Servers or IP Ranges defined in the Network Locations can also now optionally be set as authoritative. Another interesting new feature is the ability to actually force an icon overlay for non-WIP aware apps that you’ve configured to allow access to protected data, as well as files that are protected.
As BitLocker is considered a foundational part of the overall Windows Information Protection solution, the previous option to specify a Data Recovery Agent certificate is now mandatory to ensure that encrypted data can be properly recovered. Rounding out the new features are the options to present users with a “Personal” file ownership option, and the ability to control whether corporate data and Store apps are exposed to Windows Search.
As enterprise environments continue to move to Windows 10 and begin taking advantage of more and more of the new Windows 10 security features, I’m sure we’ll see additional options appear in coming SCCM branch releases.