Intune Customer Success

Support tip: End of support guidance for Windows Information Protection

Intune_Support_Team
Jul 22, 2022

Updated April 2023

With the recent Windows announcement to end support for Windows Information Protection (WIP), Microsoft Intune will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we’ll also be removing support for the WIP without enrollment scenario by the end of calendar year 2022.

Note: Devices receiving WIP policies with Intune enrollment will continue to be supported until the feature is removed from Windows (or an additional communication is issued). Stay tuned to this blog for updates.

Why are we ending support for Windows Information Protection?

As mentioned in the Windows blog (Announcing sunset for Windows Information Protection), Windows Information Protection (WIP), previously known as Enterprise Data Protection (EDP), was originally released to help organizations protect enterprise apps and data against accidental data leaks without interfering with the employee experience on Windows. Over time, many of you have expressed a need for a data protection solution that works across heterogeneous platforms, and that allows you to extend the same sensitive data protection controls on endpoints that you have for the various SaaS apps and services you rely upon every day. To address these needs, Microsoft has built Microsoft Purview Data Loss Prevention (DLP), which is deeply integrated with Microsoft Purview Information Protection to help your organization discover, classify, and protect sensitive information as it is used or shared.

If you’re currently using WIP, we recommend leveraging Microsoft Purview DLP and Information Protection to achieve the most robust data protection for your cross-platform and cross-cloud needs.

What is the timeline for the without enrollment scenario?

Managing WIP without enrollment will be decommissioned by the end of 2022. We will decommission tenants in the following order starting in December:

  1. Devices receiving no effective policies – These are devices that are actively registered and polling Intune for policy, but policy has not been defined.
  2. Devices that are disabling WIP – These are devices that are actively registered and polling for policy, but that policy is disabling WIP (the platform default).
  3. Devices that are configuring WIP – These are devices that are actively registered and polling for policy and that policy is configuring WIP on the endpoints.

What is the timeline and how will I know when this happens to me?

We are actively messaging to customers through the Message Center to specify which of the three buckets they fall into above. We are finding most customers who have policies deployed have very few devices checking in and receiving WIP policy. If you don’t see messages in your message center, and believe you are impacted, please reach out to Microsoft Support.

Note: If you have different configurations of WIP without enrollment policy, you will receive notifications for each scenario that applies to your environment.

The general timeline is as follows:

  1. November 1st (or soon after), we will restrict creating new WIP ‘without enrollment’ policies from the Microsoft Intune admin center.
  2. Starting in December 2022, we will begin deregistration for devices utilizing WIP ‘without enrollment’. Refer to the Message Center for when this will occur for your organization. We plan on completing the deregistration in the following order:
    1. Devices receiving no effective policies.
    2. Devices receiving ‘disable WIP’ Policy.
    3. Devices receiving policy to configure WIP.

Important: Once the device is unregistered, users may see a notification indicating an account has been removed, “mddprov account has removed your workplace account…from your device.” You can safely disregard this message.


Why are you deregistering devices? I thought this was for the ‘without enrollment’ scenario.

While the scenario is named Windows Information Protection without enrollment, devices are registered to our mobile application management (MAM) infrastructure. When we use the term ‘deregistering’ in the unmanaged context, we are referring to deregistering devices from the MAM infrastructure by removing the endpoints.

Important: We are not unenrolling devices from mobile device management as part of this process. Only devices that are registered to the endpoint to distribute WIP policy to unmanaged devices are impacted.


How do I know if I have WIP enabled on my devices?

We have seen low usage of WIP across enterprise and commercial customers. Most of this usage is from devices that are not receiving any effective policy or have not configured the necessary settings to enforce WIP Protection. To validate if you have WIP configured in your environment, do the following:

  1. Navigate to the Microsoft Intune admin center.
  2. In the left navigation, go to Apps > App protection policies.
  3. Under the Platform column, WIP policies are listed as “Windows Information Protection” and have either “With enrollment” or “Without enrollment” listed in the Management type column.

Note: As mentioned above, we are ending support for WIP policies listed as “Without enrollment”. Follow the steps below to remove WIP from devices receiving those policies.
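As an added example (not part of the original post), the same inventory can be scripted with the Microsoft Graph PowerShell SDK so you can see which of the three buckets above your tenant's policies fall into before the decommissioning starts. It assumes the Microsoft.Graph module is installed, the signed-in account has DeviceManagementApps.Read.All, and the Graph beta endpoints deviceAppManagement/windowsInformationProtectionPolicies (without enrollment) and deviceAppManagement/mdmWindowsInformationProtectionPolicies (with enrollment) are available as named here.

```powershell
# Added example, not Microsoft's own script. Assumes the Microsoft.Graph module and the
# Graph beta endpoints below; confirm both against the current Graph documentation.
Connect-MgGraph -Scopes "DeviceManagementApps.Read.All"

$base = "https://graph.microsoft.com/beta/deviceAppManagement"
# Only the MAM ("without enrollment") policies are being decommissioned; the MDM
# ("with enrollment") policies are listed too so both management types are visible.
$policySets = @{
    "Without enrollment" = "$base/windowsInformationProtectionPolicies?`$expand=assignments"
    "With enrollment"    = "$base/mdmWindowsInformationProtectionPolicies?`$expand=assignments"
}

foreach ($managementType in $policySets.Keys) {
    $uri = $policySets[$managementType]
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        foreach ($policy in $page.value) {
            $assignmentCount = @($policy.assignments).Count
            # enforcementLevel 'noProtection' is the platform default, i.e. a policy
            # that disables WIP; anything else configures WIP on the endpoint.
            $bucket = if ($assignmentCount -eq 0) { "Unassigned (no effective policy)" }
                      elseif ($policy.enforcementLevel -eq "noProtection") { "Disabling WIP" }
                      else { "Configuring WIP" }
            [pscustomobject]@{
                ManagementType   = $managementType
                DisplayName      = $policy.displayName
                EnforcementLevel = $policy.enforcementLevel
                Assignments      = $assignmentCount
                Bucket           = $bucket
            }
        }
        # Follow paging until Graph stops returning a next link.
        $uri = $page.'@odata.nextLink'
    } while ($uri)
}
```

The "Unassigned" bucket reflects the policy object only; devices that registered for MAM but never received a policy still count toward the "no effective policies" group described above even though no policy row shows them.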

What do I do to disable WIP?

WIP can be easily disabled through Intune proactively. This will ensure that your organization and users are not impacted by end of support activities in the future. When you disable the feature, WIP automatically removes protection from most files.

To remove Windows Information Protection, you have the following options:

  1. (Recommended) Remove the WIP policy (unassign) – Removing an existing “enable” policy will remove the intent to deploy WIP from those devices. When that intent is removed, a device will remove protection for files and the configuration for WIP.
  2. Change your current policy to “Off” – If you’re currently deploying a WIP policy for enrolled or unenrolled devices, you can simply switch the intent of that policy to “Off”. When devices check in after receiving this intent, they will proceed to unprotect files previously protected by WIP.
  3. Create a “disable” policy – You can create a separate “disable” policy for WIP (both enrolled and unenrolled) and deploy that to your organization. You can stage the rollout by complementing your existing enablement policy and moving entities from being targeted with the enable policy to the disable policy. Note: Use this option if you are using Configuration Manager to disable WIP.


For more information, see How to disable Windows Information Protection (WIP).

Are there any special scenarios I need to account for when disabling WIP?

While WIP was designed to be used for a single user per device (see Limitations while using Windows Information Protection (WIP)), we wanted to mention what to do when removing WIP for a device with multiple users:

Devices with multiple users – We’ve seen scenarios where protection is not automatically removed for users that did not ‘initiate protection’. In this scenario, a user (User A) is targeted with WIP policy for unenrolled devices. User A is WIP enrolled and enforced. User B logs onto the device and accesses resources that are protected (by Protected Domains, Cloud Resources, etc.). These files are protected by WIP, based on the configuration for User A. When WIP is disabled for User A, User B’s files remain protected and accessible.

How to resolve: Once protection is disabled, User B can easily remove protection by right clicking on the file and changing the file ownership. Although the protection is in place, the file remains accessible to User B.

If you have any questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.

Post updates:

10/12/22: updated with timeline and additional clarity.

04/3/23: updated for clarity.

Updated Dec 19, 2023
Version 5.0
  • willjoneselite
    Copper Contributor

    This is crazy, we have lots of customers using WIP and they only have M365 Business Premium licences. So you are saying they all need to pay an additional £9 per user per month to have something that they already had? No one will do that from our end, so you are just exposing customers.

    Is there going to be a Purview alternative that comes with the standard M365 Business Premium licence without costing any more money?

  • Seamus Mc Bride
    Copper Contributor

    Once again this is Microsoft chopping and changing products and information.

    I have been asking one very simple question for over a year and a half now, as we are being told to move to Purview.

    Although I already know that no one in Microsoft will answer this question, I'm going to ask it again: what are we to do with on-premise AIP scanners?

    Purview is Microsoft's implementation of an open source platform called “Apache Atlas”, which does not have the capability of ingesting NTFS on-premise file systems. Does Microsoft intend to ever inform the public that there will not be a solution for file servers, which we have been running on Microsoft servers for over 22 years now?

    I look forward to no one once again answering this question.

  • sabarishn89
    Copper Contributor

    Not interesting news. End of 2022 is a very short time.

    To my knowledge, Microsoft Purview DLP supports only Microsoft 365 apps.

    How about the situation where we need to protect other desktop apps (e.g. Notepad, WordPad)?

    Also, how do we restrict content transfer between managed and unmanaged services?

  • TonzKing123
    Brass Contributor

    What about "with enrollment" devices? Any plan to remove this in the future?

  • Oktay Sari
    Iron Contributor

    There is very little information or guidance when it comes to ending support for Windows Information Protection without enrollment. This was a workable solution for organizations that supported a BYOD scenario with client applications like Microsoft 365. It also worked for those wanting to sync OneDrive for Business files on their personal devices. Although not perfect, WIP filled a gap and has its purpose. I can think of a number of scenarios to support BYOD in the future (replacing WIP), but they will raise questions:

    • Start enrolling BYOD to Intune and then filter out any policy you don't want for personal devices?
    • Or perhaps a better solution like enforcing limited browser only access to corporate resources?

    Other questions I have:

    • What advice would Microsoft give to those who have WIP without enrollment scenario in place?
    • What happens to customers who have WIP without enrollment enabled and don't disable WIP? Will it just stop working?
    • You write end of support, but I also read "we’ll also be removing support for WIP without enrollment scenario by the end of calendar year 2022." This gives me the impression that the actual feature is going to be removed from Endpoint Manager and/or Windows by the end of 2022. Can you clarify this?