Hi
I wanted to address questions posted here as well as in other channels:
Q: OK, so you are removing an existing E3 functionality (Windows Information Protection) in favor of functionality only available in E5 (Endpoint DLP + Microsoft Defender for Cloud Apps).
A: Microsoft provides a wide range of built-in data protection controls that are available to both E3 and E5 customers. Examples include our integrated DLP controls in email and online document collaboration, as well as native labelling controls with built-in encryption, content marking, and auditing and telemetry to help you not only keep data protected – but also track how and where it's used every day. You can learn more about the features available in our documentation here: Microsoft Purview Information Protection - Microsoft Purview (compliance) | Microsoft Docs as well as detailed licensing requirements here: Microsoft 365 guidance for security & compliance - Service Descriptions | Microsoft Docs.
Additionally, Microsoft is working on a MAM solution for Windows Edge. This will allow protected org access, via Microsoft Edge, for home and occasional use on BYOPC. In addition to data protection, the solution will include app configuration for per profile Edge setting and App protection conditional access.
Q: Can we please have guidance on how to configure File Ownership with the new Purview solution? Hundreds of our clients have come to depend on WIP (especially with the rise in remote work) since it can simply prevent users from copying data stored in OneDrive/SharePoint to other areas like C Drive, Google Drive, Dropbox... From my understanding of DLP and its licensing limitations this feels much more like a "cash grab" by Microsoft rather than something your customers want/need.
What I am referring to is the mechanism of WIP that prevents (or logs depending on the Endpoint Manager admins preference) users from dragging/dropping their Work/School files to non-sanctioned locations. This is critical for Microsoft to continue to support as there is no direct (or even close) replacement within Priva.
A: To protect sensitive data on managed devices from egressing to unauthorized locations we recommend deploying our endpoint DLP solution in combination with our cloud-based DLP controls for Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and non-Microsoft apps through our integration with Microsoft Defender for Cloud Apps.
Q: Is there a deadline for WIP without enrollment?
A: After December 2022 customers will not be able to configure any new WIP policies for devices registered via MEM without enrollment. This does not apply to devices enrolled into MEM.
Q: What will happen to the existing WIP policies in Endpoint Manager after December 2022 for unmanaged Windows BYOD (MAM without enrollment)?
A: We understand customers are using the Without Enrollment BYOD scenario today and are working on a process to ensure an administrator can take the correct actions to leave their devices in a healthy state. More details on this will be coming as we get closer to the end of support date.
Q: How can I disable Windows Information Protection in my enterprise?
A: Please refer to our documentation, How to disable Windows Information Protection (WIP) - Windows security | Microsoft Docs, and this blog post: Support tip: End of support guidance for Windows Information Protection - Microsoft Tech Community