Forum Discussion
Windows Information Protection & the Windows Home edition conundrum
There doesn't seem to be a full answer to this problem, so I'm sounding it out here in case anyone has any bright ideas.
The crux of the problem is that there's no "Edition" filter that we can apply within Intune enrolment or compliance policies (or Azure Conditional Access)...
Explaining why this is a shortcoming:
Due to the nature of this organisation, typically BYOD (personal devices) can be limited to browser-only access to SharePoint / OneDrive online through Azure Conditional Access Session Control; however there is an emerging use case for offline access on BYOD (the org already has a precedent of soft-managing BYO devices, so this part isn't a problem), but a requirement to ensure the files are kept securely.
This is where I feel WIP would provide suitable gap-filling capabilities; but there's quite a significant prerequisite: it requires Windows 10 1607 Pro edition (or higher). The 1607 part of that isn't a big problem, as Intune can cater for version limits within enrolment policies, but there are no Edition filters/requirements.
This means we can set up WIP and MAM, and have all the nice secure controls applied to any BYO devices running Win 10 Pro; however, as soon as someone enrols a Win 10 Home device, it simply ignores all of that and allows free rein over non-encrypted files.
Seems like a bit of a hole to me.
I'm trying to come up with workarounds to this gap, things like attempting to apply a BitLocker compliance policy specifically to Home edition devices, which of course will fail and mark the device as non-compliant (which can subsequently be filtered in Azure Conditional Access), but this isn't an elegant solution.
Anyone else have any ideas, or also feels there's something missing here?
14 Replies
- Albert Neef (Copper Contributor)
Where did you find that WIP only supports Windows 10 Pro and higher? As far as I know, WIP also supports Home Edition. With WIP you can manage your corporate data on Home edition. This is only with MAM without enrollment. MDM is another story, but WIP and MAM without enrollment on a Home edition is supported and works the same as on a Windows 10 Pro edition.
Link for more information: https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure
Quote from the link:
"Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access."
- Dominique Côté (Copper Contributor)
Well, I tried it and it doesn't work. I was able to connect a personal device running Home edition to a WIP-protected account (M365B) and it neither encrypted any work files nor did it manage the clipboard, nor did it block unmanaged apps from accessing work resources. The effect is: work files can be downloaded and used in any way the user wants. Only requirements: an M365 account and a Home device. Btw: File Explorer does show the "file ownership" column, but it is empty. A Pro device connected to the same account works exactly as expected. That is a severe information leak and should not happen under any circumstances - regardless of the MDM status... (tested on 17134.112).
But if you have any additional info on how to enforce WIP on Home edition, we'd be happy to hear about it! 😉
- Albert Neef (Copper Contributor)
That is strange. So, the same policy works on Pro but not on a Home edition device? With the same user account? I have a Home edition test virtual machine here. Windows 10 1803 is installed on this machine. If I enable MAM without enrollment for Windows 10, then WIP will be activated on the Home Edition machine. I have allowed IE, Edge, Word, Outlook, OneDrive and OneNote. I have also included these network perimeters: <domain>-my.sharepoint.com|<domain>.sharepoint.com|outlook.office365.com.
This is it.. More is not needed and your BYOD is managed by MAM without enrollment policy based on Windows Information Protection.
See here the settings (screenshots in the original post): the protected apps, the required settings, and the network perimeter. And this is on a Home edition:
- Martin Siegenthaler (Copper Contributor)
We have exactly the same experience and I hope someone can explain how we can control also the Windows Home edition.
- Pablo R. Ortiz (Steel Contributor)
I guess you already tried this: device restriction settings in MS Intune profiles?
https://docs.microsoft.com/en-us/intune/device-restrictions-configure
On Windows 8.1 and later you can enforce encryption of files.
- Chris Moore (Copper Contributor)
WIP is appealing for BYO scenarios since it only applies to corporate data / apps, rather than wholesale applying overbearing policies to every part of the device, specifically causing constraints in the context of encryption (requirement for MS accounts; requirement for InstantGo hardware certification etc).
It appears the trade-off of not implementing the overbearing policies is an incomplete picture, if those on a Home edition can simply bypass the policies - and there's no way to conditionally stop them.
Despite there being an "operatingSystemEdition" field within the hardwareInformation properties of managedDevices in Graph, Intune isn't filling this in, so we can't even create dynamic groups based on OS edition.
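The point about the unpopulated edition field can be verified directly. The following is an added example, not code from the thread or from Microsoft: it reads each enrolled Windows device's hardwareInformation block from the Graph beta endpoint and reports how many devices have a blank operatingSystemEdition, which is exactly the set you cannot sort into a Pro/Home dynamic group. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds DeviceManagementManagedDevices.Read.All.

```powershell
# Added example (not from the thread): audit the operatingSystemEdition value Intune
# reports into Graph so you can see how many enrolled Windows devices leave it blank.
# Assumes the Microsoft.Graph SDK and the DeviceManagementManagedDevices.Read.All scope.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" | Out-Null

# hardwareInformation is not returned by the list call in beta, so list the Windows
# devices first and then fetch each device's hardware block individually.
$uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices" +
       "?`$filter=operatingSystem eq 'Windows'&`$select=id,deviceName,osVersion"
$devices = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri = $page.'@odata.nextLink'      # follow paging until no nextLink remains
} while ($uri)

$report = foreach ($d in $devices) {
    $detailUri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/{0}?`$select=hardwareInformation" -f $d.id
    $hw = (Invoke-MgGraphRequest -Method GET -Uri $detailUri).hardwareInformation
    [pscustomobject]@{
        DeviceName = $d.deviceName
        OsVersion  = $d.osVersion
        Edition    = if ([string]::IsNullOrWhiteSpace($hw.operatingSystemEdition)) { '<blank>' }
                     else { $hw.operatingSystemEdition }
    }
}

# Summary by edition, then the devices whose edition is blank (no dynamic-group handle).
$report | Group-Object Edition | Select-Object Name, Count | Sort-Object Count -Descending
$report | Where-Object Edition -eq '<blank>' | Format-Table DeviceName, OsVersion -AutoSize
```

If the summary shows every device under `<blank>`, the field is not being populated for your tenant and edition-based targeting has to fall back on an indirect signal such as the compliance-policy workaround described earlier in the thread.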
- Dominique Côté (Copper Contributor)
+1 - nothing more to add!