Forum Discussion

Chris Moore's avatar
Chris Moore
Copper Contributor
Jan 29, 2018

Windows Information Protection & the Windows Home edition conundrum

There doesn't seem to be a full answer to this problem, so I'm sounding it out here in case anyone has any bright ideas.   The crux of the problem, is that there's no "Edition" filter that we can...
Intune
Mobile Application Management (MAM)
Albert Neef's avatar
Albert Neef
Copper Contributor
Jun 21, 2018

Where did you find that WIP only supports Windows 10 Pro and higher? For as I know is that WIP also Home Edition supports. With WIP you can manage your corporate data on Home edition. This only with MAM without enrollment. MDM is another story, but WIP and MAM without Enrollment on a Home edition is supported and works the same as a Windows 10 Pro edition.   

 

Link for more information: https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure

 

Quote from the link: 

"Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access."

 

 

Dominique Côté's avatar
Dominique Côté
Copper Contributor
Jun 21, 2018
Well, I tried it and it doesn't work. I was able to connect a personal device running home edition to a WIP-protected account (M365B) and it neither encrypted any work files nor did it manage the clipboard, nor did it block unmanaged apps from accessing work resources. The effect is: Work files can be downloaded and used in any way the user wants. Only requirements: An M365 account and a home device. Btw: File Explorer does show the "file ownership" column, but it is empty. A Pro device connected to the same account works exactly as expected. That is a severe information leak and should not happen under any circumstances - regardless of the MDM status... (tested on 17134.112).

But if you have any additional info on how to enforce WIP on home edition, we'd be happy to hear about it! 😉
  • Albert Neef's avatar
    Albert Neef
    Copper Contributor
    Jun 21, 2018

    That is strange. So, the same policy works on Pro but not on a Home edition device? With the same user account? I have here a Home edition test virtual machine. Windows 10 1803 is on this machine installed.  If I enable the MAM without enrollment for Windows 10 then WIP will activated on the Home Edition machine. I have allowed IE, Edge, Word, Outlook, Onedrive and OneNote. I have also included these network perimeters: <domain>-my.sharepoint.com|<domain>.sharepoint.com|outlook.office365.com.

    This is it.. More is not needed and your BYOD is managed by MAM without enrollment policy based on Windows Information Protection.

     

    See here the settings: 

    The protected apps: 

    Required settings: 

    and the network perimeter: 

    And this is on a home edition: 

    • Dominique Côté's avatar
      Dominique Côté
      Copper Contributor
      Jun 21, 2018

      This is a direct comparison. For visibility, I turned the "show briefcase" policy on. Left=Pro/Business, right=Home. Same account, same tenant, same builds even.

       

      The basic polices I setup are pretty much the same as yours. But something is stopping Home from honoring MAM+WIP policies. Or it's plain broken. And nope - no MDM in sight anywhere. And even if there were, that Home just lets me extract work files unencrypted is unacceptable. Under ANY circumstances.

       

      So how did you make yours work and mine/ours doesn't? Any ideas?

      • Albert Neef's avatar
        Albert Neef
        Copper Contributor
        Jun 22, 2018

        Thanks for your response and screenshot.. How did you add the corporate user account? Via Word/Outlook or via the settings -> work/school account? It makes no difference, actually.   

         

        What I did you can find it here. I have blogged the steps what you have to do for MAM-WE on a Windows BYOD. The screenshots are from a Home Edition machine.

        https://albertneef.wordpress.com/2018/05/09/part-11-configure-microsoft-intune-mobile-application-management-without-enrollment/

         

        Maybe this will help? :) Otherwise you have to try a new Home Edition machine?