Forum Discussion
Windows Information Protection & the Windows Home edition conundrum
That is strange. So, the same policy works on Pro but not on a Home edition device? With the same user account? I have a Home edition test virtual machine here. Windows 10 1803 is installed on this machine. If I enable MAM without enrollment for Windows 10, then WIP will be activated on the Home Edition machine. I have allowed IE, Edge, Word, Outlook, OneDrive and OneNote. I have also included these network perimeters: <domain>-my.sharepoint.com|<domain>.sharepoint.com|outlook.office365.com.
This is it. More is not needed, and your BYOD is managed by a MAM without enrollment policy based on Windows Information Protection.
See the settings here:
The protected apps:
Required settings:
and the network perimeter:
And this is on a home edition:
This is a direct comparison. For visibility, I turned the "show briefcase" policy on. Left=Pro/Business, right=Home. Same account, same tenant, same builds even.
The basic policies I set up are pretty much the same as yours. But something is stopping Home from honoring MAM+WIP policies. Or it's plain broken. And nope - no MDM in sight anywhere. And even if there were, that Home just lets me extract work files unencrypted is unacceptable. Under ANY circumstances.
So how did you make yours work and mine/ours doesn't? Any ideas?
- Albert Neef, Jun 22, 2018, Copper Contributor
Thanks for your response and screenshot. How did you add the corporate user account? Via Word/Outlook or via Settings -> Work/school account? It makes no difference, actually.
You can find what I did here. I have blogged the steps you have to take for MAM-WE on a Windows BYOD. The screenshots are from a Home Edition machine.
https://albertneef.wordpress.com/2018/05/09/part-11-configure-microsoft-intune-mobile-application-management-without-enrollment/
Maybe this will help? :) Otherwise you have to try a new Home Edition machine?
- Dominique Côté, Jun 26, 2018, Copper Contributor
Apologies - my bad. In TWO ways.
First: I simply didn't add OneDrive DESKTOP app to my policy:
I should've known better. Here's why:
We use Microsoft 365 Business. The WIP policies it comes with include some protected apps by default, among which is the OneDrive STORE app, but not the desktop next-gen sync client. I have no idea why M365B doesn't include ODfB Sync by default, but it misled me. Again. Because I already solved this problem a few months ago. 🤣
Anyways, I added the ODfB desktop/sync client to the list, and voila:
And SECOND: The W10 Pro VM I used to test above ^^ is actually AAD-joined - which I didn't know. A colleague of mine was using it for other purposes and joined it. So it was following a different set of policies: For enrolled devices, right? That policy obviously works just fine, so it naturally showed WIP protection active. I just validated my findings with a new, un-enrolled (AAD registered, not joined) W10 Pro VM and was able to get the same, expected (!) behavior on Pro and Home.
So, all is good, WIP on W10 Home DOES work. Which makes this an awesome and low-cost option for any kind of BYOD / work from home requirement. Sorry to bug you but, sometimes you just need a sounding board to validate what you're doing - or not. ;-)
- Stan Netesanny, Sep 02, 2018, Copper Contributor
Hi Dominique,
But what happens when the user skips the device registration?
Say, if he chooses to use 'this app only' as below:
In this case, Win Home will bypass the WIP policy.
I'm wondering if there is a way to enforce the WIP policy on Windows Home?
It's also mentioned here: https://social.technet.microsoft.com/Forums/office/en-US/890ed582-6b11-4c0c-bdff-580867a1fec2/wipwe-and-conditional-access?forum=microsoftintuneprod
Regards,
Stan