
WIP support


What is the status of Windows Information Protection (WIP) support in Edge? Will all WIP features be supported prior to GA?

Solution

@markthomas 

Edge (Chromium-based) support for WIP is under development and hence available behind a feature flag (edge://flags/#edge-dataprotection).

 

Make sure you apply this WIP Enterprise AppLocker policy before you start. 

 

As of now the following WIP integration functionalities are available to pilot:
• File protection on the device when downloaded from a work location
• Audit / Block / Override enforcement for File Uploads
• Briefcase visual indicator available on the address bar when browsing work locations
• Browsing to work locations from other profiles automatically redirects to the Work Profile (associated with the Azure AD Identity)
• IE Mode supports full WIP integration

Coming soon:
• Audit / Block / Override enforcement for Clipboard actions
• Audit / Block / Override enforcement for Drag & Drop actions

 

Hi @Arunesh_Chandra 

 

The WIP doesn't seem to work for us. After installing Edge (Chromium "beta") yesterday, I was able to fully access our WIP protected SharePoint site, without needing to add anything to the Intune App Protection settings. However, when downloading a file from a document library in the protected SharePoint site, it downloaded as "personal" file ownership, which is obviously concerning. 

 

I then added both the App Locker XML files, as per your post and I can see that Edge (Chromium) is showing as "enlightened, permissive" under the Enterprise Context in the Task Manager. However, it didn't make a difference in terms of protecting downloaded files from protected sites and it also doesn't show the briefcase icon in the browser.

 

Just to mention, the (old) Edge browser correctly shows the briefcase for the mentioned SharePoint site, as well as protecting the file when downloaded. Any other browser, e.g. Chrome, would access the site in monitor mode and be prevented from downloading the file in the first place.

 

Any suggestions on what I could be doing wrong or when this will be resolved? I'm using Edge (Chromium) Version 79.0.309.18 (Official build) beta (64-bit).

 

Thanks,

 

Georg

@Arunesh_Chandra Thanks for the info. I had already added Edge to the WIP policy but not using the AppLocker XML. I have just switched over to that now.

 

Is there any way to enable the feature flags by policy?  We would like to start piloting and it would be nice to be able to set that flag automatically rather than have the users do it themselves.

 

Thanks

Mark.

Can you please confirm that you have ENABLED the WIP flag i.e. by navigating to edge://flags/#edge-dataprotection in the Edge (Chromium) browser?

@Naren- 

 

Thanks. I hadn't. It seems to work now. 

 

I'm guessing this will be enabled by default once in GA and that users won't be able to simply disable it? It would otherwise defeat the purpose of enforcing WIP a bit.

 

Is there a way to use Intune to change the setting at this moment in time, i.e. if I have any users downloading the beta that the WIP would be enabled? Thanks 

Is there any news regarding WIP in the new Edge? I haven't found WIP in the ADMX template in Intune. Do I have to set the flag through command-line options?

Any news on how to activate the flag #edge-dataprotection from Intune?

 

Regards

@Philip Büchler 

I created a ps1 script to add the flag to the "Local State" file.

 

# Start Edge once so the profile and "Local State" exist, then give it a few seconds before killing it
& "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Start-Sleep -Seconds 10

# Kill the Edge process; Edge rewrites "Local State" on exit, so it must be closed before editing
taskkill /im msedge.exe /f

# Go to Edge's profile directory
cd "$env:LOCALAPPDATA\Microsoft\Edge\User Data"

# Search and replace to add the WIP flag. Relies on "last_redirect_origin":"" being present in the
# "browser" object and on enabled_labs_experiments not already existing (it would otherwise be duplicated)
$state = Get-Content 'Local State' -Raw
if ($state -notmatch 'edge-dataprotection@1') {
    $state.Replace('"last_redirect_origin":""', '"enabled_labs_experiments":["edge-dataprotection@1"],"last_redirect_origin":""') | Set-Content 'Local State' -NoNewline
}

 

@Arunesh_Chandra 

 

I've just installed the "stable" version of the new Edge on a user's Windows 10 device (using Intune) and noticed that it now doesn't, by default, have WIP enabled. I was able to just download a file from a WIP protected SharePoint site and it saved it under Downloads as "personal". 

 

I would have expected that the new Edge would also have had this enabled by default. Now Microsoft is rolling out the new browser and the data isn't protected?

 

Would appreciate if you could advise.

 

Thanks,

 

Georg 

@Georg Brandner With the help of the PowerShell script of @Jose Castillo Soriano and the Canary version, I was able to have it behave the way I would expect (setting the flag and respecting WIP config).


@Philip Büchler 

 

Thanks Philip. The problem is that we also have Windows 10 devices that are Workplace joined (not AAD) and PowerShell scripts don't work for those when using the Intune PowerShell option. The only workaround that I know for some of this is to create MSI files and change the Registry that way.

 

What I find shocking is that WIP works out of the box, enabled, with the old Edge but seemingly not for the new Edge. There should not even be an option for the user to disable this. It should be on by default, same as the old Edge. And if not, then they should at least have an administrative template setting in Intune to manage this. I now have users who can download the new Edge browser and bypass WIP. Microsoft should not be releasing half-finished products as "stable". Enough of a rant.

 

Not sure if anyone knows of another way to force WIP to be enabled for the new Edge for standalone Intune with workplace and AAD joined Win 10 devices?

 

Thanks! 

Completely with you. I just try to check workarounds for eventual pilots, so we have an idea what other issues might come up in our org.

The stable version doesn't even respect WIP when the flag is activated and the briefcase symbol confirms the policy. Not to mention the possibility for users to simply turn off the flag, reclassify content and turn it back on.

I sometimes get the feeling that WIP is not a very broadly used feature. There is so little documentation or blog/Twitter hype around it.
Agree with you guys, the #edge-dataprotection should be enabled or at least we should be able to control it for AAD registered or AAD joined devices.

@lightupdifire @Georg Brandner @Philip Büchler 

 

Hello all, 

 

WIP support is a work in progress at the moment. Edge 82 stable will have the full support turned on by default. Today the latest Dev channel has the full support, which matches the old Edge functionality.

Please try it with the following on a Dev channel build and let us know how it goes.

Browser Policy reference - NonRemovableProfileEnabled (enables the flag)

or manually enabling edge://flags/#edge-dataprotection
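The following is an added example, not code posted by anyone in this thread, covering both the flag from the accepted answer and the NonRemovableProfileEnabled policy mentioned just above. It enables edge://flags/#edge-dataprotection by editing "Local State" as JSON (idempotent, and it keeps any flags already set instead of duplicating the key), reports whether the flag is on, and sets the machine policy that a user cannot undo from edge://flags. Assumptions: the flag is stored as "edge-dataprotection@1" under browser.enabled_labs_experiments (the layout implied by Jose Castillo Soriano's script, not confirmed by Microsoft here), and Edge reads NonRemovableProfileEnabled as a DWORD under HKLM\SOFTWARE\Policies\Microsoft\Edge, which is the standard Edge machine-policy key but is not stated in this thread.

```powershell
# Added example (not from this thread). Assumptions: flags live in "Local State" under
# browser.enabled_labs_experiments as "<flag>@1", and NonRemovableProfileEnabled is read
# as a DWORD under the HKLM Edge policy key below.

$LocalStatePath = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data\Local State'
$FlagEntry      = 'edge-dataprotection@1'   # "@1" selects the "Enabled" choice in edge://flags

function Test-EdgeDataProtectionFlag {
    param([string]$Path = $LocalStatePath)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $state = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    # Where-Object drops a $null when the key is absent, so @() is really empty
    $labs  = @($state.browser.enabled_labs_experiments | Where-Object { $_ })
    return ($labs -contains $FlagEntry)
}

function Enable-EdgeDataProtectionFlag {
    param([string]$Path = $LocalStatePath)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Local State not found at '$Path'; launch Edge once so the profile exists."
    }
    # Edge rewrites Local State on exit, so it must be closed before we edit it
    Get-Process -Name msedge -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Sleep -Seconds 2

    $state = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    if ($null -eq $state.browser) {
        $state | Add-Member -NotePropertyName browser -NotePropertyValue ([pscustomobject]@{})
    }
    # Merge rather than overwrite: keep any flags the user already enabled
    $labs = @($state.browser.enabled_labs_experiments | Where-Object { $_ })
    if ($labs -notcontains $FlagEntry) {
        $labs += $FlagEntry
        $state.browser | Add-Member -NotePropertyName enabled_labs_experiments -NotePropertyValue $labs -Force
        # The default -Depth (2) would truncate Local State's nested objects; write UTF-8 without BOM
        $json = $state | ConvertTo-Json -Depth 100
        [System.IO.File]::WriteAllText($Path, $json, (New-Object System.Text.UTF8Encoding $false))
    }
    return (Test-EdgeDataProtectionFlag -Path $Path)
}

function Set-EdgeNonRemovableProfilePolicy {
    # Machine-wide policy; needs admin rights. Unlike the flag, a user cannot toggle it off.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -LiteralPath $key -Name NonRemovableProfileEnabled -Value 1 -Type DWord
    return ((Get-ItemProperty -LiteralPath $key).NonRemovableProfileEnabled -eq 1)
}

# Usage: set the policy (for Dev builds that honour it) and the flag (for builds that still need it)
Set-EdgeNonRemovableProfilePolicy
Enable-EdgeDataProtectionFlag
```

Two practical notes: the Local State edit is per Windows user (it lives under %LOCALAPPDATA%), so an Intune script for it has to run in the user context, whereas the registry policy is machine-wide and needs an elevated context. Windows PowerShell 5.1's ConvertFrom-Json is case-insensitive on key names and will throw if a file ever contains two keys that differ only in case; run the script under PowerShell 7 if that happens.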

 

Thanks @Arunesh_Chandra 

 

Good to hear that it's being looked at. I am still very surprised that Microsoft can release a new product into GA (even Dev channel) with such a gaping data protection hole.

 

Do you know when the Edge 82 stable will be available?

 

Thanks and regards,

 

Georg 

@Georg Brandner Edge 82 is scheduled to be out by end of April. 

 

We wanted to build the right functionality, as some of the user experience was a little different from the legacy Edge due to multiple profiles. And since legacy Edge is still a supported browser, we decided not to rush it out.

 

Any feedback or bugs reports on WIP functionality in the Dev channel would be appreciated - it will help us improve it before we promote it to stable. 

 

Thanks for your interest and support.

Arunesh

 

Thanks @Arunesh_Chandra

 

I'm afraid I can't follow your logic. The old Edge browser may still be supported but it gets replaced once the new one is installed and Microsoft is actively getting users to upgrade. I would also imagine that all new Windows 10 devices come standard with the new Edge browser?

 

The correct decision would have been to have all security related features in place before going GA. Now I can't prevent (old) Edge from being used as it's the only browser that supports WIP but at the same time any user that has the latest version just bypasses WIP by default (every downloaded file is marked "personal" and not "work"). I can't even restrict access based on Edge version, as any user that's downloaded the latest version of Edge doesn't have the previous one installed and so wouldn't be able to then access any work data using a browser (if I were to restrict access based on Edge version). 

 

As an interim solution, can you please create a .MSI file for us that enables dataprotection and can then be deployed to Intune managed devices or have the dataprotection flag option as an Administrative Template option in Intune? 

@Georg Brandner I understand your concerns!

 

Here's some guidance on how you can control the install of Chromium-based Edge while keeping the legacy Edge still on the device.

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#install

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-blocker-toolkit

 

Also, WIP support will be available before new Windows 10 devices will come standard with the new Edge browser.  At the moment WIP support is for evaluation only, it is available behind a flag in all Edge 81 builds. You can download the .msi from https://www.microsoft.com/en-us/edge/business/download

Thanks @Arunesh_Chandra 

 

I was hoping that you could provide me with (create) a MSI file that then enables the dataprotection flag? So not the browser installation file but just a small MSI file that changes the flag from disabled to enabled. I would then use Intune to deploy to devices.

 

Regards 
