Updated April 2023
With the recent Windows announcement to end support for Windows Information Protection (WIP), Microsoft Intune will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we’ll also be removing support for the WIP without enrollment scenario by the end of calendar year 2022.
Note: Devices receiving WIP policies with Intune enrollment will continue to be supported until the feature is removed from Windows (or an additional communication is issued). Stay tuned to this blog for updates.
As mentioned in the Windows blog (Announcing sunset for Windows Information Protection), Windows Information Protection (WIP), previously known as Enterprise Data Protection (EDP), was originally released to help organizations protect enterprise apps and data against accidental data leaks without interfering with the employee experience on Windows. Over time, many of you have expressed a need for a data protection solution that works across heterogeneous platforms, and that allows you to extend the same sensitive data protection controls on endpoints that you have for the various SaaS apps and services you rely upon every day. To address these needs, Microsoft has built Microsoft Purview Data Loss Prevention (DLP), which is deeply integrated with Microsoft Purview Information Protection to help your organization discover, classify, and protect sensitive information as it is used or shared.
If you’re currently using WIP, we recommend leveraging Microsoft Purview DLP and Information Protection to achieve the most robust data protection for your cross-platform and cross-cloud needs.
Managing WIP without enrollment will be decommissioned by the end of 2022. We will decommission tenants in the following order starting in December:
We are actively messaging to customers through the Message Center to specify which of the three buckets they fall into above. We are finding most customers who have policies deployed have very few devices checking in and receiving WIP policy. If you don’t see messages in your message center, and believe you are impacted, please reach out to Microsoft Support.
Note: If you have different configurations of WIP without enrollment policy you will receive notifications for each scenario that applies to your environment.
The general timeline is as follows:
Important: Once the device is unregistered, users may see a notification indicating an account has been removed, “mddprov account has removed your workplace account…from your device.” You can safely disregard this message.
While the scenario is named Windows Information Protection without enrollment, devices are registered to our mobile application management (MAM) infrastructure. When we use the term ‘deregistering’ in the unmanaged context, we are referring to deregistering devices from the MAM infrastructure by removing the endpoints.
Important: We are not unenrolling devices from mobile device management as part of this process. Only devices that are registered to the endpoint to distribute WIP policy to unmanaged devices are impacted.
We have seen low usage of WIP across enterprise and commercial customers. Most of this usage is from devices that are not receiving any effective policy or have not configured the necessary settings to enforce WIP Protection. To validate if you have WIP configured in your environment, do the following:
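One way to inventory WIP policies from a script, as an added example that is not part of the original post: it assumes the Microsoft.Graph.Authentication PowerShell module, an account granted the `DeviceManagementApps.Read.All` scope, and the Microsoft Graph v1.0 `windowsInformationProtectionPolicies` (without enrollment) and `mdmWindowsInformationProtectionPolicies` (with enrollment) collections; the function name `Get-WipPolicy` is hypothetical.

```powershell
# Added example (not from the original post): list WIP policies per scenario
# so the "without enrollment" ones that still enforce protection stand out.
Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All'

function Get-WipPolicy {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Collection,  # Graph collection under deviceAppManagement
        [Parameter(Mandatory)][string]$Scenario     # label used in the report
    )
    $uri = "https://graph.microsoft.com/v1.0/deviceAppManagement/$Collection"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        foreach ($p in $page.value) {
            [pscustomobject]@{
                Scenario         = $Scenario
                DisplayName      = $p.displayName
                EnforcementLevel = $p.enforcementLevel   # noProtection means WIP is off
                IsAssigned       = $p.isAssigned
                LastModified     = $p.lastModifiedDateTime
            }
        }
        $uri = $page.'@odata.nextLink'   # follow paging until no further link is returned
    }
}

$policies = @(
    Get-WipPolicy -Collection 'windowsInformationProtectionPolicies'    -Scenario 'Without enrollment'
    Get-WipPolicy -Collection 'mdmWindowsInformationProtectionPolicies' -Scenario 'With enrollment'
)

if (-not $policies) {
    Write-Output 'No WIP policies found in this tenant.'
} else {
    $policies | Sort-Object Scenario, DisplayName | Format-Table -AutoSize

    # Policies affected by the end of support: without enrollment, assigned, still enforcing.
    $atRisk = $policies | Where-Object {
        $_.Scenario -eq 'Without enrollment' -and $_.IsAssigned -and
        $_.EnforcementLevel -ne 'noProtection'
    }
    Write-Output "Assigned 'without enrollment' policies still enforcing WIP: $(@($atRisk).Count)"
}
```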
Note: As mentioned above, we are ending support for WIP policies listed “Without enrollment”. Follow the steps below to remove WIP from devices receiving those policies.
WIP can be easily disabled through Intune proactively. This will ensure that your organization and users are not impacted by end of support activities in the future. When you disable the feature, WIP automatically removes protection from most files.
To remove Windows Information Protection, you have the following options:
For more information, see How to disable Windows Information Protection (WIP).
While WIP was designed to be used for a single user per device (see Limitations while using Windows Information Protection (WIP)), we wanted to mention what to do when removing WIP for a device with multiple users:
Devices with multiple users – We’ve seen scenarios where protection is not automatically removed for users that did not ‘initiate protection’. In this scenario, a user (User A) is targeted with WIP policy for unenrolled devices. User A is WIP enrolled and enforced. User B logs onto the device and accesses resources that are protected (either by Protected Domain or Cloud Resources, etc). These files are protected by WIP, based on the configuration for User A. When WIP is disabled for User A, User B’s files remain protected and accessible.
How to resolve: Once protection is disabled, User B can easily remove protection by right-clicking on the file and changing the file ownership. Although the protection is in place, the file remains accessible to User B.
If you have any questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.
Post updates:
10/12/22: Updated with timeline and additional clarity.
04/3/23: updated for clarity.