With the recent Windows announcement ending support for Windows Information Protection (WIP), Microsoft Intune will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we will also be removing support for the WIP without enrollment scenario by the end of calendar year 2022.
Note: Devices receiving WIP policies with Intune enrollment will continue to be supported until the feature is removed from Windows (or an additional communication is issued). Stay tuned to this blog for updates.
Why are we ending support for Windows Information Protection?
As mentioned in the Windows blog (Announcing sunset for Windows Information Protection), Windows Information Protection (WIP), previously known as Enterprise Data Protection (EDP), was originally released to help organizations protect enterprise apps and data against accidental data leaks without interfering with the employee experience on Windows. Over time, many of you have expressed a need for a data protection solution that works across heterogeneous platforms, and that allows you to extend the same sensitive data protection controls to endpoints that you already have for the various SaaS apps and services you rely on every day. To address these needs, Microsoft has built Microsoft Purview Data Loss Prevention (DLP), which is deeply integrated with Microsoft Purview Information Protection to help your organization discover, classify, and protect sensitive information as it is used or shared.
If you’re currently using WIP, we recommend leveraging Microsoft Purview DLP and Information Protection to achieve the most robust data protection for your cross-platform and cross-cloud needs.
What is the timeline for the without enrollment scenario?
Managing WIP without enrollment will be decommissioned by the end of 2022. We will decommission tenants in the following order starting in December:
Devices receiving no effective policies – These are devices that are actively registered and polling Intune for policy, but no policy has been defined for them.
Devices that are disabling WIP – These are devices that are actively registered and polling for policy, but that policy is disabling WIP (the platform default).
Devices that are configuring WIP – These are devices that are actively registered and polling for policy and that policy is configuring WIP on the endpoints.
What is the timeline and how will I know when this happens to me?
We are actively messaging customers through the Message Center to specify which of the three buckets above they fall into. We are finding that most customers who have policies deployed have very few devices checking in and receiving WIP policy. If you don't see messages in your Message Center and believe you are impacted, please reach out to Microsoft Support.
Note: If you have different configurations of WIP without enrollment policy you will receive notifications for each scenario that applies to your environment.
The general timeline is as follows:
On November 1st (or soon after), we will restrict creating new WIP 'without enrollment' policies from the Microsoft Intune admin center.
Starting in December 2022, we will begin deregistration for devices utilizing WIP ‘without enrollment’. Refer to the Message Center for when this will occur for your organization. We plan on completing the deregistration in the following order:
Devices receiving no effective policies.
Devices receiving ‘disable WIP’ Policy.
Devices receiving policy to configure WIP.
Important: Once the device is unregistered, users may see a notification indicating an account has been removed, “mddprov account has removed your workplace account…from your device.” You can safely disregard this message.
Why are you deregistering devices, I thought this was for the ‘without enrollment scenario’?
While the scenario is named Windows Information Protection without enrollment, devices are still registered to our mobile application management (MAM) infrastructure. When we use the term 'deregistering' in the unmanaged context, we are referring to deregistering devices from the MAM infrastructure by removing their device records from the endpoint.
Important: We are not unenrolling devices from mobile device management as part of this process. Only devices that are registered to the MAM endpoint that distributes WIP policy to unmanaged devices are impacted.
How do I know if I have WIP enabled on my devices?
We have seen low usage of WIP across enterprise and commercial customers. Most of this usage is from devices that are not receiving any effective policy or that have not configured the necessary settings to enforce WIP protection. To check whether you have WIP configured in your environment, do the following:
In the Microsoft Intune admin center, in the left navigation, go to Apps > App protection policies.
Under the Platform column, WIP policies are listed as “Windows Information Protection” and have either “With enrollment” or “Without enrollment” listed in the Management type column.
Note: As mentioned above, we are ending support for WIP policies listed as "Without enrollment". Follow the steps below to remove WIP from devices receiving those policies.
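The admin center steps above are a manual check. The following is an added example (not code from the original post or from Intune) that performs the same inventory with the Microsoft Graph PowerShell SDK and sorts each policy into the three buckets the post describes. It assumes the v1.0 Graph collections `windowsInformationProtectionPolicies` (without enrollment) and `mdmWindowsInformationProtectionPolicies` (with enrollment), the `assignments` navigation on each policy, and that the portal's "Off" intent corresponds to the `enforcementLevel` value `noProtection`. The buckets in the post are about devices; this approximates them from the policy side, so an unassigned policy is treated as "no effective policy".

```powershell
# Added example, not from the original post. Requires the
# Microsoft.Graph.Authentication module and a read scope for app management.
# Assumptions: Graph endpoints, the assignments navigation, and the mapping
# "Off" == enforcementLevel 'noProtection'.
Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All' -NoWelcome

$base = 'https://graph.microsoft.com/v1.0/deviceAppManagement'

# Without-enrollment (MAM) and with-enrollment (MDM) WIP policies live on
# different collections; only the first collection is being retired.
$collections = [ordered]@{
    'Without enrollment' = "$base/windowsInformationProtectionPolicies"
    'With enrollment'    = "$base/mdmWindowsInformationProtectionPolicies"
}

function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    # Follow @odata.nextLink so tenants with many policies are not truncated.
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

function Get-WipPolicyBucket {
    param([Parameter(Mandatory)]$Policy, [int]$AssignmentCount)
    if ($AssignmentCount -eq 0)                     { return 'No effective policy (unassigned)' }
    if ($Policy.enforcementLevel -eq 'noProtection') { return 'Disabling WIP' }
    return 'Configuring WIP'
}

$report = foreach ($kind in $collections.Keys) {
    $collectionUri = $collections[$kind]
    foreach ($p in Get-GraphCollection -Uri $collectionUri) {
        # Assumption: /assignments lists targetedManagedAppPolicyAssignment objects.
        $assignments = @(Get-GraphCollection -Uri "$collectionUri/$($p.id)/assignments")
        [pscustomobject]@{
            ManagementType   = $kind
            DisplayName      = $p.displayName
            Id               = $p.id
            EnforcementLevel = $p.enforcementLevel
            Assignments      = $assignments.Count
            Bucket           = Get-WipPolicyBucket -Policy $p -AssignmentCount $assignments.Count
        }
    }
}

# Policies in the retiring collection first, then by bucket.
$report | Sort-Object ManagementType, Bucket | Format-Table -AutoSize
```

Treat the output as a starting point: the authoritative statement of which bucket your tenant is in is the Message Center notice, and a policy that is assigned to a group with no registered devices will still show as "Configuring WIP" here even though no device receives it.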
What do I do to disable WIP?
You can proactively disable WIP through Intune. This ensures that your organization and users are not impacted by end of support activities in the future. When you disable the feature, WIP automatically removes protection from most files.
To remove Windows Information Protection, you have the following options:
(Recommended) Remove the WIP Policy (Unassign) – Removing an existing “enable” policy will remove the intent to deploy WIP from those devices. When that intent is removed, a device will remove protection for files and the configuration for WIP.
Change your current policy to "Off" – If you're currently deploying a WIP policy for enrolled or unenrolled devices, you can simply switch the intent of that policy to "Off". When devices check in after receiving this intent, they will proceed to unprotect files previously protected by WIP.
Create a "disable" policy – You can create a separate "disable" policy for WIP (both enrolled and unenrolled) and deploy that to your organization. You can stage the rollout by complementing your existing enablement policy with the disable policy and moving entities from being targeted with Enable to the Disable policy. Note: Use this option if you are using Configuration Manager to disable WIP.
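As an added example (not from the original post or from Intune), the script below applies the first two options above to a single "without enrollment" policy through Microsoft Graph: it switches the intent to "Off" and verifies the change, then removes the policy's assignments. It assumes the v1.0 endpoint `deviceAppManagement/windowsInformationProtectionPolicies`, that PATCHing `enforcementLevel` to `noProtection` is what the portal's "Off" does, and that the `assign` action on that resource accepts an empty `assignments` array to clear all targeting. The policy name is a placeholder.

```powershell
# Added example, not from the original post. Requires the
# Microsoft.Graph.Authentication module and a write scope for app management.
# Assumptions: endpoint, property name, and the /assign action with an empty
# assignments array; 'Contoso WIP (unenrolled)' is a hypothetical policy name.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All' -NoWelcome

$base = 'https://graph.microsoft.com/v1.0/deviceAppManagement/windowsInformationProtectionPolicies'

function Get-WipPolicyByName {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Filter client-side; not every Intune collection supports $filter on displayName.
    $all  = (Invoke-MgGraphRequest -Method GET -Uri $base -OutputType PSObject).value
    $hits = @($all | Where-Object { $_.displayName -eq $DisplayName })
    if ($hits.Count -ne 1) {
        throw "Expected exactly one policy named '$DisplayName', found $($hits.Count)."
    }
    return $hits[0]
}

# Option "Change your current policy to Off": the portal's Off intent is the
# enforcementLevel value noProtection (assumption). Devices unprotect files at
# their next check-in after receiving it.
function Set-WipPolicyOff {
    param([Parameter(Mandatory)][string]$PolicyId)
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/$PolicyId" `
        -ContentType 'application/json' -Body @{ enforcementLevel = 'noProtection' }
}

# Option "Remove the WIP Policy (Unassign)" (recommended in the post): clear the
# assignments so no device keeps the intent to deploy WIP.
function Clear-WipPolicyAssignments {
    param([Parameter(Mandatory)][string]$PolicyId)
    Invoke-MgGraphRequest -Method POST -Uri "$base/$PolicyId/assign" `
        -ContentType 'application/json' -Body @{ assignments = @() }
}

$policy = Get-WipPolicyByName -DisplayName 'Contoso WIP (unenrolled)'   # placeholder
"Before: '$($policy.displayName)' enforcementLevel=$($policy.enforcementLevel)"

Set-WipPolicyOff -PolicyId $policy.id

# Read the policy back before unassigning so a failed PATCH is noticed here,
# not weeks later when a device still reports protected files.
$after = Invoke-MgGraphRequest -Method GET -Uri "$base/$($policy.id)" -OutputType PSObject
if ($after.enforcementLevel -ne 'noProtection') {
    throw "Policy $($policy.id) still reports enforcementLevel=$($after.enforcementLevel)."
}

Clear-WipPolicyAssignments -PolicyId $policy.id
"After: enforcementLevel=$($after.enforcementLevel); assignments cleared for $($policy.id)"
```

Run the Off step on its own first if you want devices to receive an explicit unprotect intent before the policy disappears from their scope; unassigning alone also removes protection, as the post states, but leaves no policy for a stale device to report against.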
Devices with multiple users – We’ve seen scenarios where protection is not automatically removed for users that did not ‘initiate protection’. In this scenario, a user (User A) is targeted with WIP policy for unenrolled devices. User A is WIP enrolled and enforced. User B logs onto the device and accesses resources that are protected (either by Protected Domain or Cloud Resources, etc). These files are protected by WIP, based on the configuration for User A. When WIP is disabled for User A, User B’s files remain protected and accessible.
How to resolve: Once protection is disabled, User B can remove the protection by right-clicking the file in File Explorer and changing its file ownership from work to personal. Although the protection remains in place until then, the file is still accessible to User B.
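The leftover-protection case above is easy to miss on a shared device because the files still open for User B. As an added example (not from the original post), the function below walks a second user's profile folders and returns files that still carry the EFS Encrypted attribute, which is how WIP protection shows up at the file-system level, so an admin can confirm whether the manual file-ownership fix is still needed. It assumes `cipher.exe /c` can be used to dump a file's EFS protector details (the post does not say what that output contains, so the script only captures it), and the profile path is a placeholder. Files the user encrypted with ordinary EFS will match too, so treat hits as candidates, not proof.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on
# the shared device. Assumptions: WIP-protected files expose the Encrypted
# attribute; cipher.exe /c prints EFS protector details (format not parsed);
# 'userb' is a placeholder profile name.
function Get-WipCandidateFile {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [switch]$IncludeCipherDetail
    )
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
            ForEach-Object {
                $detail = $null
                if ($IncludeCipherDetail) {
                    # cipher /c reports the EFS details for a single file.
                    $detail = (& cipher.exe /c $_.FullName 2>$null) -join "`n"
                }
                [pscustomobject]@{
                    FullName     = $_.FullName
                    LastWrite    = $_.LastWriteTime
                    Owner        = (Get-Acl -LiteralPath $_.FullName).Owner
                    CipherDetail = $detail
                }
            }
    }
}

# Profile of the user who did not initiate protection (User B in the post).
$userB = Join-Path $env:SystemDrive 'Users\userb'   # placeholder
$folders = @('Documents', 'Desktop', 'Downloads') | ForEach-Object { Join-Path $userB $_ }

$leftovers = @(Get-WipCandidateFile -Path $folders -IncludeCipherDetail)
$leftovers | Select-Object FullName, Owner, LastWrite | Format-Table -AutoSize
"{0} file(s) under {1} still carry the Encrypted attribute after WIP was disabled." -f $leftovers.Count, $userB
```

A count of zero after User A's policy has been switched off and the device has checked in means the multi-user case did not occur for that profile; a non-zero count is the list User B needs to walk through with the File ownership change described above.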
If you have any questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.