Support tip: End of support guidance for Windows Information Protection

Published Jul 22 2022 11:09 AM

With the recent Windows announcement to end support for Windows Information Protection (WIP), Microsoft Endpoint Manager will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we’ll also be removing support for the WIP without enrollment scenario by the end of calendar year 2022.

Note: Devices receiving WIP policies with Intune enrollment will continue to be supported until the feature is removed from Windows (or an additional communication is issued). Stay tuned to this blog for updates.

Why are we ending support for Windows Information Protection?

As mentioned in the Windows blog (Announcing sunset for Windows Information Protection), Windows Information Protection (WIP), previously known as Enterprise Data Protection (EDP), was originally released to help organizations protect enterprise apps and data against accidental data leaks without interfering with the employee experience on Windows. Over time, many of you have expressed a need for a data protection solution that works across heterogeneous platforms, and that allows you to extend to endpoints the same sensitive data protection controls you have for the various SaaS apps and services you rely upon every day. To address these needs, Microsoft has built Microsoft Purview Data Loss Prevention (DLP), which is deeply integrated with Microsoft Purview Information Protection to help your organization discover, classify, and protect sensitive information as it is used or shared.

If you’re currently using WIP, we recommend leveraging Microsoft Purview DLP and Information Protection to achieve the most robust data protection for your cross-platform and cross-cloud needs.

How do I know if I have WIP enabled on my devices?

We have seen low usage of WIP across enterprise and commercial customers. Most of this usage comes from devices that are not receiving any effective policy or have not configured the settings needed to enforce WIP protection. To check whether you have WIP configured in your environment, do the following:

  1. Navigate to Microsoft Endpoint Manager admin center.
  2. In the left navigation, go to Apps > App protection policies.
  3. Under the Platform column, WIP policies are listed as “Windows Information Protection” and have either “With enrollment” or “Without enrollment” listed in the Management type column.

Note: As mentioned above, we are ending support for WIP policies listed as “Without enrollment”. Follow the steps below to remove WIP from devices receiving those policies.
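The same inventory can be scripted so that the “Without enrollment” policies are easy to spot across a large tenant. This is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK, the DeviceManagementApps.Read.All permission, and the Intune Graph routes for WIP policies (windowsInformationProtectionPolicies for without enrollment, mdmWindowsInformationProtectionPolicies for with enrollment).

```powershell
# Added example: list Intune WIP policies together with their management type.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# account holds DeviceManagementApps.Read.All. Endpoint paths are assumed to be
# the Intune Graph routes for WIP policies.
Connect-MgGraph -Scopes "DeviceManagementApps.Read.All" | Out-Null

$endpoints = @{
    # WIP without enrollment (MAM) policies: the scenario losing support in 2022
    "Without enrollment" = "https://graph.microsoft.com/v1.0/deviceAppManagement/windowsInformationProtectionPolicies"
    # WIP with enrollment (MDM) policies: supported until WIP is removed from Windows
    "With enrollment"    = "https://graph.microsoft.com/v1.0/deviceAppManagement/mdmWindowsInformationProtectionPolicies"
}

$results = foreach ($type in $endpoints.Keys) {
    $uri = $endpoints[$type]
    # Follow @odata.nextLink so tenants with many policies are listed completely
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($p in $page.value) {
            [pscustomobject]@{
                ManagementType   = $type
                DisplayName      = $p.displayName
                # enforcementLevel "noProtection" corresponds to a policy set to Off
                EnforcementLevel = $p.enforcementLevel
                LastModified     = $p.lastModifiedDateTime
            }
        }
        $uri = $page.'@odata.nextLink'
    } while ($uri)
}

$results | Sort-Object ManagementType, DisplayName | Format-Table -AutoSize

# Any row whose ManagementType is "Without enrollment" and whose
# EnforcementLevel is not "noProtection" still needs to be unassigned or set to Off.
```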

What do I do to disable WIP?

WIP can be disabled proactively through Microsoft Endpoint Manager. Doing so ensures that your organization and users are not affected by end-of-support activities in the future. When you disable the feature, WIP automatically removes protection from most files.

To remove Windows Information Protection, you have the following options:

  1. (Recommended) Remove the WIP policy (unassign) – Removing an existing “enable” policy removes the intent to deploy WIP from those devices. When that intent is removed, a device removes protection from files and removes the WIP configuration.
  2. Change your current policy to “Off” – If you’re currently deploying a WIP policy for enrolled or unenrolled devices, you can simply switch the intent of that policy to “Off”. When devices check in after receiving this intent, they proceed to unprotect files previously protected by WIP.
  3. Create a “disable” policy – You can create a separate “disable” policy for WIP (both enrolled and unenrolled) and deploy it to your organization. You can stage the rollout by running it alongside your existing enablement policy and moving entities from being targeted with the enable policy to the disable policy. Note: Use this option if you are using Configuration Manager to disable WIP.

For more information, see How to disable Windows Information Protection (WIP).

Are there any special scenarios I need to account for when disabling WIP?

While WIP was designed for a single user per device (see Limitations while using Windows Information Protection (WIP)), we want to explain what to do when removing WIP from a device with multiple users:

Devices with multiple users – We’ve seen scenarios where protection is not automatically removed for users who did not ‘initiate protection’. In this scenario, a user (User A) is targeted with a WIP policy for unenrolled devices. User A is WIP enrolled and enforced. User B logs on to the device and accesses protected resources (for example, via Protected Domains or Cloud Resources). These files are protected by WIP based on the configuration for User A. When WIP is disabled for User A, User B’s files remain protected and accessible.

How to resolve: Once protection is disabled, User B can remove protection by right-clicking the file and changing the file ownership. Although the protection remains in place until then, the file stays accessible to User B.

If you have any questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.