Is it possible to restrict saving files only to OneDrive through Windows Information Protection?

Dears,

We have implemented Windows Information Protection through an Intune App protection policy on the Windows 10 operating system and are able to block cut/copy/paste of data from work apps to personal apps.

Is it possible to restrict saving/copying files only to OneDrive (the OneDrive sync folder on the laptop hard disk, and not any other location on the local hard disk or USB)?

6 Replies
Hi,

Just wondering, but why do you want to prevent it? If you implemented WIP, your files will be marked as corporate, so they won't be able to be opened from another account/device (if the policy is set to block).

Just wondering about the idea behind it so I can give good advice.

Hi Rudy,

Thanks for your support. It is one of the requirements of the business. They want to keep the data only on OneDrive. We tried copying the work file to another device and we are able to copy and open the work file from another tenant user account.

Also, I have read the following important point from the below URL "While WIP can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data." Does it mean WIP cannot be used to block copying/restrict files to local hard disks and USB?

https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protect...

@RAJAKUMAR SELVARAJ

WIP is not meant to "block" data copy to USB but to encrypt the org data.

When a document is marked as corporate and you try to copy it to USB media, you will be prompted if everything is configured correctly. If you didn't configure the allow override, the "copy as personal" option is not available.

Are you sure the document you opened in another tenant is a WIP-protected file? I am not a fanboy of WIP, but I can't imagine an encrypted WIP document being able to be opened by a non-authorized user.

And there are more options available to block USB media:

O Removable Storage, Where Art Thou? - Intune Device Control (call4cloud.nl)

 

Thanks, Rudy. I have attached the hard disk to another PC and the files didn't open: "User does not have access privileges"

But that's a good thing, right? Because it's a built-in feature in case you need to recover some files? And just like MS is telling us, protect that certificate! :)