Migrating from Windows Information Protection to Microsoft Purview

Introduction

In July 2022 we announced the sunsetting  here: Announcing the sunset of Windows Information Protection (WIP) - Microsoft Community Hub of Windows Information Protection (WIP). The last version of windows to ship with WIP will be Win11 24H2.

Why are we doing this?

Windows Information Protection, previously known as Enterprise Data Protection (EDP), was originally released to help organizations protect enterprise apps and data against accidental data leaks without interfering with the employee experience on Windows. Over time, many of you have expressed a need for a data protection solution that works across heterogenous platforms, and that allows you to extend the same sensitive data protection controls on endpoints that you have for the various SaaS apps and services you rely upon every day. To address these needs, Microsoft has built Microsoft Purview Data Loss Prevention (DLP), which is deeply integrated with Microsoft Purview Information Protection to help your organization discover, classify, and protect sensitive information as it is used or shared.

What scenarios are in scope?

WIP provided customers with the following key capabilities:

• Extend data protection to managed and unmanaged devices
• Protect enterprise data at rest when it's stored on a protected device
• Restrict which apps, removable drives, printers, network shares, and sites are allowed or restricted from copying, accessing, and storing sensitive data
• Classify data based upon the app or site where it was created, copied, or downloaded.
• Granular controls to designate different levels of data access restrictions
• Remote wipe sensitive data at rest

How does deprecation impact WIP users?

WIP as an offering is no longer under active feature development. The sunset process will follow the standard Windows client feature lifecycle, which shows which existing features and capabilities are supported and for what timelines. This was announced in July here.

Following this deprecation announcement, the Microsoft Endpoint Manager team announced ending support for WIP without enrollment scenario by EOY 2022, which only impacts unmanaged devices. The announcement by the Microsoft Endpoint Manager team is here. Please visit the Microsoft Endpoint Manager announcement for the latest on the decommissioning of MEM’s support for the ‘unenrolled’ scenario.

How should you respond to the deprecation notice?
If you are using WIP without enrollment, Microsoft will be communicating with you directly about the impact to your devices and the timelines for that impact. Please keep an eye on the message center for the latest updates.

Microsoft Endpoint Manager will continue to support WIP with enrollment (managed devices) scenarios for the duration of the OS lifecycle (until 2026) and will continue to offer options to enroll both corporate and personal devices for management (and subsequently to receive WIP policy).

How do I start planning for this change?

Refer to this chart for a breakdown of WIP capabilities and how they map to Purview:

Leverage Endpoint DLP to define work vs non-work data boundaries

To prevent users from egressing data via activities such as printing, copying to USB drives, network shares, or uploading to sensitive domains, you can define groups of unsanctioned devices such as printers and USB removeable drives or domains such as dropbox.com. Learn more here: Configure endpoint DLP settings - Microsoft Purview (compliance) | Microsoft Learn.

Defining apps/URLs as corporate or work, or enterprise network, and defining an action to enforce data that moves out of those domains

This example will use WIP’s Network Boundary and Allowed App configuration as examples.

Network boundary configuration in WIP:

Allowed Apps configuration in WIP:

For this scenario of sensitive business sites and apps we will use DLP policies and define sensitive service domain groups and restricted app groups to ensure protection of data. Data is in this organization is stored in SharePoint and OneDrive within Microsoft 365.

To prevent external sharing of sensitive items from SharePoint and OneDrive we will create a DLP policy to address this. This table below covers some common variations and how to configure the policy.

For files stored on the device (either Windows 10/11 or MacOS) itself, we will protect data egress with an Endpoint DLP policy.

Within DLP settings, we can define the set of Restricted App groups and Sensitive Service Domains. These groups are able to have their own enforcement mode in the policy configuration.

With our App Allowlist feature coming in Q1 2024, admins can choose to only allow a group of known apps, and block all other apps.

To begin configuring the Endpoint DLP policy:

1. Create and scope a policy that is applied only to the Devices location.
2. Create a rule that uses the content condition that is triggered by any of our sensitive data classifiers, in this case we will use Credit Card Number as an example.
3. In the action, select Audit or Restrict activities on devices.
4. Select the user activities you want to monitor or restrict and the actions you want Microsoft Purview to take in response to those activities. These actions can include:
   • Upload to a restricted cloud service domain. Here we will use the domain groups created earlier to set a unique enforcement for those groups, as well as the overall enforcement mode.
   • 
   • Paste to supported browsers
   • Copy to clipboard
   • Copy to removeable USB device
   • Copy to Network DrivePrint
   • Copy to unallowed Bluetooth app
   • Copy or move using RDP

5. In addition to the overall enforcement action, more granular exceptions can be configured based on either corporate network presence or VPN groups. VPN groups can be configured in the Endpoint DLP settings page.

6. File activities for apps in restricted app groups can also be used to define enforcement modes unique from the enforcement overall for defined app groups from Settings page.

Labeling from source

Default SharePoint document library labels: When SharePoint is enabled for sensitivity labels, you can configure a default label for document libraries. Then, any new files uploaded to that library, or existing files edited in the library will have that label applied if they don't already have a sensitivity label, or they have a sensitivity label but with lower priority. This can be used to replicate the Personal / Work boundary functions of WIP. The label can then be used as a condition in any DLP policy.

Labeling protection for unmanaged devices

In BYOD use cases where the Endpoint client can be offboarded by the user, an additional layer of protection should be applied to data with Labeling with Encryption.

When you create a sensitivity label, you can restrict access to content that the label will be applied to. When a document, email, or meeting invite is encrypted, access to the content is restricted, so that it:

• Can be decrypted only by users authorized by the label's encryption settings.
• Remains encrypted no matter where it resides, inside or outside your organization, even if the file's renamed.
• Is encrypted both at rest (for example, in a OneDrive account) and in transit (for example, email as it traverses the internet).

This encryption setting can be applied to any sensitivity label.

To learn more visit Apply encryption using sensitivity labels | Microsoft Learn

Conditional Access + session controls using Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps offers the ability to protect sensitive content in your SaaS apps through Conditional Access App Control. It uses a reverse proxy architecture and integrates with your Identity Provider. It enables user app access and sessions to be monitored and controlled in real time based on access and session policies. You can configure access and session policies to either enforce labels or block actions on managed devices like download, cut, copy, print of sensitive documents on, for example, unmanaged devices. To see all protection actions that can be employed with access and session policies see How Conditional Access App Control Works.

Using Windows MAM

Another solution that is designed to extend protection and configuration to unmanaged devices is MAM for Windows.  Windows MAM supports targeted management for org accounts and data within enabled apps on unmanaged devices through the following features:

• Application Configuration Policies allow administrators to pre-define app specific settings for the org account.  Example: Set homepage or favorites in Edge.
• Application Protection Policies enable administrators to control data protection and health checks for org data in the client application.  Example: Allow or block copy and paste of org data.
• Windows Defender Threat Defense integrates with the MAM health checks and allows administrators to configure automatic actions (block/wipe) based on the client device risk evaluated by the Windows Security Center.  Example: Immediately wipe all Org data if high risk malware is detected.
• App Protection Conditional Access

The first application to adopt MAM for Windows is Microsoft Edge and is available as of CY2023. Because it is a browser, Microsoft Edge will offer broad, MAM protected, access to org resources, including M365 web apps, SaaS apps and customer internet and intranet sites.

Leverage Tenant Restrictions to manage how SaaS and LOB applications are accessed

To prevent users from egressing data within LOB applications and across SaaS applications through work and personal identities, we recommend turning on:s

• Device Restrictions (link) to control LOB access and behavior on managed devices
• Tenant Restrictions (aka TRv2) to control the list of tenants that users on your network are permitted to access. Azure AD only grants access to permitted tenants - all other tenants are blocked, even ones that your users may be guests in.

For more detailed information and instructions see: Use tenant restrictions to manage access to SaaS apps - Microsoft Entra | Microsoft Learn and Device restriction settings for Windows 10/11 in Microsoft Intune | Microsoft Learn.

You can also clearly define isolation policies between sanctioned LOB applications that are allowed to access sensitive corporate data vs those non-LOB applications that are blocked – e.g. allow Outlook, and block notepad+. You have the ability to prevent users from adding non-work accounts to sanctioned LOB applications – e.g. lock down Outlook to corporate identity only. https://learn.microsoft.com/en-us/mem/intune/configuration/email-settings-configure?tabs=outlook-and...

Will my existing WIP policies continue to work after the deprecation?

Yes, if you are on the Windows build with WIP policies will continue to work, however, new policies cannot be created.

I need more help, who can I reach out to?
Depending on your size and the complexity of your environment, you have a few options:

• Reach out to your Microsoft account team.
• Reach out to Microsoft FastTrack and request help with the migration.
• Reach out to Microsoft Support with specific questions.
• Reach out to Microsoft MVPs who specialize in Information Protection.
• Use the Information Protection Yammer group to reach out directly to the product group and leverage the community for answers. Viva Engage: Microsoft Information Protection Team (yammer.com)

Get started

Get started today with Microsoft Purview DLP by turning on endpoint DLP as it is built into Windows 10 and 11 and does not require an on-premises infrastructure setup or agents on endpoint devices. Learn more about endpoint DLP here. You can try Microsoft Purview DLP and other Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial!