Windows Information Protection

Use this profile configuration to assign a Windows Information Protection policy to your devices. Only one Windows Information Protection profile configuration can be assigned and installed on a device. Additional Windows Information Protection profile configurations assigned to a device will be ignored.

Settings

Use the options on the Settings tab of the WIP profile configuration to control the behaviour of WIP on your devices.

Protection Level Select one of the following options to set the protection level for your enterprise data.
  • Block: Prevents Enterprise Data from leaving Enforced applications or networks.
  • Override: Allows device user to share protected data. However, user is notified that the shared data is protected and all overrides are logged.
  • Silent: Allows device user to share protected data without notification. All actions are logged.
  • Off: Allows device user to share protected data without notification and no actions are logged.
Other Settings: Allow user to decrypt data created or edited by Enforced Applications When enabled, device users can decrypt any data created or edited by enforced applications by entering the file's Properties and deselecting the appropriate checkboxes.
Other Settings: Revoke encryption keys on device unenrollment When enabled, the device user's local encryption keys are revoked when the device is unenrolled.
Other Settings: Allow encrypted data and Store apps to appear in Windows search When enabled, Windows Search can search and index encrypted corporate data and Store applications.
Data Recovery Certificate (Important in Case of Data Loss) Allows you to recover encrypted data that might be lost if an account is locked or becomes inaccessible, by verifying your right to access that information.
Note: It is recommended that you use a Data Recovery Agent (DRA) template from ADCS.

Applications

Use the Applications tab to specify which applications have access to enterprise data on your devices.

Use the list of Available Applications to configure which applications can open your enterprise data. Available applications are divided into two sections: Predefined Legacy Applications (*.msi) and Predefined Modern Applications (*.appx). Applications with a lightbulb icon are Enlightened Applications. Enlightened applications can differentiate between corporate and personal data and only encrypt corporate data. Unenlightened applications consider all data corporate and encrypt everything. Exempt applications are allowed to access enterprise data without encrypting it.

Use the arrows to add applications to the Enforced Applications list. While an application is selected in the Available Applications list, click the single right-pointing arrow to move it into the Enforced Applications list. Once an application is in the Enforced Applications list you can choose its behaviour. Double-click on Allow to open a drop-down with the following options:

  • Allow: Applies your WIP policy to this application
  • Block: Blocks the application from accessing your enterprise data
  • Exempt: Exempts the application from your WIP policy, allowing it to access enterprise data without encryption. This option is primarily for applications that may have compatibility issues with WIP but are necessary for your company's productivity. Use this option carefully, as exemption from WIP increases the chances of a data leak from your applications.

Networks

Use this tab to set boundaries for the Windows Information Protection profile configuration. Each of the three network setting types (IP Address Range, Network Domain, and Protected Domain) must be configured, and you can configure multiple values for each type.

Add Opens the Add Network Setting dialog box in which you can select, and specify values for, the network setting type you want to add.
Edit Opens the Edit Network Setting dialog box in which you can edit the values of the selected network setting.

You can also double-click a network setting in the list to edit it.

Delete Deletes the selected network setting.

Network Domain

Enter the network domain where your enterprise data is accessible to your device users. You must specify a fully qualified domain name. All traffic to the network domains on this list will be protected. You can add multiple network domains.

Network Type The network type you are configuring. This field is read-only when you are editing an existing network type.
Location Enter a fully qualified domain name.

IP Address Range

Enter the range of IP addresses where enterprise data is accessible to your device users. Device users cannot access enterprise data while they are outside this range. You can add multiple IP address ranges.

Network Type The network type you are configuring. This field is read-only when you are editing an existing network type.
Type Select an internet protocol version: IPv4 or IPv6.
Starting Address Enter the starting address for your IP address range.
Ending Address Enter the ending address for your IP address range.

Protected Domain

Enter the Protected Domain where your enterprise data is accessible to your device users. You must specify a fully qualified domain name.

Network Type The network type you are configuring. This field is read-only when you are editing an existing network type.
Location Enter a fully qualified domain name.
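The three Networks tab entry types above define the enterprise boundary. The following added example (not part of this product's code or of WIP itself) sanity-checks a set of boundary entries before they are entered in the profile: IP ranges must have matching IPv4/IPv6 type with a starting address that is not after the ending address, and Network Domain and Protected Domain values must be fully qualified domain names. The sample entries are constructed, and the host-name check treats subdomains as inside the boundary, which is an assumption made here for illustration, not a statement of how WIP matches names.

```python
import ipaddress
import re

# Constructed sample boundary mirroring the three Networks tab entry types.
SAMPLE_BOUNDARY = {
    "ip_ranges": [
        {"type": "IPv4", "start": "10.0.0.1", "end": "10.0.255.254"},
        {"type": "IPv6", "start": "fd00::1", "end": "fd00::ffff"},
    ],
    "network_domains": ["corp.example.com"],
    "protected_domains": ["example.com"],
}

# Fully qualified domain name: one or more labels followed by a TLD, 253 chars max.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def validate_boundary(boundary):
    """Return a list of problems; an empty list means the entries are consistent."""
    problems = []
    for r in boundary["ip_ranges"]:
        try:
            start, end = ipaddress.ip_address(r["start"]), ipaddress.ip_address(r["end"])
        except ValueError as exc:
            problems.append(f"bad address in range {r}: {exc}")
            continue
        # Starting and ending address must share a version that matches the Type field.
        if start.version != end.version or r["type"] != f"IPv{start.version}":
            problems.append(f"version mismatch in range {r}")
        elif start > end:
            problems.append(f"starting address is after ending address in range {r}")
    for key in ("network_domains", "protected_domains"):
        for name in boundary[key]:
            if not FQDN_RE.match(name):
                problems.append(f"{key}: '{name}' is not a fully qualified domain name")
    return problems


def in_boundary(boundary, destination):
    """True if an IP address or host name falls inside the configured boundary."""
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:
        # Not an IP: match the host name (or a subdomain, an assumption here) against domains.
        host = destination.lower().rstrip(".")
        return any(host == d or host.endswith("." + d)
                   for d in boundary["network_domains"] + boundary["protected_domains"])
    for r in boundary["ip_ranges"]:
        start, end = ipaddress.ip_address(r["start"]), ipaddress.ip_address(r["end"])
        if addr.version == start.version and start <= addr <= end:
            return True
    return False
```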