Windows Information Protection License Requirements

You can select the protection level (mode) for Windows Information Protection (WIP). After disabling WIP, an attempt is made to decrypt all files marked with WIP on locally connected drives. Note that your previous decryption and policy information is not automatically reapplied when you re-enable WIP protection. You can set your WIP policy to use 1 of the 4 protection and management modes:

The other thing you need to know about WIP is that this protection is broad in scope. You can't apply it to some company documents and not to others. It applies to endpoints, not to individual data as such. And there are only two possible states for data on a WIP-protected endpoint: the data is either inside the fence (company) or outside (personal).

Override notifies users when they attempt to perform an unauthorized action, but the user can still perform the action. If the user ignores the alert, WIP records this information and includes it in its audit log.

Information protection and governance is an area in which Microsoft has invested heavily in recent years. New features appear constantly, such as native support for sensitivity labels in Microsoft 365 apps for business, trainable classifiers, auto-labeling policies for sensitivity labels, and more.

Among all the changes, one constant is that tenant administrators often don't know what licenses are required to protect data. Let us try to find out what the situation is.

Privacy and security requirements have evolved, especially with remote work, the growth of front-line employees, and the rapid adoption of BYOD and a perimeterless work culture. Windows laptops and desktops are very popular in companies as well as for personal use. The security of corporate data on BYO PCs (employee-owned Windows computers and laptops) is at risk if these devices are operated outside of the company's networks and infrastructure. This is where the Microsoft Windows Information Protection policy comes into play for securing corporate data.

The standard set of information protection and governance features in Office 365 E3 includes:

The basic idea of WIP is not only to protect company data on employee devices, but also to distinguish between company data and personal data on those devices and selectively apply protection policies to company data. This ensures that company data is protected and the company's security posture is maintained without compromising the employee's personal data.

Given the number of features and plans available in this area, the licensing issue can be quite complex.

Microsoft publishes guidance to help tenant administrators and license coordinators understand when premium licenses are required to cover security and compliance features. A useful Microsoft 365 compliance comparison table (Figure 1) is also available to show which license covers each feature. The table also identifies gaps in terms of desirable features that are not covered by licenses owned by a tenant.

Once administrators have decided which applications and which users can access which data, they must select a level of protection to apply to the data. WIP offers four levels of protection:

Automatic processing usually means that some form of automatic policy enforcement is involved. For example, you can deploy auto-labeling policies to apply sensitivity labels or retention labels to documents and emails. Office 365 E5 covers these policies as well as the advanced OME and Customer Key for Office 365. Sometimes Microsoft's definition of automatic is a bit strained. For example, if you set a default retention label for a SharePoint Online document library so that new documents created in the library receive the set label, it is automatic and therefore requires an E5 license.

In some cases, a feature may not enforce the stated licensing requirement. This may be because the required code is not yet available. The code may appear soon. In all cases, a customer must have licenses to use the features. It's a bad place to be when the features the company depends on suddenly stop working because Microsoft updates its license enforcement code.

Formerly known as Enterprise Data Protection, Windows Information Protection (WIP) debuted in the Windows 10 Anniversary Update. In addition to separating business and personal data, WIP allows IT administrators to determine which users and applications have access to which data, and what users can do with corporate data. For example, IT can prevent users from copying corporate data from a trusted application and pasting it into an untrusted application. IT can also prevent users from moving data to removable drives or sending it to cloud-based tools such as Dropbox.

Applications such as Microsoft Word work with WIP to keep data protected on local files and removable media. These applications are called enterprise aware.

For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version under a different name, Word automatically applies WIP to the new document.

Windows Information Protection (WIP), formerly known as Enterprise Data Protection (EDP), helps protect against this potential data loss without otherwise compromising the employee experience. WIP also helps protect corporate apps and data from accidental data leaks on company-owned devices and personal devices that employees bring to work, without the need for changes to your environment or other apps. Another data protection technology, Azure Rights Management, also works with WIP to extend data protection for data leaving the device, such as when attachments are sent from an enterprise-ready version of a Rights Management email client.

However, for advanced features such as Bring Your Own Key (BYOK), Hold Your Own Key (HYOK), or Double Key Encryption (DKE), you need a premium license such as Microsoft 365 E5, Microsoft 365 E5 Compliance, or Microsoft 365 E5 Information Protection and Governance. These licenses also cover scenarios such as using S/MIME with sensitivity labels, classifying data in SharePoint Online, and using sensitivity labels with Power BI.

The scope of WIP is much more limited than an information protection label applied to a document. A document with a sensitivity label (or Azure Information Protection label) can remain protected even if it has been shared and uploaded to an external/non-business location.

The recipient could be asked to authenticate, and they would also be bound by the restrictions that the label imposes on their identity.

Silent essentially runs in the background and tracks users' actions without stopping them. This option still prevents users from seeing information that they do not have permission to view.

Hello, thank you very much for this series of articles – very useful. Being able to manage our data on users' personal Windows 10 devices is exactly what we want to do. I set this up in a test environment and it works well when we add the work account to Windows 10 and register the device as a registered device. However, if we do not register the device, the user can simply access all our data without control. How can we combine this WIP-WE and prevent unregistered devices from accessing our data?

Hello Alex, what do you think about using WIP and Adobe Reader DC? Because it's an unexplained application, Adobe Reader DC doesn't seem to be able to distinguish between corporate data and personal data, and therefore cannot work with WIP design?

According to this article from Microsoft, Adobe Reader DC may work with Microsoft Information Protection, but not with Windows Information Protection: techcommunity.microsoft.com/t5/azure-information-protection/general-availability-of-adobe-acrobat-reader-integration-with/ba-p/298396 This is a very different feature set from WIP.