Block sharing of corporate data with Windows Information Protection (Microsoft Endpoint DLP)

How do you ensure that corporate data either text or a file can’t leave a corporate (managed) PC? Three scenarios come to mind with this:

  • User attempts to copy a corporate file to a USB storage device
  • User attempts to upload a corporate file as an attachment to a personal email service
  • User attempts to copy text out of a corporate file and paste into a non-corporate app (i.e. personal email)

These business challenges can be solved using Microsoft Intune and Windows Information Protection. Let’s take a look at how to configure this capability.

Prerequisites for this particular lab:

  • Windows 10 Pro (or Enterprise) version 1607 or later
  • Microsoft Intune (and Azure Active Directory Premium)
  • A Windows 10 Pro computer joined to Azure Active Directory (and managed by Intune)
  • Review the documentation for Windows Information Protection
  • User in Office 365 licensed for Azure AD Premium
  • Security Group in Azure AD the test user is a member of

Create Intune App Protection Policy

From within the Azure Portal, navigate to Microsoft Intune -> Client Apps -> App Protection Policies and click Create Policy:

Name your policy WIP Test Policy, select Windows 10 as the platform, and for Enrollment State select With Enrollment and click Create

Assign the Intune App Protection Policy to a Security Group

Click on the policy you just created and select Assignments. On the flyout on the right hand side of the screen, find a Security Group your test user is a member of and click Select then click Save

Configure Protected Apps

Click on the Protected Apps section under Manage then click Add apps:

This is where you can add apps that are protected by Windows Information Protection (WIP). At the top of the Add Apps blade, ensure the drop down menu reads Recommended Apps then select the following apps. When finished, click OK

  • OneDrive
  • Teams
  • Edge
  • Office Pro Plus
  • IE11

Then click Save

Configure Required Settings

Click on the Required Settings section on the left side in the Intune App Protection blade. Next, click Block under Windows Information Protection Mode and then click Save (leave corporate identity at it’s default value).

About these values:

BlockWIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.
Allow OverridesWIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see How to collect Windows Information Protection (WIP) audit event logs.
SilentWIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.
Off (not recommended)WIP is turned off and doesn’t help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.

Configure the enterprise data protection icon

On the left side click Advanced Settings on the Intune App Protection blade. scroll down and in the middle of the page under Show the enterprise data protection icon click On and then click Save. This will display the following icon in apps/sites that are protected by WIP:

Note: There are many other items as you can see that can be configured. For purposes of this demo and blog – we will not configure the others and will save that for future blogs and videos.

Set Mobility Policy in Azure Active Directory (AAD)

From within the Azure Portal navigate to the Azure Active Directory blade and click on Mobility (MDM and MAM):

Click on Microsoft Intune and set the MDM and MAM user scope to All and click Restore deafult MDM URLs for both MDM and MAM then click Save. This will allow Intune to manage any Windows computer joined to AAD.

Join a test PC to Azure Active Directory

Create a virtual machine running Windows 10 Pro 1607 or above, or a physical PC – and join it to Azure Active Directory either using OOBE or the Settings app in Windows 10 by navigating to Accounts -> Access Work or School -> Join Azure Active Directory

Login to Azure AD Joined PC as Test User

With your test user account, login to the test PC as the test user (

Confirm the briefcase icon is displayed for corporate data in an app

Launch the Microsoft Edge browser (as it is one of the protected apps you added) and browse to the SharePoint site of your Office 365 tenant (e.g. Note in the address bar the briefcase icon – this indicates the app is being protected by Windows Information Protection

Confirm data is protected upon download from a protected app

From within the SharePoint site, navigate to the document library and download a file of your choosing.

Open Windows Explorer and find the file you just downloaded. Note the file has the brown briefcase icon on it (it will be small) in addition the File Ownership attribute will be set to your organization’s domain indicating it’s an organizational owned file (versus personal)

Since OneDrive was added as another protected app, opening OneDrive you can see the briefcase icon is on all files (and on the OneDrive icon on the left in Explorer) indicating all the data is being protected by Windows Information Protection.

Test Windows Information Protection Policy – Exfiltrate the file

Browse to a non-protected app such as a personal email site (e.g. Gmail) and attempt to attach the file to a new email message:

When you attempt to attach the file, you will receive the following message indicating the action was blocked:

Keep the email open for the next test…

Test Windows Information Protection Policy – copy sensitive text

Open the file you just downloaded and that is protected, and highlight text in the file, right click and select Copy

Go back to the personal email and in the body of the email, right click and select Paste. You will be notified that your action has been blocked:

Test Windows Information Protection Policy – copy to USB storage

Insert a USB storage device into the test PC (or mount it remotely using RDP if a virtual machine). Attempt to move the protected file to the USB drive and you will be prompted with the following:

Click Copy as work protected then you will be prompted with the following indicating the action is blocked:

Here’s a quick video demoing the capability to block file transfer to USB storage devices


As you can see, Windows Information Protection can be extremely powerful in solving for specific business challenges where sensitive data must be kept on a managed PC and cannot be allowed to leave the environment. If you have any questions, please let me know!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s