Windows Information Protection (WIP)
The Windows Information Protection (WIP) settings configure enforcement settings, enterprise network information, and enterprise protected apps settings on a Windows device.
| Policy setting | Description | Supported devices |
|---|---|---|
| Enforce Windows information protection | Choose whether to enforce information protection on the Windows device. |
|
| Enforcement settings | ||
| Enforcement level | Choose the type of enforcement to apply on the device:
|
|
| Enforce protection under lock screen | If this setting is enabled, data on the device is encrypted even if the device is locked.
Note: If this policy is enabled, the device must use a PIN for other Windows Information Protection
(WIP) policies to take effect.
|
Windows Phone 10+ |
| Show icon overlays over protected data | If this setting is enabled, the briefcase type of icon overlays for files and apps that are protected from WIP. |
|
| Revoke data protected on unenrollment | If this setting is enabled, encryption keys are revoked after MDM control is removed from the device. This setting restricts access to protected data after a device is unenrolled from MDM. |
|
| Data recovery certificate | Enter a base64-encoded recovery-policy blob:
|
|
| Enterprise network information | ||
| Enterprise primary domain | Specify the default domain for the Windows user interface. Enter
%domain% to use enrollment information for the user domain. The domain
information must be specified in canonical form such as xyz.com. Note: The
domain name in the user's email address (%email%) and the domain that is listed
for this setting must match exactly for the WIP policy to be applied successfully.
|
|
| Other enterprise protected domains | Specify the other DNS suffixes that are used in your environment. All traffic to fully-qualified domains in this list is protected. |
|
| Enterprise network domain names | Specify the intranet domains that comprise the boundaries of the enterprise. Data to and from these locations is considered safe and is protected. Enter the comma-separated list of servers in canonical form such as contoso.com,fabrikam.com. |
|
| Enterprise cloud resources | Specify the cloud domains that are treated as enterprise resources. For each cloud resource, specify a proxy server from the Enterprise Internal Proxy Servers list to route specific traffic for the cloud resource. For suggested settings for an enterprise cloud, see https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip. |
|
| Enterprise neutral resources | Specify the list of comma-separated domain names that are work or personal resources. For suggested settings for enterprise neutral resources, see https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip. |
|
| Enterprise proxy servers | Lists the external facing proxy servers and ports where internet traffic is routed such as proxy.contoso.com:80, proxy2.contoso.com:443. Do not include servers that are used for WIP-protected traffic. |
|
| Enterprise internal proxy servers | Lists the proxy servers and ports where traffic is routed to access enterprise cloud resources such as contoso.internalproxy1.com, contoso.internalproxy2.com. You must include servers that are used for WIP-protected traffic. |
|
| Enterprise IP ranges | Specify the comma-separated list of IPv4 and IPv6 ranges that define the computers in the enterprise network. Data from these computers is considered enterprise data and is protected. |
|
| Enterprise proxy server list is authoritative | If this setting is enabled, the enterprise proxy server is the authoritative server. |
|
| Enterprise proxy ranges are authoritative | If this setting is enabled, the enterprise proxy ranges are considered authoritative. |
|
| Enterprise protected apps | ||
| Configure protected universal apps (allowlist) | Configures universal apps that are allowed and protected by WIP. Specify the app name,
publisher name, app version (minimum), and app version (maximum) for all the universal apps that are
allowed. Note: Use * in the app name to allow all apps for a publisher.
|
|
| Configure protected universal apps (blocklist) | Configures universal apps that are blocked and not protected by WIP. Specify the app name,
publisher name, app version (minimum), and app version (maximum) for all the universal apps that are
blocked. Note: Use * in the app name to block all apps for a publisher.
|
|
| Configure protected desktop apps (allowlist) | Configures desktop apps that are allowed and protected by WIP. Specify the app name, publisher name, app version (minimum), and app version (maximum) for all desktop apps that are allowed. |
|
| Configure protected desktop apps (blocklist) | Configures desktop apps that are blocked and not protected by WIP. Specify the app name, publisher name, app version (minimum), and app version (maximum) for all desktop apps that are blocked. |
|
Note: For more information about obtaining the app name and the publisher name, see Using the Windows App Management Admin Tool to obtain Windows app IDs.