Windows Information Protection Policies using Intune Troubleshooting Tips

Let’s understand Windows Information Protection policies using Intune. Also, I share troubleshooting tips through registry entries and event logs. Intune app protection policies can be implemented using Windows 10 Windows Information Protection (WIP) feature.

WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 devices. In this post, you learn how to build WIP policies using Intune for MDM enrolled Windows 10 devices.

WIP is just an accidental data leakage protection feature which is inbuild to Windows 10 operating system. As per Microsoft recommendation, WIP should be used along with other data/device protection solutions to have complete protection of data.

• Bitlocker
• Windows Information Protection (WIP)
• Azure Information Protection

Intune App Protection using Intune

Target Apps & Required Settings for WIP Policies

Advanced Settings

Event Logs – WIP Policy Flow

Basic WIP Policies

• MDM PolicyManager: Set Policy (EDPEnforcementLevel) in Area (DataProtection) is Evaluator policy. Add Evaluator (EnterpriseDataProtection) to Evaluator WNF list to publish area Evaluator WNF on CSP unload.
• MDM PolicyManager: Set policy int, Policy: (EDPEnforcementLevel), Area: (DataProtection), EnrollmentID requesting merge: (AAB267BF-EBF2-4649-822C-74511A4CC253), Current User: (Device), Int: (0x3), Enrollment Type: (0x6), Scope: (0x0).

Required Settings

• MDM PolicyManager: Set policy string, Policy: (EnterpriseNetworkDomainNames), Area: (NetworkIsolation), EnrollmentID requesting merge: (AAB267BF-EBF2-4649-822C-74511A4CC253), Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0).
• MDM PolicyManager: Set policy string, Policy: (EnterpriseCloudResources), Area: (NetworkIsolation), EnrollmentID requesting merge: (AAB267BF-EBF2-4649-822C-74511A4CC253), Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0).
• MDM PolicyManager: Set Policy (EnterpriseProtectedDomainNames) in Area (DataProtection) is Evaluator policy. Add Evaluator (EnterpriseDataProtection) to Evaluator WNF list to publish area Evaluator WNF on CSP unload.
• MDM PolicyManager: Set policy string, Policy: (EnterpriseProtectedDomainNames), Area: (DataProtection), EnrollmentID requesting merge: (AAB267BF-EBF2-4649-822C-74511A4CC253), Current User: (Device), String: (howtomanagedevices.onmicrosoft.com), Enrollment Type: (0x6), Scope: (0x0).

WIP Advance Settings – Event Logs

• MDM PolicyManager: Set policy string, Policy: (EnterpriseProxyServers), Area: (NetworkIsolation), EnrollmentID requesting merge: (AAB267BF-EBF2-4649-822C-74511A4CC253), Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0).
• MDM PolicyManager: Set policy string, Policy: (EnterpriseInternalProxyServers), Area: (NetworkIsolation), EnrollmentID requesting merge: (AAB267BF-EBF2-4649-822C-74511A4CC253), Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0).
• MDM PolicyManager: Set policy string, Policy: (EnterpriseIPRange), Area: (NetworkIsolation), EnrollmentID requesting merge: (AAB267BF-EBF2-4649-822C-74511A4CC253), Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0).
• MDM PolicyManager: Set policy string, Policy: (NeutralResources), Area: (NetworkIsolation), EnrollmentID requesting merge: (AAB267BF-EBF2-4649-822C-74511A4CC253), Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0).
• MDM PolicyManager: Set policy int, Policy: (EnterpriseProxyServersAreAuthoritative), Area: (NetworkIsolation), EnrollmentID requesting merge: (AAB267BF-EBF2-4649-822C-74511A4CC253), Current User: (Device), Int: (0x0), Enrollment Type: (0x6), Scope: (0x0).
• MDM PolicyManager: Set policy int, Policy: (EnterpriseIPRangesAreAuthoritative), Area: (NetworkIsolation), EnrollmentID requesting merge: (AAB267BF-EBF2-4649-822C-74511A4CC253), Current User: (Device), Int: (0x0), Enrollment Type: (0x6), Scope: (0x0).
• MDM PolicyManager: Set Policy (EDPShowIcons) in Area (DataProtection) is Evaluator policy. Add Evaluator (EnterpriseDataProtection) to Evaluator WNF list to publish area Evaluator WNF on CSP unload.
• MDM PolicyManager: Set policy int, Policy: (EDPShowIcons), Area: (DataProtection), EnrollmentID requesting merge: (AAB267BF-EBF2-4649-822C-74511A4CC253), Current User: (Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0).
• MDM PolicyManager: Set policy int, Policy: (AllowIndexingEncryptedStoresOrItems), Area: (Search), EnrollmentID requesting merge: (AAB267BF-EBF2-4649-822C-74511A4CC253), Current User: (Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0).

• MDM PolicyManager: Dedicated notification (WNF): (0xA3BCD075, 0x13920028) published for Policy: (AllowIndexingEncryptedStoresOrItems).
• Windows Information Protection dependency check result: Dependency Name: (EDPPolicy), State: (EdpOff), IsDependencySatisfied: (0x1), Result: (0x1).
• Windows Information Protection dependency check result: Dependency Name: (AppLocker), State: (EdpOff), IsDependencySatisfied: (0x0), Result: (0x0).

Results Windows Information Protection Intune Policy

• MDM Evaluator Scenario Evaluate Result: Scenario: (EDP), Previous State: (EdpOff), Last Dependency: (NULL), Final State: (EdpOff), Result: (The operation completed successfully.).
• Windows Information Protection configuration changed: Previous State: (EdpOff), Current State: (EdpOn), Result: (The operation completed successfully.).
• Windows Information Protection configuration changed: Previous State: (EdpOnPending), Current State: (EdpOn), Result: (The operation completed successfully.).

Registry Entries for WIP Intune Policies

Let’s find out the registry Entries: for WIP policies. Hopefully these information might help you to troubleshooting Windows information protection policies using Intune.

Data Protection Settings of WIP

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\AAB267BF-EBF2-4649-822C-74511A4CC253\default\Device\DataProtection

“EDPEnforcementLevel”=dword:00000003
“EnterpriseProtectedDomainNames”=”howtomanagedevices.onmicrosoft.com”
“EnterpriseProtectedDomainNames_LastWrite”=dword:00000001
“EDPShowIcons”=dword:00000001

WIP Network Isolation settings on Windows 10

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\AAB267BF-EBF2-4649-822C-74511A4CC253\default\Device\NetworkIsolation

• “EnterpriseNetworkDomainNames”=””
• “EnterpriseNetworkDomainNames_LastWrite”=dword:00000001
• “EnterpriseCloudResources”=””
• “EnterpriseCloudResources_LastWrite”=dword:00000001
• “EnterpriseProxyServers”=””
• “EnterpriseProxyServers_LastWrite”=dword:00000001
• “EnterpriseInternalProxyServers”=””
• “EnterpriseInternalProxyServers_LastWrite”=dword:00000001
• “EnterpriseIPRange”=””
• “EnterpriseIPRange_LastWrite”=dword:00000001
• “NeutralResources”=””
• “NeutralResources_LastWrite”=dword:00000001
• “EnterpriseProxyServersAreAuthoritative”=dword:00000000
• “EnterpriseProxyServersAreAuthoritative_LastWrite”=dword:00000001
• “EnterpriseIPRangesAreAuthoritative”=dword:00000000
• “EnterpriseIPRangesAreAuthoritative_LastWrite”=dword:00000001

WIP Search Settings

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\AAB267BF-EBF2-4649-822C-74511A4CC253\default\Device\Search

• “AllowIndexingEncryptedStoresOrItems”=dword:00000001

Video Recording

• 📌How to troubleshoot Windows Information Protection?
• 📌How Windows Information Protection can prevent data leakage?
• 📌 How to enable Windows Information Protection Policy on Windows 10 MDM enrolled devices?
• 📌 What is private domain Windows Information Protection mode – Block
• 📌 What is Corporate identity – howtomanagedevices.onmicrosoft.com configuration for WIP

Resources

• How to Create Configure and Deploy Windows 10 WIP Policies Using SCCM Intune
• Windows Information Protection | WIP Learn with Joy Part #1 | Intune
• Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune