Prevent Data Leakage with Windows Information Protection – Redmondmag.com

In-Depth

Windows Information Protection is among the many new security features introduced in last year's Windows 10 Anniversary Update release, bringing data loss prevention to the OS.

Among the numerous security improvements Microsoft added to Windows 10 last summer, administrators can now create policies in the OS aimed at reducing data leakage. Windows Information Protection (WIP) brings data loss prevention (DLP) capabilities, mobile device management (MDM) and other security tools to the OS for the first time. Microsoft added WIP, a feature known as endpoint data protection (EDP) prior to its release, with the Windows 10 Anniversary Update.

Any organization considering a Windows 10 migration should evaluate WIP, especially if your organization has done little to prevent data leakage.

It's no secret how easy it is for an employee to copy files onto a USB drive or to a personal online cloud service such as iCloud, Google Drive, Dropbox, and OneDrive, or even social media sites including Facebook, LinkedIn, and Twitter. Despite the ease of doing so, many organizations do little to prevent it. WIP is one easy way to do so, whether you have Office 365 or an MDM tool.

WIP isn't a replacement for BitLocker disk encryption, which protects data on behalf of the user. But BitLocker doesn't stop an authorized user from intentionally or inadvertently decrypting and moving files. WIP lets administrators invoke copy and paste protection, segment personal from corporate data, provision policies, and selectively wipe corporate data. Data coming in from an enterprise network node is automatically protected by WIP. Once WIP is configured, business data can only be stored on approved devices or even within approved applications.

A Key WIP Requirement

There is a catch. To create policies using WIP, administrators must use System Center Configuration Manager (SCCM) or Intune, the Microsoft cloud-based management tool, available with either a standalone subscription or through the Microsoft Enterprise Mobility + Security (EMS) bundle. Microsoft claims more than 30 million EMS subscriptions, suggesting Intune is widely used, making WIP accessible to administrators rolling out the latest version of Windows 10. Using Intune, I'll describe how to create policies using the WIP capabilities and to what extent, if any, these features are unique to those deploying Windows 10.

Configuring WIP

WIP is configured using policies to enable the selections that match the needs of an organization (see Figure 1).

To configure a WIP policy, complete the following steps:

Windows Store apps require publisher and product name, while desktop apps require publisher, product name, binary name and version number -- the dialog box will change depending on the item type chosen for the rule.

All of these options for desktop applications support wildcard values. For AppLocker policy files, an XML file must be specified for upload.
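Because an AppLocker XML file defines which apps may handle corporate data, it is worth checking before upload. The following is an added example, not code from the article or from Microsoft: a small Python check that reads the publisher rules in such a file and reports rules that lack the fields listed above or that use a wildcard publisher. The element and attribute names follow AppLocker's exported XML; the sample policy is constructed and trimmed to the attributes the check reads, and treating the `Appx` collection as Store apps, the `Exe` collection as desktop apps, and a wildcard publisher as a finding are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not from the article): one Store-app rule and two
# desktop-app rules; Id/SID attributes are omitted because the check ignores them.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="NotConfigured">
    <FilePublisherRule Name="Store app" Action="Allow"><Conditions>
      <FilePublisherCondition PublisherName="CN=Example Corp" ProductName="Example.Notes" BinaryName="*">
        <BinaryVersionRange LowVersion="*" HighVersion="*"/></FilePublisherCondition>
    </Conditions></FilePublisherRule>
  </RuleCollection>
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePublisherRule Name="Desktop app, incomplete" Action="Allow"><Conditions>
      <FilePublisherCondition PublisherName="O=EXAMPLE CORP, C=US" ProductName="Example Editor"/>
    </Conditions></FilePublisherRule>
    <FilePublisherRule Name="Desktop app, allow all" Action="Allow"><Conditions>
      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowVersion="*" HighVersion="*"/></FilePublisherCondition>
    </Conditions></FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>"""

# Fields the article lists per rule type; "Version" stands for BinaryVersionRange.
REQUIRED = {"Appx": ("PublisherName", "ProductName"),
            "Exe": ("PublisherName", "ProductName", "BinaryName", "Version")}

def lint_policy(xml_text):
    """Return {rule name: [findings]} for publisher rules that need review."""
    findings = {}
    for coll in ET.fromstring(xml_text).iter("RuleCollection"):
        required = REQUIRED.get(coll.get("Type"), ())
        for rule in coll.iter("FilePublisherRule"):
            issues = []
            for cond in rule.iter("FilePublisherCondition"):
                fields = dict(cond.attrib)
                rng = cond.find("BinaryVersionRange")
                if rng is not None:
                    fields["Version"] = rng.get("LowVersion")
                issues += [f"missing {f}" for f in required if not fields.get(f)]
                # Assumption of this example: "*" as publisher is too broad for WIP.
                if fields.get("PublisherName") == "*":
                    issues.append("wildcard publisher matches any signed app")
            if issues:
                findings[rule.get("Name")] = issues
    return findings

if __name__ == "__main__":
    for name, issues in lint_policy(SAMPLE_POLICY).items():
        print(f"{name}: {'; '.join(issues)}")
```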
