Data leaks are a real threat in today’s workplace. Employees use both company and personal devices, often outside the office. How can you keep business data safe without making work harder? Windows Information Protection (WIP) is Microsoft’s answer. Let’s explore what it is, why it matters, and how to set it up.
What Is Windows Information Protection?
Windows Information Protection, or WIP, is a set of security policies built into Windows 10 and later. It helps organizations protect business data on both company-owned and personal devices. WIP separates work data from personal data, encrypts sensitive files, and controls how apps handle business information. This means you can keep your company’s secrets safe—even on devices you don’t fully control.
WIP works by tagging business data, encrypting it, and restricting how it can be shared. It’s designed to prevent accidental leaks, like copying work files to a personal email or cloud drive. WIP can be managed through tools like Microsoft Intune, Configuration Manager, or other mobile device management (MDM) solutions.
Why Use Windows Information Protection?
The rise of remote work and bring-your-own-device (BYOD) policies has made data security more complex. Employees often use personal laptops or phones for work. This increases the risk of sensitive data leaking through email, social media, or public cloud storage.
WIP addresses these risks by:
Separating work and personal data: Employees can use the same device for both, but only work data is protected and controlled.
Encrypting business files: Data from company sources is automatically encrypted, even if saved locally or to removable drives.
Controlling app access: Only approved apps can open or share business data. You can block or allow certain actions, like copying data to personal apps.
Remote data removal: If a device is lost or an employee leaves, you can wipe business data without touching personal files.
WIP is flexible. It works with both “enlightened” apps (which know how to handle work and personal data separately, like Microsoft Office) and “unenlightened” apps (which treat all data as business data when protected).
How to Enable Windows Information Protection?
Enabling WIP is the first step to protecting your data. You need Windows 10 version 1607 or later, and a management tool like Microsoft Intune or another MDM solution.
Here’s how to enable WIP using Microsoft Intune:
1. Sign in to the Microsoft Intune admin center.
Go to the Microsoft Intune portal with your admin credentials.
2. Create a new WIP policy.
Select Apps, then App protection policies. Click Create policy.
3. Choose the platform and settings.
Set the Platform to Windows 10. Choose With enrollment if devices are managed, or Without enrollment for app-level protection.
4. Name your policy.
Enter a clear name and description so you can identify the policy later.
5. Assign the policy to users or groups.
Under Assignments, select the user groups that should get this policy.
6. Save and deploy.
Click Create to save the policy. The policy will be pushed to assigned devices.
Once enabled, WIP starts protecting business data on those devices. You can check the status in the Intune dashboard.
How to Configure Policies for Windows Information Protection?
After enabling WIP, you need to fine-tune how it works. This means setting up rules for which apps can access business data, what actions are allowed, and how data is encrypted.
Here’s how to configure WIP policies in Intune:
1. Define protected and exempt apps.
In your WIP policy, go to Allowed apps. Add “enlightened” apps (like Microsoft Word) that can handle both work and personal data. Add “unenlightened” apps if needed, but remember they treat all data as business data.
Under Exempt apps, list any apps that should not be restricted by WIP.
2. Set enforcement mode.
Choose how strict WIP should be:
Block: Prevents sharing business data with personal apps.
Allow overrides: Warns users but lets them override, with actions logged.
Silent: Logs actions but does not block.
Off: Disables WIP (not recommended).
3. Configure network boundaries.
Define your company’s domains, cloud resources, and IP ranges under Network boundaries. This tells WIP which data sources are business-related.
4.Set data recovery options.
You can add a Data Recovery Agent (DRA) certificate to help recover encrypted files if needed.
5.Customize user experience.
Decide if users can mark files as personal or work,and whetherto show the WIP icon on protected files.
6.Save and apply the policy.
Review your settings, then click Save. The policy will update on all assigned devices.
With these settings, WIP will encrypt business data, control app access, and help prevent leaks—while leaving personal data untouched.
How to Backup Physical Windows with Vinchin Backup & Recovery?
To further safeguard your critical information alongside Windows Information Protection measures on platforms such as Windows servers or desktops,consider implementing an enterprise-grade backup strategy. Vinchin Backup & Recovery stands out as a professional solution supporting most mainstream operating systems—including Windows, Ubuntu, RHEL,SLES, Rocky Linux, Oracle Linux, Debian, and more—making it ideal for diverse IT environments where robust backup of physical machines is essential.
Vinchin Backup & Recovery delivers real-time protection via Continuous Data Protection (CDP), continuously replicating system changes onto standby machines while monitoring heartbeat signals; upon primary machine failure, it automatically fails over operations,and once restored, synchronizes all updates back seamlessly. Vinchin Backup & Recovery enables configuration of advanced backup strategies including forever incremental backups, data compression/deduplication, multi-thread transmission, bare-metal recovery,and instant restore/migration of disks—ensuring efficient storage utilization, speedy recovery times,and minimal disruption during incidents. Backing up a physical Windows machine with Vinchin Backup & Recovery involves an intuitive four-step process through its web console:
1.Select the Windows machine to backup.
2.Select backup storage.
3.Select backup strategies.
4.Submit the job.
Vinchin Backup & Recovery enjoys global recognition among enterprises for reliability,ease-of-use, and high customer satisfaction. Redeem your free 60-day full-featured trial now—click below for immediate download!
Windows Information Protection FAQs
Q1: How can I check if WIP is active on a device?
A1: Open File Explorer, right-click a file, and check for the “File ownership” column or WIP briefcase icon.
Q2: Can I remove WIP from a device without deleting personal data?
A2: Yes, enrolling out from MDM removes WIP protection from business content but leaves user files untouched.
Q3: What happens if a user tries copying corporate info into a non-approved app?
A3: Depending on enforcement mode, WIP blocks/warns/logs attempts accordingly per configured rules.
Q4: How do I recover encrypted files if hardware fails?
A4: Use your DRA certificate together with backups created by Vinchin Backup & Recovery for decryption/restoration purposes.
Q5: Can removable drives also benefit from protection?
A5: Yes, business content copied onto USB drives remains encrypted/protected under active policies.
Conclusion
Windows Information Protection helps you keep business data safe on any Windows device without getting in users’ way. With proper setup, you’ll prevent leaks,enforce app controls, and recover quickly after disasters. For complete peace of mind, pair WIP with Vinchin Backup & Recovery—try its powerful features free for 60 days today!
