Differences between Windows Information Protection (WIP) and that “other” Information Protection (AIP)Alex Fields
I received a really interesting question from a reader this week, and another person had asked me the same question when I was at Ignite recently, speaking on the security features in Microsoft 365 Business. So I think it makes sense to put this article out there, to help folks understand the difference between document labeling (E.g. Azure Information Protection or Sensitivity Labels) and Windows Information Protection (WIP) which is a feature included with Intune.
Data classification using either AIP labels or the new Sensitivity labels in Office does basically the same thing:
- Applies markings to documents such as header/footer/watermark
- Protects documents using encryption
- Applies permissions like restricting the ability to Save as or Print
This is a very different set of capabilities from WIP. I know, it’s confusing, right? Because both of them are called “Something” Information Protection. How much information protection do I need?!
The purpose of WIP, which is an Endpoint DLP solution, is to draw corporate boundaries through an endpoint (such as a Windows 10 laptop or desktop computer). When I think of Endpoint DLP solutions, I literally visualize a fence on the computer being drawn around the data and apps that belong to the company. Everyone outside the fence–all the “other” apps and locations do not get to mix and play with the resources inside the fence.
This is especially useful with BYOD devices, or devices that have a lot of mixed business/personal use. For example, if users have personal storage apps or locations on the device–like a personal OneDrive or DropBox account–those are considered non-corporate and therefore WIP can be used to block saving corporate data into these locations.
WIP is limited to specific endpoints, labels are not
WIP is much more limited in scope than an information protection label that is applied to a document. A document that is stamped with a Sensitivity label (or Azure Information Protection label) can remain protected, even if it were shared and downloaded to an outside/non-corporate location. The recipient could be required to authenticate and they would also be held to whatever restrictions are imposed by the label for their identity.
WIP has no ability to do that–you can’t use it to apply permissions to content, and it is not “transferable” to any other place–it’s just a fence that we can use to corral the corporate data on that endpoint specifically.
Why is that useful you might ask? Well, WIP is your best friend when a device needs to be wiped of its corporate data (without touching the personal stuff). It can also prevent accidental oversharing to locations that are not under your control.
The other thing to realize about WIP is that this protection is wholesale. You can’t apply it to some corporate documents and not others. It applies to endpoints, not individual pieces of data per se. And there are only two possible states for data on an endpoint that is protected by WIP: the data is either inside the fence (corporate) or outside it (personal).
Whereas there are many possible labels that can grant all types of permission on one document vs. another using Azure Information Protection or Sensitivity labels. Some labels may allow external collaboration, while others would be strictly confidential (internal only). Some labels may restrict the ability to export data or print, while others would allow full modify and export actions. Again, that granularity of control (which follows the data around no matter where it goes) is not something that belongs to the list of capabilities within WIP.
Hopefully that provides some clarity around whether you would use each tool and when. Personally I like WIP if your plan is to allow BYOD Windows 10 Devices. If not, and you are 100% corporate, then just require Device compliance using Conditional access. If the user were to leave the company, the understanding is that you would wipe the device. The whole device. If you need to wipe only corporate data from a device, WIP can be good for that.
By the way, I would still require device compliance in that case anyway, because you need to protect all of your endpoints whether they are BYOD or not, and you get richer features in WIP if the device is enrolled for MDM.
While some will use WIP and some will ignore it (which is fine) I think that every organization should be taking a hard look at Azure Information Protection and the newer “Sensitivity labels” in Office. They are incredibly powerful, and make a lot of sense moving into the future, versus traditional “container-based” access control lists, etc.
I will have some general guidance on this soon–my plan is to outline a very simple setup that I think many orgs could “get started” with, and build on from there with regard to Sensitivity labels.
Thank you Alex for this article. Clears up the confusion for me. One question: Is it best that my existing customers all move totally to Sensitivity Labels and that new customers just start with Sensitivity Labels and not touch AIP?
The main benefit to the AIP client is the ability to use labeling in Windows File Explorer; Sensitivity labels will be integrated throughout all the Office apps by default and will not require a client, which is certainly of benefit. But the client still gives us a bit more as of today…
Hi Alex, Could you please share the link where you speak about Office 365 Unified Labelling client?
Hm, I’m not sure I know what is being asked for here–I do have some articles on AIP and unified labeling, and there are links to MSFT content regarding the client also?
Hi Alex, what are your thoughts about using WIP and Adobe Reader DC? Being an unenlightened app, it appears Adobe Reader DC cannot distinguish between corporate and personal data; and hence cannot work with the design of WIP? Per this Microsoft article, Adobe Reader DC can work with Microsoft Information Protection but not with Windows Information Protection: https://techcommunity.microsoft.com/t5/azure-information-protection/general-availability-of-adobe-acrobat-reader-integration-with/ba-p/298396
WIP does have some limitations, yes. So when WIP protects a non-enlightened app then all data in that app is considered corporate. The biggest advantage I would say of WIP is just being able to wipe data remotely from the device. The blocking of copy/paste/save honestly causes more user frustration for a pretty slight gain, especially with the treatment of non-enlightened apps, so the most common deployment I see is “silent” mode. Not many opting for Block or Allow override.
Hi Alex, I like your articles – relevant and succinct. Speaking of WIP, AIP, and conditional access, is there a way to restrict copy/paste when accessing Exchange Online from a web browser? Thanks!
Assuming you only allowed web access from managed device & managed browser such as Edge, and assuming you have WIP enabled, then it would be possible. But if you need to allow non-managed devices or browsers then it would still be difficult to fully prevent such activity. You can implement block web download for EXO, but I don’t think that covers copy/paste…