• Home
  • Blog
  • Question
  • Differences between Windows Information Protection (WIP) and that “other” Information Protection (AIP)

Differences between Windows Information Protection (WIP) and that “other” Information Protection (AIP)

Back to Blog
14Nov2019

Differences between Windows Information Protection (WIP) and that “other” Information Protection (AIP)

I received a really interesting question from a reader this week, and another person had asked me the same question when I was at Ignite recently, speaking on the security features in Microsoft 365 Business. So I think it makes sense to put this article out there, to help folks understand the difference between document labeling (E.g. Azure Information Protection or Sensitivity Labels) and Windows Information Protection (WIP) which is a feature included with Intune.

Data classification using either AIP labels or the new Sensitivity labels in Office does basically the same thing:

  • Applies markings to documents such as header/footer/watermark
  • Protects documents using encryption
  • Applies permissions like restricting the ability to Save as or Print

This is a very different set of capabilities from WIP. I know, it’s confusing, right? Because both of them are called “Something” Information Protection. How much information protection do I need?!

The purpose of WIP, which is an Endpoint DLP solution, is to draw corporate boundaries through an endpoint (such as a Windows 10 laptop or desktop computer). When I think of Endpoint DLP solutions, I literally visualize a fence on the computer being drawn around the data and apps that belong to the company. Everyone outside the fence–all the “other” apps and locations do not get to mix and play with the resources inside the fence.

This is especially useful with BYOD devices, or devices that have a lot of mixed business/personal use. For example, if users have personal storage apps or locations on the device–like a personal OneDrive or DropBox account–those are considered non-corporate and therefore WIP can be used to block saving corporate data into these locations.

WIP is limited to specific endpoints, labels are not

WIP is much more limited in scope than an information protection label that is applied to a document. A document that is stamped with a Sensitivity label (or Azure Information Protection label) can remain protected, even if it were shared and downloaded to an outside/non-corporate location. The recipient could be required to authenticate and they would also be held to whatever restrictions are imposed by the label for their identity.

WIP has no ability to do that–you can’t use it to apply permissions to content, and it is not “transferable” to any other place–it’s just a fence that we can use to corral the corporate data on that endpoint specifically.

Why is that useful you might ask? Well, WIP is your best friend when a device needs to be wiped of its corporate data (without touching the personal stuff). It can also prevent accidental oversharing to locations that are not under your control.

The other thing to realize about WIP is that this protection is wholesale. You can’t apply it to some corporate documents and not others. It applies to endpoints, not individual pieces of data per se. And there are only two possible states for data on an endpoint that is protected by WIP: the data is either inside the fence (corporate) or outside it (personal).

Whereas there are many possible labels that can grant all types of permission on one document vs. another using Azure Information Protection or Sensitivity labels. Some labels may allow external collaboration, while others would be strictly confidential (internal only). Some labels may restrict the ability to export data or print, while others would allow full modify and export actions. Again, that granularity of control (which follows the data around no matter where it goes) is not something that belongs to the list of capabilities within WIP.

In summary

Hopefully that provides some clarity around whether you would use each tool and when. Personally I like WIP if your plan is to allow BYOD Windows 10 Devices. If not, and you are 100% corporate, then just require Device compliance using Conditional access. If the user were to leave the company, the understanding is that you would wipe the device. The whole device. If you need to wipe only corporate data from a device, WIP can be good for that.

By the way, I would still require device compliance in that case anyway, because you need to protect all of your endpoints whether they are BYOD or not, and you get richer features in WIP if the device is enrolled for MDM.

While some will use WIP and some will ignore it (which is fine) I think that every organization should be taking a hard look at Azure Information Protection and the newer “Sensitivity labels” in Office. They are incredibly powerful, and make a lot of sense moving into the future, versus traditional “container-based” access control lists, etc.

I will have some general guidance on this soon–my plan is to outline a very simple setup that I think many orgs could “get started” with, and build on from there with regard to Sensitivity labels.

Question , , 8 Comments
Share:

Comments (8)

  • Rich Lusk Reply

    Thank you Alex for this article. Clears up the confusion for me. One question: Is it best that my existing customers all move totally to Sensitivity Labels and that new customers just start with Sensitivity Labels and not touch AIP?

    November 15, 2019 at 11:53 am
    • Alex Reply

      The main benefit to the AIP client is the ability to use labeling in Windows File Explorer; Sensitivity labels will be integrated throughout all the Office apps by default and will not require a client, which is certainly of benefit. But the client still gives us a bit more as of today…

      November 16, 2019 at 6:41 pm
  • Vasile Jichin Reply

    Hi Alex, Could you please share the link where you speak about Office 365 Unified Labelling client?
    Thank you,
    Kind regards,
    Vasile

    March 13, 2020 at 2:35 pm
    • Alex Reply

      Hm, I’m not sure I know what is being asked for here–I do have some articles on AIP and unified labeling, and there are links to MSFT content regarding the client also?

      March 19, 2020 at 3:32 pm
  • John Reply

    Hi Alex, what are your thoughts about using WIP and Adobe Reader DC? Being an unenlightened app, it appears Adobe Reader DC cannot distinguish between corporate and personal data; and hence cannot work with the design of WIP? Per this Microsoft article, Adobe Reader DC can work with Microsoft Information Protection but not with Windows Information Protection: https://techcommunity.microsoft.com/t5/azure-information-protection/general-availability-of-adobe-acrobat-reader-integration-with/ba-p/298396

    April 18, 2020 at 6:43 am
    • Alex Reply

      WIP does have some limitations, yes. So when WIP protects a non-enlightened app then all data in that app is considered corporate. The biggest advantage I would say of WIP is just being able to wipe data remotely from the device. The blocking of copy/paste/save honestly causes more user frustration for a pretty slight gain, especially with the treatment of non-enlightened apps, so the most common deployment I see is “silent” mode. Not many opting for Block or Allow override.

      April 20, 2020 at 11:23 am
  • John Reply

    Hi Alex, I like your articles – relevant and succinct. Speaking of WIP, AIP, and conditional access, is there a way to restrict copy/paste when accessing Exchange Online from a web browser? Thanks!

    April 18, 2020 at 7:10 am
    • Alex Reply

      Assuming you only allowed web access from managed device & managed browser such as Edge, and assuming you have WIP enabled, then it would be possible. But if you need to allow non-managed devices or browsers then it would still be difficult to fully prevent such activity. You can implement block web download for EXO, but I don’t think that covers copy/paste…

      April 20, 2020 at 11:26 am

Leave a Reply

Back to Blog

Related Posts

Limitations with MDB Standalone
02Jun

What are the limitations with Microsoft Defender for Business Standalone?

Most of my readers will already be familiar with Microsoft Defender for Business (MDB), which is included with Microsoft 365 Business Premium. And a majority of those will be deploying MDB as one part of a broader security solution which includes other services within the... read more
10Apr

What is the biggest opportunity for IT Service Providers and Consultants today, in light of COVID-19?

I got this question from a reader named Rob the other day. The full question is actually a bit more detailed and revealed a lot more about the author of the question--so I've only included an abridged version that pulls out the heart of the... read more
29Jan

Devices or Users: When to target which policy type in Microsoft Endpoint Manager (Intune)

A new reader question came across my desk the other day. In truth, it is not the first time I have answered this question, but I realized that I could probably repeat myself less if I simply write an article and publish it. The question... read more
14Jul

U.K. Cyber Essentials Simple Assessment Tool

I recently came across the U.K.'s Cyber Essentials, as published by the National Cyber Security Centre (NCSC). Not two days after I learned about this simple control framework while on a conference call spanning several time zones with friends from around the world, that I... read more
15Jun

Implementing the ACSC Essential 8 with Microsoft 365

I have had this request on my backburner for a while, and I finally got around to knocking it out: from a reader in the Land Down Under--Australia! Update: Microsoft has a much-improved set of Learn articles on the Essential Eight, with detailed guidance on implementing... read more
28Jun

Does Microsoft backup my data in Office 365? Do I need more or additional backup?

A new reader question came in, and frankly it's one that I hear a lot. I'm sure I have smatterings referring to this issue in other articles, but this one should stand to clear up the questions once and for all--this will be something I... read more
28Dec

Reader Question: Can I sync my Network Drives to Teams?

Dear Alex, I wish to know if its possible to sync files/folders on my Network Server to teams. I have read a few documentations but all seems to be just for own PCs and not for Server/network drives. Yours is the closest I could see.... read more
21Jan

Understanding file server migrations to Microsoft 365

In my opinion, there is only one viable migration path to move data from old file servers to Microsoft 365: it has to be a user-engaged migration. IT people always ask me about tools--stuff like the SharePoint migration tool or Microsoft's recent acquisition of mover.io,... read more
Moving to Microsoft 365 means getting to know your data (and your business)
02Apr

Moving to Microsoft 365 means getting to know your data (and your business)

Through my website's contact form, I still hear about botched migrations to Microsoft 365 on a regular basis. This is usually due to exactly one problem: ignorance about the process, as well as ignorance about the datasets being migrated, as well as ignorance about the... read more
Making sense of the many DLP options in Microsoft 365
18May

Making sense of the many DLP options for Microsoft 365

One of my readers wrote to me recently about an article that I penned a couple of years ago, on the topic of Data Loss Prevention in Microsoft 365. They pointed out that my breakdown was a bit dated now, and that the Microsoft universe... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me