Configure Windows Information Protection
Built into Windows 10 are tools that allow businesses to protect data, contain data, and prevent data leakage when it is shared both internally and externally (outside of the organization). The key pillars of information protection are displayed in Figure 4-53.
Figure 4-53 The four information protection needs
Windows Information Protection (WIP) incorporates many of these needs directly into the information protection stack within Windows. Windows 10 caters for Device Protection with BitLocker, which protects your data while it’s at rest on the device, even if the device is lost or stolen. If the hard drive is removed from the device, the data on it remains encrypted and unreadable.
The separation of data allows administrators to identify personal versus corporate data. With Microsoft Intune, it is possible to separate data into these categories and securely wipe business data from a device remotely, on demand. The same is also possible within the Windows 10 operating system.
Windows 10 also contains capabilities to prevent business data from leaking from the organization (for example, posting data from a corporate Word document to a non-corporate location, such as Facebook or Twitter). You can now make sure that only authorized apps have access to business data and employ Copy and Paste restrictions where needed.
The last pillar is the need to help ensure that business data can be shared securely with others within and outside the organization. An example of this would be allowing corporate documents to be emailed to authorized colleagues, with controls on who can view or edit the document and with the ability to revoke permissions as needed.
If you have a Microsoft 365 subscription, you can use policies in Intune to remotely manage WIP. An example of WIP in action using Intune would be to enforce a Windows 10 device compliance policy to require that BitLocker be used and reported through the Windows Health Attestation Service.