
Windows 10: Windows Information Protection profile settings

Windows 10: Windows Information Protection profile setting
Description
Windows Information Protection settings
This setting specifies whether Windows Information Protection is enabled and the level of enforcement. When this setting is set to "Off," data is not encrypted and audit logging is turned off. When this setting is set to "Silent," data is encrypted and any attempts to share protected data are logged. When this setting is set to "Override," data is encrypted, the user is prompted when they attempt to share protected data, and any attempts to share protected data are logged. When this setting is set to "Block," data is encrypted, users cannot share protected data, and any attempts to share protected data are logged.
Possible values:
  • Off
  • Silent
  • Override
  • Block
The default value is "Off."
Enterprise protected domain names
This setting specifies the work network domain names that your organization uses for its user identities. You can separate multiple domains with pipes (|). The first domain is used as a string to tag files that are protected by apps that use WIP.
For example, example.com|example.net.
Data recovery certificate file (.der, .cer)
This setting specifies the data recovery certificate file. The file that you specify must be a PEM encoded or DER encoded certificate with a .der or .cer file extension.
You use the data recovery certificate file to recover files that were locally protected on a device, for example, if your organization wants to recover data protected by WIP from a device.
For information on creating a data recovery certificate, see the Microsoft Windows Information Protection documentation.
Remove the Windows Information Protection settings when a device is removed from BlackBerry UEM
This setting specifies whether to revoke WIP settings when a device is deactivated. When WIP settings are revoked, the user can no longer access protected files.
Show Windows Information Protection overlays on protected files and apps that can create enterprise content
This setting specifies whether an overlay icon is shown on file and app icons to indicate whether a file or app is protected by WIP. 
Work network IP range
This setting specifies the range of IP addresses at work to which an app protected with WIP can share data.
Use a dash to denote a range of addresses. Use a comma to separate addresses. 
Work network IP ranges are authoritative
This setting specifies if only the work network IP ranges are accepted as part of the work network. When this setting is enabled, no attempts are made to discover other work networks.
By default, the option is not selected.
Enterprise internal proxy servers
This setting specifies the internal proxy servers that are used when connecting to work network locations. These proxy servers are only used when connecting to the domain listed in the Enterprise cloud resources setting.
Enterprise cloud resources
This setting specifies the list of enterprise resource domains hosted in the cloud that need to be protected. Data from these resources is considered enterprise data and is protected.
Cloud resources domain
This setting specifies the domain name.
Paired proxy
This setting specifies a proxy that is paired with a cloud resource. Traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on port 80).
A proxy server used for this purpose must also be configured in the Enterprise internal proxy servers field.
Enterprise proxy servers
This setting specifies the list of internet proxy servers.
Enterprise proxy servers are authoritative
This setting specifies whether the client should accept the configured list of proxies and not try to detect other enterprise proxies.
Neutral resources
This setting specifies the domains that can be used for work or personal resources.
Enterprise network domain names 
This setting specifies a comma-separated list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected. These locations will be considered a safe destination for enterprise data to be shared to. 
For example, example.com,example.net.
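An added example (not from BlackBerry or Microsoft documentation): a pre-flight check for the separator rules described above, pipes for Enterprise protected domain names, commas for Enterprise network domain names, and dashes and commas for Work network IP range. The function names and sample values are constructed for illustration; `in_work_network` only shows which addresses a value covers and is not how WIP evaluates the setting.

```python
import ipaddress
import re

# Hostname check: dot-separated labels of letters, digits and hyphens.
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def parse_domains(value, sep):
    """Split a domain list on `sep` and reject entries that are not hostnames.

    A wrong separator (a comma in the pipe-separated field, or the reverse)
    stays inside an entry, so that entry fails the hostname check.
    """
    domains = [d.strip() for d in value.split(sep)]
    bad = [d for d in domains if not _DOMAIN.match(d)]
    if bad:
        raise ValueError(f"not a domain name: {bad}")
    return domains

def parse_ip_ranges(value):
    """Parse 'a-b,c' into (first, last) pairs; a single address is a range of one."""
    ranges = []
    for item in value.split(","):
        first, _, last = item.strip().partition("-")
        lo = ipaddress.ip_address(first.strip())   # raises ValueError if malformed
        hi = ipaddress.ip_address(last.strip()) if last else lo
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {item.strip()}")
        ranges.append((lo, hi))
    return ranges

def in_work_network(addr, ranges):
    """Return True if addr falls inside any parsed range."""
    ip = ipaddress.ip_address(addr)
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in ranges)
```

With the first entry of the pipe-separated list being the one used to tag protected files, `parse_domains(value, "|")[0]` is the value to review before saving the profile.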
Desktop app payload code
Specify the desktop app keys and values used to configure application launch restrictions on Windows 10 devices. You must use the keys defined by Microsoft for the payload type that you want to configure.
To specify the apps, copy the XML code from the AppLocker policy .xml file and paste it in this field. When you copy the text, copy only the elements as shown in the following code sample:
<RuleCollection Type="Appx" EnforcementMode="Enabled">
  <FilePublisherRule Id="0c9781aa-bf9f-4352-b4ba-64c25f36f558" Name="WordMobile" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Office.Word" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>
For more information about using AppLocker, see the Microsoft AppLocker documentation.
Universal Windows Platform app payload code
Specify the Universal Windows Platform app keys and values used to configure WIP on Windows 10 devices. You must use the keys defined by Microsoft for the payload type that you want to configure.
To specify the apps, copy the XML code from the AppLocker policy .xml file and paste it in this field. When you copy the text, copy only the elements as shown in the following code sample:
<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
  <FilePublisherRule Id="ddd0bc90-dada-4002-9e2f-0fc68e1f6af0" Name="WORDPAD.EXE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="WORDPAD.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="c8360d06-f651-4883-abdd-9c3a95a415ff" Name="NOTEPAD.EXE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="NOTEPAD.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>
For more information about using AppLocker, see the Microsoft AppLocker documentation.
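An added example (not from BlackBerry or Microsoft documentation): one way to pull a single RuleCollection element out of an exported AppLocker policy file and confirm it is well-formed before pasting it into either payload code field. The function name is hypothetical and the sample policy is constructed from the Appx sample on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported AppLocker policy file (not from a real device).
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="0c9781aa-bf9f-4352-b4ba-64c25f36f558" Name="WordMobile" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Office.Word" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
</AppLockerPolicy>"""

def extract_rule_collection(policy_xml, collection_type):
    """Return (fragment, rules) for one RuleCollection of an AppLocker policy.

    fragment is the text to paste; rules is a list of (Name, Action) pairs
    to review. Raises ValueError if the XML is malformed (for example an
    unterminated attribute quote) or the collection is missing or empty.
    """
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError as exc:
        raise ValueError(f"policy XML is not well-formed: {exc}") from exc
    # iter() also visits the root, so an already-trimmed fragment is accepted.
    matches = [rc for rc in root.iter("RuleCollection")
               if rc.get("Type") == collection_type]
    if len(matches) != 1:
        raise ValueError(
            f"expected one {collection_type} collection, found {len(matches)}")
    rules = [(r.get("Name"), r.get("Action")) for r in matches[0] if r.get("Action")]
    if not rules:
        raise ValueError(f"{collection_type} collection contains no rules")
    matches[0].tail = None  # drop whitespace that followed the element in the file
    return ET.tostring(matches[0], encoding="unicode"), rules
```

Reviewing the returned (Name, Action) pairs before pasting shows which Allow and Deny rules the profile will carry.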
Associated VPN profile
This setting specifies the VPN profile that a device uses to connect to a VPN when using an app protected by WIP. 
This setting is valid only if "Use a VPN profile" is selected for the "Secure connection used with WIP." 
Collect device audit logs
This setting specifies whether to collect device audit logs.