Fine-tune Windows Information Protection (WIP) with WIP Learning
Applies to:
- Windows 10, version 1703 and later
With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The App learning report and the Website learning report. Both reports can be accessed from Microsoft Azure Intune.
The App learning report monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with "Block" mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
In the Website learning report, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list.
Sign in to the Microsoft Intune admin center.
Select Apps > Monitor > App protection status > Reports.
Select either App learning report for Windows Information Protection or Website learning report for Windows Information Protection.
Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies.
You can use Device Health to adjust your WIP protection policy. See Using Device Health to learn more.
If you want to configure your environment for Windows Analytics: Device Health, see Get Started with Device Health for more information.
Once you have WIP policies in place, by using the WIP section of Device Health, you can:
- Reduce disruptive prompts by adding rules to allow data sharing from approved apps.
- Tune WIP rules by confirming that certain apps are allowed or denied by current policy.
The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can Monitor the health of devices with Device Health.
In Device Health click the app you want to add to your policy and copy the WipAppId.
For example, if the app is Google Chrome, the WipAppId is:
O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108
In the steps below, you separate the WipAppId by back slashes into the PUBLISHER, PRODUCT NAME, and FILE fields.
In Intune, click App protection policies and then choose the app policy you want to add an application to.
Click Protected apps, and then click Add Apps.
In the Recommended apps drop down menu, choose either Store apps or Desktop apps, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).
In NAME (optional), type the name of the app, and then in PUBLISHER (required), paste the publisher information that you copied in step 1 above.
For example, if the WipAppId is
O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108
the text before the first back slash is the publisher:
O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US
Type the name of the product in PRODUCT NAME (required) (this will probably be the same as what you typed for NAME).
For example, if the WipAppId is
O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108
the text between the first and second back slashes is the product name:
GOOGLE CHROME
Copy the name of the executable (for example, snippingtool.exe) and paste it in FILE (required).
For example, if the WipAppId is
O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108
the text between the second and third back slashes is the file:
CHROME.EXE
Type the version number of the app into MIN VERSION in Intune (alternately, you can specify the max version, but one or the other is required), and then select the ACTION: Allow or Deny
When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with Silent or Allow overrides while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, Block. For more information about WIP modes, see: Protect enterprise data using WIP: WIP-modes
Note
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see Editing Windows IT professional documentation.