Create windowsInformationProtectionPolicy
Namespace: microsoft.graph
Important: Microsoft Graph APIs under the /beta version are subject to change; production use is not supported.
Note: The Microsoft Graph API for Intune requires an active Intune license for the tenant.
Create a new windowsInformationProtectionPolicy object.
This API is available in the following national cloud deployments.
| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ |
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | DeviceManagementConfiguration.ReadWrite.All, DeviceManagementApps.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | DeviceManagementConfiguration.ReadWrite.All, DeviceManagementApps.ReadWrite.All |
HTTP Request
POST /deviceAppManagement/windowsInformationProtectionPolicies
Request headers
| Header | Value |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Accept | application/json |
Request body
In the request body, supply a JSON representation for the windowsInformationProtectionPolicy object.
The following table shows the properties that are required when you create the windowsInformationProtectionPolicy.
| Property | Type | Description |
|---|---|---|
| displayName | String | Policy display name. Inherited from managedAppPolicy |
| description | String | The policy's description. Inherited from managedAppPolicy |
| createdDateTime | DateTimeOffset | The date and time the policy was created. Inherited from managedAppPolicy |
| lastModifiedDateTime | DateTimeOffset | Last time the policy was modified. Inherited from managedAppPolicy |
| roleScopeTagIds | String collection | List of Scope Tags for this Entity instance. Inherited from managedAppPolicy |
| id | String | Key of the entity. Inherited from managedAppPolicy |
| version | String | Version of the entity. Inherited from managedAppPolicy |
| enforcementLevel | windowsInformationProtectionEnforcementLevel | WIP enforcement level.See the Enum definition for supported values Inherited from windowsInformationProtection. Possible values are: noProtection, encryptAndAuditOnly, encryptAuditAndPrompt, encryptAuditAndBlock. |
| enterpriseDomain | String | Primary enterprise domain Inherited from windowsInformationProtection |
| enterpriseProtectedDomainNames | windowsInformationProtectionResourceCollection collection | List of enterprise domains to be protected Inherited from windowsInformationProtection |
| protectionUnderLockConfigRequired | Boolean | Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured Inherited from windowsInformationProtection |
| dataRecoveryCertificate | windowsInformationProtectionDataRecoveryCertificate | Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent(DRA) certificate for encrypting file system(EFS) Inherited from windowsInformationProtection |
| revokeOnUnenrollDisabled | Boolean | This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 1 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Inherited from windowsInformationProtection |
| rightsManagementServicesTemplateId | Guid | TemplateID GUID to use for RMS encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access Inherited from windowsInformationProtection |
| azureRightsManagementServicesAllowed | Boolean | Specifies whether to allow Azure RMS encryption for WIP Inherited from windowsInformationProtection |
| iconsVisible | Boolean | Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles in the Start menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app Inherited from windowsInformationProtection |
| protectedApps | windowsInformationProtectionApp collection | Protected applications can access enterprise data and the data handled by those applications are protected with encryption Inherited from windowsInformationProtection |
| exemptApps | windowsInformationProtectionApp collection | Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. Inherited from windowsInformationProtection |
| enterpriseNetworkDomainNames | windowsInformationProtectionResourceCollection collection | This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to Inherited from windowsInformationProtection |
| enterpriseProxiedDomains | windowsInformationProtectionProxiedDomainCollection collection | Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the EnterpriseInternalProxyServers policy Inherited from windowsInformationProtection |
| enterpriseIPRanges | windowsInformationProtectionIPRangeCollection collection | Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to Inherited from windowsInformationProtection |
| enterpriseIPRangesAreAuthoritative | Boolean | Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets. Default is false Inherited from windowsInformationProtection |
| enterpriseProxyServers | windowsInformationProtectionResourceCollection collection | This is a list of proxy servers. Any server not on this list is considered non-enterprise Inherited from windowsInformationProtection |
| enterpriseInternalProxyServers | windowsInformationProtectionResourceCollection collection | This is the comma-separated list of internal proxy servers. For example, "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the EnterpriseProxiedDomains policy to force traffic to the matched domains through these proxies Inherited from windowsInformationProtection |
| enterpriseProxyServersAreAuthoritative | Boolean | Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies. Default is false Inherited from windowsInformationProtection |
| neutralDomainResources | windowsInformationProtectionResourceCollection collection | List of domain names that can used for work or personal resource Inherited from windowsInformationProtection |
| indexingEncryptedStoresOrItemsBlocked | Boolean | This switch is for the Windows Search Indexer, to allow or disallow indexing of items Inherited from windowsInformationProtection |
| smbAutoEncryptedFileExtensions | windowsInformationProtectionResourceCollection collection | Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an SMB share within the corporate boundary Inherited from windowsInformationProtection |
| isAssigned | Boolean | Indicates if the policy is deployed to any inclusion groups or not. Inherited from windowsInformationProtection |
| revokeOnMdmHandoffDisabled | Boolean | New property in RS2, pending documentation |
| mdmEnrollmentUrl | String | Enrollment url for the MDM |
| windowsHelloForBusinessBlocked | Boolean | Boolean value that sets Windows Hello for Business as a method for signing into Windows. |
| pinMinimumLength | Int32 | Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. |
| pinUppercaseLetters | windowsInformationProtectionPinCharacterRequirements | Integer value that configures the use of uppercase letters in the Windows Hello for Business PIN. Default is NotAllow. Possible values are: notAllow, requireAtLeastOne, allow. |
| pinLowercaseLetters | windowsInformationProtectionPinCharacterRequirements | Integer value that configures the use of lowercase letters in the Windows Hello for Business PIN. Default is NotAllow. Possible values are: notAllow, requireAtLeastOne, allow. |
| pinSpecialCharacters | windowsInformationProtectionPinCharacterRequirements | Integer value that configures the use of special characters in the Windows Hello for Business PIN. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ { | } ~. Default is NotAllow. Possible values are:notAllow, requireAtLeastOne, allow`. |
| pinExpirationDays | Int32 | Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire. This node was added in Windows 10, version 1511. Default is 0. |
| numberOfPastPinsRemembered | Int32 | Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. This node was added in Windows 10, version 1511. Default is 0. |
| passwordMaximumAttemptCount | Int32 | The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. Range is an integer X where 4 <= X <= 16 for desktop and 0 <= X <= 999 for mobile devices. |
| minutesOfInactivityBeforeDeviceLock | Int32 | Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Range is an integer X where 0 <= X <= 999. |
| daysWithoutContactBeforeUnenroll | Int32 | Offline interval before app data is wiped (days) |
Response
If successful, this method returns a 201 Created response code and a windowsInformationProtectionPolicy object in the response body.
Example
Request
Here is an example of the request.
POST https://graph.microsoft.com/beta/deviceAppManagement/windowsInformationProtectionPolicies
Content-type: application/json
Content-length: 4365
{
"@odata.type": "#microsoft.graph.windowsInformationProtectionPolicy",
"displayName": "Display Name value",
"description": "Description value",
"roleScopeTagIds": [
"Role Scope Tag Ids value"
],
"version": "Version value",
"enforcementLevel": "encryptAndAuditOnly",
"enterpriseDomain": "Enterprise Domain value",
"enterpriseProtectedDomainNames": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionResourceCollection",
"displayName": "Display Name value",
"resources": [
"Resources value"
]
}
],
"protectionUnderLockConfigRequired": true,
"dataRecoveryCertificate": {
"@odata.type": "microsoft.graph.windowsInformationProtectionDataRecoveryCertificate",
"subjectName": "Subject Name value",
"description": "Description value",
"expirationDateTime": "2016-12-31T23:57:57.2481234-08:00",
"certificate": "Y2VydGlmaWNhdGU="
},
"revokeOnUnenrollDisabled": true,
"rightsManagementServicesTemplateId": "abf7b16f-b16f-abf7-6fb1-f7ab6fb1f7ab",
"azureRightsManagementServicesAllowed": true,
"iconsVisible": true,
"protectedApps": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionStoreApp",
"displayName": "Display Name value",
"description": "Description value",
"publisherName": "Publisher Name value",
"productName": "Product Name value",
"denied": true
}
],
"exemptApps": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionStoreApp",
"displayName": "Display Name value",
"description": "Description value",
"publisherName": "Publisher Name value",
"productName": "Product Name value",
"denied": true
}
],
"enterpriseNetworkDomainNames": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionResourceCollection",
"displayName": "Display Name value",
"resources": [
"Resources value"
]
}
],
"enterpriseProxiedDomains": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionProxiedDomainCollection",
"displayName": "Display Name value",
"proxiedDomains": [
{
"@odata.type": "microsoft.graph.proxiedDomain",
"ipAddressOrFQDN": "Ip Address Or FQDN value",
"proxy": "Proxy value"
}
]
}
],
"enterpriseIPRanges": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionIPRangeCollection",
"displayName": "Display Name value",
"ranges": [
{
"@odata.type": "microsoft.graph.ipRange"
}
]
}
],
"enterpriseIPRangesAreAuthoritative": true,
"enterpriseProxyServers": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionResourceCollection",
"displayName": "Display Name value",
"resources": [
"Resources value"
]
}
],
"enterpriseInternalProxyServers": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionResourceCollection",
"displayName": "Display Name value",
"resources": [
"Resources value"
]
}
],
"enterpriseProxyServersAreAuthoritative": true,
"neutralDomainResources": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionResourceCollection",
"displayName": "Display Name value",
"resources": [
"Resources value"
]
}
],
"indexingEncryptedStoresOrItemsBlocked": true,
"smbAutoEncryptedFileExtensions": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionResourceCollection",
"displayName": "Display Name value",
"resources": [
"Resources value"
]
}
],
"isAssigned": true,
"revokeOnMdmHandoffDisabled": true,
"mdmEnrollmentUrl": "https://example.com/mdmEnrollmentUrl/",
"windowsHelloForBusinessBlocked": true,
"pinMinimumLength": 0,
"pinUppercaseLetters": "requireAtLeastOne",
"pinLowercaseLetters": "requireAtLeastOne",
"pinSpecialCharacters": "requireAtLeastOne",
"pinExpirationDays": 1,
"numberOfPastPinsRemembered": 10,
"passwordMaximumAttemptCount": 11,
"minutesOfInactivityBeforeDeviceLock": 3,
"daysWithoutContactBeforeUnenroll": 0
}
Response
Here is an example of the response. Note: The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 4537
{
"@odata.type": "#microsoft.graph.windowsInformationProtectionPolicy",
"displayName": "Display Name value",
"description": "Description value",
"createdDateTime": "2017-01-01T00:02:43.5775965-08:00",
"lastModifiedDateTime": "2017-01-01T00:00:35.1329464-08:00",
"roleScopeTagIds": [
"Role Scope Tag Ids value"
],
"id": "6397be61-be61-6397-61be-976361be9763",
"version": "Version value",
"enforcementLevel": "encryptAndAuditOnly",
"enterpriseDomain": "Enterprise Domain value",
"enterpriseProtectedDomainNames": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionResourceCollection",
"displayName": "Display Name value",
"resources": [
"Resources value"
]
}
],
"protectionUnderLockConfigRequired": true,
"dataRecoveryCertificate": {
"@odata.type": "microsoft.graph.windowsInformationProtectionDataRecoveryCertificate",
"subjectName": "Subject Name value",
"description": "Description value",
"expirationDateTime": "2016-12-31T23:57:57.2481234-08:00",
"certificate": "Y2VydGlmaWNhdGU="
},
"revokeOnUnenrollDisabled": true,
"rightsManagementServicesTemplateId": "abf7b16f-b16f-abf7-6fb1-f7ab6fb1f7ab",
"azureRightsManagementServicesAllowed": true,
"iconsVisible": true,
"protectedApps": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionStoreApp",
"displayName": "Display Name value",
"description": "Description value",
"publisherName": "Publisher Name value",
"productName": "Product Name value",
"denied": true
}
],
"exemptApps": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionStoreApp",
"displayName": "Display Name value",
"description": "Description value",
"publisherName": "Publisher Name value",
"productName": "Product Name value",
"denied": true
}
],
"enterpriseNetworkDomainNames": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionResourceCollection",
"displayName": "Display Name value",
"resources": [
"Resources value"
]
}
],
"enterpriseProxiedDomains": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionProxiedDomainCollection",
"displayName": "Display Name value",
"proxiedDomains": [
{
"@odata.type": "microsoft.graph.proxiedDomain",
"ipAddressOrFQDN": "Ip Address Or FQDN value",
"proxy": "Proxy value"
}
]
}
],
"enterpriseIPRanges": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionIPRangeCollection",
"displayName": "Display Name value",
"ranges": [
{
"@odata.type": "microsoft.graph.ipRange"
}
]
}
],
"enterpriseIPRangesAreAuthoritative": true,
"enterpriseProxyServers": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionResourceCollection",
"displayName": "Display Name value",
"resources": [
"Resources value"
]
}
],
"enterpriseInternalProxyServers": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionResourceCollection",
"displayName": "Display Name value",
"resources": [
"Resources value"
]
}
],
"enterpriseProxyServersAreAuthoritative": true,
"neutralDomainResources": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionResourceCollection",
"displayName": "Display Name value",
"resources": [
"Resources value"
]
}
],
"indexingEncryptedStoresOrItemsBlocked": true,
"smbAutoEncryptedFileExtensions": [
{
"@odata.type": "microsoft.graph.windowsInformationProtectionResourceCollection",
"displayName": "Display Name value",
"resources": [
"Resources value"
]
}
],
"isAssigned": true,
"revokeOnMdmHandoffDisabled": true,
"mdmEnrollmentUrl": "https://example.com/mdmEnrollmentUrl/",
"windowsHelloForBusinessBlocked": true,
"pinMinimumLength": 0,
"pinUppercaseLetters": "requireAtLeastOne",
"pinLowercaseLetters": "requireAtLeastOne",
"pinSpecialCharacters": "requireAtLeastOne",
"pinExpirationDays": 1,
"numberOfPastPinsRemembered": 10,
"passwordMaximumAttemptCount": 11,
"minutesOfInactivityBeforeDeviceLock": 3,
"daysWithoutContactBeforeUnenroll": 0
}
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for