Not many people have heard of Microsoft’s new Enterprise Data Protection (EDP) feature, which is coming with Windows 10 later this year. EDP has been lit up in the Windows 10 Insider builds since January, and the policies have been available in Intune Standalone for about as long. Today we’re going to show you how to deploy them effectively.

First, let’s talk about what EDP is. Microsoft has a great page here that we’ll source some content from.

Many of the existing solutions try to address this issue by requiring employees to switch between personal and work containers and apps, which can lead to a less than optimal user experience. The feature code-named enterprise data protection (EDP) offers a better user experience, while helping to better separate and protect enterprise apps and data against disclosure risks across both company and personal devices, without requiring changes in environments or apps. Additionally, EDP when used with Rights Management Services (RMS), can help to protect your enterprise data locally, persisting the protection even when your data roams or is shared.

EDP provides:

  • Additional protection against enterprise data leakage, with minimal impact on employees’ regular work practices.
  • Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
  • Additional data protection for existing line-of-business apps without a need to update the apps.
  • Ability to wipe corporate data from devices while leaving personal data alone.
  • Use of audit reports for tracking issues and remedial actions.
  • Integration with your existing management system (Microsoft Intune, System Center Configuration Manager (version 1511 or later), or your current mobile device management (MDM) system) to configure, deploy, and manage EDP for your company.
  • Additional protection for your data (through RMS integration) while roaming and sharing, like when you share encrypted content through Outlook or move encrypted files to USB keys.
  • Ability to manage Office universal apps on Windows 10 devices using an MDM solution to help protect corporate data. To manage Office mobile apps for Android and iOS devices, see technical resources here.

EDP (as I understand) will be a Windows 10 Enterprise ONLY feature, however I believe it is in all of the current Insider builds (need to confirm). The following scenarios are currently supported:

  • You can encrypt enterprise data on employee-owned and corporate-owned devices.
  • You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
  • You can select specific apps that can access enterprise data, called “privileged apps” that are clearly recognizable to employees. You can also block non-privileged apps from accessing enterprise data.
  • Your employees won’t have their work interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.

Let’s start configuring!

First, let’s go into the Intune Standalone portal and find our Windows 10 EDP template.

Let’s give it a name and take a look at what we need in order to protect apps.

It looks like for a UWA (Universal Windows App) we need a Publisher Name and a Product Name.

The easiest way to get this is to run the following PowerShell command:

Get-AppxPackage | select name, publisher

It will return a list that looks something like this (you can use these as a reference as well :))

Microsoft.NET.Native.Framework.1.1 CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.NET.Native.Framework.1.1 CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.NET.Native.Framework.1.0 CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.NET.Native.Framework.1.0 CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.NET.Native.Runtime.1.0 CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.NET.Native.Runtime.1.0 CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.NET.Native.Runtime.1.1 CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.VCLibs.120.00 CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.NET.Native.Framework.1.2 CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.VCLibs.140.00 CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.BioEnrollment CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.AAD.BrokerPlugin CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.Windows.CloudExperienceHost CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.Windows.ShellExperienceHost CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
windows.immersivecontrolpanel CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.Windows.Cortana CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.AccountsControl CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.LockApp CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.MicrosoftEdge CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.Windows.AssignedAccessLockApp CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.Windows.ContentDeliveryManager CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.Windows.ParentalControls CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.Windows.SecondaryTileExperience CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.WindowsFeedback CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.XboxGameCallableUI CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.XboxIdentityProvider CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Windows.ContactSupport CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Windows.MiracastView CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Windows.PrintDialog CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Windows.PurchaseDialog CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
windows.devicesflow CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.NET.Native.Runtime.1.1 CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.Appconnector CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.SkypeApp CN=Skype Software Sarl, O=Microsoft Corporation, L=Luxembourg, S=Luxembourg, C=LU
Microsoft.VCLibs.120.00 CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Facebook.Facebook CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8
Microsoft.ZuneMusic CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
A97ECD55.KYOCERAPrintCenter CN=C217ADB1-F397-44E2-B8F9-DB39EB3A98D2
Microsoft.ConnectivityStore CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.NET.Native.Framework.1.2 CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.WinJS.2.0 CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.RemoteDesktop CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.3DBuilder CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.SurfaceHub CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.WindowsSoundRecorder CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.WindowsAlarms CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.WindowsMaps CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.WindowsCalculator CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
AD2F1837.HPPrinterControl CN=ED346674-0FA1-4272-85CE-3187C9C86E26
Microsoft.Messaging CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
C236C1D5.join.meViewer CN=2F918A87-E2C3-4DC5-B864-F73729390BC6
Microsoft.VCLibs.140.00.Debug CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.VCLibs.120.00.Debug.Universal CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.WindowsPhone CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
6c50058f-a364-41ea-8e2f-9b66a412c0ee CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.XboxApp CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
396655e2-5c06-4e9e-be80-a825f8ac98d6 CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.VCLibs.140.00 CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CmModernAppv.01 CN=Microsoft Corporation (Internal Use Only), O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.WindowsCamera CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.NetworkSpeedTest CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.People CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.ZuneVideo CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.Windows.Photos CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.BingSports CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
53028HelgeMagnusKeck.WiFiTool CN=B9580ECC-C477-45A8-9E55-2DE68B1D7DDB
Microsoft.BingWeather CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.BingNews CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.BingFinance CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.Office.Word CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.Office.PowerPoint CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.Office.Excel CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.Office.OneNote CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.Reader CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.WindowsStore CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.CompanyPortal CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.Office.Sway CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.MicrosoftSolitaireCollection CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.MicrosoftPowerBIForWindows CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
9E2F88E3.Twitter CN=2079F891-4F1B-4C35-9488-2582FB598793
Microsoft.CommsPhone CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
microsoft.windowscommunicationsapps CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.MicrosoftOfficeHub CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Microsoft.VCLibs.120.00.Universal CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
C384BBF6.Uber.Win10 CN=2B58EB00-F3D8-4F95-AE13-B8302186FDEC
4DF9E0F8.Netflix CN=52120C15-ACFA-47FC-A7E3-4974DBA79445
Microsoft.Getstarted CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
king.com.CandyCrushSodaSaga CN=F80C3B33-B9E8-4F23-AB15-B97C700EFF2F

We’re going to go ahead and grab the Excel UWA first to test:

Microsoft.Office.Excel CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

Let’s populate the proper fields.

If you want to protect a desktop app, you’ll need to dig up a few more pieces.

NOTE: Big thanks to Ronny De Jong for making it easy to find here!

Get-AppLockerFileInformation -Directory "C:\program files (x86)\Microsoft Office\Root\Office16" -Recurse -FileType Exe | where {$_.Path -like "*Excel.exe"} | fl
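As an added example (not from the original post), the following PowerShell wraps both lookups above, the Get-AppxPackage query for Universal apps and the Get-AppLockerFileInformation query for desktop apps, into one function that emits the Publisher Name, Product Name and Binary Name fields the EDP template asks for. The function and parameter names are my own; the cmdlets are the built-in ones the post already uses.

```powershell
# Added example, not from the original post. Gathers the identity fields the
# Intune EDP template needs for Universal (Appx) and desktop apps in one shape.
function Get-EdpAppIdentity {
    [CmdletBinding()]
    param(
        # Wildcard on the Appx package name, e.g. 'Microsoft.Office.*'
        [string]$AppxName,
        # Directory to scan for desktop executables (as in the post)
        [string]$DesktopDirectory,
        # Wildcard on the executable name, e.g. '*Excel.exe'
        [string]$ExeFilter = '*.exe'
    )

    if ($AppxName) {
        # Publisher is already the DN string the template's Publisher Name field
        # expects; Name is the Product Name. Packages often appear twice (x86/x64),
        # so collapse duplicates.
        Get-AppxPackage -Name $AppxName |
            Sort-Object Name, Publisher -Unique |
            ForEach-Object {
                [pscustomobject]@{
                    Type        = 'Universal'
                    ProductName = $_.Name
                    Publisher   = $_.Publisher
                    BinaryName  = ''
                    Version     = $_.Version.ToString()
                }
            }
    }

    if ($DesktopDirectory) {
        # AppLocker's publisher data carries signer, product and binary names the
        # way the desktop-app fields want them. Unsigned files have no Publisher
        # and cannot be targeted by a publisher rule, so they are skipped.
        Get-AppLockerFileInformation -Directory $DesktopDirectory -Recurse -FileType Exe |
            Where-Object { $_.Path -like $ExeFilter -and $_.Publisher } |
            ForEach-Object {
                [pscustomobject]@{
                    Type        = 'Desktop'
                    ProductName = $_.Publisher.ProductName
                    Publisher   = $_.Publisher.PublisherName
                    BinaryName  = $_.Publisher.BinaryName
                    Version     = $_.Publisher.BinaryVersion.ToString()
                }
            }
    }
}

# Usage: the two Excel entries the post adds (UWA and desktop)
Get-EdpAppIdentity -AppxName 'Microsoft.Office.Excel' | Format-List
Get-EdpAppIdentity -DesktopDirectory 'C:\Program Files (x86)\Microsoft Office\Root\Office16' -ExeFilter '*Excel.exe' | Format-List
```

Pipe the output to Export-Csv to keep a record of exactly which publisher/product pairs went into the policy.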

Now we’ll fill in our desktop app data here.

I’ve gone ahead and done this for all of the Office Mobile apps.

Now we’ll choose which protection mode we want. In our case, we want to allow users to share corporate data into personal locations, but we want to know about it and be able to audit it, so we’ll select Override. The available modes are:

  • Block. EDP looks for inappropriate data sharing and stops the employee from completing the action.
  • Override. EDP looks for inappropriate data sharing, letting employees know when they do something inappropriate. However, this protection mode lets the employee override the policy and share the data anyway, while logging the action to your audit log.
  • Audit. EDP runs silently, logging inappropriate data sharing, without blocking anything.
  • Off. EDP isn’t active and doesn’t protect your data.

Then we need to define our network locations.

We then need to define the boundaries for the known networks so we know where these apps can access corporate data on the network.

In my test O365/EMS tenant, we are just going to define the Network Domain, Azure AD, SharePoint and the Primary domain.

And finally, we can enable some of the additional EMS settings, which we’ll explore further later.

Now, once we have the mobile apps deployed on our Windows 10 VM and the policies have refreshed (or you refresh them manually), you should see a nice new “Protected” icon on your protected apps.

Let’s actually see what that does.

First, I’m going to go ahead and start a new document and protect it.

Let’s save it locally as a protected document.

You can now see a nice icon over the file indicating it’s protected.

Let’s open it up; you can see it now shows as protected.

Let’s copy the text in the protected doc.

And try to paste it into a personal app, like the search box in my Edge browser.

You can see it prompts, but allows me to override!

And we can see that it’s been written to the event log to be audited!
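As an added example (not from the original post), this PowerShell pulls those audit records out of the event log so the Override decisions can be reviewed centrally rather than one machine at a time in Event Viewer. The function and parameter names are my own, and the EDP audit channels are located by wildcard because their exact names are an assumption rather than something the post states.

```powershell
# Added example, not from the original post. Collects EDP audit events from the
# local event log and flattens their structured fields for review or export.
function Get-EdpAuditEvents {
    [CmdletBinding()]
    param(
        # How far back to look
        [timespan]$Since = (New-TimeSpan -Days 7),
        # Wildcard for the EDP audit channels; assumed, not taken from the post
        [string]$LogPattern = '*EDP-Audit*'
    )

    $logs = Get-WinEvent -ListLog $LogPattern -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 }
    if (-not $logs) {
        Write-Warning "No populated logs match '$LogPattern' (is an EDP policy applied and has anything been audited?)"
        return
    }

    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; StartTime = (Get-Date) - $Since } -ErrorAction SilentlyContinue |
            ForEach-Object {
                # The event XML carries the structured EventData fields; the first
                # line of the rendered message is kept as a human-readable summary.
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) {
                    if ($d.Name) { $data[$d.Name] = $d.'#text' }
                }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Log     = $_.LogName
                    EventId = $_.Id
                    User    = $_.UserId
                    Message = ($_.Message -split "`n")[0]
                    Fields  = $data
                }
            }
    }
}

# Usage: last week's records newest first, then a count per event ID to spot
# which kind of override is happening most.
$events = Get-EdpAuditEvents
$events | Sort-Object Time -Descending | Format-Table Time, EventId, User, Message -AutoSize
$events | Group-Object EventId | Select-Object Name, Count
```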
