- WIP lets you separate and protect personal and corporate data on Windows devices.
- Protection policies control which applications can access and modify company data.
- WIP's flexible configuration adapts to the needs and security level of each organization.
Protecting corporate data is currently a key priority for organizations that use Windows devices, especially given increasing mobility and the mixing of personal and business data on the same computers. Windows Information Protection (WIP) emerges as an effective solution for securing that data, limiting its use, and applying policies that prevent information leakage, even when employees work from remote locations or combine their personal and work lives on a single device.
This article is intended to help you understand, configure, and get the most out of Windows Information Protection on computers running Windows 10 or Windows 11, whether you manage a large business environment or simply need to protect your organization's sensitive information efficiently. Here you will find clear explanations, detailed steps, and practical recommendations that bring together the relevant guidance from the main vendors and experts in the field.
What is Windows Information Protection?
WIP is a feature built into Windows 10 and later, designed to protect corporate data against the risk of leakage or theft by applying automatic policies to applications and files, both inside and outside the corporate network. Through policies created by the organization, it determines which applications can access, create, and modify company data, clearly separating personal data from professional data even on a single device.
This feature is the evolution of the former Enterprise Data Protection (EDP), and it integrates easily with both mobile device management (MDM) and mobile application management (MAM), allowing granular control over data traffic, file access, and remote management of information.
What is WIP for and who should use it?
WIP data protection is especially recommended in companies where employees:
- Use personal and corporate devices to work with and store sensitive data.
- Need to clearly distinguish between personal and company files.
- Require access to business resources from different locations and networks.
- Need work data to be selectively erased without affecting the user's personal information.
- Want to audit usage and behavior around protected data, or to prevent it from being shared outside of secure applications.
WIP adds an extra layer of protection even when data is transferred to other devices or media (e.g. USB drives), and it ensures that the company's information remains encrypted and under control at all times.
Essential components of WIP and how it works
To understand how WIP works, you need to know some key concepts:
- Protection policies: The rules the organization dictates to determine which data is protected, how, and with which applications.
- Allowed or whitelisted applications: Only apps registered by the administrator can access and operate on the protected files.
- Denied applications: These applications have no access to business data.
- Exempt applications: They can read company information, but cannot modify it or create new data.
- File and clipboard protection: WIP controls whether the user can copy and paste protected data into personal applications and vice versa.
- Encryption and selective wipe: If the user unenrolls or removes the app, all business information can be deleted remotely from the device.
Deployment models and user experiences
WIP can be applied through either MDM (Mobile Device Management) or MAM (Mobile Application Management). In a typical scenario:
- Employees enroll their device in the company's management solution, such as Microsoft Intune or System Center Configuration Manager (SCCM).
- The administrator deploys a WIP policy that defines which applications the organization manages and how the data is controlled.
- If a user does not enroll their device in MDM but uses specific apps subject to MAM, they will still receive the policy for those apps.
The user experience can vary greatly depending on the enforcement level configured in the WIP policy:
- Silent: WIP runs in the background, simply logging all unauthorized data-sharing attempts without blocking any action. Ideal for auditing.
- Warning (Override): The user receives a warning if they attempt to share business data in an insecure manner, but they can dismiss the warning and complete the action. All actions are logged.
- Blocking: The strictest mode. It completely prevents users from sharing protected data outside of authorized applications and environments.
The administrator can decide at any time which experience to give users and adapt the level of protection to the company's context or the type of information handled.
Essential configuration elements in a WIP policy
To carry out an effective implementation of Windows Information Protection, several key parameters need to be configured:
- List of protected domains: Defines the corporate domains that the system will treat as company domains.
- IP ranges: Specifies which IP ranges belong to the corporate secure network; essential for differentiating between work and personal locations.
- Proxy servers: The list of servers used to reach business resources, ensuring secure access to information in the cloud.
- Cloud resources: Define which domains or cloud resources the WIP policies apply to, managing traffic and access to critical data.
- Data recovery certificate: Allows the organization to decrypt protected files in case of emergency or recovery.
- Key revocation settings: Determine whether unenrolling a device revokes the encryption keys and blocks access to protected data.
In addition, WIP can show overlay icons on protected files, applications, and resources, making them easy for users to identify visually.
Step-by-step WIP setup on Windows devices
WIP configuration is typically done through centralized management solutions, either through MDM or MAM, or using AppLocker XML files to define the app lists. The basic steps are:
- Planning and defining policies: Determine which information will be protected, which applications will be allowed, and the desired level of protection.
- Creating the recovery certificate: It is essential to generate and securely store the certificate that will allow the company to recover encrypted data if necessary. This can be done, for example, by running the command cipher /r:EFSDRA on a Windows computer, which generates the .cer and password-protected .pfx files.
- Configuring policies in the management console: Depending on the chosen solution (Intune, Citrix XenMobile, BlackBerry UEM, etc.), open the policy panel and define parameters such as domains, IP ranges, cloud resources, and proxy servers.
- Application assignment: Use AppLocker or the platform's own mechanism to include or exclude apps. Apps listed as allowed can create, edit, and read company data; denied apps are excluded completely; and exempt apps can only view the information.
- Device distribution and enrollment: Users enroll their devices in the system and automatically receive the protection settings.
- Testing and validation: It is critical to verify that the policy works as expected: that personal and business files are properly differentiated, and that the protection does not interfere with normal device use.
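The recovery certificate step above, as an added PowerShell example (not code from the original article): it runs the cipher command and then inspects the generated .cer before anyone references it from a policy. The output folder, the EFSDRA base name and the hypothetical layout are assumptions for this example; the OID 1.3.6.1.4.1.311.10.3.4.1 is Microsoft's standard "File Recovery" enhanced key usage, which a data recovery agent certificate must carry.

```powershell
# Added example, not from the original article: generate the WIP data
# recovery agent (DRA) certificate with cipher.exe and verify the .cer
# before it goes into a policy. Assumptions: Windows 10/11, run by an
# admin; the EFSDRA base name and the output folder are arbitrary; the
# OID below is Microsoft's standard "File Recovery" enhanced key usage.

$BaseName        = 'EFSDRA'
$OutDir          = Join-Path $env:USERPROFILE 'WIP-DRA'
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Push-Location $OutDir
try {
    # cipher prompts interactively for the password that protects the .pfx
    # and writes <BaseName>.cer and <BaseName>.pfx to the current folder.
    cipher.exe "/r:$BaseName"
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }
}
finally {
    Pop-Location
}

$cerPath = Join-Path $OutDir "$BaseName.cer"
$pfxPath = Join-Path $OutDir "$BaseName.pfx"

# Load the public half and confirm it carries the File Recovery EKU;
# a certificate without it cannot act as a recovery agent.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
$ekus = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }

if ($ekus -notcontains $FileRecoveryOid) {
    throw "$cerPath lacks the File Recovery EKU ($FileRecoveryOid); do not use it as a DRA."
}
if ($cert.NotAfter -lt (Get-Date).AddYears(1)) {
    Write-Warning "DRA certificate expires on $($cert.NotAfter); plan its renewal."
}

# Summary for the change record. The .cer is what the policy references;
# the .pfx holds the private key and belongs in offline, access-controlled storage.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    PublicCer  = $cerPath
    PrivatePfx = $pfxPath
}
```

The thumbprint and expiry in the summary are what you record alongside the policy, so that a later administrator can confirm which recovery agent a given set of protected files trusts.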
This structure allows total control over sensitive information and helps keep company data safe in different work scenarios, including teleworking and BYOD (Bring Your Own Device).
Particular cases and advanced use scenarios
Some popular applications, such as Dropbox Business, are compatible with WIP. If the app is included in the policy's allow list, all files synced to the business account will be protected automatically.
On the other hand, WIP does not integrate with personal accounts, so only corporate or business accounts can benefit from this protection. Additionally, if the policy blocks file syncing to unauthorized domains, that information will not be downloaded or made available to unauthorized users, ensuring confidentiality even if access is attempted from outside the business environment.
For developers and companies that create custom apps, it is important to keep the following in mind:
- If the app is used for both personal and business purposes, it is advisable to enable it to distinguish intelligently between both types of data, using the WIP APIs provided by Microsoft.
- If it is a purely enterprise application, it can be declared directly as enterprise-enabled.
- For traditional desktop apps, it's not always necessary to enable WIP, but it's a good idea to test whether they're working properly under the policy, avoiding accidentally encrypting the user's personal files.
Practical examples of XML configuration of allowed and denied applications
Permissions can be assigned to applications in detail using XML structures like those used by Microsoft AppLocker or by the Citrix and BlackBerry management consoles. For example, rules can be defined to:
- Allow all files from a given executable path.
- Specifically deny certain programs, such as WordPad, based on publisher name and location.
- Selectively allow applications such as Notepad.
An example of a rule would be:
... ... ...
These settings allow complete customization of which tools can interact with company files, automatically blocking the use of those that may pose a risk or are not approved.
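The three rule types listed above, as an added PowerShell example that is not the rule from the original article: an AppLocker-format app list covering a path Allow, a publisher Deny for WordPad and a publisher Allow for Notepad, followed by a small review function (Get-WipAppRule, a hypothetical name) that flattens the list and flags broad Allow rules during the periodic review. The rule Ids are constructed placeholder GUIDs, and the publisher strings are the ones Windows reports for its in-box Notepad and WordPad; re-check them with Get-AppLockerFileInformation on a reference machine before deploying.

```powershell
# Added example, not from the original article: a WIP application list in
# AppLocker XML form, plus a review function that lists every rule and flags
# broad Allow rules. Rule Ids are constructed placeholder GUIDs; publisher
# strings should be re-checked with Get-AppLockerFileInformation first.

$WipAppListXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- 1. Allow every executable under Program Files (a path rule). -->
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Allow Program Files"
                  Description="Constructed example" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <!-- 2. Deny WordPad by publisher and binary name, whatever path it runs from. -->
    <FilePublisherRule Id="22222222-2222-2222-2222-222222222222" Name="Deny WordPad"
                       Description="Constructed example" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
                                ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="WORDPAD.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!-- 3. Allow Notepad by publisher, any version. -->
    <FilePublisherRule Id="33333333-3333-3333-3333-333333333333" Name="Allow Notepad"
                       Description="Constructed example" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
                                ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="NOTEPAD.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Get-WipAppRule {
    # Flattens each rule into one row so the list can be reviewed or diffed over time.
    param([Parameter(Mandatory)][xml]$Policy)

    foreach ($collection in $Policy.AppLockerPolicy.RuleCollection) {
        foreach ($rule in $collection.ChildNodes) {
            if ($rule.NodeType -ne 'Element') { continue }   # skip XML comments
            $cond = $rule.Conditions.ChildNodes | Where-Object NodeType -eq 'Element' | Select-Object -First 1
            $target = switch ($cond.LocalName) {
                'FilePathCondition'      { $cond.Path }
                'FilePublisherCondition' { "$($cond.BinaryName) from $($cond.PublisherName)" }
                default                  { $cond.OuterXml }
            }
            # A path-wildcard Allow or an any-publisher Allow admits programs the
            # administrator never reviewed, so it deserves a second look at each review.
            $broad = ($rule.Action -eq 'Allow') -and
                     (($cond.LocalName -eq 'FilePathCondition' -and $cond.Path -match '\*') -or
                      $cond.PublisherName -eq '*')
            [pscustomobject]@{
                Collection  = $collection.Type
                Enforcement = $collection.EnforcementMode
                Action      = $rule.Action
                RuleType    = $rule.LocalName
                Target      = $target
                BroadAllow  = $broad
            }
        }
    }
}

[xml]$policy = $WipAppListXml
Get-WipAppRule -Policy $policy | Format-Table -AutoSize
```

With this list the path rule is reported as a broad Allow while the two publisher rules are not, which is the kind of finding the maintenance tips below ask you to revisit: a publisher Deny such as the WordPad rule keeps working when the path Allow is wide, but every other program under that path is admitted without review.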
Maintenance tips and best practices with WIP
To achieve a successful implementation, it is advisable to keep the following tips in mind:
- Periodically review the list of allowed and denied applications. Technology advances rapidly, and new versions or software not initially planned for may appear.
- Make sure your recovery certificate is kept up-to-date and secure. It is the only way to recover protected data if serious problems occur or access to a device is lost.
- Communicate to users the usage policies and the consequences of attempting to share data outside of authorized channels. Training is key to avoiding mistakes and accidental leaks.
- Use audit reports to detect anomalous behavior patterns or possible attempts at data exfiltration.
- Adapt protection levels based on context, user profile, and data sensitivity. Not all areas of the company require the same level of lockdown, and an overly restrictive policy can hurt productivity.
Proper management and updating of WIP policies ensures that Windows devices are always protected, even in complex scenarios such as remote work, shared equipment, or integration with cloud and external network storage solutions. To learn more about other aspects of device management and resource protection, you can consult our section on Diagnostics and Event Viewer in Windows 11.
By properly applying the functionalities of Windows Information Protection, businesses achieve a balance between security and usability, allowing employees to work productively and securely, with the peace of mind that vital business information remains under control at all times.