Citrix Endpoint Management

Windows Information Protection device policy

Windows Information Protection (WIP), previously known as enterprise data protection (EDP), is a Windows technology that protects against the potential leakage of enterprise data. Data leakage can occur through sharing of enterprise data to non-enterprise protected apps, between apps, or outside of the organization network. For more information, see Protect your enterprise data using Windows Information Protection (WIP).

You can create a device policy in Endpoint Management to specify the apps that require Windows Information Protection, at the enforcement level you set. The Windows Information Protection policy applies to supervised Phone, Tablet, and Desktop devices running Windows 10 (version 1607 or later) or Windows 11.

Endpoint Management includes some common apps, and you can add others. For the policy, you specify an enforcement level that determines the user experience. For example, you can:

  • Block any inappropriate data sharing.

  • Warn about inappropriate data sharing and allow users to override the policy.

  • Run WIP silently while logging and permitting inappropriate data sharing.

To exclude apps from Windows Information Protection, define the apps in Microsoft AppLocker XML files and then import those files into Endpoint Management.
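As an added example (this is not code from the Citrix page or from Citrix), the following PowerShell builds such an AppLocker XML file with the AppLocker cmdlets that ship with Windows, covering one desktop app and one Store app, and then reads the file back to list the rules the console will receive. The executable path, the package name and the output path are assumptions; replace them with the apps you want excluded.

```powershell
# Added example, not from the Citrix page: produce an AppLocker XML file that
# names the apps to exclude from WIP (one desktop .exe and one Store app) using
# the AppLocker cmdlets built into Windows. The executable path, package name
# and output file below are assumptions; substitute the apps you exclude.

$ErrorActionPreference = 'Stop'
$outFile = Join-Path $env:USERPROFILE 'wip-exempt-apps.xml'   # assumed output path

# Collect signer/hash information for both app kinds. Publisher rules keep
# matching after app updates; Hash is only the fallback for unsigned binaries.
$fileInfo = @(
    Get-AppLockerFileInformation -Path 'C:\Program Files\ExampleVendor\ExampleApp.exe'   # assumed path
    Get-AppxPackage -Name 'ExampleVendor.ExampleStoreApp' | Get-AppLockerFileInformation # assumed package
)

# Turn the collected file information into one AppLocker policy document.
$policyXml = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml
Set-Content -Path $outFile -Value $policyXml -Encoding UTF8

# Read the file back and show what was generated, one line per rule, so the
# contents can be reviewed before the file is uploaded in the policy.
[xml]$doc = Get-Content -Path $outFile -Raw
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    foreach ($rule in $collection.ChildNodes) {
        [pscustomobject]@{
            Collection = $collection.GetAttribute('Type')   # Exe or Appx
            Rule       = $rule.LocalName                    # FilePublisherRule or FileHashRule
            Name       = $rule.GetAttribute('Name')
            Action     = $rule.GetAttribute('Action')
        }
    }
}
```

Run this on a Windows machine that has the apps installed, since the cmdlets read the signer information from the installed binaries; the resulting file is what the AppLocker XML file field of the policy accepts.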

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

Windows Phone and Windows Desktop/Tablet settings

Device Policies configuration screen

  • Desktop App (Windows 10 and Windows 11 Desktops), Store App (Windows 10 Phones, Windows 10 and Windows 11 Tablets): Endpoint Management includes some common apps, as shown in the sample above. You can edit or remove those apps as needed.

    To add other apps: In the Desktop App or Store App table, click Add and provide the app information.

    Allowed apps can read, create, and update enterprise data. Denied apps can’t access enterprise data. Exempt apps can read enterprise data but can’t create or modify the data.

  • AppLocker XML file: Microsoft provides a list of Microsoft apps that have known compatibility issues with WIP. To exclude those apps from WIP, click Browse to upload the list. Endpoint Management combines the uploaded AppLocker XML file and the configured desktop and store apps in the policy sent to the device. For more information, see Recommended block list for Windows Information Protection.

  • Enforcement level: Select an option to specify how you want Windows Information Protection to protect and manage data sharing. Defaults to Off.

    • 0-Off: WIP is off and doesn’t protect or audit your data.

    • 1-Silent: WIP runs silently, logs inappropriate data sharing, and doesn’t block anything. You can access logs through Reporting CSP.

    • 2-Override: WIP warns users about potentially unsafe data sharing. Users can override warnings and share the data. This mode logs actions, including user overrides, to your audit log.

    • 3-Block: WIP prevents users from completing potentially unsafe data sharing.

  • Protected domain names: The domains that your enterprise uses for its user identities. This list of managed identity domains, together with the primary domain, makes up the identity of your managing enterprise. The first domain in the list is the primary corporate identity used in the Windows UI. Use pipes (|) to separate list items. For example:|

  • Data recovery certificate: Click Browse and then select a recovery certificate to use for data recovery of encrypted files. This certificate is the same as the data recovery agent (DRA) certificate for the encrypting file system (EFS), only delivered through MDM instead of Group Policy. If a recovery certificate isn’t available, create it. For information, see “Create a data recovery certificate” in this section.

  • Network domain names: A list of domains that comprise the boundaries of the enterprise. WIP protects all traffic to the fully qualified domains in this list. This setting, together with the IP range setting, detects whether a network endpoint is enterprise or personal on private networks. Use commas to separate list items. For example:,

  • IP range: A list of the enterprise IPv4 and IPv6 ranges that define the computers in the enterprise network. WIP considers these locations a safe destination for enterprise data sharing. Use commas to separate list items. For example:,2001:4898::-2001:4898:7fff:ffff:ffff:ffff:ffff:ffff

  • Automatically detect IP ranges: If On, prevents Windows from detecting IP ranges automatically. Defaults to Off.

  • Proxy servers: A list of the proxy servers that the enterprise can use for corporate resources. This setting is required if you use a proxy in your network. Without a proxy server, enterprise resources might be unavailable when a client is behind a proxy. For example, resources might be unavailable from certain Wi-Fi hotspots at hotels and restaurants. Use semicolons (;) to separate list items. For example:;

  • Internal proxy servers: A list of the proxy servers that your devices go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. Don’t include in this list any of the servers in the Proxy servers setting, which are used for non-WIP-protected traffic. Use semicolons (;) to separate list items. For example:;

  • Cloud resources: A list of cloud resources protected by WIP. For each cloud resource, you can also optionally specify a proxy server from the Proxy servers list to route traffic for that cloud resource. All traffic routed through the Proxy servers is treated as enterprise traffic. Use pipes (|) to separate list items. For example:|

  • Enable protection under lock: Windows 10 Phone only. If On, the Passcode device policy is also required. Otherwise, the Windows Information Protection policy deployment fails. Also, if this setting is On, the setting Protection under lock appears. Defaults to Off.

  • Protection under lock: Windows 10 Phone only. Specifies whether to encrypt enterprise data using a key that’s protected by an employee PIN on a locked device. Apps can’t read corporate data on a locked device. Defaults to On.

  • Revoke WIP certificate on unenroll: Specifies whether to revoke local encryption keys from a user device when it’s unenrolled from Windows Information Protection. After the encryption keys are revoked, a user can’t access encrypted corporate data. If Off, the keys aren’t revoked and the user continues to have access to protected files after unenrollment. Defaults to On.

  • Show overlay icons: Specifies whether to include the Windows Information Protection icon overlay on corporate files in Explorer and on enterprise-only app tiles in the Start menu. Defaults to Off.
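The list-valued settings above each use a different separator (pipes for Protected domain names and Cloud resources, commas for Network domain names and IP range, semicolons for the two proxy lists), and a mismatched separator turns several intended entries into one malformed entry. As an added example that is not part of the Citrix page, this PowerShell function checks a field's value against the separator and entry type that field expects before you paste it into the console; the sample values are constructed placeholders apart from the IPv6 range, which is the page's own example.

```powershell
# Added example, not from the Citrix page: sanity-check the list-valued WIP
# policy fields before entering them in the console. The sample values are
# constructed placeholders (the IPv6 range is the page's own example).

function Test-WipListField {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Value,
        [Parameter(Mandatory)] [char]   $Delimiter,   # '|', ',' or ';' depending on the field
        [ValidateSet('Domain', 'IPRange', 'Proxy')] [string] $Kind = 'Domain'
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $items    = $Value -split [regex]::Escape([string]$Delimiter)
    $others   = @('|', ',', ';') | Where-Object { $_ -ne [string]$Delimiter }

    foreach ($raw in $items) {
        $item = $raw.Trim()
        if ($item.Length -eq 0) { $problems.Add('empty entry (trailing or doubled delimiter?)'); continue }

        # An entry that still contains one of the other WIP delimiters was almost
        # certainly written with the wrong separator for this field.
        foreach ($other in $others) {
            if ($item.Contains($other)) { $problems.Add("'$item' contains '$other'; wrong delimiter for this field?") }
        }

        switch ($Kind) {
            'Domain' {
                if ($item -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') { $problems.Add("'$item' is not a fully qualified domain name") }
            }
            'Proxy' {
                if ($item -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(:\d{1,5})?$') { $problems.Add("'$item' is not host[:port]") }
            }
            'IPRange' {
                # Ranges are written <start>-<end>; both ends must parse and share a family.
                $ends  = $item -split '-', 2
                $start = $null; $end = $null
                if ($ends.Count -ne 2 -or
                    -not [System.Net.IPAddress]::TryParse($ends[0], [ref]$start) -or
                    -not [System.Net.IPAddress]::TryParse($ends[1], [ref]$end)) {
                    $problems.Add("'$item' is not <start>-<end> with two valid IP addresses")
                } elseif ($start.AddressFamily -ne $end.AddressFamily) {
                    $problems.Add("'$item' mixes IPv4 and IPv6 endpoints")
                }
            }
        }
    }
    [pscustomobject]@{ Field = $Name; Entries = $items.Count; Problems = ($problems -join '; ') }
}

# Constructed sample values; the last one deliberately uses pipes where the
# Network domain names field expects commas, so it is reported as a single
# malformed entry rather than two domains.
$checks = @(
    Test-WipListField -Name 'Protected domain names' -Delimiter '|' -Value 'corp.example|mail.corp.example'
    Test-WipListField -Name 'Network domain names'   -Delimiter ',' -Value 'corp.example,intranet.corp.example'
    Test-WipListField -Name 'IP range' -Kind IPRange -Delimiter ',' -Value '10.0.0.0-10.255.255.255,2001:4898::-2001:4898:7fff:ffff:ffff:ffff:ffff:ffff'
    Test-WipListField -Name 'Proxy servers' -Kind Proxy -Delimiter ';' -Value 'proxy.corp.example:8080;proxy2.corp.example:8080'
    Test-WipListField -Name 'Network domain names (mistake)' -Delimiter ',' -Value 'corp.example|intranet.corp.example'
)
$checks | Format-Table -AutoSize -Wrap
```

The Cloud resources field is left out of the checks because, as the page notes, each of its entries can carry an optional proxy server in addition to the resource name, so a single-entry pattern does not describe it.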

Create a data recovery certificate

A data recovery certificate is required to enable the Windows Information Protection policy.

  1. On the machine where the Endpoint Management console is running, open a command prompt and navigate to a folder (other than Windows\System32) where you want to create a certificate.

  2. Run this command:

    cipher /r:ESFDRA

  3. When prompted, enter a password to protect the private key file.

    The cipher command creates a .cer and a .pfx file.

  4. In the Endpoint Management console, go to Settings > Certificates and import the .cer file, which applies to both Windows 10 and Windows 11 tablets and Windows 10 phones.
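The same steps from a PowerShell prompt, with a check on the result, as an added example that is not part of the Citrix page: it runs the cipher command, confirms that both output files exist, and verifies that the .cer carries the File Recovery enhanced key usage that Windows puts on EFS data recovery agent certificates before you import it. The working folder is an assumption; the file base name is the page's ESFDRA.

```powershell
# Added example, not from the Citrix page: create the DRA certificate with
# cipher and verify it before importing the .cer into the console. The working
# folder is an assumption; the base name ESFDRA is the one the page uses.

$ErrorActionPreference = 'Stop'
$workDir  = Join-Path $env:USERPROFILE 'wip-dra'   # any folder other than Windows\System32
$baseName = 'ESFDRA'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

Push-Location $workDir
try {
    # cipher prompts for the password that protects the private key in the .pfx
    cipher.exe /r:$baseName
} finally {
    Pop-Location
}

$cerPath = Join-Path $workDir "$baseName.cer"
$pfxPath = Join-Path $workDir "$baseName.pfx"
foreach ($p in $cerPath, $pfxPath) {
    if (-not (Test-Path $p)) { throw "expected output file is missing: $p" }
}

# Load the public certificate; the .cer needs no password.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

# EFS "File Recovery" enhanced key usage; without it the certificate does not
# act as a data recovery agent.
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasFileRecovery = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $fileRecoveryOid })
if (-not $hasFileRecovery) { throw "$cerPath does not carry the File Recovery enhanced key usage" }

# Record these values with the policy; the thumbprint identifies the DRA certificate.
[pscustomobject]@{
    Subject            = $cert.Subject
    Thumbprint         = $cert.Thumbprint
    NotAfter           = $cert.NotAfter
    HasFileRecoveryEku = $hasFileRecovery
    CerFile            = $cerPath
    PfxFile            = $pfxPath
}
```

Only the .cer is imported into the console. The .pfx holds the private key that can decrypt every file protected under this policy, so store it offline under the password chosen at the prompt and keep it out of the folder that gets shared or synced.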

User experience

When Windows Information Protection is in effect, apps and files include an icon:

Example of Windows Information Protection icon


If a user copies or saves a protected file to a non-protected location, the following notification appears, depending on the enforcement level configured.

Example of notification
