Windows Information protection Policy not applying

  • Question

  • Dear all,

    we are currently testing WIP via the new Azure based Intune Portal in a very strange customer scenario:

    The customer has the Win10 clients Azure AD joined in a different tenant from where the Office 365 Pro Plus installation is licensed.

    Therefore we want to include both company identity domains in the company identity setting:

    That's always failing when saving the settings? 

    The result is that the WIP policies aren't applied? Is this not working with this situation of using two tenants (one for Azure AD join and Intune MDM) and one for licensing O365 Pro Plus?

    Next question is why we can't select "with enrollment"? MDM is configured with the Intune enrollment URLs and devices are shown in Intune?

    Any suggestions?

    Thanks. 

    Wednesday, May 10, 2017 2:43 PM

All replies

  • Hi,

    Yes, you should use one tenant that includes both Intune MDM and Office 365 subscription. Because the WIP policies are user targeted, the users in one tenant (directory) cannot be applied via the WIP policies deployed in another directory.

    >>"Next question is why we can't select "with enrollment"? MDM is configured with the Intune enrollment URLs and devices are shown in Intune?"

    Same as me, I am not sure what the cause is. This option means you can implement WIP policies to devices (only win10 1703 or later) without enrollment.

    Regards,

    Jimmy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Thursday, May 11, 2017 12:03 PM
    Moderator
  • WIP policy isn't applied because for MDM enrollment, it needs to be configured in the old Intune portal. The documentation has been updated - https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune

    Your screenshot is "Without enrollment" which means it needs to be enrolled in MAM (not MDM). For this scenario see https://blogs.technet.microsoft.com/cbernier/2017/05/19/windows-information-protection-explained-windows-10-creators-update/

    Tuesday, May 23, 2017 2:00 AM
  • Hi,

    The Intune Azure portal also has the notification which prompts you to set MAM URL in AAD now as below:

    Regards,

    Jimmy



    Tuesday, May 23, 2017 4:23 AM
    Moderator
  • Hi,

    you're absolutely correct, however customer wants to use "with enrollment" but the Setting is always greyed out?

    The device is shown as MDM managed?

    Why it's impossible to change the enrollment state although Intune is correctly configured as MDM Provider and devices shown as MDM managed?

    I know that "without enrollment" is possible with creators update 1703, but customer wants to enroll devices?

    Is this information confirmed from MS that WIP policies still need to be configured in the old portal? They announced WIP configuration in the new portal and recommended configuration in the new portal a few weeks ago?

    thanks and regards,

    ckuever

    Tuesday, May 23, 2017 11:00 AM
  •   >>"you're absolutely correct, however customer wants to use "with enrollment" but the Setting is always greyed out?"

    With enrollment can only be configured in the old Intune portal at this stage (manage.microsoft.com). The new Intune preview portal in portal.azure.com can only configure "Without enrollment" which means MAM enrolled.

      >>"Why it's impossible to change the enrollment state although Intune is correctly configured as MDM Provider and devices shown as MDM managed?"

    Microsoft haven't moved the "with enrollment" over to the new portal yet. They have changed back the documentation which said you could configure "with enrollment" in the new portal back to the old Intune portal. 


    Tuesday, May 23, 2017 10:22 PM
  • Hi,

    >>"you're absolutely correct, however customer wants to use "with enrollment" but the Setting is always greyed out?"

    You can configure the WIP policy in the new Intune portal now "With Enrollment". It shouldn't be greyed out now.

    Monday, June 12, 2017 3:37 AM