Issues applying Windows Information Protection policies

  • Question

  • Hi,

    I have set up a Windows Information Protection policy and applied it to a test group. Unfortunately, it appears that the policy isn't being applied (I don't see any of the Work/Personal options).

    I followed the steps as outlined here: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/create-wip-policy-using-intune 

    In Event Viewer, I can see the following entries:

    Log Name:Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin

    Source:DeviceManagement-Enterprise-Diagnostics-Provider

    EventID:820

    Message: MDM PolicyManager: Set policy precheck precheck call. Policy: (Security), Area: (RequireRetrieveHealthCertificateOnBoot), int value: (0x1) Result:(0x80004005) Unspecified error.

    Log Name:Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin

    Source:DeviceManagement-Enterprise-Diagnostics-Provider

    EventID:809

    Message: MDM PolicyManager: Set policy int, Policy: (RequireRetrieveHealthCertificateOnBoot), Area: (Security), EnrollmentID requesting set: (8A15585F-7A4C-434E-9CDC-B3C578CD0CD9), Current User: (Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0), Result:(0x80004005) Unspecified error.

    Log Name:Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin

    Source:DeviceManagement-Enterprise-Diagnostics-Provider

    EventID:400

    Message: MDM PolicyManager: Set policy int, Policy: (RequireRetrieveHealthCertificateOnBoot), Area: (Security), EnrollmentID requesting set: (8A15585F-7A4C-434E-9CDC-B3C578CD0CD9), Current User: (Device), Int: (0x1), Enrollment Type: (0x6), Scope: (0x0), Result:(0x80004005) Unspecified error.

    I suspect it doesn't like my DRA certificate, that I created using these steps: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate

    Does anyone have any ideas or experience with WIP policies?


    Kieran Jacobsen @kjacobsen http://PoshSecurity.com

    Wednesday, January 4, 2017 12:23 AM

All replies

  • Hi,

        The errors you provided seem to have nothing to do with WIP. The WIP policy is only valid for Win10 1607 devices; have you checked for that?

        Also, you can take a look at the blog post about how to configure a WIP policy here:

    https://blogs.technet.microsoft.com/jeffgilb/2016/11/30/windows-information-protection-intune-part-i/

    Regards,

    Jimmy



    Wednesday, January 4, 2017 9:58 AM
    Moderator
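A diagnostic script that checks both points raised so far (the client's build level and the PolicyManager events quoted in the question), added here as an example and not part of the thread. It assumes it runs elevated on the affected Windows 10 client and that the log name and event IDs are the ones quoted above.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session on the
# Windows 10 client; log name and event IDs are those quoted in the question.
$LogName  = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$EventIds = 820, 809, 400

# 1. Confirm the feature-update level: WIP requires Windows 10 1607 (build 14393).
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
'Windows {0} (ReleaseId {1}, build {2})' -f $cv.ProductName, $cv.ReleaseId, $cv.CurrentBuild
if ([int]$cv.CurrentBuild -lt 14393) {
    Write-Warning 'Build is older than 1607; a WIP policy will not apply on this client.'
}

# 2. Pull the PolicyManager events from the last 24 hours and flag those whose
#    Result is 0x80004005 ("Unspecified error"), as seen in the question.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventIds; StartTime = $since } `
                       -ErrorAction SilentlyContinue
foreach ($e in $events) {
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Failed = [bool]($e.Message -match 'Result:\(0x80004005\)')
        # First "Policy: (...)" token in the message; note 820 and 809 swap Policy/Area.
        Policy = if ($e.Message -match 'Policy: \(([^)]+)\)') { $Matches[1] } else { '' }
    }
}

# 3. Show join and MDM enrollment state, so "not MDM enrolled" can be ruled in or out.
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|DomainJoined|MdmUrl|AzureAdPrt'
```

If step 1 reports a build below 14393 the event errors are a red herring for WIP; if the build is right and MdmUrl is empty, the enrollment suggestion from support is the next thing to verify.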
  • Hi Jimmy,

    I think you are on to something. I am spinning up some more test machines to confirm.


    Kieran Jacobsen @kjacobsen http://PoshSecurity.com

    Wednesday, January 4, 2017 11:34 PM
  • Bump!

    Same thing happening on our end with newly configured tenants and Windows 10 Enterprise 1607 client PCs. Yes, we have followed Jeff Gilbert's posts over the past several months, and thank you to Jeff for guiding us through the process of understanding varying types of device enrollment. Without those posts, I don't believe we would have been able to get WIP up and running last fall. Sorry to report that it's not working anymore.

    We have it narrowed down to a specific time when WIP policies began to fail deployment. Sometime in late December 2016, when Intune groups were migrated into Azure Active Directory, we could no longer deploy WIP policies to Windows 10 Enterprise 1607 client PCs. We are able to see the groups that we create in AAD appear in the classic Intune console, and can select them for deployment, but the policies never make it down. I too see those same 3 errors that Kieran mentioned above.

    Any help is greatly appreciated!

    Tuesday, February 28, 2017 12:34 AM
  • I suspect it was an issue around the order of events, but a new virtual machine didn't seem to have the issue.

    Support suggested that I needed to MDM enroll as well, however my other virtual machines don't support that theory.

    In the end, we closed the support case as we have put the project on hold for a while.


    Kieran Jacobsen @kjacobsen http://PoshSecurity.com

    Wednesday, March 8, 2017 5:42 AM
  • Yes Kieran - it may be an order of events issue. 

    We were able to get WIP working again by starting over, carefully setting Intune as the MDM authority, and then going directly to Policies to create a single WIP policy only.

    We suspect that a Windows Phone 8.1 and Up configuration policy was somehow preventing the WIP policy from deploying successfully to the client; however, there was nothing listed under Policy Conflicts indicating an issue.

    • Edited by GSM at SCT Wednesday, March 8, 2017 9:21 PM
    Wednesday, March 8, 2017 9:20 PM
  • Hi,

    I'm running into the exact same problem when I try to set up WIP on Win10 (Enterprise, build 1607). My Intune tenant comes from the partner-demo environment ("demos.Microsoft.com" tenant that I got access to in order to prepare some demo materials...).

    It already comes with a number of WIP policies pre-configured (as part of the demo).

    Any suggestions to work around this and get this fixed? Any help is highly appreciated :-)

    Raf Cox

    (www.thesecurityfactory.be)


    Raf

    Thursday, March 23, 2017 6:01 PM