Remotely selective wipe WIP without enrollment devices

This week week a relatively short blog post about the ability to remotely selective wipe Windows Information Protection Without Enrollment (WIP-WE) devices. Almost two years ago I already wrote about app protection for Windows 10 (back than referred to as MAM-WE). That was the first piece of the without-enrollment-puzzle for Windows 10 devices. The second piece of that puzzle is just recently introduced, and is the subject of this post, which is the ability to remotely selective wipe those WIP-WE devices. In my opinion the third and yet still missing piece of that puzzle would be conditional access (require a managed app). Hopefully we can complete that puzzle soon. In this post I’ll show the remote action to selectively wipe a WIP-WE device, followed by pieces of the end-user experience.

Remote action

WIP-WE allows organizations to protect their corporate data on Windows 10 devices without the need for full MDM enrollment. Once documents are protected with a WIP-WE policy, the protected data can be remotely selectively wiped by a Microsoft Intune administrator. The following steps walk through the process of sending a remote wipe request to a Windows 10 device, to make sure that all protected corporate data will become unusable.

1 Open the Azure portal and navigate to Microsoft Intune > Client apps > App selective wipe to open the Client apps – App selective wipe blade;
2 On the Client apps – App selective wipe blade, click Create wipe request to open the Create wipe request blade;
3a

WIPWE-RequestOn Create wipe request blade, provide the following information and click Create:

  • User: See step 3b for more details;
  • Device: See step 3c for more details;
3b

WIPWE-UserOn the User blade, search for the specific user and click Select:

Note: This can be any user available in Azure AD.

3c

WIPWE-DeviceOn the Select Device blade, select the specific device(s) and click Select:

Note: This will only show the available devices for the selected user.

WIPWE-Success

Note: The permissions required to perform this wipe action, are Managed apps > Wipe.

End-user experience

Now let’s have a look at the end-user experience. I won’t go in to details about the min-enrollment that should be performed, as I’ve shown that before. What I do want to show is the name of the management account, below on the left, as that name is also displayed in the unenrollment message. Below on the right is the message that the end-user will receive once the remotely selective wipe is triggered. It will clearly show that the workplace account is removed. Personally I think that this message could use some adjustments to better explain the impact.

WIPWE-Enrolled WIPWE-Message

The unenrollment directly impacts the end-user experience. It doesn’t remove the locally saved corporate data, but it does revoke the encryption keys. That effectively removes the access to the locally saved corporate data. Below on the right is a locally saved corporate document, while the user is still enrolled. Below on the right is that locally saved corporate document, after being remotely selective wiped. Imagine how powerful this will become once we can require a managed device, or a managed app, in conditional access, for Windows 10 devices.

WIPWE-Encrypted WIPWE-EncryptedRevoked

Note: Make sure that the advanced setting Revoke encryption keys on unenroll is set to On. That’s the only way to actually revoke the access to the encrypted files.

More information

Fore more information regarding WIP, the current limitations of WIP and the creation of WIP-WE policies, please refer to the following articles: