Part 11 – Configure Microsoft Intune – Mobile Application Management Without Enrollment

This time I want to write a blog post about MAM on an unmanaged Windows 10 device. I saw some questions about this functionality on the World Wide Web and mostly was the question based on the support of Windows 10 editions, like Pro and Home edition. That was for me the trigger to try this feature with Microsoft Intune and Windows 10 Home Edition.

What does Windows Information Protection do?

Windows 10 has since the release of 1607 new feature called Windows Information Protection (WIP). WIP will be used for protecting corporate data within an app or desktop application.  This will prevent data loss on a BYOD device. WIP works also on a managed Windows 10 device, so it’s not only depending on a BYOD concept.  What WIP does is making a container which will be used for corporate data only. Because of this will separate WIP the personal data from the corporate data. Within WIP you can, as IT admin, make policy to prevent data loss. This can be done by Microsoft Intune, but also with Group Policy (GPO).  Within the policy, you can allow or block copy/paste corporate data to an unmanaged app or desktop application. The user cannot accidentally paste sensitive corporate data in his or her personal email or website. WIP will block this action.

More information on

Alrighty then, let’s begin!

Let’s begin with MAM w/o Enrollment. They are also called MAM-WE, what means Mobile Application Management Without Enrollment. To test WIP we have to download Office from on the unmanaged Windows 10 device.

Download Office from

Click on the Run button to start the download and installation.

Office is installing.

The installation is done. Click Close to close the setup. Microsoft Edge is still open, close this one also.

We got now an unmanaged Windows 10 device with Office 2016 installed. So, we can test the MAM-WE functionality in MS Intune. Let’s continue with the MS Intune portal and from there you go to Mobile Apps – App Protection policies.

Click Add a policy.

Enter a name for the policy. Platform is Windows 10 and Enrollment state is Without enrollment. Click on Protected apps.

Click on the button Add apps.

Select these apps. These apps will also work with corporate data. Click on the Ok button. From here click again on Add app.

Change the option from recommended apps to Desktop apps.

Enter here the Office apps, like Outlook and Word. You need this as PUBLISHER “O=Microsoft Corporation, L=Redmond, S=Washington, C=US”

Click on the Ok button. Now do the same for Outlook.

These apps will be protected by MS Intune based on the protection policy. Click on the Ok button. We skip exempt apps, for this not necessary.

Go to Required Settings and click on the Block button. This will block enterprise/corporate data to go outside the protected apps. This means you can’t copy text from the protected app to an unprotected app, like Notepad. Click on the Ok button.

Go to Advanced settings and click on Cloud resources. We have to edit this property. Add a | and after that add this Click on the Ok button (twice) and then on the create button to create the policy.

Click on the created app. Click on Assignments to assign the group.

It’s time to test this policy on an unmanaged Windows 10 Device.

Go to your device and open Outlook. This is the first run for Outlook. You see this window and enter here an email address.

Click on Office 365.

Enter here the password. Click on Sign in.

Maybe the user must verify his login. Click Next.

Click Yes.

Click Create PIN.

Enter here the PIN, don’t use a simple PIN, like 1234 or 8888.

Click Next.

Enter here the password of the logged in user. Click on the OK button. You can also check the MS Intune -> Device > Azure AD device. The machine will be Azure AD registered.

Deselect Set up Outlook Mobile and click on the Ok button.

Outlook is configured and ready to use. Click on the button Accept and start Outlook

Open Word. Type some text and go to the menu to save this document.

Save this document on a corporate storage, like OneDrive or SharePoint.

So, now is your document protected by Windows Information Protection. Let’s try to copy the text and paste into Notepad. We didn’t make a policy for Notepad, which means that the app is not protected.

You see that notepad is not a protected app and doesn’t allow to paste the text. Let’s try this in Outlook. Copy the text in Word again and try to paste into Outlook.

This action is allowed by WIP. This will work also vice versa. Make a new mail and type some text into it. Then copy the text and paste it into Notepad. You will get the same message as before with Word.

You can do this also with Microsoft Edge and Internet Explorer. They are also protected by WIP.

And if you go to your corporate (web)site, like SharePoint you will see this briefcase icon in the menu. This website is protected by WIP. Losing corporate data is now prevented by the policy.

This is how WIP in Internet Explorer looks like.

If you delete the work/school account from the BYOD device and you try to open the work-related document, you will get like this:

This will also work for Windows 10 Home Edition (1803). I think that the most BYOD windows 10 device is with Windows 10 Home Edition. I want to be sure if WIP also works on a Home Edition device. So, I have used the Home edition for this blog post.


So, this is what we did. We made a protection policy to protect corporate data in an app. We tested this on an unmanaged Windows 10 device with Office 2016. First, we saved the document on a corporate space/storage and later we copied the text from the document and paste it into an unprotected application, like Notepad. We did this also for Outlook, Microsoft Edge, and Internet Explorer. This is how Windows Information Protection works on a Windows 10 device.

This is it. Thanks for reading my blog post about MAM-WE in combination with Windows Information Protection. If you have any questions or comments about MAM-WE and WIP or maybe Microsoft Intune related, don’t hesitate to contact me by email or by posting a comment here below. I am also active on social media and some community forums, like Technet forum, Yammer, and Techcommunity.

Good luck! Take care now, bye bye then…


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.