This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 69%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
Hi
If we let user to register BYOD Windows 10/11 devices, is there a way to secure the corporate data on that device?
Meaning that user could not copy files from corporate OneDrive folders to personal folders in that device or save Office files, opened from corporate OneDrive folders with for example Word, to personal file locations and so on.
I would appreciate some advice about securing corporate data in BYOD windows 10/11 devices. What can we do and what we can't do.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 54%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Yes you can. You would require Intune to accomplish this. You can create data boundaries so that documents and files can be viewed, and tracked but not saved. You would also have the option to wipe any corporate data while leaving the users personal data in tact.
@IMK Thanks for posting in our Q&A.
For this issue, Windows Information Protection will make it.
https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip#why-use-wip
You can refer to the following article to create a WIP policy with intune:
https://learn.microsoft.com/en-us/mem/intune/apps/windows-information-protection-policy-create
When the apps are added in the protected apps list, the data in these apps are corporate data, WIP will encrypt the data on the device.
Hope it will help.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@IMK I am currently standing by for further update from you and would like to know how things are going. If you have any questions or concerns on the recent information I've provided you, please don't hesitate to let me know.
So, do I create these data boundaries using WIP?
@IMK Thanks for your update.
For data boundaries, you can refer to the following article. It only determines where apps can access enterprise data.
https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure#choose-where-apps-can-access-enterprise-data
Based on my understanding, it is not a required setting.
If you add the OneDrive app in protected apps and set the "Windows Information Protection mode" to "Block" in the app protection policy, the data included in OneDrive are all enterprise data. When you try to copy the enterprise data to personal file, it will be blocked. You can refer to the pocture in the following link:
https://www.anoopcnair.com/windows-information-protection-the-concepts-1/
Note: Non-Microsoft link, just for the reference.
It couldn't prevent the enterprise data file saving to where. However, when the enterprise data file is saved to other locations, the file can be encrypted. It will not show the content of the data file.