List of Microsoft Apps for Windows Information Protection (WIP)
Use Windows Information Protection (WIP) to help make accidental data leakage a thing of the past
Applies to:
Windows 10, version 1607 and later
Windows 10 Mobile, version 1607 and later
Windows 10 Desktop - Find App PFN
Find a Package Family Name (PFN) for per-app VPN - Configuration Manager | Microsoft Docs
Find a PFN if the app is not installed on a computer Find a package family name (PFN) for per-app VPN - Configuration Manager | Microsoft Learn
- Go to Microsoft Apps
- Enter the name of the app in the search bar. In our example, search for OneNote.
- Click the link to the app. Note that the URL that you access has a series of letters at the end. In our example, the URL looks like this: OneNote for Windows 10 - Official app in the Microsoft Store
- In a different tab, paste the following URL, https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products//applockerdata, replacing with the app id you obtained from Microsoft Apps - that series of letters at the end of the URL in step 3. In our example, example of OneNote, you’d paste: https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata.
- In Edge, the information you want is displayed; in Internet Explorer, click Open to see the information. The PFN value is given on the FIRST LINE. Here’s how the results look for our example:
{ “packageFamilyName”: “Microsoft.Office.OneNote_8wekyb3d8bbwe”, “packageIdentityName”: “Microsoft.Office.OneNote”, “windowsPhoneLegacyId”: “ca05b3ab-f157-450c-8c49-a1f127f5e71d”, “publisherCertificateName”: “CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US” }
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
Enlightened versus unenlightened apps
Apps can be enlightened or unenlightened:
Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect, based on your policies.
Unenlightened apps consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because:
Windows Desktop shows it as always running in enterprise mode.
Windows Save As experiences only allow you to save your files as enterprise.
WIP-work only apps are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions.
List of enlightened Microsoft apps
Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
-
Microsoft Edge
-
Internet Explorer 11
-
Microsoft People
-
Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
-
Office 365 ProPlus apps, including Word, Excel, PowerPoint, OneNote, and Outlook
-
OneDrive app
-
OneDrive sync client (OneDrive.exe, the next generation sync client)
-
Microsoft Photos
-
Groove Music
-
Notepad
-
Microsoft Paint
-
Microsoft Movies & TV
-
Microsoft Messaging
-
Microsoft Remote Desktop
List of WIP-work only apps from Microsoft
Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions.
- Skype for Business
Adding enlightened Microsoft apps to the allowed apps list
You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the Publisher name, Product or File name, and App Type info for both Microsoft Intune and System Center Configuration Manager.
Microsoft.MicrosoftEdge
App Type: Universal app
PFN:
Microsoft.People
App Type: Universal app
PFN: “Microsoft.People_8wekyb3d8bbwe”
Microsoft.Office.Word
App Type: Universal app
PFN:
Microsoft.Office.Excel
App Type: Universal app
PFN:
Microsoft.Office.PowerPoint
App Type: Universal app
PFN:
Microsoft.Office.OneNote
App Type: Universal app
PFN:
Outlook Mail and Calendar
Product Name: microsoft.windowscommunicationsapps
PFN: “microsoft.windowscommunicationsapps_8wekyb3d8bbwe”
- Office 365 ProPlus Office 365 ProPlus apps are set up as a suite. You must use the O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files) to turn the suite on for WIP.
- We don’t recommend setting up Office by using individual paths or publisher rules.
Microsoft Photos
Microsoft.Windows.Photos
App Type: Universal app
PFN:
Groove Music
Microsoft.ZuneMusic
App Type: Universal app
PFN:
Microsoft Movies & TV
Microsoft.ZuneVideo
App Type: Universal app
PFN:
Microsoft Messaging
Microsoft.Messaging
App Type: Universal app
PFN:
IE11
Binary Name: iexplore.exe
App Type: Desktop app
PFN:
OneDrive Sync Client
Binary Name: onedrive.exe
App Type: Desktop app
PFN:
OneDrive app
Microsoft.Microsoftskydrive
Product Version:Product version: 17.21.0.0 (and later)
App Type: Universal app
PFN:
Notepad
Binary Name: notepad.exe
App Type: Desktop app
PFN:
Microsoft Paint
Binary Name: mspaint.exe
App Type: Desktop app
PFN:
Microsoft Remote Desktop
Binary Name: mstsc.exe
App Type: Desktop app
PFN: