The new Teams and Outlook have been here for a while now, if you happen to have Windows Information Protection configured and haven’t made any changes to your policies then you may have already started to get complaints from users that are unable to use the new versions. This is a quick post to explain what you need to do to configure Windows Information Protection (WIP) to allow these apps to function and access your corporate data.

Note: Windows Information Protection is being retired by Microsoft and won’t be included in newer versions of Windows. It does however still function in its “with enrolment” variant for now. The official replacement is Purview Data Loss Prevention but this does come with additional licensing cost and not an exact parity in terms of functionality with WIP. Take this as a reminder that if you heavily rely on this functionality to start looking at the alternatives now.

Why it doesn't work and what to do 

Typically for new desktop applications we’d grab the name of the executable, the publisher and product name then add these into WIP as a desktop app, but if you’ve tried this then you’ll know that it doesn’t work for the new Outlook or Teams. This is because they’re not traditional desktop apps, they are instead AppX packages meaning they are more akin to Microsoft Store apps even though they may not have originated from the store.

For these types of apps, we can retrieve the required information by using PowerShell. Note: if you don't know the package name you are interested in you can first use the following command to get a list of all the installed package names which you can then browse to find the correct one:

Get-AppxPackage | select Name

The commands we need for both the new Outlook and Teams are below:

Get-AppXPackage -Name Microsoft.OutlookForWindows
Get-AppxPackage -Name MSTeams

Here’s the result of running the Outlook one:

From here we can take the necessary information for WIP, namely the top two lines; “Name” and “Publisher”.

We can then go to Intune and add a store app, with the following field mappings to the data we have retrieved:

1. The “Name” in Intune is purely descriptive so can be anything you like

2. The “Product Name” field in Intune must contain the “Name” field of the AppX package

3. Publisher is straightforward and maps directly to Publisher

It should look like this:

Now we can save the policy, sync a device within scope and check the result. Once it’s taken affect you'll be able to use the new applications as intended.

For those curious we can check what context the application is acting in, be that personal or corporate via task manager. To do this:

1. Open Task Manager and Select the “Details” tab

2. Right click the column headings and “Select Columns”

3. From here add “Enterprise Context” as shown below:
   

We can now see for each individual process, what context it is running in and it’ll even tell us whether the app is enlightened or not. Below you can see the new Outlook (olk.exe) is unenlightened but running in the enterprise context therefore treating all data it uses as corporate.

And that's it for this blog, as noted at the top, if you are using this, really consider your plan for transitioning away from WIP, it won't be here forever!