
New-DeviceAppManagement_WindowsInformationProtectionPolicies

Sat Jan 18, 2020 12:18 pm

NAME New-DeviceAppManagement_WindowsInformationProtectionPolicies



SYNOPSIS

Creates a "microsoft.graph.windowsInformationProtectionPolicy" object.





SYNTAX

New-DeviceAppManagement_WindowsInformationProtectionPolicies [-assignments <object[]>]
    [-azureRightsManagementServicesAllowed <bool>] [-createdDateTime <DateTimeOffset>]
    [-dataRecoveryCertificate <object>] [-daysWithoutContactBeforeUnenroll <int>] [-description <string>]
    [-displayName <string>] [-enforcementLevel <string>] [-enterpriseDomain <string>]
    [-enterpriseInternalProxyServers <object[]>] [-enterpriseIPRanges <object[]>]
    [-enterpriseIPRangesAreAuthoritative <bool>] [-enterpriseNetworkDomainNames <object[]>]
    [-enterpriseProtectedDomainNames <object[]>] [-enterpriseProxiedDomains <object[]>]
    [-enterpriseProxyServers <object[]>] [-enterpriseProxyServersAreAuthoritative <bool>]
    [-exemptAppLockerFiles <object[]>] [-exemptApps <object[]>] [-iconsVisible <bool>]
    [-indexingEncryptedStoresOrItemsBlocked <bool>] [-isAssigned <bool>] [-lastModifiedDateTime <DateTimeOffset>]
    [-mdmEnrollmentUrl <string>] [-minutesOfInactivityBeforeDeviceLock <int>] [-neutralDomainResources <object[]>]
    [-numberOfPastPinsRemembered <int>] [-passwordMaximumAttemptCount <int>] [-pinExpirationDays <int>]
    [-pinLowercaseLetters <string>] [-pinMinimumLength <int>] [-pinSpecialCharacters <string>]
    [-pinUppercaseLetters <string>] [-protectedAppLockerFiles <object[]>] [-protectedApps <object[]>]
    [-protectionUnderLockConfigRequired <bool>] [-revokeOnMdmHandoffDisabled <bool>]
    [-revokeOnUnenrollDisabled <bool>] [-rightsManagementServicesTemplateId <Guid>]
    [-smbAutoEncryptedFileExtensions <object[]>] [-version <string>] [-windowsHelloForBusinessBlocked <bool>]
    [<CommonParameters>]



New-DeviceAppManagement_WindowsInformationProtectionPolicies -ODataType <string> [-assignments <object[]>]
    [-azureRightsManagementServicesAllowed <bool>] [-createdDateTime <DateTimeOffset>]
    [-dataRecoveryCertificate <object>] [-daysWithoutContactBeforeUnenroll <int>] [-description <string>]
    [-displayName <string>] [-enforcementLevel <string>] [-enterpriseDomain <string>]
    [-enterpriseInternalProxyServers <object[]>] [-enterpriseIPRanges <object[]>]
    [-enterpriseIPRangesAreAuthoritative <bool>] [-enterpriseNetworkDomainNames <object[]>]
    [-enterpriseProtectedDomainNames <object[]>] [-enterpriseProxiedDomains <object[]>]
    [-enterpriseProxyServers <object[]>] [-enterpriseProxyServersAreAuthoritative <bool>]
    [-exemptAppLockerFiles <object[]>] [-exemptApps <object[]>] [-iconsVisible <bool>]
    [-indexingEncryptedStoresOrItemsBlocked <bool>] [-isAssigned <bool>] [-lastModifiedDateTime <DateTimeOffset>]
    [-mdmEnrollmentUrl <string>] [-minutesOfInactivityBeforeDeviceLock <int>] [-neutralDomainResources <object[]>]
    [-numberOfPastPinsRemembered <int>] [-passwordMaximumAttemptCount <int>] [-pinExpirationDays <int>]
    [-pinLowercaseLetters <string>] [-pinMinimumLength <int>] [-pinSpecialCharacters <string>]
    [-pinUppercaseLetters <string>] [-protectedAppLockerFiles <object[]>] [-protectedApps <object[]>]
    [-protectionUnderLockConfigRequired <bool>] [-revokeOnMdmHandoffDisabled <bool>]
    [-revokeOnUnenrollDisabled <bool>] [-rightsManagementServicesTemplateId <Guid>]
    [-smbAutoEncryptedFileExtensions <object[]>] [-version <string>] [-windowsHelloForBusinessBlocked <bool>]
    [<CommonParameters>]





DESCRIPTION

Adds a "microsoft.graph.windowsInformationProtectionPolicy" object to the "windowsInformationProtectionPolicies"

collection.



Windows information protection for apps running on devices which are not MDM enrolled.



Graph call: POST ~/deviceAppManagement/windowsInformationProtectionPolicies





PARAMETERS

-revokeOnMdmHandoffDisabled <bool>

The "revokeOnMdmHandoffDisabled" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



New property in RS2, pending documentation



Required? false

Position? named

Default value False

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-mdmEnrollmentUrl <string>

The "mdmEnrollmentUrl" property, of type "Edm.String".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Enrollment URL for the MDM



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-windowsHelloForBusinessBlocked <bool>

The "windowsHelloForBusinessBlocked" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Boolean value that sets Windows Hello for Business as a method for signing into Windows.



Required? false

Position? named

Default value False

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-pinMinimumLength <int>

The "pinMinimumLength" property, of type "Edm.Int32".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest

number you can configure for this policy setting is 4. The largest number you can configure must be less than

the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest.



Required? false

Position? named

Default value 0

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-pinUppercaseLetters <string>

The "pinUppercaseLetters" property, of type

"microsoft.graph.windowsInformationProtectionPinCharacterRequirements".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Integer value that configures the use of uppercase letters in the Windows Hello for Business PIN. Default is

NotAllow.



Valid values: 'notAllow', 'requireAtLeastOne', 'allow'



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-pinLowercaseLetters <string>

The "pinLowercaseLetters" property, of type

"microsoft.graph.windowsInformationProtectionPinCharacterRequirements".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Integer value that configures the use of lowercase letters in the Windows Hello for Business PIN. Default is

NotAllow.



Valid values: 'notAllow', 'requireAtLeastOne', 'allow'



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-pinSpecialCharacters <string>

The "pinSpecialCharacters" property, of type

"microsoft.graph.windowsInformationProtectionPinCharacterRequirements".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Integer value that configures the use of special characters in the Windows Hello for Business PIN. Valid

special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; < =

> ? @ [ \ ] ^ _ ` { | } ~. Default is NotAllow.



Valid values: 'notAllow', 'requireAtLeastOne', 'allow'



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-pinExpirationDays <int>

The "pinExpirationDays" property, of type "Edm.Int32".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Integer value specifies the period of time (in days) that a PIN can be used before the system requires the

user to change it. The largest number you can configure for this policy setting is 730. The lowest number you

can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.

This node was added in Windows 10, version 1511. Default is 0.



Required? false

Position? named

Default value 0

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-numberOfPastPinsRemembered <int>

The "numberOfPastPinsRemembered" property, of type "Edm.Int32".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Integer value that specifies the number of past PINs that can be associated to a user account that can't be

reused. The largest number you can configure for this policy setting is 50. The lowest number you can

configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not

required. This node was added in Windows 10, version 1511. Default is 0.



Required? false

Position? named

Default value 0

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-passwordMaximumAttemptCount <int>

The "passwordMaximumAttemptCount" property, of type "Edm.Int32".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



The number of authentication failures allowed before the device will be wiped. A value of 0 disables device

wipe functionality. Range is an integer X where 4 <= X <= 16 for desktop and 0 <= X <= 999 for mobile devices.



Required? false

Position? named

Default value 0

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-minutesOfInactivityBeforeDeviceLock <int>

The "minutesOfInactivityBeforeDeviceLock" property, of type "Edm.Int32".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device

to become PIN or password locked. Range is an integer X where 0 <= X <= 999.



Required? false

Position? named

Default value 0

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-daysWithoutContactBeforeUnenroll <int>

The "daysWithoutContactBeforeUnenroll" property, of type "Edm.Int32".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Offline interval before app data is wiped (days)



Required? false

Position? named

Default value 0

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-enforcementLevel <string>

The "enforcementLevel" property, of type "microsoft.graph.windowsInformationProtectionEnforcementLevel".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



WIP enforcement level. See the Enum definition for supported values.



Valid values: 'noProtection', 'encryptAndAuditOnly', 'encryptAuditAndPrompt', 'encryptAuditAndBlock'



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-enterpriseDomain <string>

The "enterpriseDomain" property, of type "Edm.String".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Primary enterprise domain



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-enterpriseProtectedDomainNames <object[]>

The "enterpriseProtectedDomainNames" property, of type

"microsoft.graph.windowsInformationProtectionResourceCollection".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



List of enterprise domains to be protected



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-protectionUnderLockConfigRequired <bool>

The "protectionUnderLockConfigRequired" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured



Required? false

Position? named

Default value False

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-dataRecoveryCertificate <object>

The "dataRecoveryCertificate" property, of type

"microsoft.graph.windowsInformationProtectionDataRecoveryCertificate".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as

the data recovery agent (DRA) certificate for Encrypting File System (EFS).



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-revokeOnUnenrollDisabled <bool>

The "revokeOnUnenrollDisabled" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If

set to 1 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to

protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup

subsequently.



Required? false

Position? named

Default value False

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-rightsManagementServicesTemplateId <Guid>

The "rightsManagementServicesTemplateId" property, of type "Edm.Guid".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



TemplateID GUID to use for RMS encryption. The RMS template allows the IT admin to configure the details about

who has access to RMS-protected files and how long they have access



Required? false

Position? named

Default value 00000000-0000-0000-0000-000000000000

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-azureRightsManagementServicesAllowed <bool>

The "azureRightsManagementServicesAllowed" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Specifies whether to allow Azure RMS encryption for WIP



Required? false

Position? named

Default value False

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-iconsVisible <bool>

The "iconsVisible" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app

tiles in the Start menu. Starting in Windows 10, version 1703 this setting also configures the visibility of

the WIP icon in the title bar of a WIP-protected app



Required? false

Position? named

Default value False

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-protectedApps <object[]>

The "protectedApps" property, of type "microsoft.graph.windowsInformationProtectionApp".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Protected applications can access enterprise data and the data handled by those applications are protected

with encryption



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-exemptApps <object[]>

The "exemptApps" property, of type "microsoft.graph.windowsInformationProtectionApp".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Exempt applications can also access enterprise data, but the data handled by those applications are not

protected. This is because some critical enterprise applications may have compatibility problems with

encrypted data.



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-enterpriseNetworkDomainNames <object[]>

The "enterpriseNetworkDomainNames" property, of type

"microsoft.graph.windowsInformationProtectionResourceCollection".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains

that is sent to a device will be considered enterprise data and protected. These locations will be considered a

safe destination for enterprise data to be shared to



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-enterpriseProxiedDomains <object[]>

The "enterpriseProxiedDomains" property, of type

"microsoft.graph.windowsInformationProtectionProxiedDomainCollection".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to

these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the

cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A

proxy server used for this purpose must also be configured using the EnterpriseInternalProxyServers policy



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-enterpriseIPRanges <object[]>

The "enterpriseIPRanges" property, of type "microsoft.graph.windowsInformationProtectionIPRangeCollection".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those

computers will be considered part of the enterprise and protected. These locations will be considered a safe

destination for enterprise data to be shared to



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-enterpriseIPRangesAreAuthoritative <bool>

The "enterpriseIPRangesAreAuthoritative" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find

other subnets. Default is false



Required? false

Position? named

Default value False

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-enterpriseProxyServers <object[]>

The "enterpriseProxyServers" property, of type

"microsoft.graph.windowsInformationProtectionResourceCollection".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



This is a list of proxy servers. Any server not on this list is considered non-enterprise



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-enterpriseInternalProxyServers <object[]>

The "enterpriseInternalProxyServers" property, of type

"microsoft.graph.windowsInformationProtectionResourceCollection".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



This is the comma-separated list of internal proxy servers. For example, "157.54.14.28, 157.54.11.118,

10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to

specific resources on the Internet. They are considered to be enterprise network locations. The proxies are

only leveraged in configuring the EnterpriseProxiedDomains policy to force traffic to the matched domains

through these proxies



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-enterpriseProxyServersAreAuthoritative <bool>

The "enterpriseProxyServersAreAuthoritative" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Boolean value that tells the client to accept the configured list of proxies and not try to detect other work

proxies. Default is false



Required? false

Position? named

Default value False

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-neutralDomainResources <object[]>

The "neutralDomainResources" property, of type

"microsoft.graph.windowsInformationProtectionResourceCollection".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



List of domain names that can be used for work or personal resources



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-indexingEncryptedStoresOrItemsBlocked <bool>

The "indexingEncryptedStoresOrItemsBlocked" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



This switch is for the Windows Search Indexer, to allow or disallow indexing of items



Required? false

Position? named

Default value False

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-smbAutoEncryptedFileExtensions <object[]>

The "smbAutoEncryptedFileExtensions" property, of type

"microsoft.graph.windowsInformationProtectionResourceCollection".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an

SMB share within the corporate boundary



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-isAssigned <bool>

The "isAssigned" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Indicates if the policy is deployed to any inclusion groups or not.



Required? false

Position? named

Default value False

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-protectedAppLockerFiles <object[]>

The "protectedAppLockerFiles" property, of type "microsoft.graph.windowsInformationProtectionAppLockerFile".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Another way to input protected apps through xml files



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-exemptAppLockerFiles <object[]>

The "exemptAppLockerFiles" property, of type "microsoft.graph.windowsInformationProtectionAppLockerFile".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Another way to input exempt apps through xml files



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-assignments <object[]>

The "assignments" property, of type "microsoft.graph.targetedManagedAppPolicyAssignment".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Navigation property to list of security groups targeted for policy.



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-displayName <string>

The "displayName" property, of type "Edm.String".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Policy display name.



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-description <string>

The "description" property, of type "Edm.String".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



The policy's description.



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-createdDateTime <DateTimeOffset>

The "createdDateTime" property, of type "Edm.DateTimeOffset".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



The date and time the policy was created.



Required? false

Position? named

Default value 1/1/0001 12:00:00 AM +00:00

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-lastModifiedDateTime <DateTimeOffset>

The "lastModifiedDateTime" property, of type "Edm.DateTimeOffset".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Last time the policy was modified.



Required? false

Position? named

Default value 1/1/0001 12:00:00 AM +00:00

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-version <string>

The "version" property, of type "Edm.String".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Version of the entity.



Required? false

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-ODataType <string>

The value provided in a search result (i.e. GET on a collection) in the "@odata.type" property.



Required? true

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



-@odata.type <string>

The value provided in a search result (i.e. GET on a collection) in the "@odata.type" property.



This is an alias of the ODataType parameter.



Required? true

Position? named

Default value

Accept pipeline input? true (ByPropertyName)

Accept wildcard characters? false



<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,

ErrorAction, ErrorVariable, WarningAction, WarningVariable,

OutBuffer, PipelineVariable, and OutVariable. For more information, see

about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
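
The ranges and enumerations stated in the parameter list above can be checked before the policy is sent to Graph. The following is an added example, not part of the original help text or of the module: Test-WipPolicyParameters is a hypothetical helper that validates a splatting hashtable against the limits documented on this page and flags the settings the descriptions identify as reducing protection. The sample values and the contoso.example domain are constructed.

```powershell
# Added example: Test-WipPolicyParameters is a hypothetical helper, not part of the module.
# It checks a parameter hashtable against the ranges and enum values stated in this help
# text before the hashtable is splatted to the cmdlet.
function Test-WipPolicyParameters {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        # passwordMaximumAttemptCount has different ranges for desktop and mobile devices.
        [ValidateSet('desktop', 'mobile')] [string] $DeviceClass = 'desktop'
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    $report = {
        param($Severity, $Parameter, $Message)
        $findings.Add([pscustomobject]@{ Severity = $Severity; Parameter = $Parameter; Message = $Message })
    }

    # Inclusive integer ranges from the parameter descriptions. The comparison of
    # pinMinimumLength with a maximum PIN length is not checked: this cmdlet has no such parameter.
    $ranges = @{
        pinMinimumLength                    = 4, 127
        pinExpirationDays                   = 0, 730
        numberOfPastPinsRemembered          = 0, 50
        minutesOfInactivityBeforeDeviceLock = 0, 999
    }
    foreach ($name in $ranges.Keys) {
        if (-not $Policy.ContainsKey($name)) { continue }
        $min, $max = $ranges[$name]
        $value = $Policy[$name]
        if ($value -isnot [int] -or $value -lt $min -or $value -gt $max) {
            & $report 'Error' $name "Value '$value' is outside the documented range $min to $max."
        }
    }

    # Enum values exactly as listed under "Valid values".
    $pinRule = 'notAllow', 'requireAtLeastOne', 'allow'
    $enums = @{
        enforcementLevel     = 'noProtection', 'encryptAndAuditOnly', 'encryptAuditAndPrompt', 'encryptAuditAndBlock'
        pinUppercaseLetters  = $pinRule
        pinLowercaseLetters  = $pinRule
        pinSpecialCharacters = $pinRule
    }
    foreach ($name in $enums.Keys) {
        if ($Policy.ContainsKey($name) -and $Policy[$name] -notin $enums[$name]) {
            & $report 'Error' $name "'$($Policy[$name])' is not one of: $($enums[$name] -join ', ')."
        }
    }

    if ($Policy.ContainsKey('passwordMaximumAttemptCount')) {
        $count = $Policy['passwordMaximumAttemptCount']
        # Assumption: 0 is accepted for both device classes, since the help text defines it as "wipe disabled".
        if ($DeviceClass -eq 'desktop') {
            $ok = $count -eq 0 -or ($count -ge 4 -and $count -le 16)
        } else {
            $ok = $count -ge 0 -and $count -le 999
        }
        if (-not $ok) {
            & $report 'Error' 'passwordMaximumAttemptCount' "Value '$count' is outside the $DeviceClass range."
        } elseif ($count -eq 0) {
            & $report 'Warning' 'passwordMaximumAttemptCount' 'A value of 0 disables device wipe after failed sign-ins.'
        }
    }

    # Settings whose descriptions say that protection is reduced.
    if ($Policy['enforcementLevel'] -eq 'noProtection') {
        & $report 'Warning' 'enforcementLevel' 'noProtection selects the enum value with no WIP enforcement.'
    }
    if ($Policy['revokeOnUnenrollDisabled'] -eq $true) {
        & $report 'Warning' 'revokeOnUnenrollDisabled' 'WIP keys are kept after unenrollment; protected files stay readable.'
    }
    if ($Policy['exemptApps']) {
        & $report 'Warning' 'exemptApps' 'Data handled by exempt apps is not protected; review each entry.'
    }

    $findings
}

# Constructed sample input; contoso.example is a placeholder domain.
$policy = @{
    displayName                 = 'WIP - unenrolled devices'
    enterpriseDomain            = 'contoso.example'
    enforcementLevel            = 'encryptAuditAndBlock'
    pinMinimumLength            = 3
    pinExpirationDays           = 365
    passwordMaximumAttemptCount = 0
    revokeOnUnenrollDisabled    = $true
}

$findings = Test-WipPolicyParameters -Policy $policy
$findings | Format-Table -AutoSize

# Create the policy only when no documented limit is violated (requires an authenticated Graph session).
if (-not ($findings | Where-Object Severity -eq 'Error')) {
    New-DeviceAppManagement_WindowsInformationProtectionPolicies @policy
}
```
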



INPUTS

System.Boolean

The "revokeOnMdmHandoffDisabled" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



New property in RS2, pending documentation



System.String

The "mdmEnrollmentUrl" property, of type "Edm.String".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Enrollment URL for the MDM



System.Boolean

The "windowsHelloForBusinessBlocked" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Boolean value that sets Windows Hello for Business as a method for signing into Windows.



System.Int32

The "pinMinimumLength" property, of type "Edm.Int32".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest

number you can configure for this policy setting is 4. The largest number you can configure must be less than

the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest.



System.String

The "pinUppercaseLetters" property, of type

"microsoft.graph.windowsInformationProtectionPinCharacterRequirements".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Integer value that configures the use of uppercase letters in the Windows Hello for Business PIN. Default is

NotAllow.



Valid values: 'notAllow', 'requireAtLeastOne', 'allow'



System.String

The "pinLowercaseLetters" property, of type

"microsoft.graph.windowsInformationProtectionPinCharacterRequirements".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Integer value that configures the use of lowercase letters in the Windows Hello for Business PIN. Default is

NotAllow.



Valid values: 'notAllow', 'requireAtLeastOne', 'allow'



System.String

The "pinSpecialCharacters" property, of type

"microsoft.graph.windowsInformationProtectionPinCharacterRequirements".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Integer value that configures the use of special characters in the Windows Hello for Business PIN. Valid

special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; < =

> ? @ [ \ ] ^ _ ` { | } ~. Default is NotAllow.



Valid values: 'notAllow', 'requireAtLeastOne', 'allow'



System.Int32

The "pinExpirationDays" property, of type "Edm.Int32".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Integer value specifies the period of time (in days) that a PIN can be used before the system requires the

user to change it. The largest number you can configure for this policy setting is 730. The lowest number you

can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.

This node was added in Windows 10, version 1511. Default is 0.



System.Int32

The "numberOfPastPinsRemembered" property, of type "Edm.Int32".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Integer value that specifies the number of past PINs that can be associated to a user account that can't be

reused. The largest number you can configure for this policy setting is 50. The lowest number you can

configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not

required. This node was added in Windows 10, version 1511. Default is 0.



System.Int32

The "passwordMaximumAttemptCount" property, of type "Edm.Int32".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



The number of authentication failures allowed before the device will be wiped. A value of 0 disables device

wipe functionality. Range is an integer X where 4 <= X <= 16 for desktop and 0 <= X <= 999 for mobile devices.



System.Int32

The "minutesOfInactivityBeforeDeviceLock" property, of type "Edm.Int32".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device

to become PIN or password locked. Range is an integer X where 0 <= X <= 999.



System.Int32

The "daysWithoutContactBeforeUnenroll" property, of type "Edm.Int32".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Offline interval before app data is wiped (days)



System.String

The "enforcementLevel" property, of type "microsoft.graph.windowsInformationProtectionEnforcementLevel".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



WIP enforcement level. See the Enum definition for supported values.



Valid values: 'noProtection', 'encryptAndAuditOnly', 'encryptAuditAndPrompt', 'encryptAuditAndBlock'



System.String

The "enterpriseDomain" property, of type "Edm.String".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Primary enterprise domain



System.Object[]

The "enterpriseProtectedDomainNames" property, of type

"microsoft.graph.windowsInformationProtectionResourceCollection".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



List of enterprise domains to be protected



System.Boolean

The "protectionUnderLockConfigRequired" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured



System.Object

The "dataRecoveryCertificate" property, of type

"microsoft.graph.windowsInformationProtectionDataRecoveryCertificate".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as

the data recovery agent (DRA) certificate for Encrypting File System (EFS).



System.Boolean

The "revokeOnUnenrollDisabled" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If

set to 1 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to

protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup

subsequently.



System.Guid

The "rightsManagementServicesTemplateId" property, of type "Edm.Guid".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



TemplateID GUID to use for RMS encryption. The RMS template allows the IT admin to configure the details about

who has access to RMS-protected files and how long they have access.



System.Boolean

The "azureRightsManagementServicesAllowed" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Specifies whether to allow Azure RMS encryption for WIP



System.Boolean

The "iconsVisible" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app

tiles in the Start menu. Starting in Windows 10, version 1703 this setting also configures the visibility of

the WIP icon in the title bar of a WIP-protected app



System.Object[]

The "protectedApps" property, of type "microsoft.graph.windowsInformationProtectionApp".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Protected applications can access enterprise data, and the data handled by those applications is protected

with encryption



System.Object[]

The "exemptApps" property, of type "microsoft.graph.windowsInformationProtectionApp".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Exempt applications can also access enterprise data, but the data handled by those applications is not

protected. This is because some critical enterprise applications may have compatibility problems with

encrypted data.



System.Object[]

The "enterpriseNetworkDomainNames" property, of type

"microsoft.graph.windowsInformationProtectionResourceCollection".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains

that is sent to a device will be considered enterprise data and protected. These locations will be considered a

safe destination for enterprise data to be shared to



System.Object[]

The "enterpriseProxiedDomains" property, of type

"microsoft.graph.windowsInformationProtectionProxiedDomainCollection".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to

these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the

cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A

proxy server used for this purpose must also be configured using the EnterpriseInternalProxyServers policy



System.Object[]

The "enterpriseIPRanges" property, of type "microsoft.graph.windowsInformationProtectionIPRangeCollection".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those

computers will be considered part of the enterprise and protected. These locations will be considered a safe

destination for enterprise data to be shared to



System.Boolean

The "enterpriseIPRangesAreAuthoritative" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find

other subnets. Default is false



System.Object[]

The "enterpriseProxyServers" property, of type

"microsoft.graph.windowsInformationProtectionResourceCollection".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



This is a list of proxy servers. Any server not on this list is considered non-enterprise



System.Object[]

The "enterpriseInternalProxyServers" property, of type

"microsoft.graph.windowsInformationProtectionResourceCollection".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



This is the comma-separated list of internal proxy servers. For example, "157.54.14.28, 157.54.11.118,

10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to

specific resources on the Internet. They are considered to be enterprise network locations. The proxies are

only leveraged in configuring the EnterpriseProxiedDomains policy to force traffic to the matched domains

through these proxies



System.Boolean

The "enterpriseProxyServersAreAuthoritative" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Boolean value that tells the client to accept the configured list of proxies and not try to detect other work

proxies. Default is false



System.Object[]

The "neutralDomainResources" property, of type

"microsoft.graph.windowsInformationProtectionResourceCollection".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



List of domain names that can be used for work or personal resources.



System.Boolean

The "indexingEncryptedStoresOrItemsBlocked" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



This switch is for the Windows Search Indexer, to allow or disallow indexing of items



System.Object[]

The "smbAutoEncryptedFileExtensions" property, of type

"microsoft.graph.windowsInformationProtectionResourceCollection".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an

SMB share within the corporate boundary



System.Boolean

The "isAssigned" property, of type "Edm.Boolean".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Indicates if the policy is deployed to any inclusion groups or not.



System.Object[]

The "protectedAppLockerFiles" property, of type "microsoft.graph.windowsInformationProtectionAppLockerFile".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Another way to input protected apps through xml files



System.Object[]

The "exemptAppLockerFiles" property, of type "microsoft.graph.windowsInformationProtectionAppLockerFile".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Another way to input exempt apps through xml files



System.Object[]

The "assignments" property, of type "microsoft.graph.targetedManagedAppPolicyAssignment".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Navigation property to list of security groups targeted for policy.



System.String

The "displayName" property, of type "Edm.String".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Policy display name.



System.String

The "description" property, of type "Edm.String".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



The policy's description.



System.DateTimeOffset

The "createdDateTime" property, of type "Edm.DateTimeOffset".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



The date and time the policy was created.



System.DateTimeOffset

The "lastModifiedDateTime" property, of type "Edm.DateTimeOffset".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Last time the policy was modified.



System.String

The "version" property, of type "Edm.String".



This property is on the "microsoft.graph.windowsInformationProtectionPolicy" type.



Version of the entity.



System.String

The value provided in a search result (i.e. GET on a collection) in the "@odata.type" property.
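The following is an added example, not part of the original help text or of the Intune PowerShell SDK: it reviews a parameter set against the behaviours described above (enforcement level, key revocation on unenroll, authoritative network lists, lock timeout range) before splatting it into the cmdlet. Test-WipPolicyParameters is a hypothetical helper, the policy values are constructed samples, and an already authenticated session (for example via the SDK's Connect-MSGraph) is assumed.

```powershell
# Hypothetical helper (not an SDK cmdlet): returns review findings for a WIP parameter set.
function Test-WipPolicyParameters {
    param([Parameter(Mandatory)][hashtable]$Policy)

    # Valid values as listed for -enforcementLevel on this page.
    $validLevels = 'noProtection', 'encryptAndAuditOnly', 'encryptAuditAndPrompt', 'encryptAuditAndBlock'
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($Policy.enforcementLevel -notin $validLevels) {
        $findings.Add("enforcementLevel '$($Policy.enforcementLevel)' is not one of: $($validLevels -join ', ')")
    } elseif ($Policy.enforcementLevel -ne 'encryptAuditAndBlock') {
        # Assumption: this review treats anything short of blocking as needing sign-off.
        $findings.Add("enforcementLevel is '$($Policy.enforcementLevel)', not 'encryptAuditAndBlock'")
    }
    if ($Policy.revokeOnUnenrollDisabled -eq $true) {
        $findings.Add('revokeOnUnenrollDisabled is true: WIP keys stay usable after unenrollment')
    }
    foreach ($flag in 'enterpriseIPRangesAreAuthoritative', 'enterpriseProxyServersAreAuthoritative') {
        # Both default to false, which lets the client look beyond the configured list.
        if (-not $Policy[$flag]) { $findings.Add("$flag is false or unset: client may detect other subnets/proxies") }
    }
    if ($Policy.ContainsKey('minutesOfInactivityBeforeDeviceLock')) {
        $m = $Policy.minutesOfInactivityBeforeDeviceLock
        if ($m -lt 0 -or $m -gt 999) { $findings.Add("minutesOfInactivityBeforeDeviceLock $m is outside 0..999") }
    }
    return $findings
}

# Constructed sample values; replace with the organisation's own.
$policy = @{
    displayName                            = 'WIP baseline (sample)'
    enterpriseDomain                       = 'contoso.example'
    enforcementLevel                       = 'encryptAuditAndBlock'
    revokeOnUnenrollDisabled               = $false
    enterpriseIPRangesAreAuthoritative     = $true
    enterpriseProxyServersAreAuthoritative = $true
    minutesOfInactivityBeforeDeviceLock    = 15
}

$findings = @(Test-WipPolicyParameters -Policy $policy)
if ($findings.Count -eq 0) {
    # Hashtable keys match the cmdlet's parameter names, so the set can be splatted.
    New-DeviceAppManagement_WindowsInformationProtectionPolicies @policy
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```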





OUTPUTS





RELATED LINKS

GitHub Repository https://github.com/Microsoft/Intune-PowerShell-SDK