This list includes 'Office 365 ProPlus apps, including... Outlook'. It appears that even with WIP enabled, Outlook does not mark the Outlook offline data file under %LOCALAPPDATA%\Microsoft\Outlook (*.ost) as a Work file, or .pst files that are opened in Outlook, and so it is not protected.
Is this expected behaviour? The file contains a complete copy of the entire mailbox.
Hello @ChrisAtMAF,
Is this expected behaviour? - yes, Outlook is marked as enlightened because it can differentiate between corporate and personal data (for example, in case of attached files), not because it protects PST or OST files.
The file contains a complete copy of the entire mailbox. - as it is stated in this article, to protect the mailbox locally, you can use Outlook in Online mode (or use EFS).
Thank you
Hi,
One of the key features advertised for WIP is 'Remove access to enterprise data from enterprise-protected devices' so that 'you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.' Are OST files therefore excluded from this protection? Meaning that it is possible to remove access to enterprise data from enterprise-protected devices, except for the OST file which contains the entire user mailbox?
Another key benefit of WIP is said to be 'Data encryption at rest'. 'WIP helps protect enterprise data on local files and on removable media.' But what you imply above is that even when WIP is enabled, by default OST files (hence the entire user mailbox) are not encrypted at rest?
Can I suggest that if WIP does not do either of those things 'out of the box' for user mailbox data, nor can it be configured to, then perhaps it is not fit for use?
Hello @ChrisAtMAF,
Yes, that totally makes sense, it would be logically correct to protect mailboxes, as most of the confidential data is stored in emails.
You can leave feedback for WIP at https://microsoftintune.uservoice.com/forums/291681-ideas.
Thank you
Hi, it seems like this ought to be mentioned in your article Limitations while using Windows Information Protection (WIP) as this also mentions other occasions when WIP will not protect data.
Perhaps mentioning that when Outlook is in Cached Exchange Mode (the default) the email data in Outlook OST and PST files will still be accessible even after a remote device wipe, and the data will not be encrypted at rest on the device. The only workaround at present is to avoid the use of PST files and only use Outlook in Online Mode, or use encryption to protect OST and PST files manually.
I have also left feedback for WIP as suggested here: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/40034839-extend-wip-to-protect-outlook-mailbox-data
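Added example, not part of the thread or of Microsoft's documentation: a PowerShell audit for the manual-encryption workaround described above, listing Outlook OST and PST files and whether each carries the NTFS Encrypted (EFS) file attribute. The default folder is the one named in the thread; any extra PST folders passed in `-Path` are an assumption supplied by whoever runs it.

```powershell
# Added example: report which Outlook data files are encrypted at the file level.
# The Encrypted attribute reflects per-file EFS encryption only; it says nothing
# about full-volume encryption such as BitLocker.
param(
    # Default OST location from the thread; add folders holding PST files as needed.
    [string[]]$Path = @("$env:LOCALAPPDATA\Microsoft\Outlook")
)

$results = foreach ($dir in $Path) {
    # Skip folders that do not exist for this user profile.
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.ost', '.pst' } |
        ForEach-Object {
            [pscustomobject]@{
                File      = $_.FullName
                SizeMB    = [math]::Round($_.Length / 1MB, 1)
                Encrypted = [bool]($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
                LastWrite = $_.LastWriteTime
            }
        }
}

# Unencrypted files sort first so they are the first thing the reviewer sees.
$results | Sort-Object Encrypted, File | Format-Table -AutoSize

$plain = @($results | Where-Object { -not $_.Encrypted })
if ($plain.Count -gt 0) {
    Write-Warning "$($plain.Count) Outlook data file(s) are not encrypted at the file level."
}
```

Run it in the context of the user whose profile is being checked, since `%LOCALAPPDATA%` resolves per user.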
@ChrisAtMAF - Thank you for submitting feedback.
From our understanding, the issue has been resolved based on this merged commit https://github.com/MicrosoftDocs/windows-itpro-docs/commit/90f70b5981d8c347cbe4ced42e1041dad36a0a3e.
Thank you for your contribution to make the docs better! Much appreciated!