Changes to Microsoft's Conditional Exchange Policy & Windows Information Protection Policy
  • 27 Sep 2023
  • 3 Minutes to read
  • PDF

Changes to Microsoft's Conditional Exchange Policy & Windows Information Protection Policy

  • PDF

Article Summary

Microsoft recently announced the deprecation of Basic authentication for Exchange Online and Windows Information protection policy.

Scalefusion offers support for Conditional Exchange Access using Basic Authentication and supports the configuration for Windows Information Policy for Windows modern managed devices and since the deprecations by Microsoft effect the above functionalities offered by Scalefusion.

Please go through the document below on how these deprecations effect the device management and the actions that need to be taken by IT Admin.

Changes to Conditional Exchange Policy

Conditional Exchange Policy or Conditional Email Access (CEA) allows IT Admins to enforce that the users enroll their devices to Scalefusion MDM before they can access their Email. To provide for CEA, we use the Online Powershell commands for Exchange to control the access to user's mailboxes.

Now with Microsoft deprecating the basic authentication for Exchange Online, they effectively have deprecated the Powershell access via Basic authentication. This means that Scalefusion can no longer execute the powershell commands to control the users email access.

However, Microsoft has given an option to Opt-Out of Modern authentication and enable Basic authentication for certain services. While Scalefusion team is working on adding the support for Modern authentication and continue the support for this feature, we request you to perform the following steps to enable Basic authentication for Powershell.

Steps To Enable Basic Authentication for Powershell for Online Exchange

  1. Click on the Link below and login to Microsoft 365 Admin center.
    Run Diagnostics: Basic Auth in EXO
  2. Once you have logged in, you would see the following option pre-filled in the Support dialog. Click on Run Tests.
  3. Once the diagnostics are complete, you would be shown the list of services where Basic authentication has been disabled.

    Sometimes the results may be empty, or you may get a notification that "There are no issues found". In that case, please reload the page ad Rerun the tests to ensure that the Basic authentication has not been disabled for Exchange Online PowerShell.

  4. From the Protocol to Opt Out* dropdown, select Exchange Online PowerShell, acknowledge the checkbox and click Update.
  5. Once the changes have been updated it would take around 1 to 2 hrs. for the basic authentication to be reenabled. Scalefusion Dashboard will automatically Sync the information and apply the policies in the next sync cycle.
These changes impact/apply only if you are using Microsoft Exchange Online. If you are using Microsoft Exchange On-Premises or Icewarp Exchange servers, then there are no changes or no impacts.

Changes to Windows Information Policy

Windows Information Policy was a quick and efficient way for IT Admins to encrypt work data and chose/approve applications that can handle the work app data. However, Microsoft has announced that this policy will no longer be supported and deprecated in updates to the Windows OS.

There are no native/inbuilt alternatives that are provided, and Microsoft suggests using Microsoft Purview Information Protection and Microsoft Purview Data Loss Prevention. Both of these offerings have separate licensing requirements and require a minimum of E3 and above subscription.

As there is no alternative provided that is native to modern management, our RnD team is working on providing a solution using our Scalefusion MDM Agent for Windows. While our team investigates further options, we advise the IT Admins the following actions to avoid any unknown issues because of the policy.

Steps to Disable Windows Information Policy

  1. Sign in to Scalefusion Dashboard and find all the Windows profile where you have enabled the Windows Information Policy.
  2. In each of the Profile, turn offthe Configure Windows Information Protection and update/save the profile.
    1. This will send a push to all devices and the policy will be removed for all devices which are online. This will also remove the protection for files that were already encrypted when the device receives the policy.


Stagged Rollout Advise:
We advise you to turn off this policy in a staged before turning off the policy in all profiles. Please ensure that there is an alternate source for the documents that may have been encrypted as in case the files are not decrypted after removal of policy.

At Scalefusion we realize that some of these changes may disrupt your deployment strategy and we are committed to working on finding suitable alternatives wherever applicable, however in certain cases when the underlying OS or Platform deprecates the feature, we have to follow suit. If at any time you have any questions or suggestions, please reach out to our Support team at support@scalefusion.com







Was this article helpful?