From 15f8f4594de812d538a12f023364c2fa67a2a7b0 Mon Sep 17 00:00:00 2001 From: MikeBlodge Date: Thu, 2 Aug 2018 10:46:40 -0700 Subject: [PATCH 1/9] updating --- .../msix-app-ackaging-tool.md | 64 +++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 windows/application-management/msix-app-ackaging-tool.md diff --git a/windows/application-management/msix-app-ackaging-tool.md b/windows/application-management/msix-app-ackaging-tool.md new file mode 100644 index 0000000000..f380710a6e --- /dev/null +++ b/windows/application-management/msix-app-ackaging-tool.md 
@@ -0,0 +1,64 @@ +--- +title: Repackage your existing win32 applications to the MSIX format. +description: Learn how to install and use the MSIX packaging tool. +keyboards: ["MSIX", "application", "app", "win32", "packaging tool"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: medium +ms.author: mikeblodge +ms.topic: article +ms.date: 08/01/2018 +--- + +# Repackage existing win32 applications to the MSIX format + +The MSIX Packaging Tool (Preview) is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store (coming soon). + +> Prerequisites: +- Participation in the Windows Insider Program +- Minimum Windows 10 build 17701 +- Admin privileges on your PC account +- A valid MSA alias (to access the app from the Store) + +## What's new +- Moved "Send Feedback" to a top-level page in settings for better visibility. +- "Settings" saves now persist across app launches. +- All pop ups now have a uniform size. + + +## Installing the MSIX Packaging Tool + +1. Use the MSA login associated with your Windows Insider Program credentials in the [Microsoft Store](https://www.microsoft.com/store/r/9N5LW3JBCXKF). +2. Open the product description page. +3. Click the install icon to begin installation. + +This is an early preview build and not all features are supported. Here is what you can expect to be able to do with this preview: + +- Package your favorite application installer interactively (msi, exe, App-V 5.x and ClickOnce) to MSIX format by launching the tool and selecting **Application package** icon. +- Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon. 
+- Open your MSIX package to view and edit its content/properties by navigating to the **Open package editor** tab. Browse to the MSIX package and select **Open package**. + +Features not supported in the tool are currently greyed out. Here are some of the highlighted missing features: + +- Some options in the Settings page, such as adding/removing VFS/VREG and defining a default save location. +- Package Support Framework integration. For more detail on how you can use Package Support Framework today, check out the article posted on the [MSIX blog](https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMSIX-Blog%2FMSIX-Package-Support-Framework-is-now-available-on-GitHub%2Fba-p%2F214548&data=02%7C01%7Cpezan%40microsoft.com%7Cbe2761c174cd465136ce08d5f1252d8a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636680064344941094&sdata=uW3oOOEYQxd0iVgsJkZXZTQwlvf%2FimVCaOdFUXcRoeY%3D&reserved=0). +- Packaging on existing virtual machines. You can still install the Tool on a fresh VM, but the tool cannot currently spawn off a conversion from a local machine to an existing VM. +- Command Line Interface support +- Conversion of App-V 4.x packages + +## How to file feedback + +Open Feedback Hub. Alternatively, launch the tool and select the **Settings** gear icon in the top right corner to open the Feedback tab. Here you can file feedback for suggestions, problems, and see other feedback items. + +## Best practices + +- When Packaging ClickOnce installers, it is necessary to send a shortcut to the desktop if the installer is not doing so already. In general, it's a good practice to always send a shortcut to your desktop for the main app executable. +- When creating modification packages, you need to declare the **Package Name** (Identity Name) of the parent application in the tool UI so that the tool sets the correct package dependency in the manifest of the modification package. 
+- Declaring an installation location field on the Package information page is optional but *recommended*. Make sure that this path matches the installation location of application Installer. +- Performing the preparation steps on the **Prepare Computer** page is optional but *highly recommended*. + +## Known bugs +1. Signing the package with Password protected certificates does not work. Please use a non-password protected password in the tool, or use Signtool (available from SDK) to sign your package for sideload testing. +2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually. + From 78ee22dd58906b408798465633f9aa9c0332a91a Mon Sep 17 00:00:00 2001 From: MikeBlodge Date: Thu, 2 Aug 2018 15:03:05 -0700 Subject: [PATCH 2/9] updating --- .../{msix-app-ackaging-tool.md => msix-app-packaging-tool.md} | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) rename windows/application-management/{msix-app-ackaging-tool.md => msix-app-packaging-tool.md} (99%) diff --git a/windows/application-management/msix-app-ackaging-tool.md b/windows/application-management/msix-app-packaging-tool.md similarity index 99% rename from windows/application-management/msix-app-ackaging-tool.md rename to windows/application-management/msix-app-packaging-tool.md index f380710a6e..6e5fdc953a 100644 --- a/windows/application-management/msix-app-ackaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md 
@@ -16,6 +16,7 @@ ms.date: 08/01/2018 The MSIX Packaging Tool (Preview) is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store (coming soon). > Prerequisites: + - Participation in the Windows Insider Program - Minimum Windows 10 build 17701 - Admin privileges on your PC account @@ -58,7 +59,7 @@ Open Feedback Hub. Alternatively, launch the tool and select the **Settings** ge - Declaring an installation location field on the Package information page is optional but *recommended*. Make sure that this path matches the installation location of application Installer. - Performing the preparation steps on the **Prepare Computer** page is optional but *highly recommended*. -## Known bugs +## Known issues 1. Signing the package with Password protected certificates does not work. Please use a non-password protected password in the tool, or use Signtool (available from SDK) to sign your package for sideload testing. 2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually. From 634804869be912ecb98ade4a25d25f66f94c0d55 Mon Sep 17 00:00:00 2001 From: MikeBlodge Date: Thu, 2 Aug 2018 15:50:40 -0700 Subject: [PATCH 3/9] updating --- windows/application-management/msix-app-packaging-tool.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index 6e5fdc953a..e48cb1bcec 100644 --- a/windows/application-management/msix-app-packaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md 
@@ -25,6 +25,7 @@ The MSIX Packaging Tool (Preview) is now available to install from the Microsoft ## What's new - Moved "Send Feedback" to a top-level page in settings for better visibility. - "Settings" saves now persist across app launches. +- Changing default save location is now supported through Settings menu. - All pop ups now have a uniform size. 
@@ -60,6 +61,9 @@ Open Feedback Hub. Alternatively, launch the tool and select the **Settings** ge - Performing the preparation steps on the **Prepare Computer** page is optional but *highly recommended*. ## Known issues -1. Signing the package with Password protected certificates does not work. Please use a non-password protected password in the tool, or use Signtool (available from SDK) to sign your package for sideload testing. -2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually. +1. MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again. +2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually. +3. Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart. +4. Signing the package with Password protected certificates does not work. Please use a non-password protected password in the tool, or use Signtool (available from SDK) to sign your package for sideload testing. + From 2ec008a9fc1259b5b6d94958e3edc14d83c0fffa Mon Sep 17 00:00:00 2001 
From: MikeBlodge Date: Wed, 8 Aug 2018 07:55:27 -0700 Subject: [PATCH 4/9] editing what's new section --- .../msix-app-packaging-tool.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index e48cb1bcec..861d510bc9 100644 --- a/windows/application-management/msix-app-packaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md @@ -23,10 +23,14 @@ The MSIX Packaging Tool (Preview) is now available to install from the Microsoft - A valid MSA alias (to access the app from the Store) ## What's new -- Moved "Send Feedback" to a top-level page in settings for better visibility. -- "Settings" saves now persist across app launches. -- Changing default save location is now supported through Settings menu. -- All pop ups now have a uniform size. +v1.2018.807.0 +- Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu. +- Fixed an issue where signing in with password protected certificates would fail in the tool. +- Fixed an issue where the tool was crashing when editing an existing MSIX package. +- Fixed an issue where the tool was injecting whitespaces programmatically to install location paths that was causing conversion failures. +- Minor UI tweaks to add clarity. +- Minor updates to the logs for added clarity. + ## Installing the MSIX Packaging Tool 
@@ -43,7 +47,6 @@ This is an early preview build and not all features are supported. Here is what Features not supported in the tool are currently greyed out. Here are some of the highlighted missing features: -- Some options in the Settings page, such as adding/removing VFS/VREG and defining a default save location. - Package Support Framework integration. For more detail on how you can use Package Support Framework today, check out the article posted on the [MSIX blog](https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMSIX-Blog%2FMSIX-Package-Support-Framework-is-now-available-on-GitHub%2Fba-p%2F214548&data=02%7C01%7Cpezan%40microsoft.com%7Cbe2761c174cd465136ce08d5f1252d8a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636680064344941094&sdata=uW3oOOEYQxd0iVgsJkZXZTQwlvf%2FimVCaOdFUXcRoeY%3D&reserved=0). - Packaging on existing virtual machines. You can still install the Tool on a fresh VM, but the tool cannot currently spawn off a conversion from a local machine to an existing VM. - Command Line Interface support 
@@ -64,6 +67,5 @@ Open Feedback Hub. Alternatively, launch the tool and select the **Settings** ge 1. MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again. 2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually. 3. Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart. -4. Signing the package with Password protected certificates does not work. Please use a non-password protected password in the tool, or use Signtool (available from SDK) to sign your package for sideload testing. From 28685c2c11c2f12eb39b2cc39b0c77cf775b1ac2 Mon Sep 17 00:00:00 2001 From: MikeBlodge Date: Wed, 8 Aug 2018 07:59:41 -0700 Subject: [PATCH 5/9] editing metadata --- windows/application-management/msix-app-packaging-tool.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index 861d510bc9..75f8dc0b50 100644 --- a/windows/application-management/msix-app-packaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md 
@@ -1,7 +1,7 @@ --- title: Repackage your existing win32 applications to the MSIX format. description: Learn how to install and use the MSIX packaging tool. -keyboards: ["MSIX", "application", "app", "win32", "packaging tool"] +keywords: ["MSIX", "application", "app", "win32", "packaging tool"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library From 6fd6d731e20c23aea4e7e3baf7f05f336f637d69 Mon Sep 17 00:00:00 2001 From: MikeBlodge Date: Wed, 8 Aug 2018 08:02:30 -0700 Subject: [PATCH 6/9] edited toc to add msix page --- windows/application-management/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md index e726c4d38f..b3f1796488 100644 --- a/windows/application-management/TOC.md +++ b/windows/application-management/TOC.md @@ -4,6 +4,7 @@ ## [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md) ## [Understand apps in Windows 10](apps-in-windows-10.md) ## [Add apps and features in Windows 10](add-apps-and-features.md) +### [Repackage win32 apps in the MSIX format](msix-app-packaging-tool.md) ## [Application Virtualization (App-V) for Windows](app-v/appv-for-windows.md) ### [Getting Started with App-V](app-v/appv-getting-started.md) #### [What's new in App-V for Windows 10, version 1703 and earlier](app-v/appv-about-appv.md) From 3fd7aaf8217fcf02ac9a0da4f45f431f775f1703 Mon Sep 17 00:00:00 2001 From: MikeBlodge Date: Wed, 8 Aug 2018 08:45:28 -0700 Subject: [PATCH 7/9] updating the version number --- windows/application-management/msix-app-packaging-tool.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index 75f8dc0b50..cd0dce59af 100644 --- a/windows/application-management/msix-app-packaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md 
@@ -23,7 +23,7 @@ The MSIX Packaging Tool (Preview) is now available to install from the Microsoft - A valid MSA alias (to access the app from the Store) ## What's new -v1.2018.807.0 +v1.2018.808.0 - Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu. - Fixed an issue where signing in with password protected certificates would fail in the tool. - Fixed an issue where the tool was crashing when editing an existing MSIX package. From e047af48659220096c6ea857911f184cdd623895 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Wed, 8 Aug 2018 15:55:48 +0000 Subject: [PATCH 8/9] Merged PR 10440: Clarify purchase options for Billing and Global admin Add info about requirements for subscription-based software purchases in Store for Business. --- .../roles-and-permissions-microsoft-store-for-business.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md index 6dad7ccd03..22e03ceda8 100644 --- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md +++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md @@ -10,7 +10,7 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: medium -ms.date: 3/30/2018 +ms.date: 8/7/2018 --- # Roles and permissions in Microsoft Store for Business and Education 
@@ -31,10 +31,11 @@ This table lists the global user accounts and the permissions they have in Micro | | Global Administrator | Billing Administrator | | ------------------------------ | --------------------- | --------------------- | -| Sign up for Microsoft Store for Business and Education | X | | +| Sign up for Microsoft Store for Business and Education | X | | Modify company profile settings | X | | | Acquire apps | X | X | | Distribute apps | X | X | +| Purchase subscription-based software | X | X |   - **Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store. @@ -43,7 +44,7 @@ This table lists the global user accounts and the permissions they have in Micro ## Microsoft Store roles and permissions -Microsoft Store has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store. +Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store. This table lists the roles and their permissions. From 457954c4a2ed851db779eb4d23a4a3cb22801b37 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 8 Aug 2018 09:14:10 -0700 Subject: [PATCH 9/9] fixed hide overrides --- .../create-wip-policy-using-intune-azure.md | 8 ++++---- .../create-wip-policy-using-intune.md | 6 +++--- .../create-wip-policy-using-mam-intune-azure.md | 6 +++--- .../create-wip-policy-using-sccm.md | 6 +++--- .../deploy-wip-policy-using-intune.md | 2 +- .../protect-enterprise-data-using-wip.md | 6 +++--- .../wip-learning.md | 16 ++++++++-------- 7 files changed, 25 insertions(+), 25 deletions(-) 
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 2a988c9641..7adccd0ac3 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -8,7 +8,7 @@ ms.pagetype: security author: justinha ms.author: justinha ms.localizationpriority: medium -ms.date: 07/10/2018 +ms.date: 08/08/2018 --- # Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune 
@@ -348,14 +348,14 @@ If you're running into compatibility issues where your app is incompatible with ## Manage the WIP protection mode for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**. +We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Block**. >[!NOTE] >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). **To add your protection mode** -1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears. +1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears. The **Required settings** blade appears. 
@@ -363,7 +363,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi |Mode |Description | |-----|------------| - |Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| + |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md index 1b084c9605..d75ea228ef 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.author: justinha -ms.date: 05/30/2018 +ms.date: 08/08/2018 ms.localizationpriority: medium --- 
@@ -308,11 +308,11 @@ If you're running into compatibility issues where your app is incompatible with ## Manage the WIP protection mode for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Allow Overrides** or **Hide Overrides**. +We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Allow Overrides** or **Block**. |Mode |Description | |-----|------------| -|Hide Overrides|WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| +|Block|WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Allow Overrides|WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). | |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Overrides mode. 
Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md index e5590cd3ed..4d7cafc461 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.author: justinha -ms.date: 05/30/2018 +ms.date: 08/08/2018 localizationpriority: medium --- @@ -377,7 +377,7 @@ In the **Required settings** blade you must pick your Windows Information Protec ### Manage the WIP protection mode for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**. +We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. >[!NOTE] >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). 
@@ -392,7 +392,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi |Mode |Description | |-----|------------| - |Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| + |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md index 1c8de7d581..e766991a5a 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.localizationpriority: medium -ms.date: 10/16/2017 +ms.date: 08/08/2018 --- # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager 
@@ -340,14 +340,14 @@ If you're running into compatibility issues where your app is incompatible with ## Manage the WIP-protection level for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Hide Overrides**. +We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. >[!NOTE] >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). |Mode |Description | |-----|------------| -|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| +|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. | |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. 
Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md index fa52656359..26b5ff9472 100644 --- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.localizationpriority: medium -ms.date: 09/11/2017 +ms.date: 08/08/2018 --- # Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index 1ad43ba3f3..6ebcf8b468 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md 
@@ -77,13 +77,13 @@ WIP gives you a new way to manage data policy enforcement for apps and documents - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device. - - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Hide overrides**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. + - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. 
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode. You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list. - - **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). + - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. 
For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media. @@ -132,7 +132,7 @@ You can set your WIP policy to use 1 of 4 protection and management modes: |Mode|Description| |----|-----------| -|Hide overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| +|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| |Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.| |Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| |Off |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.

**Note**
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. | diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index 87c74dd9a0..7225edb78c 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -10,7 +10,7 @@ ms.sitesec: library ms.pagetype: security author: coreyp-at-msft ms.localizationpriority: medium -ms.date: 04/18/2018 +ms.date: 08/08/2018 --- # Fine-tune Windows Information Protection (WIP) with WIP Learning 
@@ -21,16 +21,16 @@ ms.date: 04/18/2018 With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports are accessed from Microsoft Azure Intune, and you can alternately access the App learning report from Microsoft Operations Management Suite (OMS). -The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Hide overrides”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly. +The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly. In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list. -## Access the WIP Learning reports - -1. Open the [Azure portal](http://portal.azure.com/). Choose **All services**. Type **Intune** in the text box filter. - +## Access the WIP Learning reports + +1. Open the [Azure portal](http://portal.azure.com/). 
Choose **All services**. Type **Intune** in the text box filter. + 2. Choose **Intune** > **Mobile Apps**. - + 3. Choose **App protection status**. 4. Choose **Reports**. @@ -95,7 +95,7 @@ Here, you can copy the **WipAppid** and use it to adjust your WIP protection pol 9. Go back to OMS one more time and note the version number of the app and type it in **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny** -When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide overrides**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes) +When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes) >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file
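Review bot: In create-wip-policy-using-sccm.md, hunk @@ -340,14 +340,14 @@, the recommendation now ends with "either **Override** or **Block**", while the matching sentence in wip-learning.md (hunk @@ -95,7 +95,7 @@) names **Block** as the only final enforcement policy. The two files also use different mode names: "Override" here, "Allow overrides" there. Since this patch is a terminology pass over the WIP modes, pick one set of names and one recommendation and use it in both files. Otherwise a reader following the Configuration Manager doc could stop at Override, which still lets the employee share the data, and treat that as full enforcement.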
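Review bot: In deploy-wip-policy-using-intune.md the only change is ms.date, from 09/11/2017 to 08/08/2018; no content line in that file is touched. Either add the rename this file was meant to receive, or drop the date bump so the page does not claim a revision it did not get.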
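Review bot: In protect-enterprise-data-using-wip.md, hunk @@ -77,13 +77,13 @@, the "Deciding your level of data access" bullet is only half renamed. Its first sentence now reads "WIP lets you block, allow overrides, or audit employees' data sharing actions", but the next sentence still says "Hiding overrides stops the action immediately." Change that to "Blocking stops the action immediately." so the bullet agrees with the **Block** row that the @@ -132,7 +132,7 @@ hunk puts in the modes table of the same file.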
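Review bot: In wip-learning.md, hunk @@ -21,16 +21,16 @@, the "## Access the WIP Learning reports" heading, step 1 and the blank lines around step 2 are removed and re-added with no visible text change. That looks like whitespace or line-ending churn unrelated to the "Hide overrides" to "Block" rename, and it makes the real one-line change harder to review. Drop those lines from the patch. If step 1 is being rewritten on purpose, change the portal link from http://portal.azure.com/ to https:// in the same edit. The file also still ends with "\ No newline at end of file" after the @@ -95,7 +95,7 @@ hunk; add the trailing newline while the file is open.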