deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 06:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into FromPrivateRepo

Browse Source
This commit is contained in:
huaping yu 2019-03-11 10:43:04 -07:00
commit 0553ac53b0
10 changed files with 188 additions and 129 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
browsers/edge/edge-technical-demos.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft Edge training and demonstrations
ms.prod: browser-edge
layout: article
description: Get access to training and demonstrations for Microsoft Edge.
ms.prod: edge
ms.topic: article
ms.manager: elizapo
author: lizap

7
browsers/edge/microsoft-edge-forrester.md
View File

@ -1,15 +1,12 @@
---
title: Microsoft Edge - Forrester Total Economic Impact
title: Forrester Total Economic Impact - Microsoft Edge
description: Review the results of the Microsoft Edge study carried out by Forrester Research
ms.prod: browser-edge
layout: article
ms.prod: edge
ms.topic: article
ms.manager: elizapo
author: lizap
ms.author: elizapo
ms.localizationpriority: high
---
# Measuring the impact of Microsoft Edge - Total Economic Impact (TEI) of Microsoft Edge
Forrester Research measures the return on investment (ROI) of Microsoft Edge in its latest TEI report and survey. Browse and download these free resources to learn about the impact Microsoft Edge can have in your organization, including significant cost savings in reduced browser help desk tickets and improved browser security, to increased speed, performance, and user productivity.

4
browsers/edge/microsoft-edge.yml
View File

@ -33,7 +33,7 @@ sections:
- type: markdown
text: "
Even if you still have legacy apps in your organization, you can default to the secure, modern experience of Microsoft Edge and provide a consistent level of compatibility with existing legacy applications.<br>
<table><tr><td><img src='images/compat1.png' width='192' height='192'><br>**Test your site on Microsoft Edge**<br>Test your site on Microsoft Edge for free instantly, with remote browser testing powered by BrowserStack. You can also use the linting tool sonarwhal to assess your site's accessibility, speed, security, and more.<br><a href='https://developer.microsoft.com/microsoft-edge/tools/remote/'>Test your site on Microsoft Edge for free on BrowserStack</a><br><a href='https://sonarwhal.com/'>Use sonarwhal to improve your website.</a></td><td><img src='images/compat2.png' width='192' height='192'><br>**Improve compatibility with Enterprise Mode**<br>With Enterprise Mode you can use Microsoft Edge as your default browser, while ensuring apps continue working on IE11.<br><a href='https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility'>Use Enterprse mode to improve compatibility</a><br><a href='https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list'>Turn on Enterprise Mode and use a site list</a><br><a href='https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal'>Enterprise Site List Portal</a><br><a href='https://blogs.technet.microsoft.com/home_is_where_i_lay_my_head/2017/04/25/the-ultimate-browser-strategy-on-windows-10/'>Ultimate browser strategy on Windows 10</a></td><td><img src='images/compat3.png' width='192' height='192'><br>**Web Application Compatibility Lab Kit**<br>The Web Application Compatibility Lab Kit is a primer for the features and techniques used to provide web application compatibility during a typical enterprise migration to Microsoft Edge.<br><a href='web-app-compat'>Find out more</a></td></tr>
<table><tr><td><img src='images/compat1.png' width='192' height='192'><br>**Test your site on Microsoft Edge**<br>Test your site on Microsoft Edge for free instantly, with remote browser testing powered by BrowserStack. You can also use the linting tool sonarwhal to assess your site's accessibility, speed, security, and more.<br><a href='https://developer.microsoft.com/microsoft-edge/tools/remote/'>Test your site on Microsoft Edge for free on BrowserStack</a><br><a href='https://sonarwhal.com/'>Use sonarwhal to improve your website.</a></td><td><img src='images/compat2.png' width='192' height='192'><br>**Improve compatibility with Enterprise Mode**<br>With Enterprise Mode you can use Microsoft Edge as your default browser, while ensuring apps continue working on IE11.<br><a href='https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility'>Use Enterprse mode to improve compatibility</a><br><a href='https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list'>Turn on Enterprise Mode and use a site list</a><br><a href='https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal'>Enterprise Site List Portal</a><br><a href='https://blogs.technet.microsoft.com/home_is_where_i_lay_my_head/2017/04/25/the-ultimate-browser-strategy-on-windows-10/'>Ultimate browser strategy on Windows 10</a></td><td><img src='images/compat3.png' width='192' height='192'><br>**Web Application Compatibility Lab Kit**<br>The Web Application Compatibility Lab Kit is a primer for the features and techniques used to provide web application compatibility during a typical enterprise migration to Microsoft Edge.<br><a href='web-app-compat-toolkit'>Find out more</a></td></tr>
</table>
"
- title: Security
@ -49,7 +49,7 @@ sections:
- type: markdown
text: "
Find resources and learn about features to help you deploy Microsoft Edge in your organization to get your users up and running quickly.<br>
<table><tr><td><img src='images/deploy-land.png' width='192' height='192'><br>**Deployment**<br>Find resources, learn about features, and get answers to commonly asked questions to help you deploy Microsoft Edge in your organization.<br><a href='https://docs.microsoft.com/microsoft-edge/deploy/'>Microsoft Edge deployment guide</a><br><a href='https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-faq'>Microsoft Edge FAQ</a><br><a href='https://docs.microsoft.com/microsoft-edge/deploy/hardware-and-software-requirements'>System requirements and language support</a><br><a href='https://docs.microsoft.com/microsoft-edge/deploy/available-policies'>Group Policy and MDM settings in Microsoft Edge</a><br><a href='https://www.microsoft.com/itpro/microsoft-edge/web-app-compat-lab-kit'>Download the Web Application Compatibility Lab Kit</a><br><a href='https://www.microsoft.com/itpro/microsoft-edge/technical-demos'>Microsoft Edge training and demonstrations</a></td><td><img src='images/enduser-land.png' width='192' height='192'><br>**End user readiness**<br>Help your users get started on Microsoft Edge quickly and learn about features like tab management, instant access to Office files, and more.<br><a href='https://go.microsoft.com/fwlink/?linkid=825648'>Quick Start: Microsoft Edge (PDF, .98 MB)</a><br><a href='https://go.microsoft.com/fwlink/?linkid=825661'>Find it faster with Microsoft Edge (PDF, 605 KB)</a><br><a href='https://go.microsoft.com/fwlink/?linkid=825653'>Use Microsoft Edge to collaborate (PDF, 468 KB)</a><br><a href='https://microsoftedgetips.microsoft.com/en-us/2/39'>Import bookmarks</a><br><a href='https://microsoftedgetips.microsoft.com/en-us/2/18'>Password management</a><br><a href='https://myignite.microsoft.com/sessions/56630?source=sessions'>Microsoft Edge tips and tricks (video, 20:26)</a></td></tr>
<table><tr><td><img src='images/deploy-land.png' width='192' height='192'><br>**Deployment**<br>Find resources, learn about features, and get answers to commonly asked questions to help you deploy Microsoft Edge in your organization.<br><a href='https://docs.microsoft.com/microsoft-edge/deploy/'>Microsoft Edge deployment guide</a><br><a href='https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-faq'>Microsoft Edge FAQ</a><br><a href='https://docs.microsoft.com/microsoft-edge/deploy/hardware-and-software-requirements'>System requirements and language support</a><br><a href='https://docs.microsoft.com/microsoft-edge/deploy/available-policies'>Group Policy and MDM settings in Microsoft Edge</a><br><a href='https://www.microsoft.com/itpro/microsoft-edge/web-app-compat-toolkit'>Download the Web Application Compatibility Lab Kit</a><br><a href='edge-technical-demos.md'>Microsoft Edge training and demonstrations</a></td><td><img src='images/enduser-land.png' width='192' height='192'><br>**End user readiness**<br>Help your users get started on Microsoft Edge quickly and learn about features like tab management, instant access to Office files, and more.<br><a href='https://go.microsoft.com/fwlink/?linkid=825648'>Quick Start: Microsoft Edge (PDF, .98 MB)</a><br><a href='https://go.microsoft.com/fwlink/?linkid=825661'>Find it faster with Microsoft Edge (PDF, 605 KB)</a><br><a href='https://go.microsoft.com/fwlink/?linkid=825653'>Use Microsoft Edge to collaborate (PDF, 468 KB)</a><br><a href='https://microsoftedgetips.microsoft.com/en-us/2/39'>Import bookmarks</a><br><a href='https://microsoftedgetips.microsoft.com/en-us/2/18'>Password management</a><br><a href='https://myignite.microsoft.com/sessions/56630?source=sessions'>Microsoft Edge tips and tricks (video, 20:26)</a></td></tr>
</table>
"
- title: Stay informed

4
browsers/edge/web-app-compat-toolkit.md
View File

@ -1,7 +1,7 @@
---
title: Web Application Compatibility lab kit
ms.prod: browser-edge
layout: article
description: Learn how to use the web application compatibility toolkit for Microsoft Edge.
ms.prod: edge
ms.topic: article
ms.manager: elizapo
author: lizap

2
windows/hub/windows-10-landing.yml
View File

@ -57,7 +57,7 @@ sections:
- type: markdown
text: "
Download recommended tools and get step-by-step guidance for in-place upgrades, dynamic provisioning, or traditional deployments.<br>
<table><tr><td><img src='images/deploy1.png' width='192' height='192'><br>**In-place upgrade**<br>The simplest way to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 is to do an in-place upgrade.<br><a href='https://docs.microsoft.com/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager'>Upgrade to Windows 10 with Configuration Manager</a><br><a href='https://docs.microsoft.com/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit'>Upgrade to Windows 10 with MDT</a></td><td><img src='images/deploy2.png' width='192' height='192'><br>**Traditional deployment**<br>Some organizations may still need to opt for an image-based deployment of Windows 10.<br><a href='https://docs.microsoft.com/en-us/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems'>Deploy Windows 10 with Configuration Manager</a><br><a href='https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit'>Deploy Windows 10 with MDT</a></td></tr><tr><td><img src='images/deploy3.png' width='192' height='192'><br>**Dynamic provisioning**<br>With Windows 10 you can create provisioning packages that let you quickly configure a device without having to install a new image.<br><a href='https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages'>Provisioning packages for Windows 10</a><br><a href='https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package'>Build and apply a provisioning package</a><br><a href='https://docs.microsoft.com/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd'>Customize Windows 10 start and the taskbar</a></td><td><img src='images/deploy4.png'><br>**Other deployment scenarios**<br>Get guidance on how to deploy Windows 10 for students, faculty, and guest users - and how to deploy line-of-business apps.<br><a href='https://docs.microsoft.com/education/windows/'>Windows deployment for education environments</a><br><a href='https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc'>Set up a shared or guest PC with Windows 10</a><br><a href='https://docs.microsoft.com/windows/application-management/sideload-apps-in-windows-10'>Sideload apps in Windows 10</a></td></tr>
<table><tr><td><img src='images/deploy1.png' width='192' height='192'><br>**In-place upgrade**<br>The simplest way to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 is to do an in-place upgrade.<br><a href='https://docs.microsoft.com/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager'>Upgrade to Windows 10 with Configuration Manager</a><br><a href='https://docs.microsoft.com/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit'>Upgrade to Windows 10 with MDT</a></td><td><img src='images/deploy2.png' width='192' height='192'><br>**Traditional deployment**<br>Some organizations may still need to opt for an image-based deployment of Windows 10.<br><a href='https://docs.microsoft.com/en-us/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems'>Deploy Windows 10 with Configuration Manager</a><br><a href='https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit'>Deploy Windows 10 with MDT</a></td></tr><tr><td><img src='images/deploy3.png' width='192' height='192'><br>**Dynamic provisioning**<br>With Windows 10 you can create provisioning packages that let you quickly configure a device without having to install a new image.<br><a href='https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages'>Provisioning packages for Windows 10</a><br><a href='https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package'>Build and apply a provisioning package</a><br><a href='https://docs.microsoft.com/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd'>Customize Windows 10 start and the taskbar</a></td><td><img src='images/deploy4.png' width='192' height='192'><br>**Other deployment scenarios**<br>Get guidance on how to deploy Windows 10 for students, faculty, and guest users - and how to deploy line-of-business apps.<br><a href='https://docs.microsoft.com/education/windows/'>Windows deployment for education environments</a><br><a href='https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc'>Set up a shared or guest PC with Windows 10</a><br><a href='https://docs.microsoft.com/windows/application-management/sideload-apps-in-windows-10'>Sideload apps in Windows 10</a></td></tr>
</table>
"
- title: Management and security

296
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -5,7 +5,6 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: justinha
ms.author: justinha
manager: dansimp
@ -22,63 +21,62 @@ ms.date: 03/05/2019
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune only manages the apps on a user's personal device.
## Alternative steps if you use MAM only (without device enrollment)
>[!NOTE]
>If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**). the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. MAM supports only one user per device.
This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, see [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md).
## Prerequisites
If the same user and device are targeted for both MDM policy and MAM-only (without device enrollment) policy, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**.
Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
## Configure the MDM or MAM provider
## Add a WIP policy
Follow these steps to add a WIP policy using Intune.
1. Sign in to the Azure portal.
2. Click **Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**.
3. Click **Restore Default URLs** or enter the settings for MDM or MAM user scope and click **Save**:
**To add a WIP policy**
1. Open Microsoft Intune and click **Client apps**.
![Configure MDM or MAM provider](images/mobility-provider.png)
![Open Client apps](images/open-mobile-apps.png)
## Create a WIP policy
2. In **Client apps**, click **App protection policies**.
1. Sign in to the Azure portal.
![App protection policies](images/app-protection-policies.png)
2. Open Microsoft Intune and click **Client apps** > **App protection policies** > **Create policy**.
3. In the **App policy** screen, click **Add a policy**, and then fill out the fields:
- **Name.** Type a name (required) for your new policy.
![Open Client apps](images/create-app-protection-policy.png)
- **Description.** Type an optional description.
3. In the **App policy** screen, click **Add a policy**, and then fill out the fields:
- **Platform.** Choose **Windows 10**.
- **Name.** Type a name (required) for your new policy.
- **Enrollment state.** Choose **With enrollment**.
- **Description.** Type an optional description.
![Add a mobile app policy](images/add-a-mobile-app-policy.png)
- **Platform.** Choose **Windows 10**.
>[!Important]
>Choosing **With enrollment** only applies for organizations using MDM. If you're using MAM only (without device enrollment), see [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md).
- **Enrollment state.** Choose **Without enrollment** for MAM or **With enrollment** for MDM.
4. Click **Protected apps** and then click **Add apps**.
![Add a mobile app policy](images/add-a-mobile-app-policy.png)
![Add protected apps](images/add-protected-apps.png)
4. Click **Protected apps** and then click **Add apps**.
You can add these types of apps:
![Add protected apps](images/add-protected-apps.png)
- [Recommended apps](#add-recommended-apps)
- [Store apps](#add-store-apps)
- [Desktop apps](#add-desktop-apps)
You can add these types of apps:
- [Recommended apps](#add-recommended-apps)
- [Store apps](#add-store-apps)
- [Desktop apps](#add-desktop-apps)
### Add recommended apps
To add **Recommended apps**, select each app you want to access your enterprise data, and then click **OK**.
The **Protected apps** blade updates to show you your selected apps.
Select **Recommended apps** and select each app you want to access your enterprise data or select them all, and click **OK**.
![Microsoft Intune management console: Recommended apps](images/wip-azure-allowed-apps-with-apps.png)
![Microsoft Intune management console: Recommended apps](images/recommended-apps.png)
### Add Store apps
To add **Store apps**, type the app product name and publisher and click **OK**. For example, to add the Power BI Mobile App from the Store, type the following:
Select **Store apps**, type the app product name and publisher, and click **OK**. For example, to add the Power BI Mobile App from the Store, type the following:
- **Name**: Microsoft Power BI
- **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
@ -88,7 +86,7 @@ To add **Store apps**, type the app product name and publisher and click **OK**.
To add multiple Store apps, click the elipsis **…**.
If you don't know the Store app publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
If you don't know the Store app publisher or product name, you can find them by following these steps.
1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Power BI Mobile App*.
@ -111,7 +109,6 @@ If you don't know the Store app publisher or product name, you can find them for
>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<br><br>For example:<br>
<code>{<br>"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",<br>}</code>
If you need to add Windows 10 mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
>**Note**<br>Your PC and phone must be on the same wireless network.
@ -173,10 +170,7 @@ To add **Desktop apps**, complete the following fields, based on what results yo
</tr>
</table>
After youve entered the info into the fields, click **OK**.
>[!Note]
>To add multiple Desktop apps, click the elipsis **…**. When youre done, click **OK**.
To add another Desktop app, click the elipsis **…**. After youve entered the info into the fields, click **OK**.
![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png)
@ -185,6 +179,7 @@ If youre unsure about what to include for the publisher, you can run this Pow
```ps1
Get-AppLockerFileInformation -Path "<path_of_the_exe>"
```
Where `"<path_of_the_exe>"` goes to the location of the app on the device. For example:
```ps1
@ -202,9 +197,16 @@ Path Publisher
Where `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the **Publisher** name and `WORDPAD.EXE` is the **File** name.
### Import a list of apps
For this example, were going to add an AppLocker XML file to the **Protected apps** list. Youll use this option if you want to add multiple apps at the same time. The first example shows how to create a Packaged App rule for Store apps. The second example shows how to create an Executable rule by using a path for unsigned apps. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
**To create a list of protected apps using the AppLocker tool**
This section covers two examples of using an AppLocker XML file to the **Protected apps** list. Youll use this option if you want to add multiple apps at the same time.
- [Create a Packaged App rule for Store apps](#create-a-packaged-app-rule-for-store-apps)
- [Create an Executable rule for unsigned apps](#create-an-executable-rule-for-unsigned-apps)
For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
#### Create a Packaged App rule for Store apps
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
@ -277,7 +279,8 @@ For this example, were going to add an AppLocker XML file to the **Protected
12. After youve created your XML file, you need to import it by using Microsoft Intune.
**To create an Executable rule and xml file for unsigned apps**
## Create an Executable rule for unsigned apps
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, click **Application Control Policies** > **AppLocker** > **Executable Rules**.
@ -325,9 +328,7 @@ For this example, were going to add an AppLocker XML file to the **Protected
The file imports and the apps are added to your **Protected apps** list.
### Exempt apps from a WIP policy
If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Protected apps list**
If your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
1. In **Client apps - App protection policies**, click **Exempt apps**.
@ -354,14 +355,7 @@ After you've added the apps you want to protect with WIP, you'll need to apply a
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Block**.
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
**To add your protection mode**
1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
The **Required settings** blade appears.
1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings**.
![Microsoft Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png)
@ -381,91 +375,159 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
**To change your corporate identity**
1. From the **App policy** blade, click the name of your policy, and then click **Required settings**.
1. From the **App policy** blade, click the name of your policy, and then click **Required settings**.
2. If the auto-defined identity isnt correct, you can change the info in the **Corporate identity** field. If you need to add domains, for example your email domains, you can do it in the **Advanced settings** area.
2. If the auto-defined identity isnt correct, you can change the info in the **Corporate identity** field.
![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)
![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)
3. To add domains, such your email domain names, click **Configure Advanced settings** > **Add network boundary** and select **Protected domains**.
![Add protected domains](images/add-protected-domains.png)
## Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include policy that defines your enterprise network locations.
There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprises range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
>[!Important]
>Every WIP policy should include policy that defines your enterprise network locations.<br>Classless Inter-Domain Routing (CIDR) notation isnt supported for WIP configurations.
To define the network boundaries, click **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**.
**To define where your protected apps can find and send enterprise data on you network**
![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png)
1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings**.
Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**.
2. Click **Add network boundary** from the Network perimeter area.
### Cloud resources
![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png)
Specify the cloud resources to be treated as corporate and protected by WIP.
For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource.
Be aware that all traffic routed through your Internal proxy servers is considered enterprise.
3. Select the type of network boundary to add from the **Boundary type** box.
Separate multiple resources with the "|" delimiter.
If you dont use proxy servers, you must also include the "," delimiter just before the "|".
For example:
4. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**.
```code
URL <,proxy>|URL <,proxy>
```
<table>
<tr>
<th>Boundary type</th>
<th>Value format</th>
<th>Description</th>
</tr>
<tr>
<td>Cloud Resources</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<br><br><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<br><br>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<br><br>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p>Personal applications will be able to access Enterprise Cloud Resources if the resource in the Enterprise Cloud Resource Policy has a blank space or an invalid character, such as a trailing dot in the URL. <br><br><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<br><br><strong>Note</strong><br>To add subdomain for a cloud resource, use a period (.) instead of an asterisk (*). For example: To add all subdomains within Office.com, use ".office.com" (without the quotation marks).<br><br>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
Personal applications will be able to access a cloud resource that has a blank space or an invalid character, such as a trailing dot in the URL.
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<br><br>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<br><br>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p>Personal applications will be able to access Enterprise Cloud Resources if the resource in the Enterprise Cloud Resource Policy has a blank space or an invalid character, such as a trailing dot in the URL. <br><br><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code><br><br><strong>Note</strong><br>To add subdomain for a cloud resource, use a period (.) instead of an asterisk (*). For example: To add all subdomains within Office.com, use ".office.com" (without the quotation marks).<br><br>When you use this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access) by using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
</tr>
<tr>
<td>Protected domains</td>
<td>exchange.contoso.com,contoso.com,region.contoso.com</td>
<td>Specify the domains used for identities in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<br><br>If you have multiple domains, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Network domains</td>
<td>corp.contoso.com,region.contoso.com</td>
<td>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<br><br>If you have multiple resources, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Proxy servers</td>
<td>proxy.contoso.com:80;proxy2.contoso.com:443</td>
<td>Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources youre connecting to are enterprise resources.<br><br>This list shouldnt include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>Internal proxy servers</td>
<td>contoso.internalproxy1.com;contoso.internalproxy2.com</td>
<td>Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources youre connecting to are enterprise resources.<br><br>This list shouldnt include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>IPv4 ranges</td>
<td>**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
<td>Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.<br><br>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>IPv6 ranges</td>
<td>**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
<td>Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.<br><br>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Neutral resources</td>
<td>sts.contoso.com,sts.contoso2.com</td>
<td>Specify your authentication redirection endpoints for your company.<br><br>These locations are considered enterprise or personal, based on the context of the connection before the redirection.<br><br>If you have multiple resources, you must separate them using the "," delimiter.</td>
</tr>
</table>
To add a subdomain for a cloud resource, use a period (.) instead of an asterisk (*). For example, to add all subdomains within Office.com, use ".office.com" (without the quotation marks).
5. Repeat steps 1-4 to add any additional network boundaries.
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site.
In this case, Windows blocks the connection by default.
To stop Windows from automatically blocking these connections, you can add the `/*AppCompat*/` string to the setting.
For example:
6. Decide if you want to Windows to look for additional network settings:
```code
URL <,proxy>|URL <,proxy>/*AppCompat*/
```
![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png)
When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
Value format with proxy:
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
```code
contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,contoso.internalproxy2.com
```
Value format without proxy:
```code
contoso.sharepoint.com|contoso.visualstudio.com
```
### Protected domains
Specify the domains used for identities in your environment.
All traffic to the fully-qualified domains appearing in this list will be protected.
Separate multiple domains with the "," delimiter.
```code
exchange.contoso.com,contoso.com,region.contoso.com
```
### Network domains
Specify the DNS suffixes used in your environment.
All traffic to the fully-qualified domains appearing in this list will be protected.
Separate multiple resources with the "," delimiter.
```code
corp.contoso.com,region.contoso.com
```
### Proxy servers
Specify the proxy servers your devices will go through to reach your cloud resources.
Using this server type indicates that the cloud resources youre connecting to are enterprise resources.
This list shouldnt include any servers listed in your Internal proxy servers list.
Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
Separate multiple resources with the ";" delimiter.
```code
proxy.contoso.com:80;proxy2.contoso.com:443
```
### Internal proxy servers
Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources youre connecting to are enterprise resources.
This list shouldnt include any servers listed in your Proxy servers list.
Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
Separate multiple resources with the ";" delimiter.
```code
contoso.internalproxy1.com;contoso.internalproxy2.com
```
### IPv4 ranges
Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv4 value range within your intranet.
These addresses, used with your Network domain names, define your corporate network boundaries.
Classless Inter-Domain Routing (CIDR) notation isnt supported.
Separate multiple ranges with the "," delimiter.
**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
<br>10.0.0.1-10.255.255.254
### IPv6 ranges
Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv6 value range within your intranet.
These addresses, used with your network domain names, define your corporate network boundaries.
Classless Inter-Domain Routing (CIDR) notation isnt supported.
Separate multiple ranges with the "," delimiter.
**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
### Neutral resources
Specify your authentication redirection endpoints for your company.
These locations are considered enterprise or personal, based on the context of the connection before the redirection.
Separate multiple resources with the "," delimiter.
```code
sts.contoso.com,sts.contoso2.com
```
Decide if you want Windows to look for additional network settings:
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you turn this off, Windows will search for additional proxy servers in your immediate network.
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you turn this off, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png)
## Upload your Data Recovery Agent (DRA) certificate
After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees local device drive. If somehow the employees local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.

BIN
windows/security/information-protection/windows-information-protection/images/add-protected-domains.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 108 KiB

BIN
windows/security/information-protection/windows-information-protection/images/create-app-protection-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

BIN
windows/security/information-protection/windows-information-protection/images/mobility-provider.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/security/information-protection/windows-information-protection/images/recommended-apps.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 52 KiB