update image and Acrolinx

Aaron Czechowski 2022-07-20 11:40:23 -07:00
parent 47b141c70b
commit 09a1ae8b8c
2 changed files with 29 additions and 24 deletions


@ -1,7 +1,7 @@
--- ---
title: How to disable Windows Information Protection (WIP) title: How to disable Windows Information Protection (WIP)
description: How to disable Windows Information Protection (WIP) in Microsoft Intune or Configuration Manager. description: How to disable Windows Information Protection (WIP) in Microsoft Intune or Microsoft Endpoint Configuration Manager.
ms.date: 07/15/2022 ms.date: 07/21/2022
ms.prod: m365-security ms.prod: m365-security
ms.topic: how-to ms.topic: how-to
ms.localizationpriority: medium ms.localizationpriority: medium
@ -17,6 +17,7 @@ _Applies to:_
- Windows 10 - Windows 10
- Windows 11 - Windows 11
## Use Intune to disable WIP ## Use Intune to disable WIP
To disable Windows Information Protection (WIP) using Intune, you have the following options: To disable Windows Information Protection (WIP) using Intune, you have the following options:
@ -24,22 +25,23 @@ To disable Windows Information Protection (WIP) using Intune, you have the follo
### Option 1 - Unassign the WIP policy (preferred) ### Option 1 - Unassign the WIP policy (preferred)
When you unassign an existing policy, it removes the intent to deploy WIP from those devices. When that intent is removed, the device removes protection for files and the configuration for WIP. For more information, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign). When you unassign an existing policy, it removes the intent to deploy WIP from those devices. When that intent is removed, the device removes protection for files and the configuration for WIP. For more information, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign).
### Option 2 - Change current WIP policy to off ### Option 2 - Change current WIP policy to off
If youre currently deploying a WIP policy for enrolled or unenrolled devices, you switch the WIP policy to Off. When devices check-in after this change, the devices will proceed to unprotect files previously protected by WIP. If you're currently deploying a WIP policy for enrolled or unenrolled devices, you switch the WIP policy to Off. When devices check in after this change, the devices will proceed to unprotect files previously protected by WIP.
1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com). 1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
1. Open Microsoft Intune and select **Apps** > **App protection policies** > 1. Open Microsoft Intune and select **Apps** > **App protection policies**.
In Client apps - App protection policies, select <> apps. Select the existing policy to turn off. 1. Select the existing policy to turn off, and then select the **Properties**.
1. From App protection policy, select the name of your policy, and then select the properties.
1. Edit **Required settings**. 1. Edit **Required settings**.
:::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level." source="images/wip-configmgr-disable-wip.png"::: :::image type="content" alt-text="Intune App Protection policy properties, required settings, with WIP mode Off." source="images/intune-edit-app-protection-policy-mode-off.png":::
1. Set **Windows Information Protection mode** to off. 1. Set **Windows Information Protection mode** to off.
1. After making this change, select **Review and Save**. 1. After making this change, select **Review and Save**.
1. Select **Save**. 1. Select **Save**.
> [!Note] > [!NOTE]
> **Another option is to create a disable policy that sets WIP to Off.** > **Another option is to create a disable policy that sets WIP to Off.**
>
> You can create a separate disable policy for WIP (both enrolled and unenrolled) and deploy that to a new group. You then can stage the transition to this disabled state. Move devices from the existing group to the new group. This process slowly migrates devices instead of all at once. > You can create a separate disable policy for WIP (both enrolled and unenrolled) and deploy that to a new group. You then can stage the transition to this disabled state. Move devices from the existing group to the new group. This process slowly migrates devices instead of all at once.
### Revoke local encryption keys during the unenrollment process ### Revoke local encryption keys during the unenrollment process
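Review bot: the rewritten step "Select the existing policy to turn off, and then select the **Properties**." has a stray article before the UI label; suggest "and then select **Properties**". In the same hunk the target value is written "off" in the step "Set **Windows Information Protection mode** to off." and in the Option 2 heading, but "Off" in the intro sentence, the new alt text and the note, so pick one casing, preferably the one shown in the UI. The intro sentence "you switch the WIP policy to Off" also reads as a statement rather than an instruction; "you can switch" or an imperative would be clearer.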
@ -57,22 +59,23 @@ To remove Windows Information Protection (WIP) using Configuration Manager
>Don't just delete your existing WIP policy. For Configuration Manager there's only one option to create a new policy that turns WIP mode off. Otherwise the devices will remove the Configuration Manager policy but not change the WIP mode. >Don't just delete your existing WIP policy. For Configuration Manager there's only one option to create a new policy that turns WIP mode off. Otherwise the devices will remove the Configuration Manager policy but not change the WIP mode.
### Add a WIP policy ### Add a WIP policy
To disable WIP for your organization, first create a configuration item. To disable WIP for your organization, first create a configuration item.
1. Open the Configuration Manager console, select the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. 1. Open the Configuration Manager console, select the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
2. Select the **Create Configuration Item** button. 2. Select the **Create Configuration Item** button.
The **Create Configuration Item Wizard** starts. The **Create Configuration Item Wizard** starts.
![Create Configuration Item wizard, define the configuration item and choose the configuration type.](images/wip-configmgr-generalscreen-off.png) ![Create Configuration Item wizard, define the configuration item and choose the configuration type.](images/wip-configmgr-generalscreen-off.png)
3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. 3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
4. In the **Specify the type of configuration item you want to create** area, select **Windows 10 or later** for devices managed with the Configuration Manager client, and then select **Next**. 4. In the **Specify the type of configuration item you want to create** area, select **Windows 10 or later** for devices managed with the Configuration Manager client, and then select **Next**.
5. On the **Supported Platforms** screen, select the **Windows 10** box, and then select **Next**. 5. On the **Supported Platforms** screen, select the **Windows 10** box, and then select **Next**.
6. On the **Device Settings** screen, select **Windows Information Protection**, and then select **Next**. 6. On the **Device Settings** screen, select **Windows Information Protection**, and then select **Next**.
The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
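Review bot: the warning kept as context at the top of this hunk, "For Configuration Manager there's only one option to create a new policy that turns WIP mode off.", can be read as "there is only one way to create a policy" instead of "the only option is to create a policy". Since this pass is an editorial cleanup and the sentence tells admins that deleting the policy leaves the WIP mode unchanged, consider "there's only one option: create a new policy that turns WIP mode off." Also in this hunk, step 3 bolds "**General Information screen**" including the word "screen", while steps 5 and 6 bold only the screen name.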
@ -82,7 +85,6 @@ Set the Windows Information Protection mode to Off.
:::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level." source="images/wip-configmgr-disable-wip.png"::: :::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level." source="images/wip-configmgr-disable-wip.png":::
### Define your enterprise-managed identity domains ### Define your enterprise-managed identity domains
> [!TIP] > [!TIP]
@ -90,16 +92,18 @@ Set the Windows Information Protection mode to Off.
#### Add your corporate identity #### Add your corporate identity
- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
Corporate identity must match the string in the original policy.
![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity.](images/wip-configmgr-corp-identity.png) ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity.](images/wip-configmgr-corp-identity.png)
> [!IMPORTANT]
> Corporate identity must match the string in the original policy.
### Choose where apps can access enterprise data ### Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
Add additional network locations your apps can access by selecting **Add**. Add other network locations your apps can access by selecting **Add**.
The **Add or edit corporate network definition** box appears. Add the required fields. The **Add or edit corporate network definition** box appears. Add the required fields.
In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy.
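Review bot: the new [!IMPORTANT] callout lands below the screenshot, so someone following the step fills in the **Corporate identity** field before reading that the value must match the original policy. Suggest moving the callout directly under the "Type the name of your corporate identity" line, and stating whether a pipe-separated value such as `contoso.com|newcontoso.com` has to match the original string in full. Separately, the unchanged sentence "After you've added a protection mode to your apps" reads oddly in a procedure whose previous step sets the mode to Off.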
@ -107,12 +111,13 @@ In the required **Upload a Data Recovery Agent (DRA) certificate to allow recove
![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate.](images/wip-configmgr-dra.png) ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate.](images/wip-configmgr-dra.png)
### Deploy the WIP policy ### Deploy the WIP policy
After you've created your WIP policy, you'll need to deploy it to your organization's devices. For info about deployment options, see:
- [Create a configuration baseline that includes the new configuration item](/mem/configmgr/compliance/deploy-use/create-configuration-baselines) After you've created your WIP policy, deploy it to your organization's devices. For more information about deployment options, see the following articles:
- [Create a new collection](/mem/configmgr/core/clients/manage/collections/create-collections) - [Create a configuration baseline that includes the new configuration item](/mem/configmgr/compliance/deploy-use/create-configuration-baselines).
- [Deploy the baseline to the collection](/mem/configmgr/compliance/deploy-use/deploy-configuration-baselines) - [Create a new collection](/mem/configmgr/core/clients/manage/collections/create-collections).
- Move devices from old collection to new collection - [Deploy the baseline to the collection](/mem/configmgr/compliance/deploy-use/deploy-configuration-baselines).
- Move devices from the old collection to new collection.
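Review bot: the new lead-in says "see the following articles", but the last bullet, "Move devices from the old collection to new collection.", is an action with no link, and it is also missing "the" before "new collection". The four bullets read as an ordered sequence (create baseline, create collection, deploy, move devices), so a numbered list with a lead-in such as "complete the following steps" would fit better. The trailing periods added after the link-only bullets are inconsistent with the other link lists visible in this file.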