update image and Acrolinx

Aaron Czechowski 2022-07-20 11:40:23 -07:00
parent 47b141c70b
commit 09a1ae8b8c
2 changed files with 29 additions and 24 deletions


@ -1,7 +1,7 @@
---
title: How to disable Windows Information Protection (WIP)
description: How to disable Windows Information Protection (WIP) in Microsoft Intune or Configuration Manager.
ms.date: 07/15/2022
description: How to disable Windows Information Protection (WIP) in Microsoft Intune or Microsoft Endpoint Configuration Manager.
ms.date: 07/21/2022
ms.prod: m365-security
ms.topic: how-to
ms.localizationpriority: medium
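Review bot: The new `ms.date: 07/21/2022` in the front matter is one day later than the commit date shown for this change (2022-07-20); set it to the date the content was actually reviewed, or confirm the later date is the intended publish date. The description now says "Microsoft Endpoint Configuration Manager" while the unchanged headings and body further down still say "Configuration Manager"; that is fine as a first-mention full name, but it is worth checking that the short form is used consistently after it.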
@ -17,6 +17,7 @@ _Applies to:_
- Windows 10
- Windows 11
## Use Intune to disable WIP
To disable Windows Information Protection (WIP) using Intune, you have the following options:
@ -24,22 +25,23 @@ To disable Windows Information Protection (WIP) using Intune, you have the follo
### Option 1 - Unassign the WIP policy (preferred)
When you unassign an existing policy, it removes the intent to deploy WIP from those devices. When that intent is removed, the device removes protection for files and the configuration for WIP. For more information, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign).
### Option 2 - Change current WIP policy to off
If youre currently deploying a WIP policy for enrolled or unenrolled devices, you switch the WIP policy to Off. When devices check-in after this change, the devices will proceed to unprotect files previously protected by WIP.
If you're currently deploying a WIP policy for enrolled or unenrolled devices, you switch the WIP policy to Off. When devices check in after this change, the devices will proceed to unprotect files previously protected by WIP.
1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
1. Open Microsoft Intune and select **Apps** > **App protection policies** >
In Client apps - App protection policies, select <> apps. Select the existing policy to turn off.
1. From App protection policy, select the name of your policy, and then select the properties.
1. Open Microsoft Intune and select **Apps** > **App protection policies**.
1. Select the existing policy to turn off, and then select the **Properties**.
1. Edit **Required settings**.
:::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level." source="images/wip-configmgr-disable-wip.png":::
:::image type="content" alt-text="Intune App Protection policy properties, required settings, with WIP mode Off." source="images/intune-edit-app-protection-policy-mode-off.png":::
1. Set **Windows Information Protection mode** to off.
1. After making this change, select **Review and Save**.
1. Select **Save**.
> [!Note]
> [!NOTE]
> **Another option is to create a disable policy that sets WIP to Off.**
>
> You can create a separate disable policy for WIP (both enrolled and unenrolled) and deploy that to a new group. You then can stage the transition to this disabled state. Move devices from the existing group to the new group. This process slowly migrates devices instead of all at once.
### Revoke local encryption keys during the unenrollment process
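Review bot: In the Option 2 steps, "Set **Windows Information Protection mode** to off" uses a lowercase, unformatted "off", while the intro sentence, the NOTE and the new image alt text all write "Off"; make it `**Off**` so the step matches the value shown in the UI and the screenshot. In the rewritten step "Select the existing policy to turn off, and then select the **Properties**", drop "the" before **Properties**. The intro sentence still reads "you switch the WIP policy to Off", which describes rather than instructs; since the same line was already touched for the apostrophe and "check in", consider "you can switch the WIP policy to **Off**". Because the paragraph says devices unprotect previously protected files at their next check-in, a short sentence telling the admin to confirm which groups the policy is assigned to before saving would fit here.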
@ -57,6 +59,7 @@ To remove Windows Information Protection (WIP) using Configuration Manager
>Don't just delete your existing WIP policy. For Configuration Manager there's only one option to create a new policy that turns WIP mode off. Otherwise the devices will remove the Configuration Manager policy but not change the WIP mode.
### Add a WIP policy
To disable WIP for your organization, first create a configuration item.
1. Open the Configuration Manager console, select the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
@ -82,7 +85,6 @@ Set the Windows Information Protection mode to Off.
:::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level." source="images/wip-configmgr-disable-wip.png":::
### Define your enterprise-managed identity domains
> [!TIP]
@ -90,16 +92,18 @@ Set the Windows Information Protection mode to Off.
#### Add your corporate identity
- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
Corporate identity must match the string in the original policy.
Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity.](images/wip-configmgr-corp-identity.png)
> [!IMPORTANT]
> Corporate identity must match the string in the original policy.
### Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
Add additional network locations your apps can access by selecting **Add**.
Add other network locations your apps can access by selecting **Add**.
The **Add or edit corporate network definition** box appears. Add the required fields.
In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy.
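Review bot: The new IMPORTANT callout ("Corporate identity must match the string in the original policy") now sits after the screenshot, so a reader following the instruction types the value before seeing the constraint; move the callout directly under the "Type the name of your corporate identity" sentence and keep the image last. The callout would also be clearer if it said that the whole string has to match, including the `|`-separated form shown in the example `contoso.com|newcontoso.com`. The screenshot in this section still uses Markdown image syntax while the Intune screenshot changed in this commit uses the `:::image type="content"` form; converting it would keep the article consistent.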
@ -107,12 +111,13 @@ In the required **Upload a Data Recovery Agent (DRA) certificate to allow recove
![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate.](images/wip-configmgr-dra.png)
### Deploy the WIP policy
After you've created your WIP policy, you'll need to deploy it to your organization's devices. For info about deployment options, see:
- [Create a configuration baseline that includes the new configuration item](/mem/configmgr/compliance/deploy-use/create-configuration-baselines)
After you've created your WIP policy, deploy it to your organization's devices. For more information about deployment options, see the following articles:
- [Create a new collection](/mem/configmgr/core/clients/manage/collections/create-collections)
- [Create a configuration baseline that includes the new configuration item](/mem/configmgr/compliance/deploy-use/create-configuration-baselines).
- [Deploy the baseline to the collection](/mem/configmgr/compliance/deploy-use/deploy-configuration-baselines)
- [Create a new collection](/mem/configmgr/core/clients/manage/collections/create-collections).
- Move devices from old collection to new collection
- [Deploy the baseline to the collection](/mem/configmgr/compliance/deploy-use/deploy-configuration-baselines).
- Move devices from the old collection to new collection.
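Review bot: The intro now says "see the following articles", but the last item, "Move devices from the old collection to new collection.", is an action with no link, and it is missing "the" before "new collection". Either reword the intro so it covers both linked articles and plain steps, or split the unlinked step out of the list. The items also describe a sequence (create the baseline, create the collection, deploy, move devices), so a numbered list would state the order explicitly instead of leaving it to bullet position.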