diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md index 1bf6c06da4..60a66db5c9 100644 --- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md +++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md @@ -40,7 +40,7 @@ You can add apps to your Windows Information Protection (WIP) protected app list 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. >[!Note] - >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule. + >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule. 6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. @@ -67,8 +67,9 @@ You can add apps to your Windows Information Protection (WIP) protected app list ``` -15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.

-After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic. +15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**. + + After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic. ## Add Desktop apps 1. Open the Local Security Policy snap-in (SecPol.msc). @@ -91,7 +92,7 @@ After saving the policy, you’ll need to deploy it to your employee’s devices >You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future. >[!Note] - >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. + >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. 6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 6fd0497318..ab2695ebf7 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -21,7 +21,7 @@ If you don’t already have an EFS DRA certificate, you’ll need to create and The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices. >[!IMPORTANT] ->If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).

If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. +>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).

If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. **To manually create an EFS DRA certificate** @@ -71,7 +71,8 @@ The recovery process included in this topic only works for desktop devices. WIP Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx. -**To quickly recover WIP-protected desktop data after unenrollment**
+**To quickly recover WIP-protected desktop data after unenrollment** + It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps. >[!IMPORTANT] @@ -95,7 +96,8 @@ It's possible that you might revoke data from an unenrolled device only to later The Windows Credential service automatically recovers the employee’s previously revoked keys from the Recovery\Input location. -**To quickly recover WIP-protected desktop data in a cloud-based environment**
+**To quickly recover WIP-protected desktop data in a cloud-based environment** + If you use a cloud environment in your organization, you may still want to restore an employee's data after revocation. While much of the process is the same as when you're not in a cloud environment, there are a couple of differences. >[!IMPORTANT] @@ -135,5 +137,7 @@ If you use a cloud environment in your organization, you may still want to resto - [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA) -

**Note**
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). + +>[!Note] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/keep-secure/deploy-wip-policy-using-intune.md b/windows/keep-secure/deploy-wip-policy-using-intune.md index c9977fec21..76abd68b76 100644 --- a/windows/keep-secure/deploy-wip-policy-using-intune.md +++ b/windows/keep-secure/deploy-wip-policy-using-intune.md @@ -25,13 +25,15 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll ![Microsoft Intune: Click the Manage Deployment link from the Configuration Policies screen](images/intune-managedeployment.png) -2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

-The added people move to the **Selected Groups** list on the right-hand pane. +2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. + + The added people move to the **Selected Groups** list on the right-hand pane. ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-groupselection.png) -3. After you've picked all of the employees and groups that should get the policy, click **OK**.

-The policy is deployed to the selected users' devices. +3. After you've picked all of the employees and groups that should get the policy, click **OK**. + + The policy is deployed to the selected users' devices. >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md index 18106bc1bf..265ffe048d 100644 --- a/windows/keep-secure/protect-enterprise-data-using-wip.md +++ b/windows/keep-secure/protect-enterprise-data-using-wip.md @@ -28,7 +28,7 @@ You’ll need this software to run WIP in your enterprise: |Operating system | Management solution | |-----------------|---------------------| -|Windows 10, version 1607 or later | Microsoft Intune
-OR-
System Center Configuration Manager
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| +|Windows 10, version 1607 or later | Microsoft Intune

-OR-

System Center Configuration Manager

-OR-

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| ## What is enterprise data control? Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can’t share anything and it’s all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure. @@ -130,7 +130,7 @@ You can set your WIP policy to use 1 of 4 protection and management modes: |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). | |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| -|Off |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.

**Note**
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. | +|Off |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.

**Note**
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. | ## Turn off WIP You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied. diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md index a0c2aaf46e..a2d5c9f975 100644 --- a/windows/keep-secure/testing-scenarios-for-wip.md +++ b/windows/keep-secure/testing-scenarios-for-wip.md @@ -29,12 +29,12 @@ You can try any of the processes included in these scenarios, but you should foc Encrypt and decrypt files using File Explorer. - For desktop:

+ For desktop:

  1. Open File Explorer, right-click a work document, and then click Work from the File Ownership menu.
    Make sure the file is encrypted by right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area. The file should show up under the heading, This enterprise domain can remove or revoke access: <your_enterprise_identity>. For example, contoso.com.
  2. In File Explorer, right-click the same document, and then click Personal from the File Ownership menu.
    Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the General tab, and then verifying that the Details button is unavailable.
- For mobile:

+ For mobile:

  1. Open the File Explorer app, browse to a file location, click the elipsis (...), and then click Select to mark at least one file as work-related.
  2. Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work.
    Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
  3. @@ -44,11 +44,11 @@ You can try any of the processes included in these scenarios, but you should foc Create work documents in enterprise-allowed apps. - For desktop:

    + For desktop:

    - For mobile:

    + For mobile:

    1. Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as Work to a local, work-related location.
      Make sure the document is encrypted, by locating the Briefcase icon next to the file name.
    2. Open the same document and attempt to save it to a non-work-related location.
      WIP should stop you from saving the file to this location.
    3. @@ -104,7 +104,7 @@ You can try any of the processes included in these scenarios, but you should foc
      1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
        Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
      2. Open File Explorer and make sure your modified files are appearing with a Lock icon.
      3. -
      4. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

        Note
        Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data.

        A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.

      5. +
      6. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

        Note
        Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data.

        A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
      @@ -133,7 +133,7 @@ You can try any of the processes included in these scenarios, but you should foc
      1. Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.
      2. Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.
        Both browsers should respect the enterprise and personal boundary.
      3. -
      4. Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
        IE11 shouldn't be able to access the sites.

        Note
        Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.

      5. +
      6. Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
        IE11 shouldn't be able to access the sites.

        Note
        Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.
      @@ -151,7 +151,7 @@ You can try any of the processes included in these scenarios, but you should foc Unenroll client devices from WIP.
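Review bot: In the add-apps-to-protected-list-using-custom-uri.md hunk at @@ -40,7 +40,7 @@, the removed and added note text read identically in this view, so the actual change is not visible here; the same holds for the hunks at @@ -21 in create-and-verify-an-efs-dra-certificate.md, @@ -28 and @@ -130 in protect-enterprise-data-using-wip.md, and @@ -29 and @@ -44 in testing-scenarios-for-wip.md. A commit message stating what markup changed on those lines (line-break tags, for example) would let reviewers check the rendered result for regressions instead of guessing.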
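Review bot: In the @@ -67,8 +67,9 @@ hunk of add-apps-to-protected-list-using-custom-uri.md, the newly indented continuation `After saving the policy, you'll need to deploy it to your employee's devices.` should read `employees' devices` (plural possessive); the same phrase appears in the header of the @@ -91 hunk of that file. Indenting the paragraph under step 15 with a blank line and four spaces is the right way to keep the list numbering intact.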
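Review bot: In the @@ -91,7 +92,7 @@ hunk of add-apps-to-protected-list-using-custom-uri.md, the unchanged context line just above the note (`>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value...`) recommends Path rules, while the note directly below it warns that a Path rule lets a renamed DisallowedApp.exe bypass WIP. Reword that context line to state the trade-off (Path rules avoid hash churn but are weaker than File hash rules), or fold it into the note, so readers are not given opposite advice back to back. Two smaller points in the same note: `there's **Path** rules` should be `there are **Path** rules`, and the example path `%PROGRAMFILES%/NOTEPAD.EXE` uses a forward slash where a Windows path rule would be written with a backslash.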
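Review bot: In the @@ -71,7 +71,8 @@ and @@ -95,7 +96,8 @@ hunks of create-and-verify-an-efs-dra-certificate.md, the added blank line after `**To quickly recover WIP-protected desktop data after unenrollment**` stops the paragraph from running into the bold line, but these bold lines serve as section titles (alongside `**To manually create an EFS DRA certificate**` in the context); consider making them real headings so they get anchors and show up in the page TOC.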
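Review bot: In the @@ -135,5 +137,7 @@ hunk of create-and-verify-an-efs-dra-certificate.md, the new alert is written `>[!Note]`, while the same contributor note in deploy-wip-policy-using-intune.md uses `>[!NOTE]` and this file's other alerts use `>[!IMPORTANT]`; use the uppercase `>[!NOTE]` form for consistency across the set.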
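Review bot: In the @@ -25,13 +25,15 @@ hunk of deploy-wip-policy-using-intune.md, the continuation paragraphs are now indented under steps 2 and 3, but the screenshot lines between the steps (`![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-groupselection.png)`) are unchanged context; if they are not indented to the same depth, some renderers close the list at the image and restart the next step at 1, so check the rendered page or indent the image lines as well.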
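Review bot: In the @@ -28,7 +28,7 @@ hunk of protect-enterprise-data-using-wip.md, the management-solution cell packs three alternatives separated by `-OR-` into one table cell, and the sentence about the EnterpriseDataProtection CSP applies only to the third option; one row per solution (or a bulleted list below the table) would keep that caveat next to the option it belongs to. Also `3rd party` should be `third-party` (three occurrences in the cell).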
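Review bot: In the @@ -130,7 +130,7 @@ hunk of protect-enterprise-data-using-wip.md, the `Off` row repeats what the `## Turn off WIP` section directly below already states (WIP-tagged files are decrypted, and decryption and policy info are not reapplied when WIP is turned back on) and embeds a `**Note**` with two cross-reference links inside the table cell. Keep the row to its one-line description and point to the `Turn off WIP` section, and move the note below the table as a `>[!NOTE]` alert, matching the conversion this commit makes in create-and-verify-an-efs-dra-certificate.md.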
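Review bot: In the @@ -29,12 +29,12 @@ hunk of testing-scenarios-for-wip.md, the mobile steps in the same cell spell `elipsis` twice; correct to `ellipsis`, and `drop down menu` should be `drop-down menu`. Since this commit already touches the cell's line breaks, these fixes belong in the same change.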
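Review bot: In the @@ -104,7 +104,7 @@ hunk of testing-scenarios-for-wip.md, the note sentence `Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.` has a stray comma before `should`. The step `Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list` also never says what WIP should do for the off-list apps; state the expected result, as the other scenarios do (`WIP should stop you from saving the file to this location.`), so a tester can tell pass from fail.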
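Review bot: In the @@ -133,7 +133,7 @@ hunk of testing-scenarios-for-wip.md, the step text uses `allowed app list` while the first step in the same cell and the @@ -104 hunk use `allowed apps list`; pick one form. The expected outcome `IE11 shouldn't be able to access the sites` could also state that Microsoft Edge, which step 1 leaves on the list, should still reach the same resource, so the test distinguishes a working per-app policy from a broken network rule.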