From 6fd5a0187152f2ed624d3e464c00cd5effcc8857 Mon Sep 17 00:00:00 2001 From: MSFTandrelom <54631941+MSFTandrelom@users.noreply.github.com> Date: Wed, 11 Sep 2019 14:01:44 +0300 Subject: [PATCH 1/4] Update credential-guard-manage.md Customer pointed out that while they were following steps outlined in the article, they ran into some errors. Validation revealed that step 3 in the feature installation procedure is outdated as of Windows 10 1607. Added a note about that --- .../credential-guard/credential-guard-manage.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index b8b2673d47..f1ac04eb7a 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -86,6 +86,8 @@ You can do this by using either the Control Panel or the Deployment Image Servic ``` dism /image: /Enable-Feature /FeatureName:IsolatedUserMode ``` +> [!NOTE] +> In Windows 10 1607 or later versions, Isolated User Mode feature has been integrated into the core Operating system, so running the above command step 3 is no longer necessary > [!NOTE] > You can also add these features to an online image by using either DISM or Configuration Manager. From 47670360a1d604cf8b6ad8bc223af22bd7941b02 Mon Sep 17 00:00:00 2001 From: MSFTandrelom <54631941+MSFTandrelom@users.noreply.github.com> Date: Thu, 12 Sep 2019 09:31:46 +0300 Subject: [PATCH 2/4] Update windows/security/identity-protection/credential-guard/credential-guard-manage.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../credential-guard/credential-guard-manage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index f1ac04eb7a..20e0057677 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -87,7 +87,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic dism /image: /Enable-Feature /FeatureName:IsolatedUserMode ``` > [!NOTE] -> In Windows 10 1607 or later versions, Isolated User Mode feature has been integrated into the core Operating system, so running the above command step 3 is no longer necessary +> In Windows 10 1607 and later versions, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required. > [!NOTE] > You can also add these features to an online image by using either DISM or Configuration Manager. From e796b37f5601f860a5cbd2661430d22ad6949ad2 Mon Sep 17 00:00:00 2001 From: MSFTandrelom <54631941+MSFTandrelom@users.noreply.github.com> Date: Sat, 14 Sep 2019 09:44:52 +0300 Subject: [PATCH 3/4] Update windows/security/identity-protection/credential-guard/credential-guard-manage.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../credential-guard/credential-guard-manage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 20e0057677..239a1d56a5 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -87,7 +87,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic dism /image: /Enable-Feature /FeatureName:IsolatedUserMode ``` > [!NOTE] -> In Windows 10 1607 and later versions, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required. +> In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required. > [!NOTE] > You can also add these features to an online image by using either DISM or Configuration Manager. From 443c156df824878c9521d51b8cfee613ae47bd20 Mon Sep 17 00:00:00 2001 From: mestew Date: Wed, 8 Jan 2020 12:26:25 -0800 Subject: [PATCH 4/4] Add link for WIP limitations per CSS request. Rebrand of SCCM edits --- .../create-wip-policy-using-sccm.md | 33 +++++++++++-------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md index 61ce1a5f3b..288347b3aa 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -1,9 +1,9 @@ --- -title: Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10) -description: Configuration Manager (version 1606 or later) helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager (Windows 10) +description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data. ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 ms.reviewer: -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager, MEMCM, Microsoft Endpoint Configuration Manager ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -15,26 +15,29 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/13/2019 +ms.date: 01/09/2020 --- -# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager +# Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager **Applies to:** - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later -- System Center Configuration Manager +- Microsoft Endpoint Configuration Manager -System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. +Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. ## Add a WIP policy -After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. +After you’ve installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. + +>[!TIP] +> Review the [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) article before creating a new configuration item to avoid common issues. **To create a configuration item for WIP** -1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. +1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. - ![System Center Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png) + ![Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png) 2. Click the **Create Configuration Item** button.

The **Create Configuration Item Wizard** starts. @@ -43,7 +46,7 @@ The **Create Configuration Item Wizard** starts. 3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. -4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**. +4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**. - **Settings for devices managed with the Configuration Manager client:** Windows 10 @@ -62,7 +65,7 @@ The **Create Configuration Item Wizard** starts. The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. ## Add app rules to your policy -During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. +During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. @@ -295,9 +298,9 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* ``` -12. After you’ve created your XML file, you need to import it by using System Center Configuration Manager. +12. After you’ve created your XML file, you need to import it by using Configuration Manager. -**To import your Applocker policy file app rule using System Center Configuration Manager** +**To import your Applocker policy file app rule using Configuration Manager** 1. From the **App rules** area, click **Add**. The **Add app rule** box appears. @@ -506,3 +509,5 @@ After you’ve created your WIP policy, you'll need to deploy it to your organiz - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) + +- [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)