This command is selected by default.| - |**Load Noise Filter File**|Opens the **Open Noise Filter File** dialog box, in which you can load an existing noise filter (.xml) file.| - |**Export Noise Filter File**|Opens the **Save Noise Filter File** dialog box, in which you can save filter settings as a noise filter (.xml) file.| - |**Only Display Records with Application Name in StackTrace**|Filters out records that do not have the application name in the stack trace.
However, because the SUA tool captures only the first 32 stack frames, this command can also filter out real issues with the application where the call stack is deeper than 32 frames.| - |**Show More Details in StackTrace**|Shows additional stack frames that are related to the SUA tool, but not related to the diagnosed application.| - |**Warn Before Deleting AppVerifier Logs**|Displays a warning message before the SUA tool deletes all of the existing SUA-related log files on the computer.
This command is selected by default.| - |**Logging**|Provides the following logging-related options:
To maintain a manageable file size, we recommend that you do not select the option to show informational messages.| - - diff --git a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md deleted file mode 100644 index 1b714e4247..0000000000 --- a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md +++ /dev/null @@ -1,76 +0,0 @@ ---- -title: Available Data Types and Operators in Compatibility Administrator (Windows 10) -description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Available Data Types and Operators in Compatibility Administrator - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Compatibility Administrator tool provides a way to query your custom-compatibility databases. - -## Available Data Types - -Customized-compatibility databases in Compatibility Administrator contain the following data types. - -- **Integer**. A numerical value with no fractional part. All integers are unsigned because none of the attributes can have a negative value. - -- **String**. A series of alphanumeric characters manipulated as a group. - -- **Boolean**. A value of True or False. - -## Available Attributes - -The following table shows the attributes you can use for querying your customized-compatibility databases in Compatibility Administrator. - -|Attribute|Description|Data type| -|--- |--- |--- | -|APP_NAME|Name of the application.|String| -|DATABASE_GUID|Unique ID for your compatibility database.|String| -|DATABASE_INSTALLED|Specifies if you have installed the database.|Boolean| -|DATABASE_NAME|Descriptive name of your database.|String| -|DATABASE_PATH|Location of the database on your computer.|String| -|FIX_COUNT|Number of compatibility fixes applied to a specific application.|Integer| -|FIX_NAME|Name of your compatibility fix.|String| -|MATCH_COUNT|Number of matching files for a specific, fixed application.|Integer| -|MATCHFILE_NAME|Name of a matching file used to identify a specific, fixed application.|String| -|MODE_COUNT|Number of compatibility modes applied to a specific, fixed application.|Integer| -|MODE_NAME|Name of your compatibility mode.|String| -|PROGRAM_APPHELPTYPE|Type of AppHelp message applied to an entry. The value can be 1 or 2, where 1 enables the program to run and 2 blocks the program.|Integer| -|PROGRAM_DISABLED|Specifies if you disabled the compatibility fix for an application. If True, Compatibility Administrator does not apply the fixes to the application.|Boolean| -|PROGRAM_GUID|Unique ID for an application.|String| -|PROGRAM_NAME|Name of the application that you are fixing.|String| - -## Available Operators - -The following table shows the operators that you can use for querying your customized-compatibility databases in the Compatibility Administrator. - -|Symbol|Description|Data type|Precedence| -|--- |--- |--- |--- | -|>|Greater than|Integer or string|1| -|>=|Greater than or equal to|Integer or string|1| -|<|Less than|Integer or string|1| -|<=|Less than or equal to|Integer or string|1| -|<>|Not equal to|Integer or string|1| -|=|Equal to|Integer, string, or Boolean|1| -|HAS|A special SQL operator used to check if the left-hand operand contains a substring specified by the right-hand operand.|Left-hand operand. MATCHFILE_NAME, MODE_NAME, FIX_NAME
The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the **\Device\Physical** memory information.| -|BlockRunasInteractiveUser|This problem occurs when **InstallShield** creates installers and uninstallers that fail to complete and that generate error messages or warnings.
The fix blocks **InstallShield** from setting the value of RunAs registry keys to InteractiveUser Because InteractiveUser no longer has Administrator rights.
The fix intercepts the **SHGetFolder**path request to the common **appdata** file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.| -|ClearLastErrorStatusonIntializeCriticalSection|This fix is indicated when an application fails to start.
The fix modifies the InitializeCriticalSection function call so that it checks the NTSTATUS error code, and then sets the last error to ERROR_SUCCESS.| -|CopyHKCUSettingsFromOtherUsers|This problem occurs when an application's installer must run in elevated mode and depends on the HKCU settings that are provided for other users.
The fix scans the existing user profiles and tries to copy the specified keys into the HKEY_CURRENT_USER registry area.
You can control this fix further by entering the relevant registry keys as parameters that are separated by the ^ Symbol; for example: Software\MyCompany\Key1^Software\MyCompany\Key2.
The fix corrects the brush style hatch value, which is passed to the CreateBrushIndirect() function and enables the information to be correctly interpreted.| -|CorrectFilePaths|This problem occurs when:
The fix modifies the file path names to point to a new location on the hard disk.
The fix corrects the file paths that are used by the uninstallation process of an application.
The fix intercepts the ShellExecute(Ex) calls, and then inspects the HWND value. If the value is invalid, this fix enables the call to use the currently active HWND value.
You can control this fix further by typing the following command at the command prompt:
`DLL_Name;Flag_Type;Hexidecimal_Value`
Where the DLL_Name is the name of the specific DLL, including the file extension. Flag_Type is KERNEL, USER, or PROCESS, and a Hexidecimal_Value, starting with 0x and up to 64 bits long.
The fix intercepts the CreateService function calls and removes the deprecated dependency service from the lpDependencies parameter.
You can control this fix further by typing the following command at the command prompt:
`Deprecated_Service\App_Service/Deprecated_Service2 \App_Service2` where:
The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version.
You can control this fix further by typing the following command at the command prompt:
`MAJORVERSION.MINORVERSION.LETTER`
For example, 9.0.c.| -|DetectorDWM8And16Bit|This fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes aren't supported in Windows 8 .| -|Disable8And16BitD3D|This fix improves performance of 8/16-bit color applications that render using D3D and don't mix direct draw.| -|Disable8And16BitModes|This fix disables 8/16-bit color mitigation and enumeration of 8/16-bit color modes.| -|DisableDWM|The problem occurs when some objects aren't drawn or object artifacts remain on the screen in an application.
The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.
The fix disables the fade animations functionality for unsupported applications.| -|DisableThemeMenus|The problem occurs when an application behaves unpredictably when it tries to detect and use the correct Windows settings.
The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.| -|DisableWindowsDefender|The fix disables Windows Defender for security applications that don't work with Windows Defender.| -|DWM8And16BitMitigation|The fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes aren't supported in Windows 8.| -|DXGICompat|The fix allows application-specific compatibility instructions to be passed to the DirectX engine.| -|DXMaximizedWindowedMode|Applications that use DX8/9 are run in a maximized windowed mode. This is required for applications that use GDI/DirectDraw in addition to Direct3D.| -|ElevateCreateProcess|The problem is indicated when:
The fix handles the error code and attempts to recall the CreateProcess function together with requested elevation. If the fixed application already has a UAC manifest, the error code is returned unchanged.
The fix exchanges the PathIsUNC function to return a value of True for UNC paths in Windows.| -|EmulateGetDiskFreeSpace|The problem is indicated when an application fails to install or to run. An error message is generated that there isn't enough free disk space to install or use the application. The error message occurs even though there's enough free disk space to meet the application requirements.
The fix determines the amount of free space. If the amount of free space is larger than 2 GB, the compatibility fix returns a value of 2 GB. However, if the amount of free space is smaller than 2 GB, the compatibility fix returns the actual-free space amount.
The fix forces applications that use the CompareStringW/LCMapString sorting table to use an older version of the table.
The fix enables the computer to restart and finish the installation process by verifying and enabling that the SeShutdownPrivilege service privilege exists.
The fix invokes the AddRef() method on the Desktop folder, which the SHGetDesktopFolder function returns, to counteract the problem.| -|FailObsoleteShellAPIs|The problem occurs when an application fails because it generated deprecated API calls.
The fix either fully implements the obsolete functions or implements the obsolete functions with stubs that fail.
This fix fails calls to RemoveDirectory() when called with a path matching the one specified in the shim command line. Only a single path is supported. The path can contain environment variables, but must be an exact path - no partial paths are supported.
The fix resolves an issue where an application expects RemoveDirectory() to delete a folder immediately even though a handle is open to it.| -|FakeLunaTheme|The problem occurs when a theme application doesn't properly display: the colors are washed out or the user interface isn't detailed.
The fix intercepts the GetCurrentThemeName API and returns the value for the Windows XP default theme (Luna).
The fix enables the WriteFile function to call to the FlushFileBuffers APIs, which flush the file cache onto the hard disk.| -|FontMigration|The fix replaces an application-requested font with a better font selection, to avoid text truncation.| -|ForceAdminAccess|The problem occurs when an application fails to function during an explicit administrator check.
The fix allows the user to temporarily imitate being a part of the Administrators group by returning a value of True during the administrator check.
The fix exchanges GetDriveType() so that only the root information appears for the file path. This is required when an application passes an incomplete or badly formed file path when it tries to retrieve the drive type on which the file path exists.| -|GlobalMemoryStatusLie|The problem occurs when a Computer memory full error message that displays when you start an application.
The fix modifies the memory status structure, so that it reports a swap file that is 400 MB, regardless of the true swap file size.| -|HandleBadPtr|The problem occurs when an access violation error message that displays because an API is performing pointer validation before it uses a parameter.
The fix supports using lpBuffer validation from the InternetSetOptionA and InternetSetOptionW functions to perform the more parameter validation.| -|HandleMarkedContentNotIndexed|The problem occurs when an application that fails when it changes an attribute on a file or directory.
The fix intercepts any API calls that return file attributes and directories that are invoked from the %TEMP% directory. The fix then resets the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute to its original state.| -|HeapClearAllocation|The problem is indicated when the allocation process shuts down unexpectedly.
The fix uses zeros to clear out the heap allocation for an application.| -|IgnoreAltTab|The problem occurs when an application fails to function when special key combinations are used.
The fix intercepts the RegisterRawInputDevices API and prevents the delivery of the WM_INPUT messages. This delivery failure forces the included hooks to be ignored and forces DInput to use Windows-specific hooks.
The fix links the FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindFirstFileW, and FindFirstFileA APIs to prevent them from returning directory junctions.
The fix enables the application to ignore specified exceptions. By default, this fix ignores privileged-mode exceptions; however, it can be configured to ignore any exception.
You can control this fix further by typing the following command at the command prompt:
`Exception1;Exception2`
Where Exception1 and Exception2 are specific exceptions to be ignored. For example: ACCESS_VIOLATION_READ:1;ACCESS_VIOLATION_WRITE:1.
**Important:** You should use this compatibility fix only if you're certain that it's acceptable to ignore the exception. You might experience more compatibility issues if you choose to incorrectly ignore an exception.
Before the C runtime library supported floating point SSE2, it ignored the rounding control request and used the round to nearest option by default. This shim ignores the rounding control request to support applications relying on old behavior.| -|IgnoreFontQuality|The problem occurs when application text appears to be distorted.
The fix enables color-keyed fonts to properly work with anti-aliasing.| -|IgnoreMessageBox|The problem occurs when a message box that displays with debugging or extraneous content when the application runs on an unexpected operating system.
The fix intercepts the MessageBox* APIs and inspects them for specific message text. If matching text is found, the application continues without showing the message box.
The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system anytime that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix ignores the registered MSOXMLMF and fails the CoGetClassObject for its CLSID.| -|IgnoreSetROP2|The fix ignores read-modify-write operations on the desktop to avoid performance issues.| -|InstallComponent|The fix prompts the user to install.Net 3.5 or .NET 2.0 because .NET isn't included with Windows 8.| -|LoadLibraryRedirect|The fix forces an application to load system versions of libraries instead of loading redistributable versions that shipped with the application.| -|LocalMappedObject|The problem occurs when an application unsuccessfully tries to create an object in the Global namespace.
The fix intercepts the function call to create the object and replaces the word Global with Local.
The fix locates any RunDLL.exe-based uninstallers and forces them to run with different credentials during the application installation. After it applies this fix, the installer will create a shortcut that specifies a matching string to run during the application installationenabling the uninstallation to occur later.
The fix forces the CopyFile APIs to run instead of the MoveFile APIs. CopyFile APIs avoid moving the security descriptor, which enables the application files to get the default descriptor of the destination folder and prevents the security access issue.| -|OpenDirectoryAcl|The problem occurs when an error message that states that you don't have the appropriate permissions to access the application.
The fix reduces the security privilege levels on a specified set of files and folders.
The fix handles the failure case by passing a fake process performance data registry key, so that the application perceives that it's the only instance running.
The fix sets the _PROCESS_HISTORY environment variable so that child processes can look in the parent directory for matching information while searching for application fixes.| -|ProtectedAdminCheck|The problem occurs when an application fails to run because of incorrect Protected Administrator permissions.
The fix addresses the issues that occur when applications use non-standard Administrator checks. This issue can result in false positives for user accounts that are being run as Protected Administrators. In this case, the associated SID exists, but the SID is set as deny-only.| -|RedirectCRTTempFile|The fix intercepts failing CRT calls that try to create a temporary file at the root of the volume. The fix instead redirects the calls to a temporary file in the user's temporary directory.| -|RedirectHKCUKeys|The problem occurs when an application can't be accessed because of User Account Control (UAC) restrictions.
The fix duplicates any newly created HKCU keys to other users' HKCU accounts. This fix is generic for UAC restrictions, whereby the HKCU keys are required, but are unavailable to an application at runtime.| -|RedirectMP3Codec|This problem occurs when you can't play MP3 files.
The fix intercepts the CoCreateInstance call for the missing filter and then redirects it to a supported version.| -|RedirectShortcut|The problem occurs when an application's shortcut can't be accessed, or the application uninstallation process doesn't remove application shortcuts.
The fix redirects all of the shortcuts created during the application setup to appear according to a specified path.
Start Menu shortcuts: Appear in the \ProgramData\Microsoft\Windows\Start Menu directory for all users.
Desktop or Quick Launch shortcuts: You must manually place the shortcuts on the individual user's desktop or Quick Launch bar.
This issue occurs because of UAC restrictions: specifically, when an application setup runs by using elevated privileges and stores the shortcuts according to the elevated user's context. In this situation, a restricted user can't access the shortcuts.
You can't apply this fix to an .exe file that includes a manifest and provides a run level.| -|RelaunchElevated|The problem occurs when installers, uninstallers, or updaters fail when they're started from a host application.
The fix enables a child .exe file to run with elevated privileges when it's difficult to determine the parent process with either the ElevateCreateProcess fix or by marking the .exe files to RunAsAdmin.
The fix retries the call and requests a more restricted set of rights that include the following items:
The fix retries the OpenService() API call and verifies that the user has Administrator rights, isn't a Protected Administrator, and by using read-only access. Applications can test for the existence of a service by calling the OpenService() API but some applications ask for all access when making this check. This fix retries the call but only asking for read-only access. The user needs to be an administrator for this fix to work
The fix enables the application to run by using elevated privileges. The fix is the equivalent of specifying requireAdministrator in an application manifest.
The fix enables the application to run by using the highest available permissions. This fix is the equivalent of specifying highestAvailable in an application manifest.
The fix enables the application to run by using the privileges that are associated with the creation process, without requiring elevation. This fix is the equivalent of specifying asInvoker in an application manifest.
At the command prompt, you can supply a list of objects to modify, separating the values by a double backslash (). Or, you can choose not to include any parameters, so that all of the objects are modified.
**Important:** Users can't sign in as Session 0 (Global Session) in Windows Vista and later. Therefore, applications that require access to Session 0 automatically fail.
You can control this fix further by typing the following command at the command prompt:`Client;Protocol;App`
Where the Client is the name of the email protocol, Protocol is mailto, and App is the name of the application.
The fix disables the Wow64 file system that is used by the 64-bit editions of Windows, to prevent 32-bit applications from accessing 64-bit file systems during the application setup.| -|SharePointDesigner2007|The fix resolves an application bug that severely slows the application when it runs in DWM.| -|ShimViaEAT|The problem occurs when an application fails, even after applying a compatibility fix that is known to fix an issue. Applications that use unicows.dll or copy protection often present this issue.
The fix applies the specified compatibility fixes by modifying the export table and by nullifying the use of module inclusion and exclusion.
The fix intercepts the ShowWindow API call to address the issues that can occur when a web application determines that it is in a child window. This fix calls the real ShowWindow API on the top-level parent window.| -|SierraWirelessHideCDROM|The fix repairs the Sierra Wireless Driver installation preventing bugcheck.| -|Sonique2|The application uses an invalid window style, which breaks in DWM. This fix replaces the window style with a valid value.| -|SpecificInstaller|The problem occurs when the GenericInstaller function fails to pick up an application installation file.
The fix flags the application as being an installer file (for example, setup.exe), and then prompts for elevation.
The fix flags the application to exclude it from detection by the GenericInstaller function.
The fix enables customized Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the RegisterWindowMessage function, followed by the ChangeWindowMessageFilter function in the code.
You can control this fix further by typing the following command at the command prompt:
`MessageString1 MessageString2`
Where MessageString1 and MessageString2 reflect the message strings that can pass.
The fix enables standard Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the ChangeWindowMessageFilter function in the code.
You can control this fix further by typing the following command at the command prompt:
`1055 1056 1069`
Where 1055 reflects the first message ID, 1056 reflects the second message ID, and 1069 reflects the third message ID that can pass.
The fix enables the registry functions to allow for virtualization, redirection, expansion values, version spoofing, the simulation of performance data counters, and so on.
For more detailed information about this application fix, see [Using the VirtualRegistry Fix](/previous-versions/windows/it-pro/windows-7/cc749368(v=ws.10)).| -|VirtualizeDeleteFile|The problem occurs when several error messages display and the application can't delete files.
The fix makes the application's DeleteFile function call a virtual call to remedy the UAC and file virtualization issues that were introduced with Windows Vista. This fix also links other file APIs (for example, GetFileAttributes) to ensure that the virtualization of the file is deleted.
The fix redirects the HKCR write calls (HKLM) to the HKCU hive for a per-user COM registration. This fix operates much like the VirtualRegistry fix when you use the VirtualizeHKCR parameter; however, VirtualizeHKCRLite provides better performance.
HKCR is a virtual merge of the HKCU\Software\Classes and HKLM\Software\Classes directories. The use of HKCU is preferred if an application isn't elevated and is ignored if the application is elevated.
You typically use this compatibility fix with the VirtualizeRegisterTypeLib fix.
For more detailed information about this application fix, see [Using the VirtualizeHKCRLite Fix](/previous-versions/windows/it-pro/windows-7/dd638327(v=ws.10)).|
-|VirtualizeRegisterTypeLib|The fix when used with the VirtualizeHKCRLite fix, ensures that the type library and the COM class registration happen simultaneously. This fix functions much like the RegistryTypeLib fix when the RegisterTypeLibForUser parameter is used.
The fix enables the application to ignore the format error and continue to function properly.| -|WerDisableReportException|The fix turns off the silent reporting of exceptions, including those exceptions reported by Object Linking and Embedding-Database (OLE DB), to the Windows Error Reporting tool. The fix intercepts the RtlReportException API and returns a STATUS_NOT_SUPPORTED error message.| -|Win7RTM/Win8RTM|The layer provides the application with Windows 7/Windows 8 compatibility mode.| -|WinxxRTMVersionLie|The problem occurs when an application fails because it doesn't find the correct version number for the required Windows operating system.
All version lie compatibility fixes address the issue whereby an application fails to function because it's checking for, but not finding, a specific version of the operating system. The version lie fix returns the appropriate operating system version information. For example, the VistaRTMVersionLie returns the Windows Vista version information to the application, regardless of the actual operating system version that is running on the computer.| -|Wing32SystoSys32|The problem occurs when an error message that states that the WinG library wasn't properly installed.
The fix detects whether the WinG32 library exists in the correct directory. If the library is located in the wrong location, this fix copies the information (typically during the runtime of the application) into the %WINDIR% \system32 directory.
**Important:** The application must have Administrator privileges for this fix to work.| -|WinSrv08R2RTM|| -|WinXPSP2VersionLie|The problem occurs when an application experiences issues because of a VB runtime DLL.
The fix forces the application to follow these steps:
The fix skips the processes of registering and unregistering WRP-protected COM components when calling the DLLRegisterServer and DLLUnregisterServer functions.
You can control this fix further by typing the following command at the command prompt:
`Component1.dll;Component2.dll`
Where Component1.dll and Component2.dll reflect the components to be skipped.
The fix emulates the successful authentication and modification of file and registry APIs, so that the application can continue.
The fix verifies whether the registry key is WRP-protected. If the key is protected, this fix emulates the deletion process.| -|XPAfxIsValidAddress|The fix emulates the behavior of Windows XP for MFC42!AfxIsValidAddress.| - -## Compatibility Modes - -The following table lists the known compatibility modes. - -|Compatibility Mode Name|Description|Included Compatibility Fixes| -|--- |--- |--- | -|WinSrv03|Emulates the Windows Server 2003 operating system.|
This option is available only after you apply an application fix and before you close the SUA tool. Alternatively, you can manually remove application fixes by using **Programs and Features** in Control Panel.| - |**Export Mitigations as Windows Installer file**|Exports your application fixes as a Windows® Installer (.msi) file, which can then be deployed to other computers that are running the application.| \ No newline at end of file diff --git a/windows/deployment/planning/images/dep-win8-l-act-appcallosthroughiat.jpg b/windows/deployment/planning/images/dep-win8-l-act-appcallosthroughiat.jpg deleted file mode 100644 index 2ab0b3c13d..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-l-act-appcallosthroughiat.jpg and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-l-act-appredirectwithcompatfix.jpg b/windows/deployment/planning/images/dep-win8-l-act-appredirectwithcompatfix.jpg deleted file mode 100644 index a4a4f4f616..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-l-act-appredirectwithcompatfix.jpg and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-l-act-compatadminflowchart.jpg b/windows/deployment/planning/images/dep-win8-l-act-compatadminflowchart.jpg deleted file mode 100644 index a6b484d53c..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-l-act-compatadminflowchart.jpg and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-l-act-suaflowchart.jpg b/windows/deployment/planning/images/dep-win8-l-act-suaflowchart.jpg deleted file mode 100644 index 07865c7c75..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-l-act-suaflowchart.jpg and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-l-act-suawizardflowchart.jpg b/windows/deployment/planning/images/dep-win8-l-act-suawizardflowchart.jpg deleted file mode 100644 index 9357e6f3bb..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-l-act-suawizardflowchart.jpg and /dev/null differ diff --git a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md deleted file mode 100644 index e7265156ef..0000000000 --- a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md +++ /dev/null @@ -1,63 +0,0 @@ ---- -title: Install/Uninstall Custom Databases (Windows 10) -description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers. - -By default, the Windows® operating system installs a System Application Fix database for use with the Compatibility Administrator. This database can be updated through Windows Update, and is stored in the %WINDIR% \\AppPatch directory. Your custom databases are automatically stored in the %WINDIR% \\AppPatch\\Custom directory and are installed by using the Sdbinst.exe tool provided with the Compatibility Administrator. - -> [!IMPORTANT] -> Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to work with custom databases for 32-bit applications and the 64-bit version to work with custom databases for 64-bit applications. - -In addition, you must deploy your databases to your organization's computers before the included fixes will have any effect on the application issue. For more information about deploying your database, see [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md). - - - -## Installing a Custom Database - - -Installing your custom-compatibility database enables you to fix issues with your installed applications. - -**To install a custom database** - -1. In the left-side pane of Compatibility Administrator, click the custom database to install to your local computers. - -2. On the **File** menu, click **Install**. - - The Compatibility Administrator installs the database, which appears in the **Installed Databases** list. - - The relationship between your database file and an included application occurs in the registry. Every time you start an application, the operating system checks the registry for compatibility-fix information and, if found, retrieves the information from your customized database file. - -## Uninstalling a Custom Database - - -When a custom database is no longer necessary, either because the applications are no longer used or because the vendor has provided a fix that resolves the compatibility issues, you can uninstall the custom database. - -**To uninstall a custom database** - -1. In the **Installed Databases** list, which appears in the left-side pane of Compatibility Administrator, click the database to uninstall from your local computers. - -2. On the **File** menu, click **Uninstall**. - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) diff --git a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md deleted file mode 100644 index 6f9d7dae92..0000000000 --- a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md +++ /dev/null @@ -1,38 +0,0 @@ ---- -title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10) -description: Learn why you should use compatibility fixes, and how to deploy and manage custom-compatibility fix databases. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Managing Application-Compatibility Fixes and Custom Fix Databases - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases. - -## In this section - -|Topic|Description| -|--- |--- | -|[Understanding and Using Compatibility Fixes](understanding-and-using-compatibility-fixes.md)|As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application.| -|[Compatibility Fix Database Management Strategies and Deployment](compatibility-fix-database-management-strategies-and-deployment.md)|After you determine that you will use compatibility fixes in your application-compatibility mitigation strategy, you must define a strategy to manage your custom compatibility-fix database. Typically, you can use one of two approaches:| -|[Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md)|This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues.| - -## Related topics - -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) - -[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) diff --git a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md deleted file mode 100644 index a65742c0f2..0000000000 --- a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md +++ /dev/null @@ -1,60 +0,0 @@ ---- -title: Searching for Fixed Applications in Compatibility Administrator (Windows 10) -description: Compatibility Administrator can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Searching for Fixed Applications in Compatibility Administrator - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application. - -The **Query Compatibility Databases** tool provides additional search options. For more information, see [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md). - -## Searching for Previously Applied Compatibility Fixes - -> [!IMPORTANT] -> You must perform your search with the correct version of the Compatibility Administrator tool. If you are searching for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. If you are searching for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator. - -**To search for previous fixes** - -1. On the Compatibility Administrator toolbar, click **Search**. - -2. Click **Browse** to locate the directory location to search for .exe files. - -3. Select at least one check box from **Entries with Compatibility Fixes**, **Entries with Compatibility Modes**, or **Entries with AppHelp**. - -4. Click **Find Now**. - - The query runs, returning your results in the lower pane. - -## Viewing Your Query Results - -Your query results display the affected files, the application location, the application name, the type of compatibility fix, and the custom database that provided the fix. - -## Exporting Your Query Results - -You can export your search results to a text (.txt) file for later review or archival. - -**To export your search results** - -1. In the **Search for Fixes** dialog box, click **Export**. - -2. Browse to the location where you want to store your search result file, and then click **Save**. - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) \ No newline at end of file diff --git a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md deleted file mode 100644 index c7cd8de1b8..0000000000 --- a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md +++ /dev/null @@ -1,143 +0,0 @@ ---- -title: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator (Windows 10) -description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.topic: conceptual -ms.subservice: itpro-deploy -ms.date: 10/28/2022 ---- - -# Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. - -For information about the Search feature, see [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md). However, the Query tool provides more detailed search criteria, including tabs that enable you to search the program properties, the compatibility fix properties, and the fix description. You can perform a search by using SQL SELECT and WHERE clauses, in addition to searching specific types of databases. - -> [!IMPORTANT] -> You must perform your search with the correct version of the Compatibility Administrator tool. To use the Query tool to search for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. To use the Query tool to search for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator. - -## Querying by Using the Program Properties Tab - -You can use the **Program Properties** tab of the Query tool to search for any compatibility fix, compatibility mode, or AppHelp for a specific application. - -**To query by using the Program Properties tab** - -1. On the Compatibility Administrator toolbar, click **Query**. -2. In the **Look in** drop-down list, select the appropriate database type to search. -3. Type the location of the application you are searching for into the **Search for the Application** field. - - This name should be the same as the name in the **Applications** area (left pane) of Compatibility Administrator. - -4. Type the application executable (.exe) file name into the **Search for the File** box. If you leave this box blank, the percent (%) sign appears as a wildcard to search for any file. - - You must designate the executable name that was given when the compatibility fix was added to the database. - -5. Optionally, select the check box for one of the following types of compatibility fix: - - - **Compatibility Modes** - - **Compatibility Fixes** - - **Application Helps** - - > [!IMPORTANT] - > If you do not select any of the check boxes, the search will look for all types of compatibility fixes. Do not select multiple check boxes because only applications that match all of the requirements will appear. - -6. Click **Find Now**. - - The query runs and the results of the query are displayed in the lower pane. - -## Querying by Using the Fix Properties Tab - - -You can use the **Fix Properties** tab of the Query tool to search for any application affected by a specific compatibility fix or a compatibility mode. For example, you can search for any application affected by the ProfilesSetup compatibility mode. - -**To query by using the Fix Properties tab** - -1. On the Compatibility Administrator toolbar, click **Query**. -2. Click the **Fix Properties** tab. -3. In the **Look in** drop-down list, select the appropriate database type to search. -4. Type the name of the compatibility fix or compatibility mode into the **Search for programs fixed using** field. - - >[!NOTE] - >You can use the percent (%) symbol as a wildcard in your fix-properties query, as a substitute for any string of zero or more characters - -5. Select the check box for either **Search in Compatibility Fixes** or **Search in Compatibility Modes**. - - >[!IMPORTANT] - >Your text must match the type of compatibility fix or mode for which you are performing the query. For example, entering the name of a compatibility fix and selecting the compatibility mode check box will not return any results. Additionally, if you select both check boxes, the query will search for the fix by compatibility mode and compatibility fix. Only applications that match both requirements appear. - -6. Click **Find Now**. - - The query runs and the results of the query are displayed in the lower pane. - -## Querying by Using the Fix Description Tab - -You can use the **Fix Description** tab of the Query tool to add parameters that enable you to search your compatibility databases by application title or solution description text. - -**To query by using the Fix Description tab** - -1. On the Compatibility Administrator toolbar, click **Query**. -2. Click the **Fix Description** tab. -3. In the **Look in** drop-down list, select the appropriate database type to search. -4. Type your search keywords into the box **Words to look for**. Use commas to separate multiple keywords. - - >[!IMPORTANT] - >You cannot use wildcards as part of the Fix Description search query because the default behavior is to search for any entry that meets your search criteria. - -5. Refine your search by selecting **Match any word** or **Match all words** from the drop-down list. -6. Click **Find Now**. - - The query runs and the results of the query are displayed in the lower pane. - -## Querying by Using the Advanced Tab - -You can use the **Fix Description** tab of the Query tool to add additional SQL Server SELECT and WHERE clauses to your search criteria. - -**To query by using the Advanced tab** - -1. On the Compatibility Administrator toolbar, click **Query**. -2. Click the **Advanced** tab. -3. In the **Look in** drop-down list, select the appropriate database type to search. -4. Select the appropriate SELECT clause for your search from the **Select clauses** box. For example, **APP\_NAME**. - - The **APP\_NAME** clause appears in the **SELECT** field. You can add as many additional clauses as you require. They will appear as columns in your search results. - -5. Select the appropriate WHERE clause for your search from the **Where clauses** box. For example, **DATABASE\_NAME**. - - The **DATABASE\_NAME =** clause appears in the **WHERE** box. - -6. Type the appropriate clause criteria after the equal (=) sign in the **WHERE** box. For example, **DATABASE\_NAME = "Custom\_Database"**. - - You must surround your clause criteria text with quotation marks (") for the clause to function properly. - -7. Click **Find Now**. - - The query runs and the results of the query are displayed in the lower pane. - -## Exporting Your Search Results - - -You can export any of your search results into a tab-delimited text (.txt) file for later review or for archival purposes. - -**To export your results** - -1. After you have completed your search by using the Query tool, click **Export**. - - The **Save results to a file** dialog box appears. - -2. Browse to the location where you intend to store the search results file, and then click **Save**. - -## Related topics - -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) diff --git a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md deleted file mode 100644 index 53428226ac..0000000000 --- a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md +++ /dev/null @@ -1,39 +0,0 @@ ---- -title: Showing Messages Generated by the SUA Tool (Windows 10) -description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Showing Messages Generated by the SUA Tool - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. - -**To show the messages that the SUA tool has generated** - -1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). - -2. After you finish testing, in the SUA tool, click the **App Info** tab. - -3. On the **View** menu, click the command that corresponds to the messages that you want to see. The following table describes the commands. - -|View menu command|Description| -|--- |--- | -|**Error Messages**|When this command is selected, the user interface shows error messages that the SUA tool has generated. Error messages are highlighted in pink.
This command is selected by default.| -|**Warning Messages**|When this command is selected, the user interface shows warning messages that the SUA tool has generated. Warning messages are highlighted in yellow.| -|**Information Messages**|When this command is selected, the user interface shows informational messages that the SUA tool has generated. Informational messages are highlighted in green.| -|**Detailed Information**|When this command is selected, the user interface shows information that the SUA tool has generated, such as debug, stack trace, stop code, and severity information.| \ No newline at end of file diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md deleted file mode 100644 index 3933f9c2d5..0000000000 --- a/windows/deployment/planning/sua-users-guide.md +++ /dev/null @@ -1,37 +0,0 @@ ---- -title: SUA User's Guide (Windows 10) -description: Learn how to use Standard User Analyzer (SUA). SUA can test your apps and monitor API calls to detect compatibility issues related to the Windows User Account Control (UAC) feature. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# SUA User's Guide - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. - -You can use SUA in either of the following ways: - -- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for more analysis. - -- **Standard User Analyzer Tool.** A full-function tool in which you can perform in-depth analysis and fix issues. - -## In this section - -|Topic|Description| -|--- |--- | -|[Using the SUA wizard](using-the-sua-wizard.md)|The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard doesn't offer detailed analysis, and it can't disable virtualization or elevate your permissions.| -|[Using the SUA Tool](using-the-sua-tool.md)|By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.| \ No newline at end of file diff --git a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md deleted file mode 100644 index 6c189c6d79..0000000000 --- a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md +++ /dev/null @@ -1,39 +0,0 @@ ---- -title: Tabs on the SUA Tool Interface (Windows 10) -description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Tabs on the SUA Tool Interface - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. - -The following table provides a description of each tab on the user interface for the SUA tool. - -|Tab name|Description| -|--- |--- | -|App Info|Provides the following information for the selected application:
For example, this tab might show an attempt to write to a file that only administrators can typically access.| -|Registry|Provides information about access to the system registry.
For example, this tab might show an attempt to write to a registry key that only administrators can typically access.| -|INI|Provides information about WriteProfile API issues.
For example, in the Calculator tool (Calc.exe) in Windows® XP, when you change the view from **Standard** to **Scientific**, Calc.exe calls the WriteProfile API to write to the Windows\Win.ini file. The Win.ini file is writable only for administrators.| -|Token|Provides information about access-token checking.
For example, this tab might show an explicit check for the Builtin\Administrators security identifier (SID) in the user's access token. This operation may not work for a standard user.| -|Privilege|Provides information about permissions.
For example, this tab might show an attempt to explicitly enable permissions that do not work for a standard user.| -|Name Space|Provides information about creation of system objects.
For example, this tab might show an attempt to create a new system object, such as an event or a memory map, in a restricted namespace. Applications that attempt this kind of operation do not function for a standard user.| -|Other Objects|Provides information related to applications accessing objects other than files and registry keys.| -|Process|Provides information about process elevation.
For example, this tab might show the use of the CreateProcess API to open an executable (.exe) file that, in turn, requires process elevation that will not function for a standard user.| - diff --git a/windows/deployment/planning/testing-your-application-mitigation-packages.md b/windows/deployment/planning/testing-your-application-mitigation-packages.md deleted file mode 100644 index fcc32044a3..0000000000 --- a/windows/deployment/planning/testing-your-application-mitigation-packages.md +++ /dev/null @@ -1,82 +0,0 @@ ---- -title: Testing Your Application Mitigation Packages (Windows 10) -description: Learn how to test your application-mitigation packages, including how to report your information and how to resolve any outstanding issues. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Testing Your Application Mitigation Packages - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues. - -## Testing Your Application Mitigation Packages - -Testing your application mitigation package strategies is an iterative process, whereby the mitigation strategies that prove unsuccessful will need to be revised and retested. The testing process includes a series of tests in the test environment and one or more pilot deployments in the production environment. - -**To test your mitigation strategies** - -1. Perform the following steps for each of the applications for which you have developed mitigations. - - 1. Test the mitigation strategy in your test environment. - - 2. If the mitigation strategy is unsuccessful, revise the mitigation strategy and perform step 1 again. - - At the end of this step, you will have successfully tested all of your mitigation strategies in your test environment and can move to your pilot deployment environment. - -2. Perform the following steps in the pilot deployments for each of the applications for which you have developed mitigations. - - 1. Test the mitigation strategy in your pilot deployment. - - 2. If the mitigation strategy is unsuccessful, revise the mitigation strategy and perform Step 2 again. - - At the end of this step, you will have successfully tested all of your mitigation strategies in your pilot environment. - -## Reporting the Compatibility Mitigation Status to Stakeholders - -After testing your application mitigation package, you must communicate your status to the appropriate stakeholders before deployment begins. We recommend that you perform this communication by using the following status ratings. - -- **Resolved application compatibility issues**. This status indicates that the application compatibility issues are resolved and that these applications represent no risk to your environment. - -- **Unresolved application compatibility issues**. This status indicates that there are unresolved issues for the specifically defined applications. Because these applications are a risk to your environment, more discussion is required before you can resolve the compatibility issues. - -- **Changes to user experience**. This status indicates that the fix will change the user experience for the defined applications, possibly requiring your staff to receive further training. More investigation is required before you can resolve the compatibility issues. - -- **Changes in help desk procedures and processes**. This status indicates that the fix will require changes to your help desk's procedures and processes, possibly requiring your support staff to receive further training. More investigation is required before you can resolve the compatibility issues. - -## Resolving Outstanding Compatibility Issues - -At this point, you probably cannot resolve any unresolved application compatibility issues by automated mitigation methods or by modifying the application. Resolve any outstanding application compatibility issues by using one of the following methods. - -- Apply specific compatibility modes, or run the program as an Administrator, by using the Compatibility Administrator tool. - - > [!NOTE] - > For more information about using Compatibility Administrator to apply compatibility fixes and compatibility modes, see [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md). - -- Run the application in a virtual environment. - - Run the application in a version of Windows supported by the application in a virtualized environment. This method ensures application compatibility, because the application is running on a supported operating system. - -- Resolve application compatibility by using non-Microsoft tools. - - If the application was developed in an environment other than Microsoft Visual Studio®, you must use non-Microsoft debugging and analysis tools to help resolve the remaining application compatibility issues. - -- Outsource the application compatibility mitigation. - - If your developers have insufficient resources to resolve the application compatibility issues, outsource the mitigation effort to another organization within your company. - -## Related topics -[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) diff --git a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md deleted file mode 100644 index 6fa5f46c8c..0000000000 --- a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md +++ /dev/null @@ -1,88 +0,0 @@ ---- -title: Understanding and Using Compatibility Fixes (Windows 10) -description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.topic: conceptual -ms.subservice: itpro-deploy -ms.date: 10/28/2022 ---- - -# Understanding and Using Compatibility Fixes - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application. - -## How the Compatibility Fix Infrastructure Works - -The Compatibility Fix infrastructure uses the linking ability of APIs to redirect an application from Windows code directly to alternative code that implements the compatibility fix. - -The Windows Portable Executable File Format includes headers that contain the data directories that are used to provide a layer of indirection between the application and the linked file. API calls to the external binary files take place through the Import Address Table (IAT), which then directly calls the Windows operating system, as shown in the following figure. - - - -Specifically, the process modifies the address of the affected Windows function in the IAT to point to the compatibility fix code, as shown in the following figure. - - - ->[!NOTE] ->For statically linked DLLs, the code redirection occurs as the application loads. You can also fix dynamically linked DLLs by hooking into the GetProcAddress API. - -## Design Implications of the Compatibility Fix Infrastructure - -There are important considerations to keep in mind when determining your application fix strategy, due to certain characteristics of the Compatibility Fix infrastructure. - -- The compatibility fix is not part of the Windows operating system (as shown in the previous figure). Therefore, the same security restrictions apply to the compatibility fix as apply to the application code, which means that you cannot use compatibility fixes to bypass any of the security mechanisms of the operating system. Therefore, compatibility fixes do not increase your security exposure, nor do you need to lower your security settings to accommodate compatibility fixes. - -- The Compatibility Fix infrastructure injects additional code into the application before it calls the operating system. This means that any remedy that can be accomplished by a compatibility fix can also be addressed by fixing the application code. - -- The compatibility fixes run as user-mode code inside of a user-mode application process. This means that you cannot use a compatibility fix to fix kernel-mode code issues. For example, you cannot use a compatibility fix to resolve device-driver issues. - - > [!NOTE] - > Some antivirus, firewall, and anti-spyware code runs in kernel mode. - -## Determining When to Use a Compatibility Fix - -The decision to use compatibility fixes to remedy your compatibility issues may involve more than just technical issues. The following scenarios reflect other common reasons for using a compatibility fix. - -### Scenario 1 - -**The compatibility issue exists on an application which is no longer supported by the vendor.** - -As in many companies, you may run applications for which the vendor has ended support. In this situation, you cannot have the vendor make the fix, nor can you access the source code to modify the issue yourself. However, it is possible that the use of a compatibility fix might resolve the compatibility issue. - -### Scenario 2 - -**The compatibility issue exists on an internally created application.** - -While it is preferable to fix the application code to resolve the issue, this is not always possible. Your internal team might not be able to fix all of the issues prior to the deployment of the new operating system. Instead, they might choose to employ a compatibility fix anywhere that it is possible. They can then fix the code only for issues that cannot be resolved in this manner. Through this method, your team can modify the application as time permits, without delaying the deployment of the new operating system into your environment. - -### Scenario 3 - -**The compatibility issue exists on an application for which a compatible version is to be released in the near future, or an application that is not critical to the organization, regardless of its version.** - -In the situation where an application is either unimportant to your organization, or for which a newer, compatible version is to be released shortly, you can use a compatibility fix as a temporary solution. This means that you can continue to use the application without delaying the deployment of a new operating system, with the intention of updating your configuration as soon as the new version is released. - -## Determining Which Version of an Application to Fix - -You can apply a compatibility fix to a particular version of an application, either by using the "up to or including" clause or by selecting that specific version. This means that the next version of the application will not have the compatibility fix automatically applied. This is important, because it allows you to continue to use your application, but it also encourages the vendor to fix the application. - -## Support for Compatibility Fixes - -Compatibility fixes are shipped as part of the Windows operating system and are updated by using Windows Update. Therefore, they receive the same level of support as Windows itself. - -You can apply the compatibility fixes to any of your applications. However, Microsoft does not provide the tools to use the Compatibility Fix infrastructure to create your own custom fixes. - -## Related topics - -[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) diff --git a/windows/deployment/planning/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md deleted file mode 100644 index d938b218f9..0000000000 --- a/windows/deployment/planning/using-the-compatibility-administrator-tool.md +++ /dev/null @@ -1,38 +0,0 @@ ---- -title: Using the Compatibility Administrator Tool (Windows 10) -description: This section provides information about using the Compatibility Administrator tool. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Using the Compatibility Administrator Tool - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides information about using the Compatibility Administrator tool. - -## In this section - -|Topic|Description| -|--- |--- | -|[Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md)|The Compatibility Administrator tool provides a way to query your custom-compatibility databases.| -|[Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md)|With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application.| -|[Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)|You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.| -|[Creating a Custom Compatibility Fix in Compatibility Administrator](creating-a-custom-compatibility-fix-in-compatibility-administrator.md)|The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages.| -|[Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)|Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.| -|[Creating an AppHelp Message in Compatibility Administrator](creating-an-apphelp-message-in-compatibility-administrator.md)|The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.| -|[Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md)|The **Events** screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.| -|[Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)|You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.| -|[Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)|The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.| \ No newline at end of file diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md deleted file mode 100644 index d9152b5782..0000000000 --- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md +++ /dev/null @@ -1,68 +0,0 @@ ---- -title: Using the Sdbinst.exe Command-Line Tool (Windows 10) -description: Learn how to deploy customized database (.sdb) files using the Sdbinst.exe Command-Line Tool. Review a list of command-line options. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Using the Sdbinst.exe Command-Line Tool - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2016 -- Windows Server 2012 -- Windows Server 2008 R2 - -Deploy your customized database (.sdb) files to other computers in your organization. That is, before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways. By using a logon script, by using Group Policy, or by performing file copy operations. - -After you deploy and store the customized databases on each of your local computers, you must register the database files. -Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application. - -## Command-Line Options for Deploying Customized Database Files - -Sample output from the command `Sdbinst.exe /?` in an elevated CMD window: - -```console -Microsoft Windows [Version 10.0.14393] -(c) 2016 Microsoft Corporation. All rights reserved. - -C:\Windows\system32>Sdbinst.exe /? -Usage: Sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name" - - -? - print this help text. - -p - Allow SDBs containing patches. - -q - Quiet mode: prompts are auto-accepted. - -u - Uninstall. - -g {guid} - GUID of file (uninstall only). - -n "name" - Internal name of file (uninstall only). - -C:\Windows\system32>_ -``` - -The command-line options use the following conventions: - -Sdbinst.exe \[-?\] \[-p\] \[-q\] \[-u\] \[-g\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\] - -The following table describes the available command-line options. - -|Option|Description| -|--- |--- | -|-?|Displays the Help for the Sdbinst.exe tool.
For example,
`sdbinst.exe -?`|
-|-p|Allows SDBs' installation with Patches.
For example,
`sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb`|
-|-q|Does a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).
For example,
`sdbinst.exe -q`|
-|-u *filepath*|Does an uninstallation of the specified database.
For example,
`sdbinst.exe -u C:\example.sdb`|
-|-g *GUID*|Specifies the customized database to uninstall by a globally unique identifier (GUID).
For example,
`sdbinst.exe -g 6586cd8f-edc9-4ea8-ad94-afabea7f62e3`|
-|-n *"name"*|Specifies the customized database to uninstall by file name.
For example,
`sdbinst.exe -n "My_Database"`|
-
-## Related articles
-
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
\ No newline at end of file
diff --git a/windows/deployment/planning/using-the-sua-tool.md b/windows/deployment/planning/using-the-sua-tool.md
deleted file mode 100644
index c67a5ba90a..0000000000
--- a/windows/deployment/planning/using-the-sua-tool.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-title: Using the SUA Tool (Windows 10)
-description: The Standard User Analyzer (SUA) tool can test applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
-manager: aaroncz
-ms.author: frankroj
-ms.service: windows-client
-author: frankroj
-ms.date: 10/28/2022
-ms.topic: conceptual
-ms.subservice: itpro-deploy
----
-
-# Using the SUA Tool
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
-
-The SUA Wizard also addresses UAC-related issues. In contrast to the SUA tool, the SUA Wizard guides you through the process step by step, without the in-depth analysis of the SUA tool. For information about the SUA Wizard, see [Using the SUA Wizard](using-the-sua-wizard.md).
-
-In the SUA tool, you can turn virtualization on and off. When you turn virtualization off, the tested application may function more like the way it does in earlier versions of Windows®.
-
-In the SUA tool, you can choose to run the application as **Administrator** or as **Standard User**. Depending on your selection, you may locate different types of UAC-related issues.
-
-## Testing an Application by Using the SUA Tool
-
-Before you can use the SUA tool, you must install Application Verifier. You must also install the Microsoft® .NET Framework 3.5 or later.
-
-The following flowchart shows the process of using the SUA tool.
-
-
-
-**To collect UAC-related issues by using the SUA tool**
-
-1. Close any open instance of the SUA tool or SUA Wizard on your computer.
-
- If there is an existing SUA instance on the computer, the SUA tool opens in log viewer mode instead of normal mode. In log viewer mode, you cannot start applications, which prevents you from collecting UAC issues.
-
-2. Run the Standard User Analyzer.
-
-3. In the **Target Application** box, browse to the executable file for the application that you want to analyze, and then double-click to select it.
-
-4. Clear the **Elevate** check box, and then click **Launch**.
-
- If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning.
-
-5. Exercise the aspects of the application for which you want to gather information about UAC issues.
-
-6. Exit the application.
-
-7. Review the information from the various tabs in the SUA tool. For information about each tab, see [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md).
-
-**To review and apply the recommended mitigations**
-
-1. In the SUA tool, on the **Mitigation** menu, click **Apply Mitigations**.
-
-2. Review the recommended compatibility fixes.
-
-3. Click **Apply**.
-
- The SUA tool generates a custom compatibility-fix database and automatically applies it to the local computer, so that you can test the fixes to see whether they worked.
-
-## Related topics
-[Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md)
-
-[Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md)
-
-[Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md)
-
-[Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md)
\ No newline at end of file
diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md
deleted file mode 100644
index 5107afeb74..0000000000
--- a/windows/deployment/planning/using-the-sua-wizard.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: Using the SUA wizard (Windows 10)
-description: The Standard User Analyzer (SUA) wizard, although it doesn't offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues.
-manager: aaroncz
-ms.author: frankroj
-ms.service: windows-client
-author: frankroj
-ms.date: 10/28/2022
-ms.topic: conceptual
-ms.subservice: itpro-deploy
----
-
-# Using the SUA wizard
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard doesn't offer detailed analysis, and it can't disable virtualization or elevate your permissions.
-
-For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool.md).
-
-## Testing an Application by Using the SUA wizard
-
-Install Application Verifier before you can use the SUA wizard. If Application Verifier isn't installed on the computer that is running the SUA wizard, the SUA wizard notifies you. In addition, install the Microsoft® .NET Framework 3.5 or later before you can use the SUA wizard.
-
-The following flowchart shows the process of using the SUA wizard.
-
-
-
-**To test an application by using the SUA wizard**
-
-1. On the computer where the SUA wizard is installed, sign in by using a non-administrator account.
-
-2. Run the Standard User Analyzer wizard.
-
-3. Click **Browse for Application**, browse to the folder that contains the application that you want to test, and then double-click the executable file for the application.
-
-4. Click **Launch**.
-
- If you're prompted, elevate your permissions. The SUA wizard may require elevation of permissions to correctly diagnose the application.
-
- If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning.
-
-5. In the application, exercise the functionality that you want to test.
-
-6. After you finish testing, exit the application.
-
- The SUA wizard displays a message that asks whether the application ran without any issues.
-
-7. Click **No**.
-
- The SUA wizard shows a list of potential remedies that you might use to fix the application.
-
-8. Select the fixes that you want to apply, and then click **Launch**.
-
- The application appears again, with the fixes applied.
-
-9. Test the application again, and after you finish testing, exit the application.
-
- The SUA wizard displays a message that asks whether the application ran without any issues.
-
-10. If the application ran correctly, click **Yes**.
-
- The SUA wizard closes the issue as resolved on the local computer.
-
- If the remedies don't fix the issue with the application, click **No** again, and the wizard may offer another remedies. If the other remedies don't fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for more investigation, see [Using the SUA Tool](using-the-sua-tool.md).
-
-## Related articles
-[SUA User's Guide](sua-users-guide.md)
\ No newline at end of file
diff --git a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
deleted file mode 100644
index cf1a19004e..0000000000
--- a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Viewing the Events Screen in Compatibility Administrator (Windows 10)
-description: You can use the Events screen to record and view activities in the Compatibility Administrator tool.
-manager: aaroncz
-ms.author: frankroj
-ms.service: windows-client
-author: frankroj
-ms.topic: conceptual
-ms.subservice: itpro-deploy
-ms.date: 10/28/2022
----
-
-# Viewing the Events Screen in Compatibility Administrator
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The **Events** screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.
-
->[!IMPORTANT]
->The **Events** screen only records your activities when the screen is open. If you perform an action before opening the **Events** screen, the action will not appear in the list.
-
- **To open the Events screen**
-
-- On the **View** menu, click **Events**.
-
-## Handling Multiple Copies of Compatibility Fixes
-
-Compatibility Administrator enables you to copy your compatibility fixes from one database to another, which can become confusing after adding multiple fixes, compatibility modes, and databases. For example, you can copy a fix called MyFix from Database 1 to Database 2. However, if there is already a fix called MyFix in Database 2, Compatibility Administrator renames the fix as MyFix (1) to avoid duplicate names.
-
-If you open the **Events** screen and then perform the copy operation, you can see a description of the action, along with the time stamp, which enables you to view your fix information without confusion.
-
-## Related topics
-[Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
deleted file mode 100644
index 8e5e27c8df..0000000000
--- a/windows/deployment/s-mode.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Windows Pro in S mode
-description: Overview of Windows Pro and Enterprise in S mode.
-ms.localizationpriority: high
-ms.service: windows-client
-manager: aaroncz
-author: frankroj
-ms.author: frankroj
-ms.topic: conceptual
-ms.date: 04/26/2023
-ms.subservice: itpro-deploy
----
-
-# Windows Pro in S mode
-
-S mode is a configuration that's available on all Windows Editions, and it's enabled at the time of manufacturing. Windows can be switched out of S mode at any time, as shown in the picture below. However, the switch is a one-time operation, and can only be undone by a wipe and reload of the operating system.
-
-:::image type="content" source="images/smodeconfig.png" alt-text="Table listing the capabilities of S mode across the different Windows editions.":::
-
-## S mode key features
-
-### Microsoft-verified security
-
-With Windows in S mode, you'll find your favorite applications in the Microsoft Store, where they're Microsoft-verified for security. You can also feel secure when you're online. Microsoft Edge, your default browser, gives you protection against phishing and socially-engineered malware.
-
-### Performance that lasts
-
-Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. You'll enjoy a smooth, responsive experience, whether you're streaming videos, opening apps, or being productive on the go.
-
-### Choice and flexibility
-
-Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don't find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
-
-:::image type="content" source="images/s-mode-flow-chart.png" alt-text="Switching out of S mode flow chart.":::
-
-## Deployment
-
-Windows in S mode is built for [modern management](/windows/client-management/manage-windows-10-in-your-organization-modern-management), which means using [Windows Autopilot](/mem/autopilot/windows-autopilot) for deployment, and a Mobile Device Management (MDM) solution for management, like Microsoft Intune.
-
-Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic device that can only be used to join the company Microsoft Entra tenant or Active Directory domain. Policies are then deployed automatically through MDM, to customize the device to the user and the desired environment.
-
-For the devices that are shipped in S mode, you can either keep them in S mode, use Windows Autopilot to switch them out of S mode during the first run process, or later using MDM, if desired.
-
-## Keep line of business apps functioning with Desktop Bridge
-
-[Desktop Bridge](/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating the apps, you can distribute them through an MDM solution like Microsoft Intune.
-
-## Repackage Win32 apps into the MSIX format
-
-The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through the MSIX Packaging Tool interactively, and obtain an MSIX package that you can deploy through and MDM solution like Microsoft Intune. The MSIX Packaging Tool is another way to get your apps ready to run on Windows in S mode.
-
-## Related links
-
-- [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode)
-- [S mode devices](https://www.microsoft.com/windows/view-all-devices)
-- [Windows Defender Application Control deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
-- [Microsoft Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/)
diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md
index 1d7ec557b6..013dcffe27 100644
--- a/windows/deployment/update/windows-update-security.md
+++ b/windows/deployment/update/windows-update-security.md
@@ -10,7 +10,7 @@ ms.author: mstewart
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 08/28/2023
+ms.date: 08/15/2024
---
# Windows Update security
diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md
deleted file mode 100644
index f4b7f66792..0000000000
--- a/windows/deployment/windows-10-pro-in-s-mode.md
+++ /dev/null
@@ -1,85 +0,0 @@
----
-title: Switch to Windows 10 Pro/Enterprise from S mode
-description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional.
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.localizationpriority: medium
-ms.service: windows-client
-ms.topic: conceptual
-ms.date: 11/23/2022
-ms.subservice: itpro-deploy
----
-
-# Switch to Windows 10 Pro or Enterprise from S mode
-
-We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later.
-
-Many other transformations are possible depending on which version and edition of Windows 10 you're starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means:
-
-| If a device is running this version of Windows 10 | and this edition of Windows 10 | then you can switch or convert it to this edition of Windows 10 by these methods: | | |
-|-------------|---------------------|-----------------------------------|-------------------------------|--------------------------------------------|
-| | | **Store for Education** (switch/convert all devices in your tenant) | **Microsoft Store** (switch/convert one device at a time) | **Intune** (switch/convert any number of devices selected by admin) |
-| **Windows 10, version 1709** | Pro in S mode | Pro EDU | Pro | Not by this method |
-| | Pro | Pro EDU | Not by any method | Not by any method |
-| | Home | Not by any method | Not by any method | Not by any method |
-| | | | | |
-| **Windows 10, version 1803** | Pro in S mode | Pro EDU in S mode | Pro | Not by this method |
-| | Pro | Pro EDU | Not by any method | Not by any method |
-| | Home in S mode | Not by any method | Home | Not by this method |
-| | Home | Not by any method | Not by any method | Not by any method |
-| | | | | |
-| **Windows 10, version 1809** | Pro in S mode | Pro EDU in S mode | Pro | Pro |
-| | Pro | Pro EDU | Not by any method | Not by any method |
-| | Home in S mode | Not by any method | Home | Home |
-| | Home | Not by any method | Not by any method | Not by any method |
-
-Use the following information to switch to Windows 10 Pro through the Microsoft Store.
-
-> [!IMPORTANT]
-> While it's free to switch to Windows 10 Pro, it's not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
-
-## Switch one device through the Microsoft Store
-
-Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device.
-
-Note these differences affecting switching modes in various releases of Windows 10:
-
-- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible.
-
-- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**.
-
-- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves.
-
-1. Sign into the Microsoft Store using your Microsoft account.
-
-2. Search for "S mode".
-
-3. In the offer, select **Buy**, **Get**, or **Learn more.**
-
-You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
-
-## Switch one or more devices by using Microsoft Intune
-
-Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE. Switching out of S mode gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle.
-
-1. Start Microsoft Intune.
-
-2. Navigate to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch**.
-
-3. Follow the instructions to complete the switch.
-
-## Block users from switching
-
-You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10. To set this policy, go to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
-
-## S mode management with CSPs
-
-In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode).
-
-## Related articles
-
-[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
-[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
-[Windows 10 Pro Education](/education/windows/test-windows10s-for-edu)
-[Introduction to Microsoft Intune in the Azure portal](/intune/what-is-intune)
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index 407041507f..a678f8d182 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -42,14 +42,13 @@
href: deploy/windows-autopatch-register-devices.md
- name: Windows Autopatch groups overview
href: deploy/windows-autopatch-groups-overview.md
- items:
- - name: Manage Windows Autopatch groups
- href: deploy/windows-autopatch-groups-manage-autopatch-groups.md
- name: Post-device registration readiness checks
href: deploy/windows-autopatch-post-reg-readiness-checks.md
- name: Manage
href:
items:
+ - name: Manage Windows Autopatch groups
+ href: manage/windows-autopatch-manage-autopatch-groups.md
- name: Customize Windows Update settings
href: manage/windows-autopatch-customize-windows-update-settings.md
- name: Windows feature updates
@@ -62,8 +61,6 @@
items:
- name: Windows quality update end user experience
href: manage/windows-autopatch-windows-quality-update-end-user-exp.md
- - name: Windows quality update signals
- href: manage/windows-autopatch-windows-quality-update-signals.md
- name: Windows quality update communications
href: manage/windows-autopatch-windows-quality-update-communications.md
- name: Manage driver and firmware updates
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
index 3b2702240b..705c158639 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
@@ -46,7 +46,7 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto
| Step | Description |
| ----- | ----- |
| **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. |
-| **Step 2: Add devices** | IT admin adds devices through Direct membership or nests other Microsoft Entra ID assigned or dynamic groups into the **Windows Autopatch Device Registration** Microsoft Entra ID assigned group when using adding existing device-based Microsoft Entra groups while [creating](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group)/[editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) Custom Autopatch groups, or [editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) the Default Autopatch group
A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Microsoft Entra groups to the deployment ring (Last) in the Default Autopatch group.
| -| Scenario #2 | You create new [Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group).The global Windows feature policy is automatically assigned behind the scenes to all deployment rings as part of the Custom Autopatch groups you create.
| +| Scenario #1 | You assign Microsoft Entra groups to be used with the deployment ring (Last) or you add additional deployment rings when you customize the [Default Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group).A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Microsoft Entra groups to the deployment ring (Last) in the Default Autopatch group.
| +| Scenario #2 | You create new [Custom Autopatch groups](../manage/windows-autopatch-manage-autopatch-groups.md#create-a-custom-autopatch-group).The global Windows feature policy is automatically assigned behind the scenes to all deployment rings as part of the Custom Autopatch groups you create.
| > [!NOTE] > Global releases don't show up in the Windows feature updates release management blade. @@ -124,7 +124,7 @@ The differences in between the global and the default Windows feature update pol | Default Windows feature update policy | Global Windows feature update policy | | ----- | ----- | -|-The **Create Configuration Item Wizard** starts. - -  - -3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - -4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then select **Next**. - - - **Settings for devices managed with the Configuration Manager client:** Windows 10 - - -OR- - - - **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10 - -5. On the **Supported Platforms** screen, select the **Windows 10** box, and then select **Next**. - -  - -6. On the **Device Settings** screen, select **Windows Information Protection**, and then select **Next**. - -  - -The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. - -## Add app rules to your policy - -During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through Windows Information Protection. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. - -The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. - ->[!IMPORTANT] ->Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
Care must be taken to get a support statement from the software provider that their app is safe with Windows Information Protection before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
-
-### Add a store app rule to your policy
-For this example, we're going to add Microsoft OneNote, a store app, to the **App Rules** list.
-
-**To add a store app**
-
-1. From the **App rules** area, select **Add**.
-
- The **Add app rule** box appears.
-
- 
-
-2. Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*.
-
-3. Select **Allow** from the **Windows Information Protection mode** drop-down list.
-
- Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
-
-4. Pick **Store App** from the **Rule template** drop-down list.
-
- The box changes to show the store app rule options.
-
-5. Type the name of the app and the name of its publisher, and then select **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
-
-If you don't know the publisher or product name, you can find them for both desktop devices by following these steps.
-
-**To find the Publisher and Product Name values for Store apps without installing them**
-
-1. Go to the [Microsoft Store](https://apps.microsoft.com/) website, and find your app. For example, Microsoft OneNote.
-
- > [!NOTE]
- > If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in [Add an AppLocker policy file](#add-an-applocker-policy-file) in this article.
-
-2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is `https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl`, and you'd copy the ID value, `9wzdncrfhvjl`.
-
-3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run `https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata`, where `9wzdncrfhvjl` is replaced with your ID value.
-
- The API runs and opens a text editor with the app details.
-
- ```json
- {
- "packageIdentityName": "Microsoft.Office.OneNote",
- "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
- }
- ```
-
-4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
-
- > [!IMPORTANT]
- > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`.
- >
- > For example:
- >
- > ```json
- > {
- > "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
- > }
- > ```
-
-### Add a desktop app rule to your policy
-
-For this example, we're going to add Internet Explorer, a desktop app, to the **App Rules** list.
-
-**To add a desktop app to your policy**
-
-1. From the **App rules** area, select **Add**.
-
- The **Add app rule** box appears.
-
- 
-
-2. Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*.
-
-3. Select **Allow** from the **Windows Information Protection mode** drop-down list.
-
- Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
-
-4. Pick **Desktop App** from the **Rule template** drop-down list.
-
- The box changes to show the desktop app rule options.
-
-5. Pick the options you want to include for the app rule (see table), and then select **OK**.
-
- |Option|Manages|
- |--- |--- |
- |All fields left as "*"|All files signed by any publisher. (Not recommended.)|
- |**Publisher** selected|All files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps.|
- |**Publisher** and **Product Name** selected|All files for the specified product, signed by the named publisher.|
- |**Publisher**, **Product Name**, and **Binary name** selected|Any version of the named file or package for the specified product, signed by the named publisher.|
- |**Publisher**, **Product Name**, **Binary name**, and **File Version, and above**, selected|Specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened.|
- |**Publisher**, **Product Name**, **Binary name**, and **File Version, And below** selected|Specified version or older releases of the named file or package for the specified product, signed by the named publisher.|
- |**Publisher**, **Product Name**, **Binary name**, and **File Version, Exactly** selected|Specified version of the named file or package for the specified product, signed by the named publisher.|
-
-If you're unsure about what to include for the publisher, you can run this PowerShell command:
-
-```powershell
-Get-AppLockerFileInformation -Path " After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on. For more information, see [How to disable Windows Information Protection](how-to-disable-wip.md).|
-
-:::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level" source="images/wip-configmgr-appmgmt.png":::
-
-## Define your enterprise-managed identity domains
-Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
-
-You can specify multiple domains owned by your enterprise by separating them with the `|` character. For example, `contoso.com|newcontoso.com`. With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
-
-**To add your corporate identity**
-
-- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
-
- 
-
-## Choose where apps can access enterprise data
-After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
-
-There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
-
->[!IMPORTANT]
->Every WIP policy should include policy that defines your enterprise network locations. After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn't automatically reapplied if you turn Windows Information Protection back on. |
-
-## Turn off WIP
-You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn't recommended. If you choose to turn off WIP, you can always turn it back on, but your decryption and policy info won't be automatically reapplied.
-
-## Next steps
-
-After you decide to use WIP in your environment, [create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md).
diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
deleted file mode 100644
index fc9dfc237c..0000000000
--- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Recommended URLs for Windows Information Protection
-description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 03/25/2019
----
-
-# Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)
-
-**Applies to:**
-
-- Windows 10, version 1607 and later
-
->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
-
-We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a Windows Information Protection policy. If you are using Intune, the SharePoint entries may be added automatically.
-
-## Recommended Enterprise Cloud Resources
-
-This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization.
-
-|If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting
- This is the XML file that AppLocker creates for Microsoft Photos.
-
- ```xml
-
->Classless Inter-Domain Routing (CIDR) notation isn't supported for WIP configurations.
-
-**To define where your protected apps can find and send enterprise data on your network**
-
-1. Add additional network locations your apps can access by clicking **Add**.
-
- The **Add or edit corporate network definition** box appears.
-
-2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
-
- 
-
- - **Enterprise Cloud Resources**: Specify the cloud resources to be treated as corporate and protected by WIP.
-
- For each cloud resource, you may also optionally specify a proxy server from your internal proxy servers list to route traffic for this cloud resource. All traffic routed through your internal proxy servers is considered enterprise.
-
- If you have multiple resources, you must separate them using the `|` delimiter. If you don't use proxy servers, you must also include the `,` delimiter just before the `|`. For example: URL `<,proxy>|URL <,proxy>`.
-
- **Format examples**:
-
- - **With proxy**: `contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,contoso.internalproxy2.com`
-
- - **Without proxy**: `contoso.sharepoint.com|contoso.visualstudio.com`
-
- >[!Important]
- > In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.
-
- - **Enterprise Network Domain Names (Required)**: Specify the DNS suffixes used in your environment. All traffic to the fully qualified domains appearing in this list will be protected.
-
- This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.
-
- If you have multiple resources, you must separate them using the "," delimiter.
-
- **Format examples**: `corp.contoso.com,region.contoso.com`
-
- - **Proxy servers**: Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
-
- This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
-
- If you have multiple resources, you must separate them using the ";" delimiter.
-
- **Format examples**: `proxy.contoso.com:80;proxy2.contoso.com:443`
-
- - **Internal proxy servers**: Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
-
- This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
-
- If you have multiple resources, you must separate them using the ";" delimiter.
-
- **Format examples**: `contoso.internalproxy1.com;contoso.internalproxy2.com`
-
- - **Enterprise IPv4 Range (Required)**: Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
-
- If you have multiple ranges, you must separate them using the "," delimiter.
-
- **Format examples**:
-
- - **Starting IPv4 Address:** `3.4.0.1`
- - **Ending IPv4 Address:** `3.4.255.254`
- - **Custom URI:** `3.4.0.1-3.4.255.254, 10.0.0.1-10.255.255.254`
-
- - **Enterprise IPv6 Range**: Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
-
- If you have multiple ranges, you must separate them using the "," delimiter.
-
- **Format examples**:
-
- - **Starting IPv6 Address:** `2a01:110::`
- - **Ending IPv6 Address:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff`
- - **Custom URI:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`
-
- - **Neutral Resources**: Specify your authentication redirection endpoints for your company. These locations are considered enterprise or personal, based on the context of the connection before the redirection.
-
- If you have multiple resources, you must separate them using the "," delimiter.
-
- **Format examples**: `sts.contoso.com,sts.contoso2.com`
-
-3. Add as many locations as you need, and then select **OK**.
-
- The **Add or edit corporate network definition** box closes.
-
-4. Decide if you want to Windows to look for additional network settings and if you want to show the WIP icon on your corporate files while in File Explorer.
-
- :::image type="content" alt-text="Create Configuration Item wizard, Add whether to search for additional network settings" source="images/wip-configmgr-optsettings.png":::
-
- - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Select this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
-
- - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Select this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option.
-
- - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Select this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option.
-
-5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy.
-
- 
-
- After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
-
- For more info about how to find and export your data recovery certificate, see [Data Recovery and Encrypting File System (EFS)](/previous-versions/tn-archive/cc512680(v=technet.10)). For more info about creating and verifying your EFS DRA certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
-
-## Choose your optional WIP-related settings
-After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings.
-
-
-
-**To set your optional settings**
-1. Choose to set any or all of the optional settings:
-
- - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
-
- - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
-
- - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
-
- - **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
-
- - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
-
- - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions.
-
- - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](/azure/information-protection/administer-powershell). If you don't specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to.
-
-2. After you pick all of the settings you want to include, select **Summary**.
-
-## Review your configuration choices in the Summary screen
-After you've finished configuring your policy, you can review all of your info on the **Summary** screen.
-
-**To view the Summary screen**
-- Select the **Summary** button to review your policy choices, and then select **Next** to finish and to save your policy.
-
- 
-
- A progress bar appears, showing you progress for your policy. After it's done, select **Close** to return to the **Configuration Items** page.
-
-## Deploy the WIP policy
-After you've created your WIP policy, you'll need to deploy it to your organization's devices. For more information about your deployment options, see the following articles:
-
-- [Create configuration baselines in Configuration Manager](/mem/configmgr/compliance/deploy-use/create-configuration-baselines)
-
-- [How to deploy configuration baselines in Configuration Manager](/mem/configmgr/compliance/deploy-use/deploy-configuration-baselines)
-
-## Related articles
-
-- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
-
-- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
-
-- [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
deleted file mode 100644
index c73eda005f..0000000000
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ /dev/null
@@ -1,605 +0,0 @@
----
-title: Create a WIP policy in Intune
-description: Learn how to use the Microsoft Intune admin center to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.reviewer: rafals
-ms.topic: how-to
-ms.date: 07/15/2022
----
-
-# Create a Windows Information Protection policy in Microsoft Intune
-
-[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)]
-
-
-_Applies to:_
-
-- Windows 10
-- Windows 11
-
-Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device.
-
-## Differences between MDM and MAM for WIP
-
-You can create an app protection policy in Intune either with device enrollment for MDM or without device enrollment for MAM. The process to create either policy is similar, but there are important differences:
-
-- MAM has more **Access** settings for Windows Hello for Business.
-- MAM can [selectively wipe company data](/intune/apps-selective-wipe) from a user's personal device.
-- MAM requires an [Microsoft Entra ID P1 or P2 license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses).
-- A Microsoft Entra ID P1 or P2 license is also required for WIP auto-recovery, where a device can re-enroll and regain access to protected data. WIP auto-recovery depends on Microsoft Entra registration to back up the encryption keys, which requires device auto-enrollment with MDM.
-- MAM supports only one user per device.
-- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md).
-- Only MDM can use [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) policies.
-- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Microsoft Entra ID. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
-
-
-## Prerequisites
-
-Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Microsoft Entra ID. MAM requires an [Microsoft Entra ID P1 or P2 license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). A Microsoft Entra ID P1 or P2 license is also required for WIP auto-recovery, where a device can re-enroll and regain access to protected data. WIP auto-recovery relies on Microsoft Entra registration to back up the encryption keys, which requires device auto-enrollment with MDM.
-
-## Configure the MDM or MAM provider
-
-1. Sign in to the Azure portal.
-
-2. Select **Microsoft Entra ID** > **Mobility (MDM and MAM)** > **Microsoft Intune**.
-
-3. Select **Restore Default URLs** or enter the settings for MDM or MAM user scope and select **Save**:
-
- 
-
-## Create a WIP policy
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-2. Open Microsoft Intune and select **Apps** > **App protection policies** > **Create policy**.
-
- 
-
-3. In the **App policy** screen, select **Add a policy**, and then fill out the fields:
-
- - **Name.** Type a name (required) for your new policy.
-
- - **Description.** Type an optional description.
-
- - **Platform.** Choose **Windows 10**.
-
- - **Enrollment state.** Choose **Without enrollment** for MAM or **With enrollment** for MDM.
-
- 
-
-4. Select **Protected apps** and then select **Add apps**.
-
- 
-
- You can add these types of apps:
-
- - [Recommended apps](#add-recommended-apps)
- - [Store apps](#add-store-apps)
- - [Desktop apps](#add-desktop-apps)
-
->[!NOTE]
->An application might return access denied errors after removing it from the list of protected apps. Rather than remove it from the list, uninstall and reinstall the application or exempt it from WIP policy.
-
-### Add recommended apps
-
-Select **Recommended apps** and select each app you want to access your enterprise data or select them all, and select **OK**.
-
-
-
-### Add Store apps
-
-Select **Store apps**, type the app product name and publisher, and select **OK**. For example, to add the Power BI Mobile App from the Store, type the following:
-
-- **Name**: Microsoft Power BI
-- **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
-- **Product Name**: `Microsoft.MicrosoftPowerBIForWindows`
-
-
-
-To add multiple Store apps, select the ellipsis `…`.
-
-If you don't know the Store app publisher or product name, you can find them by following these steps.
-
-1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Power BI Mobile App*.
-
-2. Copy the ID value from the app URL. For example, the Power BI Mobile App ID URL is `https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1`, and you'd copy the ID value, `9nblgggzlxn1`.
-
-3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run `https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata`, where `9nblgggzlxn1` is replaced with your ID value.
-
- The API runs and opens a text editor with the app details.
-
- ```json
- {
- "packageIdentityName": "Microsoft.MicrosoftPowerBIForWindows",
- "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
- }
- ```
-
-4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune.
-
- >[!Important]
- >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
- >
- > For example:
- >
- > ```json
- > {
- > "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
- > }
-
-
-
-### Add Desktop apps
-
-To add **Desktop apps**, complete the following fields, based on what results you want returned.
-
-|Field|Manages|
-|--- |--- |
-|All fields marked as `*`|All files signed by any publisher. (Not recommended and may not work)|
-|Publisher only|If you only fill out this field, you'll get all files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps.|
-|Publisher and Name only|If you only fill out these fields, you'll get all files for the specified product, signed by the named publisher.|
-|Publisher, Name, and File only|If you only fill out these fields, you'll get any version of the named file or package for the specified product, signed by the named publisher.|
-|Publisher, Name, File, and Min version only|If you only fill out these fields, you'll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened.|
-|Publisher, Name, File, and Max version only|If you only fill out these fields, you'll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.|
-|All fields completed|If you fill out all fields, you'll get the specified version of the named file or package for the specified product, signed by the named publisher.|
-
-To add another Desktop app, select the ellipsis `…`. After you've entered the info into the fields, select **OK**.
-
-
-
-If you're unsure about what to include for the publisher, you can run this PowerShell command:
-
-```powershell
-Get-AppLockerFileInformation -Path "
- This is the XML file that AppLocker creates for Microsoft Dynamics 365.
-
- ```xml
-
-
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on. For more information, see [How to disable Windows Information Protection](how-to-disable-wip.md).|
-
-2. Select **Save**.
-
-## Define your enterprise-managed corporate identity
-Corporate identity, typically expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
-
-Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the **Corporate identity** field.
-
-**To change your corporate identity**
-
-1. From **App policy**, select the name of your policy, and then select **Required settings**.
-
-2. If the auto-defined identity isn't correct, you can change the info in the **Corporate identity** field.
-
- 
-
-3. To add domains, such your email domain names, select **Configure Advanced settings** > **Add network boundary** and select **Protected domains**.
-
- 
-
-## Choose where apps can access enterprise data
-After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations.
-
-There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
-
-To define the network boundaries, select **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**.
-
-
-
-Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the options covered in the following subsections, and then select **OK**.
-
-### Cloud resources
-
-Specify the cloud resources to be treated as corporate and protected by WIP.
-For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource.
-All traffic routed through your Internal proxy servers is considered enterprise.
-
-Separate multiple resources with the "|" delimiter.
-For example:
-
-```console
-URL <,proxy>|URL <,proxy>
-```
-
-Personal applications can access a cloud resource that has a blank space or an invalid character, such as a trailing dot in the URL.
-
-To add a subdomain for a cloud resource, use a period (.) instead of an asterisk (*). For example, to add all subdomains within Office.com, use ".office.com" (without the quotation marks).
-
-In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site.
-In this case, Windows blocks the connection by default.
-To stop Windows from automatically blocking these connections, you can add the `/*AppCompat*/` string to the setting.
-For example:
-
-```console
-URL <,proxy>|URL <,proxy>|/*AppCompat*/
-```
-
-When you use this string, we recommend that you also turn on [Microsoft Entra Conditional Access](/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
-
-Value format with proxy:
-
-```console
-contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,contoso.internalproxy2.com
-```
-
-Value format without proxy:
-
-```console
-contoso.sharepoint.com|contoso.visualstudio.com|contoso.onedrive.com,
-```
-
-### Protected domains
-
-Specify the domains used for identities in your environment.
-All traffic to the fully qualified domains appearing in this list will be protected.
-Separate multiple domains with the "|" delimiter.
-
-```console
-exchange.contoso.com|contoso.com|region.contoso.com
-```
-
-### Network domains
-
-Specify the DNS suffixes used in your environment.
-All traffic to the fully qualified domains appearing in this list will be protected.
-Separate multiple resources with the "," delimiter.
-
-```console
-corp.contoso.com,region.contoso.com
-```
-
-### Proxy servers
-
-Specify the proxy servers your devices will go through to reach your cloud resources.
-Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
-
-This list shouldn't include any servers listed in your Internal proxy servers list.
-Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
-Separate multiple resources with the ";" delimiter.
-
-```console
-proxy.contoso.com:80;proxy2.contoso.com:443
-```
-
-### Internal proxy servers
-
-Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
-
-This list shouldn't include any servers listed in your Proxy servers list.
-Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
-Separate multiple resources with the ";" delimiter.
-
-```console
-contoso.internalproxy1.com;contoso.internalproxy2.com
-```
-
-### IPv4 ranges
-
-Specify the addresses for a valid IPv4 value range within your intranet.
-These addresses, used with your Network domain names, define your corporate network boundaries.
-Classless Inter-Domain Routing (CIDR) notation isn't supported.
-
-Separate multiple ranges with the "," delimiter.
-
-**Starting IPv4 Address:** 3.4.0.1
-**Ending IPv4 Address:** 3.4.255.254
-**Custom URI:** 3.4.0.1-3.4.255.254,
-10.0.0.1-10.255.255.254
-
-### IPv6 ranges
-
-Starting with Windows 10, version 1703, this field is optional.
-
-Specify the addresses for a valid IPv6 value range within your intranet.
-These addresses, used with your network domain names, define your corporate network boundaries.
-Classless Inter-Domain Routing (CIDR) notation isn't supported.
-
-Separate multiple ranges with the "," delimiter.
-
-**Starting IPv6 Address:** `2a01:110::`
-**Ending IPv6 Address:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff`
-**Custom URI:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,'
'fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`
-
-### Neutral resources
-
-Specify your authentication redirection endpoints for your company.
-These locations are considered enterprise or personal, based on the context of the connection before the redirection.
-Separate multiple resources with the "," delimiter.
-
-```console
-sts.contoso.com,sts.contoso2.com
-```
-
-Decide if you want Windows to look for more network settings:
-
-- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you turn this off, Windows will search for more proxy servers in your immediate network.
-
-- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you turn this off, Windows will search for more IP ranges on any domain-joined devices connected to your network.
-
-
-
-## Upload your Data Recovery Agent (DRA) certificate
-After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
-
->[!Important]
->Using a DRA certificate isn't mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see [Data Recovery and Encrypting File System (EFS)](/previous-versions/tn-archive/cc512680(v=technet.10)). For more info about creating and verifying your EFS DRA certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
-
-**To upload your DRA certificate**
-1. From **App policy**, select the name of your policy, and then select **Advanced settings** from the menu that appears.
-
- **Advanced settings** shows.
-
-2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy.
-
- 
-
-## Choose your optional WIP-related settings
-After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings.
-
-
-
-**Revoke encryption keys on unenroll.** Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
-
-- **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
-
-- **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions.
-
-**Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
-
-- **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Also, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu.
-
-- **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option.
-
-**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](/azure/information-protection/what-is-azure-rms) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared with employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they're copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template's license. Only users with permission to that template can read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp).
-
-- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn't actually apply Azure Information Protection to the files.
-
- If you don't specify an [RMS template](/information-protection/deploy-use/configure-custom-templates), it's a regular EFS file using a default RMS template that all users can access.
-
-- **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive.
-
- > [!NOTE]
- > Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders.
-
-**Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files.
-
-- **On.** Starts Windows Search Indexer to index encrypted files.
-
-- **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files.
-
-## Encrypted file extensions
-
-You can restrict which files are protected by WIP when they're downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied.
-
-
-
-## Related articles
-
-- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
-
-- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
-
-- [What is Azure Rights Management?](/information-protection/understand-explore/what-is-azure-rms)
-
-- [Create a Windows Information Protection (WIP) protection policy using Microsoft Intune](overview-create-wip-policy.md)
-
-- [Intune MAM Without Enrollment](/archive/blogs/configmgrdogs/intune-mam-without-enrollment)
-
-- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
deleted file mode 100644
index 0269f73fe5..0000000000
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
-description: After you've created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 03/05/2019
-ms.reviewer:
----
-
-# Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
-
-**Applies to:**
-
-- Windows 10, version 1607 and later
-
-After you've created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
-
-## To deploy your WIP policy
-
-1. On the **App protection policies** pane, click your newly created policy, click **Assignments**, and then select groups to include or exclude from the policy.
-
-2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy.
-
- The policy is deployed to the selected users' devices.
-
- 
-
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
-
-## Related topics
-
-- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
deleted file mode 100644
index 1660b49f10..0000000000
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP)
-description: Learn the difference between enlightened and unenlightened apps. Find out which enlightened apps are provided by Microsoft. Learn how to allow-list them.
-ms.reviewer:
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 05/02/2019
----
-
-# List of enlightened Microsoft apps for use with Windows Information Protection (WIP)
-
-**Applies to:**
-
-- Windows 10, version 1607 and later
-
-Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
-
-## Enlightened versus unenlightened apps
-Apps can be enlightened or unenlightened:
-
-- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies.
-
-- **Unenlightened apps** consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because:
-
- - Windows Desktop shows it as always running in enterprise mode.
-
- - Windows **Save As** experiences only allow you to save your files as enterprise.
-
-- **Windows Information Protection-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode.
-
-## List of enlightened Microsoft apps
-Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
-
-- Microsoft 3D Viewer
-
-- Microsoft Edge
-
-- Internet Explorer 11
-
-- Microsoft People
-
-- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
-
-- Microsoft 365 Apps for enterprise apps, including Word, Excel, PowerPoint, OneNote, and Outlook
-
-- OneDrive app
-
-- OneDrive sync client (OneDrive.exe, the next generation sync client)
-
-- Microsoft Photos
-
-- Groove Music
-
-- Notepad
-
-- Microsoft Paint
-
-- Microsoft Movies & TV
-
-- Microsoft Messaging
-
-- Microsoft Remote Desktop
-
-- Microsoft To Do
-
-> [!NOTE]
-> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from Windows Information Protection policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning.
-
-## List of WIP-work only apps from Microsoft
-Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with Windows Information Protection and MAM solutions.
-
-- Skype for Business
-
-- Microsoft Teams (build 1.3.00.12058 and later)
-
-## Adding enlightened Microsoft apps to the allowed apps list
-
-> [!NOTE]
-> As of January 2019 it is no longer necessary to add Intune Company Portal as an exempt app since it is now included in the default list of protected apps.
-
-You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and Microsoft Configuration Manager.
-
-
-| Product name | App info |
-|------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Microsoft 3D Viewer | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Microsoft3DViewer
**App Type:** Universal app |
-| Microsoft Edge | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.MicrosoftEdge
**App Type:** Universal app |
-| Microsoft People | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.People
**App Type:** Universal app |
-| Word Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Word
**App Type:** Universal app |
-| Excel Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Excel
**App Type:** Universal app |
-| PowerPoint Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.PowerPoint
**App Type:** Universal app |
-| OneNote | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.OneNote
**App Type:** Universal app |
-| Outlook Mail and Calendar | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.windowscommunicationsapps
**App Type:** Universal app |
-| Microsoft 365 Apps for enterprise and Office 2019 Professional Plus | Microsoft 365 Apps for enterprise and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for Windows Information Protection.
We don't recommend setting up Office by using individual paths or publisher rules. |
-| Microsoft Photos | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Windows.Photos
**App Type:** Universal app |
-| Groove Music | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneMusic
**App Type:** Universal app |
-| Microsoft Movies & TV | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneVideo
**App Type:** Universal app |
-| Microsoft Messaging | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Messaging
**App Type:** Universal app |
-| IE11 | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** iexplore.exe
**App Type:** Desktop app |
-| OneDrive Sync Client | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** onedrive.exe
**App Type:** Desktop app |
-| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Microsoftskydrive
Product Version:Product version: 17.21.0.0 (and later)
**App Type:** Universal app |
-| Notepad | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** notepad.exe
**App Type:** Desktop app |
-| Microsoft Paint | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mspaint.exe
**App Type:** Desktop app |
-| Microsoft Remote Desktop | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mstsc.exe
**App Type:** Desktop app |
-| Microsoft MAPI Repair Tool | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** fixmapi.exe
**App Type:** Desktop app |
-| Microsoft To Do | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Todos
**App Type:** Store app |
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
deleted file mode 100644
index f98f1a7125..0000000000
--- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: General guidance and best practices for Windows Information Protection (WIP)
-description: Find resources about apps that can work with Windows Information Protection (WIP) to protect data. Enlightened apps can tell corporate and personal data apart.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 02/26/2019
----
-
-# General guidance and best practices for Windows Information Protection (WIP)
-**Applies to:**
-
-- Windows 10, version 1607 and later
-
-This section includes info about the enlightened Microsoft apps, including how to add them to your allowed apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
-
-## In this section
-
-|Topic |Description |
-|------|------------|
-|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
-|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |Learn the difference between enlightened and unenlightened app behaviors. |
-|[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |Recommended additions for the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). |
-|[Using Outlook on the web with Windows Information Protection (WIP)](using-owa-with-wip.md) |Options for using Outlook on the web with Windows Information Protection (WIP). |
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md
deleted file mode 100644
index f30aaac954..0000000000
--- a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md
+++ /dev/null
@@ -1,124 +0,0 @@
----
-title: How to disable Windows Information Protection (WIP)
-description: How to disable Windows Information Protection (WIP) in Microsoft Intune or Microsoft Configuration Manager.
-ms.date: 07/21/2022
-ms.topic: how-to
-author: lizgt2000
-ms.author: lizlong
-ms.reviewer: aaroncz
-manager: aaroncz
----
-
-# How to disable Windows Information Protection (WIP)
-
-[!INCLUDE [wip-deprecation](includes/wip-deprecation.md)]
-
-
-_Applies to:_
-
-- Windows 10
-- Windows 11
-
-## Use Intune to disable WIP
-
-To disable Windows Information Protection (WIP) using Intune, you have the following options:
-
-### Option 1 - Unassign the WIP policy (preferred)
-
-When you unassign an existing policy, it removes the intent to deploy WIP from those devices. When that intent is removed, the device removes protection for files and the configuration for WIP. For more information, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign).
-
-### Option 2 - Change current WIP policy to off
-
-If you're currently deploying a WIP policy for enrolled or unenrolled devices, you switch the WIP policy to Off. When devices check in after this change, the devices will proceed to unprotect files previously protected by WIP.
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Open Microsoft Intune and select **Apps** > **App protection policies**.
-1. Select the existing policy to turn off, and then select the **Properties**.
-1. Edit **Required settings**.
- :::image type="content" alt-text="Intune App Protection policy properties, required settings, with WIP mode Off." source="images/intune-edit-app-protection-policy-mode-off.png":::
-1. Set **Windows Information Protection mode** to off.
-1. After making this change, select **Review and Save**.
-1. Select **Save**.
-
-> [!NOTE]
-> **Another option is to create a disable policy that sets WIP to Off.**
->
-> You can create a separate disable policy for WIP (both enrolled and unenrolled) and deploy that to a new group. You then can stage the transition to this disabled state. Move devices from the existing group to the new group. This process slowly migrates devices instead of all at once.
-
-### Revoke local encryption keys during the unenrollment process
-
-Determine whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
-
-- Yes, or not configured. Revokes local encryption keys from a device during unenrollment.
-- No (recommended). Stop local encryption keys from being revoked from a device during unenrollment.
-
-## Use Configuration Manager to disable WIP
-
-To disable Windows Information Protection (WIP) using Configuration Manager, create a new configuration item that turns off WIP. Configure that new object for your environment to match the existing policy, except for disabling WIP. Then deploy the new policy, and move devices into the new collection.
-
-> [!WARNING]
-> Don't just delete your existing WIP policy. If you delete the old policy, Configuration Manager stops sending further WIP policy updates, but also leaves WIP enforced on the devices. To remove WIP from your managed devices, follow the steps in this section to create a new policy to turn off WIP.
-
-### Create a WIP policy
-
-To disable WIP for your organization, first create a configuration item.
-
-1. Open the Configuration Manager console, select the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
-
-2. Select the **Create Configuration Item** button.
- The **Create Configuration Item Wizard** starts.
-
- 
-
-3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
-
-4. In the **Specify the type of configuration item you want to create** area, select **Windows 10 or later** for devices managed with the Configuration Manager client, and then select **Next**.
-
-5. On the **Supported Platforms** screen, select the **Windows 10** box, and then select **Next**.
-
-6. On the **Device Settings** screen, select **Windows Information Protection**, and then select **Next**.
-
-The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. The following sections provide details on the required settings on this page.
-
-> [!TIP]
-> For more information on filling out the required fields, see [Create and deploy a Windows Information Protection (WIP) policy using Microsoft Configuration Manager](/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr).
-
-#### Turn off WIP
-
-Of the four options to specify the restriction mode, select **Off** to turn off Windows Information Protection.
-
-:::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level." source="images/wip-configmgr-disable-wip.png":::
-
-#### Specify the corporate identity
-
-Paste the value of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
-
-
-
-> [!IMPORTANT]
-> This corporate identity value must match the string in the original policy. Copy and paste the string from your original policy that enables WIP.
-
-#### Specify the corporate network definition
-
-For the **Corporate network definition**, select **Add** to specify the necessary network locations. The **Add or edit corporate network definition** box appears. Add the required fields.
-
-> [!IMPORTANT]
-> These corporate network definitions must match the original policy. Copy and paste the strings from your original policy that enables WIP.
-
-#### Specify the data recovery agent certificate
-
-In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy. This certificate should be the same as the original policy that enables WIP.
-
-
-
-### Deploy the WIP policy
-
-After you've created the new policy to turn off WIP, deploy it to your organization's devices. For more information about deployment options, see the following articles:
-
-- [Create a configuration baseline that includes the new configuration item](/mem/configmgr/compliance/deploy-use/create-configuration-baselines).
-
-- [Create a new collection](/mem/configmgr/core/clients/manage/collections/create-collections).
-
-- [Deploy the baseline to the collection](/mem/configmgr/compliance/deploy-use/deploy-configuration-baselines).
-
-- Move devices from the old collection to new collection.
diff --git a/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png b/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png
deleted file mode 100644
index 12d4f6eefd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/add-a-mobile-app-policy.png b/windows/security/information-protection/windows-information-protection/images/add-a-mobile-app-policy.png
deleted file mode 100644
index 31f979f9f1..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/add-a-mobile-app-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/add-a-protected-store-app.png b/windows/security/information-protection/windows-information-protection/images/add-a-protected-store-app.png
deleted file mode 100644
index 8522b463a7..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/add-a-protected-store-app.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/add-protected-apps.png b/windows/security/information-protection/windows-information-protection/images/add-protected-apps.png
deleted file mode 100644
index c702a0acff..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/add-protected-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/add-protected-domains.png b/windows/security/information-protection/windows-information-protection/images/add-protected-domains.png
deleted file mode 100644
index 848ff120a2..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/add-protected-domains.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/create-app-protection-policy.png b/windows/security/information-protection/windows-information-protection/images/create-app-protection-policy.png
deleted file mode 100644
index 345093afc8..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/create-app-protection-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/create-new-path-rule.png b/windows/security/information-protection/windows-information-protection/images/create-new-path-rule.png
deleted file mode 100644
index b33322202c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/create-new-path-rule.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/exempt-apps.png b/windows/security/information-protection/windows-information-protection/images/exempt-apps.png
deleted file mode 100644
index 59b0ebd268..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/exempt-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/import-protected-apps.png b/windows/security/information-protection/windows-information-protection/images/import-protected-apps.png
deleted file mode 100644
index eefe2c57d4..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/import-protected-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-applocker-before-begin.png b/windows/security/information-protection/windows-information-protection/images/intune-applocker-before-begin.png
deleted file mode 100644
index 3f6a79c8d6..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-applocker-before-begin.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-applocker-permissions.png b/windows/security/information-protection/windows-information-protection/images/intune-applocker-permissions.png
deleted file mode 100644
index 901c861793..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-applocker-permissions.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-applocker-publisher-with-app.png b/windows/security/information-protection/windows-information-protection/images/intune-applocker-publisher-with-app.png
deleted file mode 100644
index 29f08e03f0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-applocker-publisher-with-app.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-applocker-publisher.png b/windows/security/information-protection/windows-information-protection/images/intune-applocker-publisher.png
deleted file mode 100644
index 42da98610a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-applocker-publisher.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-applocker-select-apps.png b/windows/security/information-protection/windows-information-protection/images/intune-applocker-select-apps.png
deleted file mode 100644
index 38ba06d474..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-applocker-select-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-edit-app-protection-policy-mode-off.png b/windows/security/information-protection/windows-information-protection/images/intune-edit-app-protection-policy-mode-off.png
deleted file mode 100644
index e5cb84a44e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-edit-app-protection-policy-mode-off.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-local-security-export.png b/windows/security/information-protection/windows-information-protection/images/intune-local-security-export.png
deleted file mode 100644
index 56b27c2387..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-local-security-export.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-local-security-snapin-updated.png b/windows/security/information-protection/windows-information-protection/images/intune-local-security-snapin-updated.png
deleted file mode 100644
index d794b8976c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-local-security-snapin-updated.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-local-security-snapin.png b/windows/security/information-protection/windows-information-protection/images/intune-local-security-snapin.png
deleted file mode 100644
index 492f3fc50a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-local-security-snapin.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/mobility-provider.png b/windows/security/information-protection/windows-information-protection/images/mobility-provider.png
deleted file mode 100644
index 280a0531dc..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/mobility-provider.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/path-condition.png b/windows/security/information-protection/windows-information-protection/images/path-condition.png
deleted file mode 100644
index 6aaf295bcc..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/path-condition.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/recommended-apps.png b/windows/security/information-protection/windows-information-protection/images/recommended-apps.png
deleted file mode 100644
index 658cbb343b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/recommended-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/robocopy-s-mode.png b/windows/security/information-protection/windows-information-protection/images/robocopy-s-mode.png
deleted file mode 100644
index 141e7a1819..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/robocopy-s-mode.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/select-path.png b/windows/security/information-protection/windows-information-protection/images/select-path.png
deleted file mode 100644
index 0fd5274d45..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/select-path.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-default-rule-warning.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-default-rule-warning.png
deleted file mode 100644
index 50440a4fc8..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-default-rule-warning.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-1.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-1.png
deleted file mode 100644
index 709ff73d25..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-1.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-create.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-create.png
deleted file mode 100644
index 74497fd6ab..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-create.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export.png
deleted file mode 100644
index 1f5d20dffa..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-1.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-1.png
deleted file mode 100644
index 0ced278421..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-1.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-2.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-2.png
deleted file mode 100644
index e399d8aa66..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-2.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-3.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-3.png
deleted file mode 100644
index 0ac48ca032..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-3.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-4.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-4.png
deleted file mode 100644
index c924430a97..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-4.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-5.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-5.png
deleted file mode 100644
index 4b5e707aec..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-5.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-desktop-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-desktop-apps.png
deleted file mode 100644
index 1d1aff1a0c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-desktop-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png
deleted file mode 100644
index 34c89b37a9..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-efsdra.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-efsdra.png
deleted file mode 100644
index 59e2071bd8..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-efsdra.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png
deleted file mode 100644
index 7fff387ab2..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network.png
deleted file mode 100644
index 9fbe37d56d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png
deleted file mode 100644
index 785925efdf..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-import-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-import-apps.png
deleted file mode 100644
index 01489c8059..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-import-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png
deleted file mode 100644
index 752ea852ce..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png
deleted file mode 100644
index 734f23b46c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-add-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-add-network-domain.png
deleted file mode 100644
index 6f5e80d670..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-add-network-domain.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addapplockerfile.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addapplockerfile.png
deleted file mode 100644
index 6cd571b404..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addapplockerfile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adddesktopapp.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adddesktopapp.png
deleted file mode 100644
index 5da4686e3f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adddesktopapp.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-additionalsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-additionalsettings.png
deleted file mode 100644
index 89c1eae2a8..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-additionalsettings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addpolicy.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addpolicy.png
deleted file mode 100644
index 49613b5587..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addpolicy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adduniversalapp.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adduniversalapp.png
deleted file mode 100644
index b2fc9ee966..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adduniversalapp.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-appmgmt.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-appmgmt.png
deleted file mode 100644
index 8af8967001..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-appmgmt.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-corp-identity.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-corp-identity.png
deleted file mode 100644
index 940d60acf1..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-corp-identity.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-devicesettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-devicesettings.png
deleted file mode 100644
index bee8ddfb1a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-devicesettings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-disable-wip.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-disable-wip.png
deleted file mode 100644
index f1cf7c107d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-disable-wip.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-dra.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-dra.png
deleted file mode 100644
index cc58cdb34a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-dra.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen-off.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen-off.png
deleted file mode 100644
index ab05d9607a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen-off.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen.png
deleted file mode 100644
index 2d6cadb5c6..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-optsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-optsettings.png
deleted file mode 100644
index f3d12e7f2f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-optsettings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-summaryscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-summaryscreen.png
deleted file mode 100644
index 5cae0416bd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-summaryscreen.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-supportedplat.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-supportedplat.png
deleted file mode 100644
index c09ff3cfc3..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-supportedplat.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png b/windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png
deleted file mode 100644
index 8ec000d2a7..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-learning-app-info.png b/windows/security/information-protection/windows-information-protection/images/wip-learning-app-info.png
deleted file mode 100644
index 09539d6773..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-learning-app-info.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-learning-choose-store-or-desktop-app.png b/windows/security/information-protection/windows-information-protection/images/wip-learning-choose-store-or-desktop-app.png
deleted file mode 100644
index 2393cc7eca..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-learning-choose-store-or-desktop-app.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png b/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png
deleted file mode 100644
index 926a3c4473..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-select-column.png b/windows/security/information-protection/windows-information-protection/images/wip-select-column.png
deleted file mode 100644
index d4e8a9e7a0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-select-column.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-taskmgr.png b/windows/security/information-protection/windows-information-protection/images/wip-taskmgr.png
deleted file mode 100644
index d69e829d65..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-taskmgr.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
deleted file mode 100644
index 783f627a5c..0000000000
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ /dev/null
@@ -1,152 +0,0 @@
----
-title: Limitations while using Windows Information Protection (WIP)
-description: This section includes info about the common problems you might encounter while using Windows Information Protection (WIP).
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.reviewer: rafals
-ms.topic: conceptual
-ms.date: 04/05/2019
----
-
-# Limitations while using Windows Information Protection (WIP)
-
-_Applies to:_
-
-- Windows 10
-- Windows 11
-
-This following list provides info about the most common problems you might encounter while running Windows Information Protection in your organization.
-
-- **Limitation**: Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.
- - **How it appears**:
- - If you're using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.
- - If you're not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.
-
- - **Workaround**: Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.
-
- We strongly recommend educating employees about how to limit or eliminate the need for this decryption.
-
-- **Limitation**: Direct Access is incompatible with Windows Information Protection.
- - **How it appears**: Direct Access might experience problems with how Windows Information Protection enforces app behavior and data movement because of how WIP determines what is and isn't a corporate network resource.
- - **Workaround**: We recommend that you use VPN for client access to your intranet resources.
-
- > [!NOTE]
- > VPN is optional and isn't required by Windows Information Protection.
-
-- **Limitation**: **NetworkIsolation** Group Policy setting takes precedence over MDM Policy settings.
- - **How it appears**: The **NetworkIsolation** Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.
- - **Workaround**: If you use both Group Policy and MDM to configure your **NetworkIsolation** settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM.
-
-- **Limitation**: Cortana can potentially allow data leakage if it's on the allowed apps list.
- - **How it appears**: If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.
- - **Workaround**: We don't recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.
-
-
-
-- **Limitation**: Windows Information Protection is designed for use by a single user per device.
- - **How it appears**: A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user's content can be revoked during the unenrollment process.
- - **Workaround**: Have only one user per managed device.
- - If this scenario occurs, it may be possible to mitigate. Once protection is disabled, a second user can remove protection by changing the file ownership. Although the protection is in place, the file remains accessible to the user.
-
-- **Limitation**: Installers copied from an enterprise network file share might not work properly.
- - **How it appears**: An app might fail to properly install because it can't read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.
- - **Workaround**: To fix this, you can:
- - Start the installer directly from the file share.
-
- OR
-
- - Decrypt the locally copied files needed by the installer.
-
- OR
-
- - Mark the file share with the installation media as "personal". To do this, you'll need to set the Enterprise IP ranges as **Authoritative** and then exclude the IP address of the file server, or you'll need to put the file server on the Enterprise Proxy Server list.
-
-- **Limitation**: Changing your primary Corporate Identity isn't supported.
- - **How it appears**: You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.
- - **Workaround**: Turn off Windows Information Protection for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.
-
-- **Limitation**: Redirected folders with Client-Side Caching are not compatible with Windows Information Protection.
- - **How it appears**: Apps might encounter access errors while attempting to read a cached, offline file.
- - **Workaround**: Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
-
- > [!NOTE]
- > For more info about Work Folders and Offline Files, see the [Work Folders and Offline Files support for Windows Information Protection blog](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and Windows Information Protection, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
-
-- **Limitation**: An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.
- - **How it appears**:
- - Data copied from the WIP-managed device is marked as **Work**.
- - Data copied to the WIP-managed device is not marked as **Work**.
- - Local **Work** data copied to the WIP-managed device remains **Work** data.
- - **Work** data that is copied between two apps in the same session remains ** data.
-
- - **Workaround**: Disable RDP to prevent access because there is no way to restrict access to only devices managed by Windows Information Protection. RDP is disabled by default.
-
-- **Limitation**: You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.
- - **How it appears**: A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.
- - **Workaround**: Open File Explorer and change the file ownership to **Personal** before you upload.
-
-- **Limitation**: ActiveX controls should be used with caution.
- - **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that aren't protected by using Windows Information Protection.
- - **Workaround**: We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.
-
- For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).
-
-- **Limitation**: Resilient File System (ReFS) isn't currently supported with Windows Information Protection.
- - **How it appears**:Trying to save or transfer Windows Information Protection files to ReFS will fail.
- - **Workaround**: Format drive for NTFS, or use a different drive.
-
-- **Limitation**: Windows Information Protection isn't turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**:
- - AppDataRoaming
- - Desktop
- - StartMenu
- - Documents
- - Pictures
- - Music
- - Videos
- - Favorites
- - Contacts
- - Downloads
- - Links
- - Searches
- - SavedGames
-
-
-
- - **How it appears**: Windows Information Protection isn't turned on for employees in your organization. Error code 0x807c0008 will result if Windows Information Protection is deployed by using Microsoft Configuration Manager.
- - **Workaround**: Don't set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders. You can configure this parameter, as described [Disable Offline Files on individual redirected folders](/windows-server/storage/folder-redirection/disable-offline-files-on-folders).
-
- If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports Windows Information Protection, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after Windows Information Protection is already in place, you might be unable to open your files offline.
-
- For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
-
-- **Limitation**: Only enlightened apps can be managed without device enrollment
- - **How it appears**: If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintentionally encrypted by unenlighted apps.
-
- Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment.
-
- - **Workaround**: If all apps need to be managed, enroll the device for MDM.
-
-- **Limitation**: By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encrypted by one user, other users can't access it.
- - **How it appears**: Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.
- - **Workaround**: If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
-
-- **Limitation**: OneNote notebooks on OneDrive for Business must be properly configured to work with Windows Information Protection.
- - **How it appears**: OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it.
- - **Workaround**: OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps:
-
- 1. Close the notebook in OneNote.
- 2. Move the notebook folder via File Explorer out of the OneDrive for Business folder to another location, such as the Desktop.
- 3. Copy the notebook folder and Paste it back into the OneDrive for Business folder.
-
- Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the "Open in app" button.
-
-- **Limitation**: Microsoft Office Outlook offline data files (PST and OST files) are not marked as **Work** files, and are therefore not protected.
- - **How it appears**: If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected.
- - **Workaround**: It is recommended to use Microsoft Office Outlook in Online mode, or to use encryption to protect OST and PST files manually.
-
-> [!NOTE]
->
-> - When corporate data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files.
->
-> - Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
deleted file mode 100644
index c849026e4b..0000000000
--- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ /dev/null
@@ -1,29 +0,0 @@
----
-title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
-description: Review all of the tasks required for Windows to turn on Windows Information Protection (WIP), formerly enterprise data protection (EDP), in your enterprise.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 05/25/2022
----
-
-# Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
-**Applies to:**
-
-- Windows 10, version 1607 and later
-
-This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.
-
-|Task|Description|
-|----|-----------|
-|Add at least one app of each type (Store and Desktop) to the **Protected apps** list in your WIP policy.|You must have at least one Store app and one Desktop app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics. |
-|Choose your Windows Information Protection protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage Windows Information Protection mode for your enterprise data](create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
-|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it's incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
-|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.
Specify the DNS suffixes used in your environment. All traffic to the fully qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
-|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
-|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.
This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) topic.|
-
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
deleted file mode 100644
index 25099e224a..0000000000
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager
-description: Microsoft Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 02/26/2019
----
-
-# Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager
-**Applies to:**
-
-- Windows 10, version 1607 and later
-
-Microsoft Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy. It lets you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
-
-## In this section
-
-|Article |Description |
-|------|------------|
-|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Configuration Manager helps you create and deploy your WIP policy. And, lets you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
-|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
-|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
deleted file mode 100644
index 794a46361f..0000000000
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Create a Windows Information Protection (WIP) policy using Microsoft Intune
-description: Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 03/11/2019
----
-
-# Create a Windows Information Protection (WIP) policy using Microsoft Intune
-**Applies to:**
-
-- Windows 10, version 1607 and later
-
-Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy. It also lets you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
-
-## In this section
-
-|Article |Description |
-|------|------------|
-|[Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use Microsoft Intune to create and deploy your WIP policy with MDM (Mobile Device Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
-|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
-|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
deleted file mode 100644
index 4135a203b8..0000000000
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ /dev/null
@@ -1,151 +0,0 @@
----
-title: Protect your enterprise data using Windows Information Protection
-description: Learn how to prevent accidental enterprise data leaks through apps and services, such as email, social media, and the public cloud.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.reviewer: rafals
-ms.topic: overview
-ms.date: 07/15/2022
----
-
-# Protect your enterprise data using Windows Information Protection (WIP)
-
-[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)]
-
-
-_Applies to:_
-
-- Windows 10
-- Windows 11
-
-With the increase of employee-owned devices in the enterprise, there's also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise's control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
-
-Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Azure Rights Management, another data protection technology, also works alongside WIP. It extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
-
->[!IMPORTANT]
->While Windows Information Protection can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data. For more information about the benefits WIP provides, see [Why use WIP?](#why-use-wip) later in this topic.
-
-## Video: Protect enterprise data from being accidentally copied to the wrong place
-
-> [!Video https://www.microsoft.com/videoplayer/embed/RE2IGhh]
-
-## Prerequisites
-You'll need this software to run Windows Information Protection in your enterprise:
-
-|Operating system | Management solution |
-|-----------------|---------------------|
-|Windows 10, version 1607 or later | Microsoft Intune
-OR-
Microsoft Configuration Manager
-OR-
Your current company-wide third party mobile device management (MDM) solution. For info about third party MDM solutions, see the documentation that came with your product. If your third party MDM doesn't have UI support for the policies, refer to the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp) documentation.|
-
-## What is enterprise data control?
-Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security. Another extreme is when people can't share anything and it's all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure.
-
-As an admin, you can address the question of who gets access to your data by using access controls, such as employee credentials. However, just because someone has the right to access your data doesn't guarantee that the data will remain within the secured locations of the enterprise. So, access controls are a great start, they're not enough.
-
-In the end, all of these security measures have one thing in common: employees will tolerate only so much inconvenience before looking for ways around the security restrictions. For example, if you don't allow employees to share files through a protected system, employees will turn to an outside app that more than likely lacks security controls.
-
-### Using data loss prevention systems
-To help address this security insufficiency, companies developed data loss prevention (also known as DLP) systems. Data loss prevention systems require:
-- **A set of rules about how the system can identify and categorize the data that needs to be protected.** For example, a rule set might contain a rule that identifies credit card numbers and another rule that identifies Social Security numbers.
-
-- **A way to scan company data to see whether it matches any of your defined rules.** Currently, Microsoft Exchange Server and Exchange Online provide this service for email in transit, while Microsoft SharePoint and SharePoint Online provide this service for content stored in document libraries.
-
-- **The ability to specify what happens when data matches a rule, including whether employees can bypass enforcement.** For example, in Microsoft SharePoint and SharePoint Online, the Microsoft Purview Data Loss Prevention system lets you warn your employees that shared data includes sensitive info, and to share it anyway (with an optional audit log entry).
-
-Unfortunately, data loss prevention systems have their own problems. For example, the less detailed the rule set, the more false positives are created. This behavior can lead employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. Perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees' natural workflow. It can stop some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn't see and can't understand.
-
-### Using information rights management systems
-To help address the potential data loss prevention system problems, companies developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on.
-
-After the type of protection is set, the creating app encrypts the document so that only authorized people can open it, and even then, only in compatible apps. After an employee opens the document, the app becomes responsible for enforcing the specified protections. Because protection travels with the document, if an authorized person sends it to an unauthorized person, the unauthorized person won't be able to read or change it. However, for this to work effectively information rights management systems require you to deploy and set up both a server and client environment. And, because only compatible clients can work with protected documents, an employees' work might be unexpectedly interrupted if he or she attempts to use a non-compatible app.
-
-### And what about when an employee leaves the company or unenrolls a device?
-Finally, there's the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would erase all of the corporate data from the device, along with any other personal data on the device.
-
-## Benefits of WIP
-Windows Information Protection provides:
-- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
-
-- Additional data protection for existing line-of-business apps without a need to update the apps.
-
-- Ability to wipe corporate data from Intune MDM enrolled devices while leaving personal data alone.
-
-- Use of audit reports for tracking issues and remedial actions.
-
-- Integration with your existing management system (Microsoft Intune, Microsoft Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage Windows Information Protection for your company.
-
-## Why use WIP?
-Windows Information Protection is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
-
-- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. Windows Information Protection helps protect enterprise on both corporate and employee-owned devices, even when the employee isn't using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally maintained as enterprise data.
-
-- **Manage your enterprise documents, apps, and encryption modes.**
-
- - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
-
- - **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but makes a mistake and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn't paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
-
- - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode.
-
- You don't have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the protected apps list.
-
- - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could have overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
-
-
- - **Data encryption at rest.** Windows Information Protection helps protect enterprise data on local files and on removable media.
-
- Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies Windows Information Protection to the new document.
-
- - **Helping prevent accidental data disclosure to public spaces.** Windows Information Protection helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn't on your protected apps list, employees won't be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
-
- - **Helping prevent accidental data disclosure to removable media.** Windows Information Protection helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn't.
-
-- **Remove access to enterprise data from enterprise-protected devices.** Windows Information Protection gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or if a device is stolen. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
-
- >[!NOTE]
- >For management of Surface devices it is recommended that you use the Current Branch of Microsoft Configuration Manager.
Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
-
-## How WIP works
-Windows Information Protection helps address your everyday challenges in the enterprise. Including:
-
-- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down.
-
-- Reducing employee frustrations because of restrictive data management policies on enterprise-owned devices.
-
-- Helping to maintain the ownership and control of your enterprise data.
-
-- Helping control the network and data access and data sharing for apps that aren't enterprise aware
-
-### Enterprise scenarios
-Windows Information Protection currently addresses these enterprise scenarios:
-- You can encrypt enterprise data on employee-owned and corporate-owned devices.
-
-- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
-
-- You can protect specific apps that can access enterprise data that are clearly recognizable to employees. You can also stop non-protected apps from accessing enterprise data.
-
-- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn't required.
-
-### WIP-protection modes
-Enterprise data is automatically encrypted after it's loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
-
-Your Windows Information Protection policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don't have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it's personally owned.
-
->[!NOTE]
->For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
-
-You can set your Windows Information Protection policy to use 1 of 4 protection and management modes:
-
-|Mode|Description|
-|----|-----------|
-|Block |Windows Information Protection looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization's network.|
-|Allow overrides |Windows Information Protection looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
-|Silent |Windows Information Protection runs silently, logging inappropriate data sharing, without stopping anything that would have been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
-|Off |Windows Information Protection is turned off and doesn't help to protect or audit your data.
(Replace "contoso" with your domain name(s)|
-|-----------------------------|---------------------------------------------------------------------|
-|Sharepoint Online |- `contoso.sharepoint.com`
- `contoso-my.sharepoint.com`
- `contoso-files.sharepoint.com` |
-|Viva Engage |- `www.yammer.com`
- `yammer.com`
- `persona.yammer.com` |
-|Outlook Web Access (OWA) |- `outlook.office.com`
- `outlook.office365.com`
- `attachments.office.net` |
-|Microsoft Dynamics |`contoso.crm.dynamics.com` |
-|Visual Studio Online |`contoso.visualstudio.com` |
-|Power BI |`contoso.powerbi.com` |
-|Microsoft Teams |`teams.microsoft.com` |
-|Other Office 365 services |- `tasks.office.com`
- `protection.office.com`
- `meet.lync.com`
- `project.microsoft.com` |
-
-You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both.
-
-For Office 365 endpoints, see [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges).
-Office 365 endpoints are updated monthly.
-Allow the domains listed in section number 46 "Allow Required" and add also add the apps.
-Note that apps from officeapps.live.com can also store personal data.
-
-When multiple files are selected from SharePoint Online or OneDrive, the files are aggregated and the URL can change. In this case, add an entry for a second-level domain and use a wildcard such as .svc.ms.
-
-
-## Recommended Neutral Resources
-We recommended adding these URLs if you use the Neutral Resources network setting with Windows Information Protection (WIP).
-
-- `login.microsoftonline.com`
-- `login.windows.net`
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
deleted file mode 100644
index 30c94d76be..0000000000
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ /dev/null
@@ -1,149 +0,0 @@
----
-title: Testing scenarios for Windows Information Protection (WIP)
-description: A list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
-ms.reviewer:
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 03/05/2019
----
-
-# Testing scenarios for Windows Information Protection (WIP)
-**Applies to:**
-
-- Windows 10, version 1607 and later
-
-We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
-
-## Testing scenarios
-You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization.
-
->[!IMPORTANT]
->If any of these scenarios does not work, first take note of whether WIP has been revoked. If it has, unenlightened apps will have to be uninstalled and re-installed since their settings files will remain encrypted.
-
-- **Encrypt and decrypt files using File Explorer**:
-
- 1. Open File Explorer, right-click a work document, and then click **Work** from the **File Ownership** menu.
-
- Make sure the file is encrypted by right-clicking the file again, clicking **Advanced** from the **General** tab, and then clicking **Details** from the **Compress or Encrypt attributes** area. The file should show up under the heading, **This enterprise domain can remove or revoke access:** `*
For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 |
+| Windows Information Protection | [Windows Information Protection](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).
For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 |
| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**
Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows client.
The following items might not be available in a future release of Windows client:
- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**
- Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv)
- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**
- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
| Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 |
| Windows Management Instrumentation command-line (WMIC) utility. | The WMIC utility is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This utility is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation applies to only the [command-line management utility](/windows/win32/wmisdk/wmic). WMI itself isn't affected. **[Update - January 2024]**: Currently, WMIC is a Feature on Demand (FoD) that's [preinstalled by default](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#wmic) in Windows 11, versions 23H2 and 22H2. In the next release of Windows, the WMIC FoD will be disabled by default. | 21H1 |
@@ -104,7 +105,7 @@ The features in this article are no longer being actively developed, and might b
|IIS Digest Authentication | We recommend that users use alternative authentication methods.| 1709 |
|RSA/AES Encryption for IIS | We recommend that users use CNG encryption provider. | 1709 |
|Screen saver functionality in Themes | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
-|Sync your settings (updated: July, 30, 2024) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. As part of this change, we will stop supporting the Device Syncing Settings and App Data report. All other **Sync your settings** options and the Enterprise State Roaming feature will continue to work provided your clients are running an up-to-date version of: - Windows 11 - Windows 10, version 21H2, or later | 1709 |
+|Sync your settings (updated: July, 30, 2024) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. As part of this change, we will stop supporting the Device Syncing Settings and App Data report. All other **Sync your settings** options will continue to work provided your clients are running an up-to-date version of: - Windows 11 - Windows 10, version 21H2, or later | 1709 |
|System Image Backup (SIB) Solution|This feature is also known as the **Backup and Restore (Windows 7)** legacy control panel. For full-disk backup solutions, look for a third-party product from another software publisher. You can also use [OneDrive](/onedrive/) to sync data files with Microsoft 365.| 1709 |
|TLS RC4 Ciphers |To be disabled by default. For more information, see [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)| 1709 |
|Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 |
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index d51e184c00..586828841b 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -60,7 +60,9 @@
"Stacyrch140",
"garycentric",
"dstrome",
- "beccarobins"
+ "beccarobins",
+ "padmagit77",
+ "aditisrivastava07"
],
"searchScope": [
"Windows 10"
@@ -71,4 +73,4 @@
"dest": "win-whats-new",
"markdownEngineName": "markdig"
}
-}
\ No newline at end of file
+}
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
index 911043127c..f19e236cd4 100644
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@@ -16,7 +16,7 @@ metadata:
ms.author: aaroncz
manager: aaroncz
ms.date: 07/01/2024
- localization_priority: medium
+ ms.localizationpriority: medium
landingContent:
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index 315ac95603..9c94a7e808 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -82,10 +82,7 @@ With the increase of employee-owned devices in the enterprise, there's also an i
Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
-- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
-- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
-
-[Learn more about Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip)
+[Learn more about Windows Information Protection (WIP)](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip).
### Windows Defender
@@ -107,7 +104,7 @@ With the growing threat from more sophisticated targeted attacks, a new security
### VPN security
- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Microsoft Entra ID, to provide a device compliance option for remote clients.
-- The VPN client can integrate with Windows Information Protection (WIP) policy to provide extra security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
+- The VPN client can integrate with Windows Information Protection (WIP) policy to provide extra security. [Learn more about Windows Information Protection](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp)
- Microsoft Intune: *VPN* profile template includes support for native VPN plug-ins. For more information, see [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure).
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 6e5084a543..9f16b31604 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -158,9 +158,9 @@ Improvements have been added to Windows Information Protection and BitLocker.
Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection.
-Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure).
+Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure).
-You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For more information, see [How to collect Windows Information Protection (WIP) audit event logs](/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs).
+You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For more information, see [How to collect Windows Information Protection (WIP) audit event logs](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/collect-wip-audit-event-logs).
This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive files on-demand for the enterprise](https://techcommunity.microsoft.com/t5/microsoft-onedrive-blog/onedrive-files-on-demand-for-the-enterprise/ba-p/117234).
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index 62733bd8d1..a348f85ad3 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -60,7 +60,7 @@ To upgrade directly to Windows 11, eligible Windows 10 devices must meet both of
> [!NOTE]
>
> - S mode is only supported on the Home edition of Windows 11.
-> - If you're running a different edition of Windows in S mode, before upgrading to Windows 11, first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode).
+> - If you're running a different edition of Windows in S mode, before upgrading to Windows 11, first [switch out of S mode](/previous-versions/windows/it-pro/windows-10/deployment/s-mode/switch-edition-from-s-mode).
> - To switch a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you can't switch back to S mode later.
## Feature-specific requirements