Merge branch 'release-win11-24h2' of https://github.com/MicrosoftDocs/windows-docs-pr into 24h2-wn-8631988

Meghan Stewart 2024-08-19 08:35:45 -07:00
commit 24caf10f18
126 changed files with 389 additions and 4563 deletions


@ -5077,7 +5077,7 @@
},
{
"source_path": "windows/keep-secure/app-behavior-with-wip.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/app-behavior-with-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/app-behavior-with-wip",
"redirect_document_id": false
},
{
@ -5727,7 +5727,7 @@
},
{
"source_path": "windows/keep-secure/collect-wip-audit-event-logs.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/collect-wip-audit-event-logs",
"redirect_document_id": false
},
{
@ -6037,7 +6037,7 @@
},
{
"source_path": "windows/keep-secure/create-and-verify-an-efs-dra-certificate.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate",
"redirect_document_id": false
},
{
@ -6052,7 +6052,7 @@
},
{
"source_path": "windows/keep-secure/create-edp-policy-using-sccm.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr",
"redirect_document_id": false
},
{
@ -6097,7 +6097,7 @@
},
{
"source_path": "windows/keep-secure/create-wip-policy-using-sccm.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr",
"redirect_document_id": false
},
{
@ -6547,12 +6547,12 @@
},
{
"source_path": "windows/keep-secure/enlightened-microsoft-apps-and-edp.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip",
"redirect_document_id": false
},
{
"source_path": "windows/keep-secure/enlightened-microsoft-apps-and-wip.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip",
"redirect_document_id": false
},
{
@ -7917,12 +7917,12 @@
},
{
"source_path": "windows/keep-secure/guidance-and-best-practices-edp.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/guidance-and-best-practices-wip",
"redirect_document_id": false
},
{
"source_path": "windows/keep-secure/guidance-and-best-practices-wip.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/guidance-and-best-practices-wip",
"redirect_document_id": false
},
{
@ -8177,7 +8177,7 @@
},
{
"source_path": "windows/keep-secure/limitations-with-wip.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/limitations-with-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/limitations-with-wip",
"redirect_document_id": false
},
{
@ -8282,7 +8282,7 @@
},
{
"source_path": "windows/keep-secure/mandatory-settings-for-wip.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/mandatory-settings-for-wip",
"redirect_document_id": false
},
{
@ -8662,12 +8662,12 @@
},
{
"source_path": "windows/keep-secure/overview-create-edp-policy.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/overview-create-wip-policy",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/overview-create-wip-policy",
"redirect_document_id": false
},
{
"source_path": "windows/keep-secure/overview-create-wip-policy.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/overview-create-wip-policy",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/overview-create-wip-policy",
"redirect_document_id": false
},
{
@ -8837,12 +8837,12 @@
},
{
"source_path": "windows/keep-secure/protect-enterprise-data-using-edp.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip",
"redirect_document_id": false
},
{
"source_path": "windows/keep-secure/protect-enterprise-data-using-wip.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip",
"redirect_document_id": false
},
{
@ -8867,7 +8867,7 @@
},
{
"source_path": "windows/keep-secure/recommended-network-definitions-for-wip.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip",
"redirect_document_id": false
},
{
@ -9232,12 +9232,12 @@
},
{
"source_path": "windows/keep-secure/testing-scenarios-for-edp.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/testing-scenarios-for-wip",
"redirect_document_id": false
},
{
"source_path": "windows/keep-secure/testing-scenarios-for-wip.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/testing-scenarios-for-wip",
"redirect_document_id": false
},
{
@ -9522,7 +9522,7 @@
},
{
"source_path": "windows/keep-secure/using-owa-with-wip.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/using-owa-with-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/using-owa-with-wip",
"redirect_document_id": false
},
{
@ -9757,12 +9757,12 @@
},
{
"source_path": "windows/keep-secure/wip-app-enterprise-context.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/wip-app-enterprise-context",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/wip-app-enterprise-context",
"redirect_document_id": false
},
{
"source_path": "windows/keep-secure/wip-enterprise-overview.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip",
"redirect_document_id": false
},
{
@ -10997,7 +10997,7 @@
},
{
"source_path": "windows/plan/act-technical-reference.md",
"redirect_url": "/windows/deployment/planning/compatibility-administrator-users-guide",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/compatibility-administrator-users-guide",
"redirect_document_id": false
},
{
@ -11042,12 +11042,12 @@
},
{
"source_path": "windows/plan/applying-filters-to-data-in-the-sua-tool.md",
"redirect_url": "/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/applying-filters-to-data-in-the-sua-tool",
"redirect_document_id": false
},
{
"source_path": "windows/plan/available-data-types-and-operators-in-compatibility-administrator.md",
"redirect_url": "/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/available-data-types-and-operators-in-compatibility-administrator",
"redirect_document_id": false
},
{
@ -11082,17 +11082,17 @@
},
{
"source_path": "windows/plan/compatibility-administrator-users-guide.md",
"redirect_url": "/windows/deployment/planning/compatibility-administrator-users-guide",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/compatibility-administrator-users-guide",
"redirect_document_id": false
},
{
"source_path": "windows/plan/compatibility-fix-database-management-strategies-and-deployment.md",
"redirect_url": "/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/compatibility-fix-database-management-strategies-and-deployment",
"redirect_document_id": false
},
{
"source_path": "windows/plan/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md",
"redirect_url": "/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/compatibility-fixes-for-windows-8-windows-7-and-windows-vista",
"redirect_document_id": false
},
{
@ -11112,12 +11112,12 @@
},
{
"source_path": "windows/plan/creating-a-custom-compatibility-fix-in-compatibility-administrator.md",
"redirect_url": "/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/creating-a-custom-compatibility-fix-in-compatibility-administrator",
"redirect_document_id": false
},
{
"source_path": "windows/plan/creating-a-custom-compatibility-mode-in-compatibility-administrator.md",
"redirect_url": "/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/creating-a-custom-compatibility-mode-in-compatibility-administrator",
"redirect_document_id": false
},
{
@ -11127,7 +11127,7 @@
},
{
"source_path": "windows/plan/creating-an-apphelp-message-in-compatibility-administrator.md",
"redirect_url": "/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/creating-an-apphelp-message-in-compatibility-administrator",
"redirect_document_id": false
},
{
@ -11202,7 +11202,7 @@
},
{
"source_path": "windows/plan/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md",
"redirect_url": "/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator",
"redirect_document_id": false
},
{
@ -11222,7 +11222,7 @@
},
{
"source_path": "windows/plan/fixing-applications-by-using-the-sua-tool.md",
"redirect_url": "/windows/deployment/planning/fixing-applications-by-using-the-sua-tool",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/fixing-applications-by-using-the-sua-tool",
"redirect_document_id": false
},
{
@ -11242,7 +11242,7 @@
},
{
"source_path": "windows/plan/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md",
"redirect_url": "/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator",
"redirect_document_id": false
},
{
@ -11267,7 +11267,7 @@
},
{
"source_path": "windows/plan/managing-application-compatibility-fixes-and-custom-fix-databases.md",
"redirect_url": "/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/managing-application-compatibility-fixes-and-custom-fix-databases",
"redirect_document_id": false
},
{
@ -11317,12 +11317,12 @@
},
{
"source_path": "windows/plan/searching-for-fixed-applications-in-compatibility-administrator.md",
"redirect_url": "/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/searching-for-fixed-applications-in-compatibility-administrator",
"redirect_document_id": false
},
{
"source_path": "windows/plan/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md",
"redirect_url": "/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator",
"redirect_document_id": false
},
{
@ -11367,7 +11367,7 @@
},
{
"source_path": "windows/plan/showing-messages-generated-by-the-sua-tool.md",
"redirect_url": "/windows/deployment/planning/showing-messages-generated-by-the-sua-tool",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/showing-messages-generated-by-the-sua-tool",
"redirect_document_id": false
},
{
@ -11382,12 +11382,12 @@
},
{
"source_path": "windows/plan/sua-users-guide.md",
"redirect_url": "/windows/deployment/planning/sua-users-guide",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/sua-users-guide",
"redirect_document_id": false
},
{
"source_path": "windows/plan/tabs-on-the-sua-tool-interface.md",
"redirect_url": "/windows/deployment/planning/tabs-on-the-sua-tool-interface",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/tabs-on-the-sua-tool-interface",
"redirect_document_id": false
},
{
@ -11402,7 +11402,7 @@
},
{
"source_path": "windows/plan/testing-your-application-mitigation-packages.md",
"redirect_url": "/windows/deployment/planning/testing-your-application-mitigation-packages",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/testing-your-application-mitigation-packages",
"redirect_document_id": false
},
{
@ -11427,7 +11427,7 @@
},
{
"source_path": "windows/plan/understanding-and-using-compatibility-fixes.md",
"redirect_url": "/windows/deployment/planning/understanding-and-using-compatibility-fixes",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/understanding-and-using-compatibility-fixes",
"redirect_document_id": false
},
{
@ -11442,27 +11442,27 @@
},
{
"source_path": "windows/plan/using-the-compatibility-administrator-tool.md",
"redirect_url": "/windows/deployment/planning/using-the-compatibility-administrator-tool",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/using-the-compatibility-administrator-tool",
"redirect_document_id": false
},
{
"source_path": "windows/plan/using-the-sdbinstexe-command-line-tool.md",
"redirect_url": "/windows/deployment/planning/using-the-sdbinstexe-command-line-tool",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/using-the-sdbinstexe-command-line-tool",
"redirect_document_id": false
},
{
"source_path": "windows/plan/using-the-sua-tool.md",
"redirect_url": "/windows/deployment/planning/using-the-sua-tool",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/using-the-sua-tool",
"redirect_document_id": false
},
{
"source_path": "windows/plan/using-the-sua-wizard.md",
"redirect_url": "/windows/deployment/planning/using-the-sua-wizard",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/using-the-sua-wizard",
"redirect_document_id": false
},
{
"source_path": "windows/plan/viewing-the-events-screen-in-compatibility-administrator.md",
"redirect_url": "/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/viewing-the-events-screen-in-compatibility-administrator",
"redirect_document_id": false
},
{
@ -12377,22 +12377,22 @@
},
{
"source_path": "windows/threat-protection/windows-information-protection/app-behavior-with-wip.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/app-behavior-with-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/app-behavior-with-wip",
"redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/collect-wip-audit-event-logs",
"redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate",
"redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure",
"redirect_document_id": false
},
{
@ -12402,7 +12402,7 @@
},
{
"source_path": "windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure",
"redirect_document_id": false
},
{
@ -12417,12 +12417,12 @@
},
{
"source_path": "windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr",
"redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure",
"redirect_document_id": false
},
{
@ -12432,57 +12432,57 @@
},
{
"source_path": "windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip",
"redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/guidance-and-best-practices-wip",
"redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-information-protection/limitations-with-wip.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/limitations-with-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/limitations-with-wip",
"redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/mandatory-settings-for-wip",
"redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-information-protection/overview-create-wip-policy-sccm.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr",
"redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-information-protection/overview-create-wip-policy.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/overview-create-wip-policy",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/overview-create-wip-policy",
"redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip",
"redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip",
"redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/testing-scenarios-for-wip",
"redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-information-protection/using-owa-with-wip.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/using-owa-with-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/using-owa-with-wip",
"redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/wip-app-enterprise-context",
"redirect_document_id": false
},
{
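Review bot: Four rewritten targets in this file change the page slug as well as the path prefix, and nothing visible in the diff confirms that the renamed pages exist. The `windows/keep-secure/create-edp-policy-using-sccm.md`, `windows/keep-secure/create-wip-policy-using-sccm.md` and `windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md` sources now point at `.../create-wip-policy-using-configmgr`, and `overview-create-wip-policy-sccm.md` points at `.../overview-create-wip-policy-configmgr`. Every other entry keeps its slug and only swaps the prefix for `/previous-versions/windows/it-pro/windows-10/...`. The previous-versions docset appears to live outside this repository, so these two slugs should be checked against the published archive before merge. A wrong slug would turn existing links to the WIP policy guidance into 404s instead of landing on the archived page.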


@ -127,7 +127,7 @@
},
{
"source_path": "windows/deployment/planning/act-technical-reference.md",
"redirect_url": "/windows/deployment/planning/compatibility-administrator-users-guide",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/compatibility-administrator-users-guide",
"redirect_document_id": false
},
{
@ -1370,6 +1370,126 @@
"redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/available-data-types-and-operators-in-compatibility-administrator",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/compatibility-administrator-users-guide.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/compatibility-administrator-users-guide",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/compatibility-fix-database-management-strategies-and-deployment",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/creating-a-custom-compatibility-fix-in-compatibility-administrator",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/creating-a-custom-compatibility-mode-in-compatibility-administrator",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/creating-an-apphelp-message-in-compatibility-administrator",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/managing-application-compatibility-fixes-and-custom-fix-databases",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/searching-for-fixed-applications-in-compatibility-administrator",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/testing-your-application-mitigation-packages.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/testing-your-application-mitigation-packages",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/understanding-and-using-compatibility-fixes.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/understanding-and-using-compatibility-fixes",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/using-the-compatibility-administrator-tool.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/using-the-compatibility-administrator-tool",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/using-the-sdbinstexe-command-line-tool",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/viewing-the-events-screen-in-compatibility-administrator",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/compatibility-fixes-for-windows-8-windows-7-and-windows-vista",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/applying-filters-to-data-in-the-sua-tool",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/fixing-applications-by-using-the-sua-tool",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/showing-messages-generated-by-the-sua-tool",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/sua-users-guide.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/sua-users-guide",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/tabs-on-the-sua-tool-interface.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/tabs-on-the-sua-tool-interface",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/using-the-sua-tool.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/using-the-sua-tool",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/planning/using-the-sua-wizard.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/compatibility/using-the-sua-wizard",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-10-pro-in-s-mode.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/s-mode/switch-edition-from-s-mode",


@ -852,27 +852,27 @@
},
{
"source_path": "windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/guidance-and-best-practices-wip",
"redirect_document_id": false
},
{
@ -9185,6 +9185,106 @@
"redirect_url": "/windows/security/identity-protection/hello-for-business/dual-enrollment",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/app-behavior-with-wip",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/collect-wip-audit-event-logs",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/guidance-and-best-practices-wip",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/how-to-disable-wip.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/how-to-disable-wip",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/limitations-with-wip.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/limitations-with-wip",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/mandatory-settings-for-wip",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/overview-create-wip-policy",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/testing-scenarios-for-wip",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/using-owa-with-wip.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/using-owa-with-wip",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/wip-app-enterprise-context",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/wip-learning.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/wip-learning",
"redirect_document_id": false
},
{
"source_path": "windows/security/application-security/application-control/windows-defender-application-control/deployment/LOB-win32-apps-on-s.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/s-mode/wdac-allow-lob-win32-apps",
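Review bot: The 20 entries added in the second hunk make the pages under `windows/security/information-protection/windows-information-protection/` redirect sources, so any older entry whose `redirect_url` still targets that folder would now resolve in two hops instead of one. The first hunk retargets five such entries (for example `create-wip-policy-using-intune.md`) straight to `/previous-versions/...`, which avoids the chain for those. Only the lines inside these two hunks are visible here, so entries elsewhere in the file may still point at the old `/windows/security/information-protection/windows-information-protection/` prefix. Searching the redirection files for that prefix in `redirect_url` values before merging would confirm none are left.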


@ -42,7 +42,7 @@
},
{
"source_path":"windows/whats-new/edp-whats-new-overview.md",
"redirect_url":"/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip",
"redirect_document_id":false
},
{


@ -9,7 +9,7 @@ ms.date: 07/08/2024
Windows Information Protection (WIP) is a lightweight solution for managing company data access and security on personal devices. WIP support is built into Windows.
[!INCLUDE [Deprecate Windows Information Protection](../security/information-protection/windows-information-protection/includes/wip-deprecation.md)]
[!INCLUDE [Deprecate Windows Information Protection](mdm/includes/wip-deprecation.md)]
## Integration with Microsoft Entra ID
@ -23,7 +23,7 @@ Regular non administrator users can enroll to MAM.
## Understand Windows Information Protection
WIP takes advantage of [built-in policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, WPJ limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.
WIP takes advantage of [built-in policies](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, WPJ limits enforcement of WIP policies to [enlightened apps](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.
To make applications WIP-aware, app developers need to include the following data in the app resource file.


@ -1,12 +1,13 @@
---
title: EnterpriseDataProtection CSP
description: Learn how the EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings.
ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3
ms.date: 08/09/2017
---
# EnterpriseDataProtection CSP
[!INCLUDE [wip-deprecation](includes/wip-deprecation.md)]
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
@ -18,12 +19,7 @@ The table below shows the applicability of Windows:
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip).
> [!NOTE]
> Starting in July 2022, Microsoft is deprecating Windows Information Protection (WIP) and the APIs that support WIP. Microsoft will continue to support WIP on supported versions of Windows. New versions of Windows won't include new capabilities for WIP, and it won't be supported in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/announcing-the-sunset-of-windows-information-protection-wip/ba-p/3579282).
>
> For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). Purview simplifies the configuration set-up and provides an advanced set of capabilities.
The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip).
> [!NOTE]
> To make Windows Information Protection functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
@ -32,8 +28,8 @@ While Windows Information Protection has no hard dependency on VPN, for best res
To learn more about Windows Information Protection, see the following articles:
- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
- [Create a Windows Information Protection (WIP) policy](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/overview-create-wip-policy)
- [General guidance and best practices for Windows Information Protection (WIP)](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
The following example shows the EnterpriseDataProtection CSP in tree format.
@ -52,13 +48,16 @@ EnterpriseDataProtection
----Status
```
<a href="" id="--device-vendor-msft-enterprisedataprotection"></a>**./Device/Vendor/MSFT/EnterpriseDataProtection**
## <a href="" id="--device-vendor-msft-enterprisedataprotection"></a> `./Device/Vendor/MSFT/EnterpriseDataProtection`
The root node for the CSP.
<a href="" id="settings"></a>**Settings**
### <a href="" id="settings"></a> Settings
The root node for the Windows Information Protection (WIP) configuration settings.
<a href="" id="settings-edpenforcementlevel"></a>**Settings/EDPEnforcementLevel**
#### <a href="" id="settings-edpenforcementlevel"></a> Settings/EDPEnforcementLevel
Set the WIP enforcement level.
> [!NOTE]
@ -66,15 +65,16 @@ Set the WIP enforcement level.
The following list shows the supported values:
- 0 (default) Off / No protection (decrypts previously protected data).
- 1 Silent mode (encrypt and audit only).
- 2 Allow override mode (encrypt, prompt and allow overrides, and audit).
- 3 Hides overrides (encrypt, prompt but hide overrides, and audit).
- 0 (default) - Off / No protection (decrypts previously protected data).
- 1 - Silent mode (encrypt and audit only).
- 2 - Allow override mode (encrypt, prompt and allow overrides, and audit).
- 3 - Hides overrides (encrypt, prompt but hide overrides, and audit).
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-enterpriseprotecteddomainnames"></a>**Settings/EnterpriseProtectedDomainNames**
A list of domains used by the enterprise for its user identities separated by pipes (&quot;|&quot;). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for Windows Information Protection. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
#### <a href="" id="settings-enterpriseprotecteddomainnames"></a> Settings/EnterpriseProtectedDomainNames
A list of domains used by the enterprise for its user identities separated by pipes (`|`). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for Windows Information Protection. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
Changing the primary enterprise ID isn't supported and may cause unexpected behavior on the client.
@ -89,7 +89,8 @@ Here are the steps to create canonical domain names:
Supported operations are Add, Get, Replace, and Delete. Value type is string.
<a href="" id="settings-allowuserdecryption"></a>**Settings/AllowUserDecryption**
#### <a href="" id="settings-allowuserdecryption"></a> Settings/AllowUserDecryption
Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user won't be able to remove protection from enterprise content through the operating system or the application user experiences.
> [!IMPORTANT]
@ -97,17 +98,18 @@ Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the us
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
- 0 - Not allowed.
- 1 (default) - Allowed.
Most restricted value is 0.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-datarecoverycertificate"></a>**Settings/DataRecoveryCertificate**
#### <a href="" id="settings-datarecoverycertificate"></a> Settings/DataRecoveryCertificate
Specifies a recovery certificate that can be used for data recovery of encrypted files. This certificate is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy.
> [!Note]
> [!NOTE]
> If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced.
DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP.
@ -115,37 +117,37 @@ The binary blob is the serialized version of following structure:
```cpp
//
//  Recovery Policy Data Structures
// Recovery Policy Data Structures
//
typedef struct _RECOVERY_POLICY_HEADER {
USHORT      MajorRevision;
USHORT      MinorRevision;
ULONG       RecoveryKeyCount;
USHORT MajorRevision;
USHORT MinorRevision;
ULONG RecoveryKeyCount;
} RECOVERY_POLICY_HEADER, *PRECOVERY_POLICY_HEADER;
typedef struct _RECOVERY_POLICY_1_1    {
RECOVERY_POLICY_HEADER  RecoveryPolicyHeader;
RECOVERY_KEY_1_1        RecoveryKeyList[1];
}   RECOVERY_POLICY_1_1, *PRECOVERY_POLICY_1_1;
typedef struct _RECOVERY_POLICY_1_1 {
RECOVERY_POLICY_HEADER RecoveryPolicyHeader;
RECOVERY_KEY_1_1 RecoveryKeyList[1];
} RECOVERY_POLICY_1_1, *PRECOVERY_POLICY_1_1;
#define EFS_RECOVERY_POLICY_MAJOR_REVISION_1   (1)
#define EFS_RECOVERY_POLICY_MINOR_REVISION_0   (0)
#define EFS_RECOVERY_POLICY_MAJOR_REVISION_1 (1)
#define EFS_RECOVERY_POLICY_MINOR_REVISION_0 (0)
#define EFS_RECOVERY_POLICY_MINOR_REVISION_1   (1)
#define EFS_RECOVERY_POLICY_MINOR_REVISION_1 (1)
///////////////////////////////////////////////////////////////////////////////
//                                                                            /
//  RECOVERY_KEY Data Structure                                               /
//                                                                            /
// /
// RECOVERY_KEY Data Structure /
// /
///////////////////////////////////////////////////////////////////////////////
//
// Current format of recovery data.
//
typedef struct _RECOVERY_KEY_1_1   {
ULONG               TotalLength;
typedef struct _RECOVERY_KEY_1_1 {
ULONG TotalLength;
EFS_PUBLIC_KEY_INFO PublicKeyInfo;
} RECOVERY_KEY_1_1, *PRECOVERY_KEY_1_1;
@ -180,7 +182,7 @@ typedef struct _EFS_PUBLIC_KEY_INFO {
//
// The following fields contain offsets based at the
// beginning of the structure.  Each offset is to
// beginning of the structure. Each offset is to
// a NULL terminated WCHAR string.
//
@ -205,16 +207,16 @@ typedef struct _EFS_PUBLIC_KEY_INFO {
struct {
ULONG CertificateLength;       // in bytes
ULONG Certificate;             // offset from start of structure
ULONG CertificateLength; // in bytes
ULONG Certificate; // offset from start of structure
} CertificateInfo;
struct {
ULONG ThumbprintLength;        // in bytes
ULONG CertHashData;            // offset from start of structure
ULONG ThumbprintLength; // in bytes
ULONG CertHashData; // offset from start of structure
} CertificateThumbprint;
};
@ -238,17 +240,19 @@ For EFSCertificate KeyTag, it's expected to be a DER ENCODED binary certificate.
Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate.
<a href="" id="settings-revokeonunenroll"></a>**Settings/RevokeOnUnenroll**
#### <a href="" id="settings-revokeonunenroll"></a> Settings/RevokeOnUnenroll
This policy controls whether to revoke the Windows Information Protection keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1.
The following list shows the supported values:
- 0 Don't revoke keys.
- 1 (default) Revoke keys.
- 0 - Don't revoke keys.
- 1 (default) - Revoke keys.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-revokeonmdmhandoff"></a>**Settings/RevokeOnMDMHandoff**
#### <a href="" id="settings-revokeonmdmhandoff"></a> Settings/RevokeOnMDMHandoff
Added in Windows 10, version 1703. This policy controls whether to revoke the Windows Information Protection keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
- 0 - Don't revoke keys.
@ -256,25 +260,29 @@ Added in Windows 10, version 1703. This policy controls whether to revoke the Wi
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-rmstemplateidforedp"></a>**Settings/RMSTemplateIDForEDP**
#### <a href="" id="settings-rmstemplateidforedp"></a> Settings/RMSTemplateIDForEDP
TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access.
Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID).
<a href="" id="settings-allowazurermsforedp"></a>**Settings/AllowAzureRMSForEDP**
#### <a href="" id="settings-allowazurermsforedp"></a> Settings/AllowAzureRMSForEDP
Specifies whether to allow Azure RMS encryption for Windows Information Protection.
- 0 (default) Don't use RMS.
- 1 Use RMS.
- 0 (default) - Don't use RMS.
- 1 - Use RMS.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-smbautoencryptedfileextensions"></a>**Settings/SMBAutoEncryptedFileExtensions**
#### <a href="" id="settings-smbautoencryptedfileextensions"></a> Settings/SMBAutoEncryptedFileExtensions
Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-csp-networkisolation.md) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-csp-networkisolation.md). Use semicolon (;) delimiter in the list.
When this policy isn't specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.
Supported operations are Add, Get, Replace and Delete. Value type is string.
<a href="" id="settings-edpshowicons"></a>**Settings/EDPShowIcons**
#### <a href="" id="settings-edpshowicons"></a> Settings/EDPShowIcons
Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the Windows Information Protection icon in the title bar of a WIP-protected app.
The following list shows the supported values:
@ -283,7 +291,8 @@ The following list shows the supported values:
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="status"></a>**Status**
### <a href="" id="status"></a> Status
A read-only bit mask that indicates the current state of Windows Information Protection on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
Suggested values:
@ -310,8 +319,8 @@ Bits 2 and 4 are reserved for future use.
Supported operation is Get. Value type is integer.
## Related topics
## Related articles
[Configuration service provider reference](index.yml)
[Protect your enterprise data using Windows Information Protection (WIP)](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip)


@ -1,3 +1,4 @@
items:
- name: Deploy and update Windows client
href: index.yml
items:
@ -490,62 +491,6 @@
- name: USMT Resources
href: usmt/usmt-resources.md
- name: Application Compatibility Toolkit (ACT) Technical Reference
items:
- name: SUA User's Guide
items:
- name: Overview
href: planning/sua-users-guide.md
- name: Use the SUA Wizard
href: planning/using-the-sua-wizard.md
- name: Use the SUA Tool
href: planning/using-the-sua-tool.md
- name: Tabs on the SUA Tool Interface
href: planning/tabs-on-the-sua-tool-interface.md
- name: Show Messages Generated by the SUA Tool
href: planning/showing-messages-generated-by-the-sua-tool.md
- name: Apply Filters to Data in the SUA Tool
href: planning/applying-filters-to-data-in-the-sua-tool.md
- name: Fix apps using the SUA Tool
href: planning/fixing-applications-by-using-the-sua-tool.md
- name: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista
href: planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
- name: Compatibility Administrator User's Guide
items:
- name: Overview
href: planning/compatibility-administrator-users-guide.md
- name: Use the Compatibility Administrator Tool
href: planning/using-the-compatibility-administrator-tool.md
- name: Available Data Types and Operators in Compatibility Administrator
href: planning/available-data-types-and-operators-in-compatibility-administrator.md
- name: Search for Fixed Applications in Compatibility Administrator
href: planning/searching-for-fixed-applications-in-compatibility-administrator.md
- name: Search for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator
href: planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
- name: Create a Custom Compatibility Fix in Compatibility Administrator
href: planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
- name: Create a Custom Compatibility Mode in Compatibility Administrator
href: planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
- name: Create an AppHelp Message in Compatibility Administrator
href: planning/creating-an-apphelp-message-in-compatibility-administrator.md
- name: View the Events Screen in Compatibility Administrator
href: planning/viewing-the-events-screen-in-compatibility-administrator.md
- name: Enable and Disable Compatibility Fixes in Compatibility Administrator
href: planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
- name: Install and Uninstall Custom Compatibility Databases in Compatibility Administrator
href: planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
- name: Manage Application-Compatibility Fixes and Custom Fix Databases
items:
- name: Overview
href: planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
- name: Understand and Use Compatibility Fixes
href: planning/understanding-and-using-compatibility-fixes.md
- name: Compatibility Fix Database Management Strategies and Deployment
href: planning/compatibility-fix-database-management-strategies-and-deployment.md
- name: Test Your Application Mitigation Packages
href: planning/testing-your-application-mitigation-packages.md
- name: Use the Sdbinst.exe Command-Line Tool
href: planning/using-the-sdbinstexe-command-line-tool.md
- name: Add fonts in Windows
href: windows-missing-fonts.md
- name: Customize Windows PE boot images


@ -7,7 +7,7 @@ author: frankroj
manager: aaroncz
ms.author: frankroj
ms.topic: conceptual
ms.date: 05/09/2024
ms.date: 08/16/2024
ms.subservice: itpro-deploy
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@ -25,6 +25,10 @@ The Windows PE (WinPE) boot images that are included with the Windows ADK have a
Microsoft recommends updating Windows PE boot images with the latest cumulative update for maximum security and protection. The latest cumulative updates may also resolve known issues. For example, the Windows PE boot image can be updated with the latest cumulative update to address the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932).
> [!TIP]
>
> The boot images from the [ADK 10.1.26100.1 (May 2024)](/windows-hardware/get-started/adk-install) and later already contain the cumulative update to address the BlackLotus UEFI bootkit vulnerability.
This walkthrough describes how to customize a Windows PE boot image including updating with the latest cumulative update, adding drivers, and adding optional components. Additionally this walkthrough goes over how customizations in boot images affect several different popular products that utilize boot images, such as Microsoft Configuration Manager, Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS).
## Prerequisites
@ -78,6 +82,10 @@ This walkthrough describes how to customize a Windows PE boot image including up
1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"<year>-<month> cumulative update for windows <x>"` where `year` is the four-digit current year, `<month>` is the two-digit current month, and `<x>` is the version of Windows that Windows PE is based on. Make sure to include the quotes (`"`). For example, to search for the latest cumulative update for Windows 11 in August 2023, use the search term `"2023-08 cumulative update for Windows 11"`, again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search for the previous month.
> [!TIP]
>
> The boot images in the **ADK 10.1.25398.1 (September 2023)** are based off **Microsoft server operating system, version 22H2 for x64-based Systems**. Make sure to update the search term appropriately.
1. Once the cumulative update has been found, download the appropriate version for the version and architecture of Windows that matches the Windows PE boot image. For example, if the version of the Windows PE boot image is Windows 11 22H2 64-bit, then download the **Cumulative Update for Windows 11 Version 22H2 for x64-based Systems** version of the update.
1. Store the downloaded cumulative update in a known location for later use, for example `C:\Updates`.
@ -662,6 +670,10 @@ This step doesn't update or change the boot image. However, it makes sure that t
In particular, this step is needed when addressing the BlackLotus UEFI bootkit vulnerability as documented in [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://prod.support.services.microsoft.com/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d) and [CVE-2023-24932](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932).
> [!TIP]
>
> The boot images from the [ADK 10.1.26100.1 (May 2024)](/windows-hardware/get-started/adk-install) and later already contain the cumulative update to address the BlackLotus UEFI bootkit vulnerability.
> [!NOTE]
>
> **Microsoft Configuration Manager** and **Windows Deployment Services (WDS)** automatically extract the bootmgr boot files from the boot images when the boot images are updated in these products. They don't use the bootmgr boot files from the Windows ADK.
@ -902,7 +914,7 @@ For more information, see [Modify a Windows image using DISM: Unmounting an imag
## Step 13: Update boot image in products that utilize it (if applicable)
After the default `winpe.wim` boot image from the Windows ADK has been updated, additional steps usually need to take place in the product(s) that utilize the boot image. The following links contain information on how to update the boot image for several popular products that utilize boot images:
After the default `winpe.wim` boot image from the Windows ADK has been updated, additional steps usually need to take place in the products that utilize the boot image. The following links contain information on how to update the boot image for several popular products that utilize boot images:
- [Microsoft Configuration Manager](#updating-the-boot-image-in-configuration-manager)
- [Microsoft Deployment Toolkit (MDT)](#updating-the-boot-image-and-boot-media-in-mdt)
@ -1112,10 +1124,10 @@ For more information, see [wdsutil stop-server](/windows-server/administration/w
In the following boot image replacement scenario for WDS:
- The boot image modified as part of this guide is outside of the `<RemoteInstall>` folder. For example, the `winpe.wim` boot image that comes with the Windows ADK
- An existing boot image in WDS is being replaced with the updated boot image
- The boot image modified as part of this guide is outside of the `<RemoteInstall>` folder. For example, the `winpe.wim` boot image that comes with the Windows ADK.
- An existing boot image in WDS is being replaced with the updated boot image.
then follow these steps to update the boot image in WDS:
Follow these steps to update the boot image in WDS:
1. Replace the existing boot image in WDS with the modified boot image using the following command lines:
@ -1194,7 +1206,7 @@ In the following boot image scenario for WDS:
- The boot image modified as part of this guide is outside of the `<RemoteInstall>` folder. For example, the `winpe.wim` boot image that comes with the Windows ADK
- The updated boot image is being added as a new boot image in WDS
then follow these steps to add the boot image in WDS:
Follow these steps to add the boot image in WDS:
1. Add the updated boot image to WDS using the following command lines:


@ -1,44 +0,0 @@
---
title: Applying Filters to Data in the SUA Tool (Windows 10)
description: Learn how to apply filters to results from the Standard User Analyzer (SUA) tool while testing your application.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# Applying Filters to Data in the SUA Tool
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
On the user interface for the Standard User Analyzer (SUA) tool, you can apply filters to the issues that the tool has found so that you can view only the information that interests you.
**To apply filters to data in the SUA tool**
1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md).
2. After you finish testing, in the SUA tool, click a tab that shows issues that the SUA tool has found. All tabs except the **App Info** tab can show issues.
3. On the **Options** menu, click a command that corresponds to the filter that you want to apply. The following table describes the commands.
|Options menu command|Description|
|--- |--- |
|**Filter Noise**|Filters noise from the issues.<p>This command is selected by default.|
|**Load Noise Filter File**|Opens the **Open Noise Filter File** dialog box, in which you can load an existing noise filter (.xml) file.|
|**Export Noise Filter File**|Opens the **Save Noise Filter File** dialog box, in which you can save filter settings as a noise filter (.xml) file.|
|**Only Display Records with Application Name in StackTrace**|Filters out records that do not have the application name in the stack trace. <p>However, because the SUA tool captures only the first 32 stack frames, this command can also filter out real issues with the application where the call stack is deeper than 32 frames.|
|**Show More Details in StackTrace**|Shows additional stack frames that are related to the SUA tool, but not related to the diagnosed application.|
|**Warn Before Deleting AppVerifier Logs**|Displays a warning message before the SUA tool deletes all of the existing SUA-related log files on the computer.<p>This command is selected by default.|
|**Logging**|Provides the following logging-related options:<ul><li>Show or hide log errors.<li>Show or hide log warnings.<li>Show or hide log information.</ul><p>To maintain a manageable file size, we recommend that you do not select the option to show informational messages.|


@ -1,76 +0,0 @@
---
title: Available Data Types and Operators in Compatibility Administrator (Windows 10)
description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# Available Data Types and Operators in Compatibility Administrator
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The Compatibility Administrator tool provides a way to query your custom-compatibility databases.
## Available Data Types
Customized-compatibility databases in Compatibility Administrator contain the following data types.
- **Integer**. A numerical value with no fractional part. All integers are unsigned because none of the attributes can have a negative value.
- **String**. A series of alphanumeric characters manipulated as a group.
- **Boolean**. A value of True or False.
## Available Attributes
The following table shows the attributes you can use for querying your customized-compatibility databases in Compatibility Administrator.
|Attribute|Description|Data type|
|--- |--- |--- |
|APP_NAME|Name of the application.|String|
|DATABASE_GUID|Unique ID for your compatibility database.|String|
|DATABASE_INSTALLED|Specifies if you have installed the database.|Boolean|
|DATABASE_NAME|Descriptive name of your database.|String|
|DATABASE_PATH|Location of the database on your computer.|String|
|FIX_COUNT|Number of compatibility fixes applied to a specific application.|Integer|
|FIX_NAME|Name of your compatibility fix.|String|
|MATCH_COUNT|Number of matching files for a specific, fixed application.|Integer|
|MATCHFILE_NAME|Name of a matching file used to identify a specific, fixed application.|String|
|MODE_COUNT|Number of compatibility modes applied to a specific, fixed application.|Integer|
|MODE_NAME|Name of your compatibility mode.|String|
|PROGRAM_APPHELPTYPE|Type of AppHelp message applied to an entry. The value can be 1 or 2, where 1 enables the program to run and 2 blocks the program.|Integer|
|PROGRAM_DISABLED|Specifies if you disabled the compatibility fix for an application. If True, Compatibility Administrator does not apply the fixes to the application.|Boolean|
|PROGRAM_GUID|Unique ID for an application.|String|
|PROGRAM_NAME|Name of the application that you are fixing.|String|
## Available Operators
The following table shows the operators that you can use for querying your customized-compatibility databases in the Compatibility Administrator.
|Symbol|Description|Data type|Precedence|
|--- |--- |--- |--- |
|>|Greater than|Integer or string|1|
|>=|Greater than or equal to|Integer or string|1|
|<|Less than|Integer or string|1|
|<=|Less than or equal to|Integer or string|1|
|<>|Not equal to|Integer or string|1|
|=|Equal to|Integer, string, or Boolean|1|
|HAS|A special SQL operator used to check if the left-hand operand contains a substring specified by the right-hand operand.|Left-hand operand. MATCHFILE_NAME, MODE_NAME, FIX_NAME<div class="alert">Note: Only the HAS operator can be applied to the MATCHFILE_NAME, MODE_NAME, and FIX_NAME attributes.</div><br/>Right-hand operand. String|1|
|OR|Logical OR operator|Boolean|2|
|AND|Logical AND operator|Boolean|2|
## Related topics
[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)


@ -1,45 +0,0 @@
---
title: Compatibility Administrator User's Guide (Windows 10)
manager: aaroncz
ms.author: frankroj
description: The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows.
ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
# Compatibility Administrator User's Guide
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. Compatibility Administrator provides:
- Compatibility fixes, compatibility modes, and AppHelp messages that you can use to resolve specific compatibility issues.
- Tools for creating customized compatibility fixes, compatibility modes, AppHelp messages, and compatibility databases.
- A query tool that you can use to search for installed compatibility fixes on your local computers.
The following flowchart shows the steps for using the Compatibility Administrator tool to create your compatibility fixes, compatibility modes, and AppHelp messages.
![act compatibility admin flowchart.](images/dep-win8-l-act-compatadminflowchart.jpg)
> [!IMPORTANT]
> Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create and work with custom databases for 32-bit applications, and the 64-bit version to create and work with custom databases for 64-bit applications.
## In this section
|Topic|Description|
|--- |--- |
|[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)|This section provides information about using the Compatibility Administrator tool.|
|[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)|This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases.|
|[Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)|Ensure that you deploy your customized database (.Sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including, by using a logon script, by using Group Policy, or by performing file copy operations.|


@ -1,163 +0,0 @@
---
title: Compatibility Fix Database Management Strategies and Deployment (Windows 10)
manager: aaroncz
ms.author: frankroj
description: Learn how to deploy your compatibility fixes into an application-installation package or through a centralized compatibility-fix database.
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# Compatibility Fix Database Management Strategies and Deployment
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
To use fixes in application-compatibility mitigation strategy, define a strategy to manage your custom compatibility-fix database. Typically, you can use one of the two following approaches:
- Deploying your compatibility fixes as part of an application-installation package.
- Deploying your compatibility fixes through a centralized compatibility-fix database.
Microsoft provides general recommends the following remedies for improving the management of your custom compatibility-fix databases.
> [!NOTE]
> These recommendations are not based on irrespective of the approach you decide to use. The following are the general recommendations.
- **Define standards for when you will apply compatibility fixes**
Ensure that the standards and scenarios for using compatibility fixes are defined, based on your specific business and technology needs.
- **Define standards for your custom compatibility-fix databases**
Compatibility fixes must include a version check, so that mapping to particular applications becomes easy. Ensure that your compatibility fixes always, so that the fix won't be applied to newer versions of your applications.
- **Define your resources responsible for addressing questions and enforcing your standards**
Ensure you determine who will be responsible for staying current with the technology and standards that are related to your compatibility fixes and custom compatibility-fix databases. As your databases are managed over time, ensure that someone in your organization stays current with the relevant technology.
## Strategies for Deploying Your Compatibility Fixes
We recommend the usage of one of the two strategies to deploy your compatibility fixes into your organization. They are:
- Deploying your compatibility fixes as part of an application-installation package.
- Deploying your compatibility fixes through a centralized compatibility-fix database.
Determine which method best meets your organization's deployment needs.
### Deploying Fixes as Part of an Application-Installation Package
One strategy to deploy compatibility fixes is to create a custom compatibility-fix database that contains a single entry that is applied directly to the application-installation package. While this method is the most straightforward one for deployment, it has been shown that this method can become overly complex, especially if you are fixing a large number of applications.
If the following considerations apply to your organization, you should avoid this strategy and instead consider using a centralized compatibility-fix database, as described in the next section.
- **How many applications require compatibility fixes?**
Custom compatibility-fix databases are actual databases. Therefore, if you have 1000 applications to be fixed, it will take longer to open and query 1000 single-row databases for a match, instead of a single database with 1000 rows.
- **Will you be able to track which applications are installed on which computer?**
You might determine that your initial set of compatibility fixes isn't comprehensive, and that you must deploy an updated version of the compatibility-fix database to resolve the other issues. If you deployed the initial set by using the application-installation package, you'll be required to locate each client computer that is running the application and replace the compatibility fix.
### Deploying Fixes Through a Centralized Compatibility-Fix Database
The other recommended strategy for deploying compatibility fixes into your organization is to create and manage either a single custom compatibility-fix database, or else to create and manage several custom databases for large subsets of your organization. This strategy will help to enforce your company policy and to provide consistent updates for application fixes that you discover later.
This approach tends to work best for organizations that have a well-developed deployment infrastructure in place, with centralized ownership of the process. We recommend that you consider the following before using this approach:
- Does your organization have the tools required to deploy and update a compatibility-fix database for all of the affected computers?
If you intend to manage a centralized compatibility-fix database, you must verify that your organization has the required tools to deploy and update all of the affected computers in your organization.
- Do you have centralized resources that can manage and update the centralized compatibility-fix database?
Ensure that you've identified the appropriate owners for the deployment process, for the applications, and for the database updates, in addition to determining the process by which compatibility issues can be deployed to specific computers.
### Merging Centralized Compatibility-Fix Databases
If you decide to use the centralized compatibility-fix database deployment strategy, you can merge any of your individual compatibility-fix databases. This provision enables you to create a single custom compatibility-fix database that can be used to search for and determine whether Windows&reg; should apply a fix to a specific executable (.exe) file. We recommend merging your databases based on the following process.
**To merge your custom-compatibility databases**
1. Verify that your application-compatibility testers are performing their tests on computers with the latest version of your compatibility-fix database. For example, Custom DB1.
2. If the tester determines that an application requires an extra compatibility fix that isn't a part of the original compatibility-fix database, the tester must create a new custom compatibility database with all of the required information for that single fix, for example, Custom DB2.
3. The tester applies the new Custom DB2 information to the application and then tests for both the functionality and integration, to ensure that the compatibility issues are addressed.
4. After the application passes all of the required functionality and integration tests, the tester can send Custom DB2 to the team that manages the central compatibility-fix database.
5. The team that manages the centralized database opens Custom DB1 and uses the Compatibility Administrator to include the new compatibility fixes that were included in Custom DB2.
> [!NOTE]
> Custom DB1 contains a unique GUID that makes updating the database easier. For example, if you install a new version of the custom compatibility-fix database that uses the same GUID as the previous version, the computer will automatically uninstall the old version.
6. The centralized management team then redeploys the new version of Custom DB1 to all of the end users in your organization.
### Deploying Your Custom Compatibility-Fix Databases
Deploying your custom compatibility-fix database into your organization requires you to perform the following actions:
1. Store your custom compatibility-fix database (.sib file) in a location that is accessible to all of your organization's computers.
2. Use the Sdbinst.exe command-line tool to install the custom compatibility-fix database locally.
In order to meet the two requirements above, we recommend that you use one of the following two methods:
- **Using a Windows Installer package and a custom script**
You can package your .sib file and a custom deployment script into a file with the .msi extension, and then deploy the .msi file into your organization.
> [!IMPORTANT]
> Ensure that you mark your custom script so that it does not impersonate the calling user. For example, if you use Microsoft&reg; Visual Basic&reg; Scripting Edition (VBScript), the custom action type would be:
>`msidbCustomActionTypeVBScript + msidbCustomActionTypeInScript + msidbCustomActionTypeNoImpersonate = 0x0006 + 0x0400 + 0x0800 = 0x0C06 = 3078 decimal)`
- **Using a network share and a custom script**
You can store the .sib file on your network share, and then call to a script available on your specified computers.
> [!IMPORTANT]
> Ensure that you call the script at a time when it can receive elevated rights. For example, you should call the script by using computer startup scripts instead of a user logon script. You must also ensure that the installation of the custom compatibility-fix database occurs with Administrator rights.
### Example Script for installation of .sib File based on .msi File
The following examples show an installation of a custom compatibility-fix database based on a .msi file.
```
'InstallSDB.vbs
Function Install
Dim WshShell
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "sdbinst.exe -q " & CHR(34) & "%ProgramFiles%\MyOrganizationSDB\MyOrg.sdb" & CHR(34), 0, true
WshShell.Run "cmd.exe /c " & CHR(34) & "del " & CHR(34) & "%ProgramFiles%\MyOrganizationSDB\MyOrg.sdb" & CHR(34) & CHR(34), 0
WshShell.Run "reg.exe delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{guidFromMyOrgsSdb}.sdb /f", 0
End Function
Function UnInstall
Dim WshShell
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "sdbinst.exe -q -u -g {guidFromMyOrgsSdb}", 0
End Function
```
### Initial Deployment and Updates
Application-compatibility is tested, from which issues are reported, even before a new Windows operating system is deployed. To handle these issues, include the custom compatibility-fix database, which includes all of your known issues, in your corporate image. Later, update your compatibility-fix database; provide the updates by using one of the two mechanisms that are described in the "Deploying Your Custom Compatibility Fix Databases" section.
## Related articles
[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)


@ -1,162 +0,0 @@
---
title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, & Windows Vista
description: Find released compatibility fixes for all Windows operating systems from Windows Vista through Windows 10.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions.
> [!IMPORTANT]
> The Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator. You must use the 32-bit version for 32-bit applications and the 64-bit version to work for 64-bit applications. You will receive an error message if you try to use the wrong version.
If you start the Compatibility Administrator as an Administrator (with elevated privileges), all repaired applications can run successfully; however, virtualization and redirection might not occur as expected. To verify that a compatibility fix addresses an issue, you must test the repaired application by running it under the destination user account.
## Compatibility Fixes
The following table lists the known released compatibility fixes for all Windows operating systems from Windows Vista through Windows 10. The fixes are listed in alphabetical order.
|Fix|Fix Description|
|--- |--- |
|8And16BitAggregateBlts|8/16-bit mitigation can cause performance issues in applications. This layer aggregates all the blt operations and improves performance.|
|8And16BitDXMaxWinMode|The 8/16-bit mitigation runs applications that use DX8/9 in a maximized windowed mode. This layer mitigates applications that exhibit graphical corruption in full screen mode.|
|8And16BitGDIRedraw|This fix repairs applications that use GDI and that work in 8-bit color mode. The application is forced to repaint its window on RealizePalette.|
|AccelGdipFlush|This fix increases the speed of GdipFlush, which has perf issues in DWM.|
|AoaMp4Converter|This fix resolves a display issue for the AoA Mp4 Converter.|
|BIOSRead|This problem is indicated when an application can't access the **Device\PhysicalMemory** object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.<p>The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the **\Device\Physical** memory information.|
|BlockRunasInteractiveUser|This problem occurs when **InstallShield** creates installers and uninstallers that fail to complete and that generate error messages or warnings.<p>The fix blocks **InstallShield** from setting the value of RunAs registry keys to InteractiveUser Because InteractiveUser no longer has Administrator rights.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the BlockRunAsInteractiveUser Fix](/previous-versions/windows/it-pro/windows-7/dd638336(v=ws.10)).</div>|
|ChangeFolderPathToXPStyle|This fix is required when an application can't return shell folder paths when it uses the **SHGetFolder** API.<p>The fix intercepts the **SHGetFolder**path request to the common **appdata** file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.|
|ClearLastErrorStatusonIntializeCriticalSection|This fix is indicated when an application fails to start.<p>The fix modifies the InitializeCriticalSection function call so that it checks the NTSTATUS error code, and then sets the last error to ERROR_SUCCESS.|
|CopyHKCUSettingsFromOtherUsers|This problem occurs when an application's installer must run in elevated mode and depends on the HKCU settings that are provided for other users.<p>The fix scans the existing user profiles and tries to copy the specified keys into the HKEY_CURRENT_USER registry area.<p>You can control this fix further by entering the relevant registry keys as parameters that are separated by the ^ Symbol; for example: Software\MyCompany\Key1^Software\MyCompany\Key2.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the CopyHKCUSettingsFromOtherUsers Fix](/previous-versions/windows/it-pro/windows-7/dd638375(v=ws.10)).</div>|
|CorrectCreateBrushIndirectHatch|This problem occurs when an access violation error message displays and the application fails when you select or crop an image.<p>The fix corrects the brush style hatch value, which is passed to the CreateBrushIndirect() function and enables the information to be correctly interpreted.|
|CorrectFilePaths|This problem occurs when: <ul><li>An application tries to write files to the hard disk and is denied access.</li><li>An application receives a file not found or path not found error message.</li></ul><p>The fix modifies the file path names to point to a new location on the hard disk.<div class="alert">**Note:** For more detailed information about the CorrectFilePaths application fix, see [Using the CorrectFilePaths Fix](/previous-versions/windows/it-pro/windows-7/cc766201(v=ws.10)). We recommend that you use this fix together with the CorrectFilePathsUninstall fix if you're applying it to a setup installation file.</div>|
|CorrectFilePathsUninstall|This problem occurs when an uninstalled application leaves behind files, directories, and links.<p>The fix corrects the file paths that are used by the uninstallation process of an application.<div class="alert">**Note:** For more detailed information about this fix, see [Using the CorrectFilePathsUninstall Fix](/previous-versions/windows/it-pro/windows-7/dd638414(v=ws.10)). We recommend that you use this fix together with the CorrectFilePaths fix if you're applying it to a setup installation file.</div>|
|CorrectShellExecuteHWND|This problem occurs when you start an executable (.exe) and:<ul><li>A taskbar item blinks instead of an elevation prompt being opened, or when the application doesn't provide a valid HWND value when it calls the ShellExecute(Ex) function.<p>The fix intercepts the ShellExecute(Ex) calls, and then inspects the HWND value. If the value is invalid, this fix enables the call to use the currently active HWND value.<div class="alert">**Note:** For more detailed information about the CorrectShellExecuteHWND application fix, see [Using the CorrectShellExecuteHWND Fix](/previous-versions/windows/it-pro/windows-7/cc722028(v=ws.10)).</div>|
|CustomNCRender|This fix instructs DWM to not render the non-client area forcing the application to do its own NC rendering. This issue often gives windows an XP look.|
|DelayApplyFlag|This fix applies a KERNEL, USER, or PROCESS flag if the specified DLL is loaded.<p>You can control this fix further by typing the following command at the command prompt:<p>`DLL_Name;Flag_Type;Hexidecimal_Value`<br>Where the DLL_Name is the name of the specific DLL, including the file extension. Flag_Type is KERNEL, USER, or PROCESS, and a Hexidecimal_Value, starting with 0x and up to 64 bits long.<div class="alert">**Note:** The PROCESS flag type can have a 32-bit length only. You can separate multiple entries with a backslash ().</div>|
|DeprecatedServiceShim|The problem is indicated when an application tries to install a service that has a dependency on a deprecated service. An error message displays.<p>The fix intercepts the CreateService function calls and removes the deprecated dependency service from the lpDependencies parameter.<p>You can control this fix further by typing the following command at the command prompt:<p>`Deprecated_Service\App_Service/Deprecated_Service2 \App_Service2` where:<ul><li>Deprecated_Service is the name of the deprecated service</li><li>App_Service is the name of the specific application service that is to be modified</li></ul>For example, NtLmSsp\WMI.<div class="alert">**Note:** If you don't provide an App_Service name, the deprecated service is removed from all newly created services.</div><div class="alert">**Note:** You can separate multiple entries with a forward slash (/).</div>|
|DirectXVersionLie|This problem occurs when an application fails because it doesn't find the correct version number for DirectX®.<p>The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version.</div><p>You can control this fix further by typing the following command at the command prompt:<br>`MAJORVERSION.MINORVERSION.LETTER`<p>For example, 9.0.c.|
|DetectorDWM8And16Bit|This fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes aren't supported in Windows 8 .|
|Disable8And16BitD3D|This fix improves performance of 8/16-bit color applications that render using D3D and don't mix direct draw.|
|Disable8And16BitModes|This fix disables 8/16-bit color mitigation and enumeration of 8/16-bit color modes.|
|DisableDWM|The problem occurs when some objects aren't drawn or object artifacts remain on the screen in an application.<p>The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the DisableDWM Fix](/previous-versions/windows/it-pro/windows-7/cc722418(v=ws.10)).</div>|
|DisableFadeAnimations|The problem is indicated when an application fades animation, buttons, or other controls don't function properly.<p>The fix disables the fade animations functionality for unsupported applications.|
|DisableThemeMenus|The problem occurs when an application behaves unpredictably when it tries to detect and use the correct Windows settings.<p>The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.|
|DisableWindowsDefender|The fix disables Windows Defender for security applications that don't work with Windows Defender.|
|DWM8And16BitMitigation|The fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes aren't supported in Windows 8.|
|DXGICompat|The fix allows application-specific compatibility instructions to be passed to the DirectX engine.|
|DXMaximizedWindowedMode|Applications that use DX8/9 are run in a maximized windowed mode. This is required for applications that use GDI/DirectDraw in addition to Direct3D.|
|ElevateCreateProcess|The problem is indicated when: <ul><li>installations</li><li>de-installations</li><li>updates</li></ul> fail because the host process calls the CreateProcess function and it returns an ERROR_ELEVATION_REQUIRED error message.<p>The fix handles the error code and attempts to recall the CreateProcess function together with requested elevation. If the fixed application already has a UAC manifest, the error code is returned unchanged.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the ElevateCreateProcess Fix](/previous-versions/windows/it-pro/windows-7/cc722422(v=ws.10)).</div>|
|EmulateOldPathIsUNC|The problem occurs when an application fails because of an incorrect UNC path.<p>The fix exchanges the PathIsUNC function to return a value of True for UNC paths in Windows.|
|EmulateGetDiskFreeSpace|The problem is indicated when an application fails to install or to run. An error message is generated that there isn't enough free disk space to install or use the application. The error message occurs even though there's enough free disk space to meet the application requirements.<p>The fix determines the amount of free space. If the amount of free space is larger than 2 GB, the compatibility fix returns a value of 2 GB. However, if the amount of free space is smaller than 2 GB, the compatibility fix returns the actual-free space amount.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the EmulateGetDiskFreeSpace Fix](/previous-versions/windows/it-pro/windows-7/ff720129(v=ws.10)).</div>|
|EmulateSorting|The problem occurs when an application experiences search functionality issues.<p>The fix forces applications that use the CompareStringW/LCMapString sorting table to use an older version of the table.<div class="alert">**Note:** For more detailed information about this e application fix, see [Using the EmulateSorting Fix](/previous-versions/windows/it-pro/windows-7/cc749209(v=ws.10)).</div>|
|EmulateSortingWindows61|The fix emulates the sorting order of Windows 7 and Windows Server 2008 R2 for various APIs.|
|EnableRestarts|The problem is indicated when an application and computer appear to hang because processes can't end to allow the computer to complete its restart processes.<p>The fix enables the computer to restart and finish the installation process by verifying and enabling that the SeShutdownPrivilege service privilege exists.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the EnableRestarts Fix](/previous-versions/windows/it-pro/windows-7/ff720128(v=ws.10)).</div>|
|ExtraAddRefDesktopFolder|The problem occurs when an application invokes the Release() method too many times and causes an object to be prematurely destroyed.<p>The fix invokes the AddRef() method on the Desktop folder, which the SHGetDesktopFolder function returns, to counteract the problem.|
|FailObsoleteShellAPIs|The problem occurs when an application fails because it generated deprecated API calls.<p>The fix either fully implements the obsolete functions or implements the obsolete functions with stubs that fail.<div class="alert">**Note:** You can type FailAll=1 at the command prompt to suppress the function implementation and force all functions to fail.</div>|
|FailRemoveDirectory|The problem occurs when an application uninstall process doesn't remove all of the application files and folders.<p>This fix fails calls to RemoveDirectory() when called with a path matching the one specified in the shim command line. Only a single path is supported. The path can contain environment variables, but must be an exact path - no partial paths are supported.<p>The fix resolves an issue where an application expects RemoveDirectory() to delete a folder immediately even though a handle is open to it.|
|FakeLunaTheme|The problem occurs when a theme application doesn't properly display: the colors are washed out or the user interface isn't detailed.<p>The fix intercepts the GetCurrentThemeName API and returns the value for the Windows XP default theme (Luna).<div class="alert">**Note:** For more detailed information about the FakeLunaTheme application fix, see [Using the FakeLunaTheme Fix](/previous-versions/windows/it-pro/windows-7/cc766315(v=ws.10)).</div>|
|FlushFile|This problem is indicated when a file is updated and changes don't immediately appear on the hard disk. Applications can't see the file changes.<p>The fix enables the WriteFile function to call to the FlushFileBuffers APIs, which flush the file cache onto the hard disk.|
|FontMigration|The fix replaces an application-requested font with a better font selection, to avoid text truncation.|
|ForceAdminAccess|The problem occurs when an application fails to function during an explicit administrator check.<p>The fix allows the user to temporarily imitate being a part of the Administrators group by returning a value of True during the administrator check.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the ForceAdminAccess Fix](/previous-versions/windows/it-pro/windows-7/cc766024(v=ws.10)).</div>|
|ForceInvalidateOnClose|The fix invalidates any windows that exist under a closing or hiding window for applications that rely on the invalidation messages.|
|ForceLoadMirrorDrvMitigation|The fix loads the Windows 8-mirror driver mitigation for applications where the mitigation isn't automatically applied.|
|FreestyleBMX|The fix resolves an application race condition that is related to window message order.|
|GetDriveTypeWHook|The application presents unusual behavior during installation; for example, the setup program states that it can't install to a user-specified location.<p>The fix exchanges GetDriveType() so that only the root information appears for the file path. This is required when an application passes an incomplete or badly formed file path when it tries to retrieve the drive type on which the file path exists.|
|GlobalMemoryStatusLie|The problem occurs when a Computer memory full error message that displays when you start an application.<p>The fix modifies the memory status structure, so that it reports a swap file that is 400 MB, regardless of the true swap file size.|
|HandleBadPtr|The problem occurs when an access violation error message that displays because an API is performing pointer validation before it uses a parameter.<p>The fix supports using lpBuffer validation from the InternetSetOptionA and InternetSetOptionW functions to perform the more parameter validation.|
|HandleMarkedContentNotIndexed|The problem occurs when an application that fails when it changes an attribute on a file or directory.<p>The fix intercepts any API calls that return file attributes and directories that are invoked from the %TEMP% directory. The fix then resets the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute to its original state.|
|HeapClearAllocation|The problem is indicated when the allocation process shuts down unexpectedly.<p>The fix uses zeros to clear out the heap allocation for an application.|
|IgnoreAltTab|The problem occurs when an application fails to function when special key combinations are used.<p>The fix intercepts the RegisterRawInputDevices API and prevents the delivery of the WM_INPUT messages. This delivery failure forces the included hooks to be ignored and forces DInput to use Windows-specific hooks.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the IgnoreAltTab Fix](/previous-versions/windows/it-pro/windows-7/cc722093(v=ws.10)).</div>|
|IgnoreChromeSandbox|The fix allows Google Chrome to run on systems where ntdll is loaded above 4 GB.|
|IgnoreDirectoryJunction|The problem occurs when a read or access violation error message that displays when an application tries to find or open files.<p>The fix links the FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindFirstFileW, and FindFirstFileA APIs to prevent them from returning directory junctions.<div class="alert">**Note:** Symbolic links appear to start in Windows Vista.</div>|
|IgnoreException|The problem is indicated when an application stops functioning immediately after it starts, or the application starts with only a cursor appearing on the screen.<p>The fix enables the application to ignore specified exceptions. By default, this fix ignores privileged-mode exceptions; however, it can be configured to ignore any exception.<p>You can control this fix further by typing the following command at the command prompt:<p>`Exception1;Exception2`<br>Where Exception1 and Exception2 are specific exceptions to be ignored. For example: ACCESS_VIOLATION_READ:1;ACCESS_VIOLATION_WRITE:1.<p>**Important:** You should use this compatibility fix only if you're certain that it's acceptable to ignore the exception. You might experience more compatibility issues if you choose to incorrectly ignore an exception.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the IgnoreException Fix](/previous-versions/windows/it-pro/windows-7/cc766154(v=ws.10)).</div>|
|IgnoreFloatingPointRoundingControl|This fix enables an application to ignore the rounding control request and to behave as expected in previous versions of the application.<p>Before the C runtime library supported floating point SSE2, it ignored the rounding control request and used the round to nearest option by default. This shim ignores the rounding control request to support applications relying on old behavior.|
|IgnoreFontQuality|The problem occurs when application text appears to be distorted.<p>The fix enables color-keyed fonts to properly work with anti-aliasing.|
|IgnoreMessageBox|The problem occurs when a message box that displays with debugging or extraneous content when the application runs on an unexpected operating system.<p>The fix intercepts the MessageBox* APIs and inspects them for specific message text. If matching text is found, the application continues without showing the message box.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the IgnoreMessageBox Fix](/previous-versions/windows/it-pro/windows-7/cc749044(v=ws.10)).</div>|
|IgnoreMSOXMLMF|The problem occurs when an error message that states that the operating system can't locate the MSVCR80D.DLL file.<p>The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system anytime that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix ignores the registered MSOXMLMF and fails the CoGetClassObject for its CLSID.|
|IgnoreSetROP2|The fix ignores read-modify-write operations on the desktop to avoid performance issues.|
|InstallComponent|The fix prompts the user to install.Net 3.5 or .NET 2.0 because .NET isn't included with Windows 8.|
|LoadLibraryRedirect|The fix forces an application to load system versions of libraries instead of loading redistributable versions that shipped with the application.|
|LocalMappedObject|The problem occurs when an application unsuccessfully tries to create an object in the Global namespace.<p>The fix intercepts the function call to create the object and replaces the word Global with Local.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the LocalMappedObject Fix](/previous-versions/windows/it-pro/windows-7/cc749287(v=ws.10)).</div>|
|MakeShortcutRunas|The problem is indicated when an application fails to uninstall because of access-related errors.<p>The fix locates any RunDLL.exe-based uninstallers and forces them to run with different credentials during the application installation. After it applies this fix, the installer will create a shortcut that specifies a matching string to run during the application installationenabling the uninstallation to occur later.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the MakeShortcutRunas Fix](/previous-versions/windows/it-pro/windows-7/dd638338(v=ws.10))</div>|
|ManageLinks|The fix intercepts common APIs that are going to a directory or to an executable (.exe) file, and then converts any symbolic or directory junctions before passing it back to the original APIs.|
|MirrorDriverWithComposition|The fix allows mirror drivers to work properly with acceptable performance with desktop composition.|
|MoveToCopyFileShim|The problem occurs when an application experiences security access issues during setup.<p>The fix forces the CopyFile APIs to run instead of the MoveFile APIs. CopyFile APIs avoid moving the security descriptor, which enables the application files to get the default descriptor of the destination folder and prevents the security access issue.|
|OpenDirectoryAcl|The problem occurs when an error message that states that you don't have the appropriate permissions to access the application.<p>The fix reduces the security privilege levels on a specified set of files and folders.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the OpenDirectoryACL Fix](/previous-versions/windows/it-pro/windows-7/dd638417(v=ws.10)).</div>|
|PopCapGamesForceResPerf|The fix resolves the performance issues in PopCap games like Bejeweled2. The performance issues are visible in certain low-end cards at certain resolutions where the 1024x768 buffer is scaled to fit the display resolution.|
|PreInstallDriver|The fix preinstalls drivers for applications that would otherwise try to install or start drivers during the initial start process.|
|PreInstallSmarteSECURE|The fix preinstalls computer-wide CLSIDs for applications that use SmartSECURE copy protection, which would otherwise try to install the CLSIDs during the initial start process.|
|ProcessPerfData|The problem occurs because the application tried to read the process performance data registry value to determine if another instance of the application is running. This problem results in an Unhandled Exception error message.<p>The fix handles the failure case by passing a fake process performance data registry key, so that the application perceives that it's the only instance running.<div class="alert">**Note:** This issue seems to occur most frequently with .NET applications.|
|PromoteDAM|The fix registers an application for power state change notifications.</div>|
|PropagateProcessHistory|The problem occurs when an application incorrectly fails to apply an application fix.<p>The fix sets the _PROCESS_HISTORY environment variable so that child processes can look in the parent directory for matching information while searching for application fixes.|
|ProtectedAdminCheck|The problem occurs when an application fails to run because of incorrect Protected Administrator permissions.<p>The fix addresses the issues that occur when applications use non-standard Administrator checks. This issue can result in false positives for user accounts that are being run as Protected Administrators. In this case, the associated SID exists, but the SID is set as deny-only.|
|RedirectCRTTempFile|The fix intercepts failing CRT calls that try to create a temporary file at the root of the volume. The fix instead redirects the calls to a temporary file in the user's temporary directory.|
|RedirectHKCUKeys|The problem occurs when an application can't be accessed because of User Account Control (UAC) restrictions.<p>The fix duplicates any newly created HKCU keys to other users' HKCU accounts. This fix is generic for UAC restrictions, whereby the HKCU keys are required, but are unavailable to an application at runtime.|
|RedirectMP3Codec|This problem occurs when you can't play MP3 files.<p>The fix intercepts the CoCreateInstance call for the missing filter and then redirects it to a supported version.|
|RedirectShortcut|The problem occurs when an application's shortcut can't be accessed, or the application uninstallation process doesn't remove application shortcuts.<p>The fix redirects all of the shortcuts created during the application setup to appear according to a specified path.<p>Start Menu shortcuts: Appear in the \ProgramData\Microsoft\Windows\Start Menu directory for all users.<br>Desktop or Quick Launch shortcuts: You must manually place the shortcuts on the individual user's desktop or Quick Launch bar.<p>This issue occurs because of UAC restrictions: specifically, when an application setup runs by using elevated privileges and stores the shortcuts according to the elevated user's context. In this situation, a restricted user can't access the shortcuts.<p>You can't apply this fix to an .exe file that includes a manifest and provides a run level.|
|RelaunchElevated|The problem occurs when installers, uninstallers, or updaters fail when they're started from a host application.<p>The fix enables a child .exe file to run with elevated privileges when it's difficult to determine the parent process with either the ElevateCreateProcess fix or by marking the .exe files to RunAsAdmin.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RelaunchElevated Fix](/previous-versions/windows/it-pro/windows-7/dd638373(v=ws.10)).</div>|
|RetryOpenSCManagerWithReadAccess|The problem occurs when an application tries to open the Service Control Manager (SCM) and receives an Access Denied error message.<p>The fix retries the call and requests a more restricted set of rights that include the following items:<li>SC_MANAGER_CONNECT<li>SC_MANAGER_ENUMERATE_SERVICE<li>SC_MANAGER_QUERY_LOCK_STATUS<li>STANDARD_READ_RIGHTS<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RetryOpenSCManagerwithReadAccess Fix](/previous-versions/windows/it-pro/windows-7/cc721915(v=ws.10)).</div>|
|RetryOpenServiceWithReadAccess|The problem occurs when an Unable to open service due to your application using the OpenService() API to test for the existence of a particular service error message displays.<p>The fix retries the OpenService() API call and verifies that the user has Administrator rights, isn't a Protected Administrator, and by using read-only access. Applications can test for the existence of a service by calling the OpenService() API but some applications ask for all access when making this check. This fix retries the call but only asking for read-only access. The user needs to be an administrator for this fix to work<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RetryOpenServiceWithReadAccess Fix](/previous-versions/windows/it-pro/windows-7/cc766423(v=ws.10)).</div>|
|RunAsAdmin|The problem occurs when an application fails to function by using the Standard User or Protected Administrator account.<p>The fix enables the application to run by using elevated privileges. The fix is the equivalent of specifying requireAdministrator in an application manifest.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RunAsAdmin Fix](/previous-versions/windows/it-pro/windows-7/dd638315(v=ws.10)).</div>|
|RunAsHighest|The problem occurs when administrators can't view the read/write version of an application that presents a read-only view to standard users.<p>The fix enables the application to run by using the highest available permissions. This fix is the equivalent of specifying highestAvailable in an application manifest.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RunAsHighest Fix](/previous-versions/windows/it-pro/windows-7/dd638322(v=ws.10)).</div>|
|RunAsInvoker|The problem occurs when an application isn't detected as requiring elevation.<p>The fix enables the application to run by using the privileges that are associated with the creation process, without requiring elevation. This fix is the equivalent of specifying asInvoker in an application manifest.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RunAsInvoker Fix](/previous-versions/windows/it-pro/windows-7/dd638389(v=ws.10)).</div>|
|SecuROM7|The fix repairs applications by using SecuROM7 for copy protection.|
|SessionShim|The fix intercepts API calls from applications that are trying to interact with services that are running in another session, by using the terminal service name prefix (Global or Local) as the parameter.<p>At the command prompt, you can supply a list of objects to modify, separating the values by a double backslash (). Or, you can choose not to include any parameters, so that all of the objects are modified.<p>**Important:** Users can't sign in as Session 0 (Global Session) in Windows Vista and later. Therefore, applications that require access to Session 0 automatically fail.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the SessionShim Fix](/previous-versions/windows/it-pro/windows-7/cc722085(v=ws.10)).</div>|
|SetProtocolHandler|The fix registers an application as a protocol handler.<p>You can control this fix further by typing the following command at the command prompt:`Client;Protocol;App`<br>Where the Client is the name of the email protocol, Protocol is mailto, and App is the name of the application.<div class="alert">**Note:** Only the mail client and the mailto protocol are supported. You can separate multiple clients by using a backslash ().</div>|
|SetupCommitFileQueueIgnoreWow|The problem occurs when a 32-bit setup program fails to install because it requires 64-bit drivers.<p>The fix disables the Wow64 file system that is used by the 64-bit editions of Windows, to prevent 32-bit applications from accessing 64-bit file systems during the application setup.|
|SharePointDesigner2007|The fix resolves an application bug that severely slows the application when it runs in DWM.|
|ShimViaEAT|The problem occurs when an application fails, even after applying a compatibility fix that is known to fix an issue. Applications that use unicows.dll or copy protection often present this issue.<p>The fix applies the specified compatibility fixes by modifying the export table and by nullifying the use of module inclusion and exclusion.<div class="alert">**Note:** For more information about this application fix, see [Using the ShimViaEAT Fix](/previous-versions/windows/it-pro/windows-7/cc766286(v=ws.10)).</div>|
|ShowWindowIE|The problem occurs when a web application experiences navigation and display issues because of the tabbing feature.<p>The fix intercepts the ShowWindow API call to address the issues that can occur when a web application determines that it is in a child window. This fix calls the real ShowWindow API on the top-level parent window.|
|SierraWirelessHideCDROM|The fix repairs the Sierra Wireless Driver installation preventing bugcheck.|
|Sonique2|The application uses an invalid window style, which breaks in DWM. This fix replaces the window style with a valid value.|
|SpecificInstaller|The problem occurs when the GenericInstaller function fails to pick up an application installation file.<p>The fix flags the application as being an installer file (for example, setup.exe), and then prompts for elevation.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the SpecificInstaller Fix](/previous-versions/windows/it-pro/windows-7/dd638397(v=ws.10)).</div>|
|SpecificNonInstaller|The problem occurs when an application that isn't an installer (and has sufficient privileges) generates a false positive from the GenericInstaller function.<p>The fix flags the application to exclude it from detection by the GenericInstaller function.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the SpecificNonInstaller Fix](/previous-versions/windows/it-pro/windows-7/dd638326(v=ws.10)).</div>|
|SystemMetricsLie|The fix replaces SystemMetrics values and SystemParametersInfo values with the values of previous Windows versions.|
|TextArt|The application receives different mouse coordinates with DWM ON versus DWM OFF, which causes the application to hang. This fix resolves the issue.|
|TrimDisplayDeviceNames|The fix trims the names returned by the EnumDisplayDevices API of the display devices.|
|UIPICompatLogging|The fix enables the logging of Windows messages from Internet Explorer and other processes.|
|UIPIEnableCustomMsgs|The problem occurs when an application doesn't properly communicate with other processes because customized Windows messages aren't delivered.<p>The fix enables customized Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the RegisterWindowMessage function, followed by the ChangeWindowMessageFilter function in the code.<p>You can control this fix further by typing the following command at the command prompt:<p>`MessageString1 MessageString2`<br>Where MessageString1 and MessageString2 reflect the message strings that can pass.<div class="alert">**Note:** You must separate multiple message strings by spaces. For more detailed information about this application fix, see [Using the UIPIEnableCustomMsgs Fix](/previous-versions/windows/it-pro/windows-7/dd638320(v=ws.10)).</div>|
|UIPIEnableStandardMsgs|The problem occurs when an application doesn't communicate properly with other processes because standard Windows messages aren't delivered.<p>The fix enables standard Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the ChangeWindowMessageFilter function in the code.<p>You can control this fix further by typing the following command at the command prompt:<p>`1055 1056 1069`<p>Where 1055 reflects the first message ID, 1056 reflects the second message ID, and 1069 reflects the third message ID that can pass.<div class="alert">**Note:** You can separate multiple messages with spaces. For more detailed information about this application fix, see [Using the UIPIEnableStandardMsgs Fix [act]](/previous-versions/windows/it-pro/windows-7/dd638361(v=ws.10)).</div>|
|VirtualizeDeleteFileLayer|The fix virtualizes DeleteFile operations for applications that try to delete protected files.|
|VirtualizeDesktopPainting|This fix improves the performance of several operations on the Desktop DC while using DWM.|
|VirtualRegistry|The problem is indicated when a Component failed to be located error message displays when an application is started.<p>The fix enables the registry functions to allow for virtualization, redirection, expansion values, version spoofing, the simulation of performance data counters, and so on.<p>For more detailed information about this application fix, see [Using the VirtualRegistry Fix](/previous-versions/windows/it-pro/windows-7/cc749368(v=ws.10)).|
|VirtualizeDeleteFile|The problem occurs when several error messages display and the application can't delete files.<p>The fix makes the application's DeleteFile function call a virtual call to remedy the UAC and file virtualization issues that were introduced with Windows Vista. This fix also links other file APIs (for example, GetFileAttributes) to ensure that the virtualization of the file is deleted.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the VirtualizeDeleteFile Fix](/previous-versions/windows/it-pro/windows-7/dd638360(v=ws.10)).</div>|
|VirtualizeHKCRLite|The problem occurs when an application fails to register COM components at runtime.<p>The fix redirects the HKCR write calls (HKLM) to the HKCU hive for a per-user COM registration. This fix operates much like the VirtualRegistry fix when you use the VirtualizeHKCR parameter; however, VirtualizeHKCRLite provides better performance.<p>HKCR is a virtual merge of the HKCU\Software\Classes and HKLM\Software\Classes directories. The use of HKCU is preferred if an application isn't elevated and is ignored if the application is elevated.<p>You typically use this compatibility fix with the VirtualizeRegisterTypeLib fix.<br>For more detailed information about this application fix, see [Using the VirtualizeHKCRLite Fix](/previous-versions/windows/it-pro/windows-7/dd638327(v=ws.10)).|
|VirtualizeRegisterTypeLib|The fix when used with the VirtualizeHKCRLite fix, ensures that the type library and the COM class registration happen simultaneously. This fix functions much like the RegistryTypeLib fix when the RegisterTypeLibForUser parameter is used.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the VirtualizeRegisterTypelib Fix](/previous-versions/windows/it-pro/windows-7/dd638385(v=ws.10)).</div>|
|WaveOutIgnoreBadFormat|When this problem occurs when an Unable to initialize sound device from your audio driver error occurs; the application then closes.<p>The fix enables the application to ignore the format error and continue to function properly.|
|WerDisableReportException|The fix turns off the silent reporting of exceptions, including those exceptions reported by Object Linking and Embedding-Database (OLE DB), to the Windows Error Reporting tool. The fix intercepts the RtlReportException API and returns a STATUS_NOT_SUPPORTED error message.|
|Win7RTM/Win8RTM|The layer provides the application with Windows 7/Windows 8 compatibility mode.|
|WinxxRTMVersionLie|The problem occurs when an application fails because it doesn't find the correct version number for the required Windows operating system.<p>All version lie compatibility fixes address the issue whereby an application fails to function because it's checking for, but not finding, a specific version of the operating system. The version lie fix returns the appropriate operating system version information. For example, the VistaRTMVersionLie returns the Windows Vista version information to the application, regardless of the actual operating system version that is running on the computer.|
|Wing32SystoSys32|The problem occurs when an error message that states that the WinG library wasn't properly installed.<p>The fix detects whether the WinG32 library exists in the correct directory. If the library is located in the wrong location, this fix copies the information (typically during the runtime of the application) into the %WINDIR% \system32 directory.<p>**Important:** The application must have Administrator privileges for this fix to work.|
|WinSrv08R2RTM||
|WinXPSP2VersionLie|The problem occurs when an application experiences issues because of a VB runtime DLL.<p>The fix forces the application to follow these steps:<li>Open the Compatibility Administrator, and then select None for Operating System Mode.<li>On the Compatibility Fixes page, select WinXPSP2VersionLie, and then select Parameters.<li>The Options for /<fix_name/>; dialog box appears.<li>Type vbrun60.dll into the Module Name box, select Include, and then select Add.<li>Save the custom database.<div class="alert">**Note:** For more information about the WinXPSP2VersionLie application fix, see [Using the WinXPSP2VersionLie Fix](/previous-versions/windows/it-pro/windows-7/cc749518(v=ws.10)).</div>|
|WRPDllRegister|The application fails when it tries to register a COM component that is released together with Windows Vista and later.<p>The fix skips the processes of registering and unregistering WRP-protected COM components when calling the DLLRegisterServer and DLLUnregisterServer functions.<p>You can control this fix further by typing the following command at the command prompt:<p>`Component1.dll;Component2.dll`<br>Where Component1.dll and Component2.dll reflect the components to be skipped.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the WRPDllRegister Fix](/previous-versions/windows/it-pro/windows-7/dd638345(v=ws.10)).</div>|
|WRPMitigation|The problem is indicated when an access denied error message displays when the application tries to access a protected operating system resource by using more than read-only access.<p>The fix emulates the successful authentication and modification of file and registry APIs, so that the application can continue.<div class="alert">**Note:** For more detailed information about WRPMitigation, see [Using the WRPMitigation Fix](/previous-versions/windows/it-pro/windows-7/dd638325(v=ws.10)).</div>|
|WRPRegDeleteKey|The problem occurs when an access denied error message that displays when the application tries to delete a registry key.<p>The fix verifies whether the registry key is WRP-protected. If the key is protected, this fix emulates the deletion process.|
|XPAfxIsValidAddress|The fix emulates the behavior of Windows XP for MFC42!AfxIsValidAddress.|
## Compatibility Modes
The following table lists the known compatibility modes.
|Compatibility Mode Name|Description|Included Compatibility Fixes|
|--- |--- |--- |
|WinSrv03|Emulates the Windows Server 2003 operating system.|<li>Win2k3RTMVersionLie<li>VirtualRegistry<li>ElevateCreateProcess<li>EmulateSorting<li>FailObsoleteShellAPIs<li>LoadLibraryCWD<li>HandleBadPtr<li>GlobalMemoryStatus2 GB<li>RedirectMP3Codec<li>EnableLegacyExceptionHandlinginOLE<li>NoGhost<li>HardwareAudioMixer|
|WinSrv03Sp1|Emulates the Windows Server 2003 with Service Pack 1 (SP1) operating system.|<li>Win2K3SP1VersionLie<li>VirtualRegistry<li>ElevateCreateProcess<li>EmulateSorting<li>FailObsoleteShellAPIs<li>LoadLibraryCWD<li>HandleBadPtr<li>EnableLegacyExceptionHandlinginOLE<li>RedirectMP3Codec<li>HardwareAudioMixer|


@ -1,61 +0,0 @@
---
title: Creating a Custom Compatibility Fix in Compatibility Administrator (Windows 10)
description: The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
# Creating a Custom Compatibility Fix in Compatibility Administrator
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The Compatibility Administrator tool uses the term *fix* to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages.
> [!IMPORTANT]
> Fixes apply to a single application only; therefore, you must create multiple fixes if you need to fix the same issue in multiple applications.
## What is a Compatibility Fix?
A compatibility fix, previously known as a shim, is a small piece of code that intercepts API calls from applications. The fix transforms the API calls so that the current version of the operating system supports the application in the same way as previous versions of the operating system. This can mean anything from disabling a new feature in the current version of the operating system to emulating a particular behavior of an older version of the Windows API.
## Searching for Existing Compatibility Fixes
The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new compatibility fix, you can search for an existing application and then copy and paste the known fixes into your customized database.
> [!IMPORTANT]
> Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications.
**To search for an existing application**
1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name.
2. Click the application name to view the preloaded compatibility fixes, compatibility modes, or AppHelp messages.
## Creating a New Compatibility Fix
If you are unable to find a preloaded compatibility fix for your application, you can create a new one for use by your customized database.
**To create a new compatibility fix**
1. In the left-side pane of Compatibility Administrator underneath the **Custom Databases** heading, right-click the name of the database to which you want to apply the compatibility fix, click **Create New**, and then click **Application Fix**.
2. Type the name of the application to which the compatibility fix applies, type the name of the application vendor, browse to the location of the application file (.exe) on your computer, and then click **Next**.
3. Select the operating system for which your compatibility fix applies, click any applicable compatibility modes to apply to your compatibility fix, and then click **Next**.
4. Select any additional compatibility fixes to apply to your compatibility fix, and then click **Next**.
5. Select any additional criteria to use to match your applications to the AppHelp message, and then click **Finish**.
By default, Compatibility Administrator selects the basic matching criteria for your application. As a best practice, use a limited set of matching information to represent your application, because it reduces the size of the database. However, make sure you have enough information to correctly identify your application.
## Related topics
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)


@ -1,67 +0,0 @@
---
title: Create a Custom Compatibility Mode (Windows 10)
description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# Creating a Custom Compatibility Mode in Compatibility Administrator
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
Windows® provides several *compatibility modes*, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.
## What Is a Compatibility Mode?
A compatibility mode is a group of compatibility fixes. A compatibility fix, previously known as a shim, is a small piece of code that intercepts API calls from applications. The fix transforms the API calls so that the current version of the operating system supports the application in the same way as previous versions of the operating system. This can be anything from disabling a new feature in Windows to emulating a particular behavior of an older version of the Windows API.
## Searching for Existing Compatibility Modes
The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new compatibility mode, you can search for an existing application and then copy and paste the known fixes into your custom database.
> [!IMPORTANT]
> Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications.
**To search for an existing application**
1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name.
2. Click the application name to view the preloaded compatibility modes, compatibility fixes, or AppHelp messages.
## Creating a New Compatibility Mode
If you are unable to find a preloaded compatibility mode for your application, you can create a new one for use by your custom database.
> [!IMPORTANT]
> A compatibility mode includes a set of compatibility fixes and must be deployed as a group. Therefore, you should include only fixes that you intend to deploy together to the database.
**To create a new compatibility mode**
1. In the left-side pane of Compatibility Administrator, underneath the **Custom Databases** heading, right-click the name of the database to which you will apply the compatibility mode, click **Create New**, and then click **Compatibility Mode**.
2. Type the name of your custom-compatibility mode into the **Name of the compatibility mode** text box.
3. Select each of the available compatibility fixes to include in your custom-compatibility mode and then click **&gt;**.
> [!IMPORTANT]
> If you are unsure which compatibility fixes to add, you can click **Copy Mode**. The **Select Compatibility Mode** dialog box appears and enables you to select from the preloaded compatibility modes. After you select a compatibility mode and click **OK**, any compatibility fixes that are included in the preloaded compatibility mode will be automatically added to your custom-compatibility mode.
> If you have any compatibility fixes that require additional parameters, you can select the fix, and then click **Parameters**. The **Options for &lt;Compatibility\_Fix\_Name&gt;** dialog box appears, enabling you to update the parameter fields.
4. After you are done selecting the compatibility fixes to include, click **OK**.
The compatibility mode is added to your custom database.
## Related topics
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)


@ -1,86 +0,0 @@
---
title: Create AppHelp Message in Compatibility Administrator (Windows 10)
description: Create an AppHelp text message with Compatibility Administrator; a message that appears upon starting an app with major issues on the Windows® operating system.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# Creating an AppHelp Message in Compatibility Administrator
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.
## Blocking Versus Non-Blocking AppHelp Messages
A blocking AppHelp message prevents the application from starting and displays a message to the user. You can define a specific URL where the user can download an updated driver or other fix to resolve the issue. When using a blocking AppHelp message, you must also define the file-matching information to identify the version of the application and enable the corrected version to continue.
A non-blocking AppHelp message doesn't prevent the application from starting, but provides a message to the user that includes information such as security issues, updates to the application, or changes to the location of network resources.
## Searching for Existing Compatibility Fixes
The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new AppHelp message, you can search for an existing application and then copy and paste the known fixes into your custom database.
> [!IMPORTANT]
> Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications.
**To search for an existing application**
1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name.
2. Click the application name to view the preloaded AppHelp messages, compatibility fixes, and compatibility modes.
## Creating a New AppHelp Message
If you're unable to find a preloaded AppHelp message for your application, you can create a new one for use by your custom database.
**To create a new AppHelp message**
1. In the left-side pane of Compatibility Administrator, below the **Custom Databases** heading, right-click the name of the database to which you'll apply the AppHelp message, click **Create New**, and then click **AppHelp Message**.
2. Type the name of the application to which this AppHelp message applies, type the name of the application vendor, browse to the location of the application file (.exe) on your computer, and then click **Next**.
The wizard shows the known **Matching Information**, which is used for program identification.
3. Select any other criteria to use to match your applications to the AppHelp message, and then click **Next**.
By default, Compatibility Administrator selects the basic matching criteria for your application.
The wizard shows the **Enter Message Type** options.
4. Click one of the following options:
- **Display a message and allow this program to run**. This message is non-blocking, which means that you can alert the user that there might be a problem, but the application isn't prevented from starting.
- **Display a message and do not allow this program to run**. This message is blocking, which means that the application won't start. Instead, this message points the user to a location that provides more information about fixing the issue.
5. Click **Next**.
The wizard then shows the **Enter Message Information** fields.
6. Type the website URL and the message text to appear when the user starts the application, and then click **Finish**.
## Issues with AppHelp Messages and Computers Running Windows 2000
The following issues might occur with computers running Windows 2000:
- You might be unable to create a custom AppHelp message.
- The AppHelp message text used for system database entries might not appear.
- Copying an AppHelp entry for a system database or a custom-compatibility fix from a system database might cause Compatibility Administrator to hide the descriptive text.
## Related topics
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)


@ -1,58 +0,0 @@
---
title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator
description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
# Enabling and Disabling Compatibility Fixes in Compatibility Administrator
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.
## Disabling Compatibility Fixes
Customized compatibility databases can become quite complex as you add your fixes for the multiple applications found in your organization. Over time, you may find you need to disable a particular fix in your customized database. For example, if a software vendor releases a fix for an issue addressed in one of your compatibility fixes, you must validate that the vendor's fix is correct and that it resolves your issue. To do this, you must temporarily disable the compatibility fix and then test your application.
>[!IMPORTANT]
>Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to work with custom databases for 32-bit applications and the 64-bit version to work with custom databases for 64-bit applications.
**To disable a compatibility fix within a database**
1. In the left-sde pane of Compatibility Administrator, expand the custom database that includes the compatibility fix that you want to disable, and then select the specific compatibility fix.
The compatibility fix details appear in the right-hand pane.
2. On the **Database** menu, click **Disable Entry**.
**Important**
When you disable an entry, it will remain disabled even if you do not save the database file.
## Enabling Compatibility Fixes
You can enable your disabled compatibility fixes at any time.
**To enable a compatibility fix within a database**
1. In the left-side pane of Compatibility Administrator, expand the custom database that includes the compatibility fix that you want to enable, and then select the specific compatibility fix.
The compatibility fix details appear in the right-side pane.
2. On the **Database** menu, click **Enable Entry**.
## Related topics
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)


@ -1,38 +0,0 @@
---
title: Fixing Applications by Using the SUA Tool (Windows 10)
description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# Fixing Applications by Using the SUA Tool
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application.
**To fix an application by using the SUA tool**
1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md).
2. After you finish testing, open the SUA tool.
3. On the **Mitigation** menu, click the command that corresponds to the action that you want to take. The following table describes the commands.
|Mitigation menu command|Description|
|--- |--- |
|**Apply Mitigations**|Opens the **Mitigate AppCompat Issues** dialog box, in which you can select the fixes that you intend to apply to the application.|
|**Undo Mitigations**|Removes the application fixes that you just applied.<p>This option is available only after you apply an application fix and before you close the SUA tool. Alternatively, you can manually remove application fixes by using **Programs and Features** in Control Panel.|
|**Export Mitigations as Windows Installer file**|Exports your application fixes as a Windows® Installer (.msi) file, which can then be deployed to other computers that are running the application.|

Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.



@ -1,63 +0,0 @@
---
title: Install/Uninstall Custom Databases (Windows 10)
description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.
By default, the Windows® operating system installs a System Application Fix database for use with the Compatibility Administrator. This database can be updated through Windows Update, and is stored in the %WINDIR% \\AppPatch directory. Your custom databases are automatically stored in the %WINDIR% \\AppPatch\\Custom directory and are installed by using the Sdbinst.exe tool provided with the Compatibility Administrator.
> [!IMPORTANT]
> Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to work with custom databases for 32-bit applications and the 64-bit version to work with custom databases for 64-bit applications.
In addition, you must deploy your databases to your organization's computers before the included fixes will have any effect on the application issue. For more information about deploying your database, see [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md).
## Installing a Custom Database
Installing your custom-compatibility database enables you to fix issues with your installed applications.
**To install a custom database**
1. In the left-side pane of Compatibility Administrator, click the custom database to install to your local computers.
2. On the **File** menu, click **Install**.
The Compatibility Administrator installs the database, which appears in the **Installed Databases** list.
The relationship between your database file and an included application occurs in the registry. Every time you start an application, the operating system checks the registry for compatibility-fix information and, if found, retrieves the information from your customized database file.
## Uninstalling a Custom Database
When a custom database is no longer necessary, either because the applications are no longer used or because the vendor has provided a fix that resolves the compatibility issues, you can uninstall the custom database.
**To uninstall a custom database**
1. In the **Installed Databases** list, which appears in the left-side pane of Compatibility Administrator, click the database to uninstall from your local computers.
2. On the **File** menu, click **Uninstall**.
## Related topics
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)


@ -1,38 +0,0 @@
---
title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10)
description: Learn why you should use compatibility fixes, and how to deploy and manage custom-compatibility fix databases.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# Managing Application-Compatibility Fixes and Custom Fix Databases
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases.
## In this section
|Topic|Description|
|--- |--- |
|[Understanding and Using Compatibility Fixes](understanding-and-using-compatibility-fixes.md)|As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application.|
|[Compatibility Fix Database Management Strategies and Deployment](compatibility-fix-database-management-strategies-and-deployment.md)|After you determine that you will use compatibility fixes in your application-compatibility mitigation strategy, you must define a strategy to manage your custom compatibility-fix database. Typically, you can use one of two approaches:|
|[Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md)|This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues.|
## Related topics
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)


@ -1,60 +0,0 @@
---
title: Searching for Fixed Applications in Compatibility Administrator (Windows 10)
description: Compatibility Administrator can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# Searching for Fixed Applications in Compatibility Administrator
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application.
The **Query Compatibility Databases** tool provides additional search options. For more information, see [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md).
## Searching for Previously Applied Compatibility Fixes
> [!IMPORTANT]
> You must perform your search with the correct version of the Compatibility Administrator tool. If you are searching for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. If you are searching for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator.
**To search for previous fixes**
1. On the Compatibility Administrator toolbar, click **Search**.
2. Click **Browse** to locate the directory location to search for .exe files.
3. Select at least one check box from **Entries with Compatibility Fixes**, **Entries with Compatibility Modes**, or **Entries with AppHelp**.
4. Click **Find Now**.
The query runs, returning your results in the lower pane.
## Viewing Your Query Results
Your query results display the affected files, the application location, the application name, the type of compatibility fix, and the custom database that provided the fix.
## Exporting Your Query Results
You can export your search results to a text (.txt) file for later review or archival.
**To export your search results**
1. In the **Search for Fixes** dialog box, click **Export**.
2. Browse to the location where you want to store your search result file, and then click **Save**.
## Related topics
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)


@ -1,143 +0,0 @@
---
title: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator (Windows 10)
description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
# Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.
For information about the Search feature, see [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md). However, the Query tool provides more detailed search criteria, including tabs that enable you to search the program properties, the compatibility fix properties, and the fix description. You can perform a search by using SQL SELECT and WHERE clauses, in addition to searching specific types of databases.
> [!IMPORTANT]
> You must perform your search with the correct version of the Compatibility Administrator tool. To use the Query tool to search for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. To use the Query tool to search for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator.
## Querying by Using the Program Properties Tab
You can use the **Program Properties** tab of the Query tool to search for any compatibility fix, compatibility mode, or AppHelp for a specific application.
**To query by using the Program Properties tab**
1. On the Compatibility Administrator toolbar, click **Query**.
2. In the **Look in** drop-down list, select the appropriate database type to search.
3. Type the location of the application you are searching for into the **Search for the Application** field.
This name should be the same as the name in the **Applications** area (left pane) of Compatibility Administrator.
4. Type the application executable (.exe) file name into the **Search for the File** box. If you leave this box blank, the percent (%) sign appears as a wildcard to search for any file.
You must designate the executable name that was given when the compatibility fix was added to the database.
5. Optionally, select the check box for one of the following types of compatibility fix:
- **Compatibility Modes**
- **Compatibility Fixes**
- **Application Helps**
> [!IMPORTANT]
> If you do not select any of the check boxes, the search will look for all types of compatibility fixes. Do not select multiple check boxes because only applications that match all of the requirements will appear.
6. Click **Find Now**.
The query runs and the results of the query are displayed in the lower pane.
## Querying by Using the Fix Properties Tab
You can use the **Fix Properties** tab of the Query tool to search for any application affected by a specific compatibility fix or a compatibility mode. For example, you can search for any application affected by the ProfilesSetup compatibility mode.
**To query by using the Fix Properties tab**
1. On the Compatibility Administrator toolbar, click **Query**.
2. Click the **Fix Properties** tab.
3. In the **Look in** drop-down list, select the appropriate database type to search.
4. Type the name of the compatibility fix or compatibility mode into the **Search for programs fixed using** field.
>[!NOTE]
>You can use the percent (%) symbol as a wildcard in your fix-properties query, as a substitute for any string of zero or more characters
5. Select the check box for either **Search in Compatibility Fixes** or **Search in Compatibility Modes**.
>[!IMPORTANT]
>Your text must match the type of compatibility fix or mode for which you are performing the query. For example, entering the name of a compatibility fix and selecting the compatibility mode check box will not return any results. Additionally, if you select both check boxes, the query will search for the fix by compatibility mode and compatibility fix. Only applications that match both requirements appear.
6. Click **Find Now**.
The query runs and the results of the query are displayed in the lower pane.
## Querying by Using the Fix Description Tab
You can use the **Fix Description** tab of the Query tool to add parameters that enable you to search your compatibility databases by application title or solution description text.
**To query by using the Fix Description tab**
1. On the Compatibility Administrator toolbar, click **Query**.
2. Click the **Fix Description** tab.
3. In the **Look in** drop-down list, select the appropriate database type to search.
4. Type your search keywords into the box **Words to look for**. Use commas to separate multiple keywords.
>[!IMPORTANT]
>You cannot use wildcards as part of the Fix Description search query because the default behavior is to search for any entry that meets your search criteria.
5. Refine your search by selecting **Match any word** or **Match all words** from the drop-down list.
6. Click **Find Now**.
The query runs and the results of the query are displayed in the lower pane.
## Querying by Using the Advanced Tab
You can use the **Fix Description** tab of the Query tool to add additional SQL Server SELECT and WHERE clauses to your search criteria.
**To query by using the Advanced tab**
1. On the Compatibility Administrator toolbar, click **Query**.
2. Click the **Advanced** tab.
3. In the **Look in** drop-down list, select the appropriate database type to search.
4. Select the appropriate SELECT clause for your search from the **Select clauses** box. For example, **APP\_NAME**.
The **APP\_NAME** clause appears in the **SELECT** field. You can add as many additional clauses as you require. They will appear as columns in your search results.
5. Select the appropriate WHERE clause for your search from the **Where clauses** box. For example, **DATABASE\_NAME**.
The **DATABASE\_NAME =** clause appears in the **WHERE** box.
6. Type the appropriate clause criteria after the equal (=) sign in the **WHERE** box. For example, **DATABASE\_NAME = "Custom\_Database"**.
You must surround your clause criteria text with quotation marks (") for the clause to function properly.
7. Click **Find Now**.
The query runs and the results of the query are displayed in the lower pane.
## Exporting Your Search Results
You can export any of your search results into a tab-delimited text (.txt) file for later review or for archival purposes.
**To export your results**
1. After you have completed your search by using the Query tool, click **Export**.
The **Save results to a file** dialog box appears.
2. Browse to the location where you intend to store the search results file, and then click **Save**.
## Related topics
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)


@ -1,39 +0,0 @@
---
title: Showing Messages Generated by the SUA Tool (Windows 10)
description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# Showing Messages Generated by the SUA Tool
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated.
**To show the messages that the SUA tool has generated**
1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md).
2. After you finish testing, in the SUA tool, click the **App Info** tab.
3. On the **View** menu, click the command that corresponds to the messages that you want to see. The following table describes the commands.
|View menu command|Description|
|--- |--- |
|**Error Messages**|When this command is selected, the user interface shows error messages that the SUA tool has generated. Error messages are highlighted in pink.<p>This command is selected by default.|
|**Warning Messages**|When this command is selected, the user interface shows warning messages that the SUA tool has generated. Warning messages are highlighted in yellow.|
|**Information Messages**|When this command is selected, the user interface shows informational messages that the SUA tool has generated. Informational messages are highlighted in green.|
|**Detailed Information**|When this command is selected, the user interface shows information that the SUA tool has generated, such as debug, stack trace, stop code, and severity information.|

View File

@ -1,37 +0,0 @@
---
title: SUA User's Guide (Windows 10)
description: Learn how to use Standard User Analyzer (SUA). SUA can test your apps and monitor API calls to detect compatibility issues related to the Windows User Account Control (UAC) feature.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# SUA User's Guide
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows.
You can use SUA in either of the following ways:
- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for more analysis.
- **Standard User Analyzer Tool.** A full-function tool in which you can perform in-depth analysis and fix issues.
## In this section
|Topic|Description|
|--- |--- |
|[Using the SUA wizard](using-the-sua-wizard.md)|The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard doesn't offer detailed analysis, and it can't disable virtualization or elevate your permissions.|
|[Using the SUA Tool](using-the-sua-tool.md)|By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.|


@ -1,39 +0,0 @@
---
title: Tabs on the SUA Tool Interface (Windows 10)
description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# Tabs on the SUA Tool Interface
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze.
The following table provides a description of each tab on the user interface for the SUA tool.
|Tab name|Description|
|--- |--- |
|App Info|Provides the following information for the selected application:<li>Debugging information<li>Error, warning, and informational messages (if they are enabled)<li>Options for running the application|
|File|Provides information about access to the file system.<p>For example, this tab might show an attempt to write to a file that only administrators can typically access.|
|Registry|Provides information about access to the system registry.<p>For example, this tab might show an attempt to write to a registry key that only administrators can typically access.|
|INI|Provides information about WriteProfile API issues.<p>For example, in the Calculator tool (Calc.exe) in Windows® XP, when you change the view from **Standard** to **Scientific**, Calc.exe calls the WriteProfile API to write to the Windows\Win.ini file. The Win.ini file is writable only for administrators.|
|Token|Provides information about access-token checking.<p>For example, this tab might show an explicit check for the Builtin\Administrators security identifier (SID) in the user's access token. This operation may not work for a standard user.|
|Privilege|Provides information about permissions.<p>For example, this tab might show an attempt to explicitly enable permissions that do not work for a standard user.|
|Name Space|Provides information about creation of system objects.<p>For example, this tab might show an attempt to create a new system object, such as an event or a memory map, in a restricted namespace. Applications that attempt this kind of operation do not function for a standard user.|
|Other Objects|Provides information related to applications accessing objects other than files and registry keys.|
|Process|Provides information about process elevation.<p>For example, this tab might show the use of the CreateProcess API to open an executable (.exe) file that, in turn, requires process elevation that will not function for a standard user.|


@ -1,82 +0,0 @@
---
title: Testing Your Application Mitigation Packages (Windows 10)
description: Learn how to test your application-mitigation packages, including how to report your information and how to resolve any outstanding issues.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# Testing Your Application Mitigation Packages
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues.
## Testing Your Application Mitigation Packages
Testing your application mitigation package strategies is an iterative process, whereby the mitigation strategies that prove unsuccessful will need to be revised and retested. The testing process includes a series of tests in the test environment and one or more pilot deployments in the production environment.
**To test your mitigation strategies**
1. Perform the following steps for each of the applications for which you have developed mitigations.
1. Test the mitigation strategy in your test environment.
2. If the mitigation strategy is unsuccessful, revise the mitigation strategy and perform step 1 again.
At the end of this step, you will have successfully tested all of your mitigation strategies in your test environment and can move to your pilot deployment environment.
2. Perform the following steps in the pilot deployments for each of the applications for which you have developed mitigations.
1. Test the mitigation strategy in your pilot deployment.
2. If the mitigation strategy is unsuccessful, revise the mitigation strategy and perform Step 2 again.
At the end of this step, you will have successfully tested all of your mitigation strategies in your pilot environment.
## Reporting the Compatibility Mitigation Status to Stakeholders
After testing your application mitigation package, you must communicate your status to the appropriate stakeholders before deployment begins. We recommend that you perform this communication by using the following status ratings.
- **Resolved application compatibility issues**. This status indicates that the application compatibility issues are resolved and that these applications represent no risk to your environment.
- **Unresolved application compatibility issues**. This status indicates that there are unresolved issues for the specifically defined applications. Because these applications are a risk to your environment, more discussion is required before you can resolve the compatibility issues.
- **Changes to user experience**. This status indicates that the fix will change the user experience for the defined applications, possibly requiring your staff to receive further training. More investigation is required before you can resolve the compatibility issues.
- **Changes in help desk procedures and processes**. This status indicates that the fix will require changes to your help desk's procedures and processes, possibly requiring your support staff to receive further training. More investigation is required before you can resolve the compatibility issues.
## Resolving Outstanding Compatibility Issues
At this point, you probably cannot resolve any unresolved application compatibility issues by automated mitigation methods or by modifying the application. Resolve any outstanding application compatibility issues by using one of the following methods.
- Apply specific compatibility modes, or run the program as an Administrator, by using the Compatibility Administrator tool.
> [!NOTE]
> For more information about using Compatibility Administrator to apply compatibility fixes and compatibility modes, see [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md).
- Run the application in a virtual environment.
Run the application in a version of Windows supported by the application in a virtualized environment. This method ensures application compatibility, because the application is running on a supported operating system.
- Resolve application compatibility by using non-Microsoft tools.
If the application was developed in an environment other than Microsoft Visual Studio®, you must use non-Microsoft debugging and analysis tools to help resolve the remaining application compatibility issues.
- Outsource the application compatibility mitigation.
If your developers have insufficient resources to resolve the application compatibility issues, outsource the mitigation effort to another organization within your company.
## Related topics
[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)


@ -1,88 +0,0 @@
---
title: Understanding and Using Compatibility Fixes (Windows 10)
description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
# Understanding and Using Compatibility Fixes
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application.
## How the Compatibility Fix Infrastructure Works
The Compatibility Fix infrastructure uses the linking ability of APIs to redirect an application from Windows code directly to alternative code that implements the compatibility fix.
The Windows Portable Executable File Format includes headers that contain the data directories that are used to provide a layer of indirection between the application and the linked file. API calls to the external binary files take place through the Import Address Table (IAT), which then directly calls the Windows operating system, as shown in the following figure.
![act app calls operating system through iat.](images/dep-win8-l-act-appcallosthroughiat.jpg)
Specifically, the process modifies the address of the affected Windows function in the IAT to point to the compatibility fix code, as shown in the following figure.
![act app redirect with compatibility fix.](images/dep-win8-l-act-appredirectwithcompatfix.jpg)
>[!NOTE]
>For statically linked DLLs, the code redirection occurs as the application loads. You can also fix dynamically linked DLLs by hooking into the GetProcAddress API.
## Design Implications of the Compatibility Fix Infrastructure
There are important considerations to keep in mind when determining your application fix strategy, due to certain characteristics of the Compatibility Fix infrastructure.
- The compatibility fix is not part of the Windows operating system (as shown in the previous figure). Therefore, the same security restrictions apply to the compatibility fix as apply to the application code, which means that you cannot use compatibility fixes to bypass any of the security mechanisms of the operating system. Therefore, compatibility fixes do not increase your security exposure, nor do you need to lower your security settings to accommodate compatibility fixes.
- The Compatibility Fix infrastructure injects additional code into the application before it calls the operating system. This means that any remedy that can be accomplished by a compatibility fix can also be addressed by fixing the application code.
- The compatibility fixes run as user-mode code inside of a user-mode application process. This means that you cannot use a compatibility fix to fix kernel-mode code issues. For example, you cannot use a compatibility fix to resolve device-driver issues.
> [!NOTE]
> Some antivirus, firewall, and anti-spyware code runs in kernel mode.
## Determining When to Use a Compatibility Fix
The decision to use compatibility fixes to remedy your compatibility issues may involve more than just technical issues. The following scenarios reflect other common reasons for using a compatibility fix.
### Scenario 1
**The compatibility issue exists on an application which is no longer supported by the vendor.**
As in many companies, you may run applications for which the vendor has ended support. In this situation, you cannot have the vendor make the fix, nor can you access the source code to modify the issue yourself. However, it is possible that the use of a compatibility fix might resolve the compatibility issue.
### Scenario 2
**The compatibility issue exists on an internally created application.**
While it is preferable to fix the application code to resolve the issue, this is not always possible. Your internal team might not be able to fix all of the issues prior to the deployment of the new operating system. Instead, they might choose to employ a compatibility fix anywhere that it is possible. They can then fix the code only for issues that cannot be resolved in this manner. Through this method, your team can modify the application as time permits, without delaying the deployment of the new operating system into your environment.
### Scenario 3
**The compatibility issue exists on an application for which a compatible version is to be released in the near future, or an application that is not critical to the organization, regardless of its version.**
In the situation where an application is either unimportant to your organization, or for which a newer, compatible version is to be released shortly, you can use a compatibility fix as a temporary solution. This means that you can continue to use the application without delaying the deployment of a new operating system, with the intention of updating your configuration as soon as the new version is released.
## Determining Which Version of an Application to Fix
You can apply a compatibility fix to a particular version of an application, either by using the "up to or including" clause or by selecting that specific version. This means that the next version of the application will not have the compatibility fix automatically applied. This is important, because it allows you to continue to use your application, but it also encourages the vendor to fix the application.
## Support for Compatibility Fixes
Compatibility fixes are shipped as part of the Windows operating system and are updated by using Windows Update. Therefore, they receive the same level of support as Windows itself.
You can apply the compatibility fixes to any of your applications. However, Microsoft does not provide the tools to use the Compatibility Fix infrastructure to create your own custom fixes.
## Related topics
[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)


@ -1,38 +0,0 @@
---
title: Using the Compatibility Administrator Tool (Windows 10)
description: This section provides information about using the Compatibility Administrator tool.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# Using the Compatibility Administrator Tool
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
This section provides information about using the Compatibility Administrator tool.
## In this section
|Topic|Description|
|--- |--- |
|[Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md)|The Compatibility Administrator tool provides a way to query your custom-compatibility databases.|
|[Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md)|With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application.|
|[Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)|You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.|
|[Creating a Custom Compatibility Fix in Compatibility Administrator](creating-a-custom-compatibility-fix-in-compatibility-administrator.md)|The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages.|
|[Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)|Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.|
|[Creating an AppHelp Message in Compatibility Administrator](creating-an-apphelp-message-in-compatibility-administrator.md)|The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.|
|[Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md)|The **Events** screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.|
|[Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)|You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.|
|[Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)|The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.|


@ -1,68 +0,0 @@
---
title: Using the Sdbinst.exe Command-Line Tool (Windows 10)
description: Learn how to deploy customized database (.sdb) files using the Sdbinst.exe Command-Line Tool. Review a list of command-line options.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# Using the Sdbinst.exe Command-Line Tool
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2016
- Windows Server 2012
- Windows Server 2008 R2
Deploy your customized database (.sdb) files to other computers in your organization. That is, before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways. By using a logon script, by using Group Policy, or by performing file copy operations.
After you deploy and store the customized databases on each of your local computers, you must register the database files.
Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application.
## Command-Line Options for Deploying Customized Database Files
Sample output from the command `Sdbinst.exe /?` in an elevated CMD window:
```console
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>Sdbinst.exe /?
Usage: Sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"
-? - print this help text.
-p - Allow SDBs containing patches.
-q - Quiet mode: prompts are auto-accepted.
-u - Uninstall.
-g {guid} - GUID of file (uninstall only).
-n "name" - Internal name of file (uninstall only).
C:\Windows\system32>_
```
The command-line options use the following conventions:
Sdbinst.exe \[-?\] \[-p\] \[-q\] \[-u\] \[-g\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\]
The following table describes the available command-line options.
|Option|Description|
|--- |--- |
|-?|Displays the Help for the Sdbinst.exe tool.<p>For example,<br>`sdbinst.exe -?`|
|-p|Allows SDBs' installation with Patches.<p>For example,<br>`sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb`|
|-q|Does a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).<p>For example,<br>`sdbinst.exe -q`|
|-u *filepath*|Does an uninstallation of the specified database.<p>For example,<br>`sdbinst.exe -u C:\example.sdb`|
|-g *GUID*|Specifies the customized database to uninstall by a globally unique identifier (GUID).<p>For example,<br>`sdbinst.exe -g 6586cd8f-edc9-4ea8-ad94-afabea7f62e3`|
|-n *"name"*|Specifies the customized database to uninstall by file name.<p>For example,<br>`sdbinst.exe -n "My_Database"`|
## Related articles
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)


@ -1,77 +0,0 @@
---
title: Using the SUA Tool (Windows 10)
description: The Standard User Analyzer (SUA) tool can test applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# Using the SUA Tool
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
The SUA Wizard also addresses UAC-related issues. In contrast to the SUA tool, the SUA Wizard guides you through the process step by step, without the in-depth analysis of the SUA tool. For information about the SUA Wizard, see [Using the SUA Wizard](using-the-sua-wizard.md).
In the SUA tool, you can turn virtualization on and off. When you turn virtualization off, the tested application may function more like the way it does in earlier versions of Windows®.
In the SUA tool, you can choose to run the application as **Administrator** or as **Standard User**. Depending on your selection, you may locate different types of UAC-related issues.
## Testing an Application by Using the SUA Tool
Before you can use the SUA tool, you must install Application Verifier. You must also install the Microsoft® .NET Framework 3.5 or later.
The following flowchart shows the process of using the SUA tool.
![act sua flowchart.](images/dep-win8-l-act-suaflowchart.jpg)
**To collect UAC-related issues by using the SUA tool**
1. Close any open instance of the SUA tool or SUA Wizard on your computer.
If there is an existing SUA instance on the computer, the SUA tool opens in log viewer mode instead of normal mode. In log viewer mode, you cannot start applications, which prevents you from collecting UAC issues.
2. Run the Standard User Analyzer.
3. In the **Target Application** box, browse to the executable file for the application that you want to analyze, and then double-click to select it.
4. Clear the **Elevate** check box, and then click **Launch**.
If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning.
5. Exercise the aspects of the application for which you want to gather information about UAC issues.
6. Exit the application.
7. Review the information from the various tabs in the SUA tool. For information about each tab, see [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md).
**To review and apply the recommended mitigations**
1. In the SUA tool, on the **Mitigation** menu, click **Apply Mitigations**.
2. Review the recommended compatibility fixes.
3. Click **Apply**.
The SUA tool generates a custom compatibility-fix database and automatically applies it to the local computer, so that you can test the fixes to see whether they worked.
## Related topics
[Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md)
[Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md)
[Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md)
[Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md)


@ -1,75 +0,0 @@
---
title: Using the SUA wizard (Windows 10)
description: The Standard User Analyzer (SUA) wizard, although it doesn't offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.date: 10/28/2022
ms.topic: conceptual
ms.subservice: itpro-deploy
---
# Using the SUA wizard
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard doesn't offer detailed analysis, and it can't disable virtualization or elevate your permissions.
For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool.md).
## Testing an Application by Using the SUA wizard
Install Application Verifier before you can use the SUA wizard. If Application Verifier isn't installed on the computer that is running the SUA wizard, the SUA wizard notifies you. In addition, install the Microsoft® .NET Framework 3.5 or later before you can use the SUA wizard.
The following flowchart shows the process of using the SUA wizard.
![act sua wizard flowchart.](images/dep-win8-l-act-suawizardflowchart.jpg)
**To test an application by using the SUA wizard**
1. On the computer where the SUA wizard is installed, sign in by using a non-administrator account.
2. Run the Standard User Analyzer wizard.
3. Click **Browse for Application**, browse to the folder that contains the application that you want to test, and then double-click the executable file for the application.
4. Click **Launch**.
If you're prompted, elevate your permissions. The SUA wizard may require elevation of permissions to correctly diagnose the application.
If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning.
5. In the application, exercise the functionality that you want to test.
6. After you finish testing, exit the application.
The SUA wizard displays a message that asks whether the application ran without any issues.
7. Click **No**.
The SUA wizard shows a list of potential remedies that you might use to fix the application.
8. Select the fixes that you want to apply, and then click **Launch**.
The application appears again, with the fixes applied.
9. Test the application again, and after you finish testing, exit the application.
The SUA wizard displays a message that asks whether the application ran without any issues.
10. If the application ran correctly, click **Yes**.
The SUA wizard closes the issue as resolved on the local computer.
If the remedies don't fix the issue with the application, click **No** again, and the wizard may offer another remedies. If the other remedies don't fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for more investigation, see [Using the SUA Tool](using-the-sua-tool.md).
## Related articles
[SUA User's Guide](sua-users-guide.md)


@ -1,41 +0,0 @@
---
title: Viewing the Events Screen in Compatibility Administrator (Windows 10)
description: You can use the Events screen to record and view activities in the Compatibility Administrator tool.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
ms.date: 10/28/2022
---
# Viewing the Events Screen in Compatibility Administrator
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The **Events** screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.
>[!IMPORTANT]
>The **Events** screen only records your activities when the screen is open. If you perform an action before opening the **Events** screen, the action will not appear in the list.
**To open the Events screen**
- On the **View** menu, click **Events**.
## Handling Multiple Copies of Compatibility Fixes
Compatibility Administrator enables you to copy your compatibility fixes from one database to another, which can become confusing after adding multiple fixes, compatibility modes, and databases. For example, you can copy a fix called MyFix from Database 1 to Database 2. However, if there is already a fix called MyFix in Database 2, Compatibility Administrator renames the fix as MyFix (1) to avoid duplicate names.
If you open the **Events** screen and then perform the copy operation, you can see a description of the action, along with the time stamp, which enables you to view your fix information without confusion.
## Related topics
[Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)<br>
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)


@ -112,7 +112,7 @@ Once the device has connectivity to the domain controllers, DPAPI recovers the u
When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed.
**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
## Known issues


@ -1,50 +0,0 @@
---
title: Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
description: Learn how unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) network policies, app configuration, and other criteria
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.topic: conceptual
ms.date: 02/26/2019
ms.reviewer:
---
# Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
**Applies to:**
- Windows 10, version 1607 and later
Windows Information Protection (WIP) classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data is encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or people will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default.
To avoid the automatic encryption of data, developers can enlighten apps by adding and compiling code using the Windows Information Protection application programming interfaces. The most likely candidates for enlightenment are apps that:
- Don't use common controls for saving files.
- Don't use common controls for text boxes.
- Simultaneously work on personal and corporate data (for example, contact apps that display personal and corporate data in a single view or a browser that displays personal and corporate web pages on tabs within a single instance).
We strongly suggest that the only unenlightened apps you add to your allowed apps list are Line-of-Business (LOB) apps.
> [!IMPORTANT]
> After revoking WIP, unenlightened apps will have to be uninstalled and re-installed since their settings files will remain encrypted. For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center.
## Unenlightened app behavior
This table includes info about how unenlightened apps might behave, based on your Windows Information Protection (WIP) networking policies, your app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
|App rule setting|Networking policy configuration|
|--- |--- |
|**Not required.** App connects to enterprise cloud resources directly, using an IP address.| **Name-based policies, without the `/*AppCompat*/` string:**<li>App is entirely blocked from both personal and enterprise cloud resources.<li>No encryption is applied.<li>App can't access local Work files.<br/><br/>**Name-based policies, using the `/*AppCompat*/` string or proxy-based policies:**<li>App can access both personal and enterprise cloud resources. However, you might encounter apps using policies that restrict access to enterprise cloud resources.<li>No encryption is applied.<li>App can't access local Work files.|
|**Not required.** App connects to enterprise cloud resources, using a hostname.|<li>App is blocked from accessing enterprise cloud resources, but can access other network resources.<li>No encryption is applied.<li>App can't access local Work files.|
|**Allow.** App connects to enterprise cloud resources, using an IP address or a hostname.|<li>App can access both personal and enterprise cloud resources.<li>Auto-encryption is applied.<li>App can access local Work files.|
|**Exempt.** App connects to enterprise cloud resources, using an IP address or a hostname.|<li>App can access both personal and enterprise cloud resources.<li>No encryption is applied.<li>App can access local Work files.|
## Enlightened app behavior
This table includes info about how enlightened apps might behave, based on your Windows Information Protection (WIP) networking policies, your app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.
|App rule setting|Networking policy configuration for name-based policies, possibly using the /&#42;AppCompat&#42;/ string, or proxy-based policies|
|--- |--- |
|**Not required.** App connects to enterprise cloud resources, using an IP address or a hostname.|<li>App is blocked from accessing enterprise cloud resources, but can access other network resources.<li> No encryption is applied.<li> App can't access local Work files.|
|**Allow.** App connects to enterprise cloud resources, using an IP address or a hostname.|<li>App can access both personal and enterprise cloud resources.<li> App protects work data and leaves personal data unprotected.<li> App can access local Work files.|
|**Exempt.** App connects to enterprise cloud resources, using an IP address or a hostname.|<li>App can access both personal and enterprise cloud resources.<li> App protects work data and leaves personal data unprotected.<li> App can access local Work files.|
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).


@ -1,205 +0,0 @@
---
title: How to collect Windows Information Protection (WIP) audit event logs
description: How to collect & understand Windows Information Protection audit event logs via the Reporting configuration service provider (CSP) or Windows Event Forwarding.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.topic: conceptual
ms.date: 02/26/2019
ms.reviewer:
---
# How to collect Windows Information Protection (WIP) audit event logs
**Applies to:**
- Windows 10, version 1607 and later
Windows Information Protection (WIP) creates audit events in the following situations:
- If an employee changes the File ownership for a file from **Work** to **Personal**.
- If data is marked as **Work**, but shared to a personal app or webpage. For example, through copying and pasting, dragging and dropping, sharing a contact, uploading to a personal webpage, or if the user grants a personal app provides temporary access to a work file.
- If an app has custom audit events.
## Collect WIP audit logs by using the Reporting configuration service provider (CSP)
Collect the WIP audit logs from your employee's devices by following the guidance provided by the [Reporting configuration service provider (CSP)](/windows/client-management/mdm/reporting-csp) documentation. This topic provides info about the actual audit events.
>[!Note]
>The **Data** element in the response includes the requested audit logs in an XML-encoded format.
### User element and attributes
This table includes all available attributes for the **User** element.
|Attribute |Value type |Description |
|----------|-----------|------------|
|UserID |String |The security identifier (SID) of the user corresponding to this audit report. |
|EnterpriseID |String |The enterprise ID corresponding to this audit report. |
### Log element and attributes
This table includes all available attributes/elements for the **Log** element. The response can contain zero (0) or more **Log** elements.
|Attribute/Element |Value type |Description |
|----------|-----------|------------|
|ProviderType |String |This is always **EDPAudit**. |
|LogType |String |Includes:<ul><li>**DataCopied.** Work data is copied or shared to a personal location.</li><li>**ProtectionRemoved.** Windows Information Protection is removed from a Work-defined file.</li><li>**ApplicationGenerated.** A custom audit log provided by an app.</li></ul>|
|TimeStamp |Int |Uses the [FILETIME structure](/windows/win32/api/minwinbase/ns-minwinbase-filetime) to represent the time that the event happened. |
|Policy |String |How the work data was shared to the personal location:<ul><li>**CopyPaste.** Work data was pasted into a personal location or app.</li><li>**ProtectionRemoved.** Work data was changed to be unprotected.</li><li>**DragDrop.** Work data was dropped into a personal location or app.</li><li>**Share.** Work data was shared with a personal location or app.</li><li>**NULL.** Any other way work data could be made personal beyond the options above. For example, when a work file is opened using a personal application (also known as, temporary access).</li></ul> |
|Justification |String |Not implemented. This will always be either blank or NULL.<br><br>**Note**<br>Reserved for future use to collect the user justification for changing from **Work** to **Personal**. |
|Object |String |A description of the shared work data. For example, if an employee opens a work file by using a personal app, this would be the file path. |
|DataInfo |String |Any additional info about how the work file changed:<ul><li>**A file path.** If an employee uploads a work file to a personal website by using Microsoft Edge or Internet Explorer, the file path is included here.</li><li>**Clipboard data types.** If an employee pastes work data into a personal app, the list of clipboard data types provided by the work app are included here. For more info, see the [Examples](#examples) section of this topic.</li></ul> |
|Action |Int |Provides info about what happened when the work data was shared to personal, including:<ul><li>**1.** File decrypt.</li><li>**2.** Copy to location.</li><li>**3.** Send to recipient.</li><li>**4.** Other.</li></ul> |
|FilePath |String |The file path to the file specified in the audit event. For example, the location of a file that's been decrypted by an employee or uploaded to a personal website. |
|SourceApplicationName |String |The source app or website. For the source app, this is the AppLocker identity. For the source website, this is the hostname. |
|SourceName |String |A string provided by the app that's logging the event. It's intended to describe the source of the work data. |
|DestinationEnterpriseID |String |The enterprise ID value for the app or website where the employee is sharing the data.<br><br>**NULL**, **Personal**, or **blank** means there's no enterprise ID because the work data was shared to a personal location. Because we don't currently support multiple enrollments, you'll always see one of these values. |
|DestinationApplicationName |String |The destination app or website. For the destination app, this is the AppLocker identity. For the destination website, this is the hostname. |
|DestinationName |String |A string provided by the app that's logging the event. It's intended to describe the destination of the work data. |
|Application |String |The AppLocker identity for the app where the audit event happened. |
### Examples
Here are a few examples of responses from the Reporting CSP.
#### File ownership on a file is changed from work to personal
```xml
<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta><Format xmlns="syncml:metinf">xml</Format></Meta><Data><?xml version="1.0" encoding="utf-8"?>
<Reporting Version="com.contoso/2.0/MDM/Reporting">
<User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
<Log ProviderType="EDPAudit" LogType="ProtectionRemoved" TimeStamp="131357166318347527">
<Policy>Protection removed</Policy>
<Justification>NULL</Justification>
<FilePath>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</FilePath>
</Log>
</User>
</Reporting></Data></Item></Results><Final/></SyncBody></SyncML>
```
#### A work file is uploaded to a personal webpage in Edge
```xml
<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta><Format xmlns="syncml:metinf">xml</Format></Meta><Data><?xml version="1.0" encoding="utf-8"?>
<Reporting Version="com.contoso/2.0/MDM/Reporting">
<User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
<Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357192409318534">
<Policy>CopyPaste</Policy>
<Justification>NULL</Justification>
<SourceApplicationName>NULL</SourceApplicationName>
<DestinationEnterpriseID>NULL</DestinationEnterpriseID>
<DestinationApplicationName>mail.contoso.com</DestinationApplicationName>
<DataInfo>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</DataInfo>
</Log>
</User>
</Reporting></Data></Item></Results><Final/></SyncBody></SyncML>
```
#### Work data is pasted into a personal webpage
```xml
<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta><Format xmlns="syncml:metinf">xml</Format></Meta><Data><?xml version="1.0" encoding="utf-8"?>
<Reporting Version="com.contoso/2.0/MDM/Reporting">
<User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
<Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357193734179782">
<Policy>CopyPaste</Policy>
<Justification>NULL</Justification>
<SourceApplicationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE\16.0.8027.1000</SourceApplicationName>
<DestinationEnterpriseID>NULL</DestinationEnterpriseID>
<DestinationApplicationName>mail.contoso.com</DestinationApplicationName>
<DataInfo>EnterpriseDataProtectionId|Object Descriptor|Rich Text Format|HTML Format|AnsiText|Text|EnhancedMetafile|Embed Source|Link Source|Link Source Descriptor|ObjectLink|Hyperlink</DataInfo>
</Log>
</User>
</Reporting></Data></Item></Results><Final/></SyncBody></SyncML>
```
#### A work file is opened with a personal application
```xml
<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta><Format xmlns="syncml:metinf">xml</Format></Meta><Data><?xml version="1.0" encoding="utf-8"?>
<Reporting Version="com.contoso/2.0/MDM/Reporting">
<User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
<Log ProviderType="EDPAudit" LogType="ApplicationGenerated" TimeStamp="131357194991209469">
<Policy>NULL</Policy>
<Justification></Justification>
<Object>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</Object>
<Action>1</Action>
<SourceName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT&reg; WINDOWS&reg; OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</SourceName>
<DestinationEnterpriseID>Personal</DestinationEnterpriseID>
<DestinationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT&reg; WINDOWS&reg; OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</DestinationName>
<Application>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT&reg; WINDOWS&reg; OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</Application>
</Log>
</User>
</Reporting></Data></Item></Results><Final/></SyncBody></SyncML>
```
#### Work data is pasted into a personal application
```xml
<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta><Format xmlns="syncml:metinf">xml</Format></Meta><Data><?xml version="1.0" encoding="utf-8"?>
<Reporting Version="com.contoso/2.0/MDM/Reporting">
<User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
<Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357196076537270">
<Policy>CopyPaste</Policy>
<Justification>NULL</Justification>
<SourceApplicationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE\16.0.8027.1000</SourceApplicationName>
<DestinationEnterpriseID>NULL</DestinationEnterpriseID>
<DestinationApplicationName></DestinationApplicationName>
<DataInfo>EnterpriseDataProtectionId|Object Descriptor|Rich Text Format|HTML Format|AnsiText|Text|EnhancedMetafile|Embed Source|Link Source|Link Source Descriptor|ObjectLink|Hyperlink</DataInfo>
</Log>
</User>
</Reporting></Data></Item></Results><Final/></SyncBody></SyncML>
```
## Collect WIP audit logs by using Windows Event Forwarding (for Windows desktop domain-joined devices only)
Use Windows Event Forwarding to collect and aggregate your Windows Information Protection audit events. You can view your audit events in the Event Viewer.
**To view the WIP events in the Event Viewer**
1. Open Event Viewer.
2. In the console tree under **Application and Services Logs\Microsoft\Windows**, click **EDP-Audit-Regular** and **EDP-Audit-TCB**.
## Collect WIP audit logs using Azure Monitor
You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.]()
**To view the WIP events in Azure Monitor**
1. Use an existing or create a new Log Analytics workspace.
2. In **Log Analytics** > **Advanced Settings**, select **Data**. In Windows Event Logs, add logs to receive:
```console
Microsoft-Windows-EDP-Application-Learning/Admin
Microsoft-Windows-EDP-Audit-TCB/Admin
```
>[!NOTE]
>If using Windows Events Logs, the event log names can be found under Properties of the event in the Events folder (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB).
3. Download Microsoft [Monitoring Agent](/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation).
4. To get MSI for Intune installation as stated in the Azure Monitor article, extract: `MMASetup-.exe /c /t:`
Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More information on Workspace ID and Primary key can be found in **Log Analytics** > **Advanced Settings**.
5. To deploy MSI via Intune, in installation parameters add: `/q /norestart NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID=<WORKSPACE_ID> OPINSIGHTS_WORKSPACE_KEY=<WORKSPACE_KEY> AcceptEndUserLicenseAgreement=1`
>[!NOTE]
>Replace <WORKSPACE_ID> & <WORKSPACE_KEY> received from step 5. In installation parameters, don't place <WORKSPACE_ID> & <WORKSPACE_KEY> in quotes ("" or '').
6. After the agent is deployed, data will be received within approximately 10 minutes.
7. To search for logs, go to **Log Analytics workspace** > **Logs**, and type **Event** in search.
***Example***
```console
Event | where EventLog == "Microsoft-Windows-EDP-Audit-TCB/Admin"
```
## Additional resources
- [How to deploy app via Intune](/intune/apps-add)
- [How to create Log workspace](/azure/azure-monitor/learn/quick-create-workspace)
- [How to use Microsoft Monitoring Agents for Windows](/azure/azure-monitor/platform/agents-overview)


@ -1,162 +0,0 @@
---
title: Create an EFS Data Recovery Agent certificate
description: Follow these steps to create, verify, and perform a quick recovery by using an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.reviewer: rafals
ms.topic: how-to
ms.date: 07/15/2022
---
# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)]
<!-- 6010051 -->
_Applies to:_
- Windows 10
- Windows 11
If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
>[!IMPORTANT]
>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](/previous-versions/technet-magazine/cc162507(v=msdn.10)) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](/previous-versions/tn-archive/cc875821(v=technet.10)).<br><br>If your DRA certificate has expired, you won't be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
## Manually create an EFS DRA certificate
1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate.
2. Run this command:
```cmd
cipher /r:EFSRA
```
Where *EFSRA* is the name of the `.cer` and `.pfx` files that you want to create.
3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file.
The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1.
>[!Important]
>Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Configuration Manager](create-wip-policy-using-configmgr.md).
> [!NOTE]
> This certificate can be used in Intune for policies both _with_ device enrollment (MDM) and _without_ device enrollment (MAM).
## Verify your data recovery certificate is correctly set up on a WIP client computer
1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it's encrypted by WIP.
2. Open an app on your protected app list, and then create and save a file so that it's encrypted by WIP.
3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
```cmd
cipher /c filename
```
Where *filename* is the name of the file you created in Step 1.
4. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list.
## Recover your data using the EFS DRA certificate in a test environment
1. Copy your WIP-encrypted file to a location where you have admin access.
2. Install the EFSDRA.pfx file, using its password.
3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command:
```cmd
cipher /d encryptedfile.extension
```
Where *encryptedfile.extension* is the name of your encrypted file. For example, `corporatedata.docx`.
## Recover WIP-protected after unenrollment
It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once.
>[!IMPORTANT]
>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device.
1. Have the employee sign in to the unenrolled device, open an elevated command prompt, and type:
```cmd
Robocopy "%localappdata%\Microsoft\EDP\Recovery" "new_location" * /EFSRAW
```
Where "*new_location*" is in a different directory. This can be on the employee's device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent.
To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**.
![Robocopy in S mode.](images/robocopy-s-mode.png)
If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type:
```cmd
Robocopy "drive_letter:\System Volume Information\EDP\Recovery\" "new_location" * /EFSRAW
```
2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing:
```cmd
cipher.exe /D "new_location"
```
3. Have your employee sign in to the unenrolled device, and type:
```cmd
Robocopy "new_location" "%localappdata%\Microsoft\EDP\Recovery\Input"
```
4. Ask the employee to lock and unlock the device.
The Windows Credential service automatically recovers the employee's previously revoked keys from the `Recovery\Input` location.
## Auto-recovery of encryption keys
Starting with Windows 10, version 1709, WIP includes a data recovery feature that lets your employees auto-recover access to work files if the encryption key is lost and the files are no longer accessible. This typically happens if an employee reimages the operating system partition, removing the WIP key info, or if a device is reported as lost and you mistakenly target the wrong device for unenrollment.
To help make sure employees can always access files, WIP creates an auto-recovery key that's backed up to their Microsoft Entra identity.
The employee experience is based on signing in with a Microsoft Entra ID work account. The employee can either:
- Add a work account through the **Windows Settings > Accounts > Access work or school > Connect** menu.
-OR-
- Open **Windows Settings > Accounts > Access work or school > Connect** and choose the **Join this device to Microsoft Entra ID** link, under **Alternate actions**.
>[!Note]
>To perform a Microsoft Entra Domain Join from the Settings page, the employee must have administrator privileges to the device.
After signing in, the necessary WIP key info is automatically downloaded and employees are able to access the files again.
### To test what the employee sees during the WIP key recovery process
1. Attempt to open a work file on an unenrolled device.
The **Connect to Work to access work files** box appears.
2. Click **Connect**.
The **Access work or school settings** page appears.
3. Sign-in to Microsoft Entra ID as the employee and verify that the files now open
## Related topics
- [Security Watch Deploying EFS: Part 1](/previous-versions/technet-magazine/cc162507(v=msdn.10))
- [Protecting Data by Using EFS to Encrypt Hard Drives](/previous-versions/tn-archive/cc875821(v=technet.10))
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)
- [Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager](create-wip-policy-using-configmgr.md)
- [Creating a Domain-Based Recovery Agent](/previous-versions/tn-archive/cc875821(v=technet.10)#EJAA)


@ -1,64 +0,0 @@
---
title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune
description: After you've created and deployed your Windows Information Protection (WIP) policy, use Microsoft Intune to link it to your Virtual Private Network (VPN) policy
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.topic: conceptual
ms.date: 02/26/2019
ms.reviewer:
---
# Associate and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune
**Applies to:**
- Windows 10, version 1607 and later
After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
## Associate your WIP policy to your VPN policy using Intune
To associate your WIP policy with your organization's existing VPN policy, use the following steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
- **Platform**: Select **Windows 10 and later**
- **Profile**: Select **Templates** > **Custom**.
4. Select **Create**.
5. In **Basics**, enter the following properties:
- **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later.
- **Description**: Enter a description for the profile. This setting is optional, but recommended.
6. Select **Next**.
7. In **Configuration settings**, enter the following properties:
- **Name**: Enter a name for your setting. For example, enter `EDPModeID`.
- **OMA-URI**: Enter `./Vendor/MSFT/VPNv2/YourVPNProfileName/EDPModeId`.
- **Data type**: Select `String`.
- **Value**: Type your fully qualified domain that should be used by the OMA-URI setting. For example, enter `corp.contoso.com`.
For more information on these settings, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
8. Select **Next**, and continue configuring the policy. For the specific steps and recommendations, see [Create a profile with custom settings in Intune](/mem/intune/configuration/custom-settings-configure).
## Deploy your VPN policy using Microsoft Intune
After you've created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
1. On the **App policy** blade, select your newly created policy, select **User groups** from the menu that appears, and then select **Add user group**.
A list of user groups, made up of all of the security groups in your Microsoft Entra ID, appear in the **Add user group** blade.
2. Choose the group you want your policy to apply to, and then select **Select** to deploy the policy.
The policy is deployed to the selected users' devices.
![Microsoft Intune: Pick your user groups that should get the policy when it's deployed.](images/wip-azure-add-user-groups.png)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).


@ -1,480 +0,0 @@
---
title: Create and deploy a WIP policy in Configuration Manager
description: Use Microsoft Configuration Manager to create and deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.reviewer: rafals
ms.topic: how-to
ms.date: 07/15/2022
---
# Create and deploy a Windows Information Protection policy in Configuration Manager
[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)]
<!-- 6010051 -->
_Applies to:_
- Windows 10
- Windows 11
Microsoft Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy. You can choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
## Add a WIP policy
After you've installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
>[!TIP]
> Review the [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) article before creating a new configuration item to avoid common issues.
**To create a configuration item for WIP**
1. Open the Configuration Manager console, select the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
![Configuration Manager, Configuration Items screen.](images/wip-configmgr-addpolicy.png)
2. Select the **Create Configuration Item** button.<p>
The **Create Configuration Item Wizard** starts.
![Create Configuration Item wizard, define the configuration item and choose the configuration type.](images/wip-configmgr-generalscreen.png)
3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then select **Next**.
- **Settings for devices managed with the Configuration Manager client:** Windows 10
-OR-
- **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10
5. On the **Supported Platforms** screen, select the **Windows 10** box, and then select **Next**.
![Create Configuration Item wizard, choose the supported platforms for the policy.](images/wip-configmgr-supportedplat.png)
6. On the **Device Settings** screen, select **Windows Information Protection**, and then select **Next**.
![Create Configuration Item wizard, choose the Windows Information Protection settings.](images/wip-configmgr-devicesettings.png)
The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
## Add app rules to your policy
During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through Windows Information Protection. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
>[!IMPORTANT]
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with Windows Information Protection before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
### Add a store app rule to your policy
For this example, we're going to add Microsoft OneNote, a store app, to the **App Rules** list.
**To add a store app**
1. From the **App rules** area, select **Add**.
The **Add app rule** box appears.
![Create Configuration Item wizard, add a universal store app.](images/wip-configmgr-adduniversalapp.png)
2. Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*.
3. Select **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Store App** from the **Rule template** drop-down list.
The box changes to show the store app rule options.
5. Type the name of the app and the name of its publisher, and then select **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
If you don't know the publisher or product name, you can find them for both desktop devices by following these steps.
**To find the Publisher and Product Name values for Store apps without installing them**
1. Go to the [Microsoft Store](https://apps.microsoft.com/) website, and find your app. For example, Microsoft OneNote.
> [!NOTE]
> If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in [Add an AppLocker policy file](#add-an-applocker-policy-file) in this article.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is `https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl`, and you'd copy the ID value, `9wzdncrfhvjl`.
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run `https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata`, where `9wzdncrfhvjl` is replaced with your ID value.
The API runs and opens a text editor with the app details.
```json
{
"packageIdentityName": "Microsoft.Office.OneNote",
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}
```
4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
> [!IMPORTANT]
> The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`.
>
> For example:
>
> ```json
> {
> "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
> }
> ```
### Add a desktop app rule to your policy
For this example, we're going to add Internet Explorer, a desktop app, to the **App Rules** list.
**To add a desktop app to your policy**
1. From the **App rules** area, select **Add**.
The **Add app rule** box appears.
![Create Configuration Item wizard, add a classic desktop app.](images/wip-configmgr-adddesktopapp.png)
2. Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*.
3. Select **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Desktop App** from the **Rule template** drop-down list.
The box changes to show the desktop app rule options.
5. Pick the options you want to include for the app rule (see table), and then select **OK**.
|Option|Manages|
|--- |--- |
|All fields left as "*"|All files signed by any publisher. (Not recommended.)|
|**Publisher** selected|All files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps.|
|**Publisher** and **Product Name** selected|All files for the specified product, signed by the named publisher.|
|**Publisher**, **Product Name**, and **Binary name** selected|Any version of the named file or package for the specified product, signed by the named publisher.|
|**Publisher**, **Product Name**, **Binary name**, and **File Version, and above**, selected|Specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened.|
|**Publisher**, **Product Name**, **Binary name**, and **File Version, And below** selected|Specified version or older releases of the named file or package for the specified product, signed by the named publisher.|
|**Publisher**, **Product Name**, **Binary name**, and **File Version, Exactly** selected|Specified version of the named file or package for the specified product, signed by the named publisher.|
If you're unsure about what to include for the publisher, you can run this PowerShell command:
```powershell
Get-AppLockerFileInformation -Path "<path of the exe>"
```
Where `"<path of the exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`.
In this example, you'd get the following info:
```console
Path Publisher
---- ---------
%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR...
```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
### Add an AppLocker policy file
For this example, we're going to add an AppLocker XML file to the **App Rules** list. You'll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](../../application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md) content.
**To create an app rule and xml file using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then select **Packaged App Rules**.
![Local security snap-in, showing the Packaged app Rules.](images/intune-local-security-snapin.png)
3. Right-click in the right-hand pane, and then select **Create New Rule**.
The **Create Packaged app Rules** wizard appears.
4. On the **Before You Begin** page, select **Next**.
![Create a Packaged app Rules wizard and showing the Before You Begin page.](images/intune-applocker-before-begin.png)
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then select **Next**.
![Create Packaged app Rules wizard, set action to Allow.](images/intune-applocker-permissions.png)
6. On the **Publisher** page, select **Select** from the **Use an installed packaged app as a reference** area.
![Create Packaged app Rules wizard, select use an installed packaged app.](images/intune-applocker-publisher.png)
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then select **OK**. For this example, we're using Microsoft Photos.
![Create Packaged app Rules wizard, select application and click ok.](images/intune-applocker-select-apps.png)
8. On the updated **Publisher** page, select **Create**.
![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page.](images/intune-applocker-publisher-with-app.png)
9. Review the Local Security Policy snap-in to make sure your rule is correct.
![Local security snap-in, showing the new rule.](images/intune-local-security-snapin-updated.png)
10. In the left pane, right-click on **AppLocker**, and then select **Export policy**.
The **Export policy** box opens, letting you export and save your new policy as XML.
![Local security snap-in, showing the Export Policy option.](images/intune-local-security-export.png)
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then select **Save**.
The policy is saved and you'll see a message that says one rule was exported from the policy.
**Example XML file**<br>
This is the XML file that AppLocker creates for Microsoft Photos.
```xml
<AppLockerPolicy Version="1">
<RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Script" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Appx" EnforcementMode="NotConfigured">
<FilePublisherRule Id="5e0c752b-5921-4f72-8146-80ad5f582110" Name="Microsoft.Windows.Photos, version 16.526.0.0 and above, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Photos" BinaryName="*">
<BinaryVersionRange LowSection="16.526.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
</AppLockerPolicy>
```
12. After you've created your XML file, you need to import it by using Configuration Manager.
**To import your Applocker policy file app rule using Configuration Manager**
1. From the **App rules** area, select **Add**.
The **Add app rule** box appears.
![Create Configuration Item wizard, add an AppLocker policy.](images/wip-configmgr-addapplockerfile.png)
2. Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*.
3. Select **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick the **AppLocker policy file** from the **Rule template** drop-down list.
The box changes to let you import your AppLocker XML policy file.
5. Select the ellipsis (...) to browse for your AppLocker XML file, select **Open**, and then select **OK** to close the **Add app rule** box.
The file is imported and the apps are added to your **App Rules** list.
### Exempt apps from WIP restrictions
If you're running into compatibility issues where your app is incompatible with Windows Information Protection (WIP), but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
**To exempt a store app, a desktop app, or an AppLocker policy file app rule**
1. From the **App rules** area, select **Add**.
The **Add app rule** box appears.
2. Add a friendly name for your app into the **Title** box. In this example, it's *Exempt apps list*.
3. Select **Exempt** from the **Windows Information Protection mode** drop-down list.
When you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see [Add app rules to your policy](#add-app-rules-to-your-policy) in this article.
4. Fill out the rest of the app rule info, based on the type of rule you're adding:
- **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this article.
- **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this article.
- **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this article, using a list of exempted apps.
5. Select **OK**.
## Manage the WIP-protection level for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
|Mode |Description |
|-----|------------|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would have been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on. For more information, see [How to disable Windows Information Protection](how-to-disable-wip.md).|
:::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level" source="images/wip-configmgr-appmgmt.png":::
## Define your enterprise-managed identity domains
Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
You can specify multiple domains owned by your enterprise by separating them with the `|` character. For example, `contoso.com|newcontoso.com`. With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
**To add your corporate identity**
- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity.](images/wip-configmgr-corp-identity.png)
## Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
>[!IMPORTANT]
>Every WIP policy should include policy that defines your enterprise network locations.<br>
>Classless Inter-Domain Routing (CIDR) notation isn't supported for WIP configurations.
**To define where your protected apps can find and send enterprise data on your network**
1. Add additional network locations your apps can access by clicking **Add**.
The **Add or edit corporate network definition** box appears.
2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
![Add or edit corporate network definition box, Add your enterprise network locations.](images/wip-configmgr-add-network-domain.png)
- **Enterprise Cloud Resources**: Specify the cloud resources to be treated as corporate and protected by WIP.
For each cloud resource, you may also optionally specify a proxy server from your internal proxy servers list to route traffic for this cloud resource. All traffic routed through your internal proxy servers is considered enterprise.
If you have multiple resources, you must separate them using the `|` delimiter. If you don't use proxy servers, you must also include the `,` delimiter just before the `|`. For example: URL `<,proxy>|URL <,proxy>`.
**Format examples**:
- **With proxy**: `contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,contoso.internalproxy2.com`
- **Without proxy**: `contoso.sharepoint.com|contoso.visualstudio.com`
>[!Important]
> In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.
- **Enterprise Network Domain Names (Required)**: Specify the DNS suffixes used in your environment. All traffic to the fully qualified domains appearing in this list will be protected.
This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.
If you have multiple resources, you must separate them using the "," delimiter.
**Format examples**: `corp.contoso.com,region.contoso.com`
- **Proxy servers**: Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter.
**Format examples**: `proxy.contoso.com:80;proxy2.contoso.com:443`
- **Internal proxy servers**: Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter.
**Format examples**: `contoso.internalproxy1.com;contoso.internalproxy2.com`
- **Enterprise IPv4 Range (Required)**: Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
If you have multiple ranges, you must separate them using the "," delimiter.
**Format examples**:
- **Starting IPv4 Address:** `3.4.0.1`
- **Ending IPv4 Address:** `3.4.255.254`
- **Custom URI:** `3.4.0.1-3.4.255.254, 10.0.0.1-10.255.255.254`
- **Enterprise IPv6 Range**: Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
If you have multiple ranges, you must separate them using the "," delimiter.
**Format examples**:
- **Starting IPv6 Address:** `2a01:110::`
- **Ending IPv6 Address:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff`
- **Custom URI:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`
- **Neutral Resources**: Specify your authentication redirection endpoints for your company. These locations are considered enterprise or personal, based on the context of the connection before the redirection.
If you have multiple resources, you must separate them using the "," delimiter.
**Format examples**: `sts.contoso.com,sts.contoso2.com`
3. Add as many locations as you need, and then select **OK**.
The **Add or edit corporate network definition** box closes.
4. Decide if you want to Windows to look for additional network settings and if you want to show the WIP icon on your corporate files while in File Explorer.
:::image type="content" alt-text="Create Configuration Item wizard, Add whether to search for additional network settings" source="images/wip-configmgr-optsettings.png":::
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Select this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Select this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option.
- **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Select this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option.
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy.
![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate.](images/wip-configmgr-dra.png)
After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
For more info about how to find and export your data recovery certificate, see [Data Recovery and Encrypting File System (EFS)](/previous-versions/tn-archive/cc512680(v=technet.10)). For more info about creating and verifying your EFS DRA certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
## Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings.
![Create Configuration Item wizard, Choose any additional, optional settings.](images/wip-configmgr-additionalsettings.png)
**To set your optional settings**
1. Choose to set any or all of the optional settings:
- **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
- **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
- **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
- **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions.
- **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](/azure/information-protection/administer-powershell). If you don't specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to.
2. After you pick all of the settings you want to include, select **Summary**.
## Review your configuration choices in the Summary screen
After you've finished configuring your policy, you can review all of your info on the **Summary** screen.
**To view the Summary screen**
- Select the **Summary** button to review your policy choices, and then select **Next** to finish and to save your policy.
![Create Configuration Item wizard, Summary screen for all of your policy choices.](images/wip-configmgr-summaryscreen.png)
A progress bar appears, showing you progress for your policy. After it's done, select **Close** to return to the **Configuration Items** page.
## Deploy the WIP policy
After you've created your WIP policy, you'll need to deploy it to your organization's devices. For more information about your deployment options, see the following articles:
- [Create configuration baselines in Configuration Manager](/mem/configmgr/compliance/deploy-use/create-configuration-baselines)
- [How to deploy configuration baselines in Configuration Manager](/mem/configmgr/compliance/deploy-use/deploy-configuration-baselines)
## Related articles
- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
- [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)


@ -1,605 +0,0 @@
---
title: Create a WIP policy in Intune
description: Learn how to use the Microsoft Intune admin center to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.reviewer: rafals
ms.topic: how-to
ms.date: 07/15/2022
---
# Create a Windows Information Protection policy in Microsoft Intune
[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)]
<!-- 6010051 -->
_Applies to:_
- Windows 10
- Windows 11
Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device.
## Differences between MDM and MAM for WIP
You can create an app protection policy in Intune either with device enrollment for MDM or without device enrollment for MAM. The process to create either policy is similar, but there are important differences:
- MAM has more **Access** settings for Windows Hello for Business.
- MAM can [selectively wipe company data](/intune/apps-selective-wipe) from a user's personal device.
- MAM requires an [Microsoft Entra ID P1 or P2 license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses).
- A Microsoft Entra ID P1 or P2 license is also required for WIP auto-recovery, where a device can re-enroll and regain access to protected data. WIP auto-recovery depends on Microsoft Entra registration to back up the encryption keys, which requires device auto-enrollment with MDM.
- MAM supports only one user per device.
- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md).
- Only MDM can use [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) policies.
- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Microsoft Entra ID. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
## Prerequisites
Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Microsoft Entra ID. MAM requires an [Microsoft Entra ID P1 or P2 license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). A Microsoft Entra ID P1 or P2 license is also required for WIP auto-recovery, where a device can re-enroll and regain access to protected data. WIP auto-recovery relies on Microsoft Entra registration to back up the encryption keys, which requires device auto-enrollment with MDM.
## Configure the MDM or MAM provider
1. Sign in to the Azure portal.
2. Select **Microsoft Entra ID** > **Mobility (MDM and MAM)** > **Microsoft Intune**.
3. Select **Restore Default URLs** or enter the settings for MDM or MAM user scope and select **Save**:
![Configure MDM or MAM provider.](images/mobility-provider.png)
## Create a WIP policy
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Open Microsoft Intune and select **Apps** > **App protection policies** > **Create policy**.
![Open Client apps.](images/create-app-protection-policy.png)
3. In the **App policy** screen, select **Add a policy**, and then fill out the fields:
- **Name.** Type a name (required) for your new policy.
- **Description.** Type an optional description.
- **Platform.** Choose **Windows 10**.
- **Enrollment state.** Choose **Without enrollment** for MAM or **With enrollment** for MDM.
![Add a mobile app policy.](images/add-a-mobile-app-policy.png)
4. Select **Protected apps** and then select **Add apps**.
![Add protected apps.](images/add-protected-apps.png)
You can add these types of apps:
- [Recommended apps](#add-recommended-apps)
- [Store apps](#add-store-apps)
- [Desktop apps](#add-desktop-apps)
>[!NOTE]
>An application might return access denied errors after removing it from the list of protected apps. Rather than remove it from the list, uninstall and reinstall the application or exempt it from WIP policy.
### Add recommended apps
Select **Recommended apps** and select each app you want to access your enterprise data or select them all, and select **OK**.
![Microsoft Intune management console: Recommended apps.](images/recommended-apps.png)
### Add Store apps
Select **Store apps**, type the app product name and publisher, and select **OK**. For example, to add the Power BI Mobile App from the Store, type the following:
- **Name**: Microsoft Power BI
- **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
- **Product Name**: `Microsoft.MicrosoftPowerBIForWindows`
![Add Store app.](images/add-a-protected-store-app.png)
To add multiple Store apps, select the ellipsis `…`.
If you don't know the Store app publisher or product name, you can find them by following these steps.
1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Power BI Mobile App*.
2. Copy the ID value from the app URL. For example, the Power BI Mobile App ID URL is `https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1`, and you'd copy the ID value, `9nblgggzlxn1`.
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run `https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata`, where `9nblgggzlxn1` is replaced with your ID value.
The API runs and opens a text editor with the app details.
```json
{
"packageIdentityName": "Microsoft.MicrosoftPowerBIForWindows",
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}
```
4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune.
>[!Important]
>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
>
> For example:
>
> ```json
> {
> "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
> }
<!-- 01.06.2022 mandia: Commenting out, as these events are specific to Windows Phone.
> [!NOTE]
> Your PC and phone must be on the same wireless network.
1. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
2. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
3. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
4. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
7. Start the app for which you're looking for the publisher and product name values.
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
>[!Important]
>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
>
> For example:
>
> ```json
> {
> "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
> }
-->
### Add Desktop apps
To add **Desktop apps**, complete the following fields, based on what results you want returned.
|Field|Manages|
|--- |--- |
|All fields marked as `*`|All files signed by any publisher. (Not recommended and may not work)|
|Publisher only|If you only fill out this field, you'll get all files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps.|
|Publisher and Name only|If you only fill out these fields, you'll get all files for the specified product, signed by the named publisher.|
|Publisher, Name, and File only|If you only fill out these fields, you'll get any version of the named file or package for the specified product, signed by the named publisher.|
|Publisher, Name, File, and Min version only|If you only fill out these fields, you'll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened.|
|Publisher, Name, File, and Max version only|If you only fill out these fields, you'll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.|
|All fields completed|If you fill out all fields, you'll get the specified version of the named file or package for the specified product, signed by the named publisher.|
To add another Desktop app, select the ellipsis `…`. After you've entered the info into the fields, select **OK**.
![Microsoft Intune management console: Adding Desktop app info.](images/wip-azure-add-desktop-apps.png)
If you're unsure about what to include for the publisher, you can run this PowerShell command:
```powershell
Get-AppLockerFileInformation -Path "<path_of_the_exe>"
```
Where `"<path_of_the_exe>"` goes to the location of the app on the device. For example:
```powershell
Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"
```
In this example, you'd get the following info:
```console
Path Publisher
---- ---------
%PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
```
Where `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the **Publisher** name and `WORDPAD.EXE` is the **File** name.
Regarding to how to get the Product Name for the Apps you wish to Add, contact the Windows Support Team to request the guidelines
### Import a list of apps
This section covers two examples of using an AppLocker XML file to the **Protected apps** list. You'll use this option if you want to add multiple apps at the same time.
- [Create a Packaged App rule for Store apps](#create-a-packaged-app-rule-for-store-apps)
- [Create an Executable rule for unsigned apps](#create-an-executable-rule-for-unsigned-apps)
For more info about AppLocker, see the [AppLocker](../../application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md) content.
#### Create a Packaged App rule for Store apps
1. Open the Local Security Policy snap-in (SecPol.msc).
2. Expand **Application Control Policies**, expand **AppLocker**, and then select **Packaged App Rules**.
![Local security snap-in, showing the Packaged app Rules.](images/wip-applocker-secpol-1.png)
3. Right-click in the right side, and then select **Create New Rule**.
The **Create Packaged app Rules** wizard appears.
4. On the **Before You Begin** page, select **Next**.
![Screenshot of the Before You Begin tab.](images/wip-applocker-secpol-wizard-1.png)
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then select **Next**.
![Screenshot of the Permissions tab with "Allow" and "Everyone" selected](images/wip-applocker-secpol-wizard-2.png)
6. On the **Publisher** page, choose **Select** from the **Use an installed packaged app as a reference** area.
![Screenshot of the "Use an installed package app as a reference" radio button selected and the Select button highlighted](images/wip-applocker-secpol-wizard-3.png)
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then select **OK**. For this example, we're using Microsoft Dynamics 365.
![Screenshot of the Select applications list.](images/wip-applocker-secpol-wizard-4.png)
8. On the updated **Publisher** page, select **Create**.
![Screenshot of the Publisher tab.](images/wip-applocker-secpol-wizard-5.png)
9. Select **No** in the dialog box that appears, asking if you want to create the default rules. Don't create default rules for your WIP policy.
![Screenshot of AppLocker warning.](images/wip-applocker-default-rule-warning.png)
9. Review the Local Security Policy snap-in to make sure your rule is correct.
![Local security snap-in, showing the new rule.](images/wip-applocker-secpol-create.png)
10. On the left, right-click on **AppLocker**, and then select **Export policy**.
The **Export policy** box opens, letting you export and save your new policy as XML.
![Local security snap-in, showing the Export Policy option.](images/wip-applocker-secpol-export.png)
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then select **Save**.
The policy is saved and you'll see a message that says one rule was exported from the policy.
**Example XML file**<br>
This is the XML file that AppLocker creates for Microsoft Dynamics 365.
```xml
<?xml version="1.0"?>
<AppLockerPolicy Version="1">
<RuleCollection EnforcementMode="NotConfigured" Type="Appx">
<FilePublisherRule Action="Allow" UserOrGroupSid="S-1-1-0" Description="" Name="Microsoft.MicrosoftDynamicsCRMforWindows10, version 3.2.0.0 and above, from Microsoft Corporation" Id="3da34ed9-aec6-4239-88ba-0afdce252ab4">
<Conditions>
<FilePublisherCondition BinaryName="*" ProductName="Microsoft.MicrosoftDynamicsCRMforWindows10" PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US">
<BinaryVersionRange HighSection="*" LowSection="3.2.0.0"/>
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
<RuleCollection EnforcementMode="NotConfigured" Type="Dll"/>
<RuleCollection EnforcementMode="NotConfigured" Type="Exe"/>
<RuleCollection EnforcementMode="NotConfigured" Type="Msi"/>
<RuleCollection EnforcementMode="NotConfigured" Type="Script"/>
</AppLockerPolicy>
```
12. After you've created your XML file, you need to import it by using Microsoft Intune.
## Create an Executable rule for unsigned apps
The executable rule helps to create an AppLocker rule to sign any unsigned apps. It enables adding the file path or the app publisher contained in the file's digital signature needed for the WIP policy to be applied.
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, select **Application Control Policies** > **AppLocker** > **Executable Rules**.
3. Right-click **Executable Rules** > **Create New Rule**.
![Local security snap-in, showing the Executable Rules.](images/create-new-path-rule.png)
4. On the **Before You Begin** page, select **Next**.
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then select **Next**.
6. On the **Conditions** page, select **Path** and then select **Next**.
![Screenshot with Path conditions selected in the Create Executable Rules wizard.](images/path-condition.png)
7. Select **Browse Folders...** and select the path for the unsigned apps. For this example, we're using "C:\Program Files".
![Screenshot of the Path field of the Create Executable Rules wizard.](images/select-path.png)
8. On the **Exceptions** page, add any exceptions and then select **Next**.
9. On the **Name** page, type a name and description for the rule and then select **Create**.
10. In the left pane, right-click **AppLocker** > **Export policy**.
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then select **Save**.
The policy is saved and you'll see a message that says one rule was exported from the policy.
12. After you've created your XML file, you need to import it by using Microsoft Intune.
**To import a list of protected apps using Microsoft Intune**
1. In **Protected apps**, select **Import apps**.
![Import protected apps.](images/import-protected-apps.png)
Then import your file.
![Microsoft Intune, Importing your AppLocker policy file using Intune.](images/wip-azure-import-apps.png)
2. Browse to your exported AppLocker policy file, and then select **Open**.
The file imports and the apps are added to your **Protected apps** list.
### Exempt apps from a WIP policy
If your app is incompatible with WIP, but still needs to be used with enterprise data, then you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
1. In **Client apps - App protection policies**, select **Exempt apps**.
![Exempt apps.](images/exempt-apps.png)
2. In **Exempt apps**, select **Add apps**.
When you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data.
3. Fill out the rest of the app info, based on the type of app you're adding:
- [Add Recommended apps](#add-recommended-apps)
- [Add Store apps](#add-store-apps)
- [Add Desktop apps](#add-desktop-apps)
- [Import apps](#import-a-list-of-apps)
4. Select **OK**.
## Manage the WIP protection mode for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Block**.
1. From **App protection policy**, select the name of your policy, and then select **Required settings**.
![Microsoft Intune, Required settings shows Windows Information Protection mode.](images/wip-azure-required-settings-protection-mode.png)
|Mode |Description |
|-----|------------|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would have been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off |WIP is turned off and doesn't help to protect or audit your data.<br><br>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on. For more information, see [How to disable Windows Information Protection](how-to-disable-wip.md).|
2. Select **Save**.
## Define your enterprise-managed corporate identity
Corporate identity, typically expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the **Corporate identity** field.
**To change your corporate identity**
1. From **App policy**, select the name of your policy, and then select **Required settings**.
2. If the auto-defined identity isn't correct, you can change the info in the **Corporate identity** field.
![Microsoft Intune, Set your corporate identity for your organization.](images/wip-azure-required-settings-corp-identity.png)
3. To add domains, such your email domain names, select **Configure Advanced settings** > **Add network boundary** and select **Protected domains**.
![Add protected domains.](images/add-protected-domains.png)
## Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations.
There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
To define the network boundaries, select **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**.
![Microsoft Intune, Set where your apps can access enterprise data on your network.](images/wip-azure-advanced-settings-network.png)
Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the options covered in the following subsections, and then select **OK**.
### Cloud resources
Specify the cloud resources to be treated as corporate and protected by WIP.
For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource.
All traffic routed through your Internal proxy servers is considered enterprise.
Separate multiple resources with the "|" delimiter.
For example:
```console
URL <,proxy>|URL <,proxy>
```
Personal applications can access a cloud resource that has a blank space or an invalid character, such as a trailing dot in the URL.
To add a subdomain for a cloud resource, use a period (.) instead of an asterisk (*). For example, to add all subdomains within Office.com, use ".office.com" (without the quotation marks).
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site.
In this case, Windows blocks the connection by default.
To stop Windows from automatically blocking these connections, you can add the `/*AppCompat*/` string to the setting.
For example:
```console
URL <,proxy>|URL <,proxy>|/*AppCompat*/
```
When you use this string, we recommend that you also turn on [Microsoft Entra Conditional Access](/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
Value format with proxy:
```console
contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,contoso.internalproxy2.com
```
Value format without proxy:
```console
contoso.sharepoint.com|contoso.visualstudio.com|contoso.onedrive.com,
```
### Protected domains
Specify the domains used for identities in your environment.
All traffic to the fully qualified domains appearing in this list will be protected.
Separate multiple domains with the "|" delimiter.
```console
exchange.contoso.com|contoso.com|region.contoso.com
```
### Network domains
Specify the DNS suffixes used in your environment.
All traffic to the fully qualified domains appearing in this list will be protected.
Separate multiple resources with the "," delimiter.
```console
corp.contoso.com,region.contoso.com
```
### Proxy servers
Specify the proxy servers your devices will go through to reach your cloud resources.
Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
This list shouldn't include any servers listed in your Internal proxy servers list.
Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
Separate multiple resources with the ";" delimiter.
```console
proxy.contoso.com:80;proxy2.contoso.com:443
```
### Internal proxy servers
Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
This list shouldn't include any servers listed in your Proxy servers list.
Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
Separate multiple resources with the ";" delimiter.
```console
contoso.internalproxy1.com;contoso.internalproxy2.com
```
### IPv4 ranges
Specify the addresses for a valid IPv4 value range within your intranet.
These addresses, used with your Network domain names, define your corporate network boundaries.
Classless Inter-Domain Routing (CIDR) notation isn't supported.
Separate multiple ranges with the "," delimiter.
**Starting IPv4 Address:** 3.4.0.1<br/>
**Ending IPv4 Address:** 3.4.255.254<br/>
**Custom URI:** 3.4.0.1-3.4.255.254,<br/>
10.0.0.1-10.255.255.254
### IPv6 ranges
Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv6 value range within your intranet.
These addresses, used with your network domain names, define your corporate network boundaries.
Classless Inter-Domain Routing (CIDR) notation isn't supported.
Separate multiple ranges with the "," delimiter.
**Starting IPv6 Address:** `2a01:110::`</br>
**Ending IPv6 Address:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff`<br>
**Custom URI:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,'<br>'fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`
### Neutral resources
Specify your authentication redirection endpoints for your company.
These locations are considered enterprise or personal, based on the context of the connection before the redirection.
Separate multiple resources with the "," delimiter.
```console
sts.contoso.com,sts.contoso2.com
```
Decide if you want Windows to look for more network settings:
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you turn this off, Windows will search for more proxy servers in your immediate network.
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you turn this off, Windows will search for more IP ranges on any domain-joined devices connected to your network.
![Microsoft Intune, Choose if you want Windows to search for more proxy servers or IP ranges in your enterprise.](images/wip-azure-advanced-settings-network-autodetect.png)
## Upload your Data Recovery Agent (DRA) certificate
After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
>[!Important]
>Using a DRA certificate isn't mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see [Data Recovery and Encrypting File System (EFS)](/previous-versions/tn-archive/cc512680(v=technet.10)). For more info about creating and verifying your EFS DRA certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
**To upload your DRA certificate**
1. From **App policy**, select the name of your policy, and then select **Advanced settings** from the menu that appears.
**Advanced settings** shows.
2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy.
![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate.](images/wip-azure-advanced-settings-efsdra.png)
## Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings.
![Advanced optional settings.](images/wip-azure-advanced-settings-optional.png)
**Revoke encryption keys on unenroll.** Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
- **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions.
**Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
- **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Also, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu.
- **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option.
**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](/azure/information-protection/what-is-azure-rms) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared with employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they're copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template's license. Only users with permission to that template can read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp).
- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn't actually apply Azure Information Protection to the files.
If you don't specify an [RMS template](/information-protection/deploy-use/configure-custom-templates), it's a regular EFS file using a default RMS template that all users can access.
- **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive.
> [!NOTE]
> Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders.
**Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files.
- **On.** Starts Windows Search Indexer to index encrypted files.
- **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files.
## Encrypted file extensions
You can restrict which files are protected by WIP when they're downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied.
![WIP encrypted file extensions.](images/wip-encrypted-file-extensions.png)
## Related articles
- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
- [What is Azure Rights Management?](/information-protection/understand-explore/what-is-azure-rms)
- [Create a Windows Information Protection (WIP) protection policy using Microsoft Intune](overview-create-wip-policy.md)
- [Intune MAM Without Enrollment](/archive/blogs/configmgrdogs/intune-mam-without-enrollment)
- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)


@ -1,36 +0,0 @@
---
title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
description: After you've created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.topic: conceptual
ms.date: 03/05/2019
ms.reviewer:
---
# Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
**Applies to:**
- Windows 10, version 1607 and later
After you've created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
## To deploy your WIP policy
1. On the **App protection policies** pane, click your newly created policy, click **Assignments**, and then select groups to include or exclude from the policy.
2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy.
The policy is deployed to the selected users' devices.
![Microsoft Intune: Pick your user groups that should get the policy when it's deployed.](images/wip-azure-add-user-groups.png)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
## Related topics
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)


@ -1,111 +0,0 @@
---
title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP)
description: Learn the difference between enlightened and unenlightened apps. Find out which enlightened apps are provided by Microsoft. Learn how to allow-list them.
ms.reviewer:
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.topic: conceptual
ms.date: 05/02/2019
---
# List of enlightened Microsoft apps for use with Windows Information Protection (WIP)
**Applies to:**
- Windows 10, version 1607 and later
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
## Enlightened versus unenlightened apps
Apps can be enlightened or unenlightened:
- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies.
- **Unenlightened apps** consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because:
- Windows Desktop shows it as always running in enterprise mode.
- Windows **Save As** experiences only allow you to save your files as enterprise.
- **Windows Information Protection-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode.
## List of enlightened Microsoft apps
Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
- Microsoft 3D Viewer
- Microsoft Edge
- Internet Explorer 11
- Microsoft People
- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
- Microsoft 365 Apps for enterprise apps, including Word, Excel, PowerPoint, OneNote, and Outlook
- OneDrive app
- OneDrive sync client (OneDrive.exe, the next generation sync client)
- Microsoft Photos
- Groove Music
- Notepad
- Microsoft Paint
- Microsoft Movies & TV
- Microsoft Messaging
- Microsoft Remote Desktop
- Microsoft To Do
> [!NOTE]
> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from Windows Information Protection policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning.
## List of WIP-work only apps from Microsoft
Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with Windows Information Protection and MAM solutions.
- Skype for Business
- Microsoft Teams (build 1.3.00.12058 and later)
## Adding enlightened Microsoft apps to the allowed apps list
> [!NOTE]
> As of January 2019 it is no longer necessary to add Intune Company Portal as an exempt app since it is now included in the default list of protected apps.
You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and Microsoft Configuration Manager.
| Product name | App info |
|------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Microsoft 3D Viewer | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Microsoft3DViewer<br>**App Type:** Universal app |
| Microsoft Edge | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.MicrosoftEdge<br>**App Type:** Universal app |
| Microsoft People | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.People<br>**App Type:** Universal app |
| Word Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.Word<br>**App Type:** Universal app |
| Excel Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.Excel<br>**App Type:** Universal app |
| PowerPoint Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.PowerPoint<br>**App Type:** Universal app |
| OneNote | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.OneNote<br>**App Type:** Universal app |
| Outlook Mail and Calendar | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** microsoft.windowscommunicationsapps<br>**App Type:** Universal app |
| Microsoft 365 Apps for enterprise and Office 2019 Professional Plus | Microsoft 365 Apps for enterprise and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for Windows Information Protection.<br>We don't recommend setting up Office by using individual paths or publisher rules. |
| Microsoft Photos | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Windows.Photos<br>**App Type:** Universal app |
| Groove Music | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneMusic<br>**App Type:** Universal app |
| Microsoft Movies & TV | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneVideo<br>**App Type:** Universal app |
| Microsoft Messaging | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Messaging<br>**App Type:** Universal app |
| IE11 | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** iexplore.exe<br>**App Type:** Desktop app |
| OneDrive Sync Client | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** onedrive.exe<br>**App Type:** Desktop app |
| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Microsoftskydrive<br><b>Product Version:</b>Product version: 17.21.0.0 (and later)<br>**App Type:** Universal app |
| Notepad | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** notepad.exe<br>**App Type:** Desktop app |
| Microsoft Paint | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mspaint.exe<br>**App Type:** Desktop app |
| Microsoft Remote Desktop | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mstsc.exe<br>**App Type:** Desktop app |
| Microsoft MAPI Repair Tool | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** fixmapi.exe<br>**App Type:** Desktop app |
| Microsoft To Do | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Todos<br>**App Type:** Store app |
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).


@ -1,28 +0,0 @@
---
title: General guidance and best practices for Windows Information Protection (WIP)
description: Find resources about apps that can work with Windows Information Protection (WIP) to protect data. Enlightened apps can tell corporate and personal data apart.
author: aczechowski
ms.author: aaroncz
manager: aaroncz
ms.topic: conceptual
ms.date: 02/26/2019
---
# General guidance and best practices for Windows Information Protection (WIP)
**Applies to:**
- Windows 10, version 1607 and later
This section includes info about the enlightened Microsoft apps, including how to add them to your allowed apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
## In this section
|Topic |Description |
|------|------------|
|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |Learn the difference between enlightened and unenlightened app behaviors. |
|[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |Recommended additions for the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). |
|[Using Outlook on the web with Windows Information Protection (WIP)](using-owa-with-wip.md) |Options for using Outlook on the web with Windows Information Protection (WIP). |
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).


@ -1,124 +0,0 @@
---
title: How to disable Windows Information Protection (WIP)
description: How to disable Windows Information Protection (WIP) in Microsoft Intune or Microsoft Configuration Manager.
ms.date: 07/21/2022
ms.topic: how-to
author: lizgt2000
ms.author: lizlong
ms.reviewer: aaroncz
manager: aaroncz
---
# How to disable Windows Information Protection (WIP)
[!INCLUDE [wip-deprecation](includes/wip-deprecation.md)]
<!-- 6010051 -->
_Applies to:_
- Windows 10
- Windows 11
## Use Intune to disable WIP
To disable Windows Information Protection (WIP) using Intune, you have the following options:
### Option 1 - Unassign the WIP policy (preferred)
When you unassign an existing policy, it removes the intent to deploy WIP from those devices. When that intent is removed, the device removes protection for files and the configuration for WIP. For more information, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign).
### Option 2 - Change current WIP policy to off
If you're currently deploying a WIP policy for enrolled or unenrolled devices, you switch the WIP policy to Off. When devices check in after this change, the devices will proceed to unprotect files previously protected by WIP.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Open Microsoft Intune and select **Apps** > **App protection policies**.
1. Select the existing policy to turn off, and then select the **Properties**.
1. Edit **Required settings**.
:::image type="content" alt-text="Intune App Protection policy properties, required settings, with WIP mode Off." source="images/intune-edit-app-protection-policy-mode-off.png":::
1. Set **Windows Information Protection mode** to off.
1. After making this change, select **Review and Save**.
1. Select **Save**.
> [!NOTE]
> **Another option is to create a disable policy that sets WIP to Off.**
>
> You can create a separate disable policy for WIP (both enrolled and unenrolled) and deploy that to a new group. You then can stage the transition to this disabled state. Move devices from the existing group to the new group. This process slowly migrates devices instead of all at once.
### Revoke local encryption keys during the unenrollment process
Determine whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- Yes, or not configured. Revokes local encryption keys from a device during unenrollment.
- No (recommended). Stop local encryption keys from being revoked from a device during unenrollment.
## Use Configuration Manager to disable WIP
To disable Windows Information Protection (WIP) using Configuration Manager, create a new configuration item that turns off WIP. Configure that new object for your environment to match the existing policy, except for disabling WIP. Then deploy the new policy, and move devices into the new collection.
> [!WARNING]
> Don't just delete your existing WIP policy. If you delete the old policy, Configuration Manager stops sending further WIP policy updates, but also leaves WIP enforced on the devices. To remove WIP from your managed devices, follow the steps in this section to create a new policy to turn off WIP.
### Create a WIP policy
To disable WIP for your organization, first create a configuration item.
1. Open the Configuration Manager console, select the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
2. Select the **Create Configuration Item** button.
The **Create Configuration Item Wizard** starts.
![Create Configuration Item wizard, define the configuration item and choose the configuration type.](images/wip-configmgr-generalscreen-off.png)
3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
4. In the **Specify the type of configuration item you want to create** area, select **Windows 10 or later** for devices managed with the Configuration Manager client, and then select **Next**.
5. On the **Supported Platforms** screen, select the **Windows 10** box, and then select **Next**.
6. On the **Device Settings** screen, select **Windows Information Protection**, and then select **Next**.
The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. The following sections provide details on the required settings on this page.
> [!TIP]
> For more information on filling out the required fields, see [Create and deploy a Windows Information Protection (WIP) policy using Microsoft Configuration Manager](/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr).
#### Turn off WIP
Of the four options to specify the restriction mode, select **Off** to turn off Windows Information Protection.
:::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level." source="images/wip-configmgr-disable-wip.png":::
#### Specify the corporate identity
Paste the value of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity.](images/wip-configmgr-corp-identity.png)
> [!IMPORTANT]
> This corporate identity value must match the string in the original policy. Copy and paste the string from your original policy that enables WIP.
#### Specify the corporate network definition
For the **Corporate network definition**, select **Add** to specify the necessary network locations. The **Add or edit corporate network definition** box appears. Add the required fields.
> [!IMPORTANT]
> These corporate network definitions must match the original policy. Copy and paste the strings from your original policy that enables WIP.
#### Specify the data recovery agent certificate
In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy. This certificate should be the same as the original policy that enables WIP.
![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate.](images/wip-configmgr-dra.png)
### Deploy the WIP policy
After you've created the new policy to turn off WIP, deploy it to your organization's devices. For more information about deployment options, see the following articles:
- [Create a configuration baseline that includes the new configuration item](/mem/configmgr/compliance/deploy-use/create-configuration-baselines).
- [Create a new collection](/mem/configmgr/core/clients/manage/collections/create-collections).
- [Deploy the baseline to the collection](/mem/configmgr/compliance/deploy-use/deploy-configuration-baselines).
- Move devices from the old collection to new collection.

Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Some files were not shown because too many files have changed in this diff