diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 95fbce1223..bc18bb6319 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md 
@@ -236,213 +236,267 @@ For this example, we’re going to add an AppLocker XML file to the **Allowed ap 4. On the **Before You Begin** page, click **Next**. - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-1.png) + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-1.png) 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-2.png) 6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. - ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) + ![Create Packaged app Rules wizard, showing the Publisher](images/wip-applocker-secpol-wizard-3.png) -7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. +7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Dynamics 365. - ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) + ![Create Packaged app Rules wizard, showing the Select applications page](images/wip-applocker-secpol-wizard-4.png) 8. On the updated **Publisher** page, click **Create**. 
- ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) + ![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-secpol-wizard-5.png) + +9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy. + + ![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-default-rule-warning.png) 9. Review the Local Security Policy snap-in to make sure your rule is correct. - ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) + ![Local security snap-in, showing the new rule](images/wip-applocker-secpol-create.png) 10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. The **Export policy** box opens, letting you export and save your new policy as XML. - ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) + ![Local security snap-in, showing the Export Policy option](images/wip-applocker-secpol-export.png) 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. The policy is saved and you’ll see a message that says 1 rule was exported from the policy. **Example XML file**
- This is the XML file that AppLocker creates for Microsoft Photos. + This is the XML file that AppLocker creates for Microsoft Dynamics 365. ```xml - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + ``` + 12. After you’ve created your XML file, you need to import it by using Microsoft Intune. -**To import your Applocker policy file app rule using Microsoft Intune** -1. From the **App Rules** area, click **Add**. +**To import your list of Allowed apps using Microsoft Intune** + +1. From the **Allowed apps ** area, click **Import apps**. - The **Add App Rule** box appears. + The pane changes to let you add your import file. - ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) + ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png) -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. +2. Browse to your exported AppLocker policy file, and then click **Open**. -3. Click **Allow** from the **Windows Information Protection mode** drop-down list. + The file imports and the apps are added to your **Allowed app** list. - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. - -4. Pick **AppLocker policy file** from the **Rule template** drop-down list. - - The box changes to let you import your AppLocker XML policy file. - -5. Click **Import**, browse to your AppLocker XML file, click **Open**, and then click **OK** to close the **Add App Rule** box. - - The file is imported and the apps are added to your **App Rules** list. 
- -#### Exempt apps from WIP restrictions +#### Add exempt apps to your policy If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. -**To exempt a store app, a desktop app, or an AppLocker policy file app rule** -1. From the **App Rules** area, click **Add**. +**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Allowed apps list** + +1. From the **App policy** pane, click the name of your policy, and then click **Exempt apps** from the menu that appears. - The **Add App Rule** box appears. + The **Exempt apps** pane appears, showing you any apps that are already included in the list for this policy. -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. +2. From the **Exempt apps** pane, click **Add apps**. -3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. + Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-apps-to_your-allowed-apps-list) section of this topic. + +3. Fill out the rest of the app info, based on the type of app you’re adding: - Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. + - **Recommended app.** Follow the instructions in the [Add a Recommended app to your Allowed apps list](#add-a-recommended-app-to_your-allowed-apps-list) section of this topic. -4. 
Fill out the rest of the app rule info, based on the type of rule you’re adding: + - **Store app.** Follow the instructions in the [Add a Store app to your Allowed apps list](#add-a-store-app-to_your-allowed-apps-list) section of this topic. - - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. + - **Desktop app.** Follow the instructions in the [Add a Desktop app to your Allowed apps list](#add-a-desktop-app-to_your-allowed-apps-list) section of this topic. - - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. + - **AppLocker policy file.** Follow the instructions to create your app list in the [Import a list of apps to your Allowed apps list](#import-a-list-of-apps-to_your-allowed-apps-list) section of this topic, using a list of exempted apps. - - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. - -5. Click **OK**. +4. Click **OK**. ### Manage the WIP protection mode for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. +We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**. 
-|Mode |Description | -|-----|------------| -|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| -|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). | -|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| -|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| +**To add your protection mode** -![Microsoft Intune, Set the protection mode for your data](images/intune-protection-mode.png) +1. From the **App policy** pane, click the name of your policy, and then click **Required settings** from the menu that appears. + + The **Required settings** pane appears. + + ![Microsoft Intune, Required settings pane showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png) + + |Mode |Description | + |-----|------------| + |Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| + |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459).| + |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| + |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| + +2. Click **Save**. ### Define your enterprise-managed corporate identity Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. -You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. +Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the Corporate identity field. You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. -**To add your corporate identity** -- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. +**To change your corporate identity** - ![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) +1. From the **App policy** pane, click the name of your policy, and then click **Required settings** from the menu that appears. 
+ + The **Required settings** pane appears. + +2. If the identity isn’t correct, or if you need to add additional domains, type info into the **Corporate identity** field. For example, `contoso.com|newcontoso.com`. + + ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png) ### Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). ->[!IMPORTANT] ->Every WIP policy should include policy that defines your enterprise network locations.
->Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. +>[!Important] +>Every WIP policy should include policy that defines your enterprise network locations.
Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. -**To define where your protected apps can find and send enterprise data on you network** +**To define where your allowed apps can find and send enterprise data on you network** -1. Add additional network locations your apps can access by clicking **Add**. +1. From the **App policy** pane, click the name of your policy, and then click **Advanced settings** from the menu that appears. + + The **Advanced settings** pane appears. - The **Add or edit corporate network definition** box appears. +2. Click **Add network boundary** from the Network perimeter area. -2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. + The **Add network boundary** pane appears. + + ![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png) + +3. Select the type of network boundary to add from the **Boundary type** box. + +4. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**. - ![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png) -

- - + + - + - + - + - + - + - + - + - + - + - + - + - +
Network location typeFormatBoundary typeValue format Description
Enterprise Cloud ResourcesCloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

Enterprise Network Domain Names (Required)Network domain names corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Starting with Windows 10, version 1703, this field is optional.

Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy ServersProxy servers proxy.contoso.com:80;proxy2.contoso.com:443Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter.

Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Proxy servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy ServersInternal proxy servers contoso.internalproxy1.com;contoso.internalproxy2.com Specify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required, if not using IPv6)IPv4 ranges **Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254
Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Starting with Windows 10, version 1703, this field is optional.

Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range (Required, if not using IPv4)IPv6 ranges **Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Starting with Windows 10, version 1703, this field is optional.

Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral ResourcesNeutral resources sts.contoso.com,sts.contoso2.com Specify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

-3. Add as many locations as you need, and then click **OK**. +5. Repeat steps 1-4 to add any additional network boundaries. - The **Add corporate network definition** box closes. +6. Decide if you want to Windows to look for additional network settings: -4. Decide if you want to Windows to look for additional network settings: - - ![Microsoft Intune, Choose if you want Windows to search for additinal proxy servers or IP ranges in your enterprise](images/intune-network-detection-boxes.png) + ![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png) - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. -5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. +### Upload your Data Recovery Agent (DRA) certificate +After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. 
To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. - ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) +>[!Important] +>Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://tnstage.redmond.corp.microsoft.com/en-us/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic. - After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. +**To upload your DRA certificate** +1. From the **App policy** pane, click the name of your policy, and then click **Advanced settings** from the menu that appears. - For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). + The **Advanced settings** pane appears. + +2. 
In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. + + ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png) + +### Choose your optional WIP-related settings +After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. + +**To set your optional settings** + +1. Choose to set any or all optional settings: + + ![Microsoft Intune, Choose if you want to include any of the optional settings](images/wip-azure-advanced-settings-optional.png) + + - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: + + - **On (recommended).** Turns on the feature and provides the additional protection. + + - **Off, or not configured.** Doesn't enable this feature. + + - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + + - **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + + - **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions. + + - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. 
The options are: + + - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. + + - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. + + - **Use Azure RMS for WIP.** Determines whether to use Azure Rights Management encryption with Windows Information Protection. + + - **On.** Starts using Azure Rights Management encryption with WIP. By turning this option on, you can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. For more info about setting up Azure Rights management and using a template ID with WIP, see the [Choose to set up Azure Rights Management with WIP](#choose-to-set-up-azure-rights-management-with-wip) section of this topic. + + - **Off, or not configured.** Stops using Azure Rights Management encryption with WIP. ### Choose to set up Azure Rights Management with WIP -WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. +WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). 
To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. 
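Review bot: the new **Important** note under "Upload your Data Recovery Agent (DRA) certificate" links to `https://tnstage.redmond.corp.microsoft.com/en-us/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate`, an internal staging host that readers of the published page cannot reach; the line being removed used the relative link `create-and-verify-an-efs-dra-certificate.md`, and that relative link should be kept. Several smaller problems in the same hunk: the added "9. Click **No** in the dialog box that appears ..." leaves the following "9. Review the Local Security Policy snap-in" with the same number, so steps 9 through 12 need renumbering, and the alt text on the new `wip-applocker-default-rule-warning.png` image still reads "showing the Microsoft Dynamics 365 on the Publisher page" (copied from the previous image) while the step 5 image for `wip-applocker-secpol-wizard-2.png` still says "Before You Begin page" although it shows the Permissions page. The in-page anchors `#add-apps-to_your-allowed-apps-list`, `#add-a-recommended-app-to_your-allowed-apps-list`, `#add-a-store-app-to_your-allowed-apps-list`, `#add-a-desktop-app-to_your-allowed-apps-list` and `#import-a-list-of-apps-to_your-allowed-apps-list` contain an underscore in "to_your"; generated heading anchors use hyphens, so these links will not resolve. "From the **Allowed apps ** area" has a space before the closing asterisks and will render literally. In the network boundary procedure, "5. Repeat steps 1-4" should be "Repeat steps 2-4" since step 1 only opens the **Advanced settings** pane, and the typos "Decide if you want to Windows to look for" and "send enterprise data on you network" survive into the `+` lines. Finally, the Silent row of the new mode table says "while in Allow Override mode" where the row above names the mode **Allow Overrides**.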
@@ -451,46 +505,6 @@ Optionally, if you don’t want everyone in your organization to be able to shar >[!NOTE] >For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. -### Choose your optional WIP-related settings -After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. - -![Microsoft Intune, Choose any additional, optional settings](images/intune-optional-settings.png) - -**To set your optional settings** -1. Choose to set any or all of the optional settings: - - - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: - - - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. - - - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. - - - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. 
Apps won't be able to read corporate data when the device is locked. The options are: - - - **Yes (recommended).** Turns on the feature and provides the additional protection. - - - **No, or not configured.** Doesn't enable this feature. - - - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - - - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. - - - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: - - - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. - - - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - - - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: - - - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. - - - **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. - -2. Click **Save Policy**. 
- ## Related topics - [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) diff --git a/windows/keep-secure/images/wip-applocker-default-rule-warning.png b/windows/keep-secure/images/wip-applocker-default-rule-warning.png new file mode 100644 index 0000000000..69bb85a8c9 Binary files /dev/null and b/windows/keep-secure/images/wip-applocker-default-rule-warning.png differ diff --git a/windows/keep-secure/images/wip-applocker-secpol-1.png b/windows/keep-secure/images/wip-applocker-secpol-1.png index 402c31e298..709ff73d25 100644 Binary files a/windows/keep-secure/images/wip-applocker-secpol-1.png and b/windows/keep-secure/images/wip-applocker-secpol-1.png differ diff --git a/windows/keep-secure/images/wip-applocker-secpol-create.png b/windows/keep-secure/images/wip-applocker-secpol-create.png new file mode 100644 index 0000000000..74497fd6ab Binary files /dev/null and b/windows/keep-secure/images/wip-applocker-secpol-create.png differ diff --git a/windows/keep-secure/images/wip-applocker-secpol-export.png b/windows/keep-secure/images/wip-applocker-secpol-export.png new file mode 100644 index 0000000000..1f5d20dffa Binary files /dev/null and b/windows/keep-secure/images/wip-applocker-secpol-export.png differ diff --git a/windows/keep-secure/images/wip-applocker-secpol-wizard-1.png b/windows/keep-secure/images/wip-applocker-secpol-wizard-1.png index 40c5cff286..0ced278421 100644 Binary files a/windows/keep-secure/images/wip-applocker-secpol-wizard-1.png and b/windows/keep-secure/images/wip-applocker-secpol-wizard-1.png differ 
diff --git a/windows/keep-secure/images/wip-applocker-secpol-wizard-4.png b/windows/keep-secure/images/wip-applocker-secpol-wizard-4.png new file mode 100644 index 0000000000..c924430a97 Binary files /dev/null and b/windows/keep-secure/images/wip-applocker-secpol-wizard-4.png differ diff --git a/windows/keep-secure/images/wip-applocker-secpol-wizard-5.png b/windows/keep-secure/images/wip-applocker-secpol-wizard-5.png new file mode 100644 index 0000000000..4b5e707aec Binary files /dev/null and b/windows/keep-secure/images/wip-applocker-secpol-wizard-5.png differ diff --git a/windows/keep-secure/images/wip-azure-advanced-settings-efsdra.png b/windows/keep-secure/images/wip-azure-advanced-settings-efsdra.png new file mode 100644 index 0000000000..71594dd252 Binary files /dev/null and b/windows/keep-secure/images/wip-azure-advanced-settings-efsdra.png differ diff --git a/windows/keep-secure/images/wip-azure-advanced-settings-network-autodetect.png b/windows/keep-secure/images/wip-azure-advanced-settings-network-autodetect.png new file mode 100644 index 0000000000..3b709bbc46 Binary files /dev/null and b/windows/keep-secure/images/wip-azure-advanced-settings-network-autodetect.png differ diff --git a/windows/keep-secure/images/wip-azure-advanced-settings-network.png b/windows/keep-secure/images/wip-azure-advanced-settings-network.png new file mode 100644 index 0000000000..7daf9d9760 Binary files /dev/null and b/windows/keep-secure/images/wip-azure-advanced-settings-network.png differ diff --git a/windows/keep-secure/images/wip-azure-advanced-settings-optional.png b/windows/keep-secure/images/wip-azure-advanced-settings-optional.png new file mode 100644 index 0000000000..9f1bc57abc Binary files /dev/null and b/windows/keep-secure/images/wip-azure-advanced-settings-optional.png differ 
diff --git a/windows/keep-secure/images/wip-azure-import-apps.png b/windows/keep-secure/images/wip-azure-import-apps.png new file mode 100644 index 0000000000..f9d257645a Binary files /dev/null and b/windows/keep-secure/images/wip-azure-import-apps.png differ diff --git a/windows/keep-secure/images/wip-azure-required-settings-corp-identity.png b/windows/keep-secure/images/wip-azure-required-settings-corp-identity.png new file mode 100644 index 0000000000..1481a21f0d Binary files /dev/null and b/windows/keep-secure/images/wip-azure-required-settings-corp-identity.png differ diff --git a/windows/keep-secure/images/wip-azure-required-settings-protection-mode.png b/windows/keep-secure/images/wip-azure-required-settings-protection-mode.png new file mode 100644 index 0000000000..4bbd91028f Binary files /dev/null and b/windows/keep-secure/images/wip-azure-required-settings-protection-mode.png differ
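Review bot: the hunk at `@@ -451,46 +505,6 @@` removes the whole **Choose your optional WIP-related settings** section, and the added advanced-settings text in the preceding hunk only shows the icon overlay and **Use Azure RMS for WIP** options, so confirm the other removed options were carried over rather than dropped: **Revoke encryption keys on unenroll** (recommended and default **Yes**, with the MDM-migration case as the only stated reason for **No**), **Prevent corporate data from being accessed by apps when the device is locked** (Windows 10 Mobile, key protected by the employee's PIN), **Allow Windows Search to search encrypted corporate data and Store apps** (recommended **No, or not configured**), and the caveat under **Show the Personal option** > **No** that apps using the **Save As** dialog may encrypt new files as corporate data, after which decryption of work files becomes more difficult. Those are the settings whose defaults decide whether protected data stays protected after unenrollment or on a locked device, so losing the guidance would be a regression in the page even if the portal still exposes the switches. The removed section also ended with `2. Click **Save Policy**.`; check that the rewritten section still tells the reader how the advanced settings are committed.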