diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 128b8003b8..ab2695ebf7 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -138,5 +138,6 @@ If you use a cloud environment in your organization, you may still want to resto - [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA) -**Note**
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>[!Note] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/keep-secure/deploy-wip-policy-using-intune.md b/windows/keep-secure/deploy-wip-policy-using-intune.md index c9977fec21..76abd68b76 100644 --- a/windows/keep-secure/deploy-wip-policy-using-intune.md +++ b/windows/keep-secure/deploy-wip-policy-using-intune.md @@ -25,13 +25,15 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll ![Microsoft Intune: Click the Manage Deployment link from the Configuration Policies screen](images/intune-managedeployment.png) -2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

-The added people move to the **Selected Groups** list on the right-hand pane. +2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. + + The added people move to the **Selected Groups** list on the right-hand pane. ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-groupselection.png) -3. After you've picked all of the employees and groups that should get the policy, click **OK**.

-The policy is deployed to the selected users' devices. +3. After you've picked all of the employees and groups that should get the policy, click **OK**. + + The policy is deployed to the selected users' devices. >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md index 18106bc1bf..265ffe048d 100644 --- a/windows/keep-secure/protect-enterprise-data-using-wip.md +++ b/windows/keep-secure/protect-enterprise-data-using-wip.md @@ -28,7 +28,7 @@ You’ll need this software to run WIP in your enterprise: |Operating system | Management solution | |-----------------|---------------------| -|Windows 10, version 1607 or later | Microsoft Intune
-OR-
System Center Configuration Manager
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| +|Windows 10, version 1607 or later | Microsoft Intune

-OR-

System Center Configuration Manager

-OR-

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| ## What is enterprise data control? Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can’t share anything and it’s all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure. @@ -130,7 +130,7 @@ You can set your WIP policy to use 1 of 4 protection and management modes: |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). | |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| -|Off |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.

**Note**
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. | +|Off |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.

**Note**
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. | ## Turn off WIP You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied. diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md index a0c2aaf46e..a2d5c9f975 100644 --- a/windows/keep-secure/testing-scenarios-for-wip.md +++ b/windows/keep-secure/testing-scenarios-for-wip.md @@ -29,12 +29,12 @@ You can try any of the processes included in these scenarios, but you should foc Encrypt and decrypt files using File Explorer. - For desktop:

+ For desktop:

  1. Open File Explorer, right-click a work document, and then click Work from the File Ownership menu.
    Make sure the file is encrypted by right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area. The file should show up under the heading, This enterprise domain can remove or revoke access: <your_enterprise_identity>. For example, contoso.com.
  2. In File Explorer, right-click the same document, and then click Personal from the File Ownership menu.
    Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the General tab, and then verifying that the Details button is unavailable.
- For mobile:

+ For mobile:

  1. Open the File Explorer app, browse to a file location, click the elipsis (...), and then click Select to mark at least one file as work-related.
  2. Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work.
    Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
    3. @@ -44,11 +44,11 @@ You can try any of the processes included in these scenarios, but you should foc Create work documents in enterprise-allowed apps. - For desktop:

    + For desktop:

    - For mobile:

    + For mobile:

    1. Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as Work to a local, work-related location.
      Make sure the document is encrypted, by locating the Briefcase icon next to the file name.
    2. Open the same document and attempt to save it to a non-work-related location.
      WIP should stop you from saving the file to this location.
      3. @@ -104,7 +104,7 @@ You can try any of the processes included in these scenarios, but you should foc
      1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
        Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
      2. Open File Explorer and make sure your modified files are appearing with a Lock icon.
        3. -
      3. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

        Note
        Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data.

        A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.

        4. +
      4. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

        Note
        Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data.

        A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
      @@ -133,7 +133,7 @@ You can try any of the processes included in these scenarios, but you should foc
      1. Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.
      2. Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.
        Both browsers should respect the enterprise and personal boundary.
        3. -
      3. Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
        IE11 shouldn't be able to access the sites.

        Note
        Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.

        4. +
      4. Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
        IE11 shouldn't be able to access the sites.

        Note
        Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.
      @@ -151,7 +151,7 @@ You can try any of the processes included in these scenarios, but you should foc Unenroll client devices from WIP.