Merge branch 'master' into PubOps-repo-health

Gary Moore
2021-07-23 19:36:29 -07:00
committed by GitHub
118 changed files with 1964 additions and 864 deletions

View File

@ -17,6 +17,7 @@ ms.date: 04/02/2019
**Applies to**
- Windows 10
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
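Review bot: the Applies-to list gains Windows Server 2022, but the `ms.date: 04/02/2019` visible in the hunk header is left untouched; refresh ms.date in the same change so the page's last-reviewed date reflects that the supported-platform list was revised.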
@ -81,7 +82,7 @@ Configuration of Encrypted Hard Drives as startup drives is done using the same
## Configuring hardware-based encryption with Group Policy
There are three related Group Policy settings that help you manage how BitLocker uses hardware-based envryption and which encryption algorithms to use. If these settings are not configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption:
There are three related Group Policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings are not configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption:
- [Configure use of hardware-based encryption for fixed data drives](bitlocker/bitlocker-group-policy-settings.md#bkmk-hdefxd)
- [Configure use of hardware-based encryption for removable data drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-removable-data-drives)
@ -107,4 +108,4 @@ Many Encrypted Hard Drive devices come pre-configured for use. If reconfiguratio
1. Open Disk Management (diskmgmt.msc)
2. Initialize the disk and select the appropriate partition style (MBR or GPT)
3. Create one or more volumes on the disk.
4. Use the BitLocker setup wizard to enable BitLocker on the volume.
4. Use the BitLocker setup wizard to enable BitLocker on the volume.
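Review bot: the only difference in this hunk is the newline at end of file (the two copies of step 4 are otherwise identical), so this is a whitespace-only change; worth stating in the PR description so reviewers don't search for a content edit.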

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
ms.localizationpriority: high
author: dansimp
ms.author: dansimp
manager: dansimp
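Review bot: ms.localizationpriority moves from medium to high with no other change to this page; record the reason in the PR description so the localization team knows why this TPM page is now prioritized for translation.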
@ -96,4 +96,4 @@ Some things that you can check on the device are:
- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/blog/device-provisioning-identity-attestation-with-tpm/)
- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/)
- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx)
- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx)
- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx)

View File

@ -156,9 +156,6 @@ Here are a few examples of responses from the Reporting CSP.
## Collect WIP audit logs by using Windows Event Forwarding (for Windows desktop domain-joined devices only)
Use Windows Event Forwarding to collect and aggregate your WIP audit events. You can view your audit events in the Event Viewer.
>[!NOTE]
>Windows 10 Mobile requires you to use the [Reporting CSP process](#collect-wip-audit-logs-by-using-the-reporting-configuration-service-provider-csp) instead.
**To view the WIP events in the Event Viewer**
1. Open Event Viewer.
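Review bot: deleting the note removes the only pointer from this section to the Reporting CSP path, while the heading still limits Event Forwarding to domain-joined desktop devices, so readers with non-domain-joined devices lose the hint about the alternative. Consider keeping a one-line sentence such as "For devices that aren't domain-joined, use the Reporting CSP process" linking to `#collect-wip-audit-logs-by-using-the-reporting-configuration-service-provider-csp`.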

View File

@ -25,8 +25,6 @@ ms.reviewer:
If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.
>[!IMPORTANT]
>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](/previous-versions/technet-magazine/cc162507(v=msdn.10)) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](/previous-versions/tn-archive/cc875821(v=technet.10)).<br><br>If your DRA certificate has expired, you won't be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
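Review bot: removing the desktop-only sentence is consistent with the rest of this change, but the surviving IMPORTANT block joins two unrelated points (reusing an existing DRA certificate, and what to do when the certificate has expired) with `<br><br>`; consider giving the expired-certificate guidance its own paragraph or note so it is not buried at the end of a long callout.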

View File

@ -22,7 +22,6 @@ ms.date: 01/09/2020
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
- Microsoft Endpoint Configuration Manager
Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
@ -96,7 +95,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap
5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
If you don't know the publisher or product name, you can find them for both desktop devices by following these steps.
**To find the Publisher and Product Name values for Store apps without installing them**
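Review bot: the rewritten sentence now reads "you can find them for both desktop devices by following these steps", which leaves "both" with a single item after the Windows 10 Mobile phrase was cut; suggest "you can find them for desktop devices by following these steps."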
@ -129,35 +128,6 @@ If you don't know the publisher or product name, you can find them for both desk
> }
> ```
**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
>[!NOTE]
>Your PC and phone must be on the same wireless network.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
7. Start the app for which you're looking for the publisher and product name values.
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
> [!IMPORTANT]
> The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`.
> For example:<p>
> ```json
> {
> "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
> }
> ```
### Add a desktop app rule to your policy
For this example, we're going to add Internet Explorer, a desktop app, to the **App Rules** list.
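Review bot: the removed block includes the heading "To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones", which is a link target; check that no other page or in-page link still references that anchor before merging, or the link will silently break.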
@ -247,19 +217,19 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
4. On the **Before You Begin** page, click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png)
![Create a Packaged app Rules wizard and showing the Before You Begin page](images/intune-applocker-before-begin.png)
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png)
![Create Packaged app Rules wizard, set action to Allow](images/intune-applocker-permissions.png)
6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png)
![Create Packaged app Rules wizard, select use an installed packaged app](images/intune-applocker-publisher.png)
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos.
![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png)
![Create Packaged app Rules wizard, select application and click ok](images/intune-applocker-select-apps.png)
8. On the updated **Publisher** page, click **Create**.
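Review bot: the new alt text "Create a Packaged app Rules wizard and showing the Before You Begin page" is awkward and inconsistent with the pattern used for the other three images in this hunk ("Create Packaged app Rules wizard, set action to Allow", "..., select use an installed packaged app", "..., select application and click ok"); suggest "Create Packaged app Rules wizard, showing the Before You Begin page". The remaining three alt texts correctly replace the copy-pasted "showing the Before You Begin page" that previously described the Permissions screenshot.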
@ -466,12 +436,6 @@ After you've decided where your protected apps can access enterprise data on you
**To set your optional settings**
1. Choose to set any or all of the optional settings:
- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
- **Yes (recommended).** Turns on the feature and provides the additional protection.
- **No, or not configured.** Doesn't enable this feature.
- **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
- **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.

View File

@ -124,10 +124,6 @@ If you don't know the Store app publisher or product name, you can find them by
>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<br><br>For example:<br>
<code>{<br>"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",<br>}</code>
<!-- Go Kamatsu says the following info about Windows Mobile can be removed after Windows Mobile EOL at end of 2019
-->
If you need to add Windows 10 mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
> [!NOTE]
> Your PC and phone must be on the same wireless network.
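Review bot: the HTML comment being removed said the Windows Mobile information could go after Windows Mobile EOL, yet the `windowsPhoneLegacyId` / XAP-package guidance in the context lines above stays; since a XAP package is a Windows Phone app format, decide whether that note should be removed in the same pass for consistency. While touching this area, the context line has "an app thats using a XAP package", which should read "that's".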
@ -570,12 +566,6 @@ After you've decided where your protected apps can access enterprise data on you
![Advanced optional settings](images/wip-azure-advanced-settings-optional.png)
**Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
- **On.** Turns on the feature and provides the additional protection.
- **Off, or not configured.** Doesn't enable this feature.
**Revoke encryption keys on unenroll.** Determines whether to revoke a users local encryption keys from a device when its unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
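Review bot: the removal matches the corresponding deletion of the same locked-device option in the Configuration Manager version of this page elsewhere in this commit, which is good. The unchanged context line "revoke a users local encryption keys from a device when its unenrolled" is missing two apostrophes; since the paragraph is being edited anyway, correct it to "a user's local encryption keys ... when it's unenrolled".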

View File

@ -21,7 +21,6 @@ ms.localizationpriority: medium
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
This table provides info about the most common problems you might encounter while running WIP in your organization.

View File

@ -22,7 +22,6 @@ ms.date: 03/05/2019
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
@ -164,14 +163,7 @@ You can try any of the processes included in these scenarios, but you should foc
</ul>
</td>
</tr>
<tr>
<td>Verify that app content is protected when a Windows 10 Mobile phone is locked.</td>
<td>
<ul>
<li>Check that protected app data doesn&#39;t appear on the Lock screen of a Windows 10 Mobile phone.</li>
</ul>
</td>
</tr>
</table>