diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md
index ff58491fd1..a6d2e9d108 100644
--- a/windows/deploy/TOC.md
+++ b/windows/deploy/TOC.md
@@ -35,6 +35,7 @@
## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
+## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
## [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
## [Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md)
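Review bot: The added `Windows 10 upgrade paths` entry sits before `Windows 10 edition upgrade` here, but the matching row added to index.md in this same commit sits after it. Use one order in both files so the TOC and the landing-page table list the topics in the same sequence.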
diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md
index ce380b474a..3276e429b0 100644
--- a/windows/deploy/change-history-for-deploy-windows-10.md
+++ b/windows/deploy/change-history-for-deploy-windows-10.md
@@ -15,7 +15,8 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc
| New or changed topic | Description |
|----------------------|-------------|
| [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New |
-| [User State Migration Tool Technical Reference](usmt-technical-reference.md) | Updated |
+| [User State Migration Tool Technical Reference](usmt-technical-reference.md) | Updated support statement for Office 2016 |
+| [Windows 10 upgrade paths](windows-10-upgrade-paths.md) | New |
## May 2016
| New or changed topic | Description |
diff --git a/windows/deploy/images/check_grn.png b/windows/deploy/images/check_grn.png
new file mode 100644
index 0000000000..f9f04cd6bd
Binary files /dev/null and b/windows/deploy/images/check_grn.png differ
diff --git a/windows/deploy/images/x_blk.png b/windows/deploy/images/x_blk.png
new file mode 100644
index 0000000000..69432ff71c
Binary files /dev/null and b/windows/deploy/images/x_blk.png differ
diff --git a/windows/deploy/index.md b/windows/deploy/index.md
index c6b8e27ed1..d4254111b1 100644
--- a/windows/deploy/index.md
+++ b/windows/deploy/index.md
@@ -23,6 +23,7 @@ Learn about deploying Windows 10 for IT professionals.
|[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. |
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
|[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
+|[Windows 10 upgrade paths](windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. |
|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
|[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) |Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. |
|[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. |
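Review bot: The summary on the added row, "You can upgrade directly to Windows 10 from a previous operating system.", drops the condition that the new topic's own front matter states ("providing the upgrade path is supported"). The neighbouring edition-upgrade row keeps that qualifier, and the new topic's matrix has source editions with no supported target, so reuse the front-matter description here rather than the unconditional wording.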
diff --git a/windows/deploy/windows-10-edition-upgrades.md b/windows/deploy/windows-10-edition-upgrades.md
index 8b20a8f77c..cbc6ee73c5 100644
--- a/windows/deploy/windows-10-edition-upgrades.md
+++ b/windows/deploy/windows-10-edition-upgrades.md
@@ -15,17 +15,17 @@ author: greg-lindsay
- Windows 10
- Windows 10 Mobile
-With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkID=690882).
+With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md).
-The following table shows the methods you can use to upgrade editions of Windows 10.
+The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer.
|Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile > Mobile Enterprise |
|-------|-----------|-----------------|----------------|-----------------|----------------|--------|
-| Using mobile device management (MDM) | | | | | | |
-| Using a provisioning package | | | | | | |
-| Using a command-line tool | | | | | | |
-| Entering a product key manually | | | | | | |
-| Purchasing a license from the Windows Store | | | | | | |
+| Using mobile device management (MDM) | | | | | | |
+| Using a provisioning package | | | | | | |
+| Using a command-line tool | | | | | | |
+| Entering a product key manually | | | | | | |
+| Purchasing a license from the Windows Store | | | | | | |
**Note**
Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods.
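Review bot: The five replaced method rows have no text in any cell as shown in this diff. If the cells are meant to be filled by the check_grn.png and x_blk.png images added in this commit, give each image alt text or a text equivalent (the new upgrade-paths topic uses a ✔ / D legend). Otherwise the support matrix is empty for anyone reading the source, a diff, or a screen reader.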
diff --git a/windows/deploy/windows-10-upgrade-paths.md b/windows/deploy/windows-10-upgrade-paths.md
new file mode 100644
index 0000000000..5ba3907e03
--- /dev/null
+++ b/windows/deploy/windows-10-upgrade-paths.md
@@ -0,0 +1,416 @@
+---
+title: Windows 10 upgrade paths (Windows 10)
+description: You can upgrade to Windows 10 from a previous version of Windows, providing the upgrade path is supported.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+author: greg-lindsay
+---
+
+# Windows 10 upgrade paths
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+## Upgrade paths
+
+This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. For more information about migrating to a different edition of Windows 10, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).
+
+>**Windows N/KN**: Windows "N" and "KN" editions follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
+
+>**Free upgrade**: Some upgrade paths qualify for a free upgrade using Windows Update. For a list of upgrade paths that are available as part of the free upgrade offer, see [Free upgrade paths](#Free-upgrade-paths).
+
+✔ = Full upgrade is supported including personal data, settings, and applications.
+D = Edition downgrade; personal data is maintained, applications and settings are removed.
+
+
+
+ |
+ |
+ Windows 10 Home |
+ Windows 10 Pro |
+ Windows 10 Pro for Education |
+ Windows 10 Education |
+ Windows 10 Enterprise |
+ Windows 10 Mobile |
+ Windows 10 Mobile Enterprise |
+
+
+ Windows 7 |
+
+
+ Starter |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+ |
+
+
+ Home Basic |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+ |
+
+
+ Home Premium |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+ |
+
+
+ Professional |
+ D |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Ultimate |
+ D |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Enterprise |
+ |
+ |
+ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Windows 8 |
+
+
+ (Core) |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+ |
+
+
+ Professional |
+ D |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Professional WMC |
+ D |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Enterprise |
+ |
+ |
+ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Embedded Industry |
+ |
+ |
+ |
+ |
+ ✔ |
+ |
+ |
+
+
+ Windows RT |
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+ Windows Phone 8 |
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+ Windows 8.1 |
+
+
+ (Core) |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+ |
+
+
+ Connected |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+ |
+
+
+ Professional |
+ D |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Professional Student |
+ D |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Professional WMC |
+ D |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Enterprise |
+ |
+ |
+ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Embedded Industry |
+ |
+ |
+ |
+ |
+ ✔ |
+ |
+ |
+
+
+ Windows RT |
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+ Windows Phone 8.1 |
+ |
+ |
+ |
+ |
+ |
+ ✔ |
+ ✔ |
+
+
+ Windows 10 |
+
+
+ Home |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+ |
+
+
+ Professional |
+ D |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Education |
+ |
+ |
+ |
+ ✔ |
+ D |
+ |
+ |
+
+
+ Enterprise |
+ |
+ |
+ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Mobile |
+ |
+ |
+ |
+ |
+ |
+ ✔ |
+ ✔ |
+
+
+ Mobile Enterprise |
+ |
+ |
+ |
+ |
+ |
+ ✔ |
+ ✔ |
+
+
+
+## Free upgrade paths
+
+Windows 10 is offered as a free upgrade for the first year after launch of Windows 10, with the following restrictions:
+- The offer expires on July 29th, 2016.
+- The offer applies to devices connected to the Internet with Windows Update enabled.
+- Upgrading to Windows 10 Pro requires a computer running the Pro or Ultimate version of Windows 7/8/8.1.
+- Windows Phone 8.0 users must update to Windows 8.1 before upgrading to Windows 10 Mobile1.
+- Editions that are excluded from the free upgrade offer include: Windows 7 Enterprise, Windows 8/8.1 Enterprise, and Windows RT/RT 8.12.
+
+>1The availability of Windows 10 Mobile for Windows 8.1 devices will vary by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. For a list of eligible phones and important info about the upgrade and Windows 10 Mobile, see [Windows 10 specifications](http://windows.com/specsmobile).
+
+>2Active Software Assurance customers in volume licensing have the benefit to upgrade to Windows 10 Enterprise outside of this offer. Windows 10 is not supported on devices running the RT versions of Windows 8.
+
+The following table summarizes the free upgrade paths to Windows 10. For a list of frequently asked questions about the free upgrade to Windows 10, see [Upgrade to Windows 10: FAQ](http://windows.microsoft.com/en-us/windows-10/upgrade-to-windows-10-faq).
+
+
+
+ |
+ From |
+ To |
+
+
+ Windows 7 |
+
+
+ |
+ Windows 7 Starter |
+ Windows 10 Home |
+
+
+ |
+ Windows 7 Home Basic |
+
+
+ |
+ Windows 7 Home Premium |
+
+
+ |
+ Windows 7 Professional |
+ Windows 10 Pro |
+
+
+ |
+ Windows 7 Ultimate |
+
+
+ Windows 8/8.1 |
+
+
+ |
+ Windows Phone 8.1 |
+ Windows 10 Mobile |
+
+
+ |
+ Windows 8/8.1 |
+ Windows 10 Home |
+
+
+ |
+ Windows 8/8.1 Pro Professional |
+ Windows 10 Pro |
+
+
+ |
+ Windows 8/8.1 Pro for Students |
+
+
+
+
+## Related Topics
+
+[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
+[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
+
+
+
+
+
+
+
+
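Review bot: In the free-upgrade restrictions, "Windows Phone 8.0 users must update to Windows 8.1 before upgrading to Windows 10 Mobile" names the wrong product. The matrix and the free-upgrade table both list Windows Phone 8.1 as the source for Windows 10 Mobile, so this should read "Windows Phone 8.1". Smaller points in the same file: the link `[Free upgrade paths](#Free-upgrade-paths)` uses a capitalised fragment that will not match a lowercase heading anchor on renderers that lowercase heading ids, "Windows 8/8.1 Pro Professional" repeats the edition name, "to later release of Windows 10" is missing "a", and the run of empty added lines at the end of the file can be dropped.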
diff --git a/windows/deploy/windows-upgrade-and-migration-considerations.md b/windows/deploy/windows-upgrade-and-migration-considerations.md
index 7763b0502d..fc4c69a980 100644
--- a/windows/deploy/windows-upgrade-and-migration-considerations.md
+++ b/windows/deploy/windows-upgrade-and-migration-considerations.md
@@ -8,13 +8,13 @@ ms.sitesec: library
author: greg-lindsay
---
-# Windows Upgrade and Migration Considerations
+# Windows upgrade and migration considerations
Files and application settings can be migrated to new hardware running the Windows® operating system, or they can be maintained during an operating system upgrade on the same computer. This topic summarizes the Microsoft® tools you can use to move files and settings between installations in addition to special considerations for performing an upgrade or migration.
-## Upgrade from a Previous Version of Windows
+## Upgrade from a previous version of Windows
You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings will not be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete.
-## Migrate Files and Settings
+## Migrate files and settings
Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves.
For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](http://go.microsoft.com/fwlink/p/?LinkId=131349).
@@ -29,13 +29,13 @@ With Windows Easy Transfer, files and settings can be transferred using a netwo
### Migrate with the User State Migration Tool
You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded.
-## Upgrade and Migration Considerations
+## Upgrade and migration monsiderations
Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations:
-### Application Compatibility
+### Application compatibility
For more information about application compatibility in Windows, see the [Application Compatibility Toolkit (ACT)](http://go.microsoft.com/fwlink/p/?LinkId=131349).
-### Multilingual Windows Image Upgrades
+### Multilingual Windows image upgrades
When performing multilingual Windows upgrades, cross-language upgrades are not supported by USMT. If you are upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English.
If you are using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you will have to reinstall them after the upgrade is completed.
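Review bot: The renamed heading introduces a typo: "## Upgrade and migration monsiderations" should be "## Upgrade and migration considerations". The other headings converted to sentence case in this file are fine.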
@@ -43,7 +43,7 @@ If you are using a single-language Windows image that matches the system default
### Errorhandler.cmd
When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy this file into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run.
-### Data Drive ACL Migration
+### Data drive ACL migration
During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that do not appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files.
Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature:
@@ -57,7 +57,10 @@ Value: "DDACLSys_Disabled" = 1
This feature is disabled if this registry key value exists and is configured to `1`.
## Related topics
-- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
+[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
+
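Review bot: The three Related topics links are added on consecutive lines with no list markers and no blank lines between them, so Markdown will join them into one run-on paragraph. Keep the `- ` bullet that the removed line had (or separate the links with blank lines). The same applies to the two links under "## Related Topics" in the new windows-10-upgrade-paths.md, whose heading also differs in case from "## Related topics" here.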
diff --git a/windows/whats-new/edp-whats-new-overview.md b/windows/whats-new/edp-whats-new-overview.md
index cc29c76faa..f52da0a12c 100644
--- a/windows/whats-new/edp-whats-new-overview.md
+++ b/windows/whats-new/edp-whats-new-overview.md
@@ -16,76 +16,61 @@ author: eross-msft
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]
+[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprise’s control like email, social media, and the public cloud.
+With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
-Many of the existing solutions try to address this issue by requiring employees to switch between personal and work containers and apps, which can lead to a less than optimal user experience. The feature code-named enterprise data protection (EDP) offers a better user experience, while helping to better separate and protect enterprise apps and data against disclosure risks across both company and personal devices, without requiring changes in environments or apps. Additionally, EDP when used with Rights Management Services (RMS), can help to protect your enterprise data locally, persisting the protection even when your data roams or is shared.
+Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
## Benefits of EDP
EDP provides:
-- Additional protection against enterprise data leakage, with minimal impact on employees’ regular work practices.
-- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
-- Additional data protection for existing line-of-business apps without a need to update the apps.
-- Ability to wipe corporate data from devices while leaving personal data alone.
-- Use of audit reports for tracking issues and remedial actions.
-- Integration with your existing management system (Microsoft Intune, System Center Configuration Manager (version 1511 or later)’, or your current mobile device management (MDM) system) to configure, deploy, and manage EDP for your company.
-- Additional protection for your data (through RMS integration) while roaming and sharing, like when you share encrypted content through Outlook or move encrypted files to USB keys.
-- Ability to manage Office universal apps on Windows 10 devices using an MDM solution to help protect corporate data. To manage Office mobile apps for Android and iOS devices, see technical resources [here]( http://go.microsoft.com/fwlink/p/?LinkId=526490).
+- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
+
+- Additional data protection for existing line-of-business apps without a need to update the apps.
+
+- Ability to wipe corporate data from devices while leaving personal data alone.
+
+- Use of audit reports for tracking issues and remedial actions.
+
+- Integration with your existing management system (Microsoft Intune, System Center Configuration Manager (version 1511 or later), or your current mobile device management (MDM) system) to configure, deploy, and manage EDP for your company.
## Enterprise scenarios
-
EDP currently addresses these enterprise scenarios:
-- You can encrypt enterprise data on employee-owned and corporate-owned devices.
-- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
-- You can select specific apps that can access enterprise data, called "protected apps" that are clearly recognizable to employees. You can also block non-protected apps from accessing enterprise data.
-- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
+- You can encrypt enterprise data on employee-owned and corporate-owned devices.
-### Enterprise data security
+- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
-As an enterprise admin, you need to maintain the security and confidentiality of your corporate data. Using EDP you can help ensure that your corporate data is protected on your employee-owned computers, even when the employee isn’t actively using it. In this case, when the employee initially creates the content on a managed device he’s asked whether it’s a work document. If it's a work document, it becomes locally-protected as enterprise data.
+- You can select specific apps that can access enterprise data, called "allowed apps" that are clearly recognizable to employees. You can also block non-protected apps from accessing enterprise data.
-### Persistent data encryption
+- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
-EDP helps keep your enterprise data protected, even when it roams. Apps like Office and OneNote work with EDP to persist your data encryption across locations and services. For example, if an employee opens EDP-encrypted content from Outlook, edits it, and then tries to save the edited version with a different name to remove the encryption, it won’t work. Outlook automatically applies EDP to the new document, keeping the data encryption in place.
+## Why use EDP?
+EDP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
-### Remotely wiping devices of enterprise data
-EDP also offers the ability to remotely wipe your corporate data from all devices managed by you and used by an employee, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen computer.
-In this case, documents are stored locally, and encrypted with an enterprise identity. When you verify that you have to wipe the device, you can send a remote wipe command through your mobile device management system so when the device connects to the network, the encryption keys are revoked and the enterprise data is removed. This action only affects devices that have been targeted by the command. All other devices will continue to work normally.
+- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. EDP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
-### Protected apps and restrictions
+- **Manage your enterprise documents, apps, and encryption modes.**
-Using EDP you can control the set of apps that are made "protected apps", or apps that can access and use your enterprise data. After you add an app to your **Protected App** list, it’s trusted to use enterprise data. All apps not on this list are treated as personal and are potentially blocked from accessing your corporate data, depending on your EDP protection-mode.
-As a note, your existing line-of-business apps don’t have to change to be included as protected apps. You simply have to include them in your list.
+ - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an EDP-protected device, EDP encrypts the data on the device.
-### Great employee experiences
+ - **Using allowed apps.** Managed apps (apps that you've included on the allowed apps list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
-EDP can offer a great user experience by not requiring employees to switch between apps to protect corporate data. For example, while checking work emails in Microsoft Outlook, an employee gets a personal message. Instead of having to leave Outlook, both the work and personal messages appear on the screen, side-by-side.
+ - **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your EDP management-mode.
+
+ You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in your protected apps list.
-#### Using protected apps
+ - **Deciding your level of data access.** EDP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list.
-Protected apps are allowed to access your enterprise data and will react differently with other non-protected or personal apps. For example, if your EDP-protection mode is set to block, your protected apps will let the employee copy and paste information between other protected apps, but not with personal apps. Imagine an HR person wants to copy a job description from a protected app to an internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that it couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website and it works without a problem.
+ - **Data encryption at rest.** EDP helps protect enterprise data on local files and on removable media.
+
+ Apps such as Microsoft Word work with EDP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document.
-#### Copying or downloading enterprise data
+ - **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
-Downloading content from a location like SharePoint or a network file share, or an enterprise web location, such as Office365.com automatically determines that the content is enterprise data and is encrypted as such, while it’s stored locally. The same applies to copying enterprise data to something like a USB drive. Because the content is already marked as enterprise data locally, the encryption is persisted on the new device.
+ - **Helping prevent accidental data disclosure to removable media.** EDP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
-#### Changing the EDP protection
-
-Employees can change enterprise data protected documents back to personal if the document is wrongly marked as enterprise. However, this requires the employee to take an action and is audited and logged for you to review
-
-### Deciding your level of data access
-
-EDP lets you decide to block, allow overrides, or silently audit your employee's data sharing actions. Blocking the action stops it immediately, while allowing overrides let the employee know there's a problem, but lets the employee continue to share the info, and silent just logs the action without stopping it, letting you start to see patterns of inappropriate sharing so you can take educative action.
-
-### Helping prevent accidental data disclosure to public spaces
-
-EDP helps protect your enterprise data from being shared to public spaces, like the public cloud, accidentally. For example, if an employee stores content in the **Documents** folder, which is automatically synched with OneDrive (an app on your Protected Apps list), then the document is encrypted locally and not synched it to the user’s personal cloud. Likewise, if other synching apps, like Dropbox™, aren’t on the Protected Apps list, they also won’t be able to sync encrypted files to the user’s personal cloud.
-
-### Helping prevent accidental data disclosure to other devices
-
-EDP helps protect your enterprise data from leaking to other devices while transferring or moving between them. For example, if an employee puts corporate data on a USB key that also includes personal data, the corporate data remains encrypted even though the personal information remains open. Additionally, the encryption continues when the employee copies the encrypted content back to another corporate-managed device.
+ - **Remove access to enterprise data from enterprise-protected devices.** EDP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
## Turn off EDP
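Review bot: The rewritten text uses three names for the same policy list. The scenario bullet introduces "allowed apps" and then says "non-protected apps" in the next sentence. "Using allowed apps" speaks of "Managed apps" on "the allowed apps list". "Managed apps and restrictions" and the bullets after it go back to "protected apps list". An admin configuring the policy needs one term, so pick one and use it throughout. In the same section, "Deciding your level of data access" lists the modes as "block, allow overrides, or audit" but then describes the third as "Silent", and that sentence is hard to parse; name the mode consistently and split the sentence. The removed "Changing the EDP protection" paragraph documented that employees can switch a document back to personal with the action audited, and nothing in the added lines replaces it, so confirm that omission is intended.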