deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 19:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Added new topic, removed one topic, and updated all accompanying info to account for changes

Browse Source
This commit is contained in:
LizRoss
2017-04-19 09:12:34 -07:00
parent 6b364f1548
commit 5ed558656d
4 changed files with 174 additions and 135 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/keep-secure/TOC.md
View File

@ -33,7 +33,6 @@
## [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md)
### [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md)
#### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
##### [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
##### [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md)
@ -42,6 +41,7 @@
### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
### [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
#### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md)

134
windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
View File

@ -1,134 +0,0 @@
---
title: Add apps to your Windows Information Protection (WIP) policy by using Microsoft Intune custom URI functionality (Windows 10)
description: Add apps to your Windows Information Protection (WIP) allowed app list, by using the Microsoft Intune custom URI functionality and AppLocker.
ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880
keywords: WIP, Enterprise Data Protection, protected apps, protected app list
ms.prod: w10
ms.mktglfcycl: explore
ms.pagetype: security
ms.sitesec: library
author: eross-msft
localizationpriority: high
---
# Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile
You can add apps to your Windows Information Protection (WIP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=691330).
>[!IMPORTANT]
>Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy.
## Add Store apps
1. Go to the AppLocker UI by opening a command line window and running secpol.msc. The local security policy MMC snap-in opens showing the **Security Settings**.
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Packaged app Rules**, and then click **Automatically Generate Rules**.
The **Automatically Generate Packaged app Rules** wizard opens, letting you create WIP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder.
3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users.
4. Type the name youll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
This name should be easily recognizable, such as *WIP_StoreApps_Rules*.
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
>[!Note]
>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<br><br>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules.
7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
>[!Important]
>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
9. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
10. In the **Add one or more OMA-URI settings that control functionality on Windows devices** box, click **Add**.
11. Type your new **Setting Name** and **Description** into the associated boxes, keeping the default **Data Type** of **String**.
12. In the **OMA-URI** box, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>/StoreApp EXE`
13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.
14. Copy the text that has a **Type** of `Appx`, within the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
```
<RuleCollection Type="Appx" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
```
15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
## Add Desktop apps
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Executable Rules**, and then click **Automatically Generate Rules**.
The **Automatically Generate Executable Rules** wizard opens, letting you create WIP-protected app polices by analyzing the files within a specific folder.
3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users.
4. Type the name youll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
This name should be easily recognizable, such as *WIP_DesktopApps_Rules*.
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
>[!Important]
>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
>[!Note]
>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<br><br>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<br><br>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules.
7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
>[!Important]
>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
9. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
10. In the **Add one or more OMA-URI settings that control functionality on Windows devices** box, click **Add**.
11. Type your new **Setting Name** and **Description** into the associated boxes, keeping the default **Data Type** of **String**.
12. In the **OMA-URI** box, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>/EXE`
13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.
14. Copy the text that has a **Type** of `EXE`, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
```
<RuleCollection Type="Exe" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
```
15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
## Related topics
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)

1
windows/keep-secure/change-history-for-keep-windows-10-secure.md
View File

@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
## March 2017
|New or changed topic |Description |
|---------------------|------------|
|[How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) |New |
|[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. |
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated based on Windows 10, version 1703. |
|[Deploy your Windows Information Protection (WIP) policy using Microsoft Intune](deploy-wip-policy-using-intune.md) |Updated based on Windows 10, version 1703.

172
windows/keep-secure/collect-wip-audit-event-logs.md Normal file
View File

@ -0,0 +1,172 @@
---
title: How to collect Windows Information Protection (WIP) audit event logs (Windows 10)
description: How to collect and understand your Windows Information Protection audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices only).
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
localizationpriority: high
---
# How to collect Windows Information Protection (WIP) audit event logs
**Applies to:**
- Windows 10 and later
- Windows 10 Mobile and later
Windows Information Protection (WIP) creates audit events in the following situations:
- If an employee changes the File ownership for a file from **Work** to **Personal**.
- If data is marked as **Work**, but shared to a personal app or webpage. For example, through copying and pasting, dragging and dropping, sharing a contact, uploading to a personal webpage, or if the user grants a personal app provides temporary access to a work file.
- If an app has custom audit events.
## Collect WIP audit logs by using the Reporting configuration service provider (CSP)
Collect the WIP audit logs from your employees devices by following the guidance provided by the [Reporting configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/reporting-csp) documentation. This topic provides info about the actual audit events.
>[!Note]
>The **Data** element in the response includes the requested audit logs in an XML-encoded format.
### User element and attributes
This table includes all available attributes for the **User** element.
|Attribute |Value type |Description |
|----------|-----------|------------|
|UserID |String |The security identifier (SID) of the user corresponding to this audit report. |
|EnterpriseID |String |The enterprise ID corresponding to this audit report. |
### Log element and attributes
This table includes all available attributes/elements for the **Log** element. The response can contain zero (0) or more **Log** elements.
|Attribute/Element |Value type |Description |
|----------|-----------|------------|
|ProviderType |String |This is always **EDPAudit**. |
|LogType |String |Includes:<ul><li>**DataCopied.** Work data is copied or shared to a personal location.</li><li>**ProtectionRemoved.** WIP protection is removed from a Work-defined file.</li><li>**ApplicationGenerated.** A custom audit log provided by an app.</li></ul>|
|TimeStamp |Int |Uses the [FILETIME structure](https://msdn.microsoft.com/library/windows/desktop/ms724284(v=vs.85).aspx) to represent the time that the event happened. |
|Policy |String |How the work data was shared to the personal location:<ul><li>**CopyPaste.** Work data was pasted into a personal location or app.</li><li>**ProtectionRemoved.** Work data was changed to be unprotected.</li><li>**DragDrop.** Work data was dropped into a personal location or app.</li><li>**Share.** Work data was shared with a personal location or app.</li><li>**NULL.** Any other way work data could be made personal beyond the options above. For example, when a work file is opened using a personal application (also known as, temporary access).</li></ul> |
|Justification |String |Not implemented. This will always be either blank or NULL.<br><br>**Note**<br>Reserved for future use to collect the user justification for changing from **Work** to **Personal**. |
|Object |String |A description of the shared work data. For example, if an employee opens a work file by using a personal app, this would be the file path. |
|DataInfo |String |Any additional info about how the work file changed:<ul><li>**A file path.** If an employee uploads a work file to a personal website by using Microsoft Edge or Internet Explorer, the file path is included here.</li><li>**Clipboard data types.** If an employee pastes work data into a personal app, the list of clipboard data types provided by the work app are included here. For more info, see the [Examples](#examples) section of this topic.</li></ul> |
|Action |Int |Provides info about what happened when the work data was shared to personal, including:<ul><li>**1.** File decrypt.</li><li>**2.** Copy to location.</li><li>**3.** Send to recipient.</li><li>**4.** Other.</li></ul> |
|FilePath |String |The file path to the file specified in the audit event. For example, the location of a file thats been decrypted by an employee or uploaded to a personal website. |
|SourceApplicationName |String |The source app or website. For the source app, this is the AppLocker identity. For the source website, this is the hostname. |
|SourceName |String |A string provided by the app thats logging the event. Its intended to describe the source of the work data. |
|DestinationEnterpriseID |String |The enterprise ID value for the app or website where the employee is sharing the data.<br><br>**NULL**, **Personal**, or **blank** means theres no enterprise ID because the work data was shared to a personal location. Because we dont currently support multiple enrollments, youll always see one of these values. |
|DestinationApplicationName |String |The destination app or website. For the destination app, this is the AppLocker identity. For the destination website, this is the hostname. |
|DestinationName |String |A string provided by the app thats logging the event. Its intended to describe the destination of the work data. |
|Application |String |The AppLocker identity for the app where the audit event happened. |
### Examples
Here are a few examples of responses from the Reporting CSP.
#### File ownership on a file is changed from work to personal
```
<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta><Format xmlns="syncml:metinf">xml</Format></Meta><Data>&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;Reporting Version="com.microsoft/2.0/MDM/Reporting"&gt;
&lt;User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com"&gt;
&lt;Log ProviderType="EDPAudit" LogType="ProtectionRemoved" TimeStamp="131357166318347527"&gt;
&lt;Policy&gt;Protection removed&lt;/Policy&gt;
&lt;Justification&gt;NULL&lt;/Justification&gt;
&lt;FilePath&gt;C:\Users\TestUser\Desktop\tmp\demo\Work document.docx&lt;/FilePath&gt;
&lt;/Log&gt;
&lt;/User&gt;
&lt;/Reporting&gt;</Data></Item></Results><Final/></SyncBody></SyncML>
```
#### A work file is uploaded to a personal webpage in Edge
```
<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta><Format xmlns="syncml:metinf">xml</Format></Meta><Data>&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;Reporting Version="com.contoso/2.0/MDM/Reporting"&gt;
&lt;User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com"&gt;
&lt;Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357192409318534"&gt;
&lt;Policy&gt;CopyPaste&lt;/Policy&gt;
&lt;Justification&gt;NULL&lt;/Justification&gt;
&lt;SourceApplicationName&gt;NULL&lt;/SourceApplicationName&gt;
&lt;DestinationEnterpriseID&gt;NULL&lt;/DestinationEnterpriseID&gt;
&lt;DestinationApplicationName&gt;mail.contoso.com&lt;/DestinationApplicationName&gt;
&lt;DataInfo&gt;C:\Users\TestUser\Desktop\tmp\demo\Work document.docx&lt;/DataInfo&gt;
&lt;/Log&gt;
&lt;/User&gt;
&lt;/Reporting&gt;</Data></Item></Results><Final/></SyncBody></SyncML>
```
#### Work data is pasted into a personal webpage
```
<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta><Format xmlns="syncml:metinf">xml</Format></Meta><Data>&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;Reporting Version="com.contoso/2.0/MDM/Reporting"&gt;
&lt;User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com"&gt;
&lt;Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357193734179782"&gt;
&lt;Policy&gt;CopyPaste&lt;/Policy&gt;
&lt;Justification&gt;NULL&lt;/Justification&gt;
&lt;SourceApplicationName&gt;O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE\16.0.8027.1000&lt;/SourceApplicationName&gt;
&lt;DestinationEnterpriseID&gt;NULL&lt;/DestinationEnterpriseID&gt;
&lt;DestinationApplicationName&gt;mail.contoso.com&lt;/DestinationApplicationName&gt;
&lt;DataInfo&gt;EnterpriseDataProtectionId|Object Descriptor|Rich Text Format|HTML Format|AnsiText|Text|EnhancedMetafile|Embed Source|Link Source|Link Source Descriptor|ObjectLink|Hyperlink&lt;/DataInfo&gt;
&lt;/Log&gt;
&lt;/User&gt;
&lt;/Reporting&gt;</Data></Item></Results><Final/></SyncBody></SyncML>
```
#### A work file is opened with a personal application
```
<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta><Format xmlns="syncml:metinf">xml</Format></Meta><Data>&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;Reporting Version="com.contoso/2.0/MDM/Reporting"&gt;
&lt;User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com"&gt;
&lt;Log ProviderType="EDPAudit" LogType="ApplicationGenerated" TimeStamp="131357194991209469"&gt;
&lt;Policy&gt;NULL&lt;/Policy&gt;
&lt;Justification&gt;&lt;/Justification&gt;
&lt;Object&gt;C:\Users\TestUser\Desktop\tmp\demo\Work document.docx&lt;/Object&gt;
&lt;Action&gt;1&lt;/Action&gt;
&lt;SourceName&gt;O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2&lt;/SourceName&gt;
&lt;DestinationEnterpriseID&gt;Personal&lt;/DestinationEnterpriseID&gt;
&lt;DestinationName&gt;O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2&lt;/DestinationName&gt;
&lt;Application&gt;O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2&lt;/Application&gt;
&lt;/Log&gt;
&lt;/User&gt;
&lt;/Reporting&gt;</Data></Item></Results><Final/></SyncBody></SyncML>
```
#### Work data is pasted into a personal application
```
<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta><Format xmlns="syncml:metinf">xml</Format></Meta><Data>&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;Reporting Version="com.contoso/2.0/MDM/Reporting"&gt;
&lt;User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com"&gt;
&lt;Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357196076537270"&gt;
&lt;Policy&gt;CopyPaste&lt;/Policy&gt;
&lt;Justification&gt;NULL&lt;/Justification&gt;
&lt;SourceApplicationName&gt;O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE\16.0.8027.1000&lt;/SourceApplicationName&gt;
&lt;DestinationEnterpriseID&gt;NULL&lt;/DestinationEnterpriseID&gt;
&lt;DestinationApplicationName&gt;&lt;/DestinationApplicationName&gt;
&lt;DataInfo&gt;EnterpriseDataProtectionId|Object Descriptor|Rich Text Format|HTML Format|AnsiText|Text|EnhancedMetafile|Embed Source|Link Source|Link Source Descriptor|ObjectLink|Hyperlink&lt;/DataInfo&gt;
&lt;/Log&gt;
&lt;/User&gt;
&lt;/Reporting&gt;</Data></Item></Results><Final/></SyncBody></SyncML>
```
## Collect WIP audit logs by using Windows Event Forwarding (for Windows desktop domain-joined devices only)
Use Windows Event Forwarding to collect and aggregate your WIP audit events. You can view your audit events in the Event Viewer.
>[!NOTE]
>Windows 10 Mobile requires you to use the [Reporting CSP process](#collect-wip-audit-logs-by-using-the-reporting-configuration-service-provider-csp) instead.
**To view the WIP events in the Event Viewer**
1. Open Event Viewer.
2. In the console tree under **Application and Services Logs\Microsoft\Windows**, click **EDP-Audit-Regular** and **EDP-Audit-TCB**.