deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 21:03:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

removing Win10 Mobile

Browse Source
This commit is contained in:
MandiOhlinger
2021-12-20 18:20:47 -05:00
parent 3eb651448e
commit 63f8fc68f9
22 changed files with 127 additions and 545 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
View File

@ -20,8 +20,7 @@ ms.reviewer:
# Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
- Windows 10, version 1607 and later
Windows Information Protection (WIP) classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data is encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or people will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default.

3
windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
View File

@ -20,8 +20,7 @@ ms.reviewer:
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
- Windows 10, version 1607 and later
Windows Information Protection (WIP) creates audit events in the following situations:

54
windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
View File

@ -18,10 +18,10 @@ ms.reviewer:
---
# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
- Windows 10, version 1607 and later
If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
@ -33,10 +33,12 @@ If you don't already have an EFS DRA certificate, you'll need to create and extr
1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate.
2. Run this command:
<code>cipher /r:<i>EFSRA</i></code>
Where *EFSRA* is the name of the .cer and .pfx files that you want to create.
```cmd
cipher /r:EFSRA
```
Where *EFSRA* is the name of the `.cer` and `.pfx` files that you want to create.
3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file.
@ -58,7 +60,9 @@ If you don't already have an EFS DRA certificate, you'll need to create and extr
3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
<code>cipher /c <i>filename</i></code>
```cmd
cipher /c filename
```
Where *filename* is the name of the file you created in Step 1.
@ -72,9 +76,11 @@ If you don't already have an EFS DRA certificate, you'll need to create and extr
3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command:
<code>cipher /d <i>encryptedfile.extension</i></code>
Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx.
```cmd
cipher /d encryptedfile.extension
```
Where *encryptedfile.extension* is the name of your encrypted file. For example, `corporatedata.docx`.
## Recover WIP-protected after unenrollment
@ -84,26 +90,34 @@ It's possible that you might revoke data from an unenrolled device only to later
>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device.
1. Have the employee sign in to the unenrolled device, open an elevated command prompt, and type:
<code>Robocopy "%localappdata%\Microsoft\EDP\Recovery" "<i>new_location</i>" * /EFSRAW</code>
```cmd
Robocopy "%localappdata%\Microsoft\EDP\Recovery" "new_location" * /EFSRAW
```
Where "*new_location*" is in a different directory. This can be on the employee's device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent.
To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**.
![Robocopy in S mode.](images/robocopy-s-mode.png)
If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type:
<code>Robocopy "<i>drive_letter</i>:\System Volume Information\EDP\Recovery\" "<i>new_location</i>" * /EFSRAW</code>
```cmd
Robocopy "drive_letter:\System Volume Information\EDP\Recovery\" "new_location" * /EFSRAW
```
2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing:
<code>cipher.exe /D "<i>new_location</i>"</code>
```cmd
cipher.exe /D "new_location"
```
3. Have your employee sign in to the unenrolled device, and type:
<code>Robocopy "<i>new_location</i>" "%localappdata%\Microsoft\EDP\Recovery\Input"</code>
```cmd
Robocopy "new_location" "%localappdata%\Microsoft\EDP\Recovery\Input"
```
4. Ask the employee to lock and unlock the device.
@ -127,7 +141,8 @@ The employee experience is based on sign in with an Azure AD work account. The e
After signing in, the necessary WIP key info is automatically downloaded and employees are able to access the files again.
**To test what the employee sees during the WIP key recovery process**
### To test what the employee sees during the WIP key recovery process
1. Attempt to open a work file on an unenrolled device.
The **Connect to Work to access work files** box appears.
@ -139,6 +154,7 @@ After signing in, the necessary WIP key info is automatically downloaded and emp
3. Sign-in to Azure AD as the employee and verify that the files now open
## Related topics
- [Security Watch Deploying EFS: Part 1](/previous-versions/technet-magazine/cc162507(v=msdn.10))
- [Protecting Data by Using EFS to Encrypt Hard Drives](/previous-versions/tn-archive/cc875821(v=technet.10))
@ -151,4 +167,4 @@ After signing in, the necessary WIP key info is automatically downloaded and emp
>[!Note]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to this article](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to this article](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

53
windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
View File

@ -17,53 +17,46 @@ ms.date: 02/26/2019
ms.reviewer:
---
# Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune
# Associate and deploy a VPN policy for Windows Information Protection (WIP) using Endpoint Manager
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
- Windows 10, version 1607 and later
After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
## Associate your WIP policy to your VPN policy by using Microsoft Intune
Follow these steps to associate your WIP policy with your organization's existing VPN policy.
## Associate your WIP policy to your VPN policy using Endpoint Manager
**To associate your policies**
To associate your WIP policy with your organization's existing VPN policy, use the following steps:
1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration).
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** > **Configuration profiles** > **Create profile**.
3. Enter the following properties:
2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.
- **Platform**: Select **Windows 10 and later**
- **Profile**: Select **Templates** > **Custom**.
![Microsoft Intune, Create a new policy using the portal.](images/wip-azure-vpn-device-policy.png)
4. Select **Create**.
5. In **Basics**, enter the following properties:
3. In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**.
- **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later.
- **Description**: Enter a description for the profile. This setting is optional, but recommended.
![Microsoft Intune, Create a new policy using the Create Profile blade.](images/wip-azure-vpn-configure-policy.png)
6. Select **Next**.
7. In **Configuration settings**, enter the following properties:
4. In the **Custom OMA-URI Settings** blade, click **Add**.
- **Name**: Enter a name for your setting. For example, enter `EDPModeID`.
- **OMA-URI**: Enter `./Vendor/MSFT/VPNv2/YourVPNProfileName/EDPModeId`.
- **Data type**: Select `String`.
- **Value**: Type your fully-qualified domain that should be used by the OMA-URI setting. For example, enter `corp.contoso.com`.
5. In the **Add Row** blade, type:
For more information on these settings, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
- **Name.** Type a name for your setting, such as *EDPModeID*.
- **Description.** Type an optional description for your setting.
- **OMA-URI.** Type _./Vendor/MSFT/VPNv2/&lt;VPNProfileName&gt;/EDPModeId_ into the box.
- **Data type.** Select **String** from the dropdown box
- **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_.
![Microsoft Intune, Add your OMA-URI settings.](images/wip-azure-vpn-custom-omauri.png)
6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy.
7. Click **Create** to create the policy, including your OMA_URI info.
8. Select **Next**, and continue configuring the policy. For the specific steps and recommendations, see [Create a profile with custom settings in Intune](/mem/intune/configuration/custom-settings-configure).
## Deploy your VPN policy using Microsoft Intune
After youve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
**To deploy your Custom VPN policy**
After youve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
1. On the **App policy** blade, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**.

1
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -20,7 +20,6 @@ ms.reviewer:
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device.

5
windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
View File

@ -21,12 +21,11 @@ ms.reviewer:
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
- Windows 10, version 1607 and later
After youve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
**To deploy your WIP policy**
## To deploy your WIP policy
1. On the **App protection policies** pane, click your newly-created policy, click **Assignments**, and then select groups to include or exclude from the policy.

1
windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
View File

@ -23,7 +23,6 @@ ms.date: 05/02/2019
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.

4
windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
View File

@ -21,12 +21,12 @@ ms.date: 02/26/2019
# General guidance and best practices for Windows Information Protection (WIP)
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
- Windows 10, version 1607 and later
This section includes info about the enlightened Microsoft apps, including how to add them to your allowed apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
## In this section
|Topic |Description |
|------|------------|
|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |

1
windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
View File

@ -21,7 +21,6 @@ ms.reviewer:
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.

4
windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
View File

@ -20,12 +20,12 @@ ms.date: 02/26/2019
# Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
- Windows 10, version 1607 and later
Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
## In this section
|Topic |Description |
|------|------------|
|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |

2
windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
View File

@ -21,11 +21,11 @@ ms.date: 03/11/2019
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
## In this section
|Topic |Description |
|------|------------|
|[Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM (Mobile Device Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |

1
windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
View File

@ -23,7 +23,6 @@ ms.date: 03/05/2019
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).

25
windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
View File

@ -22,25 +22,25 @@ ms.reviewer:
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a WIP policy. If you are using Intune, the SharePoint entries may be added automatically.
## Recommended Enterprise Cloud Resources
This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization.
|If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting<br>(Replace "contoso" with your domain name(s)|
|-----------------------------|---------------------------------------------------------------------|
|Sharepoint Online |<ul><li>contoso.sharepoint.com</li><li>contoso-my.sharepoint.com</li><li>contoso-files.sharepoint.com</li></ul> |
|Yammer |<ul><li>www.yammer.com</li><li>yammer.com</li><li>persona.yammer.com</li></ul> |
|Outlook Web Access (OWA) |<ul><li>outlook.office.com</li><li>outlook.office365.com</li><li>attachments.office.net</li></ul> |
|Microsoft Dynamics |contoso.crm.dynamics.com |
|Visual Studio Online |contoso.visualstudio.com |
|Power BI |contoso.powerbi.com |
|Microsoft Teams |teams.microsoft.com |
|Other Office 365 services |<ul><li>tasks.office.com</li><li>protection.office.com</li><li>meet.lync.com</li><li>project.microsoft.com</li></ul> |
|Sharepoint Online |- `contoso.sharepoint.com`<br/>- `contoso-my.sharepoint.com`<br/>- `contoso-files.sharepoint.com` |
|Yammer |- `www.yammer.com`<br/>- `yammer.com`<br/>- `persona.yammer.com` |
|Outlook Web Access (OWA) |- `outlook.office.com`<br/>- `outlook.office365.com`<br/>- `attachments.office.net` |
|Microsoft Dynamics |`contoso.crm.dynamics.com` |
|Visual Studio Online |`contoso.visualstudio.com` |
|Power BI |`contoso.powerbi.com` |
|Microsoft Teams |`teams.microsoft.com` |
|Other Office 365 services |- `tasks.office.com`<br/>- `protection.office.com`<br/>- `meet.lync.com`<br/>- `project.microsoft.com` |
You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both.
@ -54,7 +54,6 @@ When multiple files are selected from SharePoint Online or OneDrive, the files a
## Recommended Neutral Resources
We recommended adding these URLs if you use the Neutral Resources network setting with Windows Information Protection (WIP).
<ul>
<li>login.microsoftonline.com</li>
<li>login.windows.net</li>
</ul>
- `login.microsoftonline.com`
- `login.windows.net`

6
windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
View File

@ -21,7 +21,6 @@ ms.reviewer:
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
@ -35,8 +34,3 @@ Because Outlook on the web can be used both personally and as part of your organ
>[!NOTE]
>These limitations dont apply to Outlook 2016, the Mail for Windows 10 app, or the Calendar for Windows 10 app. These apps will work properly, marking an employees mailbox as corporate data, regardless of how youve configured outlook.office.com in your network settings.

12
windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
View File

@ -20,8 +20,7 @@ ms.reviewer:
# Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
- Windows 10, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
@ -53,10 +52,5 @@ The **Enterprise Context** column shows you what each app can do with your enter
- **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components).
>**Important**<br>Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials.
> [!Important]
> Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials.

11
windows/security/information-protection/windows-information-protection/wip-learning.md
View File

@ -21,8 +21,7 @@ ms.date: 02/26/2019
# Fine-tune Windows Information Protection (WIP) with WIP Learning
**Applies to:**
- Windows 10, version 1703 and later
- Windows 10 Mobile, version 1703 and later
- Windows 10, version 1703 and later
With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports can be accessed from Microsoft Azure Intune.
@ -32,11 +31,9 @@ In the **Website learning report**, you can view a summary of the devices that h
## Access the WIP Learning reports
1. Open the [Azure portal](https://portal.azure.com/).
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**.
1. Click **Intune** > **Client apps** > **App protection status** > **Reports**.
1. Click **Client apps** > **App protection status** > **Reports**.
![Image showing the UI path to the WIP report.](images/access-wip-learning-report.png)
@ -114,4 +111,4 @@ The information needed for the following steps can be found using Device Health,
When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).