add wip deprecation notice

2025-05-12 13:27:23 +00:00 · 2022-07-15 15:18:13 -07:00 · 2022-07-15 15:18:13 -07:00 · 74d760d677
commit 74d760d677
parent 0c7cd54691
5 changed files with 182 additions and 168 deletions
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@ -1,22 +1,26 @@
 ---
-title: Make & verify an EFS Data Recovery Agent certificate (Windows 10)
+title: Create an EFS Data Recovery Agent certificate
 description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate.
 ms.prod: m365-security
 ms.localizationpriority: medium
-author: dansimp
+author: aczechowski
-ms.author: dansimp
+ms.author: aaroncz
-manager: dansimp
+manager: dougeby
 ms.reviewer: rafals
 ms.collection: M365-security-compliance
-ms.topic: conceptual
+ms.topic: how-to
-ms.date: 03/05/2019
+ms.date: 07/15/2022
 ms.reviewer: 
 ---
 # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
-**Applies to:**
+[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)]
 <!-- 6010051 -->
- Windows 10, version 1607 and later
+_Applies to:_
 - Windows 10
 - Windows 11
 If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
@ -159,7 +163,3 @@ After signing in, the necessary WIP key info is automatically downloaded and emp
 - [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md)
 - [Creating a Domain-Based Recovery Agent](/previous-versions/tn-archive/cc875821(v=technet.10)#EJAA)
 >[!Note]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to this article](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@ -1,24 +1,28 @@
 ---
-title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10)
+title: Create and deploy a WIP policy in Configuration Manager
-description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data.
+description: Use Microsoft Endpoint Configuration Manager to create and deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data.
 ms.reviewer: 
 ms.prod: m365-security
 ms.localizationpriority: medium
-author: dansimp
+author: aczechowski
-ms.author: dansimp
+ms.author: aaroncz
-manager: dansimp
+manager: dougeby
 ms.reviewer: rafals
 ms.collection: M365-security-compliance
-ms.topic: conceptual
+ms.topic: how-to
-ms.date: 01/09/2020
+ms.date: 07/15/2022
 ---
-# Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager
+# Create and deploy a Windows Information Protection policy in Configuration Manager
 **Applies to:**
- Windows 10, version 1607 and later
+[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)]
- Microsoft Endpoint Configuration Manager
+<!-- 6010051 -->
-Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
+_Applies to:_
 - Windows 10
 - Windows 11
 Microsoft Endpoint Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy. You can choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
 ## Add a WIP policy
 After you've installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
@ -28,18 +32,18 @@ After you've installed and set up Configuration Manager for your organization, y
 **To create a configuration item for WIP**
-1.  Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
+1.  Open the Configuration Manager console, select the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
    ![Configuration Manager, Configuration Items screen.](images/wip-configmgr-addpolicy.png)
-2.  Click the **Create Configuration Item** button.<p>
+2.  Select the **Create Configuration Item** button.<p>
 The **Create Configuration Item Wizard** starts.
    ![Create Configuration Item wizard, define the configuration item and choose the configuration type.](images/wip-configmgr-generalscreen.png)
 3.  On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
-4.  In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**.
+4.  In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then select **Next**.
    -   **Settings for devices managed with the Configuration Manager client:** Windows 10
@ -47,11 +51,11 @@ The **Create Configuration Item Wizard** starts.
    -   **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10
-5.  On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
+5.  On the **Supported Platforms** screen, select the **Windows 10** box, and then select **Next**.
    ![Create Configuration Item wizard, choose the supported platforms for the policy.](images/wip-configmgr-supportedplat.png)
-6.  On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**.
+6.  On the **Device Settings** screen, select **Windows Information Protection**, and then select **Next**.
    ![Create Configuration Item wizard, choose the Windows Information Protection settings.](images/wip-configmgr-devicesettings.png)
@ -71,7 +75,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap
 **To add a store app**
-1.  From the **App rules** area, click **Add**.
+1.  From the **App rules** area, select **Add**.
    The **Add app rule** box appears.
@ -79,7 +83,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap
 2.  Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*.
-3.  Click **Allow** from the **Windows Information Protection mode** drop-down list.
+3.  Select **Allow** from the **Windows Information Protection mode** drop-down list.
    Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
@ -87,7 +91,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap
    The box changes to show the store app rule options.
-5.  Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
+5.  Type the name of the app and the name of its publisher, and then select **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
 If you don't know the publisher or product name, you can find them for both desktop devices by following these steps.
@ -131,7 +135,7 @@ For this example, we're going to add Internet Explorer, a desktop app, to the **
 **To add a desktop app to your policy**
-1.  From the **App rules** area, click **Add**.
+1.  From the **App rules** area, select **Add**.
    The **Add app rule** box appears.
@ -139,7 +143,7 @@ For this example, we're going to add Internet Explorer, a desktop app, to the **
 2.  Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*.
-3.  Click **Allow** from the **Windows Information Protection mode** drop-down list.
+3.  Select **Allow** from the **Windows Information Protection mode** drop-down list.
    Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
@ -147,15 +151,15 @@ For this example, we're going to add Internet Explorer, a desktop app, to the **
    The box changes to show the desktop app rule options.
-5.  Pick the options you want to include for the app rule (see table), and then click **OK**.
+5.  Pick the options you want to include for the app rule (see table), and then select **OK**.
     |Option|Manages|
     |--- |--- |
     |All fields left as "*"|All files signed by any publisher. (Not recommended.)|
-     |**Publisher** selected|All files signed by the named publisher.This might be useful if your company is the publisher and signer of internal line-of-business apps.|
+     |**Publisher** selected|All files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps.|
     |**Publisher** and **Product Name** selected|All files for the specified product, signed by the named publisher.|
     |**Publisher**, **Product Name**, and **Binary name** selected|Any version of the named file or package for the specified product, signed by the named publisher.|
-     |**Publisher**, **Product Name**, **Binary name**, and **File Version, and above**, selected|Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.This option is recommended for enlightened apps that weren't previously enlightened.|
+     |**Publisher**, **Product Name**, **Binary name**, and **File Version, and above**, selected|Specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened.|
     |**Publisher**, **Product Name**, **Binary name**, and **File Version, And below** selected|Specified version or older releases of the named file or package for the specified product, signed by the named publisher.|
     |**Publisher**, **Product Name**, **Binary name**, and **File Version, Exactly** selected|Specified version of the named file or package for the specified product, signed by the named publisher.|
@ -185,31 +189,31 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
 1.  Open the Local Security Policy snap-in (SecPol.msc).
-2.  In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
+2.  In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then select **Packaged App Rules**.
    ![Local security snap-in, showing the Packaged app Rules.](images/intune-local-security-snapin.png)
-3.  Right-click in the right-hand pane, and then click **Create New Rule**.
+3.  Right-click in the right-hand pane, and then select **Create New Rule**.
    The **Create Packaged app Rules** wizard appears.
-4. On the **Before You Begin** page, click **Next**.
+4. On the **Before You Begin** page, select **Next**.
    ![Create a Packaged app Rules wizard and showing the Before You Begin page.](images/intune-applocker-before-begin.png)
-5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
+5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then select **Next**.
    ![Create Packaged app Rules wizard, set action to Allow.](images/intune-applocker-permissions.png)
-6.  On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
+6.  On the **Publisher** page, select **Select** from the **Use an installed packaged app as a reference** area.
    ![Create Packaged app Rules wizard, select use an installed packaged app.](images/intune-applocker-publisher.png)
-7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos.
+7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then select **OK**. For this example, we're using Microsoft Photos.
    ![Create Packaged app Rules wizard, select application and click ok.](images/intune-applocker-select-apps.png)
-8. On the updated **Publisher** page, click **Create**.
+8. On the updated **Publisher** page, select **Create**.
    ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page.](images/intune-applocker-publisher-with-app.png)
@ -217,15 +221,15 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
    ![Local security snap-in, showing the new rule.](images/intune-local-security-snapin-updated.png)
-10. In the left pane, right-click on **AppLocker**, and then click **Export policy**.
+10. In the left pane, right-click on **AppLocker**, and then select **Export policy**.
    The **Export policy** box opens, letting you export and save your new policy as XML.
    ![Local security snap-in, showing the Export Policy option.](images/intune-local-security-export.png)
-11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
+11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then select **Save**.
-    The policy is saved and you'll see a message that says 1 rule was exported from the policy.
+    The policy is saved and you'll see a message that says one rule was exported from the policy.
    **Example XML file**<br>
    This is the XML file that AppLocker creates for Microsoft Photos.
@ -251,7 +255,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
 **To import your Applocker policy file app rule using Configuration Manager**
-1.  From the **App rules** area, click **Add**.
+1.  From the **App rules** area, select **Add**.
    The **Add app rule** box appears.
@ -259,7 +263,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
 2.  Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*.
-3.  Click **Allow** from the **Windows Information Protection mode** drop-down list.
+3.  Select **Allow** from the **Windows Information Protection mode** drop-down list.
    Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
@ -267,7 +271,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
    The box changes to let you import your AppLocker XML policy file.
-5. Click the ellipsis (...) to browse for your AppLocker XML file, click **Open**, and then click **OK** to close the **Add app rule** box.
+5. Select the ellipsis (...) to browse for your AppLocker XML file, select **Open**, and then select **OK** to close the **Add app rule** box.
    The file is imported and the apps are added to your **App Rules** list.
@ -276,25 +280,25 @@ If you're running into compatibility issues where your app is incompatible with
 **To exempt a store app, a desktop app, or an AppLocker policy file app rule**
-1.  From the **App rules** area, click **Add**.
+1.  From the **App rules** area, select **Add**.
    The **Add app rule** box appears.
 2.  Add a friendly name for your app into the **Title** box. In this example, it's *Exempt apps list*.
-3.  Click **Exempt** from the **Windows Information Protection mode** drop-down list.
+3.  Select **Exempt** from the **Windows Information Protection mode** drop-down list.
-    Be aware that when you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see [Add app rules to your policy](#add-app-rules-to-your-policy) in this article.
+    When you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see [Add app rules to your policy](#add-app-rules-to-your-policy) in this article.
 4.  Fill out the rest of the app rule info, based on the type of rule you're adding:
-    - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic.
+    - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this article.
-    - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic.
+    - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this article.
-    - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps.
+    - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this article, using a list of exempted apps.
-5.  Click **OK**.
+5.  Select **OK**.
 ## Manage the WIP-protection level for your enterprise data
 After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
@ -308,15 +312,15 @@ We recommend that you start with **Silent** or **Override** while verifying with
 |-----|------------|
 |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
 |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
-|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would've been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
+|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would have been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
-|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on.|
+|Off |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on. For more information, see [How to disable Windows Information Protection](https://aka.ms/disablewip).|
 :::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level" source="images/wip-configmgr-appmgmt.png":::
 ## Define your enterprise-managed identity domains
 Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
-You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
+You can specify multiple domains owned by your enterprise by separating them with the `|` character. For example, `contoso.com|newcontoso.com`. With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
 **To add your corporate identity**
@ -333,7 +337,7 @@ There are no default locations included with WIP, you must add each of your netw
 >Every WIP policy should include policy that defines your enterprise network locations.<br>
 >Classless Inter-Domain Routing (CIDR) notation isn't supported for WIP configurations.
-**To define where your protected apps can find and send enterprise data on you network**
+**To define where your protected apps can find and send enterprise data on your network**
 1. Add additional network locations your apps can access by clicking **Add**.
@ -345,7 +349,7 @@ There are no default locations included with WIP, you must add each of your netw
     - **Enterprise Cloud Resources**: Specify the cloud resources to be treated as corporate and protected by WIP.
-         For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.
+         For each cloud resource, you may also optionally specify a proxy server from your internal proxy servers list to route traffic for this cloud resource. All traffic routed through your internal proxy servers is considered enterprise.
         If you have multiple resources, you must separate them using the `|` delimiter. If you don't use proxy servers, you must also include the `,` delimiter just before the `|`. For example: URL `<,proxy>|URL <,proxy>`.
@ -358,7 +362,7 @@ There are no default locations included with WIP, you must add each of your netw
         >[!Important]
         > In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.
-     - **Enterprise Network Domain Names (Required)**: Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.
+     - **Enterprise Network Domain Names (Required)**: Specify the DNS suffixes used in your environment. All traffic to the fully qualified domains appearing in this list will be protected.
         This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.
@ -408,7 +412,7 @@ There are no default locations included with WIP, you must add each of your netw
         **Format examples**: `sts.contoso.com,sts.contoso2.com`
-3. Add as many locations as you need, and then click **OK**.
+3. Add as many locations as you need, and then select **OK**.
   The **Add or edit corporate network definition** box closes.
@ -416,13 +420,13 @@ There are no default locations included with WIP, you must add each of your netw
   :::image type="content" alt-text="Create Configuration Item wizard, Add whether to search for additional network settings" source="images/wip-configmgr-optsettings.png":::
-   - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
+   - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Select this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
-   - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option.
+   - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Select this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option.
-   - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option.
+   - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Select this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option.
-5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
+5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy.
   ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate.](images/wip-configmgr-dra.png)
@ -452,27 +456,26 @@ After you've decided where your protected apps can access enterprise data on you
    - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](/azure/information-protection/administer-powershell). If you don't specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to.
-2. After you pick all of the settings you want to include, click **Summary**.
+2. After you pick all of the settings you want to include, select **Summary**.
 ## Review your configuration choices in the Summary screen
 After you've finished configuring your policy, you can review all of your info on the **Summary** screen.
 **To view the Summary screen**
- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
+- Select the **Summary** button to review your policy choices, and then select **Next** to finish and to save your policy.
    ![Create Configuration Item wizard, Summary screen for all of your policy choices.](images/wip-configmgr-summaryscreen.png)
-    A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
+    A progress bar appears, showing you progress for your policy. After it's done, select **Close** to return to the **Configuration Items** page.
 ## Deploy the WIP policy
-After you've created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
+After you've created your WIP policy, you'll need to deploy it to your organization's devices. For more information about your deployment options, see the following articles:
 - [Operations and Maintenance for Compliance Settings in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699357(v=technet.10))
- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg712268(v=technet.10))
+- [Create configuration baselines in Configuration Manager](/mem/configmgr/compliance/deploy-use/create-configuration-baselines)
- [How to Deploy Configuration Baselines in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/hh219289(v=technet.10))
+- [How to deploy configuration baselines in Configuration Manager](/mem/configmgr/compliance/deploy-use/deploy-configuration-baselines)
-## Related topics
+## Related articles
 - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@ -1,21 +1,25 @@
 ---
-title: Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune (Windows 10)
+title: Create a WIP policy in Intune
-description: Learn how to use the Azure portal for Microsoft Intune to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
+description: Learn how to use the Microsoft Endpoint Manager admin center to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
 ms.prod: m365-security
-author: dansimp
+author: aczechowski
-ms.author: dansimp
+ms.author: aaroncz
-manager: dansimp
+manager: dougeby
 ms.reviewer: rafals
 ms.collection: M365-security-compliance
-ms.topic: conceptual
+ms.topic: how-to
-ms.date: 05/13/2019
+ms.date: 07/15/2022
 ms.reviewer: 
 ---
-# Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
+# Create a Windows Information Protection policy in Microsoft Intune
-**Applies to:**
+[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)]
 <!-- 6010051 -->
-   Windows 10, version 1607 and later
+_Applies to:_
 - Windows 10
 - Windows 11
 Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device.
@ -118,7 +122,7 @@ If you don't know the Store app publisher or product name, you can find them by
 4.  Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune.
    >[!Important]
-    >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
+    >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
 	>
 	> For example:
 	>
@ -147,7 +151,7 @@ If you don't know the Store app publisher or product name, you can find them by
 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
    >[!Important]
-    >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
+    >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
 	>
 	> For example:
 	>
@ -164,19 +168,19 @@ To add **Desktop apps**, complete the following fields, based on what results yo
 |Field|Manages|
 |--- |--- |
-|All fields marked as “*”|All files signed by any publisher. (Not recommended and may not work)|
+|All fields marked as `*`|All files signed by any publisher. (Not recommended and may not work)|
-|Publisher only|If you only fill out this field, you’ll get all files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps.|
+|Publisher only|If you only fill out this field, you'll get all files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps.|
-|Publisher and Name only|If you only fill out these fields, you’ll get all files for the specified product, signed by the named publisher.|
+|Publisher and Name only|If you only fill out these fields, you'll get all files for the specified product, signed by the named publisher.|
-|Publisher, Name, and File only|If you only fill out these fields, you’ll get any version of the named file or package for the specified product, signed by the named publisher.|
+|Publisher, Name, and File only|If you only fill out these fields, you'll get any version of the named file or package for the specified product, signed by the named publisher.|
-|Publisher, Name, File, and Min version only|If you only fill out these fields, you’ll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened.|
+|Publisher, Name, File, and Min version only|If you only fill out these fields, you'll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened.|
-|Publisher, Name, File, and Max version only|If you only fill out these fields, you’ll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.|
+|Publisher, Name, File, and Max version only|If you only fill out these fields, you'll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.|
-|All fields completed|If you fill out all fields, you’ll get the specified version of the named file or package for the specified product, signed by the named publisher.|
+|All fields completed|If you fill out all fields, you'll get the specified version of the named file or package for the specified product, signed by the named publisher.|
-To add another Desktop app, select the ellipsis **…**. After you’ve entered the info into the fields, select **OK**.
+To add another Desktop app, select the ellipsis **…**. After you've entered the info into the fields, select **OK**.
 ![Microsoft Intune management console: Adding Desktop app info.](images/wip-azure-add-desktop-apps.png)
-If you’re unsure about what to include for the publisher, you can run this PowerShell command:
+If you're unsure about what to include for the publisher, you can run this PowerShell command:
 ```powershell
 Get-AppLockerFileInformation -Path "<path_of_the_exe>"
@ -202,7 +206,7 @@ Regarding to how to get the Product Name for the Apps you wish to Add, contact t
 ### Import a list of apps 
-This section covers two examples of using an AppLocker XML file to the **Protected apps** list. You’ll use this option if you want to add multiple apps at the same time. 
+This section covers two examples of using an AppLocker XML file to the **Protected apps** list. You'll use this option if you want to add multiple apps at the same time. 
 - [Create a Packaged App rule for Store apps](#create-a-packaged-app-rule-for-store-apps)
 - [Create an Executable rule for unsigned apps](#create-an-executable-rule-for-unsigned-apps)
@ -233,7 +237,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
    ![Screenshot of the "Use an installed package app as a reference" radio button selected and the Select button highlighted](images/wip-applocker-secpol-wizard-3.png)
-7.  In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then select **OK**. For this example, we’re using Microsoft Dynamics 365.
+7.  In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then select **OK**. For this example, we're using Microsoft Dynamics 365.
    ![Screenshot of the Select applications list.](images/wip-applocker-secpol-wizard-4.png)
@ -257,7 +261,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then select **Save**.
-    The policy is saved and you’ll see a message that says one rule was exported from the policy.
+    The policy is saved and you'll see a message that says one rule was exported from the policy.
    **Example XML file**<br>
    This is the XML file that AppLocker creates for Microsoft Dynamics 365.
@ -281,7 +285,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
    </AppLockerPolicy>
    ```
-12. After you’ve created your XML file, you need to import it by using Microsoft Intune.
+12. After you've created your XML file, you need to import it by using Microsoft Intune.
 ## Create an Executable rule for unsigned apps
@ -303,7 +307,7 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
    ![Screenshot with Path conditions selected in the Create Executable Rules wizard.](images/path-condition.png)
-7. Select **Browse Folders...** and select the path for the unsigned apps. For this example, we’re using "C:\Program Files".
+7. Select **Browse Folders...** and select the path for the unsigned apps. For this example, we're using "C:\Program Files".
    ![Screenshot of the Path field of the Create Executable Rules wizard.](images/select-path.png)
@ -315,9 +319,9 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then select **Save**.
-    The policy is saved and you’ll see a message that says one rule was exported from the policy.
+    The policy is saved and you'll see a message that says one rule was exported from the policy.
-12. After you’ve created your XML file, you need to import it by using Microsoft Intune.
+12. After you've created your XML file, you need to import it by using Microsoft Intune.
 **To import a list of protected apps using Microsoft Intune**
@ -343,9 +347,9 @@ If your app is incompatible with WIP, but still needs to be used with enterprise
 2. In **Exempt apps**, select **Add apps**.
-    When you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. 
+    When you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data. 
-3. Fill out the rest of the app info, based on the type of app you’re adding:
+3. Fill out the rest of the app info, based on the type of app you're adding:
    - [Add Recommended apps](#add-recommended-apps)
@ -371,12 +375,12 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
    |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
    |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
    |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would have been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
-    |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<br><br>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
+    |Off |WIP is turned off and doesn't help to protect or audit your data.<br><br>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on. For more information, see [How to disable Windows Information Protection](https://aka.ms/disablewip).|
 2. Select **Save**.
 ## Define your enterprise-managed corporate identity
-Corporate identity, typically expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
+Corporate identity, typically expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
 Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the **Corporate identity** field.
@ -384,7 +388,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
 1. From **App policy**, select the name of your policy, and then select **Required settings**.
-2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. 
+2. If the auto-defined identity isn't correct, you can change the info in the **Corporate identity** field. 
   ![Microsoft Intune, Set your corporate identity for your organization.](images/wip-azure-required-settings-corp-identity.png)
@ -395,7 +399,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
 ## Choose where apps can access enterprise data
 After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations. 
-There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
+There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
 To define the network boundaries, select **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**.
@ -420,7 +424,7 @@ Personal applications can access a cloud resource that has a blank space or an i
 To add a subdomain for a cloud resource, use a period (.) instead of an asterisk (*). For example, to add all subdomains within Office.com, use ".office.com" (without the quotation marks).
-In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. 
+In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. 
 In this case, Windows blocks the connection by default. 
 To stop Windows from automatically blocking these connections, you can add the `/*AppCompat*/` string to the setting. 
 For example: 
@ -466,9 +470,9 @@ corp.contoso.com,region.contoso.com
 ### Proxy servers
 Specify the proxy servers your devices will go through to reach your cloud resources. 
-Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
+Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
-This list shouldn’t include any servers listed in your Internal proxy servers list. 
+This list shouldn't include any servers listed in your Internal proxy servers list. 
 Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
 Separate multiple resources with the ";" delimiter.
@ -478,9 +482,9 @@ proxy.contoso.com:80;proxy2.contoso.com:443
 ### Internal proxy servers
-Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.
+Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
-This list shouldn’t include any servers listed in your Proxy servers list.
+This list shouldn't include any servers listed in your Proxy servers list.
 Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
 Separate multiple resources with the ";" delimiter.
@ -492,7 +496,7 @@ contoso.internalproxy1.com;contoso.internalproxy2.com
 Specify the addresses for a valid IPv4 value range within your intranet. 
 These addresses, used with your Network domain names, define your corporate network boundaries.
-Classless Inter-Domain Routing (CIDR) notation isn’t supported.
+Classless Inter-Domain Routing (CIDR) notation isn't supported.
 Separate multiple ranges with the "," delimiter. 
@ -507,7 +511,7 @@ Starting with Windows 10, version 1703, this field is optional.
 Specify the addresses for a valid IPv6 value range within your intranet. 
 These addresses, used with your network domain names, define your corporate network boundaries.
-Classless Inter-Domain Routing (CIDR) notation isn’t supported.
+Classless Inter-Domain Routing (CIDR) notation isn't supported.
 Separate multiple ranges with the "," delimiter.
@ -534,10 +538,10 @@ Decide if you want Windows to look for more network settings:
 ![Microsoft Intune, Choose if you want Windows to search for more proxy servers or IP ranges in your enterprise.](images/wip-azure-advanced-settings-network-autodetect.png)
 ## Upload your Data Recovery Agent (DRA) certificate
-After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
+After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
 >[!Important]
->Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see [Data Recovery and Encrypting File System (EFS)](/previous-versions/tn-archive/cc512680(v=technet.10)). For more info about creating and verifying your EFS DRA certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
+>Using a DRA certificate isn't mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see [Data Recovery and Encrypting File System (EFS)](/previous-versions/tn-archive/cc512680(v=technet.10)). For more info about creating and verifying your EFS DRA certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
 **To upload your DRA certificate**
 1. From **App policy**, select the name of your policy, and then select **Advanced settings** from the menu that appears.
@ -553,11 +557,11 @@ After you've decided where your protected apps can access enterprise data on you
 ![Advanced optional settings.](images/wip-azure-advanced-settings-optional.png)
-**Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
+**Revoke encryption keys on unenroll.** Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
 - **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
- **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions.
+- **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions.
 **Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
@ -565,11 +569,11 @@ After you've decided where your protected apps can access enterprise data on you
 - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. 
-**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](/azure/information-protection/what-is-azure-rms) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared with employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they're copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template can read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp). 
+**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](/azure/information-protection/what-is-azure-rms) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared with employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they're copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template's license. Only users with permission to that template can read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp). 
- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. 
+- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn't actually apply Azure Information Protection to the files. 
-  If you don’t specify an [RMS template](/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that all users can access.
+  If you don't specify an [RMS template](/information-protection/deploy-use/configure-custom-templates), it's a regular EFS file using a default RMS template that all users can access.
 - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive.
@ -601,6 +605,3 @@ You can restrict which files are protected by WIP when they're downloaded from a
 - [Intune MAM Without Enrollment](/archive/blogs/configmgrdogs/intune-mam-without-enrollment)
 - [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
 > [!NOTE]
 > Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
--- a/windows/security/information-protection/windows-information-protection/includes/wip-deprecation.md
+++ b/windows/security/information-protection/windows-information-protection/includes/wip-deprecation.md
@ -0,0 +1,12 @@
 ---
 author: aczechowski
 ms.author: aaroncz
 ms.prod: windows
 ms.topic: include
 ms.date: 07/15/2022
 ---
 > [!NOTE]
 > To streamline and improve your experience, starting in July 2022, Microsoft is deprecating Windows Information Protection and transitioning customers to [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection). Purview simplifies the configuration set-up and provides an advanced set of capabilities.<!-- 6010051 -->
 >
 > Microsoft will continue to support Windows Information Protection on supported versions of Windows. New versions of Windows won't include new capabilities for Windows Information Protection, and it won't be supported in future versions of Windows. Start your migration to Microsoft Purview Information Protection. For more information, see [Microsoft Purview Information Protection and Data Loss Prevention for a modern data protection strategy](https://aka.ms/MigrateToMIP).
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@ -1,26 +1,29 @@
 ---
-title: Protect your enterprise data using Windows Information Protection (WIP) (Windows 10)
+title: Protect your enterprise data using Windows Information Protection
 description: Learn how to prevent accidental enterprise data leaks through apps and services, such as email, social media, and the public cloud.
 ms.prod: m365-security
 ms.localizationpriority: medium
-author: dansimp
+author: aczechowski
-ms.author: dansimp
+ms.author: aaroncz
-manager: dansimp
+manager: dougeby
 ms.reviewer: rafals
 ms.collection:
  - M365-security-compliance
-  - highpri
+ms.topic: overview
-ms.topic: conceptual
+ms.date: 07/15/2022
 ms.date: 03/05/2019
 ---
 # Protect your enterprise data using Windows Information Protection (WIP)
 **Applies to:**
- Windows 10, version 1607 and later
+[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)]
 <!-- 6010051 -->
->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
+_Applies to:_
-With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
+- Windows 10
 - Windows 11
 With the increase of employee-owned devices in the enterprise, there's also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise's control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
 Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
@ -32,18 +35,18 @@ Windows Information Protection (WIP), previously known as enterprise data protec
 > [!Video https://www.microsoft.com/videoplayer/embed/RE2IGhh]
 ## Prerequisites
-You’ll need this software to run Windows Information Protection in your enterprise:
+You'll need this software to run Windows Information Protection in your enterprise:
 |Operating system | Management solution |
 |-----------------|---------------------|
-|Windows 10, version 1607 or later | Microsoft Intune<br><br>-OR-<br><br>Microsoft Endpoint Configuration Manager<br><br>-OR-<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp) documentation.|
+|Windows 10, version 1607 or later | Microsoft Intune<br><br>-OR-<br><br>Microsoft Endpoint Configuration Manager<br><br>-OR-<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp) documentation.|
 ## What is enterprise data control?
-Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can’t share anything and it’s all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure.
+Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can't share anything and it's all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure.
-As an admin, you can address the question of who gets access to your data by using access controls, such as employee credentials. However, just because someone has the right to access your data doesn’t guarantee that the data will remain within the secured locations of the enterprise. This means that while access controls are a great start, they’re not enough.
+As an admin, you can address the question of who gets access to your data by using access controls, such as employee credentials. However, just because someone has the right to access your data doesn't guarantee that the data will remain within the secured locations of the enterprise. This means that while access controls are a great start, they're not enough.
-In the end, all of these security measures have one thing in common: employees will tolerate only so much inconvenience before looking for ways around the security restrictions. For example, if you don’t allow employees to share files through a protected system, employees will turn to an outside app that more than likely lacks security controls.
+In the end, all of these security measures have one thing in common: employees will tolerate only so much inconvenience before looking for ways around the security restrictions. For example, if you don't allow employees to share files through a protected system, employees will turn to an outside app that more than likely lacks security controls.
 ### Using data loss prevention systems
 To help address this security insufficiency, companies developed data loss prevention (also known as DLP) systems. Data loss prevention systems require:
@ -53,15 +56,15 @@ To help address this security insufficiency, companies developed data loss preve
 - **The ability to specify what happens when data matches a rule, including whether employees can bypass enforcement.** For example, in Microsoft SharePoint and SharePoint Online, the Microsoft Purview data loss prevention system lets you warn your employees that shared data includes sensitive info, and to share it anyway (with an optional audit log entry).
-Unfortunately, data loss prevention systems have their own problems. For example, the less detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees’ natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn’t see and can’t understand.
+Unfortunately, data loss prevention systems have their own problems. For example, the less detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees' natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn't see and can't understand.
 ### Using information rights management systems
 To help address the potential data loss prevention system problems, companies developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on. 
-After the type of protection is set, the creating app encrypts the document so that only authorized people can open it, and even then, only in compatible apps. After an employee opens the document, the app becomes responsible for enforcing the specified protections. Because protection travels with the document, if an authorized person sends it to an unauthorized person, the unauthorized person won’t be able to read or change it. However, for this to work effectively information rights management systems require you to deploy and set up both a server and client environment. And, because only compatible clients can work with protected documents, an employees’ work might be unexpectedly interrupted if he or she attempts to use a non-compatible app.
+After the type of protection is set, the creating app encrypts the document so that only authorized people can open it, and even then, only in compatible apps. After an employee opens the document, the app becomes responsible for enforcing the specified protections. Because protection travels with the document, if an authorized person sends it to an unauthorized person, the unauthorized person won't be able to read or change it. However, for this to work effectively information rights management systems require you to deploy and set up both a server and client environment. And, because only compatible clients can work with protected documents, an employees' work might be unexpectedly interrupted if he or she attempts to use a non-compatible app.
 ### And what about when an employee leaves the company or unenrolls a device?
-Finally, there’s the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would simply erase all of the corporate data from the device, along with any other personal data on the device.
+Finally, there's the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would simply erase all of the corporate data from the device, along with any other personal data on the device.
 ## Benefits of WIP
 Windows Information Protection provides:
@ -78,17 +81,17 @@ Windows Information Protection provides:
 ## Why use WIP?
 Windows Information Protection is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
-   **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. Windows Information Protection helps protect enterprise on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
+-   **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. Windows Information Protection helps protect enterprise on both corporate and employee-owned devices, even when the employee isn't using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
 -   **Manage your enterprise documents, apps, and encryption modes.**
    -   **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
-    - **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but makes a mistake and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
+    - **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but makes a mistake and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn't paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
    -   **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode.
-        You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the protected apps list.
+        You don't have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the protected apps list.
    -   **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
@ -97,9 +100,9 @@ Windows Information Protection is the mobile application management (MAM) mechan
        Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies Windows Information Protection to the new document.
-    -   **Helping prevent accidental data disclosure to public spaces.** Windows Information Protection helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
+    -   **Helping prevent accidental data disclosure to public spaces.** Windows Information Protection helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn't on your protected apps list, employees won't be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
-    -   **Helping prevent accidental data disclosure to removable media.** Windows Information Protection helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
+    -   **Helping prevent accidental data disclosure to removable media.** Windows Information Protection helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn't.
 -   **Remove access to enterprise data from enterprise-protected devices.** Windows Information Protection gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
@ -115,7 +118,7 @@ Windows Information Protection helps address your everyday challenges in the ent
 - Helping to maintain the ownership and control of your enterprise data.
- Helping control the network and data access and data sharing for apps that aren’t enterprise aware
+- Helping control the network and data access and data sharing for apps that aren't enterprise aware
 ### Enterprise scenarios
 Windows Information Protection currently addresses these enterprise scenarios:
@ -125,12 +128,12 @@ Windows Information Protection currently addresses these enterprise scenarios:
 - You can protect specific apps that can access enterprise data that are clearly recognizable to employees. You can also stop non-protected apps from accessing enterprise data.
- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
+- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn't required.
 ### <a href="" id="bkmk-modes"></a>WIP-protection modes
-Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
+Enterprise data is automatically encrypted after it's loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
-Your Windows Information Protection policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned.
+Your Windows Information Protection policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don't have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it's personally owned.
 >[!NOTE]
 >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
@ -139,19 +142,14 @@ You can set your Windows Information Protection policy to use 1 of 4 protection
 |Mode|Description|
 |----|-----------|
-|Block |Windows Information Protection looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
+|Block |Windows Information Protection looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization's network.|
 |Allow overrides |Windows Information Protection looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
-|Silent |Windows Information Protection runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
+|Silent |Windows Information Protection runs silently, logging inappropriate data sharing, without stopping anything that would've been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
-|Off |Windows Information Protection is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn Windows Information Protection back on. |
+|Off |Windows Information Protection is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn't automatically reapplied if you turn Windows Information Protection back on. |
 ## Turn off WIP
-You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied.
+You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn't recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won't be automatically reapplied.
 ## Next steps
 After deciding to use WIP in your enterprise, you need to:
-   [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md)
+After you decide to use WIP in your environment, [create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md).
 >[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).