deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 02:13:43 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/vs-8493293'

Browse Source
This commit is contained in:
LizRoss
2016-08-25 10:37:18 -07:00
parent 7c05ec97a3 fd21842572
commit 76874eab64
2 changed files with 145 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/keep-secure/change-history-for-keep-windows-10-secure.md
View File

@ -13,6 +13,8 @@ author: brianlic-msft
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
## August 2016
- [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |Updated and added additional scenarios for testing. |
- [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Updated to include info from the original What's New and Overview topics. |
- [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |New |
## RELEASE: Windows 10, version 1607

157
windows/keep-secure/testing-scenarios-for-wip.md
View File

@ -1,6 +1,6 @@
---
title: Testing scenarios for Windows Information Protection (WIP) (Windows 10)
description: We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
description: A list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: w10
@ -22,16 +22,145 @@ We've come up with a list of suggested testing scenarios that you can use to tes
## Testing scenarios
You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization.
|Scenario |Processes |
|---------|----------|
|Automatically encrypt files from enterprise apps |<ol><li>Start an unmodified (for example, WIP-unaware) line-of-business app that's on your allowed apps list and then create, edit, write, and save files.</li><li>Make sure that all of the files you worked with from the WIP-unaware app are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li><li>Open File Explorer and make sure your modified files are appearing with a **Lock** icon.<p>**Note**<br>Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.</li></ol> |
|Block enterprise data from non-enterprise apps |<ol><li>Start an app that doesn't appear on your allowed apps list, and then try to open an enterprise-encrypted file.<p>The app shouldn't be able to access the file.</li><li>Try double-clicking or tapping on the enterprise-encrypted file.<p>If your default app association is an app not on your allowed apps list, you should get an **Access Denied** error message.</li></ol> |
|Copy and paste from enterprise apps to non-enterprise apps |<ol><li>Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.<p>You should see a WIP-related warning box, asking you to click either **Got it** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't pasted into the non-enterprise app.</li><li>Repeat Step 1, but this time click **Got it**, and try to paste the content again.<p>The content is pasted into the non-enterprise app.</li><li>Try copying and pasting content between apps on your allowed apps list.<p>The content should copy and paste between apps without any warning messages.</li></ol> |
|Drag and drop from enterprise apps to non-enterprise apps |<ol><li>Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.<p>You should see a WIP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't dropped into the non-enterprise app.</li><li>Repeat Step 1, but this time click **Drag Anyway**, and try to drop the content again.<p>The content is dropped into the non-enterprise app.</li><li>Try dragging and dropping content between apps on your allowed apps list.<p>The content should move between the apps without any warning messages.</li></ol> |
|Share between enterprise apps and non-enterprise apps |<ol><li>Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.<p>You should see a WIP-related warning box, asking you to click either **Share Anyway** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't shared into Facebook.</li><li>Repeat Step 1, but this time click **Share Anyway**, and try to share the content again.<p>The content is shared into Facebook.</li><li>Try sharing content between apps on your allowed apps list.<p>The content should share between the apps without any warning messages.</li></ol> |
|Use the **Encrypt to** functionality |<ol><li>Open File Explorer on the desktop, right-click a decrypted file, and then click **Encrypt to** from the **Encrypt to** menu.<p>WIP should encrypt the file to your Enterprise Identity.</li><li>Make sure that the newly encrypted file has a **Lock** icon.</li><li>In the **Encrypted to** column of File Explorer on the desktop, look for the enterprise ID value.</li><li>Right-click the encrypted file, and then click **Not encrypted** from the **Encrypt to** menu.<p>The file should be decrypted and the **Lock** icon should disappear.</li></ol> |
|Verify that Windows system components can use WIP |<ol><li>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.</li><li>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li><li>Open File Explorer and make sure your modified files are appearing with a **Lock** icon</li><li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<p>**Note**<br>Most Windows-signed components like Windows Explorer (when running in the users context), should have access to enterprise data.<p>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.</li></ol> |
|Use WIP on FAT/exFAT systems |<ol><li>Start an app that uses the FAT or exFAT file system and appears on your allowed apps list.</li><li>Create, edit, write, save, and move files.<p>Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.</li><li>Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.</li></ol> |
|Use WIP on NTFS systems |<ol><li>Start an app that uses the NTFS file system and appears on your allowed apps list.</li><li>Create, edit, write, save, and move files.<p>Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.</li><li>Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.</li></ol> |
|Unenroll client devices from WIP |<ul><li>Unenroll a device from WIP by going to **Settings**, click **Accounts**, click **Work**, click the name of the device you want to unenroll, and then click **Remove**.<p>The device should be removed and all of the enterprise content for that managed account should be gone.<p>**Important**<br>Unenrolling a device revokes and erases all of the enterprise data for the managed account.</li></ul> |
|Verify that app content is protected when a Windows 10 Mobile phone is locked |<ul><li>Check that protected app data doesn't appear on the **Lock** screen of a Windows 10 Mobile phone</li></ul> |
<table>
<tr>
<th>Scenario</th>
<th>Processes</th>
</tr>
<tr>
<td>Encrypt and decrypt files using File Explorer.</td>
<td><strong>For desktop:</strong><p>
<ol>
<li>Open File Explorer, right-click a work document, and then click <strong>Work</strong> from the <strong>File Ownership</strong> menu.<br>Make sure the file is encrypted by right-clicking the file again, clicking <strong>Advanced</strong> from the <strong>General</strong> tab, and then clicking <strong>Details</strong> from the <strong>Compress or Encrypt attributes</strong> area. The file should show up under the heading, <strong>This enterprise domain can remove or revoke access:</strong> <em>&lt;your_enterprise_identity&gt;</em>. For example, contoso.com.</li>
<li>In File Explorer, right-click the same document, and then click <strong>Personal</strong> from the <strong>File Ownership</strong> menu.<br>Make sure the file is decrypted by right-clicking the file again, clicking <strong>Advanced</strong> from the <strong>General</strong> tab, and then verifying that the <strong>Details</strong> button is unavailable.</li>
</ol>
<strong>For mobile:</strong><p>
<ol>
<li>Open the File Explorer app, browse to a file location, click the elipsis (...), and then click <strong>Select</strong> to mark at least one file as work-related.</li>
<li>Click the elipsis (...) again, click <strong>File ownership</strong> from the drop down menu, and then click <strong>Work</strong>.<br>Make sure the file is encrypted, by locating the <strong>Briefcase</strong> icon next to the file name.</li>
<li>Select the same file, click <strong>File ownership</strong> from the drop down menu, and then click <strong>Personal</strong>.<br>Make sure the file is decrypted and that you're no longer seeing the <strong>Briefcase</strong> icon next to file name.</li>
</ol>
</td>
</tr>
<tr>
<td>Create work documents in enterprise-allowed apps.</td>
<td><strong>For desktop:</strong><p>
<ul>
<li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<p><strong>Important</strong><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<p>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager](create-wip-policy-using-sccm.md), based on your deployment system.</li>
</ul>
<strong>For mobile:</strong><p>
<ol>
<li>Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as <strong>Work</strong> to a local, work-related location.<br>Make sure the document is encrypted, by locating the <strong>Briefcase</strong> icon next to the file name.</li>
<li>Open the same document and attempt to save it to a non-work-related location.<br>WIP should stop you from saving the file to this location.</li>
<li>Open the same document one last time, make a change to the contents, and then save it again using the <strong>Personal</strong> option.<br>Make sure the file is decrypted and that you're no longer seeing the <strong>Briefcase</strong> icon next to file name.</li>
</ol>
</td>
</tr>
<tr>
<td>Block enterprise data from non-enterprise apps.</td>
<td>
<ol>
<li>Start an app that doesn't appear on your allowed apps list, and then try to open a work-encrypted file.<br>The app shouldn't be able to access the file.</li>
<li>Try double-clicking or tapping on the work-encrypted file.<br>If your default app association is an app not on your allowed apps list, you should get an <strong>Access Denied</strong> error message.</li>
</ol>
</td>
</tr>
<tr>
<td>Copy and paste from enterprise apps to non-enterprise apps.</td>
<td>
<ol>
<li>Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.<br>You should see a WIP-related warning box, asking you to click either <strong>Change to personal</strong> or <strong>Keep at work</strong>.</li>
<li>Click <strong>Keep at work</strong>.<br>The content isn't pasted into the non-enterprise app.</li>
<li>Repeat Step 1, but this time click <strong>Change to personal</strong>, and try to paste the content again.<br>The content is pasted into the non-enterprise app.</li>
<li>Try copying and pasting content between apps on your allowed apps list.<br>The content should copy and paste between apps without any warning messages.</li>
</ol>
</td>
</tr>
<tr>
<td>Drag and drop from enterprise apps to non-enterprise apps.</td>
<td>
<ol>
<li>Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.<br>You should see a WIP-related warning box, asking you to click either <strong>Keep at work</strong> or <strong>Change to personal</strong>.</li>
<li>Click <strong>Keep at work</strong>.<br>The content isn't dropped into the non-enterprise app.</li>
<li>Repeat Step 1, but this time click <strong>Change to personal</strong>, and try to drop the content again.<br>The content is dropped into the non-enterprise app.</li>
<li>Try dragging and dropping content between apps on your allowed apps list.<br>The content should move between the apps without any warning messages.</li>
</ol>
</td>
</tr>
<tr>
<td>Share between enterprise apps and non-enterprise apps.</td>
<td>
<ol>
<li>Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.<br>You should see a WIP-related warning box, asking you to click either <strong>Keep at work</strong> or <strong>Change to personal</strong>.</li>
<li>Click <strong>Keep at work</strong>.<br>The content isn't shared into Facebook.</li>
<li>Repeat Step 1, but this time click <strong>Change to personal</strong>, and try to share the content again.<br>The content is shared into Facebook.</li>
<li>Try sharing content between apps on your allowed apps list.<br>The content should share between the apps without any warning messages.</li>
</ol>
</td>
</tr>
<tr>
<td>Verify that Windows system components can use WIP.</td>
<td>
<ol>
<li>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.<br>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li>
<li>Open File Explorer and make sure your modified files are appearing with a <strong>Lock</strong> icon.</li>
<li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<p><strong>Note</strong><br>Most Windows-signed components like File Explorer (when running in the users context), should have access to enterprise data.<p>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.</li>
</ol>
</td>
</tr>
<tr>
<td>Use WIP on NTFS, FAT, and exFAT systems.</td>
<td>
<ol>
<li>Start an app that uses the FAT or exFAT file system (for example a SD card or USB flash drive), and appears on your allowed apps list.</li>
<li>Create, edit, write, save, copy, and move files.<br>Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.</li>
</ol>
</td>
</tr>
<tr>
<td>Verify your shared files can use WIP.</td>
<td>
<ol>
<li>Download a file from a protected file share, making sure the file is encrypted by locating the <strong>Briefcase</strong> icon next to the file name.</li>
<li>Open the same file, make a change, save it and then try to upload it back to the file share. Again, this should work without any warnings.</li>
<li>Open an app that doesn't appear on your allowed apps list and attempt to access a file on the WIP-enabled file share.<br>The app shouldn't be able to access the file share.</li>
</ol>
</td>
</tr>
<tr>
<td>Verify your cloud resources can use WIP.</td>
<td>
<ol>
<li>Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.</li>
<li>Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.<br>Both browsers should respect the enterprise and personal boundary.</li>
<li>Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.<br>IE11 shouldn't be able to access the sites.<p><strong>Note</strong><br>Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as <strong>Work</strong>.</li>
</ol>
</td>
</tr>
<tr>
<td>Verify your Virtual Private Network (VPN) can be auto-triggered.</td>
<td>
<ol>
<li>Set up your VPN network to start based on the <strong>WIPModeID</strong> setting.<br>For specific info about how to do this, see the [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-wip-policy-using-intune.md) topic.</li>
<li>Start an app from your allowed apps list.<br>The VPN network should automatically start.</li>
<li>Disconnect from your network and then start an app that isn't on your allowed apps list.<br>The VPN shouldn't start and the app shouldn't be able to access your enterprise network.</li>
</ol>
</td>
</tr>
<tr>
<td>Unenroll client devices from WIP.</td>
<td>
<ul>
<li>Unenroll a device from WIP by going to <strong>Settings</strong>, click <strong>Accounts</strong>, click <strong>Work</strong>, click the name of the device you want to unenroll, and then click <strong>Remove</strong>.<br>The device should be removed and all of the enterprise content for that managed account should be gone.<p><strong>Important</strong><br>On desktop devices, the data isn't removed and can be recovered, so you must make sure they content is marked as <strong>Revoked</strong> and that access is denied for the employee. On mobile devices, the data is removed.</li>
</ul>
</td>
</tr>
<tr>
<td>Verify that app content is protected when a Windows 10 Mobile phone is locked.</td>
<td>
<ul>
<li>Check that protected app data doesn't appear on the Lock screen of a Windows 10 Mobile phone.</li>
</ul>
</td>
</tr>
</table>